Terms of Service ("Agreement") is made between Drata Inc. ("Drata"), a Delaware corporation and you, the customer that has signed up for the Services and agreed to the terms of this Agreement ("Customer") (each, a "Party" and collectively, the "Parties"). The provisions of this Agreement will apply to the Services and the Platform provided to Customer under this Agreement and shall govern all Order Forms entered into between Drata and the Customer.

1. DEFINITIONS. Capitalized terms have the meaning set forth below or as defined within this Agreement.

1.1 "Applicable Privacy Laws" means, to the extent applicable to the Services, all worldwide data protection and privacy laws and regulations, including where applicable, the California Consumer Privacy Act Cal. Civ. Code §§ 1798.100 et seq. ("CCPA"), the General Data Protection Regulation ("GDPR"), the e-Privacy Directive (Directive 2002/58/EC), and any U.S. state or national data protection laws as superseded, amended or replaced.

1.2 "Authorized User" means the Personnel who are authorized to access the Platform pursuant to Customer's rights under this Agreement.

1.3 "Customer Content" means any content and information provided or submitted by, or on behalf of, Customer or its Authorized Users, or imported from Third-Party Services at the direction of Customer, in connection with the Services, including any Personal Data.

1.4 "Customer Marks" means Customer's trademarks, tradenames, service marks, and logos.

1.5 "Documentation" means all specifications, user manuals, and other technical materials relating to the Platform and provided or made available to Customer, as may be modified by Drata from time to time.

1.6 "Drata Technology" means the Platform, the Services, the Documentation and any applicable software, data, or technical information contained within the foregoing.

1.7 "Fees" has the meaning given in Section 3.1.

1.8 "Intellectual Property Rights" means all past, present, and future rights of the following types, which may exist or be created under the laws of any jurisdiction in the world: (a) rights associated with works of authorship, including exclusive exploitation rights, copyrights, moral rights, and mask work rights; (b) trademark and trade name rights and similar rights; (c) trade secret rights; (d) patent and industrial property rights; (e) other proprietary rights of every kind and nature; and (f) rights in or relating to registrations, renewals, extensions, combinations, divisions, and reissues of, and applications for, any of the rights referred to in clauses (a) through (e) of this sentence.

1.9 "Order Form(s)"" means Drata's standard form for ordering Services which specifies the Services and applicable Fees.

1.10 "Personal Data" has the meaning given in Applicable Privacy Laws.

1.11 "Personnel" means the employees, agents and independent contractors engaged by the Customer.

1.12 "Platform" means Drata's continuous security control monitoring and workflow automation platform, which is used to provide the Services, as may be updated or improved by Drata from time to time.

1.13 "Reports" has the meaning given in Section 2.7.

1.14 "Services" means the services provided through the Platform and described on an Order Form agreed by the Parties in writing under this Agreement.

1.15 "Term" has the meaning given in Section 4.1.

1.16 "Third-Party Services" has the meaning given in Section 8.3.

1.17 "Year" means each twelve (12) month period of an Order Form commencing on the effective date of the Order Form and each subsequent anniversary.

2. ACCESS TO THE PLATFORM; RESTRICTIONS; SERVICES.

2.1 Access. Subject to the terms and conditions of this Agreement, Drata hereby grants to Customer, and the Authorized Users on Customer's behalf, a limited, non-exclusive, non-transferable (except as permitted under Section 11.4), non-sublicensable right during the Term to: (a) use and access the Platform and the Services in accordance with the Documentation and the terms of this Agreement; and (b) use and make reasonable copies of the Documentation, in each case solely for Customer's internal business purposes. Customer acknowledges and agrees that Drata may update the Services and the Platform from time to time with or without notifying Customer. Drata shall use commercially reasonable efforts to ensure that any such updates to not materially degrade the functionality of the Platform or the Services.

2.2 Restrictions. Customer shall not, and shall procure that its Authorized Users shall not: (a) allow any third party to access the Drata Technology except as expressly allowed herein; (b) modify, adapt, alter or translate the Drata Technology; (c) sublicense, lease, sell, resell, rent, loan, distribute, transfer or otherwise allow the use of the Drata Technology for the benefit of any unauthorized third party; (d) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Platform, except as permitted by law; (e) interfere in any manner with the operation of the Platform, the Services or the hardware and network used to operate the same, or attempt to probe, scan or test vulnerability of the Platform without prior authorization of Drata; (f) modify, copy or make derivative works based on any part of the Drata Technology; (g) access or use the Drata Technology to build a similar or competitive product or service or otherwise engage in competitive analysis or benchmarking; (h) attempt to access the Platform through any unapproved interface; (i) use the Platform in connection with any of Customer's time-critical or mission-critical functions; (j) remove, alter, or obscure any proprietary notices (including copyright and trademark notices) of Drata or its licensors on the Drata Technology or any copies thereof; or (k) otherwise use the Drata Technology in any manner that exceeds the scope of use permitted under Section 2.1 or in a manner inconsistent with applicable law, the Documentation, the Order Form or this Agreement. Drata reserves the right to suspend Customer's access to the Platform and the Services for any failure, or suspected failure, to comply with the foregoing conditions.

