Terms and Conditions

These Terms and Conditions are agreed upon by Client and nSure.ai Payment Assurance Inc. (Supplier).

1. DEFINITIONS

The definitions and rules of interpretation in this Section apply in this Agreement.

1.1. Advisory Notice
Means the notice provided by Supplier to Client for each Submitted Transaction to approve or decline such transaction, or to inform Client that such Submitted Transaction was not reviewed by Supplier.

1.2. Affiliate
Means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity or otherwise the ability to direct the subject entity’s business or operations.

1.3. Approval Rate or Approved Transaction Level
Means the number of Approved Transactions divided by [the number of Submitted Transactions specifically excluding “Attempted Retries”].

1.4. Approved Transaction
Means a Submitted Transaction, approved by Supplier as advised to Client by an Advisory Notice.

1.5. Attempted Retries
Means all declined transactions within a 24-hour window following the first decline of a “Buyer” who, after being declined once, subsequently makes additional attempts to buy.

1.6. Authorized User
Means an individual employee, consultant, or agent of Client, who is authorized by Client to use the Service.

1.7. Bad Transaction
Means an Approved Transaction that turned out to generate an actual Eligible Chargeback definitely closed - meaning after representments have reached a final conclusion and the chargeback is no longer pending but has reached its final stage with an irreversible status indicating it is definitely lost for the Client.

1.8. Buyer
Is someone attempting a transaction, defined either through (i) a verified Identity (verified email, verified/registered account/identity provider, verified phone number) or (ii) a device-id and/or visitor-id in case of an anonymous or non-verified buyer. In both cases - either a verified or an anonymous buyer - every entity connected/related via Supplier’s relationships graph is considered the same buyer. Connected/related entities are linked based on usage of the same device-id or allocated the same visitor-id (using device fingerprinting) or using the same payment-method (via payment-method-token, estimated-payment-method, etc.).

1.9. Client Data
Means any and all data or information received from or made available by the Client or in the course of using the Services.

1.10. Client Storefront
Means the Client’s e-commerce platforms as defined in the applicable Order Form.

1.11. Confidential Information
Means non-public, proprietary, confidential and/or trade secret information, that is either clearly labeled as such or identified as Confidential Information or that a reasonable person should understand to be confidential given the nature of the information, which is disclosed by the disclosing Party in connection with this Agreement whether before, on, or after the Effective Date, directly or indirectly, to the receiving Party or any of its employees or designated agents. Confidential Information shall not include information that (i) is or becomes publicly known other than through any act or omission of the receiving Party; (ii) was in the other Party's lawful possession before the disclosure; (iii) is lawfully disclosed to the receiving Party by a third Party without restriction on disclosure known to the receiving party; or (iv) is independently developed by the receiving Party.

1.12. Content
Means any information (including contact information), data, audiovisual works, any score or rating regarding an individual or an actual or prospective transaction, any results or recommendations, or any other content made available through the Service or the Software.

1.13. Documentation
Shall mean materials, user guides, manuals, API documentation, and any documentation related to the Services or any parts thereof, which Supplier will provide Client in printed, electronic, or online form.

1.14. Eligible Chargeback
Means a chargeback which has been provided by the Client’s bank, credit card company, or card processor. Eligible Chargebacks shall include one of the reasons stated in Exhibit 1, as they may change from time to time. It is clarified that the reason codes are the codes specifically used by the credit card companies. Merchant banks and other payment processing counterparts may have corresponding reason codes which differ from the reason codes in Exhibit 1.

1.15. End User
Means an end user on the Client’s Storefront as defined in the applicable Order Form.

1.16. Intellectual Property Rights
Means patent rights, copyrights, trademark rights, moral rights, mask work rights, and any and all other intellectual property rights in inventions, improvements, designs, ideas, works of authorship, formulas, techniques, know-how, methods, processes, computer software programs, databases, and trade secrets, including derivative works of the foregoing, anywhere in the world; each of the above whether or not patentable, copyrightable, or protectable as trade secrets, and irrespective of whether it has been registered.

1.17. Order Form
Means the initial order form between the Parties attached as Schedule A of this Agreement, and/or any additional Order Form that may be entered into by the Parties from time to time and shall be attached hereto and incorporated as part of this Agreement by reference.

1.18. Services (or Service)
Means the recommendation to approve or decline a Submitted Transaction, screening of Transactions, prevention of Bad Transactions, and chargeback services performed by the Software, and/or any other services provided by the Supplier as may be further detailed in the applicable Order Form.

1.19. Software
Means the Supplier’s software applications and platforms made available to clients for the Services, as a subscription service via the internet, including Supplier’s SDK and API, as well as any changes, upgrades, bug fixes, and enhancements thereto.

1.20. Submitted Transaction
Means a Transaction submitted by Client to Supplier for review using the appropriate features of the Software.

1.21. Supplier’s IP
Means all worldwide Intellectual Property Rights in and to the Software, Services, Content, Supplier’s database, and any part thereof, and all software, technical innovations, modifications, enhancements, derivatives, versions, bug fixes, customizations, improvements, and updates thereto, whether registered or unregistered.

1.22. Third-Party Reimbursements
Means any amounts received, expected to be received, or sought by Client from any third party in connection with an Eligible Chargeback, including without limitation any payments resulting from insurance coverage maintained by Client, or arrangements for reimbursement or fraud protection offered by a payment processor or any third party.

1.23. Transaction
Means an order placed by the End User for the purchase of the goods or services mentioned in that order (i) taken in a “card-not-present” environment and (ii) made with a Valid Payment Method. For the avoidance of doubt, a Transaction does not include orders (i) taken in a point-of-sale terminal or in-person (card present) or (ii) made with payment methods that cannot generate chargebacks, including for instance but not limited to check, money orders, Bitcoin or other cryptocurrencies, carrier billing, cash/COD, and more.

1.24. Transaction Information
Means any and all Client Data or third-party platform’s data (if applicable) related to the applicable End User, including any actual or attempted Transactions and patterns on the applicable platform.

1.25. Valid Payment Method
Means a payment method that can generate a chargeback, including credit cards, debit cards, prepaid cards, PayPal, Apple Pay, Android Pay, Alipay, as well as additional methods accepted by Supplier as defined in Schedule A.

