Adaptive Master Subscription Agreement

ADAPTIVE SECURITY

‍

MASTER SUBSCRIPTION AGREEMENT

This Master Subscription Agreement (“MSA”) is entered into by and between TeamGuard AI, Inc. d/b/a Adaptive Security (“Adaptive”) and the individual or entity identified on the applicable Order Form (defined below) (“Customer”), on behalf of itself, its affiliates, and its employees and independent contractors that Customer has authorized to access the Platform (defined below) without executing their own separate Order Form (collectively, “Authorized Users”). Adaptive and Customer are each referred to herein as a “Party” and collectively as the “Parties.” This MSA is effective as of the date of the last signature on the first Order Form between the Parties (the “Effective Date”). This MSA, together with any order forms executed between the Parties (each, an “Order Form”) and any other documents between the Parties that incorporate this MSA, constitutes the “Agreement.”
‍

The Agreement governs Adaptive’s provision of and Customer’s access and use of Adaptive’s products, services, programs, and platforms identified in the applicable Order Form or otherwise provided by Adaptive to Customer under this Agreement (“Platform”). Each Order Form executed between the Parties is hereby incorporated by reference. In the event of any conflict or inconsistency between the terms of any Order Form and this MSA, the Order Form will control solely to the extent of the conflict or inconsistency. 
‍

1. Use of the Platform. 
   
   1. Customer shall not: 
      
      1. copy, modify, translate, or create derivative works of the Platform; 
      2. reverse engineer, decompile, disassemble or otherwise attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques, or algorithms of the Platform; 
      3. lend, lease, offer for sale, sell or otherwise use the Platform for the benefit of any third party or provide any third party except for Authorized Users with access to the Platform; 
      4. attempt to disrupt the integrity or performance of the Platform; 
      5. attempt to gain unauthorized access to the Platform or its related systems or networks; 
      6. use the Platform in a manner that violates this Agreement, any third-party rights, or any applicable laws; 
      7. use the Platform to harass, cause harm to, or violate the rights of a third party; or 
      8. access the Platform for purposes of benchmarking or competitive analysis, to build a competitive product or services, or to copy any ideas, features, functions, or graphics of the Platform. 
   2. Customer acknowledges and agrees that it is responsible for the use or misuse of the Platform by its Authorized Users. Any action taken or breach of this Agreement by an Authorized User will be deemed an action taken or a breach of this Agreement by Customer. Without limiting the foregoing, Customer is responsible for the proper care and use of Customer’s and its Authorized Users’ access credentials and responsible for any actions resulting from the use of Customer’s or its Authorized Users’ access credentials. Customer grants Adaptive permission for Adaptive to make modifications to its and its Authorized Users’ accounts on their behalf in order to operate the Platform and to maintain security, functionality, or compliance with applicable laws. Such modifications may include executing password change requests, modifying the roles and permissions of Authorized Users, and updating account information. 
      ‍
2. Customer Information. As between the Parties, Customer owns and shall retain all right, title, and interest, including all intellectual property rights, in and to all information, data, materials, works, expressions, or other content uploaded, submitted, or otherwise provided by or on behalf of Customer or any Authorized User for processing by or through the Platform, or collected or received by Adaptive for Customer pursuant to this Agreement, including all Customer Inputs and all derivative works thereof (collectively, “Customer Information”).
   ‍
3. Ownership, License, and Usage Rights.
   
   1. Adaptive Ownership of Platform. As between the Parties, Adaptive owns and shall retain all right, title and interest, including all intellectual property rights, in and to the Platform and all information, data, and materials embodied in or related to the Platform, excluding all Customer Information, subject to the license granted herein. All rights that Adaptive does not expressly grant to Customer in this Agreement are hereby reserved. Adaptive does not grant any ownership interest, or any right, title, or interest (whether express or implied) in or to the Platform or any information, data, and materials embodied in or related to the foregoing.
   2. License to Platform. Subject to the terms and conditions of this Agreement, Adaptive hereby grants to Customer during the Term a non-exclusive, non-transferable, non-assignable (except as otherwise stated herein) and non-sublicensable right and license, solely for Customer’s internal business purposes, (i) to access and use the Platform and (ii) to access and use any other products, services, or features identified in an applicable Order Form or otherwise made available by Adaptive to Customer under this Agreement, and to allow its Authorized Users to access and use the Platform for the foregoing purposes.
   3. Customer Inputs and Platform Outputs. In the course of using the Platform, Customer may upload content to be processed by the Platform in accordance with Customer’s instructions (“Customer Inputs”), and receive outputs generated and returned by the Platform using those Customer Inputs (“Platform Outputs”). Customer is solely responsible for its Customer Inputs and its use of the Platform Outputs and should review any Platform Outputs prior to its use and exercise its own business and legal judgment as to its suitability for use. 
   4. Platform Feedback. From time to time, Customer may make available to Adaptive, directly or indirectly, feedback, analysis, suggestions and/or comments related to the Platform (collectively, “Platform Feedback”). Customer hereby grants to Adaptive a perpetual, irrevocable, worldwide, transferable, sublicensable, royalty-free and fully-paid license to use such Platform Feedback to provide and improve the Platform without any compensation or credit to Customer.
      ‍
4. Platform Training and Support. Adaptive may provide commercially reasonable training and support in connection with the Platform, in its sole discretion. Any such training or support may be available via email to support@adaptivesecurity.com. Adaptive will respond to requests for training or support only from the Authorized Users.
   ‍
5. Fees; Payment Terms.
   