2.3 Usernames and Passwords. Each Authorized User will use his or her unique username and password to access the Platform pursuant to this Agreement. Authorized Users may only access the Platform during one (1) concurrent login session. Customer acknowledges and agrees that: (a) only Authorized Users are entitled to access the Platform with their unique usernames and passwords; (b) it will provide to Drata information and other assistance as necessary to enable Drata to establish access to the Platform for the Authorized Users, and will verify all Authorized User requests for access to the Platform; (c) it will ensure that each unique username and password issued to an Authorized User will be used only by that Authorized User when accessing the Platform; (d) Customer is responsible for maintaining the confidentiality of all Authorized Users' unique usernames and passwords, and is solely responsible for all activities that occur under these Authorized User accounts; and (e) Customer will notify Drata promptly of any actual or suspected unauthorized use of any account, username, or passwords, or any other breach or suspected breach of this Agreement. Drata reserves the right to suspend, disable or terminate any Authorized User's access to the Platform that Drata reasonably determines may have been used by an unauthorized third party. The unique usernames and passwords cannot be shared or used by more than one individual Authorized User to access the Platform.

2.4 Customer Content. Customer is solely responsible for any and all obligations with respect to the accuracy, quality and legality of Customer Content. Customer will obtain all third party licenses, consents and permissions needed for Drata to use, copy, store and process the Customer Content to provide the Services, including the right to integrate with, and pull Customer Content from, Third-Party Services. Without limiting the foregoing, Customer will be solely responsible for obtaining from third parties (including all Personnel) all necessary consents and rights for Drata to use the Customer Content submitted by or on behalf of Customer or Authorized Users for the purposes set forth in this Agreement, including all consents required in accordance with all Applicable Privacy Laws. Customer shall immediately notify, and address with, Drata any complaints or claims by Personnel with respect to the sharing of the Customer Content involving such Personnel.

2.5 Necessary Equipment. Customer must provide all equipment and software necessary to connect to the Platform, including but not limited to, applicable application program interfaces that have sufficient bandwidth to facilitate the Services. Customer is solely responsible for any fees, including internet connection fees, that Customer incurs when accessing the Platform and the Services.

2.6 Support Services. Subject to the terms and conditions of this Agreement, Drata will exercise commercially reasonable efforts to: (a) provide support for the use of the Platform and Services to Customer; and (b) keep the Platform and Services operational and available to Customer, in each case in accordance with its standard policies and procedures.

2.7 Reports. As part of the Services, and subject to the delivery of accurate Customer Content, Drata shall from time to time provide to Customer its results, analysis and recommendations on the Platform for Customer to improve its compliance with the applicable standards specified in the Services ("Reports"). Customer may access and use such Reports for its own internal business purposes in accordance with the terms and conditions of this Agreement.

2.8 Implementation Services. Where the parties have agreed to Drata's provision of certain implementation services ("Implementation Services"), the details of such Implementation Services will be set out in an Order Form or a mutually executed statement of work ("SOW"). The Order Form or SOW, as applicable, will include: (a) a description of the Implementation Services; (b) the schedule for the performance of the Implementation Services; and (c) the Fees applicable for the performance of the Implementation Services. Each Order Form or SOW, as applicable, will incorporate the terms and conditions of this Agreement.

FEES, PAYMENT, AND TAXES.

3.1 Fees. The fees for access to the Platform and for the Services are set forth on the Order Form ("Fees"). Unless otherwise expressly specified in the applicable Order Form, the Fees:

(a) are payable annually in advance; and

(b) are calculated at the beginning of each Year based on the number of Personnel at the commencement of such Year (regardless of whether all such Personnel are Authorized Users for the purposes of this Agreement). Drata reserves the right to increase the Fees payable hereunder upon written notice to Customer at least forty-five (45) days prior to the commencement of each Year.

