Main Services Agreement

Main Services Agreement

This Main Services Agreement ("MSA") governs Customer's purchase and use of the Services and is effective between Customer and Ridgeline as of the Effective Date. Terms used but not defined inline have the meanings set forth in Section 12 (Definitions).

1. Access and Use.

1.1. Access to the Ridgeline Service.

During the Subscription Term, subject to the terms and conditions of this Agreement, Ridgeline shall: (i) make the Purchased Services available to Customer; and (ii) provide the Ridgeline Service and support in accordance with the Documentation, the Agreement, and the Laws applicable to Ridgeline’s provision of the Ridgeline Service. Ridgeline shall use commercially reasonable efforts to (a) make the Ridgeline Service continuously available and (b) respond to support cases submitted through its customer support portal promptly (taking into account the nature and severity of the issue), in each case in accordance with the attached Service Level Agreement (“SLA”).

1.2. Customer Obligations.

Customer may provide access to the Ridgeline Service only to Authorized Users and solely for the internal business purposes of Customer and its Affiliates. Customer is solely responsible for (a) Authorized Users’ use of the Ridgeline Service, compliance with the Agreement, and use in accordance with the Documentation, (b) the legality, quality and accuracy of Customer Data, the means by which Customer acquired Customer Data, the use of Customer Data with the Ridgeline Service, and providing any required notices to, and receiving any required consents and authorizations from, Authorized Users and persons whose Personal Data may be included in Customer Data, and (c) maintaining and complying with licenses and consents for Third-Party Products.

1.3. Restrictions on Use.

Customer shall not, and shall not allow any third party, to: (i) use the Ridgeline Service in violation of Laws; (ii) send or store Malicious Code in connection with the Ridgeline Service; (iii) interfere with or disrupt performance of the Ridgeline Service or the data contained therein; (iv) attempt to gain access to the Ridgeline Service or its related systems or networks in a manner not set forth in the Documentation or the Agreement, (v) access the Services, Content, Documentation or any Deliverable (collectively, the “Ridgeline Materials”) in order to build or market a similar product or service or competitive product or service, (vi) modify or copy the Ridgeline Materials nor create any derivative works based on the Ridgeline Materials; (vii) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, timeshare, offer in a service bureau, or otherwise make the Ridgeline Materials available to any third party, other than to Authorized Users as permitted herein; (viii) reverse engineer or decompile any portion of the Ridgeline Materials, including any software utilized by Ridgeline in the provision of the Ridgeline Materials, unless required by Law; (ix) copy any features, functions, integrations, interfaces or graphics of the Ridgeline Materials or (x) use the Ridgeline Service for any other abusive, harmful, deceptive or high-risk purpose not contemplated by an Order Form

1.4. Third-Party Products and Content.

If Customer enables any Third-Party Product, as defined below, for use with the Ridgeline Service, Customer grants Ridgeline permission to determine the access for the provider of that Third-Party Product to any Ridgeline Materials required for the interoperation of the Ridgeline Service with the Third-Party Product. Ridgeline is not responsible for any Third-Party Product or Content, including the quality or accuracy of any data related thereto, nor the availability or operation of the Ridgeline Service to the extent such availability and operation is dependent upon any Third-Party Product or Content. Ridgeline does not make any representations or warranties with respect to such Third-Party Products, Content or any providers thereof. Any exchange of data or other interaction between the Ridgeline Service and Customer’s Third-Party Products and/or other third-party providers is solely between Customer and such provider and is governed by such third-party’s terms and conditions. If the provider of a Third-Party Product ceases to make it available for interoperation with the corresponding Ridgeline Service features on reasonable terms, Ridgeline may cease providing those Ridgeline Service features without any refund, credit, or other compensation. “Third-Party Products” means applications, services, and content provided by entities or individuals other than Ridgeline, and that interoperate with the Ridgeline Service, including cloud service providers, third-party data or market information providers or sources, connectivity service providers, exchanges, and similar services.

1.5. Removal of Content and Third-Party Products.

If Customer receives notice claiming that Content or a Third-Party Product must be removed, modified or disabled to avoid violating applicable law or breach of Customer or Ridgeline’s obligations to any third party with respect to such Third-Party Product or Content, (a) Customer will promptly do so and (b) Ridgeline may delete, modify or disable the applicable Content and/or Third-Party Products. In addition, if Ridgeline is required by any third-party rights holder to remove Content, or receives information that Content provided to Customer may violate applicable law or third-party rights, Ridgeline may discontinue Customer’s access to Content through the Ridgeline Service.

2. Fees.

2.1. Subscriptions, Invoices and Payment.

Unless otherwise provided in the applicable Order Form or SOW, Purchased Services are purchased as subscriptions for the Subscription Term. All fees set forth either on an Order Form or SOW, unless subject to good faith dispute, (a) shall be due and payable within thirty (30) days following the invoice date and (b) are non-refundable and non-cancellable. Ridgeline may send Customer invoices electronically (including by email). All Subscription Fees are based on access rights acquired and not actual usage. Consulting Services fees will be invoiced in accordance with the applicable SOW. All remittance advice and invoice inquiries can be directed to ar@ridgelineapps.com.

2.2. Overdue Payments.

Any payment not received by the due date may accrue, at Ridgeline's discretion, late charges at the rate of 1.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid.

2.3. Taxes.

Any fees invoiced under the Agreement do not include any transaction taxes, which may include local, state, provincial, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including value-added taxes, excise, sales, use, goods and services taxes, consumption taxes or similar taxes (collectively, “Taxes”). All fees invoiced under the Agreement are payable in full and without reduction for Taxes. Customer is responsible for paying all Taxes imposed on the Services provided under the Agreement. If Ridgeline has a legal obligation to pay or collect Taxes for which Customer is responsible under the Agreement, the appropriate amount shall be computed based on Customer’s address set forth under the “Primary Billing Contact” field on the respective Order Form, and invoiced to and paid by Customer, unless Customer provides Ridgeline with a valid tax exemption certificate authorized by the appropriate taxing authority.

3. Proprietary Rights.

3.1. Ridgeline Intellectual Property.

Ridgeline and its licensors own and retain all right, title and interest in and to (a) the Services, Content, Documentation, and Deliverables, (b) all improvements, enhancements or modifications thereto no matter by whom made, (c) any software, applications, inventions or other technology developed or co-developed in connection with Consulting Services or support hereunder and (d) all Intellectual Property Rights in or relating to any of the foregoing. Subject to the limited rights expressly granted hereunder, Ridgeline reserves all right, title and interest in and to the Ridgeline Materials, including all related Intellectual Property Rights. No rights are granted to Customer hereunder other than as expressly set forth herein.

3.2 Customer Data.

Customer shall own all right, title and interest in and to the Customer Data. Subject to the terms and conditions of this Agreement, Customer grants Ridgeline and its Affiliates a worldwide, limited-term, nonexclusive, royalty-free license to use, copy, transmit, store and host the Customer Data to provide, improve, or develop Ridgeline’s products and services, to prevent or address service or technical problems, or in accordance with the Agreement, Documentation, or Customer's instructions. Personal Data will only be processed in accordance with the Data Protection Addendum.

3.3 Aggregated Data.

Ridgeline may de-identify, aggregate, pseudonymize, collect and analyze (a) data and other information relating to the provision, use and performance of the Services and related systems and technologies (“Usage Data”) and (b) Customer Data and data derived therefrom (collectively, “Aggregated Data”). Ridgeline may, during and after the term of this Agreement, (i) use such Aggregated Data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with Ridgeline offerings, and (ii) use and disclose Aggregated Data in connection with its business.

3.4. Feedback.

Ridgeline and its Affiliates shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate any Feedback into the Ridgeline Service or Consulting Services. Customer has no obligation to provide Feedback. Ridgeline may develop and make changes to the Ridgeline Service, including changes that result from Feedback, in its sole discretion.