   1. Fees. Customer shall pay Adaptive the fees set forth in the applicable Order Form (“Fees”) in accordance with the payment terms in the applicable Order Form. Notwithstanding anything set forth herein, Customer acknowledges and agrees that upon signing an Order Form, all Fees will be non-cancellable and all Fee payments made to Adaptive will be non-refundable. Customer shall make all payments to Adaptive in United States Dollars (USD) unless otherwise agreed upon by the Parties in writing. Customer shall be solely responsible for any foreign exchange or currency conversion costs and fees incurred by Customer under this Agreement. Any Fees not paid when due will accrue interest at the rate of one-and-a-half percent (1.5%) of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid. If Customer’s unpaid invoices are referred to an attorney or collections agency, Customer shall pay all reasonable costs of collections, including attorney’s fees or collections agency fees actually incurred by Adaptive. 
   2. Taxes. All Fees are exclusive of any taxes, levies, duties, or similar governmental assessments, including sales, use, value-added, and withholding taxes (collectively, “Taxes”). Customer is responsible for all Taxes associated with its purchases under this Agreement, and if any deduction or withholding of Taxes from the Fees is required, Customer shall pay such additional amounts as are necessary to ensure Adaptive receives the full amount of the Fees; provided that Adaptive is solely responsible for Taxes based on its net income, property, and employees. If Adaptive has the legal obligation to collect Taxes for which Customer is responsible, Adaptive will invoice Customer for such amounts unless Customer provides a valid tax exemption certificate from the appropriate taxing authority.
      ‍
6. Confidentiality. “Confidential Information” means any information disclosed by one Party (the “Discloser”) to the other Party (the “Recipient”) that the Recipient knows or reasonably should know is confidential. With respect to Adaptive as the Discloser, Confidential Information includes all non-public specifications, documentation, or technical information provided by Adaptive to Customer or its Authorized Users. With respect to Customer as the Discloser, Confidential Information includes all Customer Information. Confidential Information does not include information that: (i) is or becomes publicly available through no fault of the Recipient; (ii) was known to the Recipient prior to disclosure, as established by documentary evidence; (iii) is received by the Recipient from a third party without breach of any confidentiality obligation; or (iv) is independently developed by the Recipient without use of the Discloser’s Confidential Information, as established by documentary evidence. The Recipient shall not use or disclose the Discloser’s Confidential Information except as necessary to exercise its rights or perform its obligations under this Agreement, and shall limit disclosure to its employees, contractors, bona fide potential investors, and prospective purchasers of a portion of or all of its assets or beneficial ownership interests, in each case who have a need to know and are bound by confidentiality obligations at least as protective as those in this Agreement. The Recipient shall be responsible for any breach of this Section by any such persons. Notwithstanding the foregoing, the Recipient may disclose Confidential Information to the extent required by applicable law, regulation, subpoena, or court order, provided that the Recipient (to the extent legally permitted) gives the Discloser prompt written notice prior to disclosure and limits such disclosure to the minimum extent necessary to comply with the applicable legal requirement.
   ‍
7. Data Security.‍
   
   1. Definitions.
      
      1. “Highly Sensitive Personal Information” means an (i) individual’s government-issued identification number (including Social Security number, driver’s license number, or state-issued identification number); (ii) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number, or password that would permit access to an individual’s financial account; (iii) biometric, genetic, health, medical, or medical insurance data; (iv) geolocation data; or (v) information regarding their racial or ethnic origin, religious beliefs, sex life or sexual orientation, union membership, or citizenship or immigration status. 
      2. “Personal Information” means information provided to Adaptive by or at the direction of Customer, information which is created or obtained by Adaptive on behalf of Customer, or information to which access was provided to Adaptive by or at the direction of Customer, in the course of Adaptive’s performance under this Agreement that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers); or (ii) can be used to identify or authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, user identification and account access credentials or passwords, financial account numbers, credit report information, student information, biometric, health, genetic, medical, or medical insurance data, answers to security questions, an individual’s internet activity or similar interaction history, inferences drawn from other personal information to create consumer profiles, geolocation data, an individual’s commercial, employment, or education history, and other personal characteristics and identifiers), in case of both subclauses (i) and (ii), including, without limitation, all Highly Sensitive Personal Information. Customer’s business contact information is not by itself deemed to be Personal Information.‍
      3. Standard of Care. Adaptive acknowledges and agrees that, in connection with this Agreement, Adaptive may create, receive, or have access to Personal Information. Adaptive shall comply with the terms and conditions set forth in this Agreement in its creation, collection, receipt, transmission, storage, disposal, use, and disclosure of such Personal Information and be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information under its control or in its possession by all authorized representatives of Adaptive. ‍
      4. Information Security. Adaptive represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Information does and will comply with all applicable federal, state, and foreign privacy and data protection laws, as well as all other applicable regulations and directives. To the extent Customer includes Personal Information, and unless otherwise agreed to, Adaptive shall retain, use, and disclose such Personal Information for the sole purposes specified in this Agreement. For the avoidance of doubt, Adaptive is a “service provider” (as such term is defined in the California Consumer Privacy Act (“CCPA”)). Adaptive will not “sell” or “share” (as such terms are defined in the CCPA) any Personal Information, use or disclose Customer’s Personal Information outside the business relationship with Customer, or combine Customer’s Personal Information with any personal information Adaptive receives from any other source, except as permitted by applicable laws. Customer has the right to take reasonable and appropriate steps to ensure that Adaptive uses Personal Information in a manner consistent with the Customer’s obligations under applicable laws, and to stop and remediate Adaptive’s unauthorized use of Personal Information. Adaptive will notify Customer if it makes a determination that it can no longer meet its obligations under applicable laws. Adaptive hereby certifies that it understands and shall comply with the restrictions set forth in this Agreement. Adaptive shall maintain commercially reasonable administrative, technical and physical safeguards that are (i) appropriate to the nature of Personal Information that it processes on behalf of Customer and (ii) designed to protect the security, confidentiality and integrity of Customer Information. In the event of any unauthorized acquisition, alteration, or disclosure of Customer’s Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under applicable laws, Adaptive shall notify Customer promptly and without undue delay.‍
      5. Sub-Processors. Customer hereby authorizes Adaptive to engage third-party entities to “process” (as such term is defined by applicable laws) Personal Information on behalf of and as specifically directed by Adaptive pursuant to a written contract that includes obligations that are at least as protective as those set out in this Section and as required by applicable laws.
         ‍

