LABSTEP TERMS AND CONDITIONS
These Labstep Terms and Conditions (“Labstep Terms”), together with any Order, form a legal agreement (“Agreement”) between Labstep and Customer, and set forth the terms and conditions governing Customer’s and its Authorized Users’ access to and use of the Labstep Services. Labstep may amend these Terms from time to time with notice to Customer. IF CUSTOMER REGISTERS FOR A FREE TRIAL FOR THE LABSTEP SERVICES, THE PROVISIONS OF THESE LABSTEP TERMS WILL ALSO GOVERN THAT FREE TRIAL. Those who do not agree with these Labstep Terms should not access or use the Labstep Services.
1. ACCESS AND RESTRICTIONS
1.1 ACCESS. Access to the Labstep Services that are provided on a per Authorized User basis will be set forth in an Order. If Customer’s use of the Labstep Services exceeds the specified number of Authorized Users, Customer will be subject to applicable additional Fees. Labstep may place reasonable restrictions on the Customer Account, such as restricting or limiting Customer’s ability to add new Authorized Users, until Customer has adequately addressed any excess use. Subject to these Labstep Terms, Labstep grants to Customer a world-wide, non-exclusive, non-transferable, and non-sublicensable right, during the Labstep Subscription Term, for Customer and its Authorized Users to use the Labstep Service for Customer’s internal business operations provided any such use shall be: (i) in accordance with the User Documentation; (ii) for the Usage Limits specified in an Order; and (iii) at all times compliant with these Labstep Terms and applicable laws, including any Export Control Laws.
1.2 RESTRICTIONS. Customer is responsible for ensuring Authorized Users’ compliance with the Agreement, these Labstep Terms, and the Labstep Acceptable Use Policy. Customer shall not directly or indirectly: (i) make the Labstep Service available to anyone other than Customer or its Authorized Users; (ii) offer, use, or otherwise exploit the Labstep Service, whether or not for a fee, in any managed service provider (MSP) offering; platform as a service or integration platform as a service (PaaS or iPaaS) offering; service bureau; or other similar product or offering; (iii) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code, or any software, documentation or data related to the Labstep Service; (iv) modify or make derivative works based upon the Labstep Service; (v) copy or create Internet “links” to the Labstep Service or “frame” or “mirror” any of the Labstep Service; (vi) permit direct or indirect access to or use of any of the Labstep Service or Content in a way that circumvents any Usage Limits; (vii) use the Labstep Service if Customer is a competitor of Labstep; (viii) access the Labstep Service in order to build a competitive product or service, or build a product using similar features, functions or graphics of the Labstep Service; or (ix) use the Labstep Cloud for any purpose other than to access or use the Labstep Service in accordance with these Labstep Terms.
1.3 LABSTEP SERVICES. Labstep will provide the Labstep Services in accordance with these Labstep Terms, commencing on the date set forth in the Order (or, if no Order is in place, then on the date Customer begins using the Labstep Services) until the Order or these Labstep Terms expires or is otherwise terminated hereunder. Customer may only use the Labstep Services for its internal business purposes and may only provide access to the Labstep Services to its Authorized Users.
1.4 FUTURE FUNCTIONALITY. Customer agrees that Customer’s Subscription to the Labstep Services is not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by Labstep regarding future functionality or features.
1.5 SUPPORT SERVICES. Labstep shall provide Customer with Support Services for the Labstep Service in accordance with the Labstep Service Level Agreement (“SLA”).
1.6 PROFESSIONAL SERVICES. Labstep may provide Professional Services to Customer, such as implementation, configuration, and enablement services for Labstep Services pursuant to an Order and in accordance with the Labstep Professional Services Addendum (“PSA”). Customer agrees to pay Labstep for the Professional Services Fees, and reimburse Labstep for the Professional Services expenses, as agreed upon by the Parties in the applicable Order.
2. CUSTOMER RESPONSIBILITIES
2.1 COMPLIANCE. Customer is solely and directly responsible (a) for maintaining the security of all user IDs, passwords, and other credentials, (b) for all acts and omissions taken by its Authorized Users or under any of its credentials; (c) compliance with applicable laws, including Export Control Laws; and (d) to promptly notify Labstep of any unauthorized use or access and take all steps necessary to terminate such unauthorized use or access. Customer will provide Labstep with such cooperation and assistance related to any unauthorized use or access as Labstep may reasonably request. Customer shall be directly responsible for any violations of any of the foregoing by any party (excluding Labstep and Labstep personnel) that Customer allows to access the Labstep Service, including Authorized Users. Customer is solely responsible for compliance relating to the manner and purpose in which it chooses to use the Labstep Service.
2.2 EXPORT CONTROL. Customer may not use the Labstep Services to transmit or host data controlled for export under Export Control Laws without prior written consent from Labstep. Customer represents and warrants that it shall not use, resell, export, distribute, transfer, or allow access to the Labstep Service or any related technical data, directly or indirectly, to or for the benefit of any persons (including persons designated as Specially Designated Nationals or under similar designations), entities, governments, or destinations, or for any end use prohibited by the Export Control Laws. Further, the Labstep Service is provided subject to the laws and regulations of the United States and other countries on trade restrictions that may prohibit or restrict access by certain persons or from certain countries or territories, including but not limited to sanctions, embargoes, and export restraints.
2.3 CONTENT. Customer acknowledges and agrees that it has sole responsibility: (i) to administer user access to the Labstep Service and the Content, (ii) for the input and administration of Content in the Labstep Service, including deletion of Content, (iii) to ensure it has all rights necessary to use, transmit and display Content and for Labstep to host, store, adapt or integrate such Content as required to provide the Labstep Service, (iv) for compliance relating to how it chooses to use the Labstep Service, including but not limited to, the transfer and processing of Content, the provision of Content to end users, and any industry specific requirements to which Customer may be subject, (v) for maintaining Content on the systems from which they are sourced and making backup copies of Content. Customer hereby represents and warrants on behalf of itself and its Authorized Users that it has all of the rights in the Content necessary for the use, display, publishing, sharing and distribution of the Content and that such use of the Content under these Labstep Terms does not violate any third-party rights, applicable laws, or these Labstep Terms. Labstep is not responsible for the accuracy, completeness, appropriateness, copyright compliance or legality of any Content.
2.4 AUTHORIZED ACCESS. If Customer chooses to have an Authorized User access the Labstep Service on its behalf, Customer acknowledges that Customer, not Labstep, is solely responsible and liable for (i) the acts and omissions of such Authorized User in connection with the Labstep Service; (ii) any Content that Customer requests or instructs the Authorized User to include in the Labstep Service; and (iii) the issuance, removal and/or deactivation of the credentials issued for such Authorized User.
2.5 COOPERATION AND ASSISTANCE. Customer shall: (a) provide Labstep with good faith cooperation and access to such information and personnel as may be reasonably required by Labstep in order to provide the Labstep Services; and (b) carry out all Customer responsibilities in a timely manner.
2.6 MATERIAL CHANGES. Customer must notify Labstep promptly, but in any event within ten (10) business days, if there are any material changes in the information that Customer provided to Labstep, such as jurisdiction of registration, ownership structure, tax identification, financial condition, or administrative point of contact. Customer must also notify Labstep immediately, but in any event within two (2) business days, if Customer becomes insolvent, makes an assignment for the benefit of creditors, ceases to do business, or if any bankruptcy, reorganization, arrangement, insolvency, liquidation proceeding, or other proceeding under any bankruptcy or other law for the relief of debtors is instituted by or against Customer. Upon Labstep’s request, Customer will promptly provide updates to the information that was previously provided to Labstep and other information reasonably related to the Labstep Services provided by Labstep.
3. ORDERS AND PAYMENT
3.1 ORDERS. In addition to any requirements set forth in these Labstep Terms, all Orders shall be submitted in accordance with Labstep’s then-current procedures for processing and fulfilling Orders. Nothing contained in any Order, purchase order, report or like document submitted by the Customer to Labstep will in any way modify or add to the terms and conditions contained in these Labstep Terms.
3.2 FEES. All Fees are non-refundable, non-creditable, not subject to any right of offset, and are exclusive of all taxes, including sales, use or value added taxes where applicable. All Subscription Fees are due and owing for the full Subscription Term when purchased. Upon presentation of invoices by Labstep, Customer will pay any and all such taxes (other than taxes based upon Labstep’s income, for which Labstep is responsible) imposed or levied by any government or agency. If Customer is required by law or regulation to make any deduction or withholding (whether on account of tax or otherwise) from any payment, Customer shall notify Labstep in writing of such payment or withholding requirements prior to making the payment to Labstep. Customer shall, in accordance with the law, withhold such withholding taxes from the amount due to Labstep, remit the withholding taxes to the appropriate tax authority, and furnish Labstep with proof of payment of such withholding taxes within thirty (30) days following payment thereof. Where Labstep is entitled under any applicable tax treaty to a reduction in the rate of, or the elimination of, applicable withholding tax, the Parties agree to cooperate in accordance with applicable law to claim such a reduction.
3.3 PAYMENT. Customer agrees to pay all Fees within thirty (30) days from the date of receipt of Labstep’s valid invoice therefor (receipt shall be deemed to be the date that Labstep sends an invoice to Customer’s designated email address for invoice). If Customer fails to pay any Fee within thirty (30) days of receipt of invoice, then Labstep may charge the Customer interest in an amount of one percent (1%) per month, or such lower rate as may be mandated by applicable law, on the unpaid balance from the due date. In addition, and without prejudice to any other rights or remedies available to Labstep, any failure to pay any amount when due will be a material breach and Labstep will be entitled at its own discretion to withhold or suspend further deliveries to Customer and/or require that Customer pay for future Orders and support renewals on a cash on delivery (“COD”) basis. Customer agrees to pay for any use or consumption of the Labstep Services in excess of the licensed Usage Limits, irrespective of any purchase order requirements.
4. SECURITY AND PRIVACY
4.1 PRIVACY. The terms of the Labstep Data Processing Addendum (“DPA”) are incorporated by reference when executed by Customer as set forth in the Labstep DPA and shall apply to the extent Content includes “Customer Personal Data” as defined in the Labstep DPA. All Content used by or within the Labstep Service may be stored on servers located in various regions, including the EU, and Customer may select (where available) the region in which its Content resides. Customer and Authorized Users are not permitted to upload or store within the Labstep Service: (i) payment card information subject to Payment Card Industry Data Security Standards (PCI DSS), or (ii) U.S. Protected Health Information (“PHI”) as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) unless Customer has executed a Labstep Business Associate Agreement (“BAA”) with Labstep. Further information regarding Labstep’s privacy measures, including Labstep’s Privacy Policy, may be found at https://www.labstep.com/privacy-policy.
4.2 LABSTEP SERVICE SECURITY. Labstep will use commercially reasonable, industry standard security measures in providing the Labstep Service and will comply with such data security regulations applicable to the Labstep Service. Labstep has implemented appropriate technical and procedural safeguards to protect and secure Content in accordance with the Labstep DPA. Labstep Service offerings are hosted and delivered from a data center operated by a third-party provider, which is solely responsible for the underlying infrastructure and hosting of the Labstep Service. Customer is solely responsible for any breach or loss resulting from: (i) Customer’s failure to control user access; (ii) failure to secure Content which Customer transmits to and from the Labstep Service; and (iii) failure to implement appropriate and timely backups, and reasonable and appropriate security standards and measures, to protect against unauthorized access.
4.3 SECURITY INCIDENT OBLIGATIONS. Labstep maintains appropriate information security practices for Labstep’s systems used to provide the Labstep Services, including reasonable security procedures and practices appropriate to the nature of the information, to prevent unauthorized access to, or use or disclosure of, any Customer Data (a “Security Incident”). Labstep shall promptly notify Customer of any confirmed Security Incident that has impacted Customer Data and investigate and remediate any such Security Incident. For Security Incidents arising out of Labstep’s negligence or failure to apply commercially reasonable security practices, Labstep shall be responsible for (i) costs of government or regulatory fines, and (ii) if Customer reasonably determines that it is required by applicable law to provide notice and/or credit monitoring or identity protection to any User and/or to provide notice to any governmental entity, costs associated with any such notices or identity protection (collectively, “Breach Costs”). Labstep will not be responsible for Breach Costs related to a Security Incident to the extent the Security Incident was caused by Customer or its Users.
5. TERM AND TERMINATION
5.1 TERM. Customer’s and its Authorized Users’ access to the Labstep Service shall remain in effect, unless earlier terminated, for the Labstep Service Subscription Term set forth in the applicable Order. Subscriptions may not be cancelled in whole or in part during any Labstep Subscription Term. The Labstep Subscription Term shall automatically renew for renewal terms of the same duration at no more than ten percent (10%) of the previous year’s rates for the applicable Labstep Service, unless and until Customer or Labstep elects not to renew the Subscription Term by providing written notice to the other Party at least forty-five (45) days prior to the end of the then-current Subscription Term for the applicable Labstep Service(s).
5.2 SUSPENSION. Labstep may, without limiting its other rights and remedies, suspend Customer’s access to the Labstep Service at any time if: (i) required by applicable law, including Export Control Laws, (ii) Customer or any Authorized User is in violation of these Labstep Terms or the Labstep Cloud Acceptable Use Policy, or (iii) Customer’s use disrupts the integrity or operation of the Labstep Service or interferes with the use by others. Labstep will use commercially reasonable efforts to notify Customer prior to any suspension, unless prohibited by applicable law or court order.