4. Confidentiality.

Neither party shall disclose or use any Confidential Information of the other except (a) as reasonably necessary to perform its obligations under the Agreement, (b) to its bona fide representatives so long as such representatives have a need to know and are subject to confidentiality obligations no less protective than this Section 4, (c) to exercise its rights under the Agreement, or (d) with the other’s prior written consent. Each party agrees to protect the Confidential Information of the other in the same manner that it protects its own Confidential Information but in no event with less than reasonable care. A party may disclose the Confidential Information of the other to the extent required by Law only if the party so required promptly provides the other with prior notice of such compelled disclosure (to the extent legally permitted) and provides reasonable assistance, at the other's cost, if the other wishes to contest the disclosure. If a party discloses or uses (or threatens to disclose or use) any Confidential Information of the other in breach of this Section 4, the other shall have the right, in addition to any other remedies available, to injunctive relief to enjoin such acts, and the parties acknowledge that any other available remedies are inadequate.

5. Security of Customer Data.

Ridgeline maintains administrative, physical, and technical safeguards for the security, confidentiality and integrity of Customer Data as described in the attached Security Exhibit. During the term of the Agreement, Ridgeline may not materially decrease the protections set forth in the Security Exhibit or Audit Report. In the event either party becomes aware of any actual or reasonably suspected unauthorized use of, loss of, or access to Customer Data (a “Security Breach”), such party shall notify the other without undue delay after becoming aware of the Security Breach.

6. Warranties & Disclaimer.

6.1. Warranties.

Each party warrants to the other that it (a) has the authority to enter into the Agreement and (b) in connection with its performance of the Agreement, shall comply with all Laws. Ridgeline warrants that: (i) the Purchased Service shall perform materially in accordance with the Documentation; (ii) the functionality of the Purchased Service will not be materially decreased, (iii) the Consulting Services will be performed in a competent and workpersonlike manner in accordance with accepted industry practice; and (iv) to the best of its knowledge, neither the Ridgeline Service nor any Deliverable contains any Malicious Code. Further, each party warrants that it will not knowingly introduce any Malicious Code into the Ridgeline Service.

6.2. Warranty Remedies.

In the event of a breach of the warranties set forth in Section 6.1(i)-(iv), Ridgeline shall correct the non-conforming Purchased Service or Consulting Services at no additional charge to Customer, or in the event Ridgeline is unable to correct such deficiencies after good-faith efforts, Ridgeline shall refund Customer amounts paid that are attributable to the defective Purchased Service or Consulting Services from the date Ridgeline received such notice. In the event of a breach of any such warranty, Customer shall use its commercially reasonable efforts to notify Ridgeline in writing within thirty (30) days of identifying a deficiency. The remedies set forth in this section shall be Customer’s sole remedy and Ridgeline’s sole liability for breach of these warranties.

6.3. DISCLAIMER.

EXCEPT AS EXPRESSLY PROVIDED HEREIN AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, RIDGELINE MAKES NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO ANY THIRD-PARTY PRODUCT, CONTENT, THE RIDGELINE SERVICE, CONSULTING SERVICES AND/OR RELATED DOCUMENTATION. RIDGELINE DOES NOT WARRANT THAT ANY THIRD-PARTY PRODUCTS, CONTENT, OR THE RIDGELINE SERVICE WILL BE ERROR FREE OR UNINTERRUPTED. THE LIMITED WARRANTIES PROVIDED HEREIN ARE THE SOLE AND EXCLUSIVE WARRANTIES PROVIDED TO CUSTOMER IN CONNECTION WITH THE PROVISION OF THE RIDGELINE SERVICE AND/OR CONSULTING SERVICES.

6.4. Trial, Beta, and Early Access Services.

Ridgeline may in its discretion (a) make available certain components of the Ridgeline Service to Customer on a trial, beta, early access, or similar basis (“Non-Purchased Services”), (b) determine the duration of access to such Non-Purchased Services, and (c) delete any data Customer submits to a Non-Purchased Service after using reasonable efforts to notify Customer. Customer shall only use Non-Purchased Services for evaluation purposes and shall not submit any data for any other purpose to Non-Purchased Services. CUSTOMER’S USE OF ANY NON-PURCHASED SERVICE UNDER THIS PARAGRAPH IS “AS-IS” AND WITHOUT INDEMNIFICATION, WARRANTY, SECURITY, SERVICE LEVEL, SUPPORT, OR OTHER OBLIGATIONS TO CUSTOMER OF ANY KIND BY RIDGELINE. After Customer executes an Order Form for the related Purchased Service (if any) released after the Non-Purchased Service, this paragraph shall not apply to the Purchased Service.

7. Indemnification.

7.1. Indemnification by Ridgeline.

Ridgeline shall defend Customer against any claim, demand, suit or proceeding made or brought against Customer by a third party alleging that the use of the Purchased Service in accordance with the Documentation or Deliverable infringes any third party’s Intellectual Property Rights (a “Claim Against Customer”) and will indemnify Customer from damages, attorney fees and costs finally awarded against Customer pursuant to a court award or settlement as a result of, or for any amounts paid by Customer under an award or settlement approved by Ridgeline in writing of, a Claim Against Customer; provided, however, that Customer: (a) promptly gives written notice of the Claim against Customer to Ridgeline; (b) gives Ridgeline sole control of the defense and settlement of the Claim Against Customer (provided that Ridgeline may not settle any Claim Against Customer unless it unconditionally releases Customer of all liability); (c) provides to Ridgeline, at Ridgeline's cost, all reasonable assistance and (d) Customer promptly implements, at Ridgeline’s option, a modified version of the Purchased Service, Documentation or Deliverable intended to mitigate or nullify the Claim against Customer. The above defense and indemnification obligations do not apply if the Claim Against Customer: (i) does not specifically identify the PurchasedServices as the cause; (ii) arises from the use or combination of the Purchased Services, Deliverable, or any part thereof with software, hardware, data, or processes not provided by Ridgeline, if the Purchased Services, Deliverable or use thereof would not infringe without such combination; or (iii) arises from a Third-Party Product or from Customer’s breach of the Agreement or applicable Order Form(s).

7.2. Indemnification by Customer.

Customer shall defend Ridgeline and its Affiliates against any claim, demand, suit or proceeding made or brought against Ridgeline by a third party alleging (a) that any Customer Data or Customer’s use of Customer Data with the Ridgeline Service, (b) a Third-Party Product, or (c) the combination of a Third-Party Product with the Ridgeline Service, infringes or misappropriates such third party’s Intellectual Property Rights, or arising from Customer’s use of the Ridgeline Service, Deliverable or Content in an unlawful manner or in violation of the Agreement, the Documentation, Order Form, or SOW (each a “Claim Against Ridgeline”), and will indemnify Ridgeline from any damages, attorney fees and costs finally awarded against Ridgeline as a result of, or for any amounts paid by Ridgeline under a settlement approved by Customer in writing of, a Claim Against Ridgeline; provided, however, that Ridgeline: (i) promptly gives written notice of the Claim Against Ridgeline to Customer; (ii) gives Customer sole control of the defense and settlement of the Claim Against Ridgeline (provided that Customer may not settle any Claim against Ridgeline unless it unconditionally releases Ridgeline of all liability); and (iii) provides to customer, at Customer's cost, all reasonable assistance. The above defense and indemnification obligations do not apply if a Claim Against Ridgeline arises from Ridgeline’s breach of the Agreement, the Documentation, the applicable Order Form or the applicable SOW.

7.3. Exclusive Remedy.

This Section 7 states each party’s sole liability and exclusive remedy for any third party claims described herein.