8. Security Awareness Training. If Customer purchases access through an Order Form to Adaptive's cybersecurity training and simulation products, including (i) features that provide for simulated cybersecurity incidents targeting Customer’s business and personnel as directed by Customer and its Authorized Users (e.g., phishing, vishing, and deepfake simulations) (“Cybersecurity Incident Simulations”); (ii) features that allow Customer to generate custom training modules; and (iii) features that enable Authorized Users to report suspected phishing or other suspicious emails through their email client, which routes such reported emails for classification as safe or malicious (“Phish Reporting Product,” and such features collectively, the “Security Awareness Training Products”), then this Section 8 applies to such access and use. Customer acknowledges that certain features of the Security Awareness Training Products involve the use of artificial intelligence and machine learning technology (collectively, “AI”). Except as otherwise set forth in this Agreement, by opting-in to receive or otherwise utilizing the Security Awareness Training Products on the Platform, Customer hereby authorizes Adaptive to access, process, retain, and use data generated through Customer’s and its Authorized Users’ use of the Security Awareness Training Products (including emails submitted by Authorized Users through the Phish Reporting Product), and any outputs or derivatives thereof, for purposes of providing the Platform to Customer and improving, enhancing, and developing Adaptive’s products and services, including the Platform, systems, tools, general threat intelligence, detection efficacy, protection against emerging threats, and future security offerings. Such data will be converted to data that has been aggregated and anonymized such that it is non-personally identifiable and cannot reasonably be associated with Customer or any Authorized User where reasonably practical (“Aggregated Anonymized Data”). For the avoidance of doubt, the foregoing license does not extend to any training materials, security policies, or other content uploaded by Customer to the Platform for Customer’s internal business purposes.
   ‍
9. Email Security Product. If Customer purchases access through an Order Form to Adaptive’s email data security products or any features or services that involve the automated scanning, analysis, or processing of Customer emails (such features, collectively, the “Email Security Product”), then this Section 9 applies to such access and use. In the event of any conflict between this Section 9 and any other provision of this Agreement with respect to Email Data, this Section 9 shall control. Customer acknowledges that the Email Security Product involves the use of artificial intelligence. The Email Security Product constitutes part of the Platform for all purposes under this Agreement. Adaptive hereby grants to Customer during the term of any applicable Order Form a non-exclusive, non-transferable, non-assignable (except as otherwise stated in this Agreement) and non-sublicensable right and license to access and use the Email Security Product for Customer’s internal business purposes, subject to any usage limits set forth in an applicable Order Form, including to enable those Authorized Users to whom Customer elects to provide access to use the Email Security Product (each such Authorized User, an “Email Security User”).‍
   
