Master Subscription Agreement

Master Subscription Agreement Guide

Thank you for reviewing the Keyless Master Subscription Agreement ("Agreement") and order form (collectively, "Documents"). We recognize that sometimes attorneys and contract professionals are asked to redline an agreement without a complete understanding of how the service works. We hope that this Guide will be useful as you review the Documents. This Guide is for informational purposes only and should not be construed as legal advice. It does not form part of the contract and will be deleted in the next version of the Documents you receive.

Keyless is a passwordless, multi-factor authentication (MFA) solution that provides strong authentication for users using biometric authentication technology that includes liveness detection. It does not rely on passwords, PIN codes or time codes but instead provides secure authentication without processing any biometric data. Keyless offers two products, and the specific one will be identified on the applicable order form.

• Consumer - authentication for end users (e.g., your customers, consumers) to access online services, websites, and providers or to facilitate customer payments and financial transactions.
• Workforce - authentication for workforce users (e.g., your employees and other staff) to access company systems for mobile or desktop, including through integration with the customer's third-party identity provider. In addition, our customers may use the Keyless Authenticator app to access our services or embed the Keyless SDK into their own branded mobile app.

We acknowledge that our service is complex, and therefore have provided an outline below.

In the first phase, the end user enrolls their device with your company software that has been integrated with the Keyless software (e.g., software development kit or mobile or Windows app for desktop).

1. Initiate: The end user uses your website or application and initiates enrollment.
2. Read biometrics: The end user's device camera captures a sequence of images
3. Extract features: The images are processed on the end user's device to extract biometric features and create a template from those features.
4. Key generation: The end user device generates a unique encrypted cryptographic string and keypair (a Keyless identifier) and destroys the template immediately and irreversibly.
5. Upload and store: The cryptographic string is transmitted to Keyless systems via the Keyless software and is distributed to different nodes.

In the second phase, the end user authenticates their identity in order to log into your website/app or confirm a transaction. The initial steps are the same seen in the Enrollment:

1. Initiate: The end user uses your website or application and initiates authentication.
2. Read biometrics: The end user's device camera captures a sequence of images.
3. Extract features: The images are processed on the end user's device to extract biometric features and create a template from those features. Here is where the steps change:
4. Retrieve key: The template is immediately and irreversibly converted into a unique encrypted cryptographic string which is used to retrieve a cryptographic key corresponding to the Keyless identifier by interacting with one or more nodes within the Keyless systems. This "matching process" involves the Keyless systems performing a match based on a matching algorithm running between the user’s device and one or more Keyless nodes. After the match, the template is destroyed.
5. User key: The end user's device uses the cryptographic key to authenticate the end user.

Customers integrate through Keyless application programming interface (API) and integration of the Keyless SDK into your mobile application, if applicable.

Our privacy-preserving service does not process biometric data. All biometric data stays on the end user device. Instead, Keyless may receive from your end users:

• profile information (e.g., username or email address) that the end user uses to login to your company app/website.
• device data from the end user’s device (e.g., device type, operating system, browser type, IP address, language settings).

Keyless will generate a unique Keyless identifier (cryptographic key) within its systems.

• EEA, UK and Swiss Privacy Policy (Exhibit A): Please see the exhibit attached to the Agreement which details Keyless data processing activities for the establishment and management of the contractual relationship with its Customers under Data Protection Laws.
• EEA, UK and Swiss Data Processing Addendum (Exhibit B): Please see the exhibit attached to the Agreement that sets out the subject-matter and duration of the processing carried out in order to provide the Service, as well as the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the Customer under the GDPR and other European privacy laws.
• Technical and Organizational Security Measures (Exhibit C): Please see the exhibit attached to the Agreement which sets out Keyless security controls as they apply to personal data processed in our service.

Master Subscription Agreement

This Master Subscription Agreement (this "Agreement"), effective as of the date of the Order Form (the "Effective Date"), is between You and KEYLESS TECHNOLOGIES SRL (if You are based in the European Union) or KEYLESS TECHNOLOGIES LIMITED (if You are based outside the European Union) (in both cases "Keyless" or "Us" or "We").

KEYLESS TECHNOLOGIES SRL is a private limited company incorporated in Italy with company number ID and VAT No. 14880901005, whose registered office is at Viale Luca Gaurico 9-11, 00144 Rome, Italy wholly owned by KEYLESS TECHNOLOGIES LIMITED incorporated and registered in England and Wales with company number 11362854 whose registered office is at Milton Gate 60 Chiswell Street London United Kingdom EC1Y 4AG.

By installing our SDK You accept to be bound by the terms and conditions set out in this Agreement.

We provide the Services (as defined herein) to which You intend to subscribe, and this Agreement establishes the business relationship and allocation of responsibilities regarding the Services; now, therefore, the parties agree as follows:

1. Definitions.

   "Affiliates" means, in respect to a party to this Agreement, any company or entity controlled by, controlling or under common control with such party. For this purpose, a party is deemed to "control" a company or entity if it (a) owns, directly or indirectly, at least 50 percent of the capital of the other company, or (b) in the absence of such ownership interest, substantially has the power to direct or cause the direction of the management and set the policies of such company or entity, whether through the ownership of voting securities or other ownership interests, by contract or otherwise.

   "Applicable Laws" means all laws, rules, and regulations applicable to the Services, including but not limited to those relating to privacy, data protection, and data security.

   "Authorized User" means an individual (such as Your employees, consultants, contractors or agents) who is authorized by You to implement and manage the use of the Services.

   "Documentation" means Keyless documentation, guides and policies, including those available at https://docs.keyless.io as updated from time to time, provided by Keyless to You or End Users in connection with the Services.

   "End User" means individuals for whom a subscription to the Services has been procured by You in accordance with Section 5.4, and may include, for example, Your employees, consultants, contractors, or end-customers, depending on the use case.

   "End User Subscriptions" means the End User subscriptions to the Services purchased by You pursuant to this Agreement and the applicable Order Form.

   "Keyless Privacy Notice" means Keyless publicly-facing service privacy notice located at https://keyless.io/privacy or such successor site, which Keyless may update from time to time.

   "Location and Purpose Exhibit": The preliminary questionnaire by which You undertake to not use the Software for illegal purposes and that You must fill out in order to obtain a copy of the Software as per Exhibit D.

   "Order Form" means an ordering document (including any online order form), specifying the Services to be provided by Keyless, that is entered into between You and Keyless and incorporates the terms of this Agreement by reference.

   "Output" means the output generated by Keyless in connection with Your or End Users’ use of the Services and includes the outcome of an End User authentication (e.g., successful authentication or error report, such as failed authentication, timeout, no match, connection error).

   "Sensitive Personal Information" means for the purposes of this Agreement (a) full credit or debit card numbers or financial account information; Social Security numbers or local equivalents; passport numbers; driver’s license numbers or similar identifiers; passwords; physical or mental health condition or information; any information subject to the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standards, as well as other applicable regulations, laws or industry standards designed to protect similar sensitive information; (b) information related to children under the age of 13 (or in the EEA, UK or Switzerland under 16); (c) any information defined under the EU General Data Protection Regulation 2016/679 as a "special category" of personal data and (d) any other information We reasonably determine is sensitive, provided that We communicate such determination to You.

   "Services" means the passwordless authentication services provided by Us to You under this Agreement, and any Support Services, if applicable as per Exhibit E. The specific Services are identified on the applicable Order Form.