2. LICENSE

2.1. Grant of License
Subject to full compliance with this Agreement and any Order Form, Supplier grants Client a limited, non-exclusive, non-transferable, non-sublicensable, and revocable license to access, use, and permit its Authorized Users to access and use the Software, the Services, and the Content, during the applicable Term, solely for Client’s internal business purposes. Except as provided herein or in the applicable Order Form, Client shall have no other rights with respect to the Services, Software, Supplier’s IP, and Content, or any portion or derivative thereof.

2.2. Usage Restrictions
Client shall not:
(a) Transfer any of its rights to use the Services, Content, or Software;
(b) Sell, rent, lease, or share the Service, Content, or Software;
(c) Permit any person who is not an Authorized User to use or access the Service, Content, or Software;
(d) Attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software, Content, or Service (as applicable) in any form or media or by any means; or attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software or Service;
(e) Access all or any part of the Service, Content, or Software in order to build a product or service which competes with the Service or Software;
(f) Use the Service, Content, or Software to provide to third parties or permit third parties to access the Service or Software;
(g) Use the Service, Content, or Software other than for the permitted purpose and in accordance with this Agreement;
(h) Load or penetration test the Service or Software in any way that is, or could reasonably be expected to be, detrimental to Supplier’s ability to provide services to any other Client;
(i) Use the Service, Content, or Software, or provide data to Supplier, in a manner that violates any applicable law, ordinance, regulation, or administrative order and/or this Agreement and any applicable Order Form; or
(j) Permit any other person to do any of the foregoing.

3. SERVICES

3.1. Review of Submitted Transactions

3.1.1. Following the Onboarding Period (as defined below), for any Submitted Transaction, Supplier shall provide the Client with a notice that advises Client (the Advisory Notice): to accept such Submitted Transaction (Approved Transaction), to decline it, or to inform Client that such Submitted Transaction was not reviewed by Supplier.

3.1.2. Supplier shall not review a Submitted Transaction in, but not limited to, the following cases:
(i) The Submitted Transaction has already been fulfilled;
(ii) The data provided to the Supplier in relation to the Submitted Transaction does not meet Supplier’s integration standards;
(iii) Client fails to submit to Supplier all the data according to the Documentation (including Transaction Information of non-Submitted Transactions);
(iv) A change that can affect the risk profile was made in the Client environment without Supplier’s prior approval in writing, including but not limited to removal and/or modification of: risk rules, 3DS, GEOs, user profiles, products sold, user flow/lifecycle, verifications, KYC, a part of the traffic monitored (aka, less than 100%), etc.

3.2. Chargebacks Liability Services

3.2.1. Chargeback Notice
In the event that Client has elected Supplier’s Chargeback liability service, and an Approved Transaction turned out to generate an actual Eligible Chargeback (a “Bad Transaction”), then Client must notify Supplier of such Bad Transaction through the applicable feature on the Software within one (1) day from the date Client received notice of the applicable Eligible Chargeback (“Chargeback Notice”). Client will attach to the Chargeback Notice the requested details of the Transaction of an End User, the End User’s order amount (the “Order Amount”), and all other Transaction Information requested by Supplier.

3.2.2. Chargeback Payment
Subject to Client’s continued compliance with the terms of this Agreement, and applicable Order Form, including but not limited to this Section 3 and any payment obligations, Supplier shall reimburse Client an amount equal to the lesser of:
(x) The direct damages actually incurred by Client as a result of such Eligible Chargeback (including associated standard chargeback transaction/processing fees charged by the applicable financial institution); or
(y) The sum of the amount of the Bad Transactions plus any associated standard chargeback transaction/processing fees charged by the applicable financial institution; each of (x) and (y) less any Third-Party Reimbursements (the “Chargeback Payment”).

Supplier will reimburse Client in the form of a credit invoice issued within 70 days following notification by Client of a Chargeback definitely closed - meaning after representments have reached a final conclusion and the chargeback is no longer pending but has reached its final stage with an irreversible status indicating it is definitely lost for the Client. In the event that the Chargeback Payment exceeds the Service Fees to be paid by Client, Supplier shall accrue such excess amounts and deduct them from future invoices after the Service Fees exceed the Chargeback amount.

3.2.3. Conditions
Client represents and warrants that:
(i) The information about the applicable Submitted Transaction provided to Supplier per the terms of this Agreement is full and accurate as of the date on which the applicable Advisory Notice was provided (“Advisory Notice Date”);
(ii) Each Eligible Chargeback for which Client provides a Chargeback Notice was issued or incurred (whichever is earlier) after the applicable Advisory Notice Date;
(iii) Client has taken, and will take, all steps as required and/or requested by the applicable financial institution with respect to each Submitted Transaction for which Client submits a Chargeback Notice; and
(iv) Client has sent or delivered the item purchased by the End User in the Submitted Transaction, in every respect as required by the original order of the End User.

3.2.4. API and Feedback Data
In order to receive the Services, Client must and will provide Supplier with all Client Data according to the Documentation, successively during the Term.

Without derogating from any of the aforementioned, Client will provide Supplier - within twenty-four (24) hours of their knowledge of such data - with all data and information deemed reasonably necessary or beneficial for Supplier to analyze the Submitted Transaction or to otherwise improve Supplier’s services, including without limitation:
(i) Any information required by the Supplier to provide the Advisory Notice and any and all data required to ascertain the validity of each Submitted Transaction;
(ii) Chargeback reports;
(iii) TC40 and SAFE reports;
(iv) Detailed information on fraud alerts, dispute alerts, or any event that could impact the risk associated with each Submitted Transaction.
Client’s failure to provide the aforementioned information within 24 hours of Client’s knowledge will (i) nullify all of Supplier’s obligations and liabilities in Section 3.2.2 for the entire period during which such information is not provided by Client to Supplier; and (ii) generate an additional fee of $5,000 per occurrence to cover Supplier’s necessary recalibration of the Software.