   1. Definitions. For purposes of this Section 9, the following definitions apply: “Derived Data” means any data generated by Adaptive’s processing of Email Data — including but not limited to statistical outputs (e.g., word counts or keyword frequency), vector embeddings, classifications and scores, intent-based signals (e.g., tone, urgency, or threat indicators), and other structured metadata (e.g., timestamps or file and link characteristics) — provided that such data does not identify Customer or any individual and cannot reasonably be used to identify Customer or any individual, or to reconstruct the underlying Email Data. For the avoidance of doubt, Derived Data is not Customer Information. “Email Metadata” means structured data about a user’s emails collected by the Email Security Product, including but not limited to: SMTP envelope data, email header fields (including subject lines), IP addresses, message routing paths, timestamps, authentication results (such as SPF, DKIM, and DMARC), and message technical specifications. Email Metadata does not include email body content or attachments. “Malicious Email Data” means Email Data that Adaptive (or the Email Security Product) identifies or reasonably suspects to be malicious, suspicious, fraudulent, or otherwise potentially harmful, including phishing, malware, business email compromise, social engineering, and similar attacks. “Raw Email Data” means unprocessed Email Data (excluding Malicious Email Data), including email bodies, headers, Email Metadata, and attachments, prior to aggregation, anonymization, or derivation.‍
   2. Email Data Processing. Customer acknowledges and agrees that the Email Security Product will access and process emails sent to, from, or within Customer’s connected email environment, including incoming, outgoing, and internal emails (“Email Data”), including for the purposes of detecting, analyzing, classifying, and seeking to remediate potential security threats and otherwise providing the Email Security Product. For the avoidance of doubt, Email Data constitutes Customer’s Confidential Information under this Agreement and is subject to the confidentiality obligations set forth herein.‍
   3. Data Use Rights. In addition to the rights granted to Adaptive under this Agreement with respect to Customer Information, Customer hereby grants Adaptive a non-exclusive, royalty-free, worldwide license to use Derived Data to: (i) train, develop, and improve Adaptive’s internal AI models and algorithms; (ii) develop and maintain a global threat intelligence database to identify malicious patterns, sender behaviors, and attack techniques across Adaptive’s customer base; and (iii) improve, enhance, and develop Adaptive’s products and services, including the Platform, systems, tools, general threat intelligence, detection efficacy, protection against emerging threats, and future security offerings. For the avoidance of doubt, the license granted in this Section 9.c does not extend to Raw Email Data (including email bodies, attachments, or metadata identifying individuals). Adaptive’s use of Raw Email Data is limited solely to providing and supporting the Email Security Product as described in Section 9.b and Section 9.d, and subject to the retention limits in Section 9.f.‍
   4. Malicious Email Use for Security and Improvement. (i) Customer acknowledges and agrees that Adaptive may retain, analyze, review, annotate, and otherwise process and use Malicious Email Data as necessary to detect, investigate, remediate, and prevent security threats, and to improve Adaptive’s detection capabilities, including training, developing, and improving Adaptive’s internal AI models and algorithms, and developing threat intelligence, in each case subject to Section 9.e of this Agreement. (ii) To the extent any malicious email is subsequently confirmed to be legitimate and not malicious by Customer via marking the email as “Safe” using settings in the Platform (“Re-Classified Email”), Adaptive shall treat such Re-Classified Email as Email Data and Raw Email Data (as appropriate) and restrict such Re-Classified Email from any uses not otherwise provided for herein. Adaptive will use commercially reasonable efforts to implement such changes to email classifications within sixty (60) days. Notwithstanding the foregoing, Customer may, at its sole discretion, elect to permit Adaptive to retain and use Re-Classified Email (including for the purposes described in Section 9.d(i)) by affirmatively opting in through settings in the Platform. Customer may withdraw such consent at any time through the same settings, and upon withdrawal, Adaptive will cease further use of such Re-Classified Email for purposes beyond those permitted for Email Data and Raw Email Data within sixty (60) days of such withdrawal.‍
   5. Data Safeguards. (i) When exercising the rights granted under this Section 9, Adaptive shall: (A) implement commercially reasonable technical and organizational measures to protect Email Data, including encryption in transit and at rest; (B) not sell Email Data to third parties; (C) when using third-party large language model providers, use only services that do not retain Customer data for training purposes (i.e., “zero data retention” providers); (D) not use Raw Email Data (including email bodies and attachments) for training AI models, except as expressly permitted for Malicious Email Data under Section 9.d, or as otherwise instructed by Customer pursuant to customer-specific AI model offerings from Adaptive; and (E) limit internal access to Raw Email Data to personnel with a need-to-know basis for providing and supporting the Email Security Product. (ii) Adaptive may use service providers (including hosting, observability, security operations, and support providers) to process Email Data solely to provide and improve the Email Security Product, subject to the terms of this Section 9.‍
   6. Data Retention. (i) Derived Data. Adaptive may retain Derived Data after the expiration or termination of this Agreement, subject to applicable data protection laws. (ii) Raw Email Data. Adaptive will delete or de-identify Raw Email Data (including email bodies and attachments, but excluding Malicious Email Data and Email Metadata) within fourteen (14) days of processing, unless a longer retention period is required for (A) Adaptive’s customer-specific AI model services requested by Customer; (B) an active security investigation; or (C) applicable law. During the retention period, Raw Email Data will be used solely to provide the Email Security Product and support active security investigations, in each case subject to Section 9.e of this Agreement. (iii) Malicious Email Data. Adaptive may retain Malicious Email Data for up to one hundred eighty (180) days following detection to support investigation and improvement of security detections. (iv) Email Metadata. Adaptive may retain Email Metadata for up to one hundred eighty (180) days for security analytics and threat intelligence purposes, after which it will be deleted or de-identified.‍
   7. Customer Data Deletion Rights. (i) Deletion Requests. Customer may request deletion of its Raw Email Data, Email Metadata, and/or Malicious Email Data at any time by submitting a written request to Adaptive at the designated contact address (or such other method as Adaptive may provide). (ii) Deletion Timeline. Adaptive will use commercially reasonable efforts to delete the requested data within thirty (30) days of receiving the request, and will provide written confirmation of deletion upon completion. (iii) Exceptions. Adaptive is not required to delete data to the extent that retention is: (A) required by applicable law, regulation, or legal process; (B) necessary for an active, documented security investigation; or (C) technically infeasible (e.g., data already incorporated into Derived Data). (iv) Termination. Upon expiration or termination of this Agreement, Adaptive will delete all Raw Email Data, Email Metadata, and Malicious Email Data within sixty (60) days, subject to the exceptions in Section 9.g(iii).‍
   8. Representations and Warranties. In addition to the representations and warranties set forth in Section 13, Customer represents, warrants, and covenants that: (i) it has obtained, and shall maintain throughout the term of the applicable Order Form, all rights, consents, and authorizations required under applicable laws to access and use the Email Security Product as contemplated by this Section 9, including Adaptive’s processing of any Email Data in connection therewith; (ii) it has the legal authority to collect, transmit, and make available Email Data to Adaptive as contemplated by this Agreement, including under all applicable privacy, data protection, and employment laws, rules and regulations; (iii) it is solely responsible for providing all required notices to, and obtaining all required consents from, its Email Security Users regarding Customer’s use of the Email Security Product, including the collection and transmission of Email Data; and (iv) its use of the Email Security Product shall comply with all applicable laws in each jurisdiction in which the Email Security Product is used or deployed.‍
   9. Warranty Disclaimer. CUSTOMER ACKNOWLEDGES AND AGREES THAT CERTAIN FEATURES OF THE EMAIL SECURITY PRODUCT RELY ON AUTOMATED DETECTION METHODOLOGIES, INCLUDING AI-BASED CLASSIFICATION AND RISK SCORING, WHICH MAY PRODUCE FALSE POSITIVES (E.G., INCORRECTLY IDENTIFYING A COMMUNICATION AS MALICIOUS) OR FALSE NEGATIVES (E.G., FAILING TO IDENTIFY A COMMUNICATION AS MALICIOUS). ADAPTIVE SHALL NOT BE LIABLE FOR ANY LOSSES ARISING OUT OF OR RELATED TO (I) ANY FALSE POSITIVE OR FALSE NEGATIVE, OR (II) ANY FAILURE OF THE PLATFORM TO DETECT, PREVENT, OR REMEDIATE ANY SECURITY THREAT, MALICIOUS COMMUNICATION, OR DATA EXPOSURE.‍
   10. Indemnification. In addition to the indemnification obligations set forth in Section 16, Customer shall indemnify, defend, and hold harmless Adaptive and its affiliates, and each of their respective officers, directors, consultants, contractors, agents, attorneys, and employees from and against all Losses (defined below) arising out of any Action (defined below) resulting from: (i) Customer’s breach of its representations, warranties or covenants in Section 9.h; or (ii) Customer’s use of the Email Security Product.
       ‍