8. Limitation of Liability.

8.1. LIMITATION OF LIABILITY.

TO THE MAXIMUM EXTENT PERMITTED BY LAW AND EXCEPT WITH RESPECT TO (i) EACH PARTY’S INDEMNIFICATION OBLIGATIONS IN SECTION 7, (ii) DEATH OR PERSONAL INJURY CAUSED BY A PARTY’S NEGLIGENCE, (iii) EITHER PARTY’S WILLFUL MISCONDUCT OR FRAUD, AND/OR (iv) BREACH AND/OR MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, IN NO EVENT SHALL EITHER PARTY'S (OR RIDGELINE’S AFFILIATES’ OR THIRD-PARTY LICENSORS’) AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THE AGREEMENT, WHETHER IN CONTRACT, TORT OR OTHERWISE, EXCEED THE FEES ACTUALLY PAID OR PAYABLE BY CUSTOMER DURING THE IMMEDIATELY PRECEDING TWELVE (12) MONTH PERIOD FOR THE SERVICES FROM WHICH THE CLAIM AROSE (OR, FOR A CLAIM ARISING BEFORE THE FIRST ANNIVERSARY OF THE EFFECTIVE DATE, THE AMOUNT PAID OR PAYABLE FOR THE FIRST TWELVE (12) MONTH PERIOD); EXCEPT THAT FOR BREACH OF EITHER PARTY'S CONFIDENTIALITY OR SECURITY OBLIGATIONS, THE BREACHING PARTY'S TOTAL AGGREGATE LIABILITY WILL BE INCREASED TO THE FEES PAID OR PAYABLE UNDER THE AGREEMENT DURING THE IMMEDIATELY PRECEDING 24-MONTH PERIOD.

8.2. EXCLUSION OF DAMAGES.

EXCEPT WITH RESPECT TO AMOUNTS TO BE PAID BY EITHER PARTY PURSUANT TO A COURT AWARD OR SETTLEMENT AS WELL AS THE DEFENSE COSTS UNDER THE INDEMNIFICATION OBLIGATIONS NO MATTER HOW SUCH DAMAGES MAY BE CHARACTERIZED, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED, OR FOR ANY LOST PROFITS (EXCEPT AS DAMAGES FOR BREACH AND/OR MISAPPROPRIATION OF A PARTY’S INTELLECTUAL PROPERTY), LOSS OF USE, COST OF DATA RECONSTRUCTION, COST OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THE SERVICES, INCLUDING BUT NOT LIMITED TO THE USE OR INABILITY TO USE THE SERVICES, ANY INTERRUPTION, INACCURACY, ERROR OR OMISSION, EVEN IF THE PARTY FROM WHICH DAMAGES ARE BEING SOUGHT OR SUCH PARTY'S LICENSORS OR SUBCONTRACTORS HAVE BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. CUSTOMER WILL NOT ASSERT THAT ITS PAYMENT OBLIGATIONS ARE EXCLUDED AS RIDGELINE’S LOST PROFITS.

9. Consulting Services

9.1. Scope.

Consulting Services, including on-site training, integration, consulting and other technical or similar services, are subject to a separate SOW. The assignment or reassignment of all personnel for Consulting Services will be at Ridgeline's sole discretion. Ridgeline does not guarantee that any personnel assigned under a SOW will be assigned during the full term of the Consulting Services. However, if personnel change is deemed appropriate, at the sole discretion of Ridgeline, then the replacement personnel will, at the sole cost and expense of Ridgeline, be brought up to speed on Customer’s project to the appropriate extent necessary in order to facilitate effective provision of the Consulting Services set forth on the respective SOW. Notwithstanding the foregoing, should Customer request replacement of personnel for any legal reason, Customer shall be responsible for any cost and expense incurred to bring the replacement personnel up to speed and knowledgeable to provide the Consulting Services under Customer’s project. Any change to the scope of Consulting Services set forth in an SOW must be initiated through a written change control procedure set forth in the applicable SOW. No change to the scope of Consulting Services in an SOW will be effective unless and until a written change order is mutually executed by the parties.

9.2. Customer Assistance.

Customer agrees to provide, in a timely manner, information and background material regarding Customer's operations, access to Customer's premises, personnel and equipment, and all other forms of assistance as specified in the Order Form or SOW or as otherwise reasonably required by Ridgeline for the satisfactory performance of the Consulting Services, and in accordance with the timing requirements of the project plan or other timing requirements that may be specified in the SOW.

9.3. Delivery Schedule.

The Consulting Services will commence on the date set forth in the relevant SOW and Ridgeline will perform the Consulting Services in accordance with the schedule set forth therein. The Consulting Services will be considered completed upon Ridgeline’s written confirmation (including by email) to the Customer that the Consulting Services have been completed and Customer has not sent a warranty claim within thirty (30) days of receiving Ridgeline’s confirmation.

9.4. Consulting Services Fees.

Consulting Services will be invoiced by Ridgeline in accordance with the applicable SOW. If an estimate is stated in the applicable SOW, such amount is only a good faith estimate for Customer's budgeting and Ridgeline's resource scheduling purposes.

9.5. Expenses.

Customer shall reimburse Ridgeline for reasonable and verified expenses for travel and associated costs incurred in conjunction with the Consulting Services if agreed in the applicable SOW.

10. Term & Termination.

10.1. Term of Agreement.

The Term of the Agreement commences on the Effective Date and continues until one year after the end date of the last Order Form or SOW to terminate, unless terminated earlier in accordance with the terms of this Agreement.

10.2. Termination.

Either party may terminate the Agreement: (i) upon thirty (30) days prior written notice to the other of a material breach by the other if such breach remains uncured at the expiration of such notice period; or (ii) immediately in the event the other becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. A breach of any SOW will not constitute a material breach or termination of the Order Form or this MSA. In the event the Agreement is terminated, all Order Forms and SOWs are simultaneously terminated. Termination of a specific Order Form or SOW will not terminate this Agreement or other Order Forms or SOWs.

10.3. Effect of Termination.

Upon any termination of the Agreement, or any Order Form, Customer shall, except as specifically provided in Section 10.4 below, as of the date of such termination, immediately cease accessing and using the applicable Ridgeline Materials and Ridgeline Confidential Information. If the Agreement is terminated by Customer in accordance with Section 10.2, Ridgeline will refund Customer any prepaid but unused fees covering the remainder of the term of all Order Forms after the effective date of termination. In no event will termination relieve Customer of its obligation to pay any fees payable to Ridgeline for the period prior to the effective date of termination.

10.4. Retrieval of Customer Data.

Upon written request by Customer prior to any expiration or termination of the Agreement, Ridgeline will make the Ridgeline Service available to Customer for the purposes of retrieval of Customer Data for a period of up to ninety (90) days (or such longer period as Ridgeline and Customer may agree to in an Order Form) after such expiration or termination. Thereafter, Ridgeline will (a) have no obligation to maintain or provide any Customer Data and (b) consistent with its applicable policies, delete all Customer Data.

10.5 Suspension of Service.

Ridgeline may suspend provision of Services upon prior written notice to Customer (which will be reasonable prior notice unless Ridgeline reasonably believes immediate suspension is necessary): (a) if Customer is thirty (30) days or more overdue on a payment not subject to a good faith dispute, (b) if Ridgeline reasonably determines suspension is necessary to avoid material harm to Ridgeline or its customers, or (c) as required by Law. Ridgeline will use reasonable efforts to limit Customer’s right to access or use the portion of the Services that caused the risk. Ridgeline will restore Customer’s access and use rights promptly after Customer has resolved the issue giving rise to the suspension.

10.6. Survival.

Provisions of this Agreement which by their nature are to be performed or enforced following any termination of this Agreement shall survive such termination.

11. General.

11.1 Relationship of the Parties.

The parties are independent contractors. The Agreement does not create nor is it intended to create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. There are no third-party beneficiaries to the Agreement unless otherwise agreed in an Order Form or Supplement.