   "Software" means the software applications and platform provided by Us as part of the Services which may include the Keyless application programming interface, software development kit, Keyless Authenticator and Keyless Workforce Authentication application, as applicable.

   "Support Services" means the support services to be provided by Us in connection with the Services according to Exhibit E, as identified on an Order Form, if applicable.

   "Your Data" means any data that You or End Users send, submit or upload to the Services, including data received or collected about the End User through their device.

   "Your Properties" means Your services and digital applications or properties (e.g., webpages, apps, endpoints, platforms) that You integrate with the Services.

   "Your Provider" means a third party application, platform or service utilized by You in connection with Your business.

2. Services.
   1. Provision of Services. We will make the Services purchased under an Order Form available to You in accordance with the terms of this Agreement, including the EEA, UK and Swiss Data Processing Addendum attached as Exhibit B, the Technical and Organizational Security Measures attached asExhibit C, and the applicable Order Form, as applicable. This includes the right to implement the Software on Your Properties as part of its authorized use of the Services, as further described in Section 2.2.
   2. Deployment of Software and Access to Documentation. We will provide You with the Software and relevant Documentation to enable You (and End Users, as applicable) to access and implement the Services. You will implement the Software in accordance with the Documentation and Keyless reasonable instructions and acknowledge that failure to do so may cause the Services to cease working properly.
   3. End User Subscriptions. The applicable Order Form shall set out the number of End User Subscriptions purchased by You. If You wish to purchase additional End User Subscriptions, we shall agree to a new Order Form covering such additional End User Subscriptions.
   4. Third Party Services. In some circumstances, You may authorize Us to connect the Services to Your Providers to receive or send Your Data. You acknowledge and agree that (a) the services of Your Providers do not form part of the Services and (b) Your Providers are service providers of You and not Keyless. The use of Your Providers in connection with the Services may be subject to a separate written agreement between You and Keyless. KEYLESS DISCLAIMS ALL LIABILITY AND RESPONSIBILITY FOR YOUR PROVIDERS OR FOR THEIR ACTS OR OMISSIONS.
3. Proprietary Rights.
   1. Ownership and Limited License to Services. We own and retain all rights, title and interest in and to the Services, including the Software and Documentation. Subject to the terms and conditions of this Agreement and any applicable Order Form, We hereby grant You a limited, royalty-free, non-exclusive, non-transferable right and license, without the right to grant sublicences, to permit the Authorized Users and End Users (as applicable) to use the Services, including the Software and the Documentation, and to receive the Output during the applicable subscription period identified on an Order Form solely for Your internal business operations of providing passwordless authentication and in accordance with the Location and Purpose Exhibit.
   2. Ownership of and Limited License to Your Data. Except for Keyless use rights in this Agreement, as between the parties, You own and retain all rights, title, and interest in and to Your Data. You grant Us a limited, royalty-free, non-exclusive, worldwide right and license to access, receive, use, process, store, and copy Your Data only to provide and maintain Services as set forth in this Agreement.
   3. Aggregated Data. You acknowledge and agree that We may use usage data and data derived from Your Data that is aggregated with comparable data received from other customers ("Aggregated Data") for internal purposes such as operating, maintaining and improving the Services and distribution in general benchmarking or industry-related reports. For absolute clarity, such Aggregated Data shall not be reasonably capable of identifying any underlying individual nor identify You as a source of any Aggregated Data. Keyless will make no attempt to reidentify the Aggregated Data.
   4. Feedback. If You (including any Authorized User) provide us any feedback in connection with the Services, You shall use reasonable efforts to ensure the accuracy of such feedback granting Keyless an unlimited, irrevocable, perpetual, sublicensable, royalty-free license to use any such feedback or suggestions for any purpose without any obligation or compensation to You or any Authorized User.
   5. Beta Services. From time to time, Keyless may invite You to try features or pre-release versions of the Services that are not generally available to You for non-production use ("Beta Services"). You may accept or decline such invitation in Your sole discretion. Beta Services will be clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation or by a description of similar import. Your use of Beta Services will be for the term specified by Keyless and if no term is specified, then for the earlier of one year from the start date of the Beta Services or when that version of the Beta Services becomes generally available and therefore part of the Services. Keyless may discontinue Beta Services at any time in Keyless sole discretion and may never make them generally available. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND NOTWITHSTANDING ANYTHING TO THE CONTRARY, THE BETA SERVICES ARE PROVIDED "AS-IS" WITHOUT ANY WARRANTY OF ANY KIND. THEREFORE, WE HEREBY DISCLAIM ALL LIABILITY FOR ANY HARM OR DAMAGE ARISING OUT OF OR IN CONNECTION WITH ANY BETA SERVICE.
4. Our Commitments.
   1. Compliance with Applicable Law. We will comply with all Applicable Laws in connection with the provision of the Services.
   2. Security. We will maintain a security program with reasonable and appropriate administrative, technical, organizational and physical security measures designed to protect Your Data against unauthorized access, disclosure and loss as set forth on Exhibit C.
   3. Obligations under Exhibits B. Keyless will perform its obligations set out in the EEA, UK and Swiss Data Processing Addendum attached asExhibit B as applicable on a case-by-case basis.
   4. Deletion of Data. Upon termination of this Agreement, You may request deletion of Your Data. We will perform such deletion within ninety (90) days and, where requested by You, certify the same in writing. After the effective date of termination, We shall have no obligation to retain any of Your Data, with the exception of the Aggregated Data and statutory obligations.
5. Your Commitments.
   1. Compliance with Applicable Law. You will comply with all Applicable Laws in connection with the use of the Services.
   2. Account Registration. In some cases, You may register for a Keyless account. In such cases, account information must be accurate, current and complete, and will be treated by Keyless in accordance with the Keyless Privacy Notice. You agree that We may send notices, statements and other information by email or through Your account. You will be solely responsible for all use of the Services under its account, including the acts and omissions of its Authorized Users. In addition, You will use commercially reasonable efforts to prevent unauthorized access to the Keyless Services and will immediately notify Keyless of such unauthorized access.