3.2.5. Audit
Notwithstanding the above or any other provision of this Agreement, Supplier shall have the right at any time to audit the legitimacy of any Eligible Chargeback and request any documentation and/or other proof from Client that the applicable item object of the Eligible Chargeback was factually not delivered or provided. In the event that such documentation and/or proof is not provided, and/or if there is a higher rate than usual of Eligible Chargebacks due to “item not delivered” or “item not as described”, or similar reasons for Eligible Chargebacks, Supplier shall have the right to immediately terminate this Agreement, and Supplier shall not be obligated to provide any chargeback payment.

3.2.6. Representment
In the event Client or Supplier successfully disputes an Eligible Chargeback (in each case, the disputing party, the “Representing Party”) with respect to a Submitted Transaction for which Supplier has paid Client a Chargeback Payment, as indicated by notice of a voided chargeback from the financial institution that issued such Eligible Chargeback (“Chargeback Reversal”), then the Representing Party must notify the other Party by providing details regarding such Chargeback Reversal and the total amount refunded to Client related to such Chargeback Reversal (“Chargeback Reimbursement”) within 7 days from the date the Representing Party received notice. Supplier will increase the amount payable under each monthly invoice issued in accordance with the terms of this Agreement or the applicable Order Form to reflect Chargeback Reimbursements applicable to the period covered by the invoice. Failure to do so will nullify the Chargeback Reimbursement or other Third-Party Reimbursement, augmented by a penalty of 10% of the Chargeback Reimbursement or the Third-Party Reimbursement (as applicable) for each occurrence. In the event that the Supplier chooses to dispute an Eligible Chargeback, Client shall provide Supplier with any information and documentation necessary for the representment of such Eligible Chargeback.

3.3. Service Level Agreement (SLA)

3.3.1. Response time
Average of five hundred milliseconds (500ms) measured by Supplier on a twelve-month period following the Onboarding Period and reset at the beginning of each renewal of the Agreement.

3.3.2. Uptime
99.9% uptime calculated on a twelve-month basis and subject to the following:

i. The measurement of the total number of minutes that the Services were available shall be carried out by Supplier and is based on the average percentage availability, calculated at the end of a period of 12 months following the end of the Onboarding Period as the total actual uptime minutes divided by total possible uptime minutes in the year, excluding planned or scheduled downtime and suspensions.

ii. Supplier will use commercially reasonable efforts to:
(a) Schedule downtime for planned outages for service updates, fixes, improvements, upgrades, backups, and maintenance of the Services (together the “Maintenance Window”) outside of local business hours, and
(b) Give Client reasonable prior notice of all newly scheduled outages of the Services, outside of regular maintenance windows (all Supplier-planned downtime being referred to as “Scheduled Maintenance”).

iii. Supplier will not be responsible for any Service Level Failures which relate to:
(a) Any actions or omissions of Client or any third party acting on its behalf;
(b) Failure, interruption, outage, or other problem with any software, hardware, system, network, services, facility, or technology not supplied by Supplier;
(c) Scheduled Maintenance or emergency maintenance;
(d) Client failure to fulfill its responsibilities and obligations in this Agreement;
(e) Disabling, suspension, or termination of the Services under the Agreement; or
(f) Any other cause not under Supplier’s reasonable control including Force Majeure events.

3.3.3. In any event, this SLA will not grant Client any additional remedies beyond what is stipulated in this Agreement.

3.4. Onboarding Period

3.4.1. Unless agreed otherwise in the applicable Order Form, Client’s receipt of the services pursuant to this Schedule is subject to Client successfully completing a three-phase onboarding period, commencing on the Effective Date (the “Onboarding Period”), as described hereunder:

i. API Integration: Client and Supplier will work together to integrate the API according to the dedicated API documentation provided by Supplier specifically for Client.

ii. Training Phase: Supplier will train the Software AI/ML model specifically dedicated to Client. Client’s obligation is to provide all Transaction Information as further detailed in the Documentation, including without limitation data regarding transactions that:
(i) Are not marked for review by Supplier;
(ii) Have been declined by existing fraud screening/prevention systems of the Client.

iii. Roll-Out Phase: Following the Training Phase, Supplier shall begin to gradually assume liability over Submitted Transactions, commencing at a randomly selected scope of approximately 10% of all Submitted Transactions and augmenting the scope until assuming full liability in accordance and subject to the applicable Order Form. Supplier shall use reasonable commercial efforts to complete the Roll-Out Phase within one (1) month following the beginning of the Roll-Out Phase, subject to any delays that aren’t attributed to Supplier.

3.4.2. DURING THE ONBOARDING PERIOD, SUPPLIER SHALL ASSUME NO LIABILITY WHATSOEVER TO CLIENT WITH RESPECT TO MATTERS SET FORTH IN THIS SECTION 3, EXCEPT FOR THE LIMITED LIABILITY SUPPLIER EXPLICITLY ASSUMED IN THE ROLL-OUT PHASE.

3.4.3. All the provisions of the Agreement not explicitly excluded or addressed under this Section shall be in full force and effect and shall govern the Onboarding Period.

4. CLIENT DATA

4.1. License to Client Data
Client hereby grants Supplier and its Affiliates a worldwide, non-exclusive, perpetual, royalty-free, fully paid-up, irrevocable, and sublicensable license and right to utilize the Client Data for the following purposes:
(i) Supplying the Services to Client and to Supplier’s other clients; provided that Supplier shall use the Client Data only to provide the services, and shall not disclose any Client Data, in any form, to other clients, and
(ii) Incorporate Client Data into the Services, to the extent permitted under the applicable law; and
(iii) Use the Client Data in accordance with Supplier’s Privacy Policy.

To clarify, to provide the Services, Supplier must rely on a combination of Client Data from all of its clients as well as external sources, all incorporated into the Services. Supplier shall be unable to provide the Services in the absence of such Client Data. Client acknowledges and agrees that once the Client Data is incorporated into the Services, Supplier shall have the right to use such Client Data, and to provide it to third parties, for the purposes of providing the Services during and after the Term.