11.2. Notices.

All notices under the Agreement shall be in writing and shall be deemed to have been given upon: (i) personal delivery; (ii) two business days following deposit in the United States Mail, by Certified Mail, Return Receipt Requested; (iii) one business day following deposit with a recognized overnight delivery service; i.e. Express mail, DHL, Federal Express, or UPS Next Day Air or (iv) the date of electronic confirmation of receipt of an email. Notices to Ridgeline shall be addressed to the attention of its General Counsel with a copy to legal@ridgelineapps.com. Notices to Customer shall be addressed to Customer’s signatory to the Order Form. Each party may modify its recipient of notices by providing notice pursuant to the Agreement.

11.3. Waiver and Cumulative Remedies.

No failure or delay by either party in exercising any right under the Agreement shall constitute a waiver of that right or any other right. No waiver of any breach of this Agreement will constitute a waiver of any other breach of the same or any other provision of this Agreement, and no waiver will be effective unless made in writing by the party against whom the waiver is sought to be asserted. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.

11.4. Force Majeure.

Neither party will be liable for any failure or delay in performance under this Agreement or causes beyond that party's reasonable control. Dates by which performance obligations are scheduled to be met will be extended for a period equal to the time lost due to any delay so caused.

11.5. Assignment.

Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other (which consent shall not be unreasonably withheld). Notwithstanding the foregoing, either party may assign the Agreement in its entirety without consent of the other to an Affiliate of such party or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets so long as the assignee agrees to be bound by all of the terms of the Agreement and all past due fees are paid in full. Any attempt by a party to assign its rights or obligations under the Agreement other than as permitted by this section shall be void and of no effect. Subject to the foregoing, the Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.

11.6. Governing Law; Waiver of Jury Trial.

The Agreement shall be governed exclusively by the internal laws of the State of New York, without regard to its conflicts of laws rules, and any litigation arising out of or in connection in any way with this Agreement shall take place in a State or Federal court of competent jurisdiction in New York County,State of New York. Each party irrevocably waives any right to jury trial in connection with any action or litigation in any way arising out of or related to the Agreement.

11.7. Export.

Each party shall comply with the export Laws of the United States and other applicable jurisdictions in providing and using the Ridgeline Service or Consulting Services. Without limiting the generality of the foregoing, Customer shall not make the Ridgeline Service or Consulting Services available to any person or entity that: (i) is located in a country that is subject to a U.S. government embargo; (ii) is listed on any U.S. government list of prohibited or restricted parties; or (iii) is engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction.

11.8. No Investment or Other Advice.

Nothing in this Agreement or the Ridgeline Materials shall constitute or be construed as an offering of financial instruments or as investment advice or investment recommendations by Ridgeline or a recommendation as to an investment or other strategy by Ridgeline. Ridgeline does not express an opinion on the future or expected value of any security or other interest and does not explicitly or implicitly recommend or suggest an investment strategy of any kind. Nothing in this Agreement or the Ridgeline Materials shall constitute or be construed as legal, tax or accounting advice.

11.9. Miscellaneous.

The Agreement, including all exhibits and addenda hereto and all Order Forms and SOWs, constitutes the entire agreement between the parties with respect to the subject matter hereof. In the event of a conflict, the provisions of an Order Form or SOW shall take precedence over provisions of the body of the MSA and over any other exhibit or addenda. The headings in the Agreement are for convenience only. The Agreement supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification or amendment of any provision of the Agreement shall be effective unless in writing and accepted by both parties. If any provision of the Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of the Agreement shall remain in effect. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order, or in any other Customer or Third-Party Product order or authorization documentation of any kind, shall be incorporated into or form any part of the Agreement or modify the terms hereof, and all such terms or conditions shall be null and void. The parties hereby consent to the use of electronic signatures in connection with the execution of any Order Form and/or SOW incorporating this MSA, and further agree that electronic signatures shall be legally binding with the same force and effect as manually executed signatures. The terms “including” and “includes” and the like mean “including without limitation”.

12. Definitions.

The following capitalized terms have the respective meanings specified below and are equally applicable to the singular and plural forms of such terms:

“Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control by either party. For purposes of the preceding sentence, “control” means direct or indirect ownership or control of more than50% of the voting interests of the subject entity.

“Agreement” means this MSA, together with its attachments, any Order Form(s), and any SOWs which refer to, or incorporate this MSA, as may be amended or supplemented in compliance with Section 11.9 of this Agreement.

“Audit Report” means Ridgeline’s most recently completed SOC 2 Type II audit report, prepared and delivered by a nationally recognized independent third-party auditor, or any industry standard similar successor or supplemental report or certification.

“Authorized Users” means Customer's or an Affiliate's workers and third-party providers who are authorized by Customer in writing, through the Ridgeline Service's security designation, or by system integration or other data exchange process to access Customer's Tenant or receive Customer Data.

“Confidential Information” means (a) any software utilized by Ridgeline in the provision of the Services and its respective source code; (b) each party’s and/or its licensor’s business or technical information, including the Documentation, training materials, any information relating to Ridgeline’s software plans, designs, costs, prices, product names, finances, marketing plans, business opportunities, personnel, research, development or know-how that is designated by the disclosing party as “confidential” or “proprietary” or the receiving party knows or should reasonably know is confidential or proprietary; and (c) the terms, conditions and pricing of the Agreement (but not its existence or parties). Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the other party; (ii) was known to a party prior to its disclosure by the other without breach of any obligation owed to the other; (iii) was independently developed by a party without breach of any obligation owed to the other; or (iv) is received from a third party without breach of any obligation owed to the other party.

“Consulting Services” means software configuration, implementation, optimization, and other similar consulting services provided to Customer pursuant to a SOW.

“Content” means information obtained by Ridgeline from third-party content providers or from publicly available sources and made available to Customer through the Ridgeline Service. Content does not include any Third-Party Products.

“Customer Data” means the electronic data or information which Customer or an Authorized User submits to the Ridgeline Service, excluding Content and Third-Party Products.

“Deliverables” means the training, specifications, configurations, implementation, data conversions, workflow, custom developed programs, performance capabilities, and any other activity or document to be completed during the course of Consulting Services.

“Documentation” means the Ridgeline Service’s applicable usage guides and policies, made available to Customer and as updated from time to time.

“Effective Date” means the date upon which the parties agree to the Agreement, including by execution of an Order Form or SOW referencing the MSA

“Feedback” means suggestions, enhancement requests, recommendations or other feedback provided by Customer, its employees and Authorized Users, provided, Customer will not be identified publicly as the source of such suggestions, enhancement requests, recommendations or other feedback.

“Intellectual Property Rights” means any and all common law, statutory and other industrial property rights and intellectual property rights, including copyrights, trademarks, trade secrets, patents and other proprietary rights issued, honored or enforceable under any applicable laws anywhere in the world, and all moral rights related thereto.

“Law” means any local, state, national and/or foreign law, treaties, and/or regulations applicable to a respective party.

“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.

“Order Form” means an ordering document or online order specifying the Ridgeline Service or other products or services (excluding Consulting Services) entered into between Customer and Ridgeline, including any addenda and supplements thereto.

“Production” means use of all or parts of the Ridgeline Service to execute transactions, produce reports, process and/or retrieve data or any other similar use in a non-test environment.

“Purchased Service” means the Ridgeline Service purchased by Customer pursuant to an Order Form and excludes any Non-Purchased Service and Third-Party Products.

“Ridgeline Service” means the cloud software-as-a-service provided or made available to Customer by Ridgeline pursuant to one or more executed Order Form(s), excluding Consulting Services, Content and/or Third-Party Products.

“Services” means any Purchased Service, Consulting Services or Non-Purchased Service.