   3. End User Subscriptions. You acknowledge and agree that:

      1. the maximum number of End Users that are authorized to use the Services shall not exceed the End User Subscriptions You have purchased on the governing Order Form.
      2. You will not allow any End User Subscription to be used by more than one individual End User unless it has been reassigned in its entirety to another individual End User, in which case the prior End User shall no longer have any right to access or use the Services.
      3. You shall maintain a written, up to date list of current End Users and provide such list to Us within five (5) business days of Our written request at any time.
      4. if the Service is hosted on Your premises, You shall permit Us or Our designated auditor to audit Your use of the Services in order to establish each End User and compliance with this Agreement. Each audit may be conducted no more than once per year, at Our expense, and this right shall be exercised with reasonable prior notice, so that it does not substantially interfere with Your normal conduct of business. If any such audits reveal that access to the Services has been provided to any individual who is not an End User or to more End User Subscriptions than as purchased on an Order Form, then without prejudice to Our other rights, You shall promptly disable such access to the Services and We shall not issue any further access to any such individual. If any such audits reveal that You have underpaid the applicable Fees (as subsequently defined) to Us, then without prejudice to Our other rights, You shall pay to Keyless an amount equal to such underpayment as calculated in accordance with the applicable Order Form within 10 (ten) business days of the date of the relevant audit.
   4. Your Responsibilities. You will provide Us with the information reasonably necessary in order for Us to provide the Services, including Your Data (as applicable), security access information and configuration settings. You will use the Services and the Output only: (a) for Your internal business operations of providing multi-factor authentication; (b) in accordance with the terms of this Agreement, and the Documentation; and (c) in compliance with Applicable Laws. If Your Affiliates use the Services, You warrant that it has the authority to bind those Affiliates to this Agreement and shall be fully and jointly liable for Your Affiliates if such Affiliates do not comply with the terms and obligations set forth in this Agreement or any Order Form.
   5. Usage Restrictions. You shall not: (a) make the Services or Output available to anyone other than Authorized Users or End Users, as applicable; (b) transfer, sublicense, resell, time share or similarly exploit the Services; (c) access the Services, including the Software, and Documentation, to build a competitive product or service; (d) de-compile, reverse engineer, modify, adapt, or otherwise attempt to gain unauthorized access to the Service, or introduce any malicious code into the Services; or (e) provide to Keyless any of Your Data that contains Sensitive Personal Information.
   6. Your Data, Privacy Notice and Consent. You are responsible for the legality, accuracy and completeness of Your Data that You transfer to Us and shall ensure You have the right to transfer (or provide or authorize access to) Your Data to Us for the purposes contemplated in this Agreement (and that You have obtained any necessary consents or authorizations to do so). You will only transfer (or provide or authorize access to) Your Data to Us that has been collected, processed and stored in accordance with Your privacy notice and Applicable Laws. You will ensure that Your privacy notice is readily accessible. You are solely responsible for obtaining any necessary consents, permissions and approvals from and providing any notices to end users required by Applicable Laws and this Agreement. You shall ensure that You have in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted.
6. Payment.
   1. Fees and Payment Terms. You will pay the fees as set forth in all applicable Order Forms for the Services, if applicable (the "Fees"). Except as provided herein, all Fees are non-cancelable and non-refundable and payable in the currency identified on the Order Form. If You request invoices (instead of payment by credit card), Fees are payable within thirty (30) days from the applicable invoice date unless otherwise stated in the applicable Order Form. We will notify You in the event You fail to pay any invoice in accordance with the terms of this Section. If any undisputed amount due to Us is not paid within fourteen (14) days of such notice, then, until such amounts are paid in full, We may charge interest on any unpaid amount due at the rate set out by the Legislative Decree 231/2002 (or by the rate set out in the Order Form), from the date such payment was due until the date it is paid. In the event We pursue collection of any overdue Fees payable hereunder, You will reimburse all reasonable third party costs and fees incurred by Us in connection with those collection activities. You shall be responsible for any payments owed but not paid by any of Your Affiliates ordering Keyless Services in any Order Form.
   2. Taxes. The Fees will include any local, state, federal, VAT, sales, use, excise or other taxes, levies or duties where the Services are taxable in the applicable jurisdiction. You are responsible for paying any such taxes, unless You provide Us with a valid tax exemption certificate authorized by the appropriate taxing authority, and excluding taxes based on Our income payable by Us without regard to the transactions contemplated by this Agreement. If applicable, We reserve the right to gross up any Fees, if any required withholding prevents Us from receiving the full amount set forth in the applicable Order Form.
7. Confidentiality.
   1. Definitions. As used herein, "Confidential Information" means all confidential information disclosed by a party ("Disclosing Party") to the other party ("Receiving Party"), whether orally or in writing, that is designated as confidential or that should be reasonably understood as confidential given the nature of the information and the circumstances of disclosure. Your Confidential Information shall include Your Data, and Confidential Information of Us shall include the results of any performance test of the Services, the Software, all Documentation and the Beta Services. Confidential Information of each party shall include the terms and conditions of this Agreement and all Order Forms, as well as business and marketing plans, technology and technical information, product plans and designs, pricing, and business processes disclosed by such party. However, Confidential Information shall not include any information that the Receiving Party can document (a) is or becomes generally available to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party.
   2. Confidentiality Obligations. The Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) (a) not to use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement; and (b) except as otherwise authorized by the Disclosing Party in writing or as necessary to fulfill Receiving Party’s data protection rights and obligations as described herein, to limit access to Confidential Information of the Disclosing Party to those of its employees, contractors and agents who need such access for purposes consistent with this Agreement. Neither party shall disclose the terms of this Agreement or any Order Form to any third party other than its legal counsel and accountants or in confidence in connection with bona fide fundraising or M&A due diligence activities.
   3. Mandated Disclosures. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so; provided, the Receiving Party gives the Disclosing Party prior written notice of such compelled access or disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the access or disclosure. If the Receiving Party is compelled by law to access or disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the access or disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.
8. Warranties; Disclaimer.
   1. Warranties. Each party warrants that it has the authority to enter into this Agreement. We further warrant that (a) the Services will perform materially in accordance with applicable Documentation, and (b) We will not materially decrease the functionality of the Services during the subscription term stated on the applicable Order Form. For any breach of the warranty in the foregoing sentence, Your exclusive remedies are described in Sections 11.2 (Termination for Cause) and 11.3 (Refund or Prepayment for Termination for Cause).
   2. DISCLAIMER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES, INCLUDING SOFTWARE AND DOCUMENTATION AND ALL RELATED SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" AND ANY PROMISES CONTAINED IN THIS AGREEMENT ARE IN LIEU OF ALL OTHER WARRANTIES, REPRESENTATIONS OR CONDITIONS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE (INTER ALIA OF THOSE PROVIDED FOR BY SECTION 1490 AND 1667 OF THE CIVIL CODE), INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ALL OF WHICH ARE EXPRESSLY DISCLAIMED. KEYLESS DOES NOT REPRESENT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE OR MEET YOUR REQUIREMENTS OR THAT THE SERVICES, INCLUDING SOFTWARE AND DOCUMENTATION, MEET OR COMPLY WITH ANY CYBERSECURITY REQUIREMENTS. KEYLESS IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR ANY OTHER LOSS OR DAMAGE RESULTING FROM THE TRANSFER OF DATA OVER COMMUNICATIONS NETWORKS AND FACILITIES (INCLUDING THE INTRANET). YOU ACKNOWLEDGE THAT, AS A SAAS-BASED SERVICE, THE FUNCTIONALITY AND INTERFACES OF THE SERVICES MAY CHANGE OVER TIME.
9. Indemnification.
   1. By Keyless.
      1. General. We will defend You, Your officers, directors and employees against any third party claim, demand, suit, investigation or proceeding (each, a "Claim") made or brought against such party: (i) alleging that the use of the Services as permitted hereunder infringes or misappropriates the intellectual property right of a third party in the country where You are using the Services; or (ii) arising out of Our gross negligence or willful misconduct, and shall indemnify You for any damages, attorneys’ fees and costs finally awarded against You as a result of, or for any amounts paid by You under a court-approved settlement of a Claim.
      2. Infringement Options. If the use of the Services by You have become, or in Our opinion is likely to become, the subject of any Claim, We may at our option and expense: (i) procure for You the right to continue using the Services as set forth herein; (ii) modify the Services to make it non-infringing; or (iii) if the foregoing options are not reasonably practicable, terminate this Agreement and refund You any unused pre-paid Fees.
      3. Limitations. We will have no liability or obligation with respect to any Claim if such Claim is caused in whole or in part by: (i) use of the Services by You that is not in accordance with this Agreement; or (ii) the combination, operation or use of the Services with other applications, portions of applications, products or services where the Services would not by itself be infringing. This Section states Our entire and exclusive obligation, and Your exclusive remedy, for any claim of any nature related to the subject matter described in this Section.
   2. By You. You will defend Us, our officers, directors and employees against any Claim relating to: (a) any violation or alleged violation by You of Section 5 (Your Commitments); or (b) Your gross negligence or willful misconduct, and shall indemnify Us for any damages, attorneys’ fees and costs finally awarded against Us as a result of, or for any amounts paid by Us under a court-approved settlement of, a Claim.
   3. Obligations. The indemnified party will provide the indemnifying party with prompt written notice of any claim, suit or demand of the right to assume the exclusive defense and control of any matter that is subject to indemnification, and cooperation with any reasonable requests assisting the indemnifying party’s defense and settlement of such matter.
10. Limitation of Liability.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