5.3 EFFECT OF TERMINATION. Upon any termination or expiration of the Labstep Service Subscription Term, Customer and its Authorized Users’ right to access and use the Labstep Service shall automatically cease. Termination or expiration of the Subscription Term, without timely renewal, may result in the deletion of Customer’s Content therein. Except if and to the extent required by law, no refunds or credits of any prepaid Fees shall be granted in the event of any termination or expiration of the Labstep Services during the Subscription Term.
6. CONFIDENTIAL INFORMATION AND IP RIGHTS
6.1 CONFIDENTIALITY OBLIGATIONS. During the term of the Agreement, neither Party shall make the other’s Confidential Information available to any third party or use the other’s Confidential Information for any purposes other than exercising its rights and performing its obligations under these Labstep Terms and any Schedules hereto. Neither Party shall disclose Confidential Information except to such Party’s advisors, contractors, accountants, attorneys, investors (and prospective investors), and prospective acquirers that have a reasonable need to know such information, provided that any such third parties shall, before they may access such information, either (a) execute a binding agreement to keep such information confidential or (b) be subject to a legal obligation to maintain the confidentiality of such information. Each Party shall take all reasonable steps to ensure that the other’s Confidential Information is not disclosed or distributed by its employees or agents in violation of these Labstep Terms, but in no event will either Party use less effort to protect the Confidential Information of the other Party than it uses to protect its own Confidential Information of like importance. Each Party will ensure that any agents or subcontractors that are permitted to access any of the other’s Confidential Information are legally bound to comply with the obligations set forth herein. Notwithstanding the foregoing, Confidential Information may be disclosed as required by law. The Receiving Party must provide (to the extent permitted by applicable law) the Disclosing Party with sufficient advance notice of the request for the information to provide the Disclosing Party an opportunity to exercise any rights it may have to challenge or limit the disclosure of Confidential Information.
6.2 POST-TERMINATION OBLIGATIONS. The Receiving Party’s obligations to guard the Disclosing Party’s Confidential Information will survive for a period of five (5) years after expiration or termination of these Labstep Terms, except that personal information within a Party’s reasonable control shall be kept confidential in perpetuity until such personal information is returned or deleted. The receiving party may retain an archival copy of the Confidential Information to the extent necessary to comply with applicable law or archival policies, provided that such retained Confidential Information will remain subject to all confidentiality obligations under these Labstep Terms.
6.3 IP RIGHTS OF LABSTEP. The Labstep Services are made available on a limited access basis, and no ownership right is conveyed to Customers or Authorized Users. Labstep, and its respective licensors, own and retain all Intellectual Property Rights in and to (i) the Labstep Services (excluding only the Customer Data) and all trademarks, logos and service marks utilized by Labstep and its respective licensors, in connection with the delivery of the Labstep Services; (ii) all improvements, enhancements or modifications of the Labstep Services; (iii) any Software, applications, inventions or other technology developed in connection with supporting the Labstep Services; and (iv) any Deliverables and/or Pre-Existing Materials provided by Labstep in the provision of Professional Services.
6.4 IP RIGHTS OF CUSTOMER. As between Customer and Labstep, Customer shall own all Intellectual Property Rights in and to the Customer Data. Customer grants to Labstep on behalf of itself and its Authorized Users a worldwide, non-sublicensable, non-transferrable (except to a permitted assignee of Labstep), non-exclusive, limited license to access, use, copy, reproduce, Process, adapt, distribute, publish, transmit, export and display the Customer Data as reasonably necessary (i) to provide, maintain and update the Labstep Services; (ii) to prevent or address service, security, support and technical issues; (iii) as expressly permitted by these Labstep Terms, the Labstep DPA, the BAA (if applicable), or by Customer in writing; and (iv) as may be required by law. Customer Data includes data derived from Customer Data but does not include Usage Data. Labstep may use, during and after these Labstep Terms, Usage Data for its own business purposes, such as operating and improving the Labstep Services, and developing new products and services.
7. WARRANTY AND DISCLAIMER
7.1 LABSTEP WARRANTIES. Labstep warrants that during an applicable Subscription Term, the Labstep Services will perform materially in accordance with the User Documentation. Labstep’s sole liability (and Customer’s sole and exclusive remedy) for any breach of this warranty will be, at no charge to Customer, for Labstep to use commercially reasonable efforts to correct the reported non-conformity, or if Labstep determines such remedy to be impracticable, either Party may terminate these Labstep Terms and Customer will receive a pro-rata refund of any pre-paid, unused Fees for the terminated portion of the Labstep Service Subscription Term. The warranties herein do not apply if the error was caused by Customer or Authorized User’s misuse or unauthorized modification of (i) the Labstep Services or (ii) Third Party Applications.
7.2 CUSTOMER WARRANTIES. Customer warrants that (i) it is entitled to transfer the Customer Data to Labstep so that Labstep and its authorized third-party service providers may lawfully use, Process, and transfer the Customer Data in accordance with these Labstep Terms, the Labstep DPA, and the Labstep BAA (if applicable) on Customer’s behalf and (ii) Customer’s privacy policies and practices comply with applicable law and permit Customer to provide Customer Data to Labstep and authorize Labstep to use and disclose Customer Data in accordance with these Labstep Terms. Customer agrees to comply with all applicable laws in its use of the Labstep Services.
7.3 MUTUAL WARRANTIES. Each Party represents and warrants to the other that (a) these Labstep Terms have been duly executed and delivered and constitute a valid and binding agreement enforceable against such Party in accordance with its terms; (b) no authorization or approval from any third party is required in connection with such Party’s execution, delivery, or performance of these Labstep Terms; and (c) the execution, delivery and performance of these Labstep Terms does not and will not violate the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound.
7.4 DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, AND TO THE FULLEST EXTENT PERMITTED BY LAW, THE LABSTEP SERVICES AND ALL RELATED COMPONENTS, DELIVERABLES, AND INFORMATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT ANY WARRANTIES OF ANY KIND, AND LABSTEP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. LABSTEP DOES NOT WARRANT THAT THE LABSTEP SERVICES WILL BE UNINTERRUPTED, SECURE, ERROR-FREE, VIRUS-FREE OR FREE FROM HARMFUL COMPONENTS; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE LABSTEP SERVICES. LABSTEP DOES NOT WARRANT THAT IT WILL REVIEW THE CUSTOMER DATA FOR ACCURACY OR THAT IT WILL PRESERVE OR MAINTAIN THE CUSTOMER DATA WITHOUT LOSS OR CORRUPTION. LABSTEP SHALL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS, THIRD PARTY PLATFORMS, THIRD PARTY MESSAGING APPLICATIONS, OR OTHER SYSTEMS OUTSIDE THE REASONABLE CONTROL OF LABSTEP.
8. INDEMNIFICATION
8.1 LABSTEP’S INDEMNIFICATION OBLIGATIONS. Labstep will defend Customer Parties from and against any third party claim alleging that the Customer’s use of the Labstep Services as contemplated under these Labstep Terms violates the Intellectual Property Rights of such third party and will indemnify the Customer Parties for damages awarded against the Customer Parties in connection with or as a result of such claim or any amounts paid by Customer Parties under a settlement approved by Labstep, including reasonable fees of attorneys engaged by Labstep in connection with the defense or settlement of such claim. Notwithstanding the foregoing, Labstep shall not be required to indemnify Customer Parties to the extent the claim against Customer Parties arises from (i) Customer or any Authorized User’s use of the Labstep Services in a manner that violates these Labstep Terms; (ii) modification of the Labstep Services by anyone other than Labstep, or its Representatives, unless approved by Labstep; (iii) the combination, operation or use of the Labstep Services with software not provided by Labstep, unless approved by Labstep in writing; or (iv) violations of third party rights caused by Customer Data or Customer Materials.
8.2 CUSTOMER’S INDEMNIFICATION OBLIGATIONS. Customer will defend Labstep Parties from and against any third party claim, action, suit, proceeding or demand arising from or related to (i) Customer’s or an Authorized User’s violation of applicable laws while using the Labstep Services; and (ii) any third party claim arising from or related to Customer Data or Customer Materials, and will indemnify Labstep Parties for damages awarded against the Labstep Parties in connection with or as a result of such claim or any amounts paid by Labstep Parties under a settlement approved by Customer, including reasonable fees of attorneys engaged by Customer in connection with the defense or settlement of such claim.
8.3 POTENTIAL INFRINGEMENT. If the Labstep Services are held by a court of competent jurisdiction, or reasonably believed by Labstep, to be infringing, Labstep may at its option and expense, (i) replace or modify the Labstep Services to be non-infringing provided that such modification or replacement contains substantially similar features and functionality; (ii) obtain for Customer a license at Labstep’s expense to continue using the Labstep Services; or (iii) if neither of the foregoing are commercially practicable, terminate these Labstep Terms and Customer’s rights hereunder, in which case Labstep’s sole liability (in addition to its indemnification obligations above) shall be to provide Customer with a pro-rated refund of prepaid but unused Fees applicable to the remaining portion of Customer’s current Subscription Term. Sections 8.1 and 8.3 state Labstep’s sole liability with respect to, and Customer Parties’ exclusive remedy against Labstep for, any infringement claim.
8.4 INDEMNIFICATION PROCESS. In the event of a potential indemnity obligation under this Section 8, the Party seeking indemnification must (i) provide prompt notice to the indemnifying Party concerning the existence of an indemnifiable claim; (ii) promptly provide the indemnifying Party with all information and assistance reasonably requested; and (iii) cooperate fully with the indemnifying Party in defending the claim. Failure to give prompt notice shall not constitute a waiver of a Party’s right to indemnification and shall affect the indemnifying Party’s obligations under these Labstep Terms only to the extent that the indemnifying Party’s rights are materially prejudiced by such failure or delay. The indemnifying Party shall have full control and authority over the defense of any claim; provided, however, that any settlement requiring the Party seeking indemnification to admit liability or make any financial payment shall require such Party’s prior written consent, not to be unreasonably withheld or delayed.
9. LIMITATION OF LIABILITY
9.1 EXCLUSION OF DAMAGES. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) SHALL EITHER PARTY TO THESE LABSTEP TERMS, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS, BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA, BUSINESS INTERRUPTION, LOSS OF GOODWILL, COSTS OF COVER OR REPLACEMENT, OR FOR ANY OTHER TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ITS AFFILIATES IN CONNECTION WITH THESE LABSTEP TERMS, THE LABSTEP SERVICES, THE SUPPORT SERVICES, OR THE PROFESSIONAL SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
9.2 LIMITATION OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THESE LABSTEP TERMS, LABSTEP’S AGGREGATE LIABILITY TO CUSTOMER, ITS AFFILIATES, OR ANY THIRD PARTY ARISING OUT OF THESE LABSTEP TERMS, THE LABSTEP SERVICES, THE SUPPORT SERVICES, OR THE PROFESSIONAL SERVICES, SHALL IN NO EVENT EXCEED THE FEES PAID BY CUSTOMER DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT OR OCCURRENCE GIVING RISE TO SUCH LIABILITY. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE ESSENTIAL PURPOSE OF THIS SECTION 9.2 IS TO ALLOCATE THE RISKS UNDER THESE LABSTEP TERMS BETWEEN THE PARTIES AND LIMIT POTENTIAL LIABILITY GIVEN THE APPLICABLE FEES, WHICH WOULD HAVE BEEN SUBSTANTIALLY HIGHER IF LABSTEP WERE TO ASSUME ANY FURTHER LIABILITY OTHER THAN AS SET FORTH HEREIN. LABSTEP HAS RELIED ON THESE LIMITATIONS IN DETERMINING WHETHER TO PROVIDE CUSTOMER WITH THE RIGHTS TO ACCESS AND USE THE LABSTEP SERVICES AND/OR THE PROFESSIONAL SERVICES PROVIDED FOR IN THESE LABSTEP TERMS. THE FOREGOING LIMITATIONS IN THIS SECTION 9.2 SHALL NOT APPLY TO CLAIMS OR DAMAGES ARISING FROM (1) THE INDEMNIFICATION OBLIGATIONS HEREIN, OR (2) CUSTOMER’S NON-PAYMENT OF UNDISPUTED FEES DUE AND PAYABLE.
9.3 LIMITATION OF LIABILITY IN THE AGGREGATE. THE LIMITATION OF LIABILITY PROVIDED FOR HEREIN APPLIES IN AGGREGATE TO ANY AND ALL CLAIMS BY CUSTOMER AND ITS AFFILIATES AND SHALL NOT BE CUMULATIVE.
9.4 JURISDICTION-SPECIFIC EXCLUSIONS. Some jurisdictions do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages or for a Party’s own fraud, willful injury to the person or property of another, or violation of law which means that some of the above limitations may not apply to Customer. IN THESE JURISDICTIONS, LABSTEP’S LIABILITY WILL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.
9.5 ENFORCEABLE AGAINST LABSTEP. Any claims or damages that Customer may have against Labstep shall only be enforceable against Labstep and not any other entity, nor any officers, directors or Representatives of Labstep or any other entity.
10. GENERAL
10.1 EARLY RELEASE. Labstep may, in its discretion, periodically provide certain Customers with an opportunity to test additional features or functionality in connection with the Labstep Service. Customers are not required to accept these opportunities when provided, and Customer may decline to participate in the testing of such additional features or functionality at any time. Customer acknowledges that such features or functionality are not considered part of the Labstep Service, are not supported, are provided “as is” with no warranties of any kind and may be subject to additional terms. Labstep reserves the right at any time, in its sole discretion, to discontinue provision of, or to modify, any such features or functionality provided for testing purposes.