“SOW” or “Statement of Work” means an ordering document or online order specifying the Consulting Services to be delivered executed by Customer and Ridgeline.

“Subscription Fee” means amounts payable by Customer for the Purchased Services.

“Subscription Term” means the length of time during which an Order Form for a Purchased Service is effective as may be specified in the applicable Order Form.

“Third-Party Products” means applications, services, and content provided by entities or individuals other than Ridgeline, and that interoperate with the Ridgeline Service, including cloud service providers, third-party data or market information providers or sources, connectivity service providers, exchanges, and similar services.

‍

Service Level Agreement

This Service Level Agreement (“SLA”) is part of the Agreement and defines the operational commitments of the Ridgeline Service’s Production environment and Ridgeline’s support commitments for Purchased Services in Production. Capitalized terms used but not defined in this SLA have the meanings assigned to them in the Agreement.

1. Uptime and Downtime.

Ridgeline will use its best efforts to ensure that the Ridgeline Service is generally available 24 hours a day, 7 days a week, throughout the Subscription Term. Customer acknowledges that as an internet delivered service, the Ridgeline Service may experience periods of downtime, including but not limited to planned downtime. Ridgeline commits to using its best efforts to plan downtime when the securities markets are not open for trading and will communicate planned downtime in advance via Ridgeline’s current customer support portal.

Ridgeline's Service Availability commitment for a given calendar month is 99.5%. Service Availability is calculated per month as follows:

((Total - Unplanned Outage - Planned Maintenance)/(Total - Planned Maintenance)) × 100% ≥ 99.5%

Definitions:

• Total is the total minutes in the month.
• Unplanned Outage is the total minutes of unplanned downtime in the month outside of the Planned Maintenance window.
• Planned Maintenance is the total minutes of scheduled maintenance in the month.

Ridgeline’s Planned Maintenance window consists of up to twenty-four (24) hours of weekly maintenance. Ridgeline’s weekly maintenance window begins at 10:00 p.m. (Eastern) on Friday.

All maintenance window times are subject to change. Any changes will be communicated to customers with at least thirty (30) days’ notice via Ridgeline Customer Support.

If any actual maintenance exceeds the time allotted for Planned Maintenance, it will be considered an Unplanned Outage. However, if Ridgeline completes maintenance in less time than allotted for Planned Maintenance, that time will not be credited to offset any Unplanned Outage time for the month.

Ridgeline will evaluate Service Availability based on the ability of Authorized Users to sign in to a Ridgeline production tenant successfully. Customers may request an availability report not more than once per month via Ridgeline Customer Support.

In the event that Ridgeline's Service Availability falls below 99.5% in a given month (a “Service Availability Failure”), Customer shall be entitled to the following remedies outlined below. The term “Monthly Subscription Fee” means an amount equal to 1/12 of the Annual Subscription Fee owed in the then current year.

Ridgeline shall pay or credit Customer the corresponding Service Level Credit specified above in the event of a Service Availability Failure. Ridgeline shall not be required to pay credits to the extent that failure to meet Service Availability is caused solely by circumstances that constitute a force majeure event.

Disaster Recovery

Ridgeline maintains a comprehensive disaster recovery plan for all Ridgeline software components and services following industry best practices. The disaster recovery plan aims to minimize the impact of any potential service disruptions and ensure timely recovery.

To ensure the effectiveness of the disaster recovery plan, Ridgeline will conduct regular testing exercises at least once every six months. These tests will simulate various disaster scenarios and validate the recovery capabilities of the Ridgeline Service. Ridgeline will provide a written summary of the results from the most recent test to its customers through Ridgeline Customer Support.

The disaster recovery plan will be periodically reviewed and updated to align with evolving industry standards and to incorporate any feedback or lessons learned from test exercises or real-life incidents. Ridgeline is committed to maintaining disaster recovery capabilities to ensure high availability and data integrity.

2. Support Case Submission and Severity Level Determination.

Ridgeline defines support case severity for issues affecting the Ridgeline Service in the following manner. In the event of a conflict regarding the appropriate severity determination, each party shall promptly escalate such conflict to its management team for resolution through consultation between the parties' management based on the severity level.

• Severity 0 (Critical): The Ridgeline Service is unavailable, or a Ridgeline Service issue prevents trade order execution, for all Authorized Users. All Authorized Users are completely unable to perform normal job functions. No workaround exists.
• Severity 1 (High): An issue with the Ridgeline Service prevents any Authorized User from completing a critical process with a significant impact, including, for example, the inability to do quarterly client performance reporting or reconciliation for trading. No workaround exists.
• Severity 2 (Medium): An issue with the Ridgeline Service prevents an Authorized User from completing an important business process that impacts Customer’s operations. A workaround exists but is not optimal.
• Severity 3 (Low): An issue with the Ridgeline Service delays an Authorized User from completing a non-critical business process that is not crucial to Customer’s operations. A workaround exists.

Below is Ridgeline’s response commitment to Customer during Ridgeline’s applicable Customer Support hours of operation. For the avoidance of doubt, Ridgeline’s Response Commitment standards shall only apply during Ridgeline’s standard or, if applicable pursuant to the preceding paragraph, International Customer Support hours of operation.

3. Ridgeline Customer Support Hours

Standard Customer Support Hours of Operation.

Ridgeline’s Customer Support is available from 7:00 a.m. to 7:00 p.m. (Eastern) Monday through Friday, with the exception of holidays observed by the New York Stock Exchange (NYSE).

International Customer Support Hours of Operation.

Ridgeline shall provide its Customer Support hours of operation to provide availability from two hours before major market open hours in Asia, Europe, and the U.S., during such major market open hours, and up until two hours after such major markets close. The Ridgeline Customer Support hours for applicable Ridgeline customers will be 5:00 p.m. (Eastern) Sunday through 7:00 p.m. (Eastern) Friday. For the avoidance of doubt, these extended Customer Support hours will not be applicable to Customer unless Customer uses the Ridgeline Service to support such global trading and operations.

4. Scope and Support for Content and Third-Party Products.

Ridgeline will support functionality it makes available as part of any Purchased Service. For issues or functionality caused by issues, errors or changes in Customer's systems or third-party products or services, Ridgeline may assist Customer and the third-party providers in diagnosing and resolving issues or errors, but Customer acknowledges that these matters are outside of Ridgeline’s support obligations. Failure to meet commitments under this SLA attributable to (1) Customer's acts or omissions in excess of any limits set forth in the Agreement or Documentation; and (2) force majeure events, shall in each case be excused.

‍

Security Exhibit

Ridgeline’s security program includes:

Security and Data Privacy Awareness and Training. A mandatory security and data privacy awareness and training program for all members of Ridgeline’s workforce, including management.

Access Controls. Policies, procedures, and logical controls:

• a) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
• b) To prevent individuals who should not have access from obtaining access; and
• c) To remove access on a timely basis in the event of a change in job responsibilities or job status.

Network and Systems Security. Deployment of intrusion prevention and detection systems. Deploying systems for the prevention, detection and removal of viruses and other malware from relevant servers as well as endpoints (laptops/desktops).

Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the production data center is limited to properly authorized individuals and environmental controls are established to detect, prevent and control destruction due to environmental extremes.

Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any security incident affecting Customer Data or any security incident of any application or system directly associated with the accessing, processing, storage, communication and/or transmission of Customer Data.

Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.

Storage and Transmission Security. Technical security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Customer Data stored on desktops, laptops, cloud storage, or other removable storage devices which are housed outside of a secured data center.

Secure Disposal. Policies and procedures regarding the disposal of tangible property containing Customer Data taking into account available technology so that Customer Data cannot be practicably read or reconstructed.

Change and Configuration Management. Maintaining policies and procedures for managing changes to production systems, applications, and databases.

Testing. Regular testing of the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.