    1. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY CHARACTER AND IN ANY CASE, WHETHER THEY ARE DIRECT OR INDIRECT, FOR LOSS OF GOODWILL, LOST PROFITS, LOST SALES OR BUSINESS, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST DATA, OR FOR ANY AND ALL OTHER SIMILAR DAMAGES OR LOSSES, EVEN IF SUCH PARTY HAS BEEN ADVISED, KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES.
    2. EXCEPT AS DESCRIBED IN THIS PARAGRAPH, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, COSTS, OR LIABILITIES IN AGGREGATE IN EXCESS OF THE AMOUNTS PAID BY YOU IN THE TWELVE-MONTH PERIOD PRIOR TO THE INITIAL LIABILITY CLAIM. THE FOREGOING LIMITATION WILL NOT APPLY TO (A) A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 9, (B) A PARTY’S GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR FRAUD, OR (C) YOUR PAYMENT OBLIGATIONS, OR (D) INSTANCE SET OUT IN SECTION 1229 OF THE CIVIL CODE.

    THE PROVISIONS OF THIS SECTION ALLOCATE THE RISKS UNDER THIS AGREEMENT BETWEEN THE PARTIES, AND THE PARTIES HAVE RELIED ON THE LIMITATIONS SET FORTH HEREIN IN DETERMINING WHETHER TO ENTER INTO THIS AGREEMENT.

11. Term and Termination.
    1. Term. The term of this Agreement will commence on the Effective Date and will continue as long as We are providing Services to You under an applicable Order Form. Each Order Form shall identify the initial subscription period for the Services and unless otherwise stated on the applicable Order Form, such subscription periods shall automatically renew for additional 12 (twelve) months unless either party provides written notice of its intent not to renew at least sixty (60) days prior to the end of the than-current subscription period. After the initial subscription period, if Our pricing increases, We will give You at least sixty (60) days prior notice of the planned increases, with any agreed-to increases taking effect since the following renewal subscription period.
    2. Termination for Cause; Insolvency. Termination of this Agreement will terminate any and all Order Forms under this Agreement. Either party may terminate for cause this Agreement immediately by giving notice in writing to the other party if the other party commits any material breach of any term of this Agreement and has not cured such breach within thirty (30) days of its receipt of written notice of the breach. In addition, if You are contracting with Keyless Technologies Limited, either party may terminate this Agreement immediately for convenience by giving notice in writing to the other party if the other party files for bankruptcy, becomes or is declared insolvent or is the subject of any proceedings related to its liquidation, insolvency or the appointment of a receiver or similar officer for it; makes an assignment for the benefit of all or substantially all of its creditors; enters into an agreement for the cancellation, extension, or readjustment of substantially all of its obligations.
    3. Refund or Payment upon Termination for Cause. Upon any termination for cause by You, We will refund You any prepaid, unused Fees covering the remainder of the term of all subscriptions of applicable Order Forms after the effective date of termination. Upon any termination for cause by Us, You will pay any unpaid Fees covering the remainder of the term of all Order Forms. In no event will any termination relieve You of the obligation to pay any fees payable to Us for the period prior to the effective date of termination.

    4. Suspension of Services. We shall use commercially reasonable endeavors to make the Services available 24 hours a day, seven days a week, except for:

       1. planned maintenance carried out at Our discretion (but You shall be informed in advance to the extent possible); and
       2. unscheduled maintenance performed outside normal business hours (9:00 to 6:00), provided that We have used reasonable endeavors to give You at least 6 normal business hours notice in advance. Notwithstanding any provision herein to the contrary, in the event of any activity by You or any of Your Authorized Users that has (or in Our reasonable assessment is likely to have) an adverse effect on the operation of the Services, We may temporarily suspend the Services. In such event, We will notify You as soon as possible and will work with You in good faith to remedy the cause of the adverse effect.
    5. Survival. The provisions of this Section and the following Sections will survive any termination of this Agreement: Section 4 (Our Commitments), Section 5 (Your Commitments), Section 6 (Payment), Section 7 (Confidentiality), Section 8 (Disclaimer), Section 9 (Indemnification), Section 10 (Limitation of Liability) Section 11.3 (Refund or Payment upon Termination for Cause) and Section 12 (General Provisions).
12. General Provisions.
    1. Marketing. You grant Us the right to use Your company name and logo as a reference for marketing or promotional purposes on Our website and in other public or private communications with existing or potential customers, subject to Your standard trademark usage guidelines as provided to Us from time-to-time.
    2. Force Majeure. Neither party shall be liable hereunder by reason of any failure or delay in the performance of its obligations due to events beyond the reasonable control of such party, which may include denial-of-service attacks, strikes, shortages, riots, fires, acts of God, war, terrorism, and governmental action.
    3. No Agency. Nothing herein will be construed to create a partnership, joint venture or any type of agency relationship between Keyless and You.
    4. Subcontracting. We are allowed to subcontract the performance arising out of this Agreement provided that We shall fully and exclusively remain responsible vis-à-vis You for the non-performance by its subcontractors.
    5. Health and Safety. Each party shall be responsible for ensuring that its premises and all the relevant operations or activities comply at all times with all relevant laws relating to health and safety at the workplace and public safety matters. In this respect, in compliance with local health and safety law, the parties have acknowledged that due to the intellectual nature of the Services, there are no risks regarding workplace health and safety resulting from the interferences of the working and that there are no costs to be borne to reduce or eliminate such kind of risks.
    6. Notices. Marketing and business-related notices may be delivered by email. All legal notices under this Agreement will be in writing addressed to the parties at the address set forth in the preamble hereto and will be deemed to have been duly given (a) when received, if personally delivered; (b) the first business day after sending by email; (c) the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and (d) upon receipt, if sent by certified or registered mail, return receipt requested.
    7. Governing Law; Venue. This Agreement and any disputes hereunder will be governed by: a) the laws of Italy and any action arising out of this Agreement will be exclusively instituted in the applicable courts of Rome, if You are contracting with Keyless Technologies S.r.l. being located in the European Union; and/or by the laws of England, and any action arising out of this Agreement will be exclusively instituted in the applicable courts of London, if You are contracting with Keyless Technologies Limited being located outside the European Union. The parties expressly waive to the conflict of law principles. Any reference to the Italian law and the Italian civil code shall not apply to You if Your contractual relationship with Us is governed by the laws of England.
    8. Export Control Laws. Each party shall comply with United States, European Union and foreign export control laws or regulations of the place where the Services are received as applicable to the performance under this Agreement. Without limiting the foregoing, both parties – regardless of which is the Keyless contracting entity involved – represent and warrant that (a) they are not listed on any United States, United Kingdom or European Economic Area government list, or are a prohibited or restricted party; (b) they are not subject to any United Nation, United States, European Union, or any other applicable economic sanctions or trade restrictions; and (c) they do not have operations in a country subject to comprehensive United States trade sanctions.
    9. No Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
    10. Severability; Waiver. If any provision of this Agreement is held to be unenforceable, such provision will be reformed to the extent necessary to make it enforceable, and such holding will not impair the enforceability of the remaining provisions. The failure by a party to exercise any right hereunder or to enforce strict performance of any provision of this Agreement will not waive such party's right to exercise that or any other right in the future.
    11. Entire Agreement. This Agreement, including all exhibits hereto and all Order Forms, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. Without limiting the foregoing, this Agreement supersedes the terms of any online agreement electronically accepted by You. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by the party against whom the modification, amendment or waiver is to be asserted. However, to the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any exhibit or addendum hereto or any Order Form, the terms of such exhibit, addendum or Order Form shall prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in a purchase order, vendor onboarding process or web portal, or any other order documentation (excluding Order Forms) shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void.
    12. Counterparts. This Agreement may be executed and delivered by PDF counterparts or electronic signatures and such execution and delivery will have the same force and effect of an original document with original signatures.

