TERMS OF SERVICE FOR DATA LOSS PREVENTION AND DATA POSTURE MANAGEMENT SECURITY PLATFORM

KIKEN TECHNOLOGIES LLC

TERMS OF SERVICE

FOR

DATA LOSS PREVENTION AND DATA POSTURE MANAGEMENT SECURITY PLATFORM

Effective Date: March 3, 2026

Last Updated: March 3, 2026

Version: 1.0

TABLE OF CONTENTS

1. Definitions

2. Subscription and Access

3. Description of Services; Tracer Technology

4. Data Posture Management Security (DSPM) Scanning Services

5. Customer Responsibilities; Configuration and Deployment

6. Shared Responsibility Model

7. Professional Services

8. Intellectual Property

9. Fees and Payment

10. Confidentiality

11. Data Processing and Privacy

12. Limited Warranty

13. Disclaimer of Warranties

14. Limitation of Liability

15. Indemnification

16. Term and Termination

17. Service Level Agreement

18. Force Majeure

19. Export Compliance

20. Anti-Corruption

21. Dispute Resolution; Governing Law

22. General Provisions

Exhibit A: Service Level Agreement

Exhibit B: Data Processing Addendum

Exhibit C: Shared Responsibility Matrix

TERMS OF SERVICE

These Terms of Service (this “Agreement”) are entered into by and between Kiken Technologies LLC, a Delaware limited liability company (“Kiken,” “we,” “us,” or “our”), and the entity or individual identified in the applicable Order Form or account registration (“Customer,” “you,” or “your”). By accessing or using the Kiken Platform, you agree to terms of this agreement and to be bound by this Agreement. If you are using this product and service and/or entering into this Agreement on behalf of a company or other legal entity, you represent that you have the authority to both purchase this product and to bind such entity to this Agreement.

If you do not agree to any/all of these terms, do not access or use the service, product and platform.

1. DEFINITIONS

“Agent” means the Kiken software component deployed within the Customer Environment that facilitates Tracer Injection, DSPM Scanning, and phone-home functionality. Agents are licensed on a per-unit basis as specified in the applicable Order Form.

“Authorized Users” means the individuals authorized by Customer to access and use the Platform under Customer’s subscription, as specified in the applicable Order Form.

“Configuration” means the settings, rules, policies, file-type selections, network parameters, and other specifications established by Customer within the Platform dashboard to define which files and data categories are subject to Tracer Injection and DSPM Scanning.

“Customer Data” means any data, files, documents, or information uploaded to, processed by, or monitored through the Platform by or on behalf of Customer, including without limitation any data into which Tracers are injected.

“Customer Environment” means Customer’s network infrastructure, systems, endpoints, servers, cloud instances, and other computing resources to which the Platform is connected or deployed.

“DSPM Scanning” or “Scanning Services” means the Platform’s data posture management security functionality, which scans the Customer Environment to identify, classify, and report on data assets, security posture, and configuration compliance in accordance with Customer’s Configuration.

“Documentation” means the then-current user manuals, technical specifications, integration guides, API documentation, and other materials made available by Kiken describing the features, functionality, and requirements of the Platform, as may be updated by Kiken from time to time in accordance with Section 12.4.

“Enterprise Customer” means a Customer that has executed a negotiated Order Form containing terms individually negotiated between the parties, as distinguished from a Customer subscribing through Kiken’s standard online subscription process.

“Order Form” means an ordering document or online subscription form executed by the parties or completed by Customer that references this Agreement and specifies the subscription tier, fees, term, number of Authorized Users, number of Agents, and other commercial terms.

“Platform” means the Kiken data loss prevention and data posture management security software-as-a-service platform, including all associated features, tools, APIs, dashboard interfaces, Tracer technology, DSPM Scanning functionality, and any updates, upgrades, or modifications thereto provided by Kiken during the Subscription Term.

“Professional Services” means any onboarding, implementation, configuration assistance, training, consulting, or other professional services provided by Kiken to Customer, as specified in an Order Form or statement of work.

“Subscription Term” means the period during which Customer is authorized to access and use the Platform, as specified in the applicable Order Form.

“Tracer” or “Tracer Technology” means Kiken’s proprietary technology that embeds a persistent, covert digital marker into files within the Customer Environment, which is designed to transmit location and status information (“phone home”) to the Customer’s Platform dashboard when the file is accessed, copied, moved, or exfiltrated from the Customer Environment.

“Tracer Injection” means the process by which the Platform embeds a Tracer into a file within the Customer Environment in accordance with Customer’s Configuration.

2. SUBSCRIPTION AND ACCESS

2.1 Grant of Access

Subject to Customer’s compliance with this Agreement and payment of all applicable fees, Kiken grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Service and Platform during the Subscription Term, solely for Customer’s internal business purposes and in accordance with the Documentation and the applicable Order Form.

2.2 Authorized Users and Agent Licensing

Customer may permit its Authorized Users (within its organization) to access the Platform, provided that Customer shall be responsible for all acts and omissions of its Authorized Users and for ensuring their compliance with this Agreement. Customer shall not permit any other person, entity or third party to access the Platform using Customer’s credentials. Customer’s use of Agents is limited to the number of Agents specified in the applicable Order Form and including any later amendments and additions of additional agents. To extend coverage to additional network segments, endpoints, or regions, Customer must disclose the additional Agents to Kiken and purchase additional Agent Licensing through a new or amended Order Form.