3.2 Fees Updates. Except as specified in Section 3.1(b), the Fees are fixed for each Year. However, if during a Year the Customer increases the number of Personnel by fifty percent (50%) or more than the number of Personnel at the commencement of the Year, at such point ("Fee Change Date") the Fees will be increased pro rata to reflect the increased number of Personnel for the remainder of that Year. Promptly following the Fee Change Date, Drata shall issue a new invoice with respect to such increase in the Fees and the Customer shall pay such invoice in accordance with Section 3.3. Drata will not retroactively charge Customer any increased Fees with respect to the period prior to the Fee Change Date. This Section shall not apply with respect to any Customer that has less than thirty (30) Personnel at the beginning of a Year.

3.3 Invoicing and Payment All Fees are quoted in United States Dollars and, except as set forth otherwise in this Agreement, are non-refundable. Drata will invoice Customer annually for the Fees, unless otherwise expressly specified in the applicable Order Form. Fees are payable prior to being granted access to the Drata Technology and no later than thirty (30) days from the date of invoice and will be deemed overdue if they remain unpaid thereafter.

3.4 Late Payments. Payments by Customer that are past due will be subject to interest at the rate of one and one-half percent (1½%) per month (or, if less, the maximum allowed by applicable law) on that overdue balance. Customer will be responsible for any costs resulting from collection by Drata of any such overdue balance, including, without limitation, reasonable attorneys' fees and court costs. Drata reserves the right (in addition to any other rights or remedies Drata may have) to suspend Customer and all Authorized Users' access to the Platform and the Services if any Fees are more than fifteen (15) days overdue until such amounts are paid in full.

3.5 Taxes. The Fees do not include taxes, duties or charges of any kind. If Drata is required to pay or collect any local, value added, goods and services taxes or any other similar taxes or duties arising out of or related to this Agreement (not including taxes based on Drata's income), then such taxes and/or duties shall be billed to and paid by Customer.

3.6 Withholding Payments. If any applicable law requires Customer to withhold amounts from any payments to Drata hereunder, then Customer will perform such obligations consistent with the provisions of this section. Customer will effect such withholding, remit such amounts to the appropriate taxing authorities and promptly furnish Drata with tax receipts evidencing the payments of such amounts. The sum payable by Customer upon which the deduction or withholding is based will be increased to the extent necessary to ensure that, after such deduction or withholding, Drata receives and retains, free from liability for such deduction or withholding, a net amount equal to the amount Drata would have received and retained in the absence of such required deduction or withholding.

4. TERM AND TERMINATION.

4.1 Term. This Agreement will begin on the effective date of the first Order Form between the Parties and will continue in full force and effect for as long as any Order Form remains in effect, unless earlier terminated in accordance with the Agreement (the "Term"). Unless otherwise stated in the applicable Order Form, the term of an Order Form will begin on the effective date of the Order Form and continue in full force and effect for one (1) Year, unless earlier terminated in accordance with the Agreement. Thereafter, the Order Form will automatically renew for additional terms of one (1) Year unless either Party gives written notice of non-renewal to the other Party at least thirty (30) days prior to the expiration of the then-current term.

4.2 Termination for Breach. Either Party may terminate this Agreement immediately upon notice to the other Party if:

(a) the other Party materially breaches this Agreement, and such breach remains uncured more than thirty (30) days after receipt of written notice of such breach; or

(b) the other Party: (i) becomes insolvent; (ii) files a petition in bankruptcy that is not dismissed within sixty (60) days of commencement; or (c) makes an assignment for the benefit of its creditors.

4.3 Effect of Termination. Upon the earlier of expiration or termination of this Agreement:

(i) each Party shall immediately return or, if requested by a Party, destroy all (including any copies of) Confidential Information (as defined below) of the other Party and, upon request, each Party shall provide written certification that the foregoing obligations have been completed;

(ii) the rights and licenses granted to Customer hereunder will immediately terminate, Customer will cease use of the Platform, the Services and Documentation, and return or destroy all copies of the Documentation in its possession/control;

(iii) the Parties' rights and obligations under Sections 2.2, 3, 4.3, 5, 7, 8.4, 9, 10 and 11 will survive termination of this Agreement and/or any Order Form; and

(iv) termination of this Agreement will not limit either Party from pursuing any other remedies available to it, including injunctive relief, nor will termination relieve Customer of its obligation to pay all Fees that accrued prior to such termination.