10.2 CONNECTIVITY TO THIRD-PARTY APPLICATIONS. Use of the Labstep Service to connect or interoperate with or access third-party applications or services may be governed by terms and conditions established by such third party. Third-party application programming interfaces and other third-party applications or services (“Third-Party Applications”) are not managed by Labstep, and Labstep shall have no liability for connectivity if any Third-Party Applications are changed or discontinued by the respective third parties. Labstep does not support, license, control, endorse, or otherwise make any representations or warranties regarding any Third-Party Applications.
10.3 VERIFICATION AND COMPLIANCE. While these Labstep Terms are in effect and for one (1) year after the effective date of their termination, upon request by Labstep, but not more than once per calendar year, Customer shall conduct a self-audit of its use of the Labstep Service and, within ten (10) business days after receipt of such request, submit a written statement to Labstep verifying that it is in compliance with the terms and conditions of these Labstep Terms. Customer acknowledges that Labstep may monitor use of the Labstep Service in order to verify Customer’s compliance with these Labstep Terms. If Labstep becomes aware of any excess usage or violations of allocation restrictions, then Labstep may: (a) require Customer to pay for the excess usage at prevailing rates for the Labstep Service; (b) suspend or terminate Customer’s access to the Labstep Service; or (c) exercise any other remedy that may be available to Labstep. Upon Labstep’s written request, with prior reasonable notice, Labstep may audit Customer’s compliance with these Labstep Terms and/or use of the Labstep Service. If such audit discloses that Customer has accessed or permitted access to the Labstep Service in a manner that is not permitted under these Labstep Terms, then Labstep may terminate Customer’s use of the Labstep Service, and Customer shall be liable for the reasonable costs of the audit in addition to any other fees, damages and penalties Labstep may be entitled to under these Labstep Terms, the Schedules hereto, and applicable law.
10.4 INDIRECT PURCHASES. If Customer is purchasing a subscription to the Labstep Services through a third party marketplace or a Labstep-approved reseller (each an “Intermediary”), the following terms shall apply solely for the purposes of such indirect purchase: (a) all references to an ‘Order’ in these Labstep Terms shall refer to the order between the Customer and the Intermediary; (b) in addition to the rights provided in Section 6.4, Labstep is permitted to share Usage Data and other information regarding Customer with the Intermediary; (c) Section 3 (Orders and Payment) will be without effect and the terms between the Intermediary and Customer covering such subject matter will apply instead; (d) per the terms of the agreement between Labstep and the Intermediary, Labstep has a right to terminate its order(s) with the Intermediary, in the event of failure by Intermediary to make payments to Labstep; (e) Sections 5.1, 5.2, and 5.3 will be without effect as any termination of an Order and these Labstep Terms with respect to refund or payment obligations, if any, will be between the Intermediary and Customer; notwithstanding the foregoing, both Parties agree to take the required steps through the Intermediary processes in order to achieve the intended results of the terms in Section 5.1, 5.2, and 5.3 and any other refund or payment obligations.
11. DEFINITIONS
11.1 “Account” means a Customer Account or Authorized User Account.
11.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
11.3 “Authorized Third Party” means any third party authorized by Customer to access and use the Labstep Service, designated for internal use in the User Documentation or Order, provided such use is solely in connection with Customer’s business relationship with the authorized third party.
11.4 “Authorized User” for the purposes of these Labstep Terms means an employee, contractor, consultant, or Authorized Third Party of the Customer, who has been authorized by Customer to use the Labstep Service in accordance with the User Documentation and these Labstep Terms and has been allocated a license or user credentials for which the applicable fees have been paid. An email alias or group address book may not be designated as an Authorized User. Subscriptions granted on an Authorized User basis may be reassigned between uniquely identified individuals over time but may not be reassigned so frequently as to enable the sharing of a single license between multiple Authorized Users.
11.5 “Authorized User Account” means the Account or instance within the Labstep Services created by an Authorized User who completes the registration process by providing their full legal name, a valid email address, and any other information requested by Labstep.
11.6 “Confidential Information” means all information provided or made available by the Disclosing Party to the Receiving Party in connection with these Labstep Terms that is either identified as, or should reasonably be understood by the Receiving Party to be, proprietary or confidential, including, but not limited to, non-public information regarding features, functionality and performance of the Labstep Services, the terms of these Labstep Terms, Customer Data, business plans, product plans, roadmaps, strategies, forecasts, projects and analyses, the results of any audit related to the Labstep Services (including but not limited to security audits), financial information and fee structures, business processes, methods and models, and technical User Documentation, but does not include any information that the Receiving Party can demonstrate by probative written evidence (i) was generally available to the public at the time of disclosure; (ii) was in its possession or known by it without restriction prior to receipt from the Disclosing Party; (iii) was rightfully disclosed to it without restriction by a third party; or (iv) was independently developed without the use of any Confidential Information of the Disclosing Party.
11.7 “Content” means information, data, media, or other content provided by Customer or any Authorized User for use with the Labstep Service.
11.8 “Customer” means a person, company, or other legal entity authorized to use the Labstep Service solely for its own business purposes and not for distribution to others.
11.9 “Customer Account” means the Account or instance within the Labstep Services created on behalf of Customer by a representative of Customer that has administrative rights on the Customer Account to take certain actions and make certain changes on behalf of the Customer.
11.10 “Customer Data” means information submitted to or created in the Labstep Services by Customer or Authorized User in connection with Customer or Authorized User’s use of the Labstep Services. Customer Data does not include Usage Data, information about Labstep’s business contacts within Customer’s organization, information about Account holders Processed for the purpose of administering or operating such Accounts, or Labstep’s marketing activities.
11.11 “Customer Parties” means Customer and its Affiliates, subsidiaries, officers.
11.12 “Customer Settings” means the portion of the Labstep Services which Customer can access by creating a Customer Account and where Customer can perform administrative functions, such as adding and deleting Authorized Users.
11.13 “Data Processing Addendum” means Labstep’s data processing addendum available upon request, which is incorporated by reference into, and forms an integral part of, these Labstep Terms.
11.14 “Deliverables” means the materials and other deliverables that are provided to Customer as part of the Professional Services, and any materials, technology, know-how and other innovations of any kind that we or our Personnel may create or reduce to practice in the course of performing the Professional Services, including without limitation all improvements or modifications to Labstep’s proprietary technology, and all Intellectual Property Rights therein.
11.15 “Disclosing Party” means a Party to these Labstep Terms which may disclose and/or make available its Confidential Information to the other Party.
11.16 “Equipment” means any equipment and ancillary services needed in order to connect to, access or otherwise use the Labstep Services, including modems, hardware, servers, software, operating systems, networking, web servers and the like.
11.17 “Export Control Laws” means export control laws and regulations of the U.S., E.U., and other governments, as well as regulations and sanctions declared by the U.S. Department of the Treasury Office of Foreign Assets Control, the U.S. Department of Commerce, the Council of the E.U. and their counterparts under applicable law, including all end user, end use, and destination restrictions.
11.18 “Fees” means dollar amounts due and payable to Labstep by Customer as compensation for Customer’s use of the Labstep Services, including Subscription Fees, Support Service Fees, and Professional Service Fees.
11.19 “Force Majeure Event” means a condition that is beyond a Party’s reasonable control, including but not limited to natural disasters, civil disturbances, epidemics, pandemics, quarantines, acts of terrorism or war, labor conditions, governmental actions, interruptions or failure of the internet or any utility service, failures in third party hosting services, and denial of service attacks.
11.20 “IP Rights” or “Intellectual Property Rights” means all intellectual property rights comprising or relating to patents; trademarks, tradenames, internet domain names, whether or not trademarks, registered by any authorized private registrar or governmental authority, web addresses, web pages, website and URLs; works of authorship, expressions, designs and design registrations, whether or not copyrightable, including copyrights and copyrightable works, software and firmware, data, data files, and databases and other specifications and documentation; trade secrets; and all industrial and other intellectual property rights, and all rights, interests and protections that are associated with, equivalent or similar to, or required for the exercise of, any of the foregoing, however arising, in each case whether registered or unregistered and including all registrations and applications for, and renewals or extensions of, such rights or forms of protection pursuant to the laws of any jurisdiction in any part of the world.
11.21 “Labstep” means Labstep Limited and/or its Affiliates as the supplier of the Labstep Services.
11.22 “Labstep Cloud” means a cloud-based, hosted solution provided and managed by Labstep or a Labstep Affiliate under these Labstep Terms.
11.23 “Labstep Cloud Customer Content” means information, data, materials, media, or other content to the extent it includes Customer Personal Data that is Processed, by, on behalf of or upon the instructions of the Customer, or uploaded into and residing in Labstep Cloud, which Labstep or a Labstep Affiliate Processes on behalf of Customer.
11.24 “Labstep Parties” means Labstep and its Affiliates, subsidiaries, officers, employees and agents.
11.25 “Labstep Privacy Policy” means Labstep’s then-current Privacy Policy located at https://www.labstep.com/privacy-policy.
11.26 “Labstep Service” means (1) Labstep’s subscription-based SaaS solution for scientific research that combines an electronic lab notebook (ELN), laboratory information management system (LIMS), laboratory execution system (LES) and order management software into a single, collaborative cloud-based environment, including any modification, update, or upgrade thereof that is made available to Customer by Labstep; and (2) the Support Services and/or Professional Services provided by or on behalf of Labstep; both (1) and (2) as described in these Labstep Terms and the Schedules attached hereto.
11.27 “Order” means any price quote, invoice or other document used for the order of the Labstep Service, as agreed to in writing by the Parties and made a part of the Agreement and these Labstep Terms, specifying, among other things, the specific Labstep Services, Fees, Usage Limits, Subscription Term, and other charges as agreed to between the Parties.
11.28 “Permitted Use” means the authorized use and capacity for which Customer may utilize the Labstep Service under these Labstep Terms and the applicable Order.
11.29 “Personnel” means any employee, consultant, contractor, or subcontractor of Labstep or a Labstep Affiliate.
11.30 “Preexisting IP” means, with respect to any Deliverables, all associated Labstep technology and all Intellectual Property Rights created or acquired: (a) prior to the date of the SOW that includes such Deliverables, or (b) after the date of such SOW but independently of the Professional Services provided under such SOW.
11.31 “Process” and inflections thereof refer to any operation or set of operations which is performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.
11.32 “Professional Services” means the consulting and other professional services (including any training, success, and implementation services) provided by Labstep in accordance with the Labstep Professional Services Addendum. Professional Services may also be referred to as consulting, training, or implementation services in the User Documentation or Order.
11.33 “Professional Service Fees” means the fees and related expenses paid and/or payable by Customer for Professional Services provided by Labstep to Customer under an applicable Order.
11.34 “Receiving Party” means a Party to this Agreement which may receive or access Confidential Information from the other Party.
11.35 “Representatives” means the employees, Affiliates, consultants, contractors, subcontractors, agents, or advisors of a Party.
11.36 “SaaS” means Labstep’s cloud-based software-as-a-service offering.
11.37 “Subscription Fees” means dollar amounts due and payable to Labstep by Customer under these Labstep Terms as compensation for Customer’s use of the Labstep Services.
11.38 “Subscription Term” means the time period during which Labstep shall agree to provide, and Customer shall agree to purchase, the Labstep Services as specified in an Order or as agreed to by Customer upon signing up through Labstep’s website or the Customer Settings.
11.39 “Support Services” means end user support provided by Labstep or a Labstep Affiliate to Customer in accordance with the Service Level Agreement.
11.40 “Support Service Fees” means the fees and related expenses paid and/or payable by Customer for Support Services provided by Labstep to Customer under an applicable Order.
11.41 “Territory” means the geographic region within which the Labstep Service may be used and where Authorized Users may be located, as specified in the Order. (If a Territory is not specified in the Order, then Territory shall be the Customer’s country.)
11.42 “Usage Data” means anonymized or de-identified data and other information relating to Customer and Authorized Users’ use of the Labstep Services, including, without limitation, information concerning Customer Data and data derived therefrom.
11.43 “Usage Limits” means the specific number and type of Authorized Users, subscriptions, and subscription configurations specifically ordered and paid for by Customer as set forth in the applicable Order.
11.44 “User Documentation” means any accompanying information, manuals, or other materials to assist in the use of the Labstep Service.
SCHEDULE 1
LABSTEP ACCEPTABLE USE POLICY
This Labstep Acceptable Use Policy (this “Policy”) describes prohibited uses of the Labstep electronic laboratory notebook, data management, storage, and retrieval platform and software application (the “Labstep Service”) made available to Customer and/or its Authorized Users (“You”) by Labstep Limited (“Labstep”). The examples described in this Policy are not exhaustive. Labstep may modify this Policy at any time by posting a revised version in the Labstep Service. By using the Labstep Service, You agree to the latest version of this Policy. If You violate the Policy or authorize or help others to do so, we may suspend or terminate Your use of the Labstep Service.
1. NO ILLEGAL, HARMFUL, OR OFFENSIVE USE OR CONTENT
a. You may not use, or encourage, promote, facilitate, or instruct others to use, the Labstep Service for any illegal, harmful, fraudulent, infringing, or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, fraudulent, infringing, or offensive.
b. Prohibited activities or content include:
- Illegal, Harmful or Fraudulent Activities. Any activities that are illegal, that violate the rights of others, or that may be harmful to others, and/or Labstep operations or reputation, including disseminating, promoting, or facilitating child pornography, offering or disseminating fraudulent goods, services, schemes, or promotions, make-money-fast schemes, Ponzi and pyramid schemes, phishing, or pharming.
- Infringing Content. Content that infringes or misappropriates the intellectual property or proprietary rights of others.
- Offensive Content. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
- Harmful Content. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots.
2. NO SECURITY VIOLATIONS
a. You may not use the Labstep Service to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”) used to provide the Labstep Service.
b. Prohibited activities include:
- Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.