2.3 Usage Restrictions

Customer shall not, and shall not permit any third party to: (a) sublicense, sell, lease, or otherwise transfer access to the Platform; (b) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, algorithms, or underlying technology of the Platform, including without limitation any Tracer Technology; (c) modify, adapt, or create derivative works based on the Platform; (d) use the Platform in violation of any applicable law or regulation; (e) use the Platform to develop a competing product or service; (f) use the Platform for the purposes of product evaluation, benchmarking, competitive analysis, or other comparative analysis intended for publication or distribution outside Customer’s organization without Kiken’s prior written consent; (g) interfere with or disrupt the integrity or performance of the Platform; (h) attempt to gain unauthorized access to the Platform or its related systems or networks; or (i) remove, alter, or obscure any proprietary notices on the Platform.

3. DESCRIPTION OF SERVICES; TRACER TECHNOLOGY

3.1 Tracer Injection

The Platform provides data loss prevention capabilities through Kiken’s proprietary Tracer Technology. When properly configured by Customer through the Platform dashboard, the Platform will scan the Customer Environment and inject Tracers into files that match Customer’s Configuration parameters. Once injected, Tracers are designed to transmit status and location data to Customer’s Platform dashboard.

3.2 Phone-Home Functionality

Tracers are engineered to report their status and location to Customer’s Platform dashboard when a file containing a Tracer is accessed, copied, transferred, or otherwise leaves the Customer Environment. The Platform is designed to maintain phone-home capability across a variety of obfuscation environments, including but not limited to virtual private networks (VPNs), virtual machines (VMs), botnet infrastructure, proxy servers, Tor networks, and other obfuscation or redirection techniques commonly employed by threat actors.

3.3 Limitations of Tracer Technology

CUSTOMER ACKNOWLEDGES AND AGREES THAT:

(a) No Tracer technology, or data security service including Kiken’s, can guarantee phone-home functionality in one hundred percent (100%) of all circumstances or across all possible threat environments. While Tracers are designed to function in substantially all foreseeable exfiltration scenarios, there may be circumstances under which a Tracer fails to report, including without limitation situations involving:

(i) Advanced Persistent Threat (“APT”) groups, including state-sponsored or nation-state threat actors, that may develop techniques currently unknown to Kiken to detect, remove, disable, neutralize, or otherwise defeat a Tracer;

(ii) Zero-day exploits or novel attack vectors that circumvent Tracer persistence mechanisms;

(iii) Air-gapped environments, Faraday-caged systems, or other network configurations that physically prevent outbound communication;

(iv) Complete destruction or corruption of the file containing the Tracer;

(v) Sophisticated counter-forensic or anti-analysis techniques that strip, overwrite, or neutralize embedded data within files; or

(vi) Jurisdictions or environments where internet access is restricted, monitored, or blocked by governmental authorities.

(b) The phone-home functionality of any given Tracer is dependent upon numerous factors outside of Kiken’s control, including network availability, file integrity, and the threat actor’s sophistication and methods.

(c) Kiken does not represent, warrant, or insure that Tracers will detect, report, or prevent any / all specific data exfiltration event or security incident. The Platform is a risk-reduction tool and is not a guarantee against every possible data loss – rather it is one layer of a data loss prevention and remediation program.

3.4 Configuration-Dependent Functionality

NOTWITHSTANDING THE LIMITATIONS OF LIABILITY HEREIN, THE PLATFORM’S TRACER INJECTION AND PHONE-HOME FUNCTIONALITY IS ENTIRELY DEPENDENT UPON CUSTOMER’S CONFIGURATION. CUSTOMER UNDERSTANDS THAT NOTWITHSTANDING KIKEN INCURS NO LIABILITY TO CUSTOMER FOR ANY DATA LOSS WHATSOEVER, THE FAILURE TO INJECT A TRACER INTO ANY FILE, OR FOR ANY FAILURE OF AN INJECTED TRACER TO REPORT, ARE PROBABLY FROM, BUT NOT LIMITED TO WHERE SUCH FAILURE RESULTS DIRECTLY OR INDIRECTLY FROM:

(a) Customer’s failure to properly configure the Platform dashboard, including without limitation the failure to select appropriate file types, directories, network segments, or data categories for Tracer Injection;

(b) Customer’s failure to follow the Documentation or Kiken’s published configuration guides and best practices;

(c) Changes to Customer’s network architecture, file storage systems, security policies, or infrastructure that affect Platform operation and are not reflected in Customer’s Configuration;

(d) Misconfiguration, improper deployment, or inadequate maintenance of the Customer Environment;

(e) Customer’s disabling, overriding, or modification of any Platform feature or default setting; or

(f) Actions or omissions of Customer’s employees, contractors, or Authorized Users that interfere with Platform operation.

For the avoidance of doubt: Kiken shall bear no responsibility for any data loss, or for the absence of a Tracer in such file or for any resulting damages, regardless of the cause of such loss including if Customer fails to configure the Platform to inject Tracers into a particular file type, directory, or data category, and a file within that uncovered scope is subsequently exfiltrated, Kiken shall bear no responsibility.

4. DATA POSTURE MANAGEMENT SECURITY (DSPM) SCANNING SERVICES

4.1 Scanning Functionality

The Platform provides DSPM Scanning capabilities that analyze the Customer Environment to identify, classify, and report on data assets, security posture, misconfigurations, access anomalies, and compliance status. Scanning operates in accordance with Customer’s Configuration and the parameters established through the Platform dashboard.