5. CONFIDENTIALITY.

5.1 Each Party ("Receiving Party") acknowledges that it may receive from the other Party ("Disclosing Party") confidential information relating to the Disclosing Party and such confidential information includes, but is not limited to, technical, business, marketing and financial information, and any other information that could reasonably be considered confidential or proprietary ("Confidential Information"). The terms of this Agreement and any Order Form, the Drata Technology, and all technical information relating thereto shall be considered Confidential Information of Drata.

5.2 Confidential Information does not include information that:

(a) is or becomes generally available to the public other than through a wrongful act of the Receiving Party;

(b) is or becomes available to the Receiving Party on a non-confidential basis from a source that is entitled to disclose it to the Receiving Party; or

(c) is independently developed by the Receiving Party, its employees or third party contractors without access to or use of the Disclosing Party's Confidential Information.

5.3 During and after the term of this Agreement, the Receiving Party shall: (i) not use (except for performance of this Agreement) or disclose Confidential Information of the Disclosing Party without the prior written consent of the Disclosing Party; and (ii) take no less than the same measures that it takes with its own Confidential Information, and in any case no less than reasonable measures, to maintain the Confidential Information of the Disclosing Party in confidence.

5.4 Either Party may disclose Confidential Information to the extent required by law, provided that the Receiving Party gives the Disclosing Party reasonable advance notice of such required disclosure and cooperates with the Disclosing Party so that the Disclosing Party has the opportunity to obtain appropriate confidential treatment for such Confidential Information.

5.5 All Confidential Information disclosed by Disclosing Party shall remain the property of the Disclosing Party. The Disclosing Party reserves all rights in its Confidential Information. Nothing in this Agreement or the disclosures envisaged by this Agreement shall (except for the limited use right above) operate to transfer, or operate as a grant of any Intellectual Property Rights in the Confidential Information.

6. DATA SECURITY; PRIVACY.

6.1 Drata's Commitments. During the Term, Drata shall implement and maintain an information security program that incorporates administrative, technical and physical safeguards designed to:

(a) ensure the security and integrity of the Customer Content;

(b) prevent unauthorized access to, or disclosure of, the Customer Content; and

(c) protect against threats, hazards and security incidents with respect to the Customer Content.

6.2 Privacy. Without limiting Customer's obligations under Sections 2.4, 6.3 and 8.2, each Party shall comply with all Applicable Privacy Laws in the performance of their respective obligations under this Agreement with respect to the processing of Personal Data.

6.3 Customer Responsibility for Data and Security. Customer and its Authorized Users will have access to the Customer Content and will be responsible for all changes to and/or deletions of Customer Content and the security of all passwords and other usernames and passwords required in order the access the Platform and the Services. Upon request to Customer's account manager, Drata may facilitate for Customer the ability to export Customer Content from the Platform. Customer will have the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Content. Drata is not obligated to back up any Customer Content; the Customer is solely responsible for creating backup copies of any Customer Content at Customer's sole cost and expense.

7. INTELLECTUAL PROPERTY RIGHTS.

7.1 Drata Technology. This Agreement does not grant to Customer any ownership interest in the Drata Technology. The Drata Technology is proprietary to Drata and Drata and/or its licensors have and retain all right, title and interest, including all Intellectual Property Rights therein. Customer acknowledges that any trademarks, trade names, logos, service marks, or symbols adopted by Drata to identify the Platform and the Services belong to Drata and/or its licensors, and that Customer has no rights therein. Except as expressly set forth herein, no express or implied license or right of any kind is granted to Customer regarding the Drata Technology, including any right to obtain possession of any source code, data or other technical material relating to the Drata Technology. All rights not expressly granted to Customer are reserved to Drata.

7.2 Customer License; Ownership. The Customer Content, and Customer's Confidential Information, and all worldwide Intellectual Property Rights therein, are the exclusive property of Customer. All rights in and to the Customer Content and Customer's Confidential Information not expressly granted to Drata in this Agreement are reserved by Customer. Customer grants Drata a non-exclusive, worldwide, royalty-free and fully paid license during the Term to: (a) to download, store, process and use the Customer Content as necessary for purposes of providing and improving the Platform and the Services, (b) to use the Customer Marks as required to provide the Services; and (c) on a perpetual basis, to use the Customer Content in an aggregated and anonymized form to: (i) improve the Services, the Platform and Drata's related products and services (including through various machine learning exercises); (ii) provide analytics and benchmarking services; and (iii) generate and disclose statistics regarding use of the Platform and Services, provided, however, that no Customer-only statistics will be disclosed to third parties without Customer's consent.