- Interception. Monitoring of data or traffic on a System without permission.
- Falsification of Origin. Forging TCP/IP packet headers, e-mail headers, or any part of a message describing its origin or route. The legitimate use of aliases and anonymous remailers is not prohibited by this provision.
3. NO NETWORK ABUSE
a. You may not make network connections to any users, hosts, or networks unless You have permission to communicate with them.
b. Prohibited activities include:
- Monitoring or Crawling. Monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled.
- Denial of Service (DoS). Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
- Intentional Interference. Interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
- Operation of Certain Network Services. Operating network services like open proxies, open mail relays, or open recursive domain name servers.
- Avoiding System Restrictions. Using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions.
4. NO E-MAIL OR OTHER MESSAGE ABUSE
You will not distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements. You will not alter or obscure mail headers or assume a sender’s identity without the sender’s explicit permission. You will not collect replies to messages sent from another internet service provider if those messages violate this Policy or the acceptable use policy of that provider.
5. OUR MONITORING AND ENFORCEMENT
a. Labstep reserves the right, but does not assume the obligation, to investigate any violation of this Policy or misuse of the Labstep Service.
b. Labstep may:
- Investigate violations of this Policy or misuse of the Labstep Service; or
- Remove, disable access to, or modify any content or resource that violates this Policy or any other agreement Labstep has with You for use of the Labstep Service.
c. Labstep may report any activity that it suspects violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Labstep reporting may include disclosing appropriate customer information. Labstep also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.
SCHEDULE 2
LABSTEP SERVICE LEVEL AGREEMENT
This Labstep Service Level Agreement (“SLA”) describes the current practices of Labstep with regard to its provision of Support Services as defined below to Customers with a Labstep Cloud Service subscription which includes Support Services.
1. OVERVIEW
1.1 SUPPORT SERVICES. Labstep will provide Customer with Support Services for the Labstep Cloud Services in accordance with this SLA, subject to Customer’s timely payment of the applicable Subscription Fees.
1.2 SUPPORT ASSISTANT. In order to receive Support Services, Customers experiencing an Error with a Labstep Cloud Service shall access the Support Assistant and input a description of the Error. Labstep Support will either respond to the chat directly or open a Support Case for Customer. If the issue is resolved via the chat, a Support Case may not be established. A Support Case may be established by Labstep for any Error, and may be created by Customer for a Severity 1 Error within the Support Assistant.
1.3 STANDARD BUSINESS HOURS. Unless otherwise expressly set forth herein, all references in this SLA to targeted initial response times (“Targeted Initial Response Time”) or targeted communication frequency (“Targeted Communication Frequency”) from Labstep shall only apply during Labstep’s Standard Business Hours, regardless of when a support matter is reported to Labstep. Times expressed as a number of “business days” include Standard Business Hours.
1.4 LANGUAGE FOR SUPPORT. Any Support Services provided by Labstep hereunder will be provided in the English language or, as applicable, such other languages that may be specified on the Support Assistant, which may change from time to time. The availability of support provided in any language other than English is provided at Labstep’s sole discretion and is not guaranteed by Labstep and will depend on the location of Labstep’s technical support personnel providing such support, including whether or not Customer is entitled to contact that particular support line based on Customer’s geographic location.
2. SUPPORT LEVELS FOR SUPPORT CASES
2.1 SCOPE OF COVERAGE. Customers who have purchased a Labstep Cloud Service receive Support Services for Error determination, verification, and resolution (or instruction as to work-around, as applicable) twenty-four (24) hours a day, seven (7) days a week, 365 days a year for Severity 1 Errors and during Labstep’s Standard Business Hours for Severity 2 and Severity 3 Errors.
2.2 REPORTING. Labstep may report known outages of the Labstep Cloud Service electronically or via the Labstep Cloud Service (“Status Notice”). If a suspected outage has not received a Status Notice, Customer may contact Labstep to report the suspected outage via the Support Assistant. Labstep may respond to such report made via the Support Assistant by posting a Status Notice. Scheduled maintenance times for Labstep Cloud Services will be communicated to Customer electronically or in the Labstep Cloud Service application. Labstep endeavors to provide reasonable prior notice of any scheduled maintenance for the Labstep Cloud Service. Labstep may contact Customer regarding performance issues or anomalies in Customer’s Labstep Cloud Service tenant that are detected by Labstep.
2.3 SUPPORT COVERAGE. Labstep will use commercially reasonable efforts to respond to a Support Case (a) within the Targeted Initial Response Times set forth in the table below for the Labstep Cloud Service for Severity 1 Errors reported by a Technical Contact to Labstep via the Support Assistant or (b) within the Targeted Initial Response Times set forth in the table below for Severity 2 and Severity 3 Errors that are reported by a Technical Contact to Labstep via the Support Assistant. Labstep will respond to Customer’s Technical Contact via the Support Assistant, or, at Labstep’s discretion, via email, videoconference, or teleconference. Severity 2 & 3 Errors will be initially logged and acknowledged by Labstep during Labstep’s Standard Business Hours.
2.4 UPDATES. Updates for Labstep Cloud Services automatically replace the previous version of the Labstep Cloud Service. For all Labstep Cloud Services, Updates do not include new or separate products which Labstep offers only for an additional fee to its customers generally.
3. ERROR RESOLUTION AND ESCALATION FOR SUPPORT CASES
3.1 RESOLUTION. An Error is considered to be resolved upon the earlier to occur of the following: (i) Labstep and Customer mutually agree in writing that the issue or problem is resolved; (ii) Labstep has provided an Update; (iii) a technical work-around solution is provided and is reasonable in Labstep’s discretion; (iv) Customer requests that Labstep close the Support Case; or (v) the Support Case has been left open by the Customer for ten (10) consecutive business days, during which period Labstep has not received a response from any of Customer’s Technical Contacts.
3.2 EXCLUSIONS. Notwithstanding anything in this SLA to the contrary, Labstep will have no obligation to provide any Support Services in connection with: (i) any issue or problem that Labstep determines is not due to any Error or deficiency in the Labstep Cloud Service (including without limitation, issues or problems caused by stand-alone third party software products used in conjunction with the Labstep Cloud Service, the Internet or other communications, Customer network or browser matters, or login issues); (ii) use of the Labstep Cloud Service other than in accordance with the User Documentation and the Governing Agreement; (iii) any issue or problem that is not included in a Support Case; (iv) use of the Labstep Cloud Service provided on a trial or evaluation basis or for which Customer has not paid any fees; (v) any Errors or problems with the applicable Labstep Cloud Service that are not reproducible; or (vi) any Error or problem that is reported by Customer via any Labstep support telephone number or email address. If Labstep does correct any of the Errors described in subsections (i)-(vi) above, or otherwise provides support for a Labstep Cloud Service that is not covered by the terms and conditions contained in this SLA, such Error resolution or support will be provided only following Customer’s written request and approval of all charges, and Customer will be invoiced for such support at Labstep’s then-current “time and materials” rates for such services. Without limiting any of the foregoing, Labstep has no obligation to provide support for any third-party software, data, or other materials distributed or bundled with a Labstep Cloud Service.
4. CUSTOMER’S OBLIGATIONS
4.1 COOPERATION. Customer will provide timely information and access to knowledgeable resources as reasonably required to provide Support Services. Labstep’s support obligations shall be excused to the extent Customer fails to cooperate in this regard.
4.2 RESPONSIBILITIES. The Customer shall: (i) not request, permit or authorize anyone other than Labstep (or a Labstep-authorized partner or provider) to provide any form of Support Services in respect of the Labstep Cloud Services; (ii) cooperate fully with Labstep’s personnel in the diagnosis or investigation of any Error or other issue or problem with the Labstep Cloud Services; (iii) be responsible for maintaining all third party software not explicitly licensed under the Governing Agreement; and (iv) be fully responsible for the actions of any third party (including any Labstep-authorized partner or provider) that it allows to access any information relating to Support Services.
4.3 TECHNICAL CONTACTS. Customer’s contact with Labstep in connection with Customer’s requests for support and reports of Errors shall be solely through its Technical Contact(s). The Technical Contact(s) shall: (i) serve as the internal contact(s) for Customer and its Authorized Users who are authorized to use the Labstep Cloud Services per the terms of the Governing Agreement; (ii) be responsible for initiating all requests by, and maintaining all records of, the Customer and its Authorized Users relating to Support Services; (iii) serve as the contact(s) with Labstep on all matters relating to Support Services; and (iv) be responsible for providing information and support, as requested by Labstep, to assist in the reproduction, diagnosis, analysis, and resolution of Errors. Customer shall ensure that its Technical Contacts comply with any reasonable training requirements for the Technical Contact(s) upon notification by Labstep. Subject to the previous sentence, Customer may change its Technical Contact(s) by notifying Labstep in writing.
4.4 REMOTE ACCESS. If Labstep is unable to reproduce a problem, Labstep may require Customer to provide access to Customer’s Labstep Cloud Service tenant in order to continue providing Support Services for such problem. Customer agrees to be solely responsible for protecting and backing up its data prior to any such access. Labstep accepts no liability in connection with Support Services provided in accordance with Section 4.4. A request for such access will be made only after other options are explored.
4.5 PRIMARY SUPPORT. Customer will be responsible for primary support of any Authorized Users in connection with their use of the Labstep Cloud Service in accordance with the terms of the Governing Agreement. Customer is solely responsible for: (i) passing on to its Authorized Users all support materials as appropriate; and (ii) providing software support, including operational instruction, problem reporting and technical advice to its Authorized Users, in each case of (i) and (ii) above, as necessary to enable the Authorized User to continue to use the Labstep Cloud Service as authorized under the Governing Agreement. Customer’s Authorized Users, as well as its contractors and third-party users, may not contact Labstep directly for support, unless designated as a Technical Contact by Customer.
4.6 DATA SHARING. For certain Support Services provided under this SLA, the transmission of machine logs and/or sharing of data via screen share may be required. For avoidance of doubt, Customer shall not include any business sensitive and/or personal information via transmissions relating to Support Services. Customer shall take reasonable measures to anonymize such data before providing the data to Labstep. However, should Labstep agree to accept any log files or other information containing personal data, Labstep will comply with Labstep’s privacy notices, available to view online at www.labstep.com.
4.7 FREEWARE. Labstep may elect to make certain Labstep Services available free of charge for trial, evaluation, or other purposes (“Freeware”). Support for Freeware, if any, will be provided at Labstep’s discretion and in accordance with the license terms for such Freeware.
5. SERVICE LEVELS
5.1 SERVICE LEVELS. The service levels (“Service Levels”) set forth in this section apply only to the operation of Labstep Cloud Services confirmed by Labstep to be correctly configured and active. These Service Levels do not apply to any other product or service offered by Labstep, including Labstep Professional Services.
5.2 UPTIME PERCENTAGE. Subject to the exclusions described in Section 5.2.4 below, the “Uptime Percentage” for the applicable Labstep Cloud Service is calculated according to the formula below. The Uptime Percentage will be measured based on the industry standard monitoring and testing tools utilized by Labstep. Where:
5.2.1 Total minutes in the month = TMM;
5.2.2 Total minutes in month Unavailable = TMU; and
5.2.3 Uptime Percentage = ((TMM-TMU) x 100)/TMM
5.2.4 EXCLUSIONS. Any Labstep Cloud Availability issues resulting from any of the following will be excluded from Uptime calculations:
5.2.4.1 Scheduled maintenance of the Platform not exceeding five (5) hours per calendar month;
5.2.4.2 Any problems to the extent not caused by Labstep or outside Labstep’s reasonable control that result from (i) computing or networking hardware; (ii) Equipment or software under Customer’s control; (iii) the Internet; (iv) other issues with electronic communications; or (v) events of force majeure such as natural disaster, war, acts of terror, acts of government, or civil unrest;
5.2.4.3 Any problems that result from Customer’s Internet or Internet service providers, VPN issues, email domain server availability or other similar issues;
5.2.4.4 Authentication issues due to changes/issues in Customer’s authentication mechanism;
5.2.4.5 Any problems that result from Customer’s deactivation or suspension of a Customer Managed Key;
5.2.4.6 Access restrictions caused by a suspension of the Customer’s Services User Account access;
5.2.4.7 Labstep’s permitted suspension or termination of Labstep Cloud in accordance with the applicable customer agreement or Labstep’s applicable acceptable use policy;
5.2.4.8 Customer’s breach of its customer agreement for Labstep Cloud;
5.2.4.9 Customer’s failure to purchase adequate capacity on Labstep Cloud;
5.2.4.10 Intentional misuse of Labstep Cloud by Customer; and/or
5.2.4.11 “Beta,” “limited availability” or early access program (EAP) products, features and functions identified as such by Labstep.
6. CHANGES TO SLA. Subject to the terms of the Governing Agreement, Labstep reserves the right, at its discretion, to change the SLA at any time based on prevailing market practices and the evolution of Labstep’s products and services.
7. DISCLAIMER. THIS SLA DEFINES A SERVICE ARRANGEMENT AND NOT A WARRANTY. THE LABSTEP CLOUD SERVICES ARE SUBJECT EXCLUSIVELY TO THE WARRANTIES SET FORTH IN THE APPLICABLE GOVERNING AGREEMENT. THIS SLA DOES NOT CHANGE OR SUPERSEDE ANY TERM OF ANY SUCH GOVERNING AGREEMENT. TO THE EXTENT THERE IS A CONFLICT BETWEEN A TRANSLATED VERSION OF THIS SLA AND THIS ENGLISH VERSION, THE ENGLISH LANGUAGE VERSION WILL PREVAIL.