    Intending to be legally bound, the parties have had this Agreement signed by their duly authorized representatives as of the Effective Date.

Exhibit A

EEA, UK and Swiss Privacy Policy

With this policy notice - provided pursuant to Regulation (EU) 2016/679 ("Regulation" or "GDPR"), as well as Swiss Data Protection Act of 19 June 1992 ("Swiss DPA") and United Kingdom Data Protection Act 2018, as amended ("UK DPA") (GDPR, Swiss DPA and UK DPA, together, "Data Protection Laws") - We aim to provide You with the purposes of collecting and processing Your Data, which categories of data are processed, what are your rights granted by the data protection legislation and how can be exercised.

• Data Controller and DPO

Keyless Technologies S.r.l., with registered office in Viale Luca Gaurico 9-11, 00144 - Rome, VAT no. 14880901005 - with a sole shareholder -

Or

Keyless Technologies Limited incorporated and registered in England and Wales with company number 11362854 whose registered office is at Milton Gate 60 Chiswell Street London United Kingdom EC1Y 4AG.

(one of the above depending on whether you are located is the controller of Your personal data and both are referred to as "Keyless", the "Data Controller" or the "Company")

The Data Controller can be contacted by e-mail at gdpr@keyless.io it or by regular mail at Keyless Technologies S.r.l., at Viale Luca Gaurico 9-11, 00144 – Rome or Keyless Technologies Limited at Milton Gate 60 Chiswell Street London United Kingdom EC1Y 4AG

Keyless has appointed a Data Protection Officer ("DPO") who can be contacted by email at dpo@e-lex.it

• Categories of data, purposes and legal basis for the processing

The Data Controller shall process only the common personal data related to You (for example, first and last name) necessary for the establishment and the management of the contractual relationship, in order to achieve the following purposes.

• Establishment, management and execution of the contractual relationship

The Data Controller will process your personal data for the establishment and subsequent management of the contractual relationship with You and for all activities connected therewith, including, but not limited to, the ordinary administrative management of the agreement and the performance of services under the agreement. This processing is necessary for the performance of a contract to which you are a party or in order to take steps at Your request.

• Complying with legal obligation

Your personal data will be processed by the Data Controller for the fulfillment of legal obligations that may be imposed in connection with pre-contractual checks, establishment and management of the contractual relationship. This processing is necessary for compliance with a legal obligation to which the Data Controller is subject.

• Data Controller’s legitimate interest

Your personal data may be processed for purposes related to policy compliance and/or the development of synergies with Keyless sole shareholder. This processing is necessary for the purposes of the legitimate interests pursued by the Data Controller.

The provision of data is optional, but without it Keyless will not be able to establish the contractual relationship with You.

• Categories of recipients of personal data

Keyless may disclose some of your personal data to third parties that it uses for the performance of activities and/or services that are necessary, functional or otherwise related to the purposes specified in paragraph 2 above.

In particular, the personal data may be communicated - as an integral part of the processing activities - to third parties located within the European Union that offer outsourced services to the Data Controller (e.g., administrative services) as well as to external advisors. These parties will carry out the processing as data processors in accordance with Data Protection Laws (including Article 28 of the GDPR). The updated list of data processors is available upon request.

In addition, the Data Controller may communicate - as appropriate - Your personal data to third parties to whom the communication is due by virtue of legal obligations, to Public Administrations and to credit institutions with which Keyless operates for payment purposes. These parties process the data referring to You as autonomous data controllers.

• Transfer of personal data to third countries

Keyless may transfer Your personal data to its sole shareholder, whose registered office is in the USA, for the purposes set out in paragraph 2(c) above. This transfer will take place in accordance with the conditions set forth in the Data Protection Laws and is governed by standard contractual clauses adopted by the European Commission.

Any further transfers outside the EU will be governed, depending on the recipients, through the use of standard contractual clauses adopted by the European Commission or, alternatively, on the basis of a Commission adequacy decision and/or any other appropriate safeguards provided by the Data Protection Laws.

You will be able to obtain more information about where the personal data has been, if any, transferred by writing to the Data Controller or the DPO at the addresses in paragraphs 1 and 2.

More information about where the data has been transferred may be obtained by writing to the Data Controller or the DPO.

• Data retention period

Keyless will process Your personal data for the purposes of establishment, management and execution of the contract for the entire duration of the contractual relationship. Thereafter, the data will be stored for 11 years, exclusively for purposes related to the fulfillment of legal obligations or the defense of rights of Keyless.

• Data subjects’ rights

Please note that You - as a data subject - have the rights provided by Data Protection Laws and, in particular:

• the right of access to personal data and, in particular, to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data;
• the right to rectification and, in particular, to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you;
• the right to be forgotten, i.e. the right to obtain, where applicable, from the Data Controller the erasure of personal data concerning you without undue delay;
• the right to obtain from the controller restriction of processing;
• the right to request, where applicable, the portability of your personal data.

To exercise Your rights, please contact the Data Controller or the DPO at the addresses indicated in paragraph 1 above. Finally, please note that, pursuant to the applicable regulations, you may lodge any complaints regarding the processing of your personal data with the Italian Data Protection Authority or the Information Commissioner’s Officer.

Exhibit B

EEA, UK and Swiss Data Processing Addendum

In connection with its use of the Services, You may make certain Personal Data (as defined herein) available to Keyless in connection with Your use of the Services. This EEA, UK and Swiss Data Processing Addendum (this "Addendum") describes commitments concerning the processing of such Personal Data and shall govern the processing of Personal Data (as defined below) of which You are the controller under the Data Protection Laws (as defined below), providing the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and Your obligations and rights, in accordance with the Data Protection Laws. The terms of this Addendum are not intended to limit any data protection obligations of either party as provided in the Agreement. Any capitalized term not defined in this Addendum will have the meaning given it in the main body of the Agreement.

• Certain Definitions.

"Data Protection Laws" means to the extent applicable to the Personal Data in question: (i) the EU General Data Protection Regulation 2016/679 ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) ("e-Privacy Directive"); (iii) any national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); and (v) in respect of the United Kingdom ("UK"), the GDPR as it forms part of United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and any other privacy and data protection laws applicable in the UK (in each case as may be amended, extended or re-enacted from time to time).

