Terms

These General Conditions (version March 11, 2022) shall apply to the provision by 3rdRisk, and the use by Customer of, the 3rdRisk Platform and the Professional Services and any other agreements and/or legal relationships between 3rdRisk and Customer resulting therefrom or in connection therewith. 3rdRisk expressly rejects the applicability of Customer’s general conditions, unless 3rdRisk has expressly accepted the applicability of Customer’s general conditions in writing. Any amendments to the General Conditions or Order are only legally binding between parties, if both Parties have expressly agreed to such amendments in writing or in accordance with clause 12.3 hereof.

1. Definitions

In in these General Conditions, the following capitalised terms shall have the meanings set out below:

a. 3rdRisk means a limited liability company (Besloten Vennootschap) incorporated under the laws of the Netherlands, with statutory name 3rdRisk Solutions B.V., with its registered seat at Muiden, the Netherlands, registered with the Dutch Chamber of Commerce under registration number 76517292;

b. 3rdRisk Platform means the 3rdRisk applications and online platform delivered as a software-as-a-service offering online via web access designated by 3rdRisk;

c. Administrator means the person or persons appointed by the Customer who has the highest level of rights and responsibilities in relation to the Customer’s account and is authorised to conduct transactions on the 3rdRisk Portal and administrate the Customer’s account;

d. Authorised User means each employee and independent contractors of the Customer who is authorised by the Customer to use the 3rdRisk Platform, including Administators;

e. Confidential Information means all trade secrets, know-how, business and financial information, and other proprietary information or data disclosed to one party by the other, or incorporated in materials or products provided to one party by the other;

f. Customer means the entity identified in the applicable Order that has purchased the 3rdRisk Platform and/or the Professional Services;

g. Documentation means 3rdRisk’s product guides and other end user documentation for the 3rdRisk Platform, as may be updated by 3rdRisk from time to reflect the then-current 3rdRisk Platform;

h. Fees means the fees payable by the Customer to 3rdRisk in respect of the 3rdRisk Platform and/or Professional Services, as further set out in the Order;

i. Order means an ordering document or online order specifying the Service Plan, Professional Services or other services to be provided hereunder by 3rdRisk that is entered into between 3rdRisk and Customer from time to time;

j. Professional Services means, collectively, the consulting and other professional Services which Customer has ordered. The term “Professional Services” does not include the 3rdRisk Platform;

k. Order Term means the period of time for which Customer has ordered the 3rdRisk Platform as specified in the Order;

l. Service Plan means the bundle of 3rdRisk Platform functionalities a Customer may subscribe to by creating an account and placing Orders. Service Plans may be delineated by, among other things, the functionality available for consumption by the Customer, the number of Authorised Users, the support level, the usage limitations, payment terms, price, duration and such other criteria adopted by 3rdRisk from time to time; and

m. Third-Party Service means any service or content provided by a third party that such third party makes available to Customer for use on or through the 3rdRisk Platform, such as conducting assessments and performing audits. Such Third-Party Service may be offered through a 3rdRisk store or elsewhere on the 3rdRisk Platform.

2. Access and use rights

2.1 3rdRisk authorizes Customer to allow the Authorized Users toaccess and use the 3rdRisk Platform during the Order Term in accordance with the Order and these General Conditions. Customer will not otherwise access or use the 3rdRisk Platform in a manner that exceeds Customer’s authorized access and use rights as set forth herein and the Service Plan(s) set forth in the applicable Order.

2.2 Except as may otherwise be expressly agreed in an Order, the Customer may only use the 3rdRisk Platform for the internal business purposes of itself and its affiliates, and may not make the 3rdRisk Platform available to any third party by sale, rent, sublicensing, timesharing or on any other basis nor use the 3rdRisk Platform for the benefit of any third party on any basis including by reselling them or by combining them with the services provided by Customer to third parties.

3. Provision of the 3rdRisk platform

3.1 3rdRisk will ensure the 3rdRisk Platform is provided in a professional manner and will work to ensure it will function for the Order Term in substantial conformity with the Documentation. 3rdRisk does not warrant that the 3rdRisk Platform will operate error free or uninterrupted.

3.2 3rdRisk may temporarily suspend the 3rdRisk Platform in full or in part for the purpose of carrying out preventive, corrective or adaptive maintenance or for security reasons. 3rdRisk shall not suspend the 3rdRisk Platform for longer than necessary, and, to the extent practical given the circumstances, shall notify the Customer in advance.