8. DEFINITIONS
8.1 “Available” and “Availability” mean that the Labstep Cloud Service is accessible by establishment of a connection to the Labstep Cloud platform (“Platform”) by Customer over the Internet in accordance with the User Documentation.
8.2 “Bug” means an issue with the Labstep Cloud Services that does not affect the Customer’s ordinary use of the Labstep Cloud Services in accordance with the Documentation.
8.3 “Error” means any verifiable and reproducible failure of a Labstep Cloud Service to materially conform to the User Documentation.
8.4 “Initial Response Time” means the period commencing when an Error is first reported by Customer’s Technical Contact(s) in the manner required by this SLA and ending when a member of the Labstep technical support team logs the report as a Support Case and responds to the Technical Contact(s) by telephone, email, Live Chat or through the Support Assistant.
8.5 “Live Chat” is Labstep’s online chat feature that enables Customers to directly message and communicate with Labstep’s representatives.
8.6 “Labstep Cloud Service” refers to a paid SaaS offering deployed on Labstep Cloud. Labstep Cloud Service excludes Self-Hosted Software.
8.7 “Self-Hosted Software” means the Labstep software tools used with Labstep Cloud and deployed by Customer external to Labstep Cloud. Support for Self-Hosted Software is set forth in Labstep’s Support Policy.
8.8 “Self-Service Tools” means the Knowledge Base (Labstep’s online database of content and FAQs about the use and support of the Labstep Cloud Service), white papers, Community Forums, webcasts, and other materials available in the Support Assistant to Customers (https://help.labstep.com/en/).
8.9 “Severity 1 Error” means that a Labstep Cloud Service is down or not available due to (i) a server-side failure, but not as a result of scheduled maintenance and/or upgrades, or (ii) any event beyond the reasonable control of Labstep, including but not limited to any interruption of power, telecommunications or Internet connectivity, and any failure of Customer’s internal telecommunications Equipment, browser or network configurations, hardware and/or third party software.
8.10 “Severity 2 Error” means that major functionality is materially impacted and not working in accordance with the technical specifications in the Documentation or significant performance degradation is experienced so that critical business operations cannot be performed.
8.11 “Severity 3 Error” means any Error that is not a Bug, Severity 1 Error, or Severity 2 Error.
8.12 “Standard Business Hours” mean from 08:00 to 17:00 (8:00 am to 5:00 pm), Monday to Friday GMT/BST (excluding national and bank holidays).
8.13 “Support Assistant” means Labstep’s online automated support assistant through which Customer can initiate a Support Case available at https://www.labstep.com/.
8.14 “Support Case” means a documented request for Support Services that is registered with Labstep Support in accordance with this SLA and assigned a case number.
8.15 “Support Services” means the technical end user support for a Labstep Cloud Service as described in this SLA. Support Services do not include services performed onsite at any Customer facility, Professional Services or any services not expressly stated in this SLA.
8.16 “Technical Contact(s)” means Customer’s personnel that have been identified in writing by Customer as the technical contact(s) for Customer and authorized to contact Labstep for support.
8.17 “Update” means a subsequent release of a Labstep Cloud Service which Labstep generally makes available for such offering at no additional fee.
8.18 “Uptime” is the calculation of the amount of time in a calendar month that the Platform is Available.
8.19 “Workspace” refers to the named subdomain assigned to Customer on the Platform.
SCHEDULE 3
LABSTEP PROFESSIONAL SERVICES ADDENDUM
This Labstep Professional Services Addendum (“PSA”) forms a part of the Governing Agreement between Labstep and Customer and governs Customer’s purchase, and Labstep’s provision, of Professional Services, as further detailed in the applicable Order. Capitalized terms below are defined in the Governing Agreement or this PSA.
1. SCOPE OF PROFESSIONAL SERVICES AND ORDERS
1.1 PERFORMANCE. Labstep will provide the Professional Services in accordance with this PSA, the applicable Professional Services Package, and the applicable Order. Labstep is responsible for (a) Labstep Personnel’s and any Subcontractor’s provision of the Professional Services in accordance with this PSA, the applicable Professional Services Package, and the applicable Order and (b) all matters related to Labstep Personnel’s employment, including, without limitation, compensation, benefits, and any statutory obligations. Labstep will only allocate Labstep Personnel for the provision of the Professional Services once Customer has executed the applicable Order. Customer will not cancel or terminate an executed Order for the Professional Services if there are less than fourteen (14) days remaining until Labstep commences the provision of such Professional Services.
1.2 CUSTOMER RESPONSIBILITIES. Customer will comply with the terms of this PSA, the applicable Professional Services Package, and the applicable Order. Customer will cooperate reasonably and in good faith with Labstep Personnel in their provision of the Professional Services including, without limitation: (a) providing Labstep Personnel sufficient resources, knowledgeable employees or staff of Customer, and safe working facilities with Internet access; (b) timely access to accurate and complete Customer Materials; (c) timely, accurate, and complete responses to inquiries or requests for feedback or information from Labstep Personnel; (d) appointing a Customer representative for each Professional Services project to serve as a primary point of contact for Labstep Personnel and to make authorized decisions on behalf of Customer; and (e) actively participating in scheduled project meetings with Labstep Personnel. If Customer’s failure to comply with this Section 1.2 prevents Labstep from providing the Professional Services, as determined by Labstep in its sole discretion, Labstep’s obligation to provide the Professional Services will be excused until Customer remedies such failure, and Labstep will not be responsible for any delays resulting therefrom. If any delay in the provision of Professional Services is caused by Customer and results in additional fees, Customer will pay such additional fees in accordance with Section 2 (FEES AND TAXES) of this PSA. Customer will not hire Labstep Personnel during the Term of this PSA and for a period of twelve (12) months thereafter without Labstep’s prior written consent; provided, however, this restriction will not apply in cases where Labstep Personnel independently respond to public advertisements that are not specifically directed at Labstep Personnel.
1.3 PERMITTED USES. Customer may use, copy, and modify Deliverables solely in conjunction with Customer's authorized use of the Labstep Services.
1.4 AFFILIATES. An Affiliate of Labstep may provide Professional Services to Customer, subject to the terms of this PSA, provided that such Affiliate of Labstep executes an Order directly with Customer. Labstep will (a) be responsible for its Affiliates’ provision of the Professional Services and (b) enforce the terms of this PSA, the applicable Professional Services Package, and any applicable Order on behalf of its Affiliates providing the Professional Services. An Affiliate of Customer may receive the Professional Services under this PSA, provided that such Affiliate of Customer (a) complies with the terms of this PSA and (b) executes an Order directly with Labstep or an Affiliate of Labstep, as applicable. Customer represents and warrants that it has sufficient rights and the authority to make this PSA binding upon each of its Affiliates. Customer and each of its Affiliates will be jointly and severally liable for the acts and omissions of such Affiliate in connection with this PSA, the applicable Professional Services Package, and the applicable Order. Any claim from an Affiliate of Customer will only be brought against Labstep by Customer on behalf of such Affiliate.
1.5 CHANGE ORDERS. Customer may submit written requests to Labstep to change the scope of Professional Services, including Service Packages, described in an applicable Order (each such request, a “Change Order Request”). If Labstep elects to consider a Change Order Request, then Labstep will promptly notify Customer if Labstep believes that the Change Order Request requires an adjustment to the Fees or to the schedule for the performance of the Professional Services. In such event, the Parties will negotiate in good faith a reasonable and equitable adjustment to the Fees and/or schedule, as applicable. Labstep will continue to perform Professional Services pursuant to the existing Order and will have no obligation to perform any Change Order Request unless and until the Parties have agreed in writing to such an equitable adjustment (a “Change Order”). A Change Order is not required for any reallocation by Customer among the various types of Standalone Services available as part of a given Subscription Services plan, provided that (i) Labstep has not commenced delivery, (ii) such reallocation is among Standalone Services of equivalent value (as indicated on the relevant datasheet), and (iii) it does not cause a change in the total Fee for the Service Package as stated on the applicable Order. To request any such reallocation, Customer must provide written notice to Labstep via Customer’s Account Representatives, which request Labstep may confirm or deny in its discretion.
2. COMPENSATION AND INVOICING
2.1 PROFESSIONAL SERVICES FEES. Customer will pay Labstep or the Affiliate of Labstep providing the Professional Services, as applicable, the Fees, including out-of-pocket expenses, set forth in the applicable Order. If the funds on Customer’s Account do not cover the Fees due, Labstep may suspend the provision of the Professional Services until Customer’s account has sufficient funds to cover the Fees due. If Customer is invoiced, Customer will pay the Fees due within thirty (30) days of the date of the invoice, except as otherwise set forth in the applicable Order. If Customer fails to pay an invoice and cure such failure within thirty (30) days of the date Labstep provides Customer with written notice of the same, then Labstep may (a) assess, and Customer will pay, a late fee of the lesser of 1.5% per month or the maximum amount allowable by law and (b) suspend the provision of the Professional Services until all Fees due are paid in full.
2.2 SERVICE PACKAGES. Labstep will invoice Services Packages on an annual basis through the Subscription Term. Labstep will invoice Customer for all Service Packages ordered upon receipt of a valid Order. The Order will confirm the quantity and price of the Service Package(s) ordered, as described in Labstep’s proposal or quotation, and will constitute Customer’s acceptance of the applicable proposal or quote. Labstep’s obligation for completion of the Professional Services proposed is limited to the credits, hours, days, or weeks outlined in the Service Package description(s) within Labstep's proposal. Labstep may, at its sole discretion, stop work to avoid exceeding the total allotted time and/or credits specified. Unused labor credits or time remaining after the performance of a Service Package will expire and not be available for performance later. If funded Service Packages have not been performed within the Subscription Term, the Service Package will expire, and no refund will be provided.
2.3 TAXES. All fees are exclusive of any applicable taxes, levies, duties, or other similar exactions imposed by a legal, governmental, or regulatory authority in any applicable jurisdiction, including, without limitation, sales, use, value-added, consumption, or withholding taxes (collectively, “Taxes”). Customer will pay Taxes in connection with this Agreement (excluding any taxes based on Labstep’s net income, property, or employees), unless the necessary tax exemption information is provided to Labstep or a valid tax exemption certificate is provided to and approved by Labstep. Any exemption from paying Taxes will be on a going-forward basis. If the appropriate tax authority determines, at any time, that Customer is not exempt from paying Taxes, Customer will promptly pay such Taxes to Labstep, plus any applicable interest or penalties.
2.4 PAYMENT DISPUTES. If Customer wishes to dispute any Fees or Taxes, Customer must provide written notice of such dispute to Labstep within sixty (60) days of being billed. Where Customer is disputing any Fees or Taxes, Customer must act reasonably and in good faith and will cooperate diligently with Labstep to resolve the dispute.
3. LABSTEP PERSONNEL
3.1 QUALIFICATIONS. The Labstep Personnel assigned to perform the Professional Services will be qualified, experienced, and otherwise fit for their performance of the Professional Services under the applicable Order. If Customer, in Customer’s reasonable judgement, determines that Labstep Personnel assigned to Customer’s project are unfit, Labstep will in good faith discuss alternatives, and Labstep will replace Personnel as reasonably necessary. Customer acknowledges that any replacement may cause delay in the performance of the Professional Services.
3.2 USE OF SUBCONTRACTORS. Labstep reserves the right to use Subcontractors in performance of the Professional Services, provided: (a) any Subcontractor Labstep uses meets the requirements herein and conditions of this PSA and the applicable Order; (b) Labstep will be responsible for the Subcontractor’s compliance with the terms herein and the Order; and (c) upon Customer’s request or inquiry, Labstep will identify any Subcontractor that Labstep is using, or planning to use, to provide Professional Services in the applicable Order, and will cooperate in good faith to provide Customer with all relevant information regarding such Subcontractors.
3.3 NO EMPLOYEE BENEFITS. Labstep acknowledges and agrees that Labstep’s Personnel are not eligible for or entitled to receive any compensation, benefits, or other incidents of employment that Customer makes available to Customer’s employees. Labstep is solely responsible for all employment related taxes, expenses, withholdings, and other similar statutory obligations arising out of the relationship between Labstep and Labstep’s Personnel and the performance of Professional Services by such Labstep Personnel.
4. LABSTEP’S SECURITY AND COMPLIANCE COMMITMENTS
4.1 COMPLIANCE WITH CUSTOMER’S SECURITY PROGRAM. While on Customer’s premises, Labstep’s Personnel will comply with Customer’s security practices and procedures generally prescribed by Customer for onsite visitors and service providers. However, any requirement that is in addition to the compliance requirements set forth in this PSA (e.g., security requirements that are different from the security practices described herein) must be expressly set forth in an Order. Labstep agrees to discuss in good faith any condition or requirement Customer may have for Labstep’s Personnel that are different from standard policies, however any additional requirement may delay Professional Services and must be vetted and implemented by mutual agreement of the Parties and expressly set forth in an Order. Labstep does not guarantee that it will be able to meet any additional requested requirements.
4.2 LABSTEP’S SECURITY PRACTICES. Labstep has implemented and follows an enterprise security program, with the policies, plans, and procedures consistent with Labstep’s security and privacy obligations. Labstep’s Personnel will be subject to the data protection and confidentiality obligations set forth in the Governing Agreement with respect to any of Customer’s data that Labstep may have access to in connection with the Professional Services.
4.3 PERMISSIONS FOR ACCESS. In the event Customer requires any Labstep Personnel to sign any waivers, releases, or other documents as a condition to gain access to Customer’s premises for performance of the Professional Services (“Access Documents”), Customer agrees: (a) that Labstep Personnel who will be required to sign Access Documents will sign on behalf of Labstep; (b) that any additional or conflicting terms in Access Documents with this PSA will have no effect; and (c) Customer will pursue any claims for breach of any terms in the Access Documents against Labstep and not the individual signing.