7.3 Feedback. Customer hereby grants Drata a perpetual, irrevocable, royalty-free and fully paid right to use and otherwise exploit in any manner any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer related to the Drata Technology, including for the purpose of improving and enhancing the Platform and the Services; provided that Customer is not referenced in such use.

7.4 Publicity. Drata may use Customer's name and Customer Marks in its Customer list (including on Drata's website, social media and in sales and marketing materials) in the same manner in which it uses the names of its other customers. Drata shall use Customer Marks in accordance with Customer's applicable branding guidelines and Drata may not use Customer's name in any other way without Customer's prior written consent (with email consent deemed sufficient).

8. WARRANTIES; DISCLAIMERS.

8.1 Drata Limited Warranty. Drata represents and warrants that:

(a) the Services will be performed consistent with generally accepted industry practices; and

(b) the Platform will perform in accordance with the service levels set forth on Exhibit A.

Customer must report any deficiencies in the performance of the above warranties to Drata in writing within thirty (30) days of the non-conformance. Provided the Customer has complied with the foregoing, for any breach of the above warranties, Customer's exclusive remedy, and Drata's entire liability, will be the re-performance of the Services and if Drata fails to re-perform the Services as warranted, Customer's sole and exclusive remedy shall be to terminate this Agreement and receive a refund of any pre-paid but unearned Fees prorated on a monthly basis for the remainder of the term of the applicable Order Form.

8.2 Customer Warranty. Customer represents and warrants that:

(a) it has procured all applicable consents required to provide the Customer Content to Drata for the performance of the Services, including in accordance with Section 2.4 and all Applicable Privacy Laws;

(b) the Customer Content will not: (a) infringe or misappropriate any third party's Intellectual Property Rights; (b) be deceptive, defamatory, obscene, pornographic or unlawful; (c) contain any viruses, worms or other malicious computer programming codes intended to damage Drata's Technology; and (d) otherwise violate the rights of a third party (including under all Applicable Privacy Laws); and

(c) neither Customer, nor any of its Authorized Users, shall upload to the Platform any Customer Content that contains any sensitive personal information (such as financial, medical or other sensitive personal information such as government IDs, passport numbers or social security numbers).

Customer agrees that any use of the Drata Technology contrary to or in violation of the representations and warranties of Customer in this Section 8.2 constitutes unauthorized and improper use of the Drata Technology.

8.3 Third-Party Integrations. In order to provide the Services, the Platform integrates with certain third-party websites and applications ("Third-Party Services"). Customer is responsible for enabling the integration of each Third-Party Service and by doing so, Customer acknowledges that it is instructing Drata to share the Customer Content (including, to the extent necessary, any Personal Data) with the providers of such Third-Party Services in order to facilitate the integration. Customer is responsible for notifying such Third-Party Services provider of the integration. Such Third-Party Services are not under the control of Drata and Drata is not responsible for any Third-Party Services. Customer's use of the Third-Party Services is governed by the Customer's agreement with, and all applicable terms and policies including privacy and data gather practices of, providers of the Third-Party Services. Customer acknowledges and agrees that, for the purposes of Applicable Privacy Laws, each of Drata and the Third-Party Services providers are not processors or subprocessors of Personal Data with respect to each other.

8.4 DISCLAIMERS.

(a) TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM AND THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" AND DRATA AND ITS LICENSORS MAKE NO REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, ORAL, STATUTORY, EXPRESS, IMPLIED, BY COURSE OF COMMUNICATION OR DEALING, OR OTHERWISE. EXCEPT AS SPECIFIED IN SECTION 8.1, DRATA AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL OTHER WARRANTIES, INCLUDING WITH RESPECT TO TITLE, MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR ANY PARTICULAR PURPOSE OF THE DRATA TECHNOLOGY, THE REPORTS AND ANY OTHER PRODUCT OR SERVICES FURNISHED UNDER THIS AGREEMENT. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, DRATA DOES NOT WARRANT THAT THE PLATFORM IS ERROR-FREE OR THAT THE PLATFORM OR THE SERVICES WILL OPERATE WITHOUT INTERRUPTION, THAT THE REPORTS WILL BE ACCURATE AND DRATA GRANTS NO WARRANTY REGARDING THE USE BY CUSTOMER OF THE PLATFORM OR SERVICES. THE DRATA TECHNOLOGY MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. DRATA IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES OR OTHER DAMAGES RESULTING FROM SUCH PROBLEMS.