Program Adjustments. Monitoring, evaluation, and making necessary adjustments, as appropriate, to the security program in light of:

• a) Any relevant changes in technology and any internal or external threats to Ridgeline systems and services and/or Customer Data;
• b) Security and data privacy regulations applicable to Ridgeline’s business and services; and
• c) Ridgeline’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

‍

Data Protection Addendum

This Data Protection Addendum (“DPA”) forms a part of the Main Services Agreement (as defined therein, the “Agreement”) under which Ridgeline provides its Services and is entered into by Ridgeline and Customer.

Customer enters into this DPA on behalf of itself and, to the extent set forth in Sections 8 and 9, in the name and on behalf of its Controller Affiliates (defined below). All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services under the Agreement, Ridgeline may Process certain Personal Data (as defined below) on behalf of Customer and where Ridgeline Processes such Personal Data on behalf of Customer the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

1. DEFINITIONS

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Controller Affiliate” means any of Customer’s Affiliate(s) (a) that are subject to applicable Data Protection Laws, and (b) permitted to use the Services pursuant to the Agreement between Customer and Ridgeline, but have not signed their own Order Form and are not a “Customer” as defined under the Agreement.

“Customer” means the entity that purchased the Ridgeline Service under an Order Form.

“Data Protection Laws” means all laws and regulations governing the Processing of Personal Data, including laws and binding regulations applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Instruction” means Controller’s documented data Processing instructions issued to Processor in compliance with this DPA.

“Personal Data” means any Customer Data that relates to a Data Subject, to the extent that such information is protected as personal data under applicable Data Protection Laws.

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Ridgeline Group” means Ridgeline and its Affiliates engaged in the Processing of Personal Data.

“Special Categories” means sensitive Personal Data under applicable Data Protection Law and may include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, criminal offense, health and sex life.

“Subprocessor” means any entity engaged by Ridgeline or a member of the Ridgeline Group to Process Personal Data in connection with the Services.

“Subprocessor List” means the list identifying the Subprocessors that are authorized to Process Personal Data, accessible through Ridgeline's website or then-current support portal.

2. SCOPE OF PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties.

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Ridgeline is the Processor and that Ridgeline or members of the Ridgeline Group will engage Subprocessors pursuant to the requirements set forth in Section 4 “Subprocessors”.

2.2 Customer’s Processing of Personal Data.

Customer shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the Agreement and the requirements of applicable Data Protection Laws. Controller is responsible for ensuring its Instructions to Processor comply with Data Protection Laws. Controller specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from the sale, use, or other disclosures of Personal Data.

2.3 Ridgeline’s Processing of Personal Data.

As Customer’s Processor, Ridgeline shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; (iii) Processing in compliance with data protection authority or law enforcement agency, and (iv) Processing to comply with other reasonable written Instructions provided by Customer (e.g., via email) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). Ridgeline acts on behalf of and on the instructions of Customer in carrying out the Purpose.

2.4 Details of the Processing.

The subject-matter of Processing of Personal Data by Ridgeline is as described in the Purpose in Section 2.3. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Description of Processing Activities) to this DPA.

3. RIGHTS OF DATA SUBJECTS

3.1 DATA SUBJECT REQUEST FROM DATA SUBJECT.

Controller may receive requests from Data Subjects to exercise Data Subject rights afforded to the Data Subject under applicable Data Protection Law in relation to Personal Data (a “Data Subject Request”). Controller will be solely responsible for responding to any Data Subject Requests, provided that Processor shall reasonably cooperate with the Controller to respond to Data Subject Requests to the extent that Controller is unable to fulfill such Data Subject Requests using functionality in the Service. Taking into account the nature of the Processing, Ridgeline shall assist Customer by appropriate technical and organizational measures, in accordance with the Agreement, for the fulfillment of Customer’s obligation to respond to a Data Subject Request as required by applicable Data Protection Laws.

In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Ridgeline shall, upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Ridgeline is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Ridgeline’s provision of such assistance, including any Consulting Services and/or fees associated with provision of additional functionality. Ridgeline shall, to the extent legally permitted, instruct the Data Subject to contact the Customer if Ridgeline receives a Data Subject Request.

3.2 DATA SUBJECT REQUESTS FROM AUTHORITIES.

In the case of a notice, audit, inquiry or investigation by a government body, data protection authority or law enforcement agency regarding the Processing of Personal Data, Processor shall promptly notify Controller unless prohibited by applicable law. Controller shall keep records of the Personal Data Processed by Processor, and shall cooperate and provide all necessary information to Processor in the event Processor is required to produce such information to a data protection authority.

3.3 COOPERATION WITH SUPERVISORY AUTHORITIES.

Controller and Processor shall cooperate, on request, with a supervisory authority in the performance of such supervisory authority’s task, in accordance with Data Protection Laws.

4. SUBPROCESSORS

4.1 Appointment of Subprocessors.

Customer agrees and hereby provides a written general authorization that (a) Ridgeline’s Affiliates may be Subprocessors through a written agreement with Ridgeline and (b) Ridgeline and Ridgeline’s Affiliates may engage third-party Subprocessors in connection with the provision of the Services. As a condition to permitting a Subprocessor to Process Personal Data, Ridgeline or a Ridgeline Affiliate will enter into a written agreement with each Subprocessor containing data protection obligations no less protective than this DPA.

4.2 List of Current Subprocessors and Notification of New Subprocessors.

A current Subprocessor List is identified in Exhibit B. Ridgeline shall provide Customer with notification of new Subprocessor(s) by updating the Subprocessor List before authorizing such new Subprocessor(s) to Process any Personal Data.

4.3 Right to Object to New Subprocessors.

Customer may object to Ridgeline’s use of a new Subprocessor by notifying Ridgeline in writing within ten (10) business days after receipt of Ridgeline’s notice under Section 4.2. Such notice shall detail, with particularity, the basis for Customer’s objection. If Ridgeline receives an objection under this Section, Ridgeline will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by such new Subprocessor without unreasonably burdening Customer. If Ridgeline is unable to make available such change within thirty (30) days, either party on written notice to the other may terminate without penalty the applicable Order Form(s) only with respect to those Services which cannot be provided by Ridgeline without the use of such Subprocessor. Ridgeline will refund Customer any prepaid fees solely for such terminated Services following the effective date of termination, without imposing a penalty for such termination on Customer.

4.4 Liability of Ridgeline for Subprocessors.

Ridgeline shall be liable for the acts and omissions of its Subprocessors to the same extent Ridgeline would be liable if performing the Services of each Subprocessor directly.

5. SECURITY

5.1 Controls for the Protection of Personal Data.

Ridgeline shall maintain appropriate technical and organizational measures for protection of the security, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data and including security incident management policies and procedures, confidentiality and availability of Personal Data in accordance with the Security Exhibit. Ridgeline regularly monitors compliance with these measures.

5.2 Third-Party Reports.

Upon Customer’s reasonable request, and subject to the confidentiality obligations in the Agreement, Ridgeline shall make available to Customer (or Customer’s independent, third-party auditor) information regarding Ridgeline’s compliance with the obligations set forth in this DPA in the form of the third-party audit reports.

6. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION

Ridgeline shall notify Customer without undue delay after becoming aware of any breach relating to Personal Data (under any applicable Data Protection Law) that requires a notification to be made to a Supervisory Authority or Data Subject under applicable Data Protection Law or which Ridgeline is required to notify to Customer under applicable Data Protection Law (a “Personal Data Incident”). Ridgeline shall provide commercially reasonable cooperation and assistance in identifying the cause of such Personal Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within Ridgeline’s control. Except as required by applicable Data Protection Law, the obligations herein shall not apply to incidents that are caused by Customer, Authorized Users and/or any Third-Party Product or other third-party product.