5. DELIVERABLES AND CUSTOMER MATERIALS
5.1 DELIVERABLES. The Professional Services Labstep performs (e.g., implementation and configuration of the Labstep Services), and the Deliverables Labstep offers, creates, and delivers to Customer in connection with the Professional Services, are generally applicable to Labstep’s business, and therefore Labstep requires the right to be able to re-use the Deliverables Labstep creates for one customer in connection with all Labstep customers. For the avoidance of doubt, Labstep’s use of the Deliverables created for Customer in connection with Professional Services will comply with Labstep’s ongoing obligations and restrictions with respect to Customer’s Customer Materials and Customer’s Confidential Information, and Labstep will not identify Customer in any way in connection with Labstep’s further use of such Deliverables.
5.2 LABSTEP’S OWNERSHIP. Subject to Customer’s ownership rights in Customer Materials, Labstep will own all rights in and to all Deliverables.
5.3 LICENSE RIGHTS. For those Deliverables provided under an applicable Order, Customer will have the right to access and use those Deliverables in connection with Customer’s access to the applicable Labstep Service(s), and those rights will be of the same scope and duration as Customer’s rights to the underlying Labstep Service.
5.4 CUSTOMER’S MATERIALS. Labstep will have no rights in or to any Customer Materials; however, Customer grants Labstep the right to use Customer Materials in order to provide the Professional Services outlined in the applicable Order. Nothing in this PSA will be deemed to transfer to Labstep any ownership of Customer Materials.
6. ADDITIONAL SERVICE PACKAGE SPECIFIC TERMS
6.1 SERVICE PACKAGES. Services Packages include (a) standalone service offerings (such as account set-up, workspace set up, and Training Services) (“Standalone Services”) and (b) technical and support subscription service plans (such as data migration, database structuring, workflow mapping, device set up, data export, additional training, and API support services) (“Subscription Services”). Certain Subscription Services may include access to Standalone Services. A full description of the Service Packages offerings is available upon request, as updated from time to time. The scope of a Services Package is as indicated in the applicable Order and/or Service Packages datasheet (available upon request).
6.2 SUBSCRIPTION TERM AND CONSUMPTION PERIOD.
6.2.1 SUBSCRIPTION SERVICES. Subscription Services begin on the start date indicated in the applicable Order and are provided on a continuing basis for the duration of the Subscription Term. Any Subscription Term for Service Packages may only be renewed by mutual written agreement of the Parties. Any renewal terms and conditions, including pricing, are subject to change.
6.2.2 STANDALONE SERVICES. Standalone Services must be consumed within twelve (12) months of the date of the applicable Order. After this period, Customer will no longer have any access to the Standalone Service(s).
6.3 AVAILABILITY OF SERVICE PACKAGES REPRESENTATIVES. Service Packages are offered during Business Hours (as defined below) and are delivered by Labstep product specialists such as engagement managers, solution strategists and/or technical architects (each, a “Service Packages Representative”) following a kick-off meeting to be scheduled within thirty (30) days from the date of the Order or the start of the Subscription Term, whichever is later. Labstep may designate different Service Packages Representatives to provide Service Packages (or portions thereof), depending on the particular Professional Services and Labstep Services in scope. Service Packages may be provided remotely or, for certain types and/or Subscription Services plans, on site, in each case, on a schedule mutually agreed between Labstep and Customer’s Account Representatives (as defined below). More information regarding on-site services delivery is included in Section 6.6 (TRAVEL & LIVING EXPENSES). For Subscription Services, Service Packages Representatives will be available to provide the Subscription Services for up to the number of credits/hours per Subscription Term. “Business Hours” means 9 am to 5 pm in a mutually agreed primary location for service delivery on any day that is not a Labstep-designated holiday or weekend in such location.
6.4 ACCOUNT REPRESENTATIVES. Customer must designate up to two (2) individuals to serve as key points of contact with the Service Packages team (the “Account Representatives”). Customer must submit all requests through its Account Representatives, and Labstep will rely and act upon each Account Representative’s instructions. Customer must ensure that the Account Representatives have baseline technical knowledge of the Labstep Services associated with the Service Packages.
6.5 LIMITATIONS OF SERVICE PACKAGES. Fees for Service Packages are to secure the availability, and time and effort, of Service Packages Representatives. Labstep will use commercially reasonable efforts to provide Service Packages in a professional manner and to address Customer requests, but Labstep does not guarantee resolution of such requests. Actual areas of advice and guidance will depend on the ordered Service Packages, as well as on Customer’s requests and needs. Topics that are not explicitly listed in a Service Packages description or in an applicable Service Packages datasheet are outside the scope of the related Professional Services.
6.6 TRAVEL & LIVING EXPENSES. Unless stated otherwise in an applicable Order, on-site services are not included in the Service Packages unless agreed on a case-by-case basis. In such case, any pre-approved travel, lodging and meal expenses incurred by a Service Packages Representative may be invoiced directly to Customer, at minimum monthly, and Customer will reimburse Labstep for those expenses in accordance with the payment terms in the applicable Order for the Service Package(s).
6.7 STANDALONE SERVICES. Standalone Services are standalone service offerings (such as account set-up, workspace set up, and Training Services) to discuss the design and implementation of Customer’s deployment of Labstep Services or solutions, as described in the applicable Order and/or Standalone Services datasheet.
6.8 REFUND POLICY. Customer may request a refund for Standalone Services if Customer provides notice to Labstep via Customer’s Account Representative within thirty (30) days of the date of the Order and before Labstep has commenced delivery of the Standalone Services.
7. TERM AND TERMINATION
7.1 TERM. This PSA will commence on the PSA Effective Date and will continue in effect until terminated in accordance with Section 7.2 (TERMINATION) (“Term”).
7.2 TERMINATION. Either Party may terminate this PSA for convenience by providing written notice of termination no less than thirty (30) days prior to the intended effective date of termination, provided that all Professional Services being provided under this PSA are completed as of such intended effective date of termination. Either Party may terminate this Agreement if the other party materially breaches this Agreement and fails to remedy such breach within thirty (30) days of the date of written notice of such breach. Subject to applicable law, either Party may terminate this PSA immediately by providing written notice in the event of the other Party’s liquidation, commencement of dissolution proceedings or any other proceeding relating to a receivership, failure to continue business, assignment for the benefit of creditors, or becoming the subject of bankruptcy. The following provisions, in addition to this sentence, will survive any termination of this PSA: Section 2 (FEES AND TAXES), Section 5 (DELIVERABLES AND CUSTOMER MATERIALS), Section 6 (ADDITIONAL SERVICE PACKAGE SPECIFIC TERMS), Section 8 (MUTUAL INDEMNIFICATION), and Section 9 (LIMITATION OF LIABILITY).
8. MUTUAL INDEMNIFICATION
8.1 INDEMNIFICATION BY LABSTEP. Labstep will defend Customer, its Affiliates, and each of their directors, officers, and employees (collectively, “Customer Indemnified Parties”) from and against any claim, demand, suit, or proceeding made or brought against a Customer Indemnified Party by a third party arising out of (a) the Labstep IP or Deliverables infringing or misappropriating such third party’s intellectual property rights or (b) death, bodily injury, or damage to tangible property to the extent caused by Labstep Personnel’s provision of the Professional Services under this Agreement, the applicable Professional Services Package, and the applicable Order Form (collectively, “Labstep Indemnifiable Claim”). Labstep will indemnify Customer from any damages, attorney fees, and costs awarded against a Customer Indemnified Party or for settlement amounts approved by Labstep for a Labstep Indemnifiable Claim. If the Labstep IP or Deliverables become, or in Labstep’s opinion are likely to become, the subject of any Labstep Indemnifiable Claim for third-party intellectual property rights infringement or misappropriation, Labstep may at its option and expense: (x) procure for Customer the right to continue using the Labstep IP or Deliverables; (y) modify the Labstep IP or Deliverables to make such Labstep IP or Deliverables non-infringing; or (z) if the foregoing options are not reasonably practicable, terminate this Agreement or the applicable Order Form and refund Customer the fees paid under the applicable Order Form. 
Labstep will have no obligation under this Section 8.1 with respect to any Labstep Indemnifiable Claim arising out of (i) Customer’s breach of this Agreement, the applicable Professional Services Package, or the applicable Order Form; (ii) Customer’s or a third party’s modification of the Labstep IP or Deliverables, where the unmodified version would not be infringing; (iii) any Customer Materials or Labstep’s reliance on any Customer Materials; or (iv) the combination, operation, or use of the Labstep IP or Deliverables with hardware, software, products, services, applications, or any portions thereof, by Customer or a third party, where the Labstep IP or Deliverables would not by themselves be infringing.
8.2 INDEMNIFICATION BY CUSTOMER. Customer will defend Labstep, its Affiliates, and each of their directors, officers, and employees (collectively, “Labstep Indemnified Parties”) from and against any claim, demand, suit, or proceeding made or brought against a Labstep Indemnified Party by a third party arising out of Customer’s acts and omissions set forth in Sections 8.1(i), (ii), (iii), or (iv) (“Customer Indemnifiable Claim”). Customer will indemnify Labstep from any damages, attorney fees, and costs awarded against a Labstep Indemnified Party or for settlement amounts approved by Customer for a Customer Indemnifiable Claim.
8.3 CONDITIONS OF INDEMNIFICATION. As a condition of the foregoing indemnification obligations: (a) indemnified party (“Indemnified Party”) will promptly notify indemnifying party (“Indemnifying Party”) of any Labstep Indemnifiable Claim or Customer Indemnifiable Claim, as applicable (individually or collectively referred to herein as a “Claim”) in writing; provided, however, that the failure to give prompt written notice will not relieve Indemnifying Party of its obligations hereunder, except to the extent that Indemnifying Party was actually and materially prejudiced by such failure; (b) Indemnifying Party will have the sole authority to defend or settle a Claim; and (c) Indemnified Party will reasonably cooperate with Indemnifying Party in connection with Indemnifying Party’s activities hereunder, at Indemnifying Party’s expense. Indemnified Party reserves the right, at its own expense, to participate in the defense of a Claim. Notwithstanding anything herein to the contrary, Indemnifying Party will not settle any Claim for which it has an obligation to indemnify under this Section 8 admitting liability or fault on behalf of Indemnified Party, nor create any obligation on behalf of Indemnified Party without Indemnified Party’s prior written consent, which will not be unreasonably withheld, conditioned, or delayed. This Section 8 states Indemnifying Party’s sole liability to, and Indemnified Party’s exclusive remedy against, the other party for any third-party claims.
9. LIMITATION OF LIABILITY. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS PSA FOR ANY LOST PROFITS, REVENUES, GOODWILL, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, LOST DATA, BUSINESS INTERRUPTION, OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT, AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE DISCLAIMER IN THE PRECEDING SENTENCE WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW. IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY OR ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS PSA EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER OR ITS AFFILIATES UNDER THE APPLICABLE ORDER FOR THE PROFESSIONAL SERVICES OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY. THIS SECTION 9 WILL NOT APPLY TO CUSTOMER’S AND ITS AFFILIATES’ BREACH OF SECTION 2 (FEES AND TAXES) OR AMOUNTS PAYABLE PURSUANT TO A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8 (MUTUAL INDEMNIFICATION).
10. DEFINITIONS
10.1 “Affiliate” means any entity that directly or indirectly controls or is controlled by, or is under common control with, the Party specified. For purposes of this definition, “control” means direct or indirect ownership of more than fifty percent (50%) of the voting interests of the subject entity.
10.2 “Customer Documentation” means any documentation developed, conceived, or acquired specifically for, or on behalf of, Customer, during the Term (as defined above) of this PSA, in connection with the Professional Services.
10.3 “Customer Materials” means any data, information, specifications, instructions, or materials provided by Customer to Labstep in connection with the Professional Services.
10.4 “Deliverables” means the materials and other deliverables that are provided to Customer as part of the Professional Services, and any materials, technology, know-how and other innovations of any kind that Labstep or Labstep Personnel may create or reduce to practice in the course of performing the Professional Services, including without limitation all improvements or modifications to Labstep proprietary technology, and all Intellectual Property Rights therein.
10.5 “Deliverables” means any materials, work products, or other deliverables developed, conceived, or acquired, during the Term (as defined above) of this PSA, in connection with the Professional Services, and any materials, technology, know-how and other innovations of any kind that Labstep or Labstep Personnel may create or reduce to practice in the course of performing the Professional Services, including without limitation all improvements or modifications to Labstep proprietary technology, and all Intellectual Property Rights therein. Deliverables excludes Customer Documentation.
10.6 “Labstep IP” means any documentation, technical configuration, or workflow templates, starter code, software components, content, documentation, materials, methodologies, or other intellectual property that is developed, conceived, or acquired by Labstep or its Affiliates. Labstep IP excludes Customer Documentation and Customer Materials.
10.7 “Labstep Personnel” means Labstep’s and its Affiliates’ employees and contractors, and employees of Subcontractors that assist in providing the Professional Services.
10.8 “Order” means an order document or statement of work between Customer and Labstep, or any of their Affiliates, that identifies the applicable Professional Services, including Service Packages, being purchased, the mutually agreed upon rate for such Professional Services, and any other applicable commercial terms related to the Professional Services.
10.9 “Professional Services” means the professional services provided to Customer by Labstep, including, without limitation, the development and delivery of any Deliverables related thereto, and the provision of any Services Package (as defined below).
