The URL can be used to link to this page

Home My WebLink AboutContract 59127AuditBoard, Inc. AuditBoard, Inc. 12900 Park Plaza Dr., Suite 200 Cerritos , CA 90703 auditboard .com ("AuditBoard") A. INCLUDED USE AND USE RIGHTS Table 1: Subscription Fees SERVICES OpsAudit- Professional DESCRIPTION AuditBoard Intelligence (ABI Dashboards) RestAPI Aud it Forms Audit Project Management Aud it Issue Management (Standard) Audit Universe Risk Assessment (Standard) I Audit Universe Risk Assessment (Custom) Inventory/ Auditable Entities I Document Requests and Surveys Reports API Reports Module Required Fields Risk-Based Audit Frequencies Timesheets Word-Based Audit Reports Work Step Preparer Digest WorkStream (Standard) I WorkStream (Custom) Microsoft Office Add-in WorkStream Conditional Questions I WorkStream Recurrence Integrations -Standard Integrations -Project Management Integrations -SSO Pack ORDER FORM# Quote Number: Q-03041 City of Fort Worth 200 Texas St. Fort Worth , TX 76102 Billing Information: Billing Contact Person : Tom Wilson Billing Email for invoices: tom.wilson@fortworthtexas.gov Billing Contact Number: PO Required? If yes , PO#: Additional Billing Instructions : (i.e., Portal Registration) ("Customer") INCLUDED USE Up to 12 Core Users Up to 500 Aud its Unlimited Stakeholders Table 1: Subscription Fees Total: OfF!CIAL RECORD ANNUAL FEE $55 ,000 $55 ,000 Page 1 of 4 crrv SECR~ 0 REC'D FT. WORTH ~i1~ 2 t '23 Ald0:40 IMPLEMENTATION ONE TIME FEE OpsAudit -Standard Implementation $30 ,000 Implementation Fees Total: $30 ,000 If Customer exceeds its Included Use for the AuditBoard Services listed in Table 1 above, Customer shall immediately owe the following incremental fees: Table 2: Incremental Subscription Fees Over Included Usage OpsAudit -Professional -Overage Fee $3 ,215 Core Users Usage Rights Subscription Start Date: Order Effective Date Subscription End Date: 36 month(s) from the Order Effective Date Customer may use the services and modules set forth herein and in any other active Order between the parties , each as AuditBoard makes available through the website cityoffortworth .auditboardapp .com , i ncluding the website itself, and any audio or visual information , documents , text, images , data or other software or services offered by AuditBoard in connection therewith (the "Services") during the subscription term having the Subscription Start Date and Subscription End Date set forth above (the "Initial Term "). Upon expiration of the In itial Term , this Order will immediately renew for a term of one (1) year and will continue to renew for subsequent one (1) year terms (each a "Renewal Term " and collectively, with the Initial Term , the "Term ") on each anniversary of the commencement of the first Renewal Term at AuditBoard 's then-current rates unless either party provides written notice of its intent not to renew the Order at least thirty (30) days prior to the end of the then-current Term . B. TERMS OF YOUR ORDER THIS ORDER FORM (this "Order") together with the AuditBoard Subscription Agreement, with its Exhibits attached hereto as Appendix A , the applicable Service Specific Licensing Terms , attached hereto as Append ix B , the Implementation SOW, a copy of which is attached hereto , as Appendix C , as a non-binding snapshot of the Implementation SOW at the time of entering into the Agreement , and the Addendum to Subscription Agreement, attached hereto as Appendix D , which Customer hereby acknowledges and accepts, constitutes the entire agreement between AuditBoard and Customer governing the Services to the exclusion of all other terms (the "Agreement"). Customer is authorized to use and access the AuditBoard products included in Table 1 solely during the Term in the quantities listed in Table 1 ("Included Use"). This Order shall be considered confidential (including , without limitation , the pricing terms contained herein). Any capitalized terms not otherwise defined herein shall have the meaning attributed in the Agreement. C. ADDITIONAL TERMS Page 2 of 4 Currency: USO Invoice and Payment Terms: DESCRIPTION PAYMENT TERMS INVOICE DATE AMOUNT (USD) Implementation Fee Net 0 Order Effective Date $30 ,000 Year 1 Subscription Fee Net 30 Order Effective Date $55 ,000 Year 2 Subscription Fee Net 30 Order Effective Date+ 1 Year $55 ,000 Year 3 Subscription Fee Net 30 Order Effective Date + 2 Years $55 ,000 TOTAL $195 ,000 Order Expiration: THE VALIDITY OF THIS AGREEMENT IS CONDITIONED ON AUDITBOARD RECEIVING A FULLY SIGNED COPY OF THIS SIGNATURE DOCUMENT NO LATER THAN 5PM PST TIME ON 3/31/2023 ("Deadline"). Notwithstand ing the foregoing , AuditBoard reserves the right to accept th is Signature Document signed or received after the Deadl ine i n AuditBoard 's sole discretion and w ill provide confirmation of its acceptance by adding its initials on the Signature Doc ument after the Deadl ine if it deems fit. [Signature Page Follows] Page 3 of4 IN WITNESS WHEREOF , AuditBoard and Customer have caused this Order to be signed and effective as of the last date signed below by their duly authorized representatives (the "Order Effective Date "). If th is Order Form is executed and/or returned to Aud itBoard by Customer after the Subscription Start Date above , AuditBoard may adj ust Invoice Dates , Subscription Start Date , and /or Subscription End Date , without increasing the Total Subscription Fees , to al ign w ith the Order Effective Date. SIGNED 3/21 /2023 DATED Tina Yeh NAME AuditBoard, Inc. SVP, Finance and operations TITLE SIGNED 3;/2-z/4t:, 2.-3 > DATED City of Fort Worth 'l>Je,{llf,1/ -z n,,/4tP4~rJ NAME TITLE Page 4 of 4 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17 AED67795 V AUDITBOARD [FOR CITY OF FORT WORTH ONLY] Appendix A SUBSCRIPTION AGREEMENT THIS SUBSCRIPTION AGREEMENT is between AuditBoard and Customer (as designated in the Order) as of the Effective Date (defined below). The parties agree as follows: PROVISION OF SERVICE . AuditBoard shall make the Service (as defined in the applicable Order) available to Customer, its Affiliates and Authorized Parties for whom Customer enables access solely for internal business purposes of Customer and its Affiliates , which is subject to this Agreement , the SLA, and the Documentation. The Service is provided in U.S. English . 2 CUSTOMER OBLIGATIONS. Customer shall have sole responsibil ity for the accuracy , quality, and legality of all Customer Data , shall take commercially reasonable efforts to prevent unauthorized access to , or use of, the Service , and shall notify AuditBoard promptly of any unauthorized access or use. Customer shall not: (1) use the Service in violation of Laws or the Documentation ; (2) send or store infringing , obscene , threatening , or otherwise unlawful or tortious material , including material that violates privacy rights in conne ction with the Service ; (3) knowingly send or store Malicious Code in connection with the Service; (4) knowingly interfere with or disrupt performance of the Service or the data contained therein ; or (5) attempt to gain access to the Service or its related systems or networks in a manner not set forth in the Documentation . Customer is responsible for its Affiliates and Authorized Parties compliance with the Agreement and any breach by its Affiliates or Authorized Parties will be deemed a breach by Customer. 3 PROPRIETARY RIGHTS : 3.1 Ownership. As between AuditBoard and Customer, Customer owns all right , title and interest to its Customer Data . As between AuditBoard , and AuditBoard's licensors , AuditBoard or its licensors own all right , title and interest to the Service, Documentation , and other AuditBoard Intellectual Property Rights. Except for the limited rights expressly granted to Customer hereunder, AuditBoard reserves all rights , title and interest in and to the Service and Documentation , including all related Intellectual Property Rights . Customer hereby grants AuditBoard a royalty-free , worldwide , transferable , sub-licensable , irrevocable , perpetual license to use or incorporate into its Services any Customer Input. AuditBoard will have no obl igation to make Customer Input an improvement. Customer will have no obligation to provide Customer Input. 3.2 Restrictions : Customer shall not (1) license , sublicense , sell , resell , lease , transfer , ass ign , distribute , time share, offer in a service bureau or otherwise commercially exploit or make any part of the Service or Documentation available to any third party ; (2) modify , copy , or create derivative works based upon any part of the Service or Documentation ; (3) knowingly interfere with or disrupt the integrity or performance of the Service or the data contained therein ; (4) provide any Sensitive Data ; (5) attempt to gain unauthorized access to the Service or its related systems or networks ; (6 ) reverse engineer or otherwise attempt to discover the underlying source or object code, structure or ideas of the Service ; or (7 ) share login credentials between more than one individual User. Customer understands and agrees that the Service is not designed to any specific security requirements for Sensitive Data . Customer is responsible for determining if the Service meets Customer's needs with regard to the data and information Customer intends to load into the Service and Customer is responsible for the activity of all its Users under the Agreement. 4 PAYMENT OBLIGATIONS. 4.1 Fees and Payment. Customer will pay all fees and charges in accordance with the terms contained in each Order. Except as set forth herein , all Orders are non-cancelable and all payments are non-refundable. The Subscription Fees and Included Use stated on an Order cannot be reduced during the relevant subscription term absent a written amendment executed by the parties . Customer will maintain accurate bil ling information with AuditBoard throughout the term and will promptly provide updates should their billing information change . Upon AuditBoard 's request , Customer shall make payments via electronic bank transfer. 4.2 Ta xes and Fees . Fees invoiced pursuant to this Agreement do not include , and may not be reduced to account for, any taxes , which may include local , state , provincial , federal or foreign taxes , withholding taxes , levies , duties or similar governmental assessments of any nature , including , but not limited to , value-added taxes , excise, use, goods and services taxes , consumption taxes , digital sales taxes or similar taxes (collectively "Taxes"). Customer is solely responsible for paying all Taxes except for those based on AuditBoard 's net income or property which shall remain the responsibility of AuditBoard. If AuditBoard has a legal obligation to pay or collect taxes for which Customer is responsible under this Agreement, the appropriate amount shall be computed based on Customer's address listed in the Order which will be used as the ship-to address , and invoiced to and paid by Customer, unless Customer provides AuditBoard with a valid tax exemption certificate authorized by the appropriate taxing authority . Except as otherwise specified in an Order, all fees due hereunder shall be paid in U .S . Dollars . An interest rate of 1.5% per month will be assessed on overdue invoices which are not subject to a good faith dispute between the parties . 4.3 Suspension for Non-Payment. Except for Subscription Fees that are subject to a reasonable and good faith dispute, if a payment is more than 30 days past due and AuditBoard has provided at least 30 days written notice to Customer, AuditBoard may suspend the Service , without liability to Customer, until such amounts are paid in full. 5 CONFIDENTIALITY . Each party or its Affiliates (the "Recipient") shall use the same degree of care that it uses to protect its own confidential information of like kind (but in no event using less than a reasonable standard of care) not to disclose or use any Confidential Information of the other party or its Affiliates (the "Discloser'') except as reasonably necessary to perform the Recipient's obligations or to exercise the Recipient's rights under this Agreement or with the Discloser's prior written permission . Either party may disclose Confidential Information on a need-to-know basis to its Affiliates , Authorized Parties , contractors, and service providers , who are bound by confidentiality obligations at least as restrictive as those in this section . To the extent required by Law, the Recipient 's disclosure of the Discloser's Confidential Information will not be considered a breach of this Agreement if the Recipient promptly provides Discloser with prior written notice of such disclosure (to the extent legally permitted) and reasonable assistance, at the Discloser's cost , if the Discloser wishes to contest the disclosure . The Discloser may seek injunctive relief to enjoin any breach or threatened breach of this section , it being acknowledged by the parties that other remedies may be inadequate . 6 DATA SECURITY. 6.1 AuditBoard shall maintain appropriate administrative , physical , and technical safeguards designed to protect the security of the Service and Customer Data in accordance with the AuditBoard Security Policy. AuditBoard shall not materially decrease the protections provided by the controls set forth in AuditBoard's Security Policy and Audit Reports . Upon Customer's request , AuditBoard will provide a copy of the Audit Reports . Customer Data shall only be used to provide the Service, to prevent or address service or technical problems , Service improvements , in accordance with the Agreement and the Documentation , or Customer instructions . To the extent AuditBoard processes Personal Data , it will only be processed in accordance with the Data Processing Addendum . V. 2 .3.23 Page 1 of 6 © 2023 DocuS ign Envelope ID : 95952A66-C886-4AE0-8C17-EE17AED67795 0 AUDITBOARD 6.2 Each party shall: (1) notify the other party without undue delay of any unauthorized copying , distribution , disclosure or processing of any Confidential Information (each a "Data Security Incident") upon becoming aware of such Data Security Incident unless legally prohibited from doing so, within forty -eight (48) hours or any shorter period required by Law except that Customer is not required to notify AuditBoard unless Customer reasonably determines there is a threat to the Service ; (2) report to the other party promptly thereafter with such details as the other party may reasonably require regarding such Data Security Incident; and (3) use reasonable efforts to immediately stop any unauthorized copying , distribution , disclosure or processing of a party's Confidential Information . 