4.2 Scope of Scanning

DSPM Scanning is limited to the systems, networks, endpoints, and data repositories that Customer has connected to and configured within the Platform. The Platform cannot scan systems or data stores that have not been integrated with the Platform or that are outside the scope of Customer’s Configuration.

4.3 Scanning Limitations

Customer acknowledges that DSPM Scanning: (a) may not identify all security vulnerabilities, misconfigurations, or data exposures within the Customer Environment; (b) relies on Customer providing accurate and complete network topology, access credentials, and system integration information; (c) may produce false positives or false negatives; and (d) does not constitute a penetration test, security audit, or compliance certification. Customer is solely responsible for evaluating and acting upon the results of DSPM Scanning.

5. CUSTOMER RESPONSIBILITIES; CONFIGURATION AND DEPLOYMENT

5.1 Configuration Obligations

Customer is solely responsible for: (a) the initial and ongoing configuration of the Platform, including the selection of file types, data categories, directories, network segments, and policies for Tracer Injection and DSPM Scanning; (b) ensuring that the Configuration accurately reflects Customer’s data protection objectives and environment; (c) reviewing and updating the Configuration as Customer’s environment, infrastructure, or data protection requirements change; and (d) testing and validating that the Configuration produces the intended results within the Customer Environment.

5.2 Environment Requirements

Customer shall ensure that the Customer Environment meets the minimum technical requirements specified in the Documentation, including but not limited to operating system versions, network configurations, firewall rules, outbound connectivity requirements, and endpoint agent deployment specifications. Customer acknowledges that failure to meet these requirements may materially impair Platform functionality and intended protections.

5.3 Security Practices

Customer acknowledges that the Platform is one component of a comprehensive security strategy and is not a substitute for prudent security practices. Customer understands that it shall maintain reasonable security measures within the Customer Environment, including but not limited to access controls, network segmentation, endpoint protection, patch management, incident response planning, employee security awareness training, and regular security assessments. Customer understands that is platform is not an insurance product or provide insurance coverage for data loss or infiltrations, and Customer, at its option, will select and maintain its own data loss, data infiltration, and cyber insurance coverage appropriate to Customer’s risk profile and determined by its internal risk management personnel Kiken makes no opinion or advice to Customer as to the amount of and type(s) of related insurance coverage.

5.4 Cooperation

Customer shall provide Kiken with reasonable cooperation, access, and information necessary for Kiken to deliver the Platform and any Professional Services. Customer shall promptly notify Kiken of any material changes to the Customer Environment that may affect Platform operation.

5.5 Compliance with Laws

Customer is solely responsible for ensuring that its use of the Platform, including the deployment of Tracers and DSPM Scanning within the Customer Environment, complies with all applicable Federal, State, Administrative and local laws, regulations, and industry standards, including without limitation data protection, privacy, employment, and electronic surveillance laws applicable to Customer’s jurisdiction and industry.  Customer does and forever shall hold Kiken harmless (and defend Kiken) from any and all claims made by any party in reference to the use of this Platform for alleged violations of any law or standard.6. SHARED RESPONSIBILITY MODEL

The parties acknowledge and agree that notwithstanding the full exclusion of liability as set forth in this agreement, and Customers continued security responsibilities. The allocation of security responsibilities between Kiken and Customer is set forth in Exhibit C (Shared Responsibility Matrix), which is incorporated herein by reference. In general:

Kiken Shall Provide: the security, availability, and integrity of the Platform infrastructure; maintaining and updating the Tracer Technology and DSPM Scanning engine; applying security patches to Platform components; providing secure API endpoints; encrypting Customer Data in transit and at rest within the Platform; and maintaining the Platform’s SOC 2 Type II compliance (or equivalent).

Customer is Responsible for: the configuration of the Platform; the complete and up to date number of Agents, the security of the Customer Environment; the management of Authorized User accounts and credentials; the accuracy and completeness of system integrations; compliance with applicable laws regarding the deployment of Tracers and monitoring within Customer’s systems; and all decisions made in reliance upon Platform outputs, reports, and alerts.

7. PROFESSIONAL SERVICES

7.1 Scope

Kiken may provide Professional Services to Customer as specified in an Order Form or a mutually executed statement of work (“SOW”). Each SOW shall describe the scope, deliverables, timeline, and fees for such Professional Services and shall be governed by this Agreement.

7.2 Professional Services Warranty

Notwithstanding the limits and exclusion of Kiken liability as set forth in this agreement, Kiken Professional Services will be performed as stated herein and consistent with reasonable industry standards. Customer must notify Kiken in writing of any alleged failures by Kiken within thirty (30) days of the performance of the applicable Professional Services.

7.3 Sole Remedy for Professional Services

Customer’s sole and exclusive remedy, and Kiken’s sole and entire liability, for any claimed product or platform failure, in Section 7.2 shall be, at Kiken’s option: (a) re-performance of the applicable Professional Services at no additional charge; or (b) if Kiken is unable to re-perform in a manner that substantially meets the product description within thirty (30) days of written notice, a refund of the fees paid for the deficient Professional Services and time-period. This is limited to the limited period of the failure and not to be construed as the entire scope of engagement or previous fees paid. This Section 7.3 describes the sole and exclusive remedy of Customer and the entire liability of Kiken with respect to any claim arising from or relating to Professional Services.