7. RETURN AND DELETION OF PERSONAL DATA

Upon termination of any Services for which Ridgeline is Processing Personal Data, Ridgeline shall, upon Customer’s request, and subject to the limitations described in the Agreement, return all Personal Data in Ridgeline’s possession to Customer or securely destroy such Personal Data and demonstrate to the satisfaction of Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Personal Data.

8. CONTROLLER AFFILIATES

8.1 Contractual Relationship.

The parties acknowledge and agree that Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, where required and as applicable, subject to the provisions of the Agreement and this Section 8 and Section 9. Controller agrees to cause each Controller Affiliate to be bound by the obligations under this DPA and, to the extent applicable, the Agreement.

8.2 Communication.

The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Ridgeline under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.

8.3 Rights of Controller Affiliates.

If a Controller Affiliate wishes to exercise rights and seek remedies under this DPA, then the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, not separately but in a combined manner for all of its Controller Affiliates together.

9. LIABILITY

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Controller Affiliates and Ridgeline, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

Ridgeline’s and its Affiliates’ total liability for all claims from the Customer and all of its Controller Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Controller Affiliate that is a contractual party to any such DPA.

‍

List of Exhibits

Exhibit A: Description of Processing Activities

Exhibit B: Current Copy of Subprocessor List

‍

Exhibit A - Description of Processing Activities

Nature and Purpose of Processing: Processor will Process Personal Data as required to provide the Services in accordance with the Agreement. Controller acknowledges that all Personal Data it instructs Processor to Process for the purpose of providing Consulting Services must be limited to the Customer Data Processed within the Ridgeline Service.

Duration of Processing: Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 2 (Scope of the Processing of Personal Data) of this DPA.

Data Subjects: Customer may submit Personal Data to the Ridgeline Service, the extent of which is determined and controlled by Customer and which may include, but is not limited to, personal data relating to the following categories of data subject:

• authorized Users;
• employees of Customer;
• consultants of Customer;
• contractors of Customer;
• clients of Customer;
• agents of Customer; and/or
• parties or natural persons with which Customer conducts business.

Categories of data: The Personal Data transferred concern the following categories of data:

• communication data (e.g. telephone, email);
• business and personal contact details;
• and other Personal Data which is Customer Data, as defined in the Agreement

Special categories of data: Ridgeline does not require Special Categories for Customer’s access and use of the Ridgeline Service. Customer shall not submit Special Categories to the Ridgeline Service, the extent of which is determined and controlled by Customer in compliance with applicable Data Protection Law.

Processing operations: The Personal Data transferred will be processed in accordance with the Agreement and any Order Form and may be subject to the following processing activities:

• storage and other processing necessary to provide, maintain, and update the Services provided to Customer;
• to provide customer and technical support to Customer; and
• disclosures in accordance with the Agreement, as compelled by applicable law.

‍

Exhibit B - Current Copy of Subprocessor List

Ridgeline engages Subprocessors in connection with the Services across three categories: “Core Subprocessors” support the Ridgeline Service’s infrastructure as a whole. “Secondary Subprocessors” support certain limited components of the Ridgeline Service. “Support Subprocessors” facilitate customer support, monitoring, and information exchange related to the Ridgeline Service.

As the Ridgeline Service grows, Ridgeline may change Subprocessors and will update the Subprocessor List in accordance with the DPA. To receive notifications about changes to the Subprocessor List, please subscribe to Ridgeline’s Trust Center at https://trust.ridgelineapps.com/. Ridgeline’s Subprocessors store data only in the United States. Certain Subprocessors have support personnel located outside the United States who may access Personal Data solely to provide customer support.

‍

CORE SUBPROCESSORS

‍

SECONDARY SUBPROCESSORS

‍

SUPPORT SUBPROCESSORS

‍

Product Supplement - CUSIP Global Services (“CGS”) Terms

In the event Customer has a license agreement with CGS (“Other Agreement”) that permits broader rights than those granted below, then the terms of Customer’s Other Agreement shall govern Customer’s use of the CUSIP Database and/or any information contained therein for so long as such agreement remains in effect.

Customer agrees and acknowledges that the proprietary rights to the CUSIP databases (“CUSIP Database”) and the information contained therein is and shall remain valuable intellectual property owned by, or licensed to, CGS and the American Bankers Association (“ABA”), and that no proprietary rights are being transferred to Customer in such materials or in any of the information contained therein. Any use by Customer outside of the clearing and settlement of transactions requires a license from CGS, along with an associated fee based on usage. Customer agrees that misappropriation or misuse of such materials will cause serious damage to CGS and ABA, and that in such event money damages may not constitute sufficient compensation to CGS and ABA; consequently, Customer agrees that in the event of any misappropriation or misuse, CGS and ABA shall have the right to obtain injunctive relief in addition to any other legal or financial remedies to which CGS and ABA may be entitled.

Customer agrees that Customer shall not publish or distribute in any medium the CUSIP Database or any information contained therein or summaries or subsets thereof to any person or entity except in connection with the normal clearing and settlement of security transactions. Customer further agrees that the use of CUSIP numbers and descriptions is not intended to create or maintain, and does not serve the purpose of the creation or maintenance of, a master file or database of CUSIP descriptions or numbers for itself or any third-party recipient of such service and is not intended to create and does not serve in any way as a substitute for the CUSIP MASTER, DATABASE, INTERNET, ELECTRONIC Services and/or any other future services developed by CGS.

NEITHER CGS, ABA NOR ANY OF THEIR AFFILIATES MAKE ANY WARRANTIES, EXPRESS OR IMPLIED, AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF ANY OF THE INFORMATION CONTAINED IN THE CUSIP DATABASE. ALL SUCH MATERIALS ARE PROVIDED TO CUSTOMER ON AN “AS IS” BASIS, WITHOUT ANY WARRANTIES AS TO MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE NOR WITH RESPECT TO THE RESULTS WHICH MAY BE OBTAINED FROM THE USE OF SUCH MATERIALS. NEITHER CGS, ABA NOR THEIR AFFILIATES SHALL HAVE ANY RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR OMISSIONS NOR SHALL THEY BE LIABLE FOR ANY DAMAGES, WHETHER DIRECT OR INDIRECT, SPECIAL OR CONSEQUENTIAL, EVEN IF THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF CGS, ABA OR ANY OF THEIR AFFILIATES PURSUANT TO ANY CAUSE OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE, EXCEED THE FEE PAID BY CUSTOMER FOR ACCESS TO SUCH MATERIALS IN THE MONTH IN WHICH SUCH CAUSE OF ACTION IS ALLEGED TO HAVE ARISEN. FURTHERMORE, CGS AND ABA SHALL HAVE NO RESPONSIBILITY OR LIABILITY FOR DELAYS OR FAILURES DUE TO CIRCUMSTANCES BEYOND THEIR CONTROL.

Customer agrees that the foregoing terms and conditions shall survive any termination of its right of access to the materials identified above.