7 WARRANTIES . 7.1 Each party warrants that it has the authority to enter into this Agreement and , in connection with its performance of this Agreement , shall comply with all Laws . AuditBoard warrants that during the Term of the Agreement : (1) the Service will perform materially in accordance with applicable Documentation and (2) to the best of AuditBoard's knowledge the Service does not contain , and AuditBoard will not knowingly introduce , any Ma licious Code . AuditBoard shall correct the non-conforming Service at no additional charge to Customer, and in the event AuditBoard is unable to correct such deficiencies after good-faith efforts , AuditBoard shall refund Customer amounts paid attributable to the defective Service from the date AuditBoard received such notice . Customer shall use commercially reasonable efforts to notify AuditBoard in writing no later than 30 days after identifying a deficiency , but Customer's failure to notify AuditBoard within that period will not affect Customer's right to receive warranty remedies unless AuditBoard is impaired in its ability to correct the deficiency due to Customer's failure to notify. Notice of breaches of the warranty under item (1) above must be made through AuditBoard 's then -current error reporting system ; whereby notices of breaches of any other warranty must be made in writing to AuditBoard in accordance with the notice provisions of this Agreement. The remedies set forth in this section will be Customer's exclusive remedy and AuditBoard 's sole liability for breach of these warranties unless the breach of warranty constitutes a material breach of the Agreement and Customer elects to terminate the Agreement in accordance with section 10 (Term ination). 7.2 DISCLAIMER . WITH THE EXCEPTION OF THE REPRESENTATIONS SET FORTH IN THIS AGREEMENT, AUDITBOARD AND ITS LICENSORS MAKE NO REPRESENTATION , WARRANTY OR GUARANTEE WHATSOEVER AND DISCLAIMS, TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL WARRANTIES , WHETHER EXPRESS , IMPLIED OR STATUTORY INCLUDING , WITHOUT LIMITATION , ANY IMPLIED WARRANTY OF MERCHANTABILITY , SATISFACTORY QUALITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE . AUDITBOARD DOES NOT WARRANT THAT THE SERVICE WILL BE ERROR FREE OR UNINTERRUPTED . THE LIMITED WARRANTIES PROVIDED IN THIS AGREEMENT ARE THE SOLE AND EXCLUSIVE WARRANTIES PROVIDED TO THE CUSTOMER. 7.3 ASSUMPTION. CUSTOMER ASSUMES ALL RESPONSIBILITIES AND RISKS, FOR ITSELF AND ALL USERS , REGARDING THE PREPARATION , ACCURACY , REVIEW AND USE OF RESULTS OBTAINED THROUGH USE OF THE SERVICE , AND ANY DECISIONS OR ADVICE MADE OR GIVEN TO ANY PARTY BASED ON THE USAGE OF THE SERVICE . AUDITBOARD AND ITS AFFILIATES , OFFICERS , DIRECTORS , EMPLOYEES , AGENTS, SUBCONTRACTORS AND SUPPLIERS ARE NOT ENGAGED IN RENDERING AUDITING , ACCOUNTING , LEGAL OR OTHER PROFESSIONAL OR EXPERT ADVICE AND ARE NOT RESPONSIBLE FOR HOW THE SERVICE IS USED , THE RESULTS AND ANALYSIS DERIVED BY CUSTOMER BY USE OF THE SERVICE AND ANY DECISIONS THE CUSTOMER MAY MAKE BASED ON THE CUSTOMER'S USAGE OF THE SERVICE. 8 INDEMNIFICATION . 8.1 AuditBoard Indemnification . AuditBoard shall defend Customer, and its Affiliates , officers , directors , employees , attorneys and agents against any third -party Claim brought against Customer alleging that the use of the Service as contemplated hereunder infringes that third party's Intellectual Property Rights and shall indemnify and hold Customer harmless against any Losses arising from such third-party Claim . AuditBoard shall have no indemnification obligation for claims arising from : (1) the use or combination of the Service , or any part thereof, with other products , processes or materials not provided by AuditBoard , if the Services or use thereof would not infringe without such combination; (2) any modification to the Service made by anyone other than AuditBoard or its personnel ; or (3) Customer's use of the Service that is inconsistent with, or contrary to , the terms of this Agreement. AuditBoard may , in its sole option , obtain for Customer the right to continue to use the Service or replace or modify the Service so that they are no longer infringing . If neither of the foregoing options is reasonably available to AuditBoard , then either party may terminate the Agreement and AuditBoard 's sole liability , in addition to the indemnification obligations in this section , will be to refund any prepaid Subscription Fees for the Service that was to be provided after the effective date of termination. 8.2 Customer Indemnification . Customer shall defend AuditBoard, and its Affiliates, officers , directors , employees , attorneys and agents from and against claims and associated finally awarded costs and damages and reasonable expenses (including attorneys' fees and costs) arising out of a third -party Claim alleging that the use of (1) Customer Data or (2) data submitted by Customer , its Affiliates , or its Authorized Parties pursuant to its use of the Service as contemplated under this Agreement , infringes or misappropriates such third-parties rights or Laws and Customer shall indemnify and hold AuditBoard harmless against any Losses relating to such Claim. 8.3 Conditions . The indemnitor's obligations in sections 8 .1 and 8 .2 are conditioned on the indemnitee: (1) promptly giving written notice of the third- party Claim to the indemnitor (although a delay of notice will not relieve the indemnitor of its obligations under this section except to the extent that the indemnitor is prejudiced by such delay); (2) giving the indemnitor sole control of the defense and settlement of the third party Claim (although indemnitor may not settle any third party Claim unless it unconditionally releases indemnitee of all liability); and (3) providing to the indemnitor, at the indemnitor's cost , all reasonable ass istance . Sections 8.1 through 8 .3 state each indemnitee's exclusive remedies and the indemnitor's sole obligations related to the subject matter of these sections. 9 LIMITATION OF LIABILITY . v. 2.3.23 Page 2 of 6 ©2023 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE 17 AED67795 0 AUDITBOARD 9.1 EXCEPT WITH RESPECT TO (1) DAMAGES CAUSED BY GROSS NEGLIGENCE , WILLFUL MISCONDUCT, OR FRAUD , (2 ) EITHER PARTY 'S INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT , AND (3) CUSTOMER 'S PAYMENT OBLIGATIONS , IN NO EVENT SHALL EITHER PARTY 'S OR ANY OF ITS AFFILIATES , LICENSORS , OR SUBCONTRACTORS' AGGREGATE LIABILITY TO THE OTHER PARTY UNDER THIS AGREEMENT FOR DIRECT DAMAGES EXCEED THE AMOUNTS ACTUALLY PAID BY CUSTOMER FOR THE SERVICE DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLA IM, EXCEPT THAT FOR BREACH OF EITHER PARTY'S CONFIDENTIALITY , SECURITY, OR PRIVACY OBLIGATIONS , SUCH PARTY 'S TOTAL AGGREGATE LIABILITY SHALL BE INCREASED TO TWENTY-FOUR (24) MONTHS FEES . 9.2 IN NO EVENT SHALL EITHER PARTY , ITS AFFILIATES , LICENSORS , OR SUBCONTRACTORS , BE LIABLE TO THE OTHER PARTY FOR AN Y INDIRECT, PUNITIVE , SPECIAL , EXEMPLARY , INCIDENTAL , CONSEQUENTIAL OR OTHER DAMAGES OF ANY TYPE OR KIND (INCLUDING LOSS OF DATA, REVENUE , PROFITS , USE OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OR IN ANY WAY CONNECTED WITH THIS SERVICE , ANY INTERRUPTION , INACCURACY , ERROR OR OMISSION , REGARDLESS OF CAUSE , EVEN IF SUCH PARTY HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES . THE EX CLUSIONS IN THIS SECTION WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW. CUSTOMER'S PAYMENT OBLIGATIONS WILL NOT BE CONSIDERED AUDITBOARD 'S LOST PROF ITS. 9.3 Direct Damages . If AuditBoard materially breaches this Agreement , AuditBoard shall re imburse Customer , subject to 9.1, for reasonable costs and expenses actually paid to third partie s for : (1) amounts paid to affected third parties as damages or settlements arising from such breach ; (2) fines and penaltie s imposed by governmental authority arising from such breach; and (3) legal fees , including reasonable attorneys ' fees , to defend against third party claims arising from such breach . 10 TERM AND TERMINATION . 10.1 Term. The Agreement shall remain in full force and effect for so long as the parties maintain an active Order. Either party may terminate this Agreement: (1) for a material breach by the other party that is not cured w ithin thirty (30) days after written noti ce of such material breach , or (2) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership , liquidation or assignment for the benefit of creditors. If this Agreement is terminated , all Orders are simultaneously terminated and Customer shall , as of the date of any termination , immediately cease accessing and otherwise utilizing the Service (except as permitted unde r section 10 .3). 10.2 Refund Upon Termination . If Custome r terminates this Agreement pursuant to section 10.1, AuditBoard shall refund Customer any prepaid Subscription Fees co vering the remainder of the Term of all Subscription Fees after the effective date of termination. If AuditBoard terminates this Agreement pursuant to section 10 .1, Customer must pay any unpaid Subscription Fees covering the remainder of the term of all Orders after the effective date of termination . In no event will any termination rel ieve Customer of the obligation to pay fees payable to Audi!Board for the period pri or to the effecti ve date of termination . 10.3 Retrieval of Customer Data. If this Agreement is terminated , AuditBoard will provide access to Customer Data for thirty (30 ) days from the effective date of termination so that it can be downloaded by Customer in the same format ii was provided by Customer. Customer agrees and acknowledges tha t AuditBoard has no right or ob ligation to reta in Customer Data for more than thirty (30) days after the effective date of termination or expiration and will destroy Customer Data in its possession or control th irty (30) days after the effective date of termination or expiration of this Agreement. 10.4 Suspension . If AuditBoard reasonably determines that Custome r's use or access of the Service is causing a material risk to the security or operation of AuditBoard or any of its customer or to the continued normal operation of the other Audi!Board customers (each a "Deployment Risk "), then AuditBoard may , at any time: 10.4.1 Immediately suspend Customer's access , in whole or in part , to the Service causing the Deployment Risk , until such Deployment Risk is resolved; or 10.4.2 As a final option , where AuditBoard has first used all commercially reasonable efforts to mitigate the Deployment Risk , AudilBoard may terminate the affected Service(s ). 10.5 Survival. The termination or ex piration of this Agreement will not affect any provisions of this Agreement which by their nature survive termination or expiration , including the provisions that deal with the following subject matters : definitions, payment obligations , confidentiality , term and terminatio n , effect of termination , intell ectual property ownership , permitted use , license compliance , limitation of liability, privacy , and the "Miscellaneous " section in this Agreement. 11 MISCELLANEOUS . 11.1 Relationship of the Parties . Customer agrees that AuditBoard is acting as an independent contractor in the performance of all services provided hereunder and no joint venture , partnership , emp loyment , or agency relationship exists between Customer and AuditBoard . To the extent any subcontractors are utilized by AuditBoard in providing the Service , AuditBoard will remain responsible for the full performance of the Services and for the acts or omissions of any subcontractor arising from, or relating to, the services performed by such subcontractor . Unless otherwise specifically set forth herein , there are no third-party beneficiaries to the Agreement. 11.2 Entire Agreement. This is the entire Agreement of the parties relating to this subject and it supersedes all other commitments , negotiations and understandings . In the event of a conflict , the provisions of an Order shall take precedence over provisi ons of this Agreement and over any other exhibit or attachment. Customer acknowledges that it has had the opportunity to review all exhibits and attachments hereto. This Agreement cannot be amended except by a writing signed by both parties. This Agreement cannot be assigned without written consent of the non-assigning party . V. 2.3 .23 Page 3 of 6 ©2023 DocuSign Envelope ID: 95952A66-C886-4AE0-8C 17-EE17 AED67795 0 AUDITBOARD Notwithstanding the foregoing , either party may assign this Agreement without the consent of the other party in connection with a merger, acquisition , corporate reorganization or sale of all or substantially all of its assets so long as the assignee agrees to be bound in writing by all of the terms of this Agreement and all past due Fees are paid in full. Any attempt by a party to assign its rights or obligations under this Agreement other than as permitted by this section will be void . Subject to the foregoing , this Agreement will bind and inure to the benefit of the parties , their respective successors and permitted assigns . Notwithstanding anything to the contrary in this Agreement , no terms or conditions in a Customer purchase order or in any other Customer order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditio ns shall be null and void . 11.3 Force Majeure. Except for payment obligations , neither party will be liable to the other for any delays or failure in performance of any obligation under this Agreement in the event of and for so long as the performance of any such obligation is prevented or delayed by any cause beyond the reasonable control of such party , provided that the party prevented or delayed from performance immediately notifies the other party of such disability and resumes performance as soon as possible following removal of the disability . 11.4 Governing Law. This Agreement is made in and shall be governed by the laws of the State of California without reference to conflicts of laws. Any action arising under or related to this Agreement will be resolved in the state or federal courts (and the parties hereby consent to personal jurisdiction) in the County of Los Angeles, California . The prevailing party is entitled to recover all reasonable fees, costs and expenses of enforcing its rights , including reasonable attorneys' fees . Each party hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement . 11.5 Counterparts . Multiple signature pages , signatures delivered via pdf copy or fax , and electronic signatures will all constitute originals and together constitute the same instrument. 11.6 Notice . Unless expressly stated otherwise , all notices under this Agreement shall be in writing and shall be deemed to have been given upon : (1) personal delivery; and (2) the third business day after first class mailing . Notices to AuditBoard shall be sent to the address shown in the Order addressed to the attention of its General Counsel with a copy sent by email to legal@auditboard .com . Notices to Customer shall be sent to the address shown in the Order addressed to Customer's signatory of this Agreement. Each party may modify its recipient of notices by providing notice pursuant to this Agreement. 11. 7 Publicity. Customer hereby grants AuditBoard the right to use Customer's name and/or logo in AuditBoard 's marketing materials and on its website . 11.8 Insurance . AuditBoard will maintain , at its own expense , the types of insurance coverage specified below, on standard policy forms and with insurance companies with at least an A. M . Best rating of A-. Upon Customer's written request , AuditBoard shall provide a certificate of insurance evidencing the following coverages : (1) Workers ' Compensation insurance prescribed by applicable local law and Employers Liability insurance with limits of not less than $1 ,000 ,000 per accident; (2) Commercial General Liability insurance including Contractual Liabil ity Coverage , with coverage for products liability, completed operations , with limits of not less than $1 ,000 ,000 per occurrence and $2 ,000,000 general aggregate ; and (3) Technology Professional Liability Errors & Omissions policy (which includes Cyber Risk coverage and Computer Security and Privacy Liability coverage) with a limit of no less than $5 ,000 ,000 per occurrence and in the aggregate . 11.9 Export. Each party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Service . Without limiting the generality of the foregoing , Customer shall not make the Service available to any person or entity that: (1) is located in a country that is subject to a U .S . government embargo ; (2) is listed on any U.S. government list of prohib ited or restricted parties ; or (3) is engaged in activities directly or indirectly related to proliferation of weapons of mass destruction. 11.1 0Severability; Interpretation . If a court of competent jurisdiction holds any provision of this Agreement to be unenforceable or invalid , that provision will be limited to the minimum extent necessary so that this Agreement will otherwise remain in effect. Section headings are inserted for convenience only and shall not affect interpretation of this Agreement. 12 DEFINITIONS . The following definitions shall apply as herein : 12.1 "Affiliate " means with respect to a party to th is Agreement, any entity that directly or indirectly controls, is controlled by or is under common control with such party. "Control ", "controls ", or "controlled " with respect to this definition of "Affiliate" means the ability to direct the management and policies of an entity through the ownership of more than 50 % of the voting interest of the subject entity. 12.2 "Agreement" means the Subscription Agreement, the attached exhibits , and any executed Order. 12.3 "AuditBoard " means AuditBoard , Inc., a Delaware corporation with a place of business at 12900 Park Plaza Drive , Suite 200 , Cerritos , CA 90703. 12.4 "Audit" means a project created by Customer within the Service's OpsAudit module during a given Year consisting of one or more work steps. 12.5 "Audit Reports" means the most recently completed SOC2 audit reports and ISO 27001 Certifications or comparable industry-standard successor report prepared by AuditBoard's independent third-party auditor. 12.6 "Authorized Parties " means Customer's or an Affiliate 's User's and third-party providers who are authorized by Customer (1) in writing , (2) through the Service as a limited User, or (3) by system integration or other data exchange process to access the Service and Customer Data. 12.7 "C laim" means a claim , demand , lawsuit or other legal proceeding brought against a party to this Agreement. V. 2.3.23 Page 4 of 6 ©2023 UU\.,UVl!::fl I C::.I IVCIV~C ILJ . ;;,,-.,J;;,,-.,JL..r\VV-..._,,VVV--,-f"""'u ... v -v.._, 1, ._._ 1,, ,._....,..,, , ..,.., 0 AUDITBOARD 12.8 "Compliance Framework" means a structured set of guidelines that details processes for maintaining accordance with established regulations, specifications or legislation such as , but not limited to , Payment Card Industry Data Security Standard (PCI DSS) and/or General Data Protection Regulation (GDPR). 12.9 "Confidential Inform ation " means (1) any software utilized by AuditBoard in the provision of the Service and its respective source code ; (2) Customer Data; (3) each party 's business or technical information , including but not limited to the Documentation , training materials , any information relating to software plans , designs , costs , prices and names , finances , marketing plans , business opportunities , personnel , research , development or know-how that is designated by the Discloser as "confidential " or "proprietary" or the Recipient knows or should reasonably know is confidential or proprietary ; and (4) the terms , conditions and pricing of this Agreement (but not its existence or parties). Confidential Information does not include any information that , without the Recipient's breach of an obligation owed to the Discloser: (1) is or becomes generally known to the public ; (2) was known to Recipient prior to disclosure by Discloser; (3) was independently developed by Recipient ; or (4) is received by Recipient from a third party . 12.10 "Control" means , collectively , Tested Controls and Non-Tested Controls. 12.11 "Customer Data " means electronic data and information supplied by or on behalf of Customer to the Service . 12.12 "Customer Input" means suggestions , enhancement requests , recommendations or other feedback provided by Customer, its Users and/or Affiliates relating to the operation or functionality of the Service . 12.13 "Data Processing Addendum " or "DPA" means the Data Processing Addendum located at: https ://auditboard.com/enterprise-ag reements/, a copy of which is attached hereto as Exhibit A 12.14 "Documentation" means AuditBoard documents generally made available to customers that may aid in the use and operation of the Service, which may be updated by AuditBoard from time to time in its sole discretion. 12.15 "Effective Date " means the Order Effective Date of the first Order between th e parties. 12.16 "Key Report" means a report , spreadsheet or any other information or evidence provided by Customer that is separately tested within the Service . 12.17 "Law" means any local, state , national and/or foreign laws , treaties and/or regulations applicable to the respective party . 12.18 "Loss" means reasonable attorneys ' fees and any damages or costs finally awarded or entered into in settlement of a Claim . 12.19 "Intellectual Property Rights" means unpatented inventions , patent applications , patents , design rights , copyrights , trademarks , service marks , trade names , doma in name rights , mask work rights , know-how and other trade secret rights , and all other intellectual property rights , derivatives thereof, and forms of protection of a similar nature anywhere in the world . 12.20 "Malicious Code " means viruses , worms , time bombs , Trojan horses and other malicious code , files , scripts , agents or programs. 12.21 "Non-Tested Control" means having the ability to only document control information and control test information on a single control page within the Service. 12.22 "Risk Page" means having the ability to document risk information on a single Risk page within the Service . 12.23 "Tested Control" means having the ability to document control information , control test information , and control testing results on a single control page within the Service . 12.24 "Order" means a written ordering document expressly referencing this Agreement signed by the parties hereto specifying the Services to be provided hereund er; an "active Order" is any Order that has not been terminated or expired. 12.25 "Security Policy" means the Security Policy located at: https ://auditboard .com/enterprise-agreements/, a copy of wh ich is attached hereto as Exhibit B . 12.26 "Sensitive Data" means an ind ividual's financial information , credit/debit/gift or other payment card information , sexual preferences , medical or health information protected under any health data protection laws, government-issued identification numbers , biometric data (for purposes of uniquely identifying an individual), and any additional types of information included within this term or any similar term (such as "sensitive personal information" or "special categories of personal information") as used in applicable data protection or privacy laws. 12.27 "SLA" means the Service Level Agreement located at: https://auditboard .com/enterprise-agreements/ and which may be updated by AuditBoard from time to time , a copy of which is attached hereto as Exhibit C. 12.28 "User" or "Us ers " means the Customer and Customer's employees , agents , consultants each (i) who are under the direction or supervision of Customer's internal audit or compliance functions and (ii ) who are authorized to use the Service and have been supplied User identifications and passwords by Customer (or by AuditBoard at Customer's request). A "Stakeholder'' is a limited User as further defined in the applicable Order . A "Core User" is any User other than a Stakeholder. [Signature page follows] V. 2.3.23 Pa ge 5 of 6 ©2023 DocuSign Envelope ID : 95952A66-C886-4AE0-BC17-EE17 AED67795 0 AUDITBOARD In witness whereof, the parties have executed this Subscription Agreement as of the date set forth below: AuditBoard , Inc. Customer: SIG NED SIGNED 3/21/2023 DATED Tina Yeh NAME NAME VP of Finance and Operations TITLE V . 2.3.23 Page 6 of 6 ©2023 Do cu Sign Envelope ID: 95952A66-CBB6-4AE0-BC 17-EE17 AE D67795 EXHIBIT A DATA PROCESSING ADDENDUM This Data Processing Addendum ("DPA") is inco r po rated into and forms part of the AuditBoard Subscription Agreement between AuditBoard, Inc. ("AuditBoard"), and Customer with respect to use of the Services (the "Agreement"). This DPA sets out the requirements for AuditBoard's processing of Personal Data on behalf of Customer for the purposes of providing the Services . This DPA is effective on the date of the Agreement. Each of AuditBoard and Customer may be referred to as a ".Qill:!Y" and together as "parties". 1. DEF I NITIONS "CCPA" means the California Consumer Pr ivacy Act, Cal. Civ. Code Section 1798.100 et seq. and its implementing regulations as may be amended from time to time. "Controller" means the entity which, along or jointly with others, determines the purpose and means of Processing of Personal Data, including as applicable any 'business' as that term is defined in the CCPA. "P rocessor'' means the entity which Processes Personal Data on behalf of the Data Controller, including as applicable any 'service provider' as that term is defined in the CCPA . "Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including local, state, national and/or foreign laws, trea ties, and/or regulations, including without limitation the GDPR , and implementations of the GDPR into national law, and CCPA, in each case as may be amended or superseded from time to time. "Data Subiect" means the Pe rson to who the Personal Data re lates. "Data Subject Request" means a request from or on behalf of a data subject to exerci se any rights in relation to their Personal Data under Data Protection Laws . "GDPR" means either or both the General Data Protection Regulation (EU) 2016/679 ("EU GDPR ") and the EU GDPR as it forms part of the United Kingdom ("UK") law by virtue of section 3 of the European Union (Withd rawal) Act 2018 ("UK GDPR") as the context may require . "Personal Data" means all Customer Data that relates to an identified or identifiable natural person . "Processing" or "Proc ess" means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, di sclos ing by transmission , disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying. "Restricted Country" means: (i) where the EU GDPR applies, a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a country outside the UK which is not based on adequacy regulations pursuant to Section 17A of the UK Data Protection Act 2018; and (iii) where the Swiss Federal Act on Data Protectio n applies, a country outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economi c Area ("EE A") to a Restricted Country; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a Rest r icted Country; and (iii) where the Swiss Federal Act on Data Protection applies, a transfer of Personal Data from Switzerland to a Restricted Country. "Security Policy" means AuditBoard's Security Policy currently located at: https://auditboard.com /enterprise-agreements/. AuditBoard may update the Security Policy from time to time provided th at such updates do not result in a material reduction of the security of the Services. "Standard Contractual Clause s" mean s (i) where the EU GDPR applies, the clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK secs"). "S ubprocesso r" means an AuditBoard Affiliate or third-party entity engaged by AuditBoard or a AuditBoard Affiliate as a Data Processor under this DPA. "Sub processor List" means the subprocessor list identifying the Subprocessors that are authorized to Process Personal Data, accessible through AuditBoard's website (current ly located at https://www .auditboard.com/subprocessors /J . "UK" means the United Kingdom. Any capitalised terms which are not defined in this DPA are as defined in the Agreement . 