7.4 Customer Dependencies

Kiken’s obligation to perform Professional Services is contingent upon Customer’s payment of all fees due to Kiken, timely provision of access, information, resources, and cooperation as reasonably required. Delays caused by Customer shall not constitute a failure by Kiken, and Kiken shall be entitled to adjust timelines accordingly.

8. INTELLECTUAL PROPERTY

8.1 Kiken IP

Kiken and its licensors retain all right, title, and interest in and to the Platform, including all Tracer Technology, scanning algorithms, software, documentation, trademarks, patents (including any patent-pending technology), copyrights, trade secrets, and all other intellectual property rights therein. This Agreement does not convey to Customer any ownership interest in or to the Platform, but only a limited right of access and use as expressly set forth herein for the period and fees as set forth in the Order Form.

8.2 Customer Data

As between the parties, Customer retains all right, title, and interest in and to Customer Data. Customer grants Kiken a non-exclusive, worldwide, royalty-free license to access, process, and use Customer Data solely to the extent necessary to provide the Platform and related services during the Subscription Term.

8.3 Aggregated Data

Kiken may collect, aggregate, and anonymize data derived from Customer’s use of the Platform (“Aggregated Data”) for purposes of improving the Platform, developing threat intelligence, generating benchmarks, and for other lawful business purposes, provided that such Aggregated Data does not identify Customer or any individual. Kiken owns all right, title, and interest in Aggregated Data.

8.4 Feedback

If Customer provides Kiken with any suggestions, enhancement requests, recommendations, or other feedback regarding the Platform (“Feedback”), Customer hereby assigns to Kiken all right, title, and interest in such Feedback, and Kiken shall be free to use, incorporate, and commercialize any Feedback without restriction or obligation.

9. FEES AND PAYMENT

9.1 Fees

Customer shall pay all fees specified in the applicable Order Form. Unless otherwise stated in the Order Form, all fees are quoted in U.S. dollars and are due net thirty (30) days from the invoice date. All fees owed pursuant to an Order Form are non-cancellable and non-refundable for the applicable Subscription Term. Customer’s obligation to pay fees is unconditional and is not subject to any right of set-off, counterclaim, or deduction.  Service commences upon the full payment of fees as set forth in the Order Form Agreement.

9.2 Late Payment

Any amounts not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law and Kiken reserves the right to recover all costs of collection including court and attorney fees incurred for any and all unpaid fees

9.3 Suspension for Non-Payment and Credit Risk

Kiken may suspend Customer’s access to the Platform: (a) upon fifteen (15) days’ written notice of non-payment if payment is not received within such notice period; or (b) immediately if Kiken has reasonable grounds to believe that Customer will not make timely payment, including but not limited to Customer’s insolvency, material deterioration of Customer’s creditworthiness, or a pattern of late payments. Suspension under this Section shall not relieve Customer of its payment obligations.

9.4 Taxes

Any and all state and local taxes as applicable for each jurisdiction will be added to the Customer invoicing. Customer is responsible for all sales, sales and use, value-added, withholding, and other taxes imposed on the transactions contemplated by this Agreement, excluding income taxes upon Kiken’s .

9.5 Disputed Invoices

If Customer disputes any invoice in good faith, Customer shall: (a) provide written notice to Kiken within ten (10) business days of receipt of the disputed invoice, specifying in reasonable detail the nature and basis of the dispute; (b) pay all undisputed amounts by the original due date; and (c) cooperate in good faith with Kiken to resolve the dispute within thirty (30) days of written notice. If the parties are unable to resolve the dispute within such thirty (30) day period, either party may pursue the dispute resolution procedures set forth in Section 21. Failure to provide timely written notice of a dispute shall constitute a waiver of Customer’s right to dispute such invoice.

9.6 Agent-Based Licensing

Customer’s use of the Platform is licensed on a per-Agent basis. The number of Agents licensed to Customer is specified in the applicable Order Form. Customer may not deploy Agents in excess of the licensed quantity without executing a new or amended Order Form. If Customer requires coverage for additional network segments, regions, or endpoints beyond those covered by its existing Agent allocation, Customer must purchase additional Agents at Kiken’s then-current pricing.  Customer will at all times, be responsible for the fees for all Agents utilizing the platform.

10. CONFIDENTIALITY

10.1 Confidential Information

Each party (“Disclosing Party”) may disclose to the other party (“Receiving Party”) certain non-public information that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure (“Confidential Information”). Kiken’s Confidential Information includes the Platform, Tracer Technology, pricing, security architecture, and all proprietary methodologies. Customer’s Confidential Information includes Customer Data and Configuration details.

10.2 Obligations

The Receiving Party shall: (a) hold Confidential Information in strict confidence using at least the same degree of care it uses for its own confidential information, but no less than reasonable care; (b) not disclose Confidential Information to any third party except as expressly permitted herein or with the Disclosing Party’s prior written consent; and (c) use Confidential Information solely for the purposes of this Agreement.

10.3 Exceptions

Confidential Information does not include information that: (a) is or becomes publicly available without breach of this Agreement; (b) was known to the Receiving Party prior to disclosure without restriction; (c) is independently developed by the Receiving Party without use of Confidential Information; or (d) is rightfully received from a third party without restriction. A Receiving Party may disclose Confidential Information to the extent required by law or court order, provided it gives the Disclosing Party prompt written notice and reasonable cooperation to seek a protective order.