10. AI Governance Products. If Customer purchases access through an Order Form to Adaptive’s AI governance products, including Adaptive’s browser extension that permits IT administration and monitors web activity for security risks and unauthorized interactions with tools, as well as any accompanying administrative portal, dashboards, and reporting features, or any features or services that involve the automated scanning, analysis, or processing of Customer’s browser activity data (such features, collectively, the “AI Governance Products”), then this Section 10 applies to such access and use. In the event of any conflict between this Section 10 and any other provision of this Agreement with respect to Browser Data, this Section 10 shall control. Customer acknowledges that the AI Governance Products involve the use of artificial intelligence and machine learning technology. The AI Governance Products constitute part of the Platform for all purposes under this Agreement. Adaptive hereby grants to Customer during the term of any applicable Order Form a non-exclusive, non-transferable, non-assignable (except as otherwise stated in this Agreement) and non-sublicensable right and license to access and use the AI Governance Products for Customer’s internal business purposes, subject to any usage limits set forth in an applicable Order Form, including (i) to deploy and enable the AI Governance Products on the devices of those Authorized Users whose web browsing activity Customer elects to monitor (each such Authorized User, an “AI Governance User”) and enable such AI Governance Users to access and use the AI Governance Products deployed on their devices; and (ii) to designate AI Governance Users to access and use the administrative portal, dashboards, and reporting features of the AI Governance Products to monitor web browsing activity for security risks, detect and manage unauthorized application usage, and monitor and enforce policies governing interactions with tools.‍
    
    1. Definitions. For purposes of this Section 10, the following definitions apply: “Derived Data” means any data generated by Adaptive through processing, analysis, or transformation of Customer Information, including but not limited to: de-identified Browser Metadata, risk signals, classification labels, sensitivity scores, threat intelligence, de-identified usage patterns, and plain-language risk summaries. Derived Data reflects Adaptive’s analytical output in a de-identified manner and does not include Raw Browser Data or Browser Metadata in unprocessed form. For the avoidance of doubt, Derived Data is not Customer Information. “Browser Metadata” means structured, non-content data collected by the AI Governance Products about a user’s browsing session, including but not limited to: page-level metadata, navigation and referral data, file transfer event data, and device context. Browser Metadata does not include the substantive content of web pages, user inputs, or files. “Raw Browser Data” means unprocessed Browser Data, prior to aggregation, anonymization, or derivation.‍
    2. Browser Data Processing. Customer acknowledges and agrees that the AI Governance Products will access and process data sent to, from, or within Customer’s web browsing environment, including downloaded and uploaded data, website information, website interactions, browser information, browser plugins, browser settings information, device information, and other information related to use of the applicable browser (collectively, “Browser Data”), for the purpose of providing the AI Governance Products, which may include, but not be limited to, detecting, analyzing, classifying, and seeking to remediate potential security threats. For the avoidance of doubt, Browser Data constitutes Customer’s Confidential Information under this Agreement and is subject to the confidentiality obligations set forth herein.‍
    3. Data Use Rights. In addition to the rights granted to Adaptive under this Agreement with respect to Customer Information, Customer hereby grants Adaptive a non-exclusive, royalty-free, worldwide license to use Derived Data to improve, enhance, and develop Adaptive’s products and services, including the Platform, systems, tools, general threat intelligence and global threat intelligence database, detection efficacy, protection against emerging threats, and future security offerings. For the avoidance of doubt, the license granted in this Section 10.c does not extend to Raw Browser Data. Adaptive’s use of Raw Browser Data is limited solely to providing and supporting the AI Governance Products as described in Section 10.b, and subject to the retention limits in Section 10.f.‍
    4. Browser Metadata Use for Security and Improvement. Customer acknowledges and agrees that Adaptive may retain, analyze, review, annotate, and otherwise process and use Browser Metadata as necessary to detect, investigate, remediate, and prevent security threats, and to improve Adaptive’s detection capabilities, and developing threat intelligence, in each case subject to Section 10.e of this Agreement.
    5. ‍Data Safeguards. (i) When exercising the rights granted under this Section 10, Adaptive shall: (A) implement commercially reasonable technical and organizational measures to protect Browser Data, including encryption in transit and at rest; (B) not sell Browser Data to third parties; (C) when using third-party large language model providers, use only services that do not retain Customer data for training purposes (i.e., “zero data retention” providers); (D) not use Raw Browser Data for training AI models, except as instructed by Customer pursuant to customer-specific AI model offerings from Adaptive; and (E) limit internal access to Raw Browser Data to personnel with a need-to-know basis for providing and supporting the AI Governance Products. (ii) Adaptive may use service providers (including hosting, observability, security operations, and support providers) to process Browser Data solely to provide and improve the AI Governance Products, subject to the terms of this Section 10.‍
    6. Data Retention. (i) Derived Data. Adaptive may retain Derived Data after the expiration or termination of this Agreement, subject to applicable laws. (ii) Raw Browser Data. Unless otherwise directed in writing or via the Customer account settings by Customer to retain for a longer period, Adaptive will delete or de-identify Raw Browser Data on a transient basis following processing, unless a longer retention period is required for (A) Adaptive’s customer-specific AI model services requested by Customer; (B) an active security investigation; or (C) applicable law. During the retention period, Raw Browser Data will be used solely to provide the AI Governance Products and support active security investigations, in each case subject to Section 10.e of this Agreement. (iii) Browser Metadata. Unless otherwise directed by Customer, and subject to Section 10.g of this Agreement, Adaptive may retain Browser Metadata for the term of the applicable Order Form to provide the AI Governance Products, support active security investigations, and as otherwise provided in this Section 10.‍
    7. Customer Data Deletion Rights. (i) Deletion Requests. Customer may request deletion of its Raw Browser Data or Browser Metadata at any time by submitting a written request to Adaptive at the designated contact address (or such other method as Adaptive may provide). (ii) Deletion Timeline. Adaptive will use commercially reasonable efforts to delete the requested data within thirty (30) days of receiving the request, and will provide written confirmation of deletion upon completion. (iii) Exceptions. Adaptive is not required to delete data to the extent that retention is: (A) required by applicable law, regulation, or legal process; (B) necessary for an active, documented security investigation; or (C) technically infeasible (e.g., data already incorporated into Derived Data). (iv) Termination. Upon expiration or termination of this Agreement, Adaptive will delete all Raw Browser Data and Browser Metadata within sixty (60) days, subject to the exceptions in Section 10.g(iii).‍
    8. Representations and Warranties. In addition to the representations and warranties set forth in Section 13, Customer represents, warrants, and covenants that: (i) it has obtained, and shall maintain throughout the term of the applicable Order Form, all rights, consents, and authorizations required under applicable laws to access, deploy, and use the AI Governance Products as contemplated by this Section 10, including Adaptive’s processing of any Browser Data in connection therewith; (ii) it has the legal authority to collect, transmit, and make available Browser Data to Adaptive as contemplated by this Agreement, including under all applicable privacy, data protection, and employment laws, rules and regulations; (iii) it is solely responsible for providing all required notices to, and obtaining all required consents from, its AI Governance Users regarding Customer’s use of the AI Governance Products, including the collection and transmission of Browser Data; and (iv) its use of the AI Governance Products shall comply with all applicable laws in each jurisdiction in which the AI Governance Products are used or deployed.‍
    9. Warranty Disclaimer. CUSTOMER ACKNOWLEDGES AND AGREES THAT: (I) THE AI GOVERNANCE PRODUCTS RELY ON AUTOMATED DETECTION METHODOLOGIES, INCLUDING AI-BASED CLASSIFICATION AND RISK SCORING, WHICH MAY PRODUCE FALSE POSITIVES (E.G., INCORRECTLY IDENTIFYING ACTIVITY AS A SECURITY RISK) OR FALSE NEGATIVES (E.G., FAILING TO IDENTIFY ACTUAL SECURITY RISKS); (II) PLATFORM OUTPUTS GENERATED BY THE AI GOVERNANCE PRODUCTS ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND DO NOT CONSTITUTE LEGAL, COMPLIANCE, OR EMPLOYMENT ADVICE; AND (III) CUSTOMER IS SOLELY RESPONSIBLE FOR REVIEWING AND EVALUATING ALL PLATFORM OUTPUTS PRIOR TO TAKING ANY ACTION BASED THEREON, INCLUDING ANY EMPLOYMENT, DISCIPLINARY, OR ACCESS-RELATED DECISIONS. ADAPTIVE SHALL NOT BE LIABLE FOR ANY LOSSES ARISING OUT OF OR RELATED TO (A) ANY FALSE POSITIVE OR FALSE NEGATIVE PLATFORM OUTPUT, (B) ANY ACTION TAKEN OR NOT TAKEN BY CUSTOMER OR ITS AI GOVERNANCE USERS IN RELIANCE ON PLATFORM OUTPUTS, OR (C) ANY FAILURE OF THE AI GOVERNANCE PRODUCTS TO DETECT, PREVENT, OR REMEDIATE ANY SECURITY THREAT, UNAUTHORIZED APPLICATION USAGE, OR DATA EXPOSURE.‍
    10. Indemnification. In addition to the indemnification obligations set forth in Section 16, Customer shall indemnify, defend, and hold harmless Adaptive and its affiliates, and each of their respective officers, directors, consultants, contractors, agents, attorneys, and employees from and against all Losses arising out of any Action resulting from: (i) Customer’s breach of its representations, warranties or covenants in Section 10.h; (ii) any claims by employees, contractors, or other AI Governance Users arising out of or relating to the AI Governance Products; (iii) Customer’s collection, transmission, or processing of Browser Data, including any claim that such collection, transmission, or processing violates applicable privacy, data protection, or employment laws, rules or regulations; or (iv) Customer’s use of the AI Governance Products.
        ‍