"Personal Data" means any End User Data for which You act as a data controller under the Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Keyless. The term "Personal Data Breach" does not include an unsuccessful attempt to access Personal Data, including without limitation unsuccessful pings and other broadcast attacks of firewalls or edge servers, port scans, log-on attempts, denial of service attacks, packet sniffing or similar incidents.

"Sub-processor" means any third party processor (including Keyless Affiliates) used by Keyless to process Personal Data.

The terms "controller", "personal data", "data subject" "supervisory authority", "processor" and "processing", "process", "processes" and "processed" shall have the meaning given to them under Data Protection Laws and shall be interpreted accordingly.

• Processing of Personal Data. You are a controller of the Personal Data described in Section 3 of this Addendum and Keyless shall process the Personal Data solely (a) as a processor on Your behalf; and (b) in accordance with the provisions set out in this DPA and with Your documented processing instructions. You agree that the provisions set out in the Agreement and in this DPA constitute Your complete processing instructions regarding the processing of Personal Data by Keyless and any additional or alternative processing instructions must be provided in writing. Keyless shall inform You if it becomes aware that Your processing instructions infringe Data Protection Laws but without any obligation to actively monitor Your compliance with Data Protection Laws.

• Details of Processing. The details of the Personal Data processed by Keyless under this DPA are as follows:

  • Subject matter: Collection and processing of Personal Data relating to End Users in connection with the Services.
  • Categories of data subjects: End Users for whom a subscription to the Services has been procured by You, including Your employees, consultants, contractors, or end-customers depending on the use case.
  • Types of personal data: End User profile information (e.g., username or email address) that the End User uses to login to Your Properties, and device data from the End User’s device (e.g., IP address).
  • Purpose and nature of the processing: Providing, maintaining, and improving the Services, as described in the Agreement.
  • Duration of processing: For the duration of the Services.
• Your Responsibilities. You shall be responsible for complying with Your obligations as a controller under Data Protection Laws and agree that You shall be responsible for (a) determining whether the Services are appropriate for processing Personal Data in a manner consistent with Your legal and regulatory obligations; (b) complying with Data Protection Laws with respect to its use of the Services; and (c) obtaining the necessary rights and consents, if applicable, to transfer Personal Data to Keyless and providing any required notices under Data Protection Laws for Keyless and its Sub-processors to lawfully process Personal Data for the purposes contemplated by the Agreement.
• Confidentiality. Keyless shall ensure that any persons it authorizes to process Personal Data (including Keyless employees) are subject to a duty of confidentiality (whether contractual or statutory) and shall only process the Personal Data necessary to perform the Services.
• Safeguards. Keyless will maintain security measures pursuant to the Data Protection Laws (including Article 32 of the GDPR) to ensure an appropriate level of security for the processing activities. Such measures will include, at a minimum, the measures set out in Exhibit C (Technical and Organizational Security Measures) of the Agreement.
• Audits. Upon Your request, Keyless shall make available to You all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by You. You shall provide reasonable prior notice of any such audit or inspection, and any such audit or inspection shall take place at a mutually agreeable date and time and not be unreasonably disruptive to Keyless business. You shall be responsible for the costs of any such audit or inspection, including reimbursing Keyless for any time expended dealing with the audit or inspection.
• Personal Data Breach Notification. In the event of a Personal Data Breach, Keyless shall inform You without undue delay and shall provide You with reasonable assistance to comply with its obligations under Data Protection Laws with respect to notifying the relevant supervisory authority and/or data subjects affected by the Personal Data Breach.
• Sub-processors. You provide a general authorization for Keyless to appoint Sub-processors including the Sub-processors on the webpage available at https://keyless.io/sub-processors provided that: (a) Keyless imposes the same data protection obligations as set out in this Addendum by way of a contract or other legal act under EEA, UK and Swiss laws and Sub-processors ensure sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Laws; (b) Keyless remains liable for any breach of this Addendum; and (c) Keyless shall notify You in advance of any intended additions or replacements to its Sub-processors in order to allow You to raise any reasonable objections on grounds of data protection. If You raise objections by notifying Keyless in writing within ten (10) calendar days of being notified of any such intended additions or replacements, the parties shall discuss Your objections in good faith with a view to achieving resolution. If You can demonstrate that the new Sub-processor is unable to process Personal Data in compliance with this Addendum and Keyless cannot provide an alternative Sub-processor, or the parties cannot otherwise achieve resolution, You may (as its sole and exclusive remedy) terminate the Agreement with respect only to those aspects of the Services which cannot be provided Keyless without the use of the objected-to Sub-processor and Keyless shall provide You with a pro rata reimbursement of any fees paid but not used.
• International transfers. Keyless does not transfer any Personal Data of the End User outside the European Union. In any case, where such a transfer should be required, You will be notified and the transfer will be governed, depending on the recipients, through the use of standard contractual clauses adopted by the European Commission or, alternatively, on the basis of a European Commission adequacy decision and/or any other appropriate safeguards provided by the Data Protection Laws.
• Cooperation and Data Subject Requests. Keyless shall provide You with reasonable assistance to enable You to comply with its obligations under Data Protection Laws. In particular, Keyless shall promptly notify You of any request, inquiry or complaint from a data subject, supervisory authority, competent court or other third party ("Correspondence") that it receives concerning its processing of Personal Data on Your behalf and reasonably assist You to respond to such Correspondence to the extent that You are unable to do so without further assistance or information. You shall be responsible for any costs and expenses arising from any such assistance by Keyless.
• Data Protection Impact Assessments. Keyless shall provide You with reasonable cooperation and assistance as required under Data Protection Laws for You to conduct a data protection impact assessment and/or to consult with supervisory authorities with respect to Keyless processing of Personal Data, provided that You do not otherwise have access to the relevant information. You shall be responsible for any costs and expenses arising from any such assistance by Keyless.
• Deletion of Personal Data. Upon termination or expiry of the Agreement, Keyless shall (at Your election) delete all Personal Data in its possession or control consistent with the terms of the Agreement. This requirement shall not apply to the extent that Keyless is required to retain Personal Data by applicable law, in which event Keyless shall isolate and protect the Personal Data from any further processing until deletion is legally permissible.
• Compliance with Law. In the event of a change in Data Protection Laws or a determination by a supervisory authority or competent court affecting the data processing undertaken under this Addendum, the parties shall work together in good faith to make any amendments to this Addendum or changes to the Services as are reasonably necessary to ensure continued compliance with Data Protection Laws.

Exhibit C

Technical and Organizational Security Measures

The following is a description of the technical and organizational security measures implemented by Keyless pursuant to Data Protection Laws (including Article 32 of the GDPR) in its provision of the Services to You. Measures apply to all products within the Services except where noted otherwise or unapplicable for feasibility reasons.

Keyless has adopted an organizational model aimed at ensuring the correctness of the processing activities carried out in accordance with privacy by design principle, including inter alia:

• Organization of Information Security.
  • Program.
    • Keyless designates qualified security and compliance personnel whose responsibilities include development, implementation and ongoing maintenance of Keyless security management program to protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed within the Keyless Services (the "Security Management Program").
    • As part of the Security Management Program, Keyless requires review and assessment of potential security threats, risks, and vulnerabilities with senior leadership on a regular cadence (no less than annually).