2. ROLES & COMPLIANCE WITH DATA PROTECTION LAWS 2.1 For the purposes of this DPA, Customer is the controller of Personal Data , and AuditBoard is the processor of Personal Data except when Customer acts as a Data Pro cessor of Personal Data , in which case AuditBoard is a Subprocessor. The Parties shall comply with all app licable Data Protection Laws. v.1.16.23 ©2023 Doc uSig n Envelope ID: 95952A66-C886 -4 AE0-8C17-EE17AED67795 2.2 AuditBoard will only process Personal Data per Customer's documented instructions. Customer instructs AuditBoard to Process Personal Data to provide the Service in accordance with the Agreement (including this DPA) and as further specified via Customer's use of the Se rvice . AuditBoa rd will notify Customer (unless prohibited by applicable law) if it is required under applicab le law to process Personal Data other than pursuant to Customer's instructions. Further, AuditBoa rd will, as soon as reasonably practicable upon becoming aware, inform the Customer if , in AuditBoard 's reasonable opinion, any instructions provided by the Customer infringe Data Protection Laws. To the extent the CCPA applies to Personal Data, Audit Board will not (i) Sell or Share Personal Data, no r (ii) retain, use or disclose Personal Data for any pu rpose othe r than to provide the Services in accordance with the Ag reement; (iii) retain, use, or disclose Pe rsonal Data outside the direct business relationship between AuditBoa rd and Customer; (iv) combine Personal Data with personal information that AuditBoard has received from another AuditBoard customer, except as permitted under the CCPA . The Term "Sell" and "Share" shall have the meaning set forth in the CCPA . 3. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES 3.1 AuditBoard will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data , in particular protection against accidental or unlawful dest ruction, loss, alteration, unauthorised disclosure of, or access to Personal Data as outlined in Security Po licy. 3.2 AuditBoard shal l require sc reening of its personnel who may have access to Personal Data and shall requ ir e such personnel (i) to Process Personal Data in accordance with Customer's instructions as set forth in this DPA, (ii) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data; and (iii) to be subject to confidentiality obligations which shall survive the termination of employment. AuditBoard will take reasonable steps to ensu re that any pe rsons whom it autho rizes to access the Pe rsonal Data are unde r ob ligations of confidentiality which sha l l survive the termination of employment. 4 . DATA SECURITY INCIDENTS 4.1 Data Se curity I ncidents . Aud itBoa rd wi l l notify Customer of any Data Security Incident as outlined in section 6 of the Ag reement for Personal Data breaches. S. FURTHER ASSISTANCE 5.1 Ass istance with Data Subject Requests. AuditBoard wi ll, in a manner consiste nt with the functionality of the Se rvice and AuditBoa rd's ro le as a Processor, provide reasonable support to Customer to enable Customer to respond to Data Subject Requests . 5 .2 Handling of Subje ct Requests . For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. If AuditBoard receives a Data Subject Request or othe r complaint from a Data Subject rega rd i ng the Processing of Personal Data, AuditBoard will promptly forward such request or complaint to Customer, provided the Data Subject has given suffic ient information for AuditBoa rd to identify the Customer. 5.3 Data Protection Impact Assessm e nts and Prior Consultations . Custome r agrees that, to the extent applicable, AuditBoard's then-current SOC 2 audit reports (or comparable industry-standard successor reports) and/or AuditBoard's ISO certifications wi l l be used to carry out Customer's data protection impact assessments and prior consu ltations, and AuditBoa rd sha l l make such reports avai lab le to Custome r. To the extent Customer requi res additional assistance to meet its obligations under applicab le Data Protection Law to carry out a da t a protection impact assessment and prior consultation with the competent supervisory authority related to Custome r's use of the Service, AuditBoard will , taking into account the nature of Processing and the information available to AuditBoa rd, provide such assistance to Customer, at the Customer's cost to be agreed beforehand . 6. SUBPROCESSORS 6.1 Customer he reby agrees and provides a general authorization that AuditBoard and Audit Board's Affiliates may engage Subprocessors. AuditBoard will make available to Customer a Subprocessor List and provide Customer with a mechanism to obtain notice of any updates to the Subprocessor List. AuditBoard will provide notice to Cus t omer at least 30 days prior to authorizing any new Subprocessor to process Personal Data by updating the Subprocessor List. 6.2 AuditBoard will consider any of Customer's reasonable objections t o a new Sub processor within 30 days of Custome r's notification of such new Subprocessor pursuant to Section 6.1 to the extent that Customer is located in the EEA, the UK, or Switze rland or where otherwise requi red by Data Protection Laws applicable to Customer. If Customer has a reasonable objection to any new o r rep lacement Subprocesso r and the parties cannot agree a resolution within thirty (30) days of the objecti on, Customer's sole and exclusive remedy is to terminate the relevant portion(s) of the Se rvice within those thirty (30 ) days, by providing written notice to AuditBoard. Upon any termination by Customer pursuant to this Section , AuditBoa rd shall refund Customer any prepaid fees for the terminated portion(s) of the Service that were to be provided after the effective date of termination. 6.3 AuditBoard wi ll ente r i nto a w ritten contract w ith each Subprocesso r which imposes on such Subprocesso r terms no less protective of Personal Data than those imposed on AuditBoa rd in this DPA. AuditBoard shall be liab le to Customer for any breach by such Subprocessor of any of ob ligation set forth herein to the extent as if the acts or omissions were performed by AuditBoa rd. 7. INTERNATIONAL TRANSFERS 7.1 Customer ag rees that its use of the Services may involve the t ransfer of Pe rsonal Data to, and processing of Persona l Data in, locations outside of the EEA, UK or Switzerland from time to time, such as fo r purposes of providing support to Custome r. 7.2 Processor-to-Processor secs. Where AuditBoa rd is located within the EEA, UK or Switzerland AuditBoard has implemented the Standard Contractual Clauses for any Rest ri cted Transfers of Persona l Data from Aud itBoard (as "data exporter") to Subprocessors (as "da t a importers"). 7.3 Controller-to-Processor secs . Where AuditBoard is located in a Restricted Country, the Standard Cont ractual Clauses will apply to any Restricted Transfe rs from Customer (as "data exporter'') to AuditBoard (as "data importer") as follows: v.1.16.23 ©20 23 DocuSign Envelope ID : 95952A66-C886-4AE0-8C17-E E17AED67795 7.4 EU Personal Data . In relation to Personal Data that is protected by the EU GDPR, the EU secs will apply completed as follows: (i) Module 2 applies unless the Customer is a Processor in which case Module 3 applies; (ii) in Clause 7, the optional docking clau se will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be in accordance with the notification process set out in Section 6.1 of this DPA ; (iv) in Clause 11, the optional redress langu age will not apply; (vi) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law specified in the MSA, provided that law is an EEA Member State law recognizing third party beneficiary rights, otherwise, the laws of Ireland app ly; (vi) in Clause 18(b), disputes shall be resolved before the courts speci fi ed in the MSA, provided these courts ar e located in an EU Member State, otherwise those co urts shal l be the courts of Ireland; (vii) Annex I of the Standard Contractual Clauses shall be deemed completed with the informat ion set out in Annex I to this DPA; and (viii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in the Security Policy . 7.5 UK Personal Data . In relation to Personal Data that is protected by the UK GDPR ("UK Personal Data"), the UK SCCs will apply as follows: (i) The EU secs, completed as set out in Section 7.4 above , shal l also app ly to transfers of such UK Pe rsonal Data; and (ii) The UK Addendum sha l l be deemed executed between the transferring Customer and AuditBoard, and the EU secs shall be deemed amended as specified by the UK Addendum in re spect of the transfer of such UK Personal Data. Tab le s 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU secs, comp leted as set out in Section 7.4 above, and the options "Exporter" and "Importer" sha ll be deemed checked in Table 4. The start date of the UK Addendum (as set out in Tabl e 1) shall be the effective date of this DPA . 7.6 Swiss Personal Data . In relation to Personal Data that is protected by the Swiss Fed eral Act on Data Protection, the EU secs will apply amended and adapted as follows: (i) the Swiss Federal Data Protection and Information Commissioner is the exclusive supervi sory authority; (ii) the term "member state" must not be i nterpreted in such a way as t o exclude data subjects in Switzerland from the possibility of suing for thei r right s in their place of habitual residence (Switzerland) in accordance with Clause 18; and (iii) references to the GDPR in the EU SCCs shall also include the reference to the equ ivalent provisions of the Swiss Federal Act on Data Protection (as amended o r replaced). 7.7 Clarifications . The Standard Contractual Clauses will be subject to the following clarifications: (i) AuditBoard will allow Customer to cond uct audits as desc r ibed in the Standard Contractual Clauses in accordance with Section 8 of this DPA. (ii) Customer co nse nts to Aud itBoa rd appointing Subprocesso r s in accordance with Section 6 of this DPA, and Custome r may exercise its right to object to Subprocessors under the Standard Contractual Clauses in the manner set o ut in Section 6.2. (iii) AuditBoard sha ll return and delete Customer's data in accordance with Section 9 of this DPA . (iv) Customer agrees that any assistance that AuditBoard provides to Customer under the Standard Contractual Clauses shall be in acco rdan ce with Section 5 of this DPA. (v) Nothing in this Section 7.7 of this DPA varies or modifies the Standard Contractual Clauses nor affects any supervisory authority's or data subj ect's ri ghts under the Sta nda rd Contractual Clauses. If any provision of this DPA contradicts, directly or indi rectly, th e Standard Contractual Clauses, the Standard Contractual Clauses sha l l prevail. 8 . AUDIT AND RECORDS 8.1 AuditBoard will, sub ject to the co nfidentiality terms in the Agreement, provide Customer in writing suc h information in AuditBoa rd 's possession or control as may be necessary to demonstrate compliance with its obligations under this DPA . Customer agrees that, to the extent applicable, AuditBoard's then- current SOC 2 audit reports (or compa rable industry-standard successo r reports) and/or AuditBoard's ISO certification(s) will be used to satisfy any audit or inspection requ ests by o r on behalf of Customer. Customer will not exercise the audit rights specified in this Section 8.1 more than once in any twelve (12) calendar month peri od. Any additional audits o r in spections beyond those described in this Section 8.1 will be at Customer's cos t , to be agreed in advance . 9 . DELETION OR RETURN OF DATA 9.1 Upon termination of this DPA, AuditBoard will return or delete the Personal Data in accordance with the relevant provisions of the Agreement. Notwithstan ding the foregoing, AuditBoa rd may retain Personal Data beyond termin ation so lely if, and for so long as, such Person al Data must be retained in order to comply with applicable law . 10. GENERAL 10.1 Conflicts . Thi s DPA is without prejudice to the rights and ob ligations of the parties und er the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms (including definitions) of this DPA shall prevail so fa r as the subject matter concerns the processing of Personal Data . This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements mad e fraudul ently, no other repre sentatio ns or terms shall apply or form part of this DPA. 10 .2 Customer Affiliate Enforcement. Customer's Affi liates may enforce the term s of this DPA directly against AuditBoard, subject to the following provisions: (i) Customer will bring any legal action, suit, claim or proceeding which that Affiliate would otherwise have if it were a party to the Agreement (each an "Affiliate Claim") directly against AuditBoard on behalf of suc h Affiliate, except where the Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate itse lf bri ng or be pa rty to suc h Affiliate Claim; and (ii) for the purpose of any Affiliate Claim brought directly against AuditBoard by Customer on behalf of such Affiliate in accordance with this Section , any losses suffered by the relevant Affiliate may be deemed to be lo sses suffered by Customer. 10.3 Termination . The term of this DPA will end simultaneously and automa t ica lly at the later of (i) the termination of the Agreement or, (ii) when al l Personal Dat a is deleted from AuditBoard 's systems. v.1.16.23 ©2023 DocuSign Envelope ID: 95952A66-C886-4AE0-8C 17-EE17 AED67795 10.4 Remed ies. Customer's remedies (including those of its Affiliates) with respect to any breach by AuditBoard, its Affiliates and Subprocessors of the applicable terms of this DPA, and the overal l aggregate liability of AuditBoard and its Affiliates arising out of, or in connection with the Agreement (including this DPA) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Ag r eement. 10.5 M iscellaneous . The sec tion hea dings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA. v .1.16.23 ©2023 DocuSig n Enve lope ID : 95952A66-C886-4AE0-8C17-EE17AED67795 ANNEXI Descr ipt ion of Proce ssing 1 A. LIST OF PARTIES Data ex porte r(s}: Data exporter: Customer. Contact details: As set out in the Agreement . Activities relevant to the data transferred under these Clauses: Use of Audit Board's cloud applications. Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement. Role: The data exporter's role is set forth in the DPA. Data importer(s}: Data Importer: AuditBoard, Inc. Address: 12900 Park Plaza Dr, Suite 200, Cerritos, CA 90703 Contact person's name, position and contact details: AuditBoard Legal and Privacy Team , legal@auditboard .com Activities relevant to the data transferred under these Clauses: Provide and support enterprise cloud appl ications, including audit and risk management. Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses inco r porated he r ein as of the effective date of the Agreement . Role (controller/processor): Processor 2 8. DESCRIPTI O N OF TRANSFER Categories of data subjects whose personal data is transferred: • Employee's or contact persons of Customer. Categories of persona l data t r ansfe rr ed: • Prospect s, customers , business partners and supplie rs: Name and contact information (including work address; work telephone numbers; mobile telephone numbers; web address; instant messenger; work email address); business title; company. Sensitive data transferr ed (if app licable) and applied rest r ictions or safegua r ds that fully take into consideration the natu re of the data and the risks involved, such as for instance strict pu r pose limitation, access restrictions (including access only for staff having followed special ised t raining), keeping a record of access to the data , restrictions for onward transfers or additional security measures: • None . The frequency of the t ransfer (e.g. whether the data is transferred on a one-off or continuous basis): • Continuous. Nature of the processing: • The nature and purposes of the processing is the collection, storage, duplication, deletion, and disclosure of Personal Data pursuant to providing the Services to Customer (including AuditBoard's provision of its enterprise cloud applications, including SoxHub and audit management). Purpose(s} of the data transfer and further processing: • Provide and support enterprise cloud applications. The period for which the pe rsonal data wi ll be retained, or, if that is not possible, the criteria used to dete r mine that period: • Personal Data will be retained for the duration of the Agreement. v.1.16.23 ©2023 U0CU::»1gn ~nve1ope 1u : t:10::K>LMoo-voou-..f"'\cu-uv ,, -LL. 1 , nL.vv, , ~..., For transfers to (sub-) processors, also specify subject matter, nature an d duration of the processing: • Th e subject matter, nature and duration of the data importer's transfers to sub -processors are as se t out within the Subprocessor List (cu rrently located at https://www.auditboard.com/subprocessors/J. 3 C. COMPETENT SUPERVISORY AUTHORITY Identify the competent supervisory authority/ies in accordance with Clause 13 • The supervisory authority is the Data Protection Commis sion of Ireland. v.1.16.23 ©2023 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE 17 AED67795 ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA AuditBoard has implemented and maintain s appropriate technical and organisational measures to ensure a level of security commensu r ate to the risk to the Per so nal Information as outlined in the Security Policy. Such measures include taking appropriate level of secu rity, taking into acco unt the nature, scope, context, and purpose of the pro cess ing, and the ri sks for the rights and freedoms of natural persons. v.1.16.23 ©2023 DocuSign Envelope ID : 95952A66-C886-4AE0-BC 17-EE17 AED67795 0 AUDITBOARD EXHIBIT B Security Policy AuditBoard maintains documented policies and procedures ("Security Policy") that includes appropriate administrative , physical , technical and organizational measures designed to: (i) protect the security, confidentiality , availability and integrity of Customer Data ; (ii) protect against accidental or unlawful destruction , loss , alteration , unauthorized disclosure of Customer Data: (iii) protect against threats or hazards to the security , confidentiality , availability and integrity of Customer Data ; and (iv) comp ly with Applicable Data Protection Laws by which AudilBoard may be regulated. AuditBoard shall regularly monitor, evaluate and assess the effectiveness of the administrative , physical , technical and organizational measures implemented. AuditBoard's administrative , physical , organizational and technical measures shall include , at a minimum , the following: 1. ACCESS TO CUSTOMER DATA. Access controls to manage access to Customer Data and system functionality , unique IDs and passwords , strong (i.e ., two-factor) authentication for remote access systems , and promptly revoking or changing access in response to terminations or changes in job functions. AuditBoard shall prevent disclosure or dissemination of Customer Data to any person not having a need to know of or access to such information. Access to Customer Data must therefore respect the "need to know" and "least privilege" principles : access can only be granted to persons whose function justifies ii, for a specific purpose and their privileges are restricted to the strict minimum necessary to perform their duties . AuditBoard shall implement and maintain controls to ensure the proper segregation of systems and data and make sure Customer Data and/or systems are properly isolated . 2 . ACCESS CONTROL TO SYSTEMS; PASSWORD MANAGEMENT. Unauthorized access to information technology systems must be prevented , including through the use of technical and administrative measures for user identification and authentication . AuditBoard shall ensure appropriate password hardening standards are in place that align with accepted industry security frameworks to ensure sufficient controls , including use of passwords with sufficient length. 3 . PHYSICAL SECURITY. AuditBoard shall provide technical and organizational measures to control access to premise and facilities and prevent unauthorized access . Controls are in place to protect AuditBoard's information technology infrastructure from environmental hazards , to manage and monitor employees into and out of Audi!Board's facilities where Customer Data is processed , and to otherwise prevent unauthorized individuals from gaining physical access to premises , buildings or rooms where systems that process Customer Data. 4 . NETWORK SECURITY. Network security controls shall include the use of firewalls , layered DMZs , and updated Intrusion Detection and/or Prevention Systems to help protect systems from intrusion or limit the scope or success of any attack or attempt of unauthorized access . 5. VULNERABILITY AND PATCH MANAGEMENT. Vulnerability management procedures and technologies shall be used to identify and mitigate against security vulnerabilities . AuditBoard shall ensure that application system and network device vulnerabilities are evaluated and security patches are applied in a timely manner. AuditBoard shall also conduct periodic penetration testing of Internet facing applications and shall use a risk based approach to determine the liming for remediation of the vulnerabilities . AuditBoard shall remediate or mitigate critical or high risk vulnerabilities discovered under this Section promptly. 6 . POLICY REVIEW. AuditBoard shall review its Security Policy at least annually and provide change management procedures to ensure all modifications to AuditBoard's technology and information assets are tested , approved , recorded and monitored as needed . 7 . ADMINISTRATIVE/ORGANIZATIONAL MANAGEMENT. Organizational management shall ensure the proper development and maintenance of information security and technology policies , procedures and standards, including the Security Policy . 8 . INPUT (DATA INTEGRITY); AUDITING, LOGGING. Audi!Board shall retain information system log records to the extent needed to enable monitoring and reporting of unauthorized information system activity, including account logon events , account management, security events , policy change , privileged functions and administrator account creation/deletion . AuditBoard shall conduct regular reviews for indications of inappropriate or unusual activity , and AuditBoard shall protect log records from unauthorized access , unauthorized release , loss , modification , falsification , and deletion. This includes making sure it is possible to examine and establish whether , and by whom , Customer Data have been entered , modified or removed from its information technology assets and infrastructure. V. 7.5.22 ©2022 UU\,;UVl~II CIIVCIU..,C:: ILJ . .:J.J.:J.JLJ"'\vv-.._,vvv......,.,---,.._v v-,, ._,_, •• •---•, -- 0 AUDITBOARD 9. CONTINGENCY PLANNING. AuditBoard maintains policies and procedures for responding to a disaster or business continu ity issue , that damages or makes unavailable Customer Data or systems that contain Customer Data , including a data backup plan and a disaster recovery plan . 10. JOB CONTROL. Processing of Customer Data occurs only as permitted by Agreement. Th is includes implementing appropriate security and integrity procedures , such as (i ) requiring AuditBoard employees, representatives and other personnel to sign terms and conditions requiring confidentiality and information security responsibilities , including requirements to protect Customer Data and compliance with the Agreement and with applicable laws (includ ing Applicable Data Protection Laws}, and (ii ) providing appropriate privacy and information security training to such AuditBoard's personnel. 11 . SECURE DESTRUCTION AND DISPOSAL. Developing , implementing and maintaining appropriate measures designed to destroy or otherwise properly sanitize Customer Data prior to disposal , includ ing release of technology infrastructure and assets used to process Customer Data out of organizational control , or release of such systems for reuse . Proper destruction or sanitization methods include compliance with NIST-developed guidelines for media sanitization , to ensure that third parties cannot obtain Customer Data in hardcopy form and Customer Data in digital form is not recoverable by any known forensic means . 12 . DISCLOSURE (TRANSMISSION) CONTROL; ENCRYPTION. Aud itBoard shall encrypt all Customer Data in transit and at rest using industry standard encryption protocols . 13. AVAILABILITY CONTROL; BUSINESS CONTINUITY; TRANSITION OF SERVICES; DATA PORTABILITY. Customer Data is protected against accidental destruction or loss (including -requirements specified in th is Agreement). Comprehensive data assurance mechanisms are employed includ ing backups , data redundancy , environmental controls (e.g ., fire and smoke detectors , fire suppression and secure facilities ) and the implementation , maintenance and regular testing of disaster recovery plans . V. 7.5.22 ©2022 Do c uSign Envelope ID : 95952A66-C886-4A E0-8C 17-EE 17 AED67795 0 AUDITBOARD EXHIBIT C AuditBoard, Inc. Service Level Agreement This Service Level Agreement is subject to the Agreement , and is only effective after Customer's Go-Live Date. For clarity , this Service Level Agreement applies only to production environments and does not apply to sandbo x environments . I. SOFTWARE AVAILABILITY The Services shall be available 99 .9%, measured monthly , excluding holidays and weekends and scheduled maintenance . If Customer requests maintenance during these hours , any uptime or downtime calculation wi ll exclude periods affected by such maintenance . Further, any downtim e resulting from outages of th ird-party connections or util ities or other reasons beyond AuditBoard 's control will also be excluded from any such calculation. Customer's sole and exclus ive remedy , and AuditBoard 's entire liability , in connection with Service availability shall be that for each period of downtime lasting longe r than one hour, AuditBoard wi ll credit Customer 1/365 of the Annual Fee for the relevant product(s ) set forth in the applicable Order ; provided that no more than one such credit will accrue per day . Downtime shall beg in to accrue as soon as Customer (with notice to AuditBoard ) recognizes that downtime is taking place , and contin ues until the avai lability of the Service is restored . In order to receive downtime credit , Customer must notify AuditBoard in writing w ith in 24 hours from the time of downtime , and failure to provide such notice w ill forfeit the right to receive downtime credit. Such credits may not be redeemed for cash and shall not be cumulative beyond a total of cred its for one (1) wee k of fees for the appl icab le product (s) in any one (1 ) calendar month in any event. AuditBoard 's blocking of data communicat ions or other Service in accordance with its po li cies shall not be dee med to be a failure of Aud itBoard to provide adequate service levels under this Agreement. II. SUPPORT ADDENDUM Th is Support Addendum sets out what levels of support the Customer can expect to receive for the term of the Agreement as well as the procedures should a "defect" occur. a. Contact Customer may contact AuditBoard by phone , email , or through the Service as set forth below . Any requests submitted to AuditBoard by a method not listed in t his section (a) will not be subject the response times set forth below. Phone : +1 .877 .769 .5444 , press Option #2 for Support Email : support@auditboard .com In App : The Help Center, including the ability to submit a support request are accessible w ithin the Service itse lf. b. General Queries AuditBoard endeavors to respond to all general queries about the application wi t hin one (1) business day . For the avoidance of doubt, queries tha t can be addressed or resolved directly by Users in the Service including , w ithout limitation , adjusting roles and permissions , performing data imports , and making configuration updates are not intended to be in scop e for the purposes of this Support Addendum and support for such requests will be provided by AuditBoard solely at its discretion and , if provided , will be limited to directing Users to resources wh ich enable them to resolve the related query the mselves . c. Support Incident Response Time AuditBoard 's policy is to respond to all errors or outages in accordance with the table below. An incident ticket is assigned a priority number based on the nature of the issue. v . 02/18/2020 1 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17AED67795 0 AUDITBOARD The below section describes the priority levels as defined by AuditBoard : P1 -Critical P2 -High P3 -Low • Outage of the AuditBoard service • Initial Contact: < 1 business hour • Status Update: Every 2 business hours • Management Escalation : Immediate • Customer's End-User can access the AuditBoard service , however, one or more significant features are unava ilable , such as the ability to generate reports . • Initial Contact: < 3 bus iness hours • Status Update: Every business day until resolution • Management Escalation : 12 business hours • Other error that does not prevent the Customer's End-User from accessing a significant feature of the AuditBoard service (for example , an incorrect notification). • Initial Contact: < 48 business hours Status Update : Available by Email Request • Management Escalation : A Customer business stakeholder (i.e ., not a Customer administrator) may escalate a P3 incident to the AuditBoard Customer Success Director with a written statement of business impact relating to the P3 inc ident. • Aud itBoard may agree to shorten the resolution time for the Defect following an assessment of risk and business impact. v . 