11. Platform and Product Availability. Adaptive shall use commercially reasonable efforts to make the Platform available to Customer during the Term, except for downtime due to: (i) scheduled maintenance; (ii) Force Majeure Events; (iii) internet and network issues between Adaptive and Customer; (iv) third-party service interruptions; (v) email or SMS delivery delays; (vi) misuse or unauthorized use of the Platform by Customer or its Authorized Users; (vii) Customer’s fraud, gross negligence, or willful misconduct; or (viii) Customer’s failure to comply with the terms and conditions of this Agreement. Customer acknowledges and agrees that the Adaptive SMS/Voice Phishing product is subject to network availability and restrictions imposed by the applicable telecommunication carrier(s), and that Adaptive shall not be liable for any unavailability of the SMS/Voice Phishing product resulting from disruptions to, or restrictions imposed by, the applicable telecommunication carrier network(s) or third-party service interruptions.
12. Term and Termination.‍
    
    1. Term. This Agreement will commence on the effective date of the first Order Form between Adaptive and Customer and continues until all Order Forms have expired or are terminated according to their terms (the “Term”).‍
    2. Termination. Either Party may terminate this Agreement or an individual Order Form upon thirty (30) days’ prior written notice to the other Party if the other Party is in material breach of this Agreement or an individual Order Form and the breaching Party fails to remedy the breach within such thirty (30)-day notice period.‍
    3. Suspension. Adaptive may, with prior written notice to Customer, suspend, limit, or restrict Customer’s and/or its Authorized Users’ access to the Platform, and restrict, disable, or quarantine Customer Information, if: (i) any amount due under this Agreement remains unpaid for more than fifteen (15) days after the due date; (ii) Customer or its Authorized Users use the Platform in violation of this Agreement; or (iii) Customer or its Authorized Users use the Platform in an unauthorized or fraudulent manner. Any such suspension shall not limit Adaptive’s right to terminate this Agreement pursuant to Section 12.b.‍
    4. Effect of Termination. Upon expiration or termination of this Agreement for any reason, the licenses granted to Customer in this Agreement will automatically terminate, Customer shall immediately cease all use of the Platform, and all Fees owed pursuant to Section 5 shall become immediately due and payable. Any usage by Customer of the Platform specified in an Order Form beyond the expiration or termination of the applicable Order Form shall be: (i) paid for by Customer at Adaptive’s standard monthly fees for such Platform; and (ii) subject to the terms and conditions of this Agreement. Any such continued use of the Platform after expiration of an Order Form shall not affect Adaptive’s right to discontinue or terminate the Platform at any time post-expiration.‍
    5. Survival. The provisions of Sections 1.a (“Use of the Platform”), 3.a (“Adaptive Ownership of Platform”), 3.d (“Platform Feedback”), 5 (“Fees; Payment Terms”), 6 (“Confidentiality”), 9.c (“Data Use Rights”) (solely with respect to Derived Data generated prior to expiration or termination), 9.f (“Data Retention”), 9.g (“Customer Data Deletion Rights”), 9.h (“Representations and Warranties”), 9.i (“Warranty Disclaimer”), 9.j (“Indemnification”), 10.c (“Data Use Rights”) (solely with respect to Derived Data generated prior to expiration or termination), 10.f (“Data Retention”), 10.g (“Customer Data Deletion Rights”), 10.h (“Representations and Warranties”), 10.i (“Warranty Disclaimer”), 10.j (“Indemnification”), 11.d (“Effect of Termination”), 11.e (“Survival”), 12 (“Representations and Warranties”), 13 (“Warranty Disclaimer”), 14 (“Limitation of Liability”), 15 (“Indemnification”), 16 (“Press Release; Publicity”), 17 (“Notices”), 18 (“Third-Party Interactions”), 19 (“Miscellaneous”) and any provisions that, by their nature or terms, are intended to survive the expiration or termination of this Agreement, along with all defined terms used in those provisions and sections, will survive the expiration or termination of this Agreement.
       ‍