  • Policies. Keyless maintains a comprehensive set of information security and risk management policies, including as they relate to business continuity, access management, vulnerability management, operational security, incident response management, asset management and vendor management, as well as procedure and/or policies aimed inter alia at:

    • use Personal Data exclusively for the purposes set forth in the Agreement and the DPA, as well as for such additional purposes as You may eventually and subsequently indicate, and in any event exclusively for the performance of the Services;
    • process Personal Data in full compliance with the Data Protection Laws, DPA, the Agreement and the instructions provided herein by You;
    • keep personal data separate from data processed on behalf of other parties, on the basis of a logical security criterion, and ensure that any copies of Personal Data held are permanently destroyed when no longer necessary for the performance of the Services or returned to You at its request, in accordance with the applicable law;
    • manage any security breaches, as well as requests from data subjects or supervisory authorities in accordance with the Data Protection Laws and the DPA;
    • prepare and keep an up-to-date record of all processing activities carried out for the purpose of executing the Agreement, in accordance with the Data Protection Laws (including Article 30 of the GDPR).
• Personnel Management.
  • Keyless employees are required to execute a confidentiality agreement, included in their employment agreement in writing at the time of hire, and must acknowledge receipt of, and compliance with, Keyless information security and organizational policies and procedures. Violation of Keyless policies can result in disciplinary action, up to and including termination.
  • Prior to the provision of service, Keyless staff is required to execute an agreement with appropriate confidentiality provisions as well as instructions for proper processing of personal data in accordance with the provisions of Keyless information security and organizational policies and procedures.
  • Upon termination of the employee relationship, Keyless disables access to critical and noncritical systems.

• Networks and Transmission.
  • Network Controls. Keyless uses techniques designed to detect and prevent unauthorized access to Keyless Service systems processing personal data, including firewalls, load balancers, proxies, and network access controls.

  • Encryption. Keyless encrypts personal data as follows:

    • Keyless uses AES 256-bit encryption for personal data stored at rest in Services systems.
    • Keyless requires HTTPS (TLS 1.2 with a modern cypher profile) for transfer of personal information between Keyless and our customers over public networks and we block any non-HTTPS connections for personal information in transit.
    • Keyless uses Keyless Authenticator protocol as an authentication protocol and validates credentials through Keyless Authenticator product or through stored Bcrypt-hashed and salted passwords.
• Data Centers and Data Management.
  • Data Center Controls.
    • Keyless Services operate on Amazon Web Services ("AWS") and are protected by the security and environmental controls of AWS. Detailed information about AWS security, including physical access controls, is available at: https://aws.amazon.com/security/
  • Data Management.
    • Keyless logically separates each of Your personal data by assigning You a unique identifier.
    • Keyless operates logically separated instances of development, test, and production environments independently.
• Access Controls and Logging.
  • Access Controls.
    • Keyless manages access to personal data through the application of Role-Based Access Controls (RBAC) and is restricted to the least amount of privilege necessary to perform their jobs. Access is centrally managed through an enterprise Identity Management Solution. Administrative access to Keyless production servers and databases is restricted to personnel accountable for managing system availability and users determined by Keyless to have a legitimate business requirement. Access reviews are conducted by the Infrastructure Management team periodically (no less than annually) to ensure that only those personnel with access to personal data still require it. Centralized offboarding process includes prompt disablement of user credentials.
    • Keyless requires unique user access authorization through secure logins and strong passwords, including two-factor authentication.
    • Keyless uses security groups on its virtual private network (VPN) to enable access to production systems for Keyless developers. These developers also require an SSH key that is authorized to access production systems.
    • Keyless uses security groups on its AWS Secure Session Manager (SSM) and an authorized SSH key to enable access to production systems for Keyless developers.
  • Event Logging. Keyless Services systems are configured to generate and forward security events and audit logs to a central Security Information and Event Management (Datadog - SIEM) solution for security monitoring and investigation.
• Security Assessments.
  • Keyless conducts routine vulnerability scans of Keyless Services systems.
  • Keyless engages in annual penetration tests of the Keyless Services conducted by independent third-party that include code analysis.
• Business Continuity and Availability.
  • The Keyless Services systems are housed in AWS EU-Central1 and EU-West3 Regions across multi-availability zones.
  • Keyless maintains appropriate business continuity and disaster recovery plans.
  • Keyless maintains processes to ensure service resiliency within its systems, networks and data storage.
  • Keyless maintains an up-to-date incident response plan for disaster recovery events and an incident management policy.
• Incident Response
  • Keyless notifies You without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (a "Security Breach").
  • Keyless will (i) promptly investigate the Security Breach and take all necessary and advisable actions to mitigate and resolve the Security Breach, (ii) keep You reasonably informed of Keyless activities as they relate to the Security Breach, including providing a summary of the effect of the Security Breach on the personal data and the corrective action taken or to be taken by Keyless, and (iii) perform post-mortem activities to assess compromise path and future action plans to protect from recurrence.

Exhibit D

Location and Purpose Exhibit

We certify that we are the end-user of the Software which is to be supplied by Keyless. We further certify that we shall use the Software solely for the purposes described above; that the Software will not be used for any purpose connected with chemical, biological or nuclear weapons, or missiles capable of delivering such weapons; that it will not be re-exported or otherwise re-sold or transferred if it is known or suspected that they are intended or likely to be used for such purposes; that the end user is not the armed forces or internal security forces of any country; that the Software will not be re-exported or otherwise re-sold or transferred to a destination subject to UN, EU, UK, OSCE embargo where that act would be in breach of the ; and that the Software will not be used in any nuclear explosive activityⁱ or unsafeguarded nuclear fuel cycleⁱⁱ.

1. Includes research on or development, design, manufacture, construction, testing or maintenance of any nuclear explosive device or components of subsystems of such a device.
2. Includes research on or development, design, manufacture, construction, operation or maintenance of any reactor, critical facility, conversion plant, fabrication plant, reprocessing plant, plant for the separation of isotopes of source or special fissionable material, or separate storage installation, where there is no obligation to accept IAEA safeguards at the relevant facility or installation, existing or future, when it contains any source or special fissionable material; or of any heavy water production plant where there is no obligation to accept IAEA safeguards on any nuclear material produced by or used in connection with any heavy water produced therefrom; or where any such obligation is not met.

Exhibit E

Support Services

For the purposes of this Exhibit E, the following terms have the meanings set forth below.

"Contact List" means a current list of Your contacts and telephone numbers You provided to Us from time to time to enable Us to escalate Your Support Requests, including:

1. the first person to contact; and
2. the persons in successively more qualified or experienced positions to provide the support sought.

"Your Cause" means any of the following causes of an Error, except, in each case, any such causes resulting from any action or inaction that is authorised by this Exhibit E or the Agreement, specified in the then-current Documentation, or otherwise authorised in writing by Us:

1. any negligent or improper use, misapplication, misuse, or abuse of, or damage to, the Software and/or Services by You or any Authorised User;
2. any maintenance, update, improvement, or other modification to or alteration of the Software and/or Services by You or any Authorised User;
3. any use of the Software and/or Services by You or any Authorised User in a manner inconsistent with the then-current Documentation;
4. any use by You or any Authorised User of any Third-Party Products that we have not provided or caused to be provided to You; or
5. any use by You or any Authorised User of a non-current version or release of the Software.