(b) CUSTOMER ACKNOWLEDGES AND AGREES THAT DRATA IS NOT LIABLE, AND CUSTOMER AGREES NOT TO SEEK TO HOLD DRATA LIABLE, FOR THE CONDUCT OF THIRD PARTIES, INCLUDING PROVIDERS OF THE THIRD-PARTY SERVICES, AND THAT THE RISK OF INJURY FROM SUCH THIRD-PARTY SERVICES RESTS ENTIRELY WITH CUSTOMER.

(c) FROM TIME TO TIME, DRATA MAY OFFER NEW "BETA" FEATURES OR TOOLS WITH WHICH CUSTOMER MAY EXPERIMENT. SUCH FEATURES OR TOOLS ARE OFFERED SOLELY FOR EXPERIMENTAL PURPOSES AND WITHOUT ANY WARRANTY OF ANY KIND, AND MAY BE MODIFIED OR DISCONTINUED AT DRATA'S SOLE DISCRETION. THE PROVISIONS OF THIS SECTION APPLY WITH FULL FORCE TO SUCH FEATURES OR TOOLS.

(d) CUSTOMER ACKNOWLEDGES AND AGREES THAT THE SERVICES AND THE REPORTS PROVIDED BY DRATA TO CUSTOMER ARE INTENDED AS RECOMMENDATIONS ONLY AND DO NOT CONSTITUTE ANY WARRANTY OR GUARANTY THAT CUSTOMER, BY FOLLOWING SUCH RECOMMENDATIONS, WILL BE FULLY COMPLIANT WITH ANY APPLICABLE STANDARDS CONTEMPLATED BY THE SERVICES. CUSTOMER ACKNOWLEDGES AND AGREES THAT IT IS SOLELY CUSTOMER'S RESPONSIBILITY TO ENSURE THAT IT COMPLIES WITH ALL SUCH APPLICABLE STANDARDS.

9. INDEMNIFICATION

9.1 By Drata. Drata will defend at its expense any suit brought against Customer, and will pay any settlement Drata makes or approves, or any damages finally awarded in such suit, insofar as such suit is based on a claim by any third party alleging that the Platform or the Services infringes such third party's patents, copyrights or trade secret rights under applicable laws of any jurisdiction within the United States of America. If any portion of the Platform or Services becomes, or in Drata's opinion is likely to become, the subject of a claim of infringement ("Infringing Technology"), Drata may, at Drata's option: (a) procure for Customer the right to continue using the Infringing Technology; (b) replace the Infringing Technology with non-infringing software or services which do not materially impair the functionality of the Platform or Services; (c) modify the Infringing Technology so that it becomes non-infringing; or (d) terminate this Agreement and refund any unused prepaid Fees for the remainder of the term then in effect, and upon such termination, Customer will immediately cease all use of the Drata Technology. Notwithstanding the foregoing, Drata will have no obligation under this section or otherwise with respect to any infringement claim based upon: (i) any use of the Platform or Services not in accordance with this Agreement or as specified in the Documentation; (ii) any use of the Platform or Services in combination with other products, equipment, software or data not supplied by Drata; or (iii) any modification of the Platform or Services by any person other than Drata or its authorized agents (collectively, the "Exclusions" and each, an "Exclusion"). This section states the sole and exclusive remedy of Customer and the entire liability of Drata, or any of the officers, directors, employees, shareholders, contractors or representatives of the foregoing, for infringement claims and actions.

9.2 By Customer. Customer will defend at its expense any suit brought against Drata, and will pay any settlement Customer makes or approves, or any damages finally awarded in such suit, insofar as such suit is based on a claim arising out of or relating to: (a) an Exclusion, or (b) Customer's breach or alleged breach of Sections 6.2 and 8.2. This section states the sole and exclusive remedy of Drata and the entire liability of Customer, or any of its officers, directors, employees, shareholders, contractors or representatives, for the claims and actions described herein.

9.3 Procedure. The indemnifying Party's obligations as set forth above are expressly conditioned upon each of the foregoing: (a) the indemnified Party promptly notifying the indemnifying Party in writing of any threatened or actual claim or suit; (b) the indemnifying Party having sole control of the defense or settlement of any claim or suit; and (c) the indemnified Party cooperating with the indemnifying Party to facilitate the settlement or defense of any claim or suit.

10. LIMITATION OF LIABILITY.

10.1 Types of Damages. NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY NOR TO ANY THIRD PARTIES FOR LOST PROFITS OR LOST DATA OR FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, RELIANCE OR PUNITIVE LOSSES OR DAMAGES HOWSOEVER ARISING UNDER THIS AGREEMENT OR IN CONNECTION WITH THE DRATA TECHNOLOGY, WHETHER UNDER CONTRACT, TORT OR OTHERWISE, WHETHER FORESEEABLE OR NOT AND REGARDLESS WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY THAT SUCH DAMAGES MAY ARISE, OCCUR OR RESULT. IN NO EVENT SHALL DRATA BE LIABLE FOR PROCUREMENT COSTS OF SUBSTITUTE PRODUCTS OR SERVICES.