4.2. Supplier Use of Client Data Restrictions
Subject to the requirements of applicable law, Supplier will not:
(i) Identify Client to any unaffiliated third party as the source of the Client Data,
(ii) Disclose a complete data set of Client Data for a transaction to any unaffiliated third party,
(iii) Disclose more than the disaggregated portions of Client Data that is necessary to exercise the Supplier’s rights and perform its obligations under these terms, or
(iv) Process Client Data for purposes of cookie tracking, ad exchanges, data brokerages, ad networks, or sending electronic communications (including email) in violation of applicable law.

4.3. Client’s Responsibility
Client acknowledges that Supplier’s provision of the Services is conditioned upon Supplier’s receipt of correct and accurate Client Data. Client further acknowledges that in order for the Supplier to provide its Services, Client must successively provide Client Data in accordance with the terms of this Agreement and/or Order Form (as applicable) as well as the Documentation. Client shall have the full and sole responsibility and liability for the legality, reliability, integrity, accuracy, and quality of Client Data, or any part thereof. Without derogating from the aforementioned, Client shall be responsible for:
(i) Obtaining all and any consents, approvals, waivers, and making all disclosures needed in order for Supplier to use the Client Data as permitted by this Agreement, its Schedules and/or any Order Form,
(ii) Obtaining consent to use automated decision-making,
(iii) Providing Client’s End Users with the ability to exercise any access rights, and
(iv) Any requirements or limitations regarding the processing of data of minors, in each case, to the extent required under applicable law.

5. CLIENT'S OBLIGATIONS

5.1. Client is solely responsible for its relationships with all Authorized Users, for their use of the Service, and for ensuring that they comply with all the terms and conditions of this Agreement. Any violation of the terms and/or conditions of this Agreement by an Authorized User shall be deemed to be a violation by the Client of such terms and conditions.

5.2. Client is solely responsible for the security and proper creation, use, and termination of all Authorized User IDs, passwords, and other security devices used in connection with the Service and shall take all reasonable steps to ensure that they are kept confidential and secure, are used properly, and are not disclosed to unauthorized persons. Client shall immediately inform Supplier if there is any reason to believe that a user ID, password, or any other security device has, may, or is likely to become known to any person not authorized to use it, or is being, may be, or is likely to be used in an unauthorized way. Supplier reserves the right (at its sole discretion) to require Client to change any or all of the user IDs, passwords, or other security devices used by Client in connection with the Service, and Client shall promptly comply with any such requirement.

5.3. Client shall not appoint or otherwise allow anyone who is a direct or indirect competitor of Supplier or who works or is otherwise engaged with such, to be an Authorized User hereunder.

5.4. Client will be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the Software or Services; and all problems, conditions, delays, delivery failures as well as all other loss or damage arising from or relating to Client's network connections or telecommunications links or caused by the internet shall be the Client’s sole and full liability.

6. CHARGES AND PAYMENT

6.1. Fees
The fees applicable for Client access and use of the Services are defined in the applicable Order Form (the initial order form attached hereto as Schedule A) (the “Fees”).

6.2. Payment Terms
Client agrees to remit payment within the payment terms defined in the applicable Order Form. Unless agreed otherwise in the applicable Order Form, Client will be invoiced monthly for Services provided in the previous month. Except as otherwise specified herein or in the applicable Order Form, payment obligations are non-cancellable, and Fees paid are non-refundable.

6.3. Payment Failure
If Supplier has not received payment within the aforementioned payment terms, then without prejudice to any other rights and remedies, the unpaid amounts shall be subject to the maximum finance charge permitted by law plus all expenses of collection. Upon continued failure to pay within 15 days following notification by Supplier to Client, Supplier will have the right to interrupt the Services until payment has been made. During the interruption of the Services, Client will be charged daily an amount equal to the average daily Service Fee of the previous 6 months, augmented by 25%.

6.4. Taxes
The Fees are exclusive of all applicable transaction taxes, including sales, use, and VAT taxes, and Client will be responsible for all taxes and other amounts imposed by any governmental agency on the Fees payable under this Agreement, its Schedules, or any Order Form (except for corporate income tax imposed on Supplier).

7. TERM AND TERMINATION

7.1. Term
Unless agreed otherwise in the applicable Order Form, this Agreement shall commence on the Effective Date and shall remain in force for a period of one (1) year following the completion of the Onboarding Period as set out in Schedule A (if applicable) (the “Initial Term”). Following the Initial Term, it shall be automatically renewed for consecutive one (1) year periods (each, a “Renewal Term”, and together with the Initial Term, the “Term”), unless either Party informs the other in writing, at least ninety (90) days in advance, at any time, that it does not wish for the Agreement to be so renewed.

7.2. Termination for Cause
Either Party may terminate this Agreement immediately upon notice to the other Party if the other Party:
(a) Has committed any material breach which is not cured within thirty (30) days of receipt of written notice to the breaching party, or
(b) Has a receiver or similar party appointed for all or substantially all of its property, is declared insolvent by a court of competent jurisdiction, ceases to do business in the ordinary course, files a petition in bankruptcy or has a petition filed against it in bankruptcy, becomes the subject of any court or administrative proceeding related to its liquidation or insolvency (whether voluntary or involuntary) that is not dismissed within sixty (60) days, or makes an assignment for the benefit of its creditors.

Notwithstanding the above, Supplier may temporarily suspend the Service in whole or in part if Client breaches any term of this Agreement, its Schedules, or Order Form until Client amends such breach. Supplier may also suspend and/or terminate this Agreement and any applicable Order Form with immediate effect if:
(i) The Fees owed by Client under the applicable Order Form are overdue and are not paid within 7 business days following written notice by Supplier;
(ii) Client uses the Services in violation of applicable law; and
(iii) Client is making unauthorized use of the Services in a manner that Supplier reasonably believes may cause it any liability, security risk, damages, or disruption to others’ use of the Services. For the avoidance of doubt, suspension shall not relieve Client’s obligation to pay amounts due, and shall not limit any other right or remedy available to Supplier.