10.10 “Service Package(s)” means a predefined unit of Professional Services provided at a firm fixed price, the terms for which are incorporated herein by reference and set forth in the applicable Order.
10.11 “Subcontractors” means any third party that assists Labstep or its Affiliates in providing the Professional Services.
10.12 “Training Services” means any training or education services performed by Labstep under the terms of this PSA and any applicable Order. Training Services shall include, without limitation, all training courses and course materials made available by Labstep to Customer.
SCHEDULE 3
LABSTEP DATA PROTECTION ADDENDUM
This Labstep Data Processing Addendum (“DPA”) is subject to, and forms an integral part of, the Governing Agreement between Customer and Labstep for the Labstep Services and reflects the Parties’ agreement about how Labstep will Process Personal Data on Customer’s behalf.
1. DEFINITIONS
1.1 For the purposes of this DPA, the following terms have the meaning set out below:
1.1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.1.2 “CCPA” means the California Consumer Privacy Act, as amended, and its implementing regulations. The terms “Business” and “Service Provider” where used in this DPA addressing compliance under the CCPA will have the meanings given to them under the CCPA.
1.1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.1.4 “Customer-Managed Deployment” means a deployment of on-premises Labstep or Labstep Affiliate software managed and/or hosted by Customer or by Customer’s third-party cloud provider.
1.1.5 “Cloud Services” means cloud hosting and/or provision of Labstep software-as-a-service solution or other cloud services to Customer.
1.1.6 “Customer” means the customer legal entity which is a Party to the Governing Agreement.
1.1.7 “Customer Personal Data” means Personal Data which Labstep Processes on behalf of the Customer in the performance of the Labstep Services, including, where applicable, Cloud Customer Content. It does not include Personal Data for which Labstep is a Controller.
1.1.8 "Data Protection Law" means all applicable laws, rules, regulations, and governmental requirements relating in any way to the privacy, confidentiality, security, integrity and protection of Personal Data, including without limitation the Australia Privacy Act, the Brazil General Data Protection Law (LGPD), the Canada Personal Information Protection and Electronic Documents Act, the EU GDPR, the Japan Act on the Protection of Personal Information, the Singapore Personal Data Protection Act, Swiss Federal Act on Data Protection, the UK Data Protection Act 2018 and UK General Data Protection Regulation, CCPA and other US state and federal laws, in each case only to the extent applicable to the performance of either Party’s obligations under this DPA.
1.1.9 “DPF” means the EU-U.S. Data Privacy Framework, including the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework.
1.1.10 “Data Subject” means any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity.
1.1.11 “Data Subject Request” means any request from a Data Subject relating to their rights in Personal Data under applicable Data Protection Law, including without limitation any request to access Personal Data; to rectify Personal Data; to restrict processing of Personal Data; to erase Personal Data; to port Personal Data; to object to Personal Data processing; or not to be subject to automated individual decision making.
1.1.12 “Effective Date” means the date on which Labstep receives a validly executed DPA under the instructions above and always subject to the Customer having validly executed a Governing Agreement.
1.1.13 “EEA” means, for the purpose of this DPA, the European Economic Area (including the European Union) and, for the purposes of this DPA, Switzerland.
1.1.14 “EEA Customer Personal Data” means Customer Personal Data that is subject to the EU GDPR.
1.1.15 "EU GDPR" means, in each case to the extent applicable to the Processing activities (i) Regulation (EU) 2016/679.
1.1.16 “Governing Agreement” means either (i) the Labstep Subscription Services Agreement or (ii) the Labstep Supplemental Terms, between Labstep (or a Labstep Affiliate), and the Customer, under which Labstep provides the applicable Labstep Services.
1.1.17 “Labstep” means Labstep Limited or the Labstep Affiliate which is Party to the Governing Agreement.
1.1.18 “Labstep Cloud Customer Content” means information, data, materials, media, or other content to the extent it includes Customer Personal Data that is, by, on behalf of or upon the instructions of the Customer, uploaded into and residing in Labstep Cloud, which Labstep or a Labstep Affiliate Processes on behalf of the Customer.
1.1.19 “Labstep Cloud” means a subscription-based, hosted solution provided and managed by Labstep or a Labstep Affiliate under a Governing Agreement.
1.1.20 “Labstep DPF Companies” means any U.S. Affiliates of Labstep which participate in the DPF, found at https://www.dataprivacyframework.gov/s/.
1.1.21 “Labstep Service(s)” means, pursuant to a Governing Agreement, (i) Labstep Cloud, (ii) a Labstep Cloud trial, (iii) a Labstep Cloud presales proof-of-concept performed by Labstep, and/or (iv) Support Services and/or Professional Services requiring Labstep personnel to access or otherwise Process on Customer’s behalf either (a) Labstep Cloud Customer Content while within or originating from Labstep Cloud and/or (b) Customer Personal Data relating to a Customer-Managed Deployment, and in each case, only as it relates to Processing by Labstep or a Labstep Affiliate of Customer Personal Data. Notwithstanding the foregoing, “Labstep Services” does not include, and accordingly, this DPA does not cover, (i) Labstep Cloud Customer Content which leaves Labstep Cloud, and/or (ii) Customer Personal Data stored in a Customer-Managed Deployment, including but not limited to Customer Personal Data stored within self-hosted software.
1.1.22 “Party” or “Parties” means Labstep and the Customer, individually and collectively, as applicable.
1.1.23 “Personal Data” means information relating to an identified or identifiable natural person or as otherwise defined under applicable Data Protection Law.
1.1.24 “Personnel” means a Party’s employees or other workers under their direct control.
1.1.25 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
1.1.26 “Professional Services” means any implementation, customization, or other consulting services provided to the Customer by Labstep pursuant to the Governing Agreement.
1.1.27 “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
1.1.28 "Security Incident" means unauthorized or unlawful destruction, loss, alteration, or access to, or disclosure of, Customer Personal Data that is in Labstep’s possession or under Labstep’s control in its performance of the Labstep Services. It does not include events which are either (i) caused by the Customer or Customer Affiliates or their end users or third parties operating under their direction, such as the Customer’s or Customer Affiliate’s failure to (a) control user access; (b) secure or encrypt Customer Personal Data which the Customer transmits to and from Labstep during performance of the Labstep Services; and/or (c) implement security configurations to protect Customer Personal Data; or (ii) unsuccessful attempts or activities that do not or are not reasonably likely to compromise the security of Customer Personal Data, including but not limited to unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.1.29 “Remote Support” means the processes by which Labstep can access Labstep software from a remote location to provide Support Services and/or Professional Services.
1.1.30 “Sensitive Data” means any Personal Data (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (b) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation; (c) relating to criminal convictions and offenses; and (d) any other form of Personal Data that is afforded enhanced protection under the applicable Data Protection Law.
1.1.31 “Subprocessor” means any third-party Processor engaged by Labstep to process Personal Data on behalf of Labstep and Customer under this DPA.
1.1.32 “Support Services” means end user support provided by Labstep or an Affiliate to the Customer under the Governing Agreement involving Processing by Labstep of Customer Personal Data either by way of (i) temporary remote access or screenshare, and/or (ii) receipt by Labstep or a Labstep Affiliate of Customer files via Labstep’s support portal.
1.1.33 “Swiss Customer Personal Data” means Customer Personal Data that is subject to the Swiss Federal Act on Data Protection.
1.1.34 “Termination Date” means the termination or expiration of the relevant Service(s) under the Governing Agreement between the Parties, or, in the case of a Labstep Cloud presales proof-of-concept or trial, the termination or expiration of that presales proof-of-concept or trial.
1.1.35 “Third Country” means a third country not deemed by the EU Commission, Swiss Federal Council or UK Information Commissioner, as applicable, to have an equivalent level of privacy protection to those jurisdictions.
1.1.36 “UK Addendum” means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner and laid before Parliament in accordance with S119A(1) Data Protection Act 2018 on 2 February 2022 but, as permitted by Section 17 of such Addendum, the format of the information set out in Part 1 of the Addendum shall be amended as set out in Section 5.4 of this DPA.
1.1.37 "UK Customer Personal Data" means Customer Personal Data that is subject to the UK General Data Protection Regulation.
1.1.38 “2021 SCCs” mean the standard contractual clauses adopted by the COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as any amendments, replacements or other supplementing provisions (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914).
1.2 Any words or terms used in this DPA but not defined have the meanings given to them in Data Protection Laws or Governing Agreement. Provisions of this DPA that apply to only a specific Labstep Service (e.g. Cloud Services, Professional Services, Support Services, etc.) shall be null and void, and Labstep shall have no liability for breach of such provisions, except to the extent Customer receives such Labstep Service.
2. OBLIGATIONS OF CONTROLLER AND PROCESSOR
2.1 GENERAL. The Parties agree that Labstep will Process Customer Personal Data only (i) to perform the Labstep Services; (ii) to the extent permitted by law, for Labstep’s internal “business purposes” (as defined in CCPA) or analogous internal purposes; (iii) as further described on ANNEX 1 hereto, and (iv) as required by applicable Data Protection Law (the “Permitted Purpose”). Labstep will not combine Customer Personal Data received from or Processed on behalf of Customer with Personal Data it receives from or on behalf of third parties, except that Labstep may combine Personal Data as expressly permitted by Data Protection Laws (e.g. to protect against fraud or to improve Labstep’s services). If Labstep is required to Process the Customer Personal Data for any other purpose under applicable Data Protection Laws, Labstep will, unless prohibited by such laws and subject to the terms of this DPA, inform Customer of this requirement in advance of such Processing. Labstep shall not sell (as defined in applicable Data Protection Law) or share (as defined in CCPA) any Personal Data Processed hereunder.
2.1.1 LABSTEP AS A PROCESSOR. Customer and Labstep agree that with regard to the processing of Customer Content, Customer may act either as a Controller or Processor and Labstep is a processor. Labstep will process Customer Content in accordance with Customer’s instructions as set forth in Section 2.5 (CUSTOMER INSTRUCTIONS).
2.1.2 LABSTEP AS A CONTROLLER OF CUSTOMER ACCOUNT DATA. Customer and Labstep acknowledge that, with regard to the processing of Customer Account Data, Customer is a Controller and Labstep is an independent Controller, not a joint Controller with Customer. Labstep will process Customer Account Data as a Controller in order to (a) manage the relationship with Customer; (b) carry out Labstep’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Labstep Services; (d) perform identity verification; (e) comply with Labstep’s legal or regulatory obligation to retain Authorized User records; and (f) as otherwise permitted under applicable Data Protection Law and in accordance with this DPA, the Governing Agreement, and the Labstep Privacy Policy.
2.1.3 LABSTEP AS A CONTROLLER OF CUSTOMER USAGE DATA. The Parties acknowledge that, with regard to the Processing of Customer Usage Data, Customer may act either as a Controller or Processor and Labstep is an independent Controller, not a joint Controller with Customer. Labstep will process Customer Usage Data as a Controller in order to carry out the necessary functions as an electronic laboratory notebook provider, such as: (a) Labstep’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Labstep Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Labstep Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under applicable Data Protection Law and in accordance with this DPA, the Governing Agreement, and the Labstep Privacy Policy.
2.2 CCPA TERMS. To the extent that the CCPA applies to the Processing of Customer Personal Data in the course of providing the Labstep Services: (i) Labstep is a Service Provider and the Customer is a Business (or Service Provider to another Business) in relation to Customer Personal Data, and (ii) without limiting any other term in this DPA or in the Governing Agreement, Labstep shall not (a) retain, disclose, or use any Customer Personal Data for any purpose (including any commercial purpose) other than the specific purpose of performing the Labstep Services or Labstep’s business purposes; or (b) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between the Customer and Labstep. Labstep hereby certifies that it understands the restrictions set forth in this Section 2.2.
2.3 CUSTOMER PERSONAL DATA FOR SUPPORT SERVICES. The Parties acknowledge that Labstep does not ordinarily require the need to Process Customer Personal Data on the Customer’s behalf to resolve a technical issue for Support Services. Accordingly, the Customer shall use their best efforts to minimize any transfer of Customer Personal Data to Labstep for Support Services. Such efforts shall include but not be limited to removing, anonymizing and/or pseudonymizing Customer Personal Data in files prior to Processing by Labstep.
2.4 OBLIGATIONS OF LABSTEP PERSONNEL. Labstep will ensure that Labstep Personnel required to access the Customer Personal Data are subject to a binding duty of confidentiality in respect of such Customer Personal Data.
2.5 CUSTOMER INSTRUCTIONS. Customer authorizes and instructs Labstep to Process Customer Personal Data for the performance of the Labstep Services as described further on ANNEX 1 hereto. Customer shall ensure that its Processing instructions comply with applicable Data Protection Laws in relation to Customer Personal Data and that the Processing of Customer Personal Data in accordance with the Customer’s instructions will not cause Labstep to be in breach of any relevant law. Customer shall not provide or make available to Labstep any Personal Data (i) defined as Sensitive Personal Data or analogous term under applicable Data Protection Law, or (ii) subject to the Health Insurance Portability and Accountability Act (“HIPAA”), financial privacy laws, or similar industry-specific laws requiring additional protections, in each case, without the prior express written authorization of Labstep. The Customer will not disclose Customer Personal Data to Labstep or instruct Labstep to Process Customer Personal Data for any purpose not permitted by applicable law, including Data Protection Laws. Labstep will notify the Customer if Labstep becomes aware that, and in Labstep's reasonable opinion, an instruction for the Processing of Customer Personal Data given by the Customer violates Data Protection Law, it being acknowledged that Labstep is not under any obligation to undertake additional work, screening or legal assessment to determine whether Customer's instructions are compliant with Data Protection Law.