10.2 Amount of Damages. DRATA'S AGGREGATE CUMULATIVE LIABILITY FOR DAMAGES FOR SERVICES PERFORMED WILL IN NO EVENT EXCEED THE AMOUNT OF FEES PAID BY CUSTOMER UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

10.3 Basis of the Bargain. THESE LIMITATIONS OF LIABILITY WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. THE PARTIES ACKNOWLEDGE THAT THE PRICES HAVE BEEN SET AND THE AGREEMENT ENTERED INTO IN RELIANCE UPON THESE LIMITATIONS OF LIABILITY AND THAT ALL SUCH LIMITATIONS FORM AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES. THE PROVISIONS OF THIS AGREEMENT ALLOCATE THE RISKS UNDER THIS AGREEMENT BETWEEN DRATA AND CUSTOMER. DRATA'S FEES FOR THE SERVICES REFLECTS THIS ALLOCATION OF RISK AND THE LIMITATION OF LIABILITY SPECIFIED HEREIN.

10.4 Exclusions. THESE LIMITATIONS OF LIABILITY DO NOT APPLY TO: (A) A BREACH BY A PARTY OF SECTIONS 2 OR 5; (B) CUSTOMER'S OBLIGATIONS UNDER SECTION 8.2; OR (C) ANY DEATH OR PERSONAL INJURY CAUSED BY EITHER PARTY'S NEGLIGENCE, GROSS NEGLIGENCE, OR WILLFUL MISCONDUCT.

11. GENERAL PROVISIONS.

11.1 Relationship Between the Parties. Drata is an independent contractor; nothing in this Agreement will be construed to create a partnership, joint venture, or agency relationship between the Parties. Customer will not have, and will not represent to any third party that it has, any authority to act on behalf of Drata. Each Party will be solely responsible for payment of all compensation owed to its employees, as well as employment related taxes. Each Party will maintain appropriate worker's compensation insurance for its employees as well as general liability insurance.

11.2 Injunctive Relief. Customer acknowledges that the Platform and the Services contain valuable Intellectual Property Rights and proprietary information of Drata, that any actual or threatened breach of Sections 2 or 5 will constitute immediate, irreparable harm to Drata for which monetary damages would be an inadequate remedy, and that injunctive relief is an appropriate remedy for such breach. If Customer continues to use the Platform or the Services after its right to do so has terminated or expired, Drata will be entitled to immediate injunctive relief without the requirement of posting bond.

11.3 Export and Import Laws. Customer agrees not to use, export, re-export, or transfer, directly or indirectly, any U.S. technical data acquired from Drata, or any products utilizing such data, in violation of the United States export laws or regulations. Further, each Party agrees to comply with all relevant export laws and regulations of the United States and the country or territory in which the Services are provided ("Export Laws") to assure that neither any deliverable, if any, nor any direct product thereof is (1) exported, directly or indirectly, in violation of Export Laws or (2) intended to be used for any purposes prohibited by the Export Laws, including without limitation nuclear, chemical, or biological weapons proliferation. Customer further represents that (i) Customer is not located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a "terrorist supporting" country and (ii) Customer is not listed on any U.S. Government list of prohibited or restricted parties. Customer acknowledges and agrees that products, services or technology provided by Drata are subject to the export control laws and regulations of the United States, agrees to comply with these laws and regulations, and agrees that it shall not, without prior U.S. government authorization, export, re-export, or transfer Drata products, services or technology, either directly or indirectly, to any country in violation of such laws and regulations.

11.4 Anti-Bribery. Neither the Customer nor any of its Personnel, directors, affiliates or officers or any other person acting on their behalf has directly or indirectly made any bribes, rebates, payoffs, influence payments, kickbacks, illegal payments, illegal political contributions, or other payments, in the form of cash, gifts, or otherwise, or taken any other action, in violation of the Foreign Corrupt Practices Act of 1977, the UK Bribery Act of 2010 or any other anti-bribery or anti-corruption Law (collectively, the "Anti-Bribery Laws"). The Customer is not, and has not been, the subject of any investigation or inquiry by any governmental body with respect to potential violations of Anti-Bribery Laws. Customer shall immediately notify Drata of any breach, suspected breach of, or any investigation into the suspected breach of, the Anti-Bribery Laws by it or any of the aforementioned persons and, upon such notice, Drata may, in its discretion, immediately terminate this Agreement.