7.3. Effect of Termination
Upon the termination or expiration of this Agreement for any reason:

7.3.1. Client shall immediately cease any and all use of and access to all Services and Software;

7.3.2. Client shall pay all amounts that have accrued and are owed hereunder within ten (10) days following any termination or expiration of this Agreement; and

7.3.3. If requested by a Party, the other Party shall, subject to the terms of this Agreement, destroy or return to the requesting Party, as directed, all of the requesting Party’s Confidential Information, and other materials of the requesting Party in such other Party’s possession or under its control. Notwithstanding the foregoing, each Party shall be entitled to retain any records to the extent it has been advised in writing by counsel that such retention is required to comply with applicable law or regulation.

7.4. Survival
The terms of this Agreement which relate to confidentiality, intellectual property ownership, indemnity, limitations and disclaimers of liability and warranty, and payment obligations, along with terms which expressly or by their nature should reasonably survive termination, shall survive the expiration or termination hereof.

8. INTELLECTUAL PROPERTY

8.1. Ownership
As between the Parties, all rights, title, and interest, including any and all Intellectual Property Rights, and any other rights of ownership or use, in and to the Supplier’s IP are and shall remain the sole property of Supplier and its Affiliates and their respective licensors, as applicable, and Client shall acquire no right of ownership or use with respect to any Supplier’s IP, Software, Services, or Content, except for the limited license granted under Section 2 above.

Client acknowledges that the Supplier’s IP, Software, Service, and Content, and the inventions, know-how, and methodology embodied therein are proprietary to, and are the valuable trade secrets of, Supplier and its licensors, as applicable, and that Supplier’s IP, Software, Service, and Content constitute Confidential Information of Supplier.

8.2. Client’s IP
As applicable, Client shall retain all ownership and intellectual property rights, title, and interest in and to all of Client Data.

8.3. Feedback
If Client provides Supplier with identification of any potential errors in, or improvements to, the Service, Software, or any Content (including, without limitation, providing any feedback with respect to any person’s investigatory profile on the Software) (“Feedback”), Client hereby grants Supplier the unrestricted right to use such Feedback, including the right to use such Feedback to improve the Service, Software, and create other products and services. Supplier will treat any Feedback provided by Client as non-confidential and non-proprietary. Client agrees not to submit to Supplier any Feedback that Client considers to be confidential or proprietary.

9. CONFIDENTIALITY

9.1. Each Party shall hold the other Party's Confidential Information in confidence and, unless required by law, not make the other Party's Confidential Information available to any third party or use the other Party's Confidential Information for any purpose other than the implementation of this Agreement. Each Party shall take all reasonable steps to ensure that the other Party's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement; and neither Party shall be responsible for any loss, destruction, alteration, or disclosure of Confidential Information caused by any third party.

9.2. The obligations of the Parties under this Section 9 (‘Confidentiality’) shall not apply to the extent of any disclosure required pursuant to a duly authorized subpoena, court order, government, or other competent authority, provided that the receiving Party has provided, to the extent permitted, prompt notice and assistance to the disclosing Party prior to such disclosure, so that such Party may seek a protective order or other appropriate remedy to protect against disclosure.

9.3. Either Party may seek injunctive relief in addition to all other remedies for the protection of its Confidential Information hereunder. The preceding sentence is not intended, nor shall it be construed, to limit a Party’s right to dispute the factual basis underlying any contention that it has committed any breach.

10. DATA PROTECTION AND SECURITY

10.1. The processing of personal data or personal information by Supplier on behalf of the Client is subject to and governed by the Supplier’s Data Processing Agreement (“DPA”), which is an integral part of the Agreement.

10.2. Supplier shall implement and maintain reasonable organizational and technical safeguards consistent with industry practices to protect the security and confidentiality of all Client Data to restrict access thereto, including access and authorization controls, intrusion detection, security monitoring and logging, and anti-virus protections.

10.3. Supplier has no obligation to back up any Client Data, and the Client Data that Supplier stores may be deleted at any time. Client is solely responsible for the preservation and backup of the Client Data, and to the fullest extent permitted by law, Supplier shall have no liability for any data loss, unavailability, or other consequences related to the foregoing.

11. REPRESENTATIONS AND WARRANTIES

11.1. Mutual Warranties
Each Party represents and warrants to the other Party that:
(a) It has the full power and authority to enter into this Agreement and perform its obligations under this Agreement;
(b) The execution, delivery, and performance of this Agreement by it does not violate, conflict with, or constitute a default under any agreement or instrument to which it is a party or by which it is bound, or any applicable law, regulation, or order of any court or other tribunal; and
(c) It shall comply with all applicable laws and regulations (including any applicable anti-bribery, privacy, data protection, security, and corruption legislation), in connection with its performance of this Agreement and any applicable Order Form.

11.2. Supplier Warranties
Supplier warrants that during the applicable Term:
(a) It has and will maintain all necessary licenses, consents, and permissions necessary for the performance of its obligations under this Agreement (without detracting and subject to Client’s obligations and warranties); and
(b) It shall perform the Services in a professional manner and shall use reasonable commercial efforts consistent with industry standards to maintain the Services in a manner that minimizes errors and interruptions in the Services, including providing to Client reasonable technical support Service in accordance with Supplier’s standard practice.

The foregoing warranties shall not apply to errors or nonconformance that:
(i) Are caused by misuse, unauthorized modifications, or combination with third-party hardware, software, products, or services not approved in writing by Supplier; or
(ii) Are caused due to Client’s failure to comply with Supplier’s instructions.

Unless provided otherwise in this Agreement, in any event of nonconformance, or otherwise with respect to any errors, service interruptions, or other problems with the Service, the sole and exclusive remedy of Client shall be commercially reasonable efforts by Supplier to make available to Client a conforming version of the Service, or resolve any error; provided, that the Client shall promptly notify Supplier in writing of such nonconformance or error, and in any event no later than thirty (30) days after such nonconformance or error had occurred.

11.3. Client Warranties
Client represents and warrants that:
(a) It has obtained and will maintain all necessary consents, approvals, and waivers, and will make all disclosures needed, to permit Client and each third-party platform to provide Supplier with, or otherwise authorize Supplier access to, Client Data and to use and disclose to third parties such Client Data in accordance with the terms of this Agreement; and
(b) The Client Data, its provision of the Client Data, and Supplier’s use and disclosure of the Client Data in accordance with the Agreement, do not and will not infringe or violate any proprietary or personal right of any third party or any laws, regulations, or obligations imposed by any third party.