13. Representations and Warranties.
    
    1. Mutual Representations and Warranties. Each Party represents and warrants that: (i) it is duly organized, validly existing, and in good standing under the laws and regulations of its jurisdiction of incorporation, organization or chartering; (ii) it has the full right, power, and authority to enter into this Agreement, to grant the rights and licenses granted hereunder, and to perform all of its obligations hereunder; (iii) the execution of this Agreement has been duly authorized by all necessary corporate or organizational action of the Party; (iv) when executed and delivered by both Parties, this Agreement will constitute the legal, valid and binding obligation of such Party, enforceable against such Party in accordance with its terms; and (v) it is in compliance with, and shall perform its obligations hereunder in compliance with all applicable laws.
    2. Customer Representations and Warranties. Customer represents, warrants, and covenants that: (i) it owns or otherwise has sufficient rights to the Customer Information to grant the rights and licenses set forth in this Agreement; (ii) its use of the Platform, including the initiation and administration of any Cybersecurity Incident Simulations, will comply with all applicable laws, rules, and regulations, including all applicable employment, privacy, data protection, telecommunications, anti-fraud, and consumer protection laws; (iii) it has obtained, and shall maintain throughout the Term, all necessary rights, consents, authorizations, and legal bases required under applicable laws to provide Customer Information (including Personal Information) to Adaptive and to authorize Adaptive’s processing of such Customer Information as contemplated by this Agreement, including under all applicable privacy, data protection, and employment laws, rules, and regulations; and (iv) it has the legal authority to collect, transmit, and make available Customer Information to Adaptive as contemplated by this Agreement.
    3. Customer Waiver of Claims. Customer hereby waives all claims against Adaptive resulting from Cybersecurity Incident Simulations, provided such Cybersecurity Incident Simulations are effected by Adaptive at the direction of Customer.
       ‍
14. Warranty Disclaimer. EXCEPT FOR THE REPRESENTATIONS AND WARRANTIES SET FORTH UNDER SECTION 13 (“REPRESENTATIONS AND WARRANTIES”), ADAPTIVE MAKES NO PROMISES, REPRESENTATIONS OR WARRANTIES WHATSOEVER, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE AND ADAPTIVE HEREBY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF TITLE, MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY LOCAL JURISDICTIONAL ANALOGUES TO THE FOREGOING. 
    ‍
15. Limitation of Liability. TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW, EXCEPT FOR (I) A PARTY’S FRAUD, GROSS NEGLIGENCE, OR WILLFUL MISCONDUCT, (II) EITHER PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 16 (“INDEMNIFICATION”), (III) EITHER PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER SECTION 6 (“CONFIDENTIALITY”), AND (IV) CUSTOMER’S PAYMENT OBLIGATIONS UNDER SECTION 5 (“FEES; PAYMENT TERMS”), IN NO EVENT WILL EITHER PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE FEES THAT ARE DUE AND PAYABLE TO ADAPTIVE DURING THE TWELVE (12) MONTHS PRECEDING THE OCCURRENCE GIVING RISE TO THE APPLICABLE CLAIM. EXCEPT AS SET FORTH ABOVE, IN NO EVENT WILL EITHER PARTY HAVE ANY LIABILITY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, FOR LOST PROFITS, DATA OR OTHER BUSINESS OPPORTUNITIES), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE. THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. THE PARTIES AGREE THAT THE FOREGOING LIMITATIONS REPRESENT A REASONABLE ALLOCATION OF RISK UNDER THIS AGREEMENT.
    ‍
16. Indemnification.
    