11.5 Assignment. Neither Party may assign or transfer its rights or obligations under this Agreement without the prior written consent of the other Party, and any assignment or transfer in derogation of the foregoing shall be null and void, provided, however that either Party shall have the right to assign the Agreement, without the prior written consent of the other Party, to the successor entity in the event of merger, corporate reorganization or a sale of all or substantially all of such Party's assets. This Agreement shall be binding upon the Parties and their respective successors and permitted assigns.

11.6 Notices. All notices required or permitted under this Agreement must be delivered in writing, if to Drata, by emailing support@drata.com and if to Customer by emailing the Customer Point of Contact email address listed on the Order Form, provided, however, that with respect to any notices relating to breaches of this Agreement or termination, a copy of such notice will also be sent in writing to the other Party at the Party's address as listed on the Order Form by courier, by certified or registered mail (postage prepaid and return receipt requested), or by a nationally-recognized express mail service. Each Party may change its email address and/or address for receipt of notice by giving notice of such change to the other Party.

11.7 Governing Law. The Agreement is governed by the laws of the State of California, without regard to its conflicts of laws or provisions and this Agreement shall not be governed or affected by any version of the Uniform Computer Information Transactions Act enacted in any jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement. The prevailing Party in any action to enforce this Agreement shall be entitled to recover attorneys' fees, court costs, and other collection expenses. Any action or proceeding arising from or relating to this Agreement will be brought in a federal court in the County of San Francisco and each Party irrevocably submits to the jurisdiction and venue of any such court in any such action or proceeding. Notwithstanding the foregoing, nothing shall prevent either Party from seeking relief in any court of competent jurisdiction for any misuse or misappropriating of such Party's Intellectual Property Rights or Confidential Information.

11.8 Waivers; Severability. Any waivers shall be effective only if made by writing signed by representatives authorized to bind the Parties. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. If any provision of this Agreement is unenforceable, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect. Without limiting the generality of the foregoing, Customer agrees that Section 10 will remain in effect notwithstanding the unenforceability of any provision in Sections 8 and 9.

11.9 Construction. The headings of Sections of this Agreement are for convenience and are not to be used in interpreting this Agreement. As used in this Agreement, the word "including" means "including but not limited to."

11.10 Force Majeure. Any delay in the performance of any duties or obligations of either Party (except for the obligation to pay Fees owed) will not be considered a breach of this Agreement if such delay is caused by a labor dispute, shortage of materials, war, fire, earthquake, typhoon, flood, natural disasters, governmental action, pandemic/epidemic, cloud-service provider outages any other event beyond the control of such Party, provided that such Party uses reasonable efforts, under the circumstances, to notify the other Party of the circumstances causing the delay and to resume performance as soon as possible.

11.11 Entire Agreement; Amendment. This Agreement and any applicable Order Form constitutes the complete agreement between the Parties and supersedes all previous and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter of this Agreement. To the extent that a conflict arises between the terms and conditions of an Order Form or SOW and the terms of this Agreement, the terms and conditions of this Agreement will govern, except to the extent that the Order Form or SOW, as applicable, expressly states that it supersedes specific language in the Agreement. It is expressly agreed that the terms and conditions of this Agreement and any Order Form supersede the terms any of Customer's purchase order. Neither this Agreement nor an Order Form may be modified or amended except in writing signed by a duly authorized representative of each Party; no other act, document, usage, or custom will be deemed to amend or modify this Agreement or an Order Form.

11.12 U.S. Government Restricted Rights. If Customer is a government end user, then this provision also applies to Customer. The software contained within the Platform and the Services and provided in connection with this Agreement has been developed entirely at private expense, as defined in FAR section 2.101, DFARS section 252.227-7014(a)(1) and DFARS section 252.227- 7015 (or any equivalent or subsequent agency regulation thereof), and is provided as "commercial items," "commercial computer software" and/or "commercial computer software documentation." Consistent with DFARS section 227.7202 and FAR section 12.212, and to the extent required under U.S. federal law, the minimum restricted rights as set forth in FAR section 52.227-19 (or any equivalent or subsequent agency regulation thereof), any use, modification, reproduction, release, performance, display, disclosure or distribution thereof by or for the U.S. Government shall be governed solely by this Agreement and shall be prohibited except to the extent expressly permitted by this Agreement.