11.4. No Fair Credit Reporting Act Characteristics
Client understands and agrees that Supplier is not a consumer reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and that the Software does not include “consumer reports” as defined in the FCRA. Client understands that any information provided to Supplier in order to use the Software has not been collected by Supplier for credit purposes and is not intended to be indicative of any consumer’s creditworthiness, credit standing, credit capacity, or other characteristics listed in Section 603(d) of the FCRA.

11.5. DISCLAIMER
EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, SUPPLIER IS PROVIDING THE SERVICE “AS IS” AND SUPPLIER DOES NOT MAKE, AND HEREBY EXPRESSLY DISCLAIMS, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICE OR THEIR PERFORMANCE HEREUNDER, INCLUDING THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. IN PARTICULAR, SUPPLIER DOES NOT WARRANT THAT THE SERVICE WILL MEET CLIENT’S EXPECTATIONS OR BE ACCURATE, ERROR-FREE, OR OPERATE ON AN UNINTERRUPTED BASIS OR IN COMBINATION WITH ANY OTHER HARDWARE, SOFTWARE, OR SYSTEM. WITHOUT LIMITING THE FOREGOING, SUPPLIER WILL NOT BE LIABLE FOR ANY PROBLEMS WITH THE SERVICE ATTRIBUTABLE TO THE INTERNET, FORCE MAJEURE, OR CLIENT’S OR ANY AUTHORIZED USER’S NETWORK OR ABILITY TO ACCESS THE INTERNET.

12. INDEMNIFICATION

12.1. Indemnification by Supplier
Supplier shall defend, indemnify, and hold Client harmless against any claims, actions, proceedings, losses, damages, expenses, and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with (i) Supplier’s use of Client Data not in accordance with this Agreement, its Schedules, and/or the applicable Order Form; and (ii) liability to third parties resulting from infringement by the Service of any third party’s intellectual property. However, in no event shall Supplier have any obligations or liability under this Section 12.1 to the extent the claim against Client arises from:
(a) Client or any Authorized User’s use of the Services other than as permitted under this Agreement or the applicable Order Form; or
(b) Use of the Services in a modified form or in combination with products, services, content, or data not furnished to Client by Supplier.

12.2. Potential Infringement
If the Services become, or in Supplier’s reasonable judgment are likely to become, the subject of a claim of infringement, then Supplier may, in its sole discretion:
(a) Obtain the right, at Supplier’s expense, for Client to continue using the Services;
(b) Provide a non-infringing functionally equivalent replacement; or
(c) Modify the Services to correct such infringement.

If Supplier, at its sole discretion, determines that none of the above options are commercially reasonable, then Supplier may suspend or terminate Client’s use of the Services, in which case Supplier shall provide Client with a prorated refund of any prepaid, unused Fees applicable to the remaining portion of the Term. Sections 12.1 and 12.3 state Supplier’s sole liability and the Client’s exclusive remedy for infringement claims.

12.3. Exclusive Remedy
This “Indemnification” section states the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other Party for any third-party claim described in this section.

12.4. Indemnification by Client
Client shall defend, indemnify, and hold Supplier harmless against any claims or demands, and any related costs, damages, expenses, and liabilities (including reasonable attorneys’ fees), arising out of or related to Client’s use of the Services, Software, and Content, and/or any Client Data which violates any applicable law, regulation, or rights of a third party (including, without limitation, Client’s failure to obtain any required consents as determined in this Agreement, its Schedules, or any applicable Order Form).

12.5. Indemnification Process
The Party seeking indemnification shall provide prompt notice to the indemnifying Party concerning the existence of an indemnifiable claim and shall provide the indemnifying Party with all information and assistance reasonably requested by the indemnifying Party in defending the claim. The indemnifying Party shall have full control and authority over the defense of any claim; provided, however, that any settlement requiring the Party seeking indemnification to admit liability or make any financial payment shall require such Party’s prior written consent, not to be unreasonably withheld.

13. LIMITATION OF LIABILITY

13.1. Consequential and Related Damages
IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY LOSS OF DATA, LOSS OF BUSINESS OR PROFITS, OR ANY OTHER SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL LOSSES OR DAMAGES OF ANY SORT, WHETHER OR NOT SUCH DAMAGES ARE FORESEEABLE, ARISING UNDER OR IN CONNECTION WITH THIS AGREEMENT.

13.2. Liability Cap
IN NO EVENT SHALL EITHER PARTY’S OR ITS AFFILIATES' AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT OR ANY ORDER FORM THEREOF (WHETHER IN CONTRACT, TORT, NEGLIGENCE, OR UNDER ANY OTHER THEORY OF LIABILITY) EXCEED THE TOTAL AMOUNT PAID OR PAYABLE BY CLIENT UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY.

13.3.
ANY ACTION BY EITHER PARTY RELATED TO AN ACTUAL OR ALLEGED BREACH OF THIS AGREEMENT BY THE OTHER PARTY, OTHER THAN A WILLFUL OR INTENTIONAL BREACH OF THE CONFIDENTIALITY SECTION OR THE INTELLECTUAL PROPERTY SECTION, MUST BE COMMENCED WITHIN TWO (2) YEARS AFTER THE DATE ON WHICH THE BREACH IS DISCOVERED. ANY ACTION NOT BROUGHT WITHIN THAT TWO (2) YEAR PERIOD SHALL BE BARRED, WITHOUT REGARD TO ANY LONGER LIMITATIONS PERIOD SET FORTH IN ANY APPLICABLE LAW OR STATUTE.

14. THIRD PARTY SERVICES

Supplier reserves the right to use third-party service providers that will assist it to provide the Services without Client’s prior written consent; provided however that Supplier shall remain fully responsible for the performance of each such service provider and its employees for their compliance with all the Terms and Conditions of this Agreement as if they were Supplier's own employees.

15. PUBLICITY

15.1. Publicity
Client hereby grants Supplier a royalty-free, global right and license to:
(a) Refer to Client as a customer of Supplier;
(b) Freely display Client’s name, trademarks, trade names, and/or logos, on all of Supplier’s websites and/or promotional platforms and materials (collectively, “Promotional Platforms”); and
(c) Freely disclose and describe on all Promotional Platforms the existence and nature of Client’s engagement with Supplier.