"Your Systems" means Your information technology infrastructure, including Your computers, software, databases, electronic systems (including database management systems), and networks.

"Error" means any failure of the Software to operate in all material respects in accordance with the Documentation, including any problem, failure or error referred to in the Service Level Table.

"Out-of-Scope Services" means any of the following:

1. any services that the parties may from time to time agree in writing are not included in the Support Services; and
2. any issue resulting from one or more Your Causes.
3. "First Line Support" means the identification, diagnosis, and correction of Errors by the provision of the following Support Services by help desk technicians sufficiently qualified and experienced to identify and Resolve Your Support Requests reporting these Errors:
4. telephone/email/chat assistance;
5. access to technical information on Our website for proper use of the Software and/or Services.

"Resolve" and the correlative terms, "Resolved," "Resolving," and "Resolution" each have the meaning set forth in paragraph 1.2.

"Service Levels" means the defined Error severity levels and corresponding required service level responses, response times, Resolutions, and Resolution times referred to in the Service Level Table.

"Service Level Table" means the table set out in paragraph 1.2.

"Severity Level 1 Error" has the meaning set forth in the Service Level Table.

"Severity Level 2 Error" has the meaning set forth in the Service Level Table.

"Severity Level 3 Error" has the meaning set forth in the Service Level Table.

"Support Hours" means [8] hours a day, [5] days a week (Monday to Friday, regular working hours in Italy), excluding public holidays in Italy or in the UK depending on whether You are contracting with Keyless Technologies S.r.l. or Keyless Technologies Limited.

"Support Period" means the subscription term identified in the Order Form.

"Support Request" has the meaning set forth in paragraph 2.1.

"Technical Contact" has the meaning set forth in paragraph 2.2.

"Third-Party Products" means all third-party software (including all Open Source Components), computer hardware, network hardware, electrical, telephone, wiring, and all related accessories, components, parts, and devices.

1. SUPPORT SERVICES

   We shall perform Third Line Support, and other Support Services during the Support Hours throughout the Support Period in accordance with the terms and conditions of this Exhibit E and the Agreement, including the Service Levels and other our obligations set forth in this paragraph 1.

   1. We shall:

      1. respond to and Resolve all Support Requests in accordance with the Service Levels;
      2. provide unlimited Third Line of Support to You during all Support Hours by means of email address support@keyless.io; it is intended that First and Second Line (L1/L2) of Support will not be provided and could be negotiated separately
      3. provide You with online access to technical support bulletins and other user support information and forums, to the full extent We make such resources available to our other customers; and
      4. provide to You all such other services as may be necessary or useful to correct an Error or otherwise fulfil the Service Level requirements, including defect repair, programming corrections, and remedial programming.

   2. Response and Resolution times will be measured from the time We receive a Support Request until the respective times We have (a) responded to that Support Request, in the case of response time and (b) Resolved that Support Request, in the case of Resolution time. "Resolve," "Resolved," "Resolution," and correlative capitalized terms mean, with respect to any particular Support Request, that We have corrected the Error that prompted that Support Request and that You have confirmed such correction and Your acceptance of it in writing. We shall respond to and Resolve all Support Requests within the following times based on Your designation of the severity of the associated Error, subject to the parties' written agreement to revise such designation after Our investigation of the reported Error and consultation with You:

      Severity Level of Error	Definition	Required Service Level Response and Response Time	Required Service Level Resolution Time
      1	Business Critical Failures: An Error that: materially affects the operations of the Your business or marketability of Your service or product; prevents necessary work from being done; or disables or materially impairs (i) any major function of the Software and/or Services or (ii) Your use of any major function of the Software and/or Services	Level 1 Response: We shall acknowledge receipt of a Support Request within 180 minutes. Level 2 Response: We shall work on the problem continuously and: restore the Software and/or Services to a state that allows the Customer to continue to use all functions of the Software and/or Services in all material respects within 24 hours after the Level 1 Response time has elapsed; and exercise best efforts to Resolve the Error until full restoration of function is provided.	We shall Resolve the Support Request as soon as practicable and no later than 24 hours after Our receipt of the Support Request. If We Resolve the Support Request by way of a work-around You have accepted in writing, the severity level assessment will be reduced to a Severity Level of Error 2.
      2	System Defect with Work-around: a Severity Level 1 Error for which You have received, within the Resolution time for Severity Level 1 Errors, a work-around that You have accepted in writing; or an Error, other than a Severity Level 1 Error, that affects operations of Your business or marketability of Your service or product.	Level 1 Response: We shall acknowledge receipt of a Support Request or, where applicable, Your written acceptance of a Severity Level 1 Error work-around, within 12 hours. Level 2 Response: We shall, within 2 Business Days after the Level 1 Response time has elapsed, provide: an emergency Software and/or Services fix or work-around; or temporary Software and/or Services release or update release that allows You to continue to use all functions of the Software and/or Services in all material respects.	We shall Resolve the Support Request as soon as practicable and no later than 2 Business Days after the Our receipt of the Support Request or, where applicable, Your written acceptance of a Severity Level 1 Error work-around.
      3	Minor Error: An isolated or minor Error in the Software and/or Services that meets each of the following requirements: does not significantly affect Software and/or Services functionality; can or does impair or disable only certain non-essential Software and/or Services functions; does not materially affect Your use of the Software and/or Services; and has no or no more than a minuscule effect on the operations of Your business or marketability of Your service or product.	Level 1 Response: We shall acknowledge receipt of the Support Request within 24 hours.	We shall Resolve the Support Request as soon as practicable and no later than 5 Business Days after the Our receipt of the Support Request.

   3. If We do not respond to a Support Request within the relevant Service Level response time, You may escalate the Support Request to the parties' respective relationship managers identified below and then to their respective senior management identified below:

      KEYLESS Tech Lead - michele@keyless.io

   4. The parties may, on a case-by-case basis, agree in writing to a reasonable extension of the Service Level response or Resolution times.
   5. We shall, at Your request, provide to You the Out-of-Scope Services in accordance with the terms and conditions of this Exhibit E and the Agreement.
   6. You acknowledge and agree that time is not of the essence with respect to Our performance under this Exhibit E.
2. Support Requests and Your Obligations
   1. You may request Support Services by way of a Support Request. You shall classify Your requests for Error corrections in accordance with the severity level numbers and definitions of the Service Level Table set forth in paragraph 1.2 (each a "Support Request"). You shall notify Us of each Support Request by email, telephone, chat or such other means as the parties may agree to in writing. You shall include in each Support Request a description of the reported Error and the time You first observed the Error.
   2. You shall designate the individual(s) who will act as a direct liaison with Us and be responsible for communicating with, as well as for providing timely and accurate information and feedback to Us in connection with the Support Services (each such individual, a "Technical Contact"). The Technical Contact(s) will be the sole liaison(s) between You and Us in sending Support Requests and communicating with Us in connection with any matters relating to the provision of the Support Services.

   • You shall, by and through its Technical Contact(s), provide Us with:

     1. prompt notice of any Errors; and

     2. each of the following to the extent reasonably necessary to assist Us in reproducing operating conditions similar to those present when You detected the relevant Error and to respond to and Resolve the relevant Support Request:

        • direct access to the Your Systems and the Your files, equipment, and personnel;
        • output and other data, documents, and information, each of which is deemed Your Confidential Information as defined in the Agreement; and
        • such other reasonable cooperation and assistance as the We may request.