3.3 3rdRisk reserves the right to suspend Customer’s use of the 3rdRisk Platform in the event it reasonably suspects that Customer’s use of the 3rdRisk Platform violates these General Conditions or the Order. 3rdRisk will first notify the Customer before suspension.

4. Ownership, use of data and confidentiality

4.1 3rdRisk retains all intellectual property rights embodied in (i) the 3rdRisk Platform, and (ii) all software, materials, data and Confidential Information of 3rdRisk made available to Customer via the 3rdRisk Platform or otherwise provided to Customer in connection with the 3rdRisk Platform or the Professional Services.

4.2 Customer grants to 3rdRisk the right to use the content stored by Customer on the 3rdRisk Platform for purposes of providing the 3rdRisk Platform. All right, title and interest in and to the content remains with the Customer.

4.3 Each party shall: (i) keep all Confidential Information strictly confidential, (ii) not disclose any Confidential Information to any third party without the prior written consent of the disclosing party, and (ii) only use and reproduce the Confidential Information for the performance of its obligations under the Order. These obligations shall not apply to any Confidential Information which: (i) at any times becomes public knowledge other than through breach hereof by the receiving party; (ii) can be shown by the receiving party to have been known to the receiving party prior to it being disclosed by the disclosing party to the receiving party; or (iii) is required to be disclosed or used by law.

5. Support, availability and backups

5.1 3rdRisk shall provide support to the Customer during the Order Duration, in relation to the 3rdRidsk Platform, in accordance with the support level specified in the Order. The availability of 3rdRisk support, the contact methods and the response times for each of the available support levels shall be set forth on the 3rdRisk website.

5.2 3rdRisk uses commercially reasonable efforts to maintain availability of the 3rdRisk Platform twenty-four (24) hours per day, seven (7) days per week, less any suspension pursuant to clause 3.2 hereof.

5.3 3rdRisk will perform regular backups of Customer Content, and provide routine and emergency recovery of Customer Content from its archives. The backup schedule will include at least weekly full backups and daily incremental backups. In the event of any loss or corruption of Customer Content, 3rdRisk shall use its commercially reasonable efforts to restore the lost or corrupted Customer Content from the latest backup of such Customer Content maintained by 3rdRisk. 3rdRisk shall not be responsible for any loss, destruction, alteration, unauthorized disclosure or corruption of Customer Content caused by any third party that is not a supplier of 3rdRisk or otherwise connected to 3rdRisk.

6. Authorised users

6.1 Customer shall register at least one (1) individual as an Administrator. The functions of an Administrator shall include: (i) creating, editing and administrating the setup of Authorised Users; (ii) assigning and designating levels of access rights for each Authorised User; (iii) resetting IDs and passwords for Authorised Users; and (iv) disabling or restricting access for Authorised Users;

6.2 Customer shall ensure that (i) it will not allow any Authorised User account to be used by more than one individual; (ii) any user IDs, passwords, and other access credentials (such as API tokens) for the 3rdRisk Platform are kept strictly confidential and shall not shared with any unauthorized person; (iii) if any Authorized User stops working for Customer, the Administrator shall immediately terminate that Authorized User’s access to the 3rdRisk Platform. Customer will be responsible for any and all actions taken using its and its Authorised Users’ accounts, passwords or access credentials. Customer must notify 3rdRisk immediately of any breach of security or unauthorized use of its account.

7. Use of the 3rdRisk platform

7.1 Customer may at any time use the options offered on the 3rdRisk Platform to change its Service Plan. 3rdRisk will, depending upon the price of the new Service Plan, either issue a pro-rated account credit or apply the unused portion of the old plan towards the price of the new Service Plan. Customer shall not be entitled to a refund.

7.2 Customer is fully responsible for (i) all use its Authorised Users make of the 3rdRisk Platform, (ii) all data the Authorised Users upload to and distribute via the 3rdRisk Platform, (iii) all services it provides to third parties through the 3rdRisk Platform, and (iv) all related instructions it gives to 3rdRisk in configuring and using the 3rdRisk Platform. 3rdRisk shall not be responsible for checking the accuracy, validity, usefulness and completeness of the results of the use of the 3rdRisk Platform.