15.2. Case Study
Client agrees to be the subject of a customer testimonial or case study written by Supplier, which will discuss Client’s use of the Software and Service and may be published by Supplier and used in sales, marketing, and press activities. Client must approve each such testimonial or case study in advance, provided that Client’s approval will not be unreasonably delayed or withheld.

16. CONSENT TO ELECTRONIC COMMUNICATION

Client consents to receiving electronic communications from Supplier. These communications may include notices about Client’s account and information concerning or related to the Software and the Services. Client agrees that notices, agreements, disclosures, or other communications that Supplier sends electronically to Client will satisfy any legal communication requirements and shall have the same legal effect, including that such communications be in writing. Notices affecting this Agreement will be sent to administrators through Client’s account or email and will be deemed received within 24 hours.

17. AUDIT

Supplier may audit Client’s use of the Service upon reasonable advance notice, not more than once per calendar year unless Supplier has reasonable cause to believe that Client is using or permitting the Service to be used in an unauthorized manner.

18. GENERAL PROVISIONS

18.1. No Joint Venture or Partnership
This Agreement does not create or evidence a partnership, joint venture, or any other fiduciary relationship between the Parties. The Parties are independent, and each has sole authority and control of the manner of, and is responsible for, its performance of this Agreement. Neither Party may create or incur any liability or obligation for or on behalf of the other Party, except as described in this Agreement.

18.2. Waiver
No failure or delay by either Party in exercising any right under this Agreement will constitute a waiver of that right.

18.3. Assignment
Client shall not assign or otherwise transfer this Agreement, or delegate any duty or assign or otherwise transfer any right hereunder, including by operation of law, without the prior written consent of Supplier in each case. Any attempt to do any of the foregoing without Supplier’s prior written consent shall be a material breach of this Agreement and any assignment or purported assignment without such consent shall be null and void ab initio. Notwithstanding the aforementioned, either Party may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its shares.

18.4. Severability
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.

18.5. Entire Agreement
This Agreement constitutes the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications, and other understandings relating to the subject matter of this Agreement. All waivers and modifications must be in writing and duly signed by both Parties.

18.6. Force Majeure
If either Party is unable to perform any obligation (excluding any payment obligation) under this Agreement because of any matter beyond that Party’s reasonable control, such as lightning, flood, fire, explosion, war, civil disorder, industrial disputes, etc., that Party will have no liability to the other for such failure to perform.

18.7. Governance
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware. The Parties hereby consent and submit to the exclusive jurisdiction of the competent courts in the district of Delaware in all questions and controversies arising out of this Agreement.

18.8. Counterparts
This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same Agreement.

18.9. Interpretation
In the event of any conflict between this Agreement (and its Schedules) and an Order Form, the terms of such Order Form shall prevail unless expressly stated otherwise.

EXHIBIT 1 - Reason Codes

The list below may not fully reflect certain updates to chargeback codes as may be conducted by card processors from time to time. In the event of an omission of a certain code or category as reported by the card processor, Supplier will determine in its sole discretion the eligibility of such chargeback and Client’s entitlement to receive the Chargeback Payment. Eligible Reason Codes and Categories:

Any chargeback reason codes, or categories not explicitly written herein or not approved in writing by the Supplier in its sole discretion as provided above, shall be deemed as an ineligible chargeback. If Client has elected Ultimate Chargeback liability, Supplier is liable for all types of Chargebacks, above and beyond the reason codes indicated in the above table.

DATA PROCESSING AGREEMENT

This Data Processing Addendum (“DPA”) is made by and between Client and nSure.ai Payment Assurance Inc. (“Supplier”), as required by the EU General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018, as amended (“CCPA”), and other applicable data protection and privacy laws (together “Applicable Laws”). This Agreement governs matters of data protection with respect to Personal Data between the Parties and shall be in force for as long as Parties Process Personal Data in connection with the Master Service Agreement (the “Agreement”), and it amends any prior agreement between the Parties with respect to data protection matters. Capitalized terms not otherwise defined herein or in the Agreement shall take the meaning ascribed to them by Applicable Laws.