11. DATA PROCESSING AND PRIVACY

To the extent Kiken processes personal data on behalf of Customer, the parties’ respective obligations regarding such processing shall be governed by the Data Processing Addendum attached hereto as Exhibit B, which is incorporated by reference. Customer represents and warrants that it has obtained all necessary consents, authorizations, and legal bases required under applicable data protection laws for the deployment of Tracers within, and the scanning of, the Customer Environment, including but not limited to the monitoring of file movements and the transmission of Tracer data to the Platform, and holds Kiken harmless for any and all claims that Customer violated any law in the deployment and use of this Platform.

12. LIMITED WARRANTY

12.1 Platform Performance Warranty

Kiken warrants that, during the Subscription Term, the Platform will perform substantially in accordance with the Documentation when used in compliance with this Agreement and the Documentation. This warranty applies only when the Platform is properly configured by Customer in accordance with the Documentation and Kiken’s published configuration guides.

12.2 Sole Remedy for Platform Warranty

Customer’s sole and exclusive remedy, and Kiken’s sole and entire liability, for any breach of the warranty set forth in Section 12.1 shall be, at Kiken’s option: (a) commercially reasonable efforts to correct the non-conformity; or (b) if Kiken is unable to correct such non-conformity within sixty (60) days following written notice from Customer, termination of the affected subscription and a pro rata refund of prepaid fees for the unused portion of the Subscription Term. This Section 12.2 describes the sole and exclusive remedy of Customer and the entire liability of Kiken with respect to any claim arising from or relating to the Platform’s performance or functionality.

12.3 Warranty Conditions

The warranty in Section 12.1 shall not apply to the extent any non-conformity results from: (a) use of the Platform other than in accordance with the Documentation; (b) modifications to the Platform not authorized by Kiken; (c) combination of the Platform with third-party software, hardware, or services not approved by Kiken; (d) Customer’s failure to implement updates or patches provided by Kiken; or (e) issues arising from the Customer Environment, including misconfigurations, infrastructure failures, or network issues.

12.4 Documentation Updates

Kiken may update the Documentation from time to time in its sole discretion to reflect changes in the Platform’s features, functionality, configuration requirements, or best practices, provided that such updates shall not materially diminish the core functionality of the Platform during the then-current Subscription Term. Updated Documentation shall be made available through Kiken’s standard documentation channels.

13. DISCLAIMER OF WARRANTIES

EXCEPT FOR THE EXPRESS LIMITED WARRANTIES SET FORTH IN SECTIONS 12.1 AND 7.2, THE PLATFORM, ALL PROFESSIONAL SERVICES, AND ALL RELATED SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” KIKEN HEREBY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

WITHOUT LIMITING THE FOREGOING, KIKEN MAKES NO WARRANTY OR REPRESENTATION THAT:

(A) THE PLATFORM WILL DETECT, PREVENT, REPORT, OR MITIGATE ALL DATA LOSS EVENTS, UNAUTHORIZED ACCESS, SECURITY BREACHES, EXFILTRATION ATTEMPTS, OR OTHER SECURITY INCIDENTS;

(B) TRACERS WILL SUCCESSFULLY PHONE HOME OR REPORT THEIR STATUS IN EACH AND EVERY CASE, UNDER ALL CONDITIONS, OR ACROSS ALL THREAT ENVIRONMENTS;

(C) THE PLATFORM WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE;

(D) THE PLATFORM WILL IDENTIFY ALL VULNERABILITIES, MISCONFIGURATIONS, OR SECURITY EXPOSURES WITHIN THE CUSTOMER ENVIRONMENT;

(E) THE PLATFORM WILL OPERATE EFFECTIVELY AGAINST ADVANCED PERSISTENT THREATS (APTS), STATE-SPONSORED THREAT ACTORS, ZERO-DAY EXPLOITS, OR NOVEL ATTACK VECTORS CURRENTLY UNKNOWN TO KIKEN; OR

(F) THE RESULTS OBTAINED FROM USE OF THE PLATFORM WILL BE ACCURATE, RELIABLE, OR COMPLETE.

CUSTOMER ACKNOWLEDGES THAT NO DATA LOSS PREVENTION, DATA POSTURE MANAGEMENT, OR CYBERSECURITY SOLUTION CAN GUARANTEE COMPLETE PROTECTION AGAINST ALL THREATS. THE PLATFORM IS A RISK-REDUCTION TOOL DESIGNED TO SUBSTANTIALLY REDUCE THE LIKELIHOOD OF UNDETECTED DATA LOSS AND TO IMPROVE CUSTOMER’S SECURITY POSTURE. IT IS NOT INSURANCE, AND IT IS NOT A GUARANTEE AGAINST DATA LOSS OR SECURITY INCIDENTS. CUSTOMER IS SOLELY RESPONSIBLE FOR MAINTAINING COMPREHENSIVE SECURITY PRACTICES, POLICIES, PROCEDURES, AND INSURANCE COVERAGE APPROPRIATE TO CUSTOMER’S RISK AND RISK MANAGEMENT PROFILE.