7.3 Customer shall at all times ensure that all of its use of the 3rdRisk Platform complies with applicable laws, does not violate any third-party rights (expressly including any third-party intellectual property rights) and does not constitute an unlawful act against any third party.

7.4 In connection with the use of the 3rdRisk Platform, Customer shall (i) observe all instructions given by 3rdRisk, (ii) follow all guidelines stated in the Documentation, and (ii) not use the 3rdRisk Platform in a manner interfering or disrupting the integrity or the proper functioning of the 3rdRisk Platform and the data stored thereon.

7.5. Customer shall not use the 3rdRisk Platform to create, use, send, store, or run viruses or other harmful computer code, files, scripts, agents, or other programs, or otherwise engage in a malicious act or disrupt its security, integrity or operation.

7.6 3rdRisk may, from time to time, at its discretion, change and/or improve the 3rdRisk Platform, including by (i) changing, removing, or adding features or functionality to the 3rdRisk Platform, or (ii) making changes to the design or graphical user interface.

7.7 3rdRisk may at any time change or restructure the available Service Plans of the 3rdRisk Platform. In the event of a change or restructuring that negatively affects the Customer (e.g. in case of reduced functionalities, increased user limitations or increase of prices), 3rdRisk will ask the Customer to make a choice for one of the new Service Plans at least two months before the end of the applicable Order Duration.

7.8 In the event Customer accesses or uses any Third-Party Services, such Third-Party Services shall be governed solely by the terms and conditions as agreed upon by Customer with the provider of such Third-Party Services. 3rdRisk does not endorse, and shall not be responsible or liable for, and makes no representations as to any aspect of such Third-Party Services. Services provided through the 3rdRisk Platform without clear agreed upon separate terms shall be regarded as part of the 3rdRisk Platform offering as set forth herein.

8. Professional services

8.1 Customer and 3rdRisk may enter into one or more Orders for the provision by 3rdRisk of Professional Services. 3rdRisk will perform the Professional Services, subject to the fulfilment of any responsibilities and payments due from Customer, as stated in the Order.

8.2 3rdRisk warrants that the Professional Services will be performed in a competent and workmanlike manner, in accordance with accepted industry standards and practices and all material requirements set forth in the Order. Customer will notify 3rdRisk of any breach within thirty (30) days after performance of the nonconforming Professional Services. On receipt of such notice, 3rdRisk, shall at its option, and as Customer’s sole remedy, (i) use commercially reasonable efforts to re-perform the Professional Services in conformance with these warranty requirements, or (ii) terminate the Order for the affected Professional Services and refund to Customer any amounts paid for the non-conforming Professional Services.

8.3 All delivery dates and other periods stated or agreed by 3rdRisk for Professional Services are determined based on data known to 3rdRisk when it agreed or communicated such dates or periods and may be subject to change. 3rdRisk will use its reasonable efforts to observe agreed delivery dates and other periods as much as possible, subject to the Customer’s timely performance of its obligations.

8.4 Professional Services are separately ordered from the 3rdRisk Platform and are not required for use of the 3rdRisk Platform. A breach by 3rdRisk of its obligations with respect to the 3rdRisk Platform shall not by itself constitute a breach by 3rdRisk of its obligations with respect to the Professional Services respectively and vice versa.

9. Fees and payments

9.1 All prices of 3rdRisk are exclusive of turnover tax (VAT) and other taxes, levies or duties imposed by governmental authorities. The Customer shall pay each invoice within sixty (60) days after the invoice date.

9.2 The Fees for the 3rdRisk Platform will be charged in advance for each payment period referred to in the Order

9.3 Fees for Professional Services are payable in accordance with the payment schedule set out in the Order or in absence thereof, monthly in arrears on the basis of actual hours spent in the past month. Fees for Professional Services are excluding applicable travel and accommodation costs which will be charged separately as incurred to provide the agreed Professional Services and which have been approved by customer in advance, except as explicitly agreed otherwise in the relevant Order.

9.4 In case of late payment and after Customer has been sent a notification to remedy within 10 days, and Customer has not remedied the payment within said term, 3rdRisk can charge the Customer the applicable Dutch statutory commercial interest rate to the outstanding amount.