    1. Indemnification by Customer. Customer shall indemnify, defend, and hold harmless Adaptive and its affiliates, and each of their respective officers, directors, consultants, contractors, agents, attorneys, and employees from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees and the cost of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers (collectively, “Losses”) arising out of or resulting from any third-party claim, suit, action, or proceeding (each, an “Action”) arising out of or resulting from: (i) Adaptive’s use of Customer Information in accordance with the terms and conditions of this Agreement; (ii) Adaptive’s operation of the Platform and any Adaptive software or services as set forth in the applicable Order Form and directed by Customer (including Cybersecurity Incident Simulations); (iii) Customer’s breach of its representations, warranties, or covenants under this Agreement; (iv) Customer’s unauthorized use of the Platform; or (v) Customer’s use of the Platform in violation of applicable law.
    2. Indemnification by Adaptive. Adaptive shall indemnify, defend, and hold harmless Customer, and their respective officers, directors, consultants, contractors, agents, attorneys, and employees from and against all Losses arising out of or resulting from any Action arising out of or resulting from any claim that the Platform infringes or violates the rights (including intellectual property rights) of any third party. Notwithstanding the foregoing, Adaptive will have no liability for a third-party Action to the extent it arises out of or results from: (A) any breach of this Agreement by Customer; (B) any modification, alteration or addition made to the Platform by Customer, including any combination of the Platform with software not provided by Adaptive; or (C) any Customer Information. This section states Adaptive’s entire and sole liability with respect to third-party Actions.
    3. Indemnification Procedures. The Party seeking indemnity (“Indemnified Party”) shall provide the other Party (“Indemnifying Party”) with prompt written notice of any claim; provided that failure to provide such notice shall not relieve the Indemnifying Party of its obligations except to the extent materially prejudiced thereby. The Indemnifying Party shall, at its sole expense, control the defense of such claim using counsel reasonably acceptable to the Indemnified Party, and the Indemnified Party shall reasonably cooperate therein at the Indemnifying Party’s expense. The Indemnifying Party may not settle any claim without the Indemnified Party’s prior written consent (not to be unreasonably withheld, conditioned, or delayed), unless such settlement consists solely of monetary damages payable by the Indemnifying Party. If the Indemnified Party reasonably determines that the Indemnifying Party is unable or unwilling to defend the Indemnified Party’s interests, the Indemnified Party may assume the defense at the Indemnifying Party’s sole expense.
       ‍
17. Press Release; Publicity. Neither Party shall issue or release any announcement, statement, or press release relating to this Agreement without obtaining the express prior written consent of the other Party. Notwithstanding the foregoing, Adaptive may use Customer’s name and logo in Adaptive’s marketing materials, including on Adaptive’s website, solely to identify Customer as a customer of Adaptive. Customer may withdraw this consent at any time by providing written notice to Adaptive.
    ‍
18. Notices. Any notice required or permitted to be given under this Agreement will be effective if it is (i) in writing and sent by certified or registered mail, or insured courier, return receipt requested, to the appropriate Party at the address set forth in the Order Form and with the appropriate postage affixed; or (ii) sent via electronic mail to legal@adaptivesecurity.com in the case of Adaptive and to the address or email provided in the Order Form, in the case of Customer. Either Party may change its address for receipt of notice by notice to the other Party in accordance with this section. Notices are deemed given two (2) business days following the date of mailing, one (1) business day following delivery to a courier, or on the same day an electronic mail is sent to the recipient.
    ‍
19. Third-Party Interactions. Customer’s use of any third-party products, packages or services that are not provided by Adaptive which link to the Platform, or which are enabled in conjunction with the Platform (“Third-Party Interactions”) shall be at Customer’s choice and sole discretion. To the extent Customer decides to use Third-Party Interactions, Customer’s access and use of such Third-Party Interactions shall be governed solely by the terms and conditions of such Third-Party Interactions as between Customer and the third party. In the event Customer enables, installs, connects, or provides access to any Third-Party Interactions for use with the Platform, Customer (i) permits the transmission of Customer Information to such Third-Party Interactions at Customer’s direction; (ii) permits such Third-Party Interactions to access the Customer Information at Customer’s direction; and (iii) will provide notice to Adaptive of any transmission of Customer Information and provide notice to Adaptive of the identity of such third party (unless notice is provided in connection with an API call). Adaptive does not license, support, control, endorse or otherwise make any representations or warranties regarding any Third-Party Interactions, notwithstanding that Adaptive may have identified such Third-Party Interaction that Customer subsequently decided to use, and notwithstanding that Customer has directed Adaptive to implement or configure such Third-Party Interactions on Customer’s behalf.
    ‍
20. Miscellaneous. 

This Agreement will be governed by and construed under the laws of the State of New York without reference to its conflict of laws principles. All disputes arising out of or related to this Agreement will be subject to the exclusive jurisdiction of the state and federal courts located in New York, New York, and the Parties agree to waive all rights to challenge the foregoing. This Agreement binds and is for the benefit of the successors and permitted assigns of each Party. Neither Party may assign this Agreement or any rights under it, in whole or in part, without the other Party’s prior written consent; provided that either Party may assign this Agreement or any rights under it without prior written consent to a successor in connection with a merger, acquisition, reorganization, consolidation, or sale of all or substantially all of its assets or the business to which this Agreement relates. Any attempt to assign this Agreement other than as permitted above will be void. Customer shall not access, use, or make the Platform available in any country or region subject to comprehensive sanctions administered by the U.S. Treasury Department’s Office of Foreign Assets Control, or to any person or entity on any applicable U.S. government restricted party list. If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable, then the remaining provisions of this Agreement will remain in full force and effect. Neither Party will be liable for any failure or delay in performing its obligations under this Agreement (other than payment obligations) to the extent such failure or delay results from circumstances beyond the affected Party’s reasonable control, including acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, flood, epidemic, pandemic, telecommunications failures, cyber-attacks, power outages, or infrastructure failures (each, a “Force Majeure Event”). The affected Party shall provide prompt written notice to the other Party of the Force Majeure Event and use commercially reasonable efforts to mitigate its effects. If a Force Majeure Event continues for more than thirty (30) consecutive days, either Party may terminate this Agreement upon written notice to the other Party. This Agreement, including the MSA and all related Order Form(s), embodies the entire agreement between the Parties with respect to the subject matter set forth herein and supersedes any previous, or contemporaneous communications, whether oral or written, express or implied. The terms of any Customer-generated purchase order or any terms presented in connection with any vendor management tool (e.g., vendor payment portal) will be void and shall have no legal effect. Adaptive may amend this Agreement from time to time by posting an amended version at its website and sending Customer written notice thereof. Such amendment will be deemed accepted by Customer and become effective thirty (30) days after such notice (the “Proposed Amendment Date”), unless Customer first gives Adaptive written notice of objection to the amendment. In case of such objection, this Agreement will continue under the provisions in effect prior to the amendment, and the amendment will become effective at the start of Customer’s next renewal following the Proposed Amendment Date (unless Customer provides notice of non-renewal). Customer’s continued use of the Platform following the effective date of an amendment will confirm Customer’s consent thereto. This Agreement may not otherwise be modified or amended in any other way except by a writing signed by both Parties. All waivers made under this Agreement must be made in writing by the Party making the waiver.