02 /18/2020 2 DocuSign Envelope ID : 95952A66-C886-4AE0-BC 17-EE17 AED67795 0 AUDITBOARD Appendi x B OPSAUDIT SERVICE SPECIFIC LICENSING TERMS Additional Definitions: "Audit" means a project created by a Customer within the Service's OpsAudit module during a given Year consisti ng of one or more work steps . "Core User" means any User other than a Stakeholder. "Stakeho lde r" means : OpsAud it -A Stakeholder is a limited user that ca n respond to WorkStream requests (such as for evidence requests), view and remediate issues and access audit final reports . "Risk Page" means having the ability to document risk info rm ation on a single Risk page within the Service. "Workflow" means a unit of automation that wil l pu ll evidence from a third-party integration or run customer-defined automation . "Integratio n" means a n externa l system or app licati on to w hich Audi!Board co nn ects . V. 1.16.23 © 2023 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17 -EE 17 AED67795 0 AUDITBOARD Appendix C IMPLEMENTATION SERVICES AuditBoard's Customer Advisory Services team ("CAS") will help Customer implement (the "Implementati on Services") the Core Module(s) included on the releva nt Order refe ren ci ng these term s (the "Product" and any individual Core Module within th e relevant Order a "Product") as set forth be low. "Core Module" as used herein includes AuditBoard 's SOX HUB , OpsAudit , RiskOversight , CrossComply , ITR M, Third-Party Risk Management (T PRM ) and ESG modules. Certai n responsibi li t ies with respect to the Implementation Services may vary based on whether the Customer has purchased QuickStart or Standard Implementation Services. Please refer to Appendix A for detailed in formation . The Implementation Services will be performed for the flat fee(s) listed in the associated Ord er and are invoiced one-time , upon execution of the Order. Implementation Services typically do not require AuditBoard to trave l, howeve r, if Custom er requests that AuditBoard trave l, such trave l, and any related expenses will be mutually agreed by the Customer and AuditBoard and then billed separate ly. The Service and all Im plementation work are provide d in U .S. Engl is h. A. Implementation Services and Timeline 1. CAS will imp lement the services specifie d in Appendix A in accordance with AuditBoard 's standard process , described be low in Table 1. 2 . The Implementatio n Services only include, and AuditBoard wi ll only perform the services exp licitly li sted herein. Any additiona l services (includi ng but not limi ted to additional data loads , train ing , custom reports or changes to the configuration afte r the Go-Live Date) wi ll be subject to AuditBoard's sta nd ard Change Order process and may result in a corresponding additi ona l cost to Customer and /or delays to the schedule . 3. Aud itBoard wi ll impl ement up to the numb er of "pricing units" includ ing , but not limited to , "controls ," or "users," or other governi ng amounts included in the Customer's Annual Subscription Fees as of the Effective Date of the Agreement. 4. Implementation Services will occur in one contiguous project timeline. Failure by Customer to perfo rm any of its responsibilities listed herein , modifications to AuditBoard's responsibilities li sted, or delays or phased implementation that requ ir e design sessions or data loads, may result in delays to the pro j ect timeline , addit ional fees , and/o r requi re a sepa rate statement of work. 5 . Commencing on the Effective Date of the Order authorizing the Im pleme ntation Services, Im plem entation Services will expire in accorda nce with the appl ica ble Service Term set forth in Appendix A (the "Expiration Date"). Im plementation Servi ces provided after the Expiratio n Date will be provided under a separate statement of work. 6. Any breach or term in ation of the Imp lementation Services shall not be co ns idered a materia l br each or termination under the Subscription Agreement . Further, the parties agree that the aggregate Limitation of Liability for Implementation Services shall be tied to the fees pa id or payable for the Im plementa tion Services in the last 12 months and not the Servi ce under the Ord e r. v.2 .3 .20 23 ©2023 DocuSign Envelo pe ID : 95952A66-C886-4AE0-8C 17-EE17 AED67795 0 AUDITBOARD Table 1 Phase Estimated AudltBoard Responsibilities Tlmeframe* Initiation 1 -2 weeks • Create Customer's site in the production environment to include AuditBoard's li censed features as of the Effecti ve Date of the Agreement • Provide access to Customer's Aud it Board site for secure fi le transfer and training resources • Conduct plann ing and kick-off meetings w ith Customer • Provide an overview of the imp lementation process • Provide estimated project timeline and key milestone dates Discover:r: 1 -2 weeks • Gain an understanding of custome r data stru ct ure and configuration req uirements Customer Responsibilities • • • • • • • • • • De s ignate a primary contact to se rve as AuditBoard 's main point of contact for the Impl ementation Services Customer s hall ensure that the primary contact is respo ns ib le for the overal l project includi ng Custome r Responsibilities listed here Identify and include internal resources required for implementation Complete AuditBoard Academy online training Confirm estimated project timeline and key milestone dates Extract data needed for implementation from systems cu rrently use d , if applicable Complete AuditBoard templates with data and configuration expected for soft laun ch , if applicable Upload the data needed fo r implementation onto the secu re site provided by CAS by agreed upon due date. Documentation or data should not be provided to AuditBoard by any other means Provide an overview of the company, team structu re. key objectives, processes, and workflows Provide a detailed walkthrough of the data provided and exp lain requirements v .2 .3.2023 ©2023 2 DocuSign Envelope ID: 95952A66-C886-4AE0-8C 17-EE17 AED67795 0 AUDITBOARD De si gn 2 - 4 weeks • Create design examples in the production site with the data provided by Custome r • Present default perm issions options and gather customer's permissions requirements • Conduct up to two (2) design sessions to present the AuditBoard site to customers and gather feedback . Additional design sessions may be scheduled if mutually ag reed. Additiona l design sessions may impact the project schedu le and project completion date • Make mutually agreed configuration changes based on Custome r's feedback • After Customer's feedback is inco rporated , conduct up to one (1) design confirmation session to present the design examples, if applicable Con fi g ure 2 weeks • Migrate Customer's data onto Customer's production site based on the agreed upon design and configuration requirements • C reate user accounts based on agreed upon roles and permissions requirements • If requested by the customer, production site data wi ll be copied to a sandbox site for testing purposes . Th is sandbox site is available unti l project co mpletion , unless Customer has purchased a permanent sandbox environment • • Participate in design sessions and provide feedback within reasonab le turnaround time (max five [5 ] business days) Approve site design prior to Data Load and Configuration phase v.2.3.2023 ©2023 3 DocuSign Envelope ID: 95952A66-C886-4AE0-8C17-EE17AED67795 0 AUDITBOARD T est 2 - 4 weeks • Activate se lected use r accou nts • Communicate a summary of the implementation activities and any outstand ing items • Conduct site review and training with Custome r • Site review and training sessions can be re co rded by CAS and made available to Customer for future use • Su pport Customer's reasonab le review of the Product configuratio n to confirm AuditBoard's comp letion of the responsibilities listed • Make mutually agreed co nfiguration changes identified during Customer's review Launch 1 -2 days • Introduce AuditBoard Suppo rt and Custome r Engagement to Customer. Support and Customer Engagement wi ll be respons ible for addressing subsequent questions, requests, and /or issues from Customer after completion of Imp lementation Services Post None lm1;1l e m ent ation *Estimated time frames are subject to change due to the complexity of the project. • Customer to review resources on AuditBoard Academy and Help Center prior to site review and training • Ensure necessary resou rces attend the site review and training • Customer to conduct testing of site and report issues and provide feedback within reasonable turnaround lime (max five (5) business days) • Provide forma l confi rmation that AuditBoard has completed all of its tasks and responsibi lities as set forth here in and Implementation Services are complete • • • • • • Configure and maintain user accounts and permissions Adjusts modu le settings Rev iew re lease notes for new features Create and mainta in data Launc h projects, as applicab le Defines and measures ongo ing success and optimizes AuditBoard usage v .2.3 .2023 ©2023 4 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE 17 AED67795 0 AUDITBOARD B. Data 1. Data will be loaded into the production site only. 2. During implementation, Customer is responsible for tracking changes to data provided for implementation . 3. A ll data provided to AuditBoard for use in the Product must be structured data which is suitab le for mass uploading and does not require aggregation or manipulation by AuditBo ard. Fo r examp le : Data from ind ividu al test sheets will not be migrated to Controls on an individual basis by Aud itBoard. 4. Customer is respon sibl e for comp leteness and acc uracy of all data provided . After the Data Load and Configuration , Customer is responsib le for load ing additional data and performing data updates using AuditBoard's inherent features for perfo rming these tasks . C. Communication 1. The Implementatio n Services wi ll be faci litated virtua lly via web conference, electronic commun ications , and collaboration softwa re and wi ll not be performed within Customer's office locations. 2 . All services and communications delivered by AuditBoard wi ll be in English . 3. AuditBoard's standard work week co ns ists of Monday to Friday 8:30 AM to 5 :00 PM (Pacific Time), excluding company ho lid ays. D. Terms Specific to Modules 1. For SOXHUB , CrossComply a nd ITRM modules : Aud itBoard will not recreate or reformat content such as narratives , flowchart d ia grams , policies , or other documentation for Customer. 2. For SOXHUB, CrossComp ly and ITRM modules: AuditBoard will not be linking narratives or policies unless services are specifically purchased . AuditBoard and Customer to mutually agree upon the number of documents to be linked . 3 . For CrossComply and ITRM modu les : App li cable Unified Co m plia nce Framework ® content w ill be made available to Customer pursuant to the Ord e r. E. Disclaimers 1. AuditBoard is not engaged in rendering auditing , accounting , legal , or other professiona l or expert advice . If requested by Customer, CAS may be ab le to provide recommendations based on software configu ration settings observed by AuditBoard , but all decisions about adopting such recommendat ions are at the so le discretion of the Customer. 2 . AuditBoard will not undertake or perform , a nd Customer will not request that AuditBoard undertake or perform , any obligations of Customer, whether regulatory or contractual , assume any responsibility for the management of the Customer's comp liance, inte rnal audit, or Sarbanes-O xley functions, form part of the Cu stomer's internal co ntro l structure re lating to the preparation of regulatory co mpliance or financial reporting or act, or be requested to act by Customer, in such a way as to create an impression that AuditBoard is a member of Customer's management or an employee of the Customer. 3 . AuditBoard will not provide any third-party copyrighted contents , which includes , but is not limited to: risk assessment frameworks , audit programs , and co nt ro l frameworks . If necessary, Customer is expected to procure the rights to s uch contents and prov ide them to AuditBoard . F. Change Process 1. Changes to the co nfig uration , role-based access se t up, and mass data uploads requested after the Data Load and Configuration may requ ire a Change Order and may impact imp lementation timeline. 2 . Any delays in Customer responsibilities , feedback , or review of the Product co nfiguration may cause a delay to th e overall timeline a nd may require a Chang e Order. 