‍

Product Supplement - NYFIX Acceptable Use Policy and Terms

The following provisions (“NYFIX AUP” or this “Supplement”) apply to Customer (together with its Authorized Users, the “User”) when using (a) the NYFIX Marketplace, which is the NYFIX Inc. proprietary FIX protocol community and network enabling Customer and other users to deliver or receive non-executable indications of interest and advertise trades; or (b) ULLink Inc. Managed Services (collectively, the “NYFIX Services”). ULLink Inc., NYFIX Inc., Itiviti Group AB and any applicable affiliates of such entities are collectively referred to as “NYFIX”. In the event Customer has a license agreement with NYFIX (“Other Agreement”) that permits broader rights than those granted below, then the terms of Customer’s Other Agreement shall govern Customer’s use of the NYFIX Services so long as such agreement remains in effect. The User agrees as follows:

1. Term of use: NYFIX shall have the right to terminate use of the NYFIX Services by giving 30 days written notice to terminate if the User (a) commits a breach of the attached Policy; or (b) ceases to do business, is declared insolvent or becomes subject of receivership. NYFIX shall have the right to terminate use of the NYFIX Marketplace by giving 30 days written notice to terminate if NYFIX is restricted or prohibited from performing its obligations due to laws or regulations or the rules and regulations of any exchange or venue, any self-regulatory agency, or government body having jurisdiction.
2. NYFIX Marketplace: The following apply to the User’s connection to and use of the NYFIX Marketplace: (a) NYFIX shall perform certification testing for all FIX Services to allow User to participate in the marketplace. NYFIX shall not be liable for problems or delays in such certification that are attributable to User. (b) When using the NYFIX Marketplace the User shall input and receive data. The User: (i) shall ensure that it has the right to provide and receive such data; (ii) agrees that it inputs data so that NYFIX may process and transmit User’s data through the Marketplace; (iii) agrees that NYFIX may collect, collate and distribute aggregate statistical analyses and summarized service usage information relating to use of the Marketplace provided that such information will be anonymized, such that it shall not include any data identifying the Customer. (c) The User shall hold NYFIX harmless against all claims arising from the proper transmission and processing of the Client’s data and fully indemnify NYFIX for damages, losses, expenses, or proceedings arising therefrom.
3. DISCLAIMER OF WARRANTIES: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ITIVITI GROUP AB AND ITS AFFILIATES PROVIDE THE NYFIX SERVICES TO THE USER AND ITS AFFILIATES AND ANY SUPPORT SERVICES RELATED TO THE NYFIX SERVICES ("SUPPORT SERVICES") AS IS AND WITH ALL FAULTS. ITIVITI GROUP AB AND ITS AFFILIATES HEREBY DISCLAIM WITH RESPECT TO THE SERVICES AND SUPPORT SERVICES ALL WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY AND ALL WARRANTIES OR CONDITIONS OF OR RELATED TO: TITLE, NON INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, LACK OF NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT, QUIET ENJOYMENT, QUIET POSSESSION, AND CORRESPONDENCE TO DESCRIPTION; (B) THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SERVICES AND ANY SUPPORT SERVICES REMAINS WITH THE USER.
4. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL, AND CERTAIN OTHER DAMAGES: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ITIVITI GROUP AB AND ITS AFFILIATES BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER INCLUDING: (A) DAMAGES FOR: LOSS OF PROFITS, LOSS OF CONFIDENTIAL OR OTHER INFORMATION, BUSINESS INTERRUPTION; (B) PERSONAL INJURY; (C) LOSS OF PRIVACY; (D) FAILURE TO MEET ANY DUTY (INCLUDING OF GOOD FAITH OR OF REASONABLE CARE); (E) NEGLIGENCE; AND (F) ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SERVICES OR THE SUPPORT SERVICES, OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES EVEN IF ITIVITI GROUP AB AND ITS AFFILIATES OR RIDGELINE INC. OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. LIMITATION OF LIABILITY AND REMEDIES: NOTWITHSTANDING ANY DAMAGES THAT USER MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION ALL DIRECT OR GENERAL DAMAGES), THE ENTIRE LIABILITY OF ITIVITI GROUP AB AND ITS AFFILIATES AND THE USER’S EXCLUSIVE REMEDY FOR ALL THE SERVICES OR THE SUPPORT SERVICES SHALL BE LIMITED TO U.S. $5000. THE FOREGOING LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.
6. GOVERNING LAW; THIRD-PARTY BENEFICIARY: This Supplement is governed by and must be construed under the laws of the State of New York. The federal and state courts of New York County, New York, have exclusive jurisdiction over and venue of any suit that relates to this Supplement. The parties hereby waive their right to a trial by jury. Notwithstanding any other provisions to the contrary in the Agreement (including thisSupplement), NYFIX shall benefit from and have the right to enforce the terms of this Supplement against the Users.
7. EFFECTIVENESS OF THIS SUPPLEMENT: This Supplement shall be effective on the date of the effectiveness of the MSA to which it is attached or Order Form in which it is referenced or incorporated.

‍

NYFIX Acceptable Use Policy

Introduction:

This Acceptable Use Policy (the “Policy”) defines acceptable practices for the use of the NYFIX Services.This Policy applies to all aspects of the NYFIX Services. This Policy is designed to assist in protecting the Customers, the NYFIX Services, NYFIX and the community as a whole from improper and/or illegal activity over or utilizing the NYFIX Services. In situations where data communications are carried across networks of Internet Service Providers or via third-party Application Server Providers (together “Providers”), User must also conform to the applicable acceptable use policies of other Providers.

By accessing the NYFIX Services, each such user of the NYFIX Services (“User”) is responsible for compliance with this Policy, including by any person or entity that accesses the NYFIX Services through User’s equipment, systems, networks, or other facilities.

Prohibited Uses

Illegal Activity: The NYFIX Services shall not be used for any unlawful activities or in connection with any criminal or civil violation. The NYFIX Services shall in all cases be used in compliance with applicable law and regulation. Use of the NYFIX Services in any manner, including without limitation for transmission, distribution, retrieval, or storage of any information, data or other material, in violation of any applicable law or regulation (including, where applicable, any tariff or treaty) is prohibited.

Unauthorized Access/Interference: User shall not attempt to gain unauthorized access to, or attempt to interfere with or compromise the normal functioning, operation or security of the NYFIX Services or other systems or networks. User shall not use the NYFIX Services to engage in any activities that may interfere with the ability of others to access or use the NYFIX Services. User shall not use the NYFIX Services to monitor, gather or mine any data, information or communications on any network or system without authorization. User shall not attempt to gain unauthorized access to the user accounts or passwords of other Users.

Infringement: User shall not use or transmit any data or material protected by copyright, service mark, trademark, trade secret, patent or other intellectual property right without proper authorization.

Unsolicited Commercial Email: User shall not use the NYFIX Services to transmit unsolicited commercial e-mail messages or deliberately send excessively large attachments to any recipient (“spamming” or “mailbombing”). User shall not use the NYFIX Services to collect responses from mass unsolicited e-mail messages.

Spoofing/Fraud: User is prohibited from intentionally injecting false data into the NYFIX Services, including bad routing information (the announcing of networks owned by someone else or reserved by the Internet Assigned Numbers Authority) or incorrect DNS information. User shall not send, or attempt to send messages or transmit any electronic communications using a name or address of someone other than the User. Any attempt to fraudulently conceal, deceive, forge or otherwise falsify a User's identity in connection with use of the NYFIX Services is prohibited.

Export Violations: User shall not violate any export regulations.

Responsibilities of Users

Security and Content: User is solely responsible for maintaining the security of its networks, software, programs, products, services, equipment and applications. User shall be solely responsible for any information or material they maintain, transmit, post, distribute, or otherwise make available on, through, using or in connection with the NYFIX Services and for any actions they take based upon any information or material that they receive from the NYFIX Services.

Disclaimer: User acknowledges that the NYFIX Services are provided in conjunction with or enable access to underlying third-party data or market information providers or sources such as exchanges or liquidity pools, third-party connectivity providers, third-party software (collectively or individually “Third-Party Service Providers”). NYFIX Inc. and / or ULLink Inc., their affiliates and licensors shall be neither responsible nor liable for any disputes or claims, including without limitation in breach of contract, tort (including negligence), misrepresentation or breach of statutory duty, that relate to products or services provided by Third-Party Service Providers.

Governing Law: This Policy is governed by and must be construed under the laws of the State of New York. The federal and state courts of New York County, New York, have exclusive jurisdiction over and venue of any suit that relates to this Policy. The parties hereby waive their right to a trial by jury.

‍

Confidential © Ridgeline, Inc. 2025