14. LIMITATION OF LIABILITY

14.1 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR:

(A) LOSS OF DATA, INCLUDING CUSTOMER DATA THAT WAS EXFILTRATED, STOLEN, DESTROYED, CORRUPTED, OR OTHERWISE COMPROMISED;

(B) LOSS OF REVENUE, PROFITS, GOODWILL, OR BUSINESS OPPORTUNITIES;

(C) BUSINESS INTERRUPTION OR LOSS OF USE;

(D) THE COST OF DATA BREACH NOTIFICATION, CREDIT MONITORING, FORENSIC INVESTIGATION, OR REMEDIATION;

(E) REGULATORY FINES, PENALTIES, OR ASSESSMENTS IMPOSED BY ANY GOVERNMENTAL AUTHORITY;

(F) THIRD-PARTY CLAIMS ARISING FROM OR RELATED TO A SECURITY INCIDENT, DATA BREACH, OR DATA LOSS EVENT;

(G) REPUTATIONAL HARM OR DAMAGE;

(H) THE FAILURE OF ANY TRACER TO PHONE HOME, REPORT, OR OTHERWISE FUNCTION AS INTENDED; OR

(I) THE FAILURE OF DSPM SCANNING TO IDENTIFY ANY VULNERABILITY, MISCONFIGURATION, OR EXPOSURE;

IN EACH CASE WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY REMEDY PROVIDED HEREIN.

14.2 Cap on Direct Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE AGGREGATE LIABILITY OF EITHER PARTY UNDER THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES ACTUALLY PAID OR PAYABLE BY CUSTOMER TO KIKEN DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM (THE “GENERAL CAP”).

14.3 Super Cap Obligations

Notwithstanding Section 14.2, the aggregate liability of either party for breaches of Section 10 (Confidentiality) and Section 15 (Indemnification) shall not exceed two times (2x) the General Cap.

14.4 Exceptions

The limitations in this Section 14 shall not apply to: (a) Customer’s payment obligations under this Agreement; (b) either party’s liability for fraud, willful misconduct, or gross negligence; (c) Kiken’s indemnification obligations under Section 15.1 (IP Indemnification); or (d) either party’s liability for breach of Section 2.3 (Usage Restrictions) or Section 8 (Intellectual Property).

14.5 Basis of the Bargain; Mutual Acknowledgment

The parties specifically acknowledge that the limitations and exclusions set forth in this Section 14 are reflected in Kiken’s pricing and form an essential basis of the bargain between the parties. These limitations reflect a reasonable allocation of risk between the parties and shall apply notwithstanding any failure of the essential purpose of any limited remedy. Both parties acknowledge that they have freely negotiated these limitations, that the fees payable hereunder reflect such allocation, and that absent these limitations, the fees for the Platform would be substantially higher. Each party has had the opportunity to consult with legal counsel regarding these provisions.

15. INDEMNIFICATION

15.1 Kiken Indemnification (IP)

Kiken shall defend, indemnify, and hold harmless Customer and its officers, directors, employees, and agents from and against any third-party claim alleging that Customer’s authorized use of the Platform infringes or misappropriates such third party’s intellectual property rights (“IP Claim”), and shall pay any damages finally awarded or settlement amounts agreed to by Kiken. If an IP Claim is made or appears likely, Kiken may, at its sole option: (a) procure the right for Customer to continue using the Platform; (b) modify the Platform to make it non-infringing without materially diminishing functionality; or (c) if neither (a) nor (b) is commercially reasonable, terminate the affected subscription and refund any prepaid fees for the unused Subscription Term.

This Section 15.1 describes the sole and exclusive remedy of Customer and the entire liability of Kiken with respect to any IP Claim or any claim of infringement or misappropriation of intellectual property rights.

15.2 IP Indemnification Exclusions

Kiken’s indemnification obligation under Section 15.1 shall not apply to the extent an IP Claim arises from: (a) modifications to the Platform made by anyone other than Kiken; (b) Customer’s combination of the Platform with third-party products, services, or data not contemplated by the Documentation; (c) Customer’s use of the Platform in violation of this Agreement; or (d) Customer’s continued use of a version of the Platform after Kiken has provided an updated, non-infringing version, or any unauthorized use or use during non-payment.

15.3 Customer Indemnification

Customer shall defend, indemnify, and hold harmless Kiken and its officers, directors, employees, and agents from and against any third-party claim arising from or related to: (a) Customer Data, including any claim that Customer Data infringes or misappropriates any third party’s rights; (b) Customer’s use of the Platform in violation of this Agreement or applicable law; (c) Customer’s deployment of Tracers or DSPM Scanning in a manner that violates the privacy rights or other legal rights of any third party; or (d) Customer’s failure to maintain adequate security practices within the Customer Environment.

15.4 Indemnification Procedure

The indemnified party shall: (a) promptly notify the indemnifying party in writing of any claim (provided that failure to provide prompt notice shall not relieve the indemnifying party of its obligations except to the extent materially prejudiced); (b) grant the indemnifying party sole control of the defense and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying party’s expense. The indemnifying party shall not settle any claim in a manner that imposes liability or obligations on the indemnified party without its prior written consent, not to be unreasonably withheld.

16. TERM AND TERMINATION

16.1 Term

This Agreement commences on the Effective Date and continues until all subscriptions hereunder have expired or been terminated. Each Subscription Term shall be as specified in the applicable Order Form and shall automatically renew for successive periods equal to the initial Subscription Term unless either party provides written notice of non-renewal at least sixty (60) days prior to the expiration of the then-current term.

16.2 Termination for Cause

Either party may terminate this Agreement: (a) upon thirty (30) days’ written notice if the other party materially breaches this Agreement and fails to cure such breach within the notice period; or (b) immediately upon written notice if the other party becomes insolvent, makes an assignment for the benefit of creditors, or becomes the subject of any bankruptcy or similar proceeding.