3 . In the event of any change that impacts scope, schedule , or cost of the Implementation Services , upon becom ing aware of such change , AuditBoard shall notify Customer and work with Custom er to o btain a Change Order prior to implementation of any adjustments to scope, sched ul e , or costs of the Im plementation . If a change is requested by Customer, the Primary Contact will notify the AuditBoard of the requested change. AuditBoard will , within five (5) busines s days after receipt of th e change request, provide Customer, by completing and submitting to Customer for rev iew and approval the form of Change Ord er, with a cost estimate and time lin e impact, if any , for the requested change. If the proposed Change Orde r is approved by Customer, upon executio n by each party's authorized signatory , it sha ll become a Change Order under the Agreement v.2 .3.2023 © 2023 5 DocuSign Envelope ID: 95952A66-C886-4AE0-8C 17-EE 17 AED67795 0 AUDITBOARD and the SOW shall continue as amended by such Change Order. AuditBoard will implement the applicab le change in accordance with the Change Order , provided that AuditBoard's implementation of the change shall not delay the performance of Services or delivery of a task not reasonab ly affected by such change. Wo rk performed by AuditBoard to prepa re , ana lyze, or respond to a change request shall not be chargeable to Customer under this SOW or otherwise under the Agreement. v.2 .3.2023 ©2023 6 DocuSign Envelope ID: 95952A66-C886-4AE0-BC 17-EE17 AED67795 0 AUDITBOARD Appendix A SOXHUB Only Essential and Professional clients can purchase QuickStart service. Project Team Product focused proj ect lead Produ ct focused technical lead Design & Configuration Site design and recommendations Control data upl oad Upload narratives/flowcharts Link narratives/flowcharts Configuration of permissions WorkStream survey configu ration AuditBoard temp late(s) Training Audi!Board Academy Site review sess ion Virtual instructor-led training Technical SSO setup User Acceptance Testing Support # of weeks of support Service Term Expiration fr om Effective Date ✓ ✓ Not Applicable ✓ ✓ 2 weeks 3 months ✓ ✓ ✓ ✓ ✓ Enterprise Subscriptions Only* ✓ ✓ Mandatory ✓ ✓ Enterprise Subscriptions Only** ✓ 4 weeks 6 months *Narrative link ing is included with the Enterprise subscriptio n package . Other packages can purchase narrative linking as an additio nal service . **Enterprise subscription package only: Four (4) hours of virtual instru ctor-l ed traini ng included. v.2.3.2023 © 2023 7 DocuSign Envelo pe ID : 95952A66-C886-4A E0-8C 17-EE 17 A ED67795 0 AUDITBOARD OpsAudit Only Essential and Professional clients can purchase QuickStart service. Project Team Produ ct focused project lead Product focused technical lead Design & Configuration Site design and recommendations Audit program upload Risk assessment temp late configuration Configuratio n of permiss ion s WorkStream survey configuration AuditBoard template(s) Training AuditBoard Academy Site re v iew session Virtua l instru ctor-l ed training Technical SSO setup User Acceptance Testing Support # of weeks of support Service Term Expi ratio n from Effe ctive Date ✓ ✓ Not Applicable ✓ ✓ 2 weeks 3 m o nth s ✓ ✓ ✓ ✓ 5 templates ✓ ✓ Mandatory ✓ ✓ Enterprise Subscriptions Only** ✓ 4weeks 6 months **Ente rprise s ub script ion package only: Four (4) hours of virtual instructor-led training in c luded . v.2.3.2023 © 2023 8 Do cuSig n Envelo pe ID : 95952A66-C886-4AE0-8C 17-EE 17AED6 7795 0 AUDITBOARD RiskOversight Only Essential and Professional clients can purchase QuickStart service. Project Team Product focused project lead Product focused technical lead Design & Configuration Site design and recommendations Risk data upl oad Risk assessment template configuration His to ric al risk sco re upload Configuration of pe rm issions WorkStream survey configuration AuditBoard template(s) Training AuditBoard Academy Site review sessio n Virtua l in structor-l ed tra ining Technical SSO setup User Acceptance Testing Support # of weeks of support Service Term Expirat ion from Effective Da te ✓ ✓ 3 years Not Applicable ✓ ✓ 2 weeks 3 months ✓ ✓ ✓ ✓ 5 templates 3 years ✓ ✓ Mandatory ✓ ✓ Enterprise Subscription s Only** ✓ 4 weeks 6 mont hs **En terp rise subscription package only: 4 hours of virtua l instructor-led training included . v.2.3 .2023 ©2023 9 Do c uS ign Envelope ID : 95952A66-C886-4AE0 -8C 17-EE17 AED 67795 0 AUDITBOARD CrossComply Project team Pro du ct focused proj ect lea d Product focused techn ica l lead Design & Configuration Site design and recomme nda tions Comp liance data up load U pload po li cies Lin k po licies Configuratio n of perm issions WorkStream survey configuration A ud i!B oard temp late(s) Training Audi!Board Academy Site re v iew sessio n Virtual instructo r-l ed training Technical SSO setu p User Acceptance Testing Support # of weeks of support Service Term Expiratio n from Effective Date ✓ ✓ ✓ ✓ ✓ Enterprise Subscriptions On ly* ✓ ✓ Ma ndato ry ✓ ✓ Enterprise Subscriptions O nl y** ✓ 4 weeks 6 mo nths *Pol icy linking is included with the En terprise subscriptio n package . Othe r packages can pu rchase policy link i ng as a n additiona l service o r can be cli ent se lf-serviced . **En te rprise subscri ption package on ly : Four (4 ) hours of virtua l in structor-l ed training included. v.2.3.2023 ©2023 10 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17A ED6 7795 0 AUDITBOARD ITRM Project team Product focused project lead Product focused tech ni ca l lead Design & Configuration Site design and re commendations Risk data upload Risk assessment template configuration Histori ca l ri sk sco re upload Compliance data upl oa d Upload policies Link policies · Configuration of permissions WorkStream survey co nfigurat ion A uditB oard template(s) Training AuditBoard Academy Site review session Virtual instructo r-led training Technical SSO setup User Acceptance Testing Support # of weeks of s upport Service Term Expiration from Effective Date ✓ ✓ ✓ ✓ 5 te mplates 3 yea rs ✓ ✓ En terp ri se Subsc ript ions Onl y* ✓ ✓ Mandatory ✓ ✓ En te rprise Subscriptions Only** ✓ 4 weeks 6 months *Policy linking is included with the En te rpri se subscription package. Other packages can purchase poli cy lin ki ng as an additional service or can be clie nt self-serviced. **En terprise subscription package only : Four (4) hours of v irtu al instructor-led training included . Additional training hours available for additional fee , subject to avai labi lity. v .2 .3.2023 ©2023 11 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17AED67795 0 AUDITBOARD TPRM Project Team Product focused project lead Product focused technical lead Design & Configuration Site design and recommendations Vendor data upload TPRM questionnaire template configuration Configurat ion of permissions AuditBoard temp late(s) Training AuditBoard Academy Site review sessio n User Acceptance Testing Support # of weeks of support Service Term Expiration from Effective Date ✓ ✓ ✓ ✓ 2 temp lates ✓ Mandatory ✓ ✓ 4 weeks 6 months v.2 .3.2023 ©2023 12 DocuSign Env elope ID : 95952A66-C 886-4AE0-BC17-EE 17AED67795 0 AUDITBOARD Project Team Product focused project lead Prod uct focused techn ica l lead Design & Configuration Site des ig n a nd recom me nd ations T opic data up load M etric data up load Framework data u plo ad Ri sk assessment te m p late configuratio n Hi storica l ma teriality risk assessment load Wo rkStrea m survey co nfigu ration Configuration of perm issions A udi tB oard temp late(s) Tra i ning Audi tB oard Academy S ite review session Technical SSO setup User Acceptance Testing Support # of weeks of support Service Term Exp irat ion from Effecti ve Date ✓ ✓ ✓ ✓ ✓ ✓ 3 temp lates 1 yea r ✓ ✓ Ma ndatory ✓ ✓ ✓ 4 weeks 6 months v .2.3.2023 © 2023 13 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE 17 AED67795 Appendix D ADDENDUM TO SUBSCRIPTION AGREEMENT BETWEEN THE CITY OF FORT WORTH AND AUDITBOARD, INC. This Addendum to the Subscription Agreement ("Addendum ") is entered into by and between AuditBoard , Inc. ("Vendor") and the City of Fort Worth ("City"), collectively the "parties." The Contract Documents shall include the following: l. The AuditBoard Order Form # Q-03041 (and any subsequent order form); 2. The AuditBoard Service Level Agreement; 3. The AuditBoard Data Processing Addendum ; 4. The AuditBoard Subscription Agreement; 5. The Auditboard Security Policy ; and 6. This Addendum . Notwithstanding any language to the contrary in the attached Contract Documents (collectively referred to herein as the "Agreement"), the parties stipulate by evidence of execution of this Addendum below by a representative of each party duly authorized to bind the parties hereto , that the parties hereby agree that the provisions in this Addendum below shall be applicable to the Agreement. If any provisions of the attached Contract Documents conflict with the terms herein , are prohibited by applicable law, or conflict with any applicable rule , regulation or ordinance of City, the terms in this Addendum shall control. The parties agree as follows: I. Term. The Agreement shall commence upon the date signed by the Assistant City Manager below ("Effective Date ") and shall expire in accordance with the Subscription End date in an active Order Form ("Expiration Date"), unless terminated earlier in accordance with the provisions of this Agreement or otherwise extended by the parties. This Agreement will automatically renew annually for four one-year renewal periods , each a "Renewal Term." The City shall provide Vendor with written notice of its intent to renew at least thirty (30) days prior to the end of each term. In accordance with section 2(a) below , the City agrees it will not execute any agreement or Renewal Term unless and until it has appropriated sufficient funds to cover the entire agreement Term or Renewal Term. 2. Termination. a. Fiscal Funding Out. Subject to section 1, above , in the event no funds or insufficient funds are appropriated by City in any fiscal period for any payments due hereunder, City wi 11 notify Vendor of such occurrence, and the Agreement shal I terminate on the last day of the fiscal period for which appropriations were received without penalty or expense to the City of any kind whatsoever, except as to the portions of the payments herein agreed upon for which funds have been appropriated . Addendum Page 1 of6 DocuSign Envelope ID : 95952A66-C886-4AED-8C17-EE17AED67795 b. Duties and Obligations of the Partie s. In the event that the Agreement is terminated prior to the Expiration Date or the expiration of any applicable Renewal Term, City shall pay Vendor for services in accordance with Section 10.2 of the Subscription Agreement. Upon termination of the Agreement for any reason , the City shall have the retrieval rights outlined in Section 10.3 of the Subscription Agreement (Retrieval of Customer Data). In the event Vendor has received access to City information or data as a requirement to perform services hereunder, Vendor shall destroy all Customer Data in its possession. 3. Attorneys' Fees, Penalties, and Liquidated Damages. To the extent the Agreement requires City to pay attorneys' fees for any action contemplated or taken , or penalties or liquidated damages in any amount City objects to these terms, and any such terms are hereby deleted from the Agreement and shall have no force or effect. 4. Law and Venue. The Agreement and the rights and obligations of the parties hereto shall be governed by , and construed in accordance with the laws of the United States and state of Texas, exclusive of conflicts of laws provisions. Venue for any suit brought under the Agreement shall be in a court of competent jurisdiction in Tarrant County, Texas. To the extent the Agreement is required to be governed by any state law other than Texas or venue in Tarrant County, City objects to such terms and any such terms are hereby deleted from the Agreement and shall have no force or effect. 5. Linked Terms and Conditions. If the Agreement contains a website link to terms and conditions, the linked terms and conditions located at that website link as of the effective date of the Agreement shall be the linked terms and conditions referred to in the Agreement. To the extent that the linked terms and conditions conflict with any provision of either this Addendum or the Subscription Agreement, the provisions contained within this Addendum and the Subscription Agreement shall control. Except in relation to updates or changes made to the Subscription Agreement (which updates or changes will not apply if made after the Effective Date) if any changes are made to the linked terms and conditions after the date of the Agreement, such changes will not materially diminish the functionality and/or performance of the Service. Further, if Vendor cannot clearly and sufficiently demonstrate the exact terms and conditions as of the Effective Date of the Agreement, all of the linked terms and conditions are hereby deleted and void. 6. Limited Waiver of Sovereign Immunity. The City hereby agrees to waive claims of sovereign immunity from suit as to any dispute arising out of or relating to this Agreement solely related: (1) to the City's payment obligations; (2) the City's obligations under Section 2 of the Subscription Agreement (Customer Obligations); (3) either party 's rights under Section 3.1 of the Subscription Agreement (Ownership); and (4) confidentiality obligations under Section 5. Accordingly, the City agrees that AuditBoard shall be free to commence and prosecute any and all actions for declaratory , injunctive , or monetary relief that AuditBoard would be able to bring if the City was an entity that did not enjoy sovereign immunity, and to enforce, execute upon , and obtain satisfaction of any resulting judgment through any remedy that AuditBoard would be able to invoke if the City was an entity that did not enjoy sovereign immunity (including but not limited to the remedies of replevin and attachment). By this provi s ion , the City does not waive, limit, or modify its sovereign immunity against contested suit except as specifically provided herein . Addendum Page 2 of6 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17 AED67795 Limitation of Liability and Indemnity. To the extent the Agreement, in any way , requires City to indemnify or hold Vendor or any third party harmless from damages of any kind or character, such terms are hereby amended to include the following conditions. Any such indemnity obligation is limited to the extent not prohibited by law. And , in no event will any such obligation require the C it y to establ ish a sink in g fund. 7. Insurance. Vendor agrees that insurance coverage provided to City by Vendor is sufficient for purposes of the Agreement only. 8. No Debt. In compliance with Article 11 § 5 of the Texas Constitution , it is understood and agreed that al I obi igations of City hereunder are subject to the availability of funds. If such funds are not appropriated or become unavailable , subject to Section 1 above , City shall have the right to terminate the Agreement except for those portions of funds which have been appropriated prior to termination . 