9.5 If the Customer does not pay the Fees owed within the agreed period and after Customer has been sent a notification to remedywithin 10 days, and Customer has not remedied the payment within said term, the Customer will be in default without any notice of default being required, in which case 3rdRisk will be entitled to temporarily suspend access to the 3rdRisk Platform or terminate the Order with immediate effect, without taking into account a notice period.

9.6 3rdRisk may not increase prices of Professional Services and the hourly rates for Professional Services during the Order Duration.

10. Limitation of liability

10.1 The total liability of 3rdRisk under any Order for any breach of contract, unlawful act or otherwise in any calendar year is limited to an amount equal to the total Fees actually paid by Customer to 3rdRisk during the previous full calendar year under the Order, less any refunds or credits received by Customer from 3rdRisk under such Order.

10.2 3rdRisk shall not be liable to Customer in respect of any breach of contract, unlawful act or otherwise for loss of profits, contracts or goodwill or any type of special, indirect, consequential or economic loss (including damage to business, reputation, or goodwill and loss or damage as a result of an action brought by a third party).

10.3 All Customer’s claims for compensation end in any case twelve (12) months after Customer becomes known with the damaging event, unless Customer and 3rdRisk have come to a written and binding settlement for such claim or Customer has commenced legal action in accordance with clause 12.5.

10.4 3rdRisk shall in no event be liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s access or use of any Third-Party Services.

10.5 The Customer will indemnify, defend and hold 3rdRisk harmless from any third-party claims and related reasonable legal costs caused by or related to Customer’s use of the 3rdRisk Platform, insofar such use is outside the purpose as set forth in the documentation of the 3rdRisk Platform. For any use by Customer within said purpose of the 3rd Platform, 3rdRisk will indemnify, defend, and hold Customer harmless from any third-party claims related reasonable legal costs with respect caused by or related to such Customer’s use of the 3rdRisk Platform.

10.6 Nothing in this General Conditions shall operate to exclude or limit a Party’s liability resulting from fraud, wilful misconduct, or gross negligence.

11. Term and termination

11.1 The Order shall remain in effect for the Order Duration. At the end of each Order Duration, the Order shall automatically renew for successive periods for one year terms, unless either the Customer (i) ends the Order in the Customer Portal prior to the end of the (renewed) Order Duration, or (ii) changes the Order Term for the Order for the new period pursuant to clause 7.1.

11.2 A Party shall be entitled to terminate the Order in part or in full, with immediate effect, in writing without taking into account a notice period, if (i) the other Party has ceased to exist or has been dissolved, (b) the other Party has been declared bankrupt, or it has been granted suspension of payments or entered into voluntary liquidation; (iii) the other Party is in breach of any of the other terms of the General Conditions and/or the Order and – if and to the extent such breach can be remedied‐ fails to remedy such breach within a period of thirty (30) days after having received notice with respect to the breach.

11.3 3rdRisk may terminate any the Orders prematurely in case 3rdRisk decides to discontinue the relevant 3rdRisk Platform for all its customers. 3rdRisk will in such case provide at least six (6) months prior written notice of such termination.

11.4 Following the termination of the Order for the 3rdRisk Platform, and subject to the Customer having paid all Fees, 3rdRisk will allow Customer to download from the 3rdRisk Platform any copies of Customer Data for a period of 30 days.

12. Miscellaneous

12.1 Neither party may transfer its rights or obligations under the Order, by operation of law or otherwise, without the other party’s prior written consent. Notwithstanding the foregoing, on notice and without the Customer’s consent, 3rdRisk may in connection with a merger, reorganization, or sale of all or substantially all of 3rdRisk’s assets, transfer the Order in its entirety to 3rdRisk’s successor.

12.2 Customer shall (i) not, and shall not permit its Authorised Users, to impersonate or falsely represent any other person or organization, (ii) only appoint Administrators that are fully authorized to conclude Orders on behalf of the Customer, and (iii) only authorize Authorised Users that are permitted to disclose information concerning the Customer on or through the 3rdRisk Platform. 3rdRisk is entitled to immediately suspend the account of the Customer in the event that 3rdRisk reasonably suspects a breach of any of these obligations.

12.3 The Orders, the General Conditions and all agreements and legal relationships to which they apply shall be governed by the laws of the Netherlands.

12.4 All disputes arising in connection the Orders, these General Conditions or any agreement and legal relationship they are applicable to, shall be submitted to the exclusive jurisdiction of the competent courts of Oost-Brabant, the Netherlands.