16.3 Effect of Termination

Upon termination or expiration: (a) all rights granted hereunder shall immediately cease; (b) Customer shall cease all use of the Platform; (c) each party shall return or destroy the other party’s Confidential Information; and (d) Kiken shall make Customer Data available for export for thirty (30) days following termination, after which Kiken may delete Customer Data. Sections 1, 5, 8, 9, 10, 13, 14, 15, and 21 shall survive any termination or expiration of this Agreement, together with any other provisions that by their nature are intended to survive, including any accrued rights to payment.

17. SERVICE LEVEL AGREEMENT

Kiken shall use commercially reasonable efforts to maintain Platform availability in accordance with the Service Level Agreement attached hereto as Exhibit A. Service credits issued under the SLA shall constitute Customer’s sole and exclusive remedy, and Kiken’s sole and entire liability, for any failure to meet the availability commitments specified therein.

18. FORCE MAJEURE

Neither party shall be liable for any failure or delay in performing its obligations under this Agreement (other than payment obligations) to the extent such failure or delay results from circumstances beyond such party’s reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of governmental authorities, epidemics or pandemics, power failures, telecommunications failures, internet service disruptions, denial-of-service attacks, cyberattacks against the Platform infrastructure by third parties, service disruptions involving hardware, software, or power systems not within such party’s possession or reasonable control (including disruptions affecting third-party cloud hosting providers, content delivery networks, and infrastructure-as-a-service platforms upon which the Platform relies), or changes in applicable law or regulation. The affected party shall provide prompt notice and use commercially reasonable efforts to mitigate the impact of the force majeure event.

19. EXPORT COMPLIANCE

Customer acknowledges that the Platform may be subject to export control and sanctions laws of the United States and other jurisdictions. Customer shall not access or use the Platform in violation of any applicable export control laws or regulations, and represents that it is not located in, or a national or resident of, any country subject to comprehensive U.S. sanctions, and is not listed on any U.S. government denied-party list.

20. ANTI-CORRUPTION

Each party represents and warrants that it has not and will not, in connection with the transactions contemplated by this Agreement, directly or indirectly make, offer, promise, or authorize any payment or transfer of anything of value to any government official, political party, or candidate for political office for the purpose of influencing any act or decision, in violation of the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, or any other applicable anti-corruption law.

21. DISPUTE RESOLUTION; GOVERNING LAW

21.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois, without regard to its conflict of laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.

21.2 Dispute Resolution

Any dispute arising out of or relating to this Agreement shall first be submitted to good-faith negotiation between senior executives of each party for a period of thirty (30) days. If the dispute is not resolved through negotiation, either party may initiate binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The arbitration shall be conducted by a single arbitrator in DuPage County, Illinois. The arbitrator’s award shall be final and binding, and judgment thereon may be entered in any court of competent jurisdiction.

21.3 Injunctive Relief

Notwithstanding Section 21.2, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or Confidential Information without being required to post a bond or other security.

21.4 Jury Waiver

TO THE FULLEST EXTENT PERMITTED BY LAW, EACH PARTY HEREBY IRREVOCABLY WAIVES ANY RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS AGREEMENT.

22. GENERAL PROVISIONS

22.1 Entire Agreement; Integration; Purchase Order Terms

This Agreement, together with all Order Forms and Exhibits, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations, and understandings, whether written or oral. Notwithstanding any terms contained in any Customer purchase order, requisition, or similar document, no terms stated therein other than product name, license quantity (number of Agents), price, Subscription Term, and billing contact shall be incorporated into this Agreement, and all such other terms are expressly rejected and shall have no force or effect on this party agreement. In the event of any conflict between the body of this Agreement and any Order Form or Exhibit, this Agreement shall control unless the Order Form or Exhibit expressly states that it supersedes a specific provision of this Agreement.

22.2 Amendments

For customers subscribing through Kiken’s standard online subscription process, Kiken may update this Agreement from time to time by posting a revised version on its website or providing notice to Customer. Material changes shall be effective thirty (30) days after notice. Continued use of the Platform after such notice constitutes acceptance of the updated terms. For Enterprise Customers, amendments to this Agreement require mutual written consent executed by authorized representatives of both parties.

22.3 Assignment

Neither party may assign this Agreement without the other party’s prior written consent, except that either party may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees to be bound by this Agreement.

22.4 Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties’ original intent.

22.5 Waiver

No waiver of any breach of this Agreement shall constitute a waiver of any other or subsequent breach. No waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party.

22.6 Notices

All notices under this Agreement shall be in writing and shall be deemed given when: (a) delivered personally; (b) sent by confirmed email to the address specified in the Order Form; or (c) one (1) business day after deposit with a nationally recognized overnight courier, addressed to the party at the address specified in the Order Form.

22.7 Independent Contractors

The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, or employment relationship between the parties.

22.8 No Third-Party Beneficiaries

This Agreement is for the sole benefit of the parties and their permitted successors and assigns. Nothing in this Agreement, express or implied, is intended to or shall confer upon any third party any legal or equitable right, benefit, or remedy.

22.9 Counterparts

Order Forms may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one instrument. Electronic signatures shall be deemed valid and binding.