9. Public Information. City is a government entity under the laws of the State of Texas and all documents held or maintained by City are subject to disclosure under the Texas Public Information Act. To the extent the Agreement requires that City maintain records in v iol ation of the Act, City hereby objects to such provisions and such provisions are hereby deleted from the Agreement and sha ll have no force or effect. In the event there is a request for information marked Confident ial or Proprietary , City shall promptly notify Vendor. It will be the responsibility of Vendor to submit reasons objecting to disclosure. A determination on whether such reasons are sufficient will not be decided by City , but by the Office of the Attorney General of the State of Texas or by a court of competent jurisdiction . For clarification , Vendor views all agreements , drafts of agreements , services, systems , and any information shared or otherwise disclosed by Vendor to the City , regardless of its form , to constitute trade secrets and not subject to public disclosure. 10. Immigration Nationality Act. Vendor shall verify the identity and employment e li gibility of its employees who perform work under the Agreement, including completing the Employment Eligibility Verification Form (I-9). Upon request by City , Vendor sha ll provide City with copies of all 1-9 forms and supporting eligibility documentation for each employee who performs work under the Agreement. Vendor shall adhere to all Federal and State laws as well as estab li sh appropriate procedures and controls so that no services will be performed by any Vendor employee who is not legally eligible to perform such services. City , upon written notice to Vendor, shall have the right to immediately terminate the Agreement for violations of this provision by Vendor. 11. No Boycott oflsrael. If Vendor has fewer than 10 employees or the Agreement is for less than $100 ,000 , this section does not apply. Vendor acknowledges that in accordance with Chapter 2270 of the Texas Government Code , City is prohibited from entering into a contract with a company for goods or services unless the contract contains a written verification from the company that it: (l) does not boycott Israel ; and (2) will not boycott Israel during the term of the contract. The terms "boycott Israel " and "company" shall have the meanings ascribed to those Addendum Page 3 of6 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17 AED67795 terms in Section 808.001 of the Texas Government Code. By s igning this A ddendum , Vendor certifies that Vendor 's signature provides written verification to City that Vendor : (1) does not boycott Israel; and (2) will not boy cott Israel during th e term of th e A gree ment. 12. Right to Audit. Vendor agrees that City shall , until the expiration of three (3) years after final payment under the Agreement, have access to and the right to examine Vendor 's ISO27k, SOC 2 or HIP AA reports , for audit purposes , as they relate to the Services provided to the City . 13. Prohibition on Boycotting Energy Companies . Vendor acknowledges that in accordance with Chapter 2274 of the Texas Government Code, as added by Acts 2021 , 87th Leg., R.S., S.B. 13 , § 2, the City is prohibited from entering into a contract for goods or services that has a value of $100,000 or more that is to be paid wholly or partly from public funds of the City with a company with 10 or more full-time employees unless the contract contains a written verification from the company that it: (1) does not boycott energy companies ; and (2) will not boycott energy companies during the term of the contract. The terms "boycott energy company" and "company" have the meaning ascribed to those terms by Chapter 2274 of the Texas Government Code, as added by Acts 2021 , 87th Leg., R.S., S.B. 13 , § 2 . To the extent that Chapter 2274 of the Government Code is applicable to this Agreement, by signing this Agreement, Vendor certifies that Contractor's signature provides written verification to the City that Contractor: (1) does not boycott energy companies; and (2) will not boycott energy companies during the term of this Agreement. 14. Prohibition on Discrimination Against Firearm and Ammunition Industries. Vendor acknowledges that except as otherwise provided by Chapter 2274 of the Texas Government Code, as added by Acts 2021, 87th Leg., R.S ., S .B. 19 , § 1, the City is prohibited from entering into a contract for goods or services that has a value of $100 ,000 or more that is to be paid wholly or partly from public funds of the City with a company with 10 or more full-time employees unless the contract contains a written verification from the company that it: (1) does not have a practice , policy , guidance , or directive that discriminates against a firearm entity or firearm trade association ; and (2) will not discriminate during the term of the contract against a firearm entity or firearm trade association. The terms "discriminate ," "firearm entity" and "firearm trade association " have the meaning ascribed to those terms by Chapter 2274 of the Texas Government Code, as added by Acts 2021 , 87th Leg ., R .S., S.B. 19 , § 1. To the extent that Chapter 2274 of the Government Code is applicable to this Agreement, by signing this Agreement, Vendor certifies that Contractor 's signature provides written verification to the City that Contractor: (1) does not have a practice , policy , guidance , or directive that discriminates against a firearm entity or firearm trade association ; and (2) will not discriminate against a firearm entity or firearm trade association during the term of this Agreement. 23 . Publicity. If Vendor wishes to use the City 's name or logo in Vendor 's marketing materials or on its website , it must obtain separate , written , authorization from the City 's Communications and Public Engagement Office. To the extent the Contract Documents authorize the Vendor to use the City 's name or logo without such authorization , said provisions are hereby deleted from the Agreement and shal l have no force or effect Addendum Pag e 4 of6 DocuSign Envelope ID : 95952A66-C886-4AE0-8C 17-EE17 AED67795 (signature page follows) Addendum Page 5 of6 DocuSign Envelope ID: 95952A66-C886-4AE0-8C17-EE17AED67795 [Executed effective as of the date signed by the Assistant City Manager below.]/ [ACCEPTED AND AGREED:] City: By:~~~[_ Name: fi~Ninda LJJst:A.. Title: Asstst!fflt City Manager A-$,~+u,r Date: 3/z'7/2()23 Vendor: 11 DocuSlgned by: By: ~~~~~1c Name: --------T tile: SVP, Finance and operations Date: 3/21/2023 CITY OF FORT WORTH INTERNAL ROUTING PROCESS: Approval Recommended: By: ¢WlkWdrf'M: d1Y1d I m«lfll'IO iMar 22, 2023 14:05 con Name: David A. Medrano -----------Title: City Auditor Approved as to Form and Legality: By: Name: Taylor Paris Title: Assistant City Attorney Contract Authorization: M&C: Addendum Contract Compliance Manager: By signing I acknowledge that I am the person responsible for the monitoring and administration of this contract, including ensuring all performance and reporting requirements . 44e,f 1J·L... By: Thomas E. Wilson (Mar 22 , 202312:00 CDT) Name: Thomas E. Wilson Title: II A11ditar / Interim A11dit Manager City Secretary: By: Name: Title: OFFICIAL RECORD CITY SECRETARY Page6of6 DocuSign· Certificate Of Completion En velope Id: 95952A66C8864AE08C17EE17AED67795 Status: Completed Subject: Complete with DocuSign: City of Fort Worth_AuditBoard_Order Form with Apendices_2023 .03 .21 -ex ... Source Envelope : Documen t Pages: 41 Certificate Pages : 5 AutoNav: Enabled En ve lop e ld Stamping: En ab led Signatu res : 3 Initials : O Tim e Zone: (UTC-08:00) Pacific Time (US & Canada) Record Tracking Status: Original 3/21/2023 12 :35 :1 4 PM Signer Events Tina Yeh tyeh@auditboard .com SVP , Fin ance and Operations AuditBoard, In c . Security Level : Email , Account Authentication (No ne ) Electronic Record and Signature Disclosure: Accepted: 9/18/2020 8:29:33 AM ID : f149eb11-f7a1-4ec7-b0df-0146f8f8b45a In Person Signer Events Editor Delivery Events Agent Delivery Events Intermediary Delivery Events Certified Delivery Events Carbon Copy Events Legal Team legal @auditboard .com Commercial Counsel Se curity Leve l: Email , Account Authent ication (None) Electronic Record and Signature Disclosure : Accepted: 9/23/2020 6 :29 :28 PM ID: e054cb61-ff46-425e-b0ba-c301358cc0f5 Shana Norris snorris@auditboard .com Security Level: Email , Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign Witness Events Notary Events Ho ld er : Christiane Disparte cdisparte@auditboard .com Signature r:Doc•llgnodloy: ~..Y.~,c Signature Adoption : Pre-se lected Style Using IP Address : 76 .82 .160 .39 Signed using mobile Signature Status Status Status Status Status COPIED COPIED Signature Signature Envelope Originator: Christiane Disparte 12900 Park Plaza Drive ste 200 Ce rr itos , CA 90703 cdisparte@auditboard.com IP Address: 73 .181 .167 .132 Location : DocuSign Timestamp Sent: 3/21/2023 1 :11 :44 PM Viewed : 3/21 /2023 9 :19:17 PM Signed: 3/21/2023 9:19 :31 PM Timestamp Timestamp Timestamp Timestamp Timestamp Timestamp Sent: 3/21/2023 1 : 11 :43 PM Sent: 3/21 /2023 1 :11 :43 PM Viewed : 3/21 /20231 :12:07 PM Timestamp Timestamp Envelope Summary Events Envelope Sent Certified Delivered Signing Complete Completed Payment Events Status Hashed/Encrypted Secu rity Checked Security Checked Security Checked Status Electronic Record and Signature Disclosure Timestamps 3/21/2023 1 :11 :44 PM 3/21 /2023 9:19 :17 PM 3/21 /2023 9:19:31 PM 3/21 /2023 9:19 :31 PM Timestamps Clt:!(.;lfUfll(.; ri.~(.;UIU dllU VIYI li:tlUlt' Ul:::>l..lU:::>Utt' l.,ICCJlCU UI I, ILJVUILU 1.:-J IL.L.U.-.JV 1 1v 1 Parties agreed to : Tina Yeh , Legal Team ELECTRONIC RECORD AND SIGNATURE DISCLOSURE From time to time, AuditBoard ,Inc. (we, us or Company) may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please confirm your agreement by selecting the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE ' within the DocuSign system. Getting paper copies At any time , you may request from us a paper copy of any record provided or made available electronically to you by us . You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time (usually 30 days) after such documents are first sent to you. After such time , if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a $0.00 per-page fee. You may request delivery of such paper copies from us by following the procedure described below . Withdrawing your consent If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosure in paper format and withdraw your consent to receive notices and disclosures electronically is described below. Consequences of changing your mind If you elect to receive required notices and disclosures only in paper format , it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait unti I we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. Further, you will no longer be able to use the DocuSign system to receive required notices and consents electronically from us or to sign electronically documents from us. All notices and disclosures will be sent to you electronically Unless you tell us otherwise in accordance with the procedures described herein , we will provide electronically to you through the DocuSign system all required notices , disclosures , authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us . Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process , please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us. How to contact AuditBoard,lnc.: You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us , and to withdraw your prior consent to receive notices and disclosures electronically as follows: To contact us by email send messages to: slachini @ auditboard.com To advise AuditBoard,Inc. of your new email address To let us know of a change in your email address where we should send notices and disclosures electronically to you , you must send an email message to us at slachini @ auditboard.com and in the body of such request you must state: your previous email address , your new email address. We do not require any other information from you to change your email address. If you created a DocuSign account, you may update it with your new email address through your account preferences. To request paper copies from AuditBoard,Inc. To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an email to slachini @ auditboard.com and in the body of such request you must state your email address , full name , mailing address , and telephone number. We will bill you for any fees at that time, if any. To withdraw your consent with AuditBoard,Inc. To inform us that you no longer wish to receive future notices and disclosures in electronic format you may: i. decline to sign a document from within your signing session , and on the subsequent page , select the check-box indicating you wish to withdraw yo ur consent, or you may; ii. send us an email to s lachini @ auditboard.com and in the body of such request you must state your email , full name , mailin g address , and telephone number. We do not need any other information from you to withdraw consent.. The consequences of your withdrawing consent for online documents will be that transactions may take a lon ger time to process .. Required hardware and software The minimum syste m requirements for using the DocuSign system may change over time. The current system requirements are found here: https://support .docusign.com/guides/signer-guide - signing-system-requirements . Acknowledging your access and consent to receive and sign documents electronically To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosure s that we will provide to you , please confirm that you have read this ERSD , and (i) that you are a ble to print on paper or electronically save this ERSD for your future reference and access ; or (ii) that you are able to email this ERSD to an email address where you will be able to print on paper or save it for yo ur future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format as described herein , then select the check-box next to 'I agree to use electronic records and signatures ' before clicking 'CONTINUE' within the DocuSign system. By selecting the check-box next to 'I agree to use electronic records and signatures', you confirm that: • You can access and read this Electronic Record and Signature Disclosure; and • You can print on paper this E lectronic Record and Signature Di sc losure , or save or send this Electronic Record and Disclosure to a location where yo u can print it , for future reference and access; and • Until or unless you notify AuditBoard ,Inc . as described above , you consent to receive exclusively through electronic means all notices, disclo s ures , authorizations , acknowledgements , and other documents that are required to be provided or made available to yo u by AuditBoard ,Inc . during the course of your relationship with AuditBoard ,Inc ..