EMAIL SECURITY PRODUCT ADDENDUM

This Email Security Product Addendum (this “Addendum”) supplements and amends the Master Subscription Agreement (the “MSA”) between TeamGuard AI, Inc. d/b/a Adaptive Security (“Adaptive”) and the Customer identified on the applicable Adaptive Order Form, on behalf of itself, its Affiliates, and its Authorized Users (collectively, the “Customer”). Capitalized terms not defined herein have the meanings given in the MSA. In the event of any conflict between this Addendum and the MSA, this Addendum shall control.

1. Scope. This Addendum applies to Adaptive’s offering of email data security products and any Adaptive features or services that involve the automated scanning, analysis, or processing of Customer emails (collectively, the “Email Security Products”). Customer acknowledges that the Email Security Products involve the use of artificial intelligence and machine learning technology (collectively, “AI”).

2. Email Data Processing. Customer acknowledges and agrees that the Email Security Products will access and process emails sent to, from, or within Customer’s connected email environment, including incoming, outgoing, and internal emails (“Email Data”), including for the purposes of detecting, analyzing, and classifying, and seeking to remediate potential security threats and otherwise providing the Email Security Products. For the avoidance of doubt, Email Data constitutes Customer’s Confidential Information under the MSA and is subject to the confidentiality obligations set forth therein.

3. Data Use Rights. In addition to the rights granted under Section 2 of the MSA, Customer hereby grants Adaptive a non-exclusive, royalty-free, worldwide license to use Derived Data to:
   
   1. train, develop, and improve Adaptive’s internal AI models and algorithms;
   2. develop and maintain a global threat intelligence database to identify malicious patterns, sender behaviors, and attack techniques across Adaptive’s customer base; and
   3. improve, enhance, and develop Adaptive’s products and services, including Adaptive’s Platform, systems, tools, general threat intelligence, detection efficacy, protection against emerging threats, Email Security Products, and future security offerings.

‍

For the avoidance of doubt, the license granted in this Section 3 does not extend to Raw Email Data (including email bodies, attachments, or metadata identifying individuals). Adaptive’s use of Raw Email Data is limited solely to providing and supporting the Email Security Products as described in Section 2 and Section 4, and subject to the retention limits in Section 6.

“Derived Data” means any data generated by Adaptive's processing of Email Data — including but not limited to statistical outputs (e.g., word counts or keyword frequency), classifications and scores, intent-based signals (e.g., tone, urgency, or threat indicators), and other structured metadata (e.g., timestamps or file and link characteristics) — provided that such data does not identify Customer or any individual and cannot reasonably be used to identify Customer or any individual, or to reconstruct the underlying Email Data. For avoidance of doubt, Derived Data is not considered Customer Information.

“Malicious Email Data” means Email Data that Adaptive (or the Email Security Products) identifies or reasonably suspects to be malicious, suspicious, fraudulent, or otherwise potentially harmful, including phishing, malware, business email compromise, social engineering, and similar attacks. 

“Raw Email Data” means unprocessed Email Data (excluding Malicious Email Data), including email bodies, headers, metadata, and attachments, prior to aggregation, anonymization, or derivation.

4. Malicious Email Use for Security and Improvement. 
   
   1. Customer acknowledges and agrees that Adaptive may retain, analyze, review, annotate, and otherwise process and use Malicious Email Data as necessary to detect, investigate, remediate, and prevent security threats, and to improve Adaptive’s detection capabilities, including training, developing, and improving Adaptive’s internal AI models and algorithms, and developing threat intelligence, in each case subject to Section 5 of this Addendum.
   2. To the extent any Malicious Email is subsequently confirmed to be legitimate and not malicious by Adaptive or by Customer via marking the email as Safe using in-product administration tools Adaptive shall treat such email as Email Data and Raw Email Data (as appropriate) and restrict such email from any uses not otherwise provided for herein. Adaptive will use commercially reasonable efforts to implement such changes to such email classifications within thirty (30) days.

‍

5. Data Safeguards. 
   
   1. When exercising the rights granted under this Addendum, Adaptive shall:
      
      1. implement commercially reasonable technical and organizational measures to protect Email Data, including encryption in transit and at rest;
      2. not sell Email Data to third parties;
      3. when using third-party large language model providers, use only services that do not retain Customer data for training purposes (i.e., “zero data retention” providers);
      4. not use Raw Email Data (including email bodies and attachments) for training AI models, except as expressly permitted for Malicious Email Data under Section 4, or as otherwise instructed by Customer pursuant to customer-specific AI model offerings from Adaptive;
      5. limit internal access to Raw Email Data to personnel with a need-to-know basis for providing and supporting the Email Security Products.
         ‍
   2. Adaptive may use service providers (including hosting, observability, security operations, and support providers) to process Email Data solely to provide and improve the Email Security Products, subject to the terms of this Addendum.

‍

6. Data Retention.
   
   1. ‍Derived Data. Adaptive may retain Derived Data after the expiration or termination of the Agreement, subject to applicable Data Protection Laws. 
   2. ‍Raw Email Data. Adaptive will delete or de-identify Raw Email Data (including email bodies and attachments, but excluding Malicious Email Data) within fourteen (14) days of processing, unless a longer retention period is required for (i) Adaptive’s customer-specific AI model services requested by Customer; (ii) an active security investigation, or (iii) by applicable law. During the retention period, Raw Email Data will be used solely to provide the Email Security Products and support active security investigations, in each case subject to Section 5 of this Addendum.
   3. ‍Malicious Email Data. Adaptive may retain Malicious Email Data for up to one hundred eighty (180) days following detection to support investigation and improvement of security detections. If Customer requests earlier deletion of specific Malicious Email Data, Adaptive will use commercially reasonable efforts to honor such request within thirty (30) days, except where retention is required by applicable law or an active security investigation.
   4. ‍Email Metadata. Adaptive may retain email metadata (e.g., sender/recipient addresses, timestamps, subject lines) for up to one hundred eighty (180) days for security analytics and threat intelligence purposes, after which it will be deleted or de-identified.

‍

7. Customer Data Deletion Rights.‍
   
   1. Deletion Requests. Customer may request deletion of its Raw Email Data and Malicious Email Data at any time by submitting a written request to Adaptive at the designated contact address (or such other method as Adaptive may provide).‍‍
   2. ‍Deletion Timeline. Adaptive will use commercially reasonable efforts to delete the requested data within thirty (30) days of receiving the request, and will provide written confirmation of deletion upon completion.‍
   3. Exceptions. Adaptive is not required to delete data to the extent that retention is: (i) required by applicable law, regulation, or legal process; (ii) necessary for an active, documented security investigation; or (iii) technically infeasible (e.g., data already incorporated into Derived Data). ‍
   4. Termination. Upon expiration or termination of the Agreement, Adaptive will delete all Raw Email Data and Malicious Email Data within sixty (60) days, subject to the exceptions in Section 7(c). ‍
      ‍
8. ‍Survival. The licenses granted in this Addendum shall survive termination or expiration of the Agreement solely with respect to Derived Data generated prior to such termination or expiration. 
   ‍
9. ‍General. Except as expressly modified by this Addendum, the MSA remains in full force and effect. In the event of any conflict or inconsistency between this Addendum and any other addendum, program terms, or supplemental agreement governing Customer's participation in alpha, beta, preview, or early access programs (including any Feature PreviewProgram Addendum), this Addendum shall control with respect to all matters relating to the provision, operation, and use of the Email Security Products, including any processing, use, retention, and deletion of data in connection therewith. This Addendum may be executed in counterparts.