22.10 Order of Precedence

In the event of a conflict among the documents forming this Agreement, the following order of precedence shall apply (highest to lowest): (a) the body of this Agreement; (b) any Exhibits or Addenda; (c) Order Forms; and (d) the Documentation. Notwithstanding the foregoing, an Order Form may expressly supersede a specific provision of this Agreement only if the Order Form specifically identifies the provision being superseded.

IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by their duly authorized representatives as of the Effective Date.

KIKEN TECHNOLOGIES LLC

By: ___________________________________

Name: ________________________________

Title: _________________________________

Date: _________________________________

CUSTOMER:

By: ___________________________________

Name: ________________________________

Title: _________________________________

Date: _________________________________

EXHIBIT A: SERVICE LEVEL AGREEMENT

1. Platform Availability

Kiken shall use commercially reasonable efforts to maintain Platform availability of at least ninety-nine and nine-tenths percent (99.9%) during each calendar month, measured on a 24×7 basis, excluding Scheduled Maintenance (“Uptime Commitment”).

2. Scheduled Maintenance

Kiken will provide at least seventy-two (72) hours’ prior written notice for scheduled maintenance windows. Scheduled maintenance will be performed during off-peak hours (between 12:00 AM and 6:00 AM Central Time) whenever commercially practicable.

3. Service Credits

If Kiken fails to meet the Uptime Commitment in any calendar month, Customer shall be eligible for service credits as follows: (a) 99.0% to 99.89%: credit equal to ten percent (10%) of monthly fees; (b) 95.0% to 98.99%: credit equal to twenty-five percent (25%) of monthly fees; (c) below 95.0%: credit equal to fifty percent (50%) of monthly fees. Service credits must be requested within thirty (30) days of the applicable month and shall be applied as a credit against future invoices. Service credits shall not exceed fifty percent (50%) of the monthly fees for the applicable month. Service credits constitute Customer’s sole and exclusive remedy, and Kiken’s sole and entire liability, for any failure to meet the Uptime Commitment.

4. Exclusions

The Uptime Commitment does not apply to: (a) Scheduled Maintenance; (b) force majeure events; (c) issues caused by the Customer Environment or Customer’s equipment; (d) internet connectivity issues beyond Kiken’s control; or (e) Customer’s misuse of the Platform.

EXHIBIT B: DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) supplements the Agreement and governs the processing of personal data by Kiken on behalf of Customer.

1. Roles

For purposes of applicable data protection laws, Customer is the data controller and Kiken is the data processor with respect to personal data processed through the Platform. Kiken shall process personal data only on Customer’s documented instructions and only to the extent necessary to provide the Platform.

2. Security Measures

Kiken shall implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including encryption in transit and at rest, access controls, logging, and regular security assessments.

3. Sub-processors

Kiken may engage sub-processors to assist in providing the Platform, provided that Kiken: (a) maintains a current list of sub-processors available upon request; (b) provides Customer with at least thirty (30) days’ prior notice before engaging a new sub-processor; (c) enters into written agreements with sub-processors imposing data protection obligations no less protective than those in this DPA; and (d) remains liable for the acts and omissions of its sub-processors.

4. Data Subject Rights

Kiken shall promptly notify Customer if it receives a request from a data subject exercising rights under applicable data protection laws, and shall provide reasonable assistance to Customer in responding to such requests.

5. Data Breach Notification

Kiken shall notify Customer without undue delay (and in any event within seventy-two (72) hours) upon becoming aware of any personal data breach affecting Customer Data processed through the Platform. Such notification shall include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to be taken to address the breach.

6. Data Return and Deletion

Upon termination of the Agreement, Kiken shall, at Customer’s election, return or delete all personal data processed on behalf of Customer, and certify such deletion in writing, subject to applicable legal retention requirements.

EXHIBIT C: SHARED RESPONSIBILITY MATRIX

The following matrix sets forth the allocation of security responsibilities between Kiken and Customer. This matrix is illustrative and does not limit the obligations set forth elsewhere in the Agreement.

KIKEN RESPONSIBILITIES (Platform Security):

Platform infrastructure security, including hosting, network, and physical security

Encryption of Customer Data in transit and at rest within the Platform

Maintenance and patching of Platform software components

Tracer Technology development, maintenance, and updates

DSPM Scanning engine maintenance and threat intelligence updates

Platform access controls and authentication mechanisms

Incident response for security events affecting Platform infrastructure

SOC 2 Type II compliance (or equivalent) for Platform operations

Secure API endpoints and data transmission

Platform backup and disaster recovery

CUSTOMER RESPONSIBILITIES (Environment Security):

Configuration of the Platform, including Tracer Injection and DSPM Scanning parameters

Security of the Customer Environment, including all endpoints, servers, and networks

Management of Authorized User accounts, credentials, and access permissions

Maintenance of firewalls, access controls, and network segmentation within the Customer Environment

Patch management and vulnerability remediation within the Customer Environment

Employee security awareness training

Compliance with applicable laws regarding Tracer deployment and data monitoring

Incident response within the Customer Environment

Evaluation and action upon Platform reports, alerts, and scan results

Maintaining adequate cyber insurance coverage appropriate to Customer’s risk profile

Ensuring outbound network connectivity from the Customer Environment to permit Tracer phone-home functionality

Timely review and update of Configuration as the Customer Environment changes

SHARED RESPONSIBILITIES:

Integration and onboarding of the Platform within the Customer Environment (Kiken provides guidance; Customer implements)

Ongoing communication regarding platform updates, threat intelligence, and configuration best practices

Incident investigation involving both Platform and Customer Environment components.