  • Client is either a Controller or Processor of Personal Data governed by GDPR and Applicable Laws (“Personal Data”). Client Processes Personal Data directly and through its Processors; Supplier is a Processor (a ‘service provider’) or a sub-processor for Client.
  • Supplier will Process Personal Data only pursuant to Client’s documented instructions, which may include the Agreement, any other agreement between the Parties with respect to the provision of the Supplier's services to Client, and any other instructions communicated in writing directly to Supplier. Supplier may also Process Personal Data where required by applicable laws to which Supplier is subject, in which case Supplier shall inform Client of that legal requirement before the relevant Processing of that Personal Data, unless prohibited from doing so by law.
  • Client instructs Supplier to Process the Personal Data for the following purposes:
    (i) Providing the Services, including also fraud prevention, product improvement, and auditing;
    (ii) Fulfilling its obligations under this Agreement and any other agreement or lawful instruction; and
    (iii) As required by law.
  • Supplier may only Process the types of Personal Data, relating to such categories of Data Subjects, as are detailed in Appendix A below.
  • Supplier will maintain an updated list of its sub-processors, which will be made available to Client, and Client shall have the right to object, on reasoned grounds, to any sub-processor within thirty (30) days of becoming aware of such sub-processor’s processing. In the event that Client, acting reasonably and in good faith, objects to such processing, then the Client may terminate the portion of the Agreement that requires the employment of said sub-processor. Supplier shall ensure that the arrangement between Supplier and each sub-processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data being Processed hereunder as those set out in this DPA and which meet the requirements of Article 28(3) of the GDPR. A current list of sub-processors is attached hereto as Appendix B.
  • Supplier's personnel engaged in Processing Personal Data are and will remain committed to confidentiality. Supplier takes not less than industry-appropriate technical and organizational measures to ensure the security of its Processing of Personal Data and meets or exceeds the requirements of GDPR Article 32 and Applicable Laws, as described in Appendix C below.
  • Supplier will assist Client in responding to requests for exercising Data Subjects' rights (GDPR Articles 15-22; “Request”). Supplier will inform Client promptly if it receives a Request, and in any event within 72 hours of receiving the Request, and will not take any other action without Client’s authorization. Supplier will likewise assist Client with its obligations pursuant to applicable data protection laws, such as GDPR Articles 32-36, including also data security, data protection impact assessments, and breach notifications. Supplier will inform Client without delay, and in any event within 48 hours, if Supplier experiences or suspects a Personal Data Breach, and will provide full details to Client.
  • Supplier will promptly delete and procure the deletion of Personal Data where so instructed by Client unless and to the extent that retention is required by applicable laws.
  • Where Supplier transfers EU Personal Data to a country outside the EEA which is not considered to provide adequate data protection, the Standard Contractual Clauses (“SCCs”) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN shall apply. For purposes of the SCCs, module 2 (controller to processor) shall apply. In Clause 9, option 2 (general written authorization) will apply, and the authorization period will be 14 days. In Clause 11, the optional language will not apply. In Clause 17, the governing law will be Irish law. In Clause 18, disputes shall be resolved by the courts of Ireland. In Annex I, Client is the ‘Data exporter’ and Supplier is the ‘Data importer’; the ‘Data subjects’, ‘Categories of data’, ‘Frequency of the transfer’, ‘Nature of processing’, ‘Purpose’, ‘Retention period’ and ‘Subject matter, nature, and duration of the processing’ are as described in the appendices below. The ‘competent supervisory authority’ is the Irish DPC.
  • Supplier will make available all information necessary to demonstrate compliance with its obligations under Applicable Laws, such as GDPR Articles 28 and 32. Supplier will reasonably allow for and contribute to audits and inspection in this regard.
  • Supplier may assign its respective rights and obligations hereunder where such assignment is by way of merger or acquisition of all or substantially all Supplier's equity or assets, or change of control.
  • Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions that achieve essentially the same objectives. The choice of law and jurisdiction governing this agreement will be the same as those governing the Agreement.

Appendix A – Details of Processing

1. Nature, purpose, and subject matter of the Processing.
The nature, purpose, and subject matter of the Processing is the provision of the Services set forth in the Agreement.

2. Categories of Data Subjects.
Client consumers.

3. Types of Personal Data.
Client consumer name (first and last), address, email, device information, transaction-related data, usage of Client online platform, and any other information either provided directly by Client or otherwise processed through Supplier Services.

4. Frequency of the transfer.
Continuous.

Appendix C – Technical and Organizational Measures

1. Information security program and certification.
Supplier is SOC2 Type II certified. A written security program is implemented, maintained, and complied with. As part of the program, Supplier:
(i) Implements an audit program to test and, if necessary, remediate identified gaps of all security controls at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Personal Data;
(ii) Conducts an annual information security assessment that assesses the threats and vulnerabilities associated with systems; and
(iii) Produces (pursuant to the results of (i) and (ii)) a documented information security assessment and, where appropriate, a risk remediation plan.

2. Security official.
A designated management-level security official is responsible for the development, implementation, and ongoing maintenance of the information security program. The appointed official has appropriate recognized information security credentials and qualifications.

3. Access control.
Access rights are assigned according to the principle that employees and third parties are only granted the level of access they need to perform their activities (need-to-know principle) and only to those systems required for such activities. Access rights are granted according to defined (role-based) permissions. The access rights granted are reviewed regularly. Rights that are no longer required are withdrawn immediately. Access to systems is provided based on strong authentication policies.

4. Physical access control.
Secure areas are defined on the basis of information security and data protection requirements and protected against unauthorized access by appropriate physical safeguards, defined based on the protection needs of the information located or accessed within them.

5. Encryption.
Personal Data is encrypted at rest using AES-256 and in transit using TLS v1.2 or higher.

6. Confidentiality.
Controls are in place to maintain the confidentiality of Data in accordance with the Service Agreement. All employees and contract personnel are bound by internal policies regarding maintaining the confidentiality of customer data and are contractually obligated to comply with these obligations.

7. Resilience and continuity.
A variety of tools and mechanisms are used to achieve high availability and resiliency. Data is backed up on AWS, and restoration of the backups is tested regularly to ensure the recovery-point objective (RPO) and recovery-time objective (RTO) commitments are met.

8. Third-party vendor management.
Security risk-based assessments of prospective vendors are conducted before working with them to validate that they meet security requirements. Each vendor is periodically reviewed in light of its security and business continuity standards, controls necessary to protect data, and legal/regulatory requirements. Supplier ensures that customer data is returned and/or deleted at the end of a vendor relationship. Written agreements are in place with all vendors, which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for customer Data that these vendors may process.

9. Architecture and Data Segregation.
The cloud infrastructure used for the services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure used is located in the United States. Additional information about security provided by AWS is available at AWS Security and AWS Whitepapers. The production environment within AWS, where customer Data and the services are hosted, is a logically isolated Virtual Private Cloud (VPC). Network access between production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are used to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly.

10. Incident response plan.
Policies and procedures are implemented, designed to detect, respond to, and otherwise address incidents, including specific points of contact in the event of an incident.

11. System testing and maintenance.
Supplier tests and maintains systems to protect data including, without limitation:
(i) Installing critical security patches for operating systems and applications within thirty (30) days of publication, and within three (3) months for other types of patches and updates,
(ii) Installing the latest recommended versions of operating systems, software, and firmware for all system components, and
(iii) Ensuring that up-to-date system security agent software includes malware protection set to receive automatically updated (at least daily) patches and virus definitions.

12. Audit logging.
Hardware, software, or procedural mechanisms are implemented and maintained to record and examine activity in processing systems that contain or use electronic information, including appropriate logs and reports concerning the security requirements set forth in this Annex.

13. Security awareness and privacy training.
An ongoing security and privacy awareness and training program is maintained for all employees (including management, employees, contractors, and other agents), which includes training on how to implement and comply with the information security program and setting forth disciplinary measures for the violation of the security program. Security and privacy awareness training is conducted at least annually.