2.6 CUSTOMER WARRANTIES. The Customer represents and warrants: (i) that it has the right and authority under applicable Data Protection Law and any undertakings it may have entered into to disclose, or have disclosed, Customer Personal Data to Labstep to be Processed by Labstep for the Labstep Services and that the Customer has obtained all necessary consents and provided all necessary notifications required by Data Protection Law with respect to the Processing of Customer Personal Data by Labstep; and (ii) that this DPA, and the Security Measures described on ANNEX 2 are adequate and sufficient, and meet Customer’s legal obligations with respect to any Personal Data made available to Labstep.
2.7 ASSISTANCE TO THE CUSTOMER. Upon a written request and taking into account any self-service tools or other functionality available to the Customer through the Labstep Services, Labstep will provide reasonable cooperation and assistance necessary to assist the Customer, insofar as required by Data Protection Law and as it relates to Processing by Labstep for the Labstep Services, in fulfilling the Customer’s obligations to respond to requests from Data Subjects exercising their rights (notwithstanding the Customer’s obligations in Section 7) and/or to carry out data protection impact assessments. Labstep’s Data Protection Officer and privacy team may be reached at info@labstep.com.
2.8 COMPLIANCE WITH DATA PROTECTION LAWS. Each Party will comply with the Data Protection Laws applicable to it in relation to their performance of this DPA.
3. SECURITY
3.1 SECURITY OF DATA PROCESSING. Labstep will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against Security Incidents. At a minimum, these will include the measures set out in ANNEX 2.
3.2 NOTIFICATION OF A SECURITY INCIDENT. Without undue delay after becoming aware of a Security Incident, Labstep or a Labstep Affiliate will notify the Customer without undue delay and take reasonable steps to identify, prevent and mitigate the effects of the Security Incident and to remedy the Security Incident to the extent such remediation is within Labstep’s reasonable control. A notification by Labstep or a Labstep Affiliate to the Customer of a Security Incident under this DPA is not and will not be construed as an acknowledgement by Labstep of any fault or liability of Labstep with respect to the Security Incident.
3.3 NOTIFICATION MECHANISM. Security Incident notifications, if any, will be delivered to Customer by any means Labstep selects, including via email. It is the Customer’s responsibility to ensure that it provides Labstep with accurate contact information and secure transmission at all times.
4. SUBPROCESSORS
4.1 AUTHORIZED SUBPROCESSORS. The Customer agrees that Labstep may use its Affiliates and other Subprocessors to fulfil its contractual obligations under this DPA or to provide certain Labstep Services on its behalf. Schedule 3 lists Subprocessors that are currently engaged by Labstep to carry out Processing activities on Customer Personal Data.
4.2 SUBPROCESSOR OBLIGATIONS. Where Labstep uses a Subprocessor as set forth in this Section 4, Labstep will (i) enter into a written agreement with the Subprocessor and will impose on the Subprocessor contractual obligations not less protective on an aggregate basis than the overall obligations that Labstep has provided under this DPA; and (ii) restrict the Subprocessor’s access to and use of Customer Personal Data to what is reasonably necessary to provide the relevant Labstep Services. Labstep will remain liable, subject to the terms of this DPA, to the Customer for the fulfilment of Labstep's obligations under this DPA with respect to Subprocessors’ Processing of Customer Personal Data.
4.3 APPOINTING A NEW SUBPROCESSOR. Before Labstep engages any new Subprocessor to carry out Processing activities on Customer Personal Data, Labstep will provide notice of such update to the Subprocessor list via the Customer contact. If the Customer is entitled to do so under applicable Data Protection Law and as it relates to the Processing of Customer Personal Data by the Subprocessor, the Customer may make reasonable objections in writing to privacy@labstep.com. After receiving such written objection Labstep will either: (i) work with the Customer to address the Customer’s objections to its reasonable satisfaction, (ii) instruct the Subprocessor not to Process Customer Personal Data, provided that the Customer accepts that this may impair the Labstep Services (for which Labstep shall bear no responsibility or liability), or (iii) notify the Customer of an option to terminate the applicable order form for Labstep Services which cannot be provided by Labstep without the use of the objected-to new Subprocessor. If Labstep does not receive an objection from the Customer, Customer will be deemed to have consented to the appointment of the new Subprocessor.
5. THIRD COUNTRY DATA TRANSFERS
5.1 INTERNATIONAL TRANSFERS. Labstep shall ensure that Customer Personal Data remains adequately protected in relation to any international transfers of Customer Personal Data as and to the extent required under applicable Data Protection Laws.
5.2 TRANSFERS OF EEA CUSTOMER PERSONAL DATA. For transfers of EEA Customer Personal Data by the Customer to Labstep, Customer agrees that Labstep or Labstep Affiliates processing Customer Personal Data hereunder may process Customer Personal Data outside the European Economic Area (“EEA”) as part of the Labstep Services. Any transfers of Customer Personal Data to Labstep to a third country outside the EEA shall be processed subject to:
5.2.1 An adequacy decision of the European Commission; or in the absence thereof;
5.2.2 An applicable Binding Corporate Rules program;
5.2.3 A Labstep DPF Company’s active self-certification (as indicated by the public list of active participants maintained at dataprivacyframework.gov) under the EU-U.S. Data Privacy Framework applicable to such transfers, provided that, in the event Labstep does not maintain such certification, if such certification expires or is terminated for any reason, or in the event such Data Privacy Framework program is no longer in effect or no longer considered adequate in a relevant jurisdiction, then such transfers shall be automatically subject to Section 5.2.4
5.2.4 In the event each of the foregoing are unavailable, pursuant to appropriate safeguards, such as the 2021 SCCs;
5.2.5 To the extent each of the transfer mechanisms provided in Sections 5.2.1-5.2.4 of this section 5 are unavailable, and solely to the extent permitted by GDPR, any derogations or other transfer measures provided under GDPR Art. 49.
5.2.6 With respect to any transfers made pursuant to Section 5.2.4, such 2021 SCCs will be deemed entered into and completed as follows, and hereby incorporated as such into this DPA:
i. (a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where (i) Labstep is Processing Customer Account Data and (ii) Customer is a Controller of Customer Usage Data and Labstep is Processing Customer Usage Data; (b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Controller of Customer Content and Labstep is Processing Customer Content; (c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Processor of Customer Content and Labstep is processing Customer Content; and (d) Module Four (Processor to Controller) of the EU Standard Contractual Clauses will apply where Customer is a Processor of Customer Usage Data and Labstep processes Customer Usage Data;
ii. In Clause 7 of the 2021 SCCs, the optional docking clause will apply with respect to all Labstep Affiliates who Process Customer Personal Data;
iii. In Clause 9 of the 2021 SCCs, Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 4 of this DPA;
iv. In Clause 11 of the 2021 SCCs, the optional language will not apply;
v. In Clause 17 (Option 1), the 2021 SCCs will be governed by the law of the Governing Agreement, provided that if such law is not the law of an EU member state, or if the Governing Agreement does not contain a governing law provision, the 2021 SCCs will be governed by the laws of Ireland;
vi. In Clause 18(b) of the 2021 SCCs, disputes will be resolved before the courts of Ireland;
vii. Annex I, Part A of the 2021 SCCs, shall be completed with the pertinent information as set forth in the Governing Agreement. Annex I, Part B of the 2021 SCCs, shall be completed as set forth on Schedule 1 to this DPA;
viii. Annex I, Part C of the 2021 SCCs: DPC Ireland will be the competent supervisory authority;
ix. Schedule 2 (Technical and Organizational Measures) of this DPA serves as Annex II of the 2021 SCCs;
x. A Party executing this DPA shall be deemed to have signed the 2021 SCCs, consistent with the roles specified in Annex I to this DPA and this Section 5.2.6; and
xi. To the extent Customer Personal Data is transferred to the United States, Annex V is incorporated into the 2021 SCCs (and shall control to the extent of any conflict with Schedule 2).
5.3 SWISS CUSTOMER PERSONAL DATA. For transfers of Swiss Customer Personal Data by the Customer to Labstep where Swiss Customer Personal Data is transferred to a Third Country not deemed under the Swiss Data Protection Law to provide an equivalent level of privacy protection to that in Switzerland, and where the recipient is not one of the Labstep DPF Companies, the Parties agree that the 2021 SCCs shall apply as set out in ANNEX 4 and as particularized in Clauses 5.1 and 5.2 of this DPA, save that references (i) to the EU GDPR shall be replaced by the respective references and/or equivalent terms in the Swiss Federal Act on Data Protection, (ii) to the competent supervisory authority in Annex I. C. shall be replaced with the Swiss Federal Data Protection and Information Commissioner, and (iii) to Member State(s), the EU and the EEA shall include Switzerland.
5.4 UK CUSTOMER PERSONAL DATA. For transfers of UK Customer Personal Data by the Customer to Labstep where such UK Customer Personal Data is processed in a Third Country not deemed under UK Data Protection Law to provide an equivalent level of privacy protection to that in the UK, and where the recipient is not one of the Labstep DPF Companies, the Parties agree that the provisions of the UK Addendum shall apply to such transfers. In particular:
5.4.1 The Customer will be the data exporter, and Labstep the data importer;
5.4.2 The start date for transfers in Table 1 of the UK Addendum shall be the Effective Date unless otherwise agreed between the Parties;
5.4.3 The details of the Parties and their key contacts in Table 1 of the UK Addendum shall be as set out at the commencement of this DPA, and with no requirement for additional signature;
5.4.4 For the purposes of Table 2, the UK Addendum shall be appended to the 2021 SCCs as incorporated by reference into this DPA (including the selection of modules as specified in Section 5.1, the particulars as specified in Section 5.2 of this DPA and the selection and disapplication of optional clauses as set out in Schedule 4);
5.4.5 The appendix information listed in Table 3 of the UK Addendum is set out in the Governing Agreement, in ANNEX 1 (Description of Processing) and in ANNEX 2 to this DPA (Technical and Organisational Measures); and
5.4.6 For the purposes of Table 4, neither Party may end the UK Addendum as set out in Section 19 thereof.
6. AUDITS
6.1 AUDIT REPORTS. Labstep and/or its relevant Affiliate(s) conduct periodic audits of its controls of relevant systems and processes (e.g., ISO 27001), which may include systems and processes involved in the Processing of Customer Personal Data. These audits (i) occur on a regular, recurring basis, (ii) are performed according to the standards and rules of the relevant regulatory or accreditation body, (iii) are paid for by Labstep/its Affiliate(s), and (iv) produce an audit report (“Audit Report”). The Customer may request, and Labstep shall provide (subject to an NDA, where necessary), such Audit Report(s) or extracts thereof, where applicable to the Labstep Services, in order to satisfy the Customer of Labstep’s compliance with statutory Processor obligations (e.g., Article 28 EU GDPR).
6.2 ADDITIONAL INFORMATION AND AUDITS. Where the information provided in the Audit Reports is not reasonably sufficient to demonstrate compliance by Labstep with its statutory Processor obligations in relation to the applicable Labstep Services, the Parties shall discuss in good faith any additional audits reasonably required by the Customer. Such additional audits, if agreed, must (i) be conducted by a third party agreed to by the Parties, (ii) be carried out at the Customer’s cost, (iii) be conducted in a manner undisruptive to the business of Labstep and its Affiliates, (iv) be conducted subject to the terms of an applicable non-disclosure agreement, (v) restrict its findings to only data and information relevant to Customer, and (vi) not prejudice other confidential information (including but not limited to Personal Data) of Labstep, its Affiliates or its other customers.
7. CUSTOMER OBLIGATIONS
7.1 Customer is solely responsible for (a) the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data; (b) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring Customer has the right to transfer, or provide access to, Personal Data to Labstep for Processing in accordance with the terms of the Governing Agreement (including this DPA); and (d) ensuring that Customer’s instructions to Labstep regarding the Processing of Personal Data comply with applicable laws, including applicable Data Protection Law.
7.2 Customer is responsible for independently determining whether the data security provided for in the Labstep Service adequately meets Customer’s obligations under applicable Data Protection Law. Customer acknowledges and agrees that Customer is solely responsible for (a) certain configurations and design decisions for the Labstep Service and (b) for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Law. Without limiting the foregoing, Customer represents, warrants, and covenants that Customer shall only transfer Personal Data to Labstep using secure, reasonable, and appropriate mechanisms.
7.3 Customer acknowledges that the Labstep Service is not intended or designed for the Processing of Sensitive Data, and Customer agrees not to provide any Sensitive Data through the Labstep Service. The Parties agree that Customer provides Personal Data to Labstep as a condition precedent to Labstep’s performance of the Labstep Service and that Personal Data is not exchanged for monetary or other valuable consideration.
7.4 Customer acknowledges that Labstep is an independent Controller when carrying out any activities not related solely to Labstep’s Processing of Personal Data added by Customer to the Labstep Service (such as Labstep’s management of its online forum, analytics, customer accounts, and marketing program) in accordance with Section 2.1.
8. MISCELLANEOUS
8.1 ACCESS AND DELETION OF CUSTOMER PERSONAL DATA. Labstep will delete or return all Customer Personal Data to Customer after the end of the provision of Labstep Services relating to Customer Personal Data, and delete existing copies of Customer Personal Data, except as provided below. If Labstep provides Cloud Services: Customer acknowledges that, notwithstanding any provision to the contrary in this Section 8.1, Labstep may retain personal data: (i) in backup storage or media used in connection with the Labstep Cloud Services provided that such storage/media is used only to restore systems, any data subject to a deletion request is deleted upon any restoration from such backups, and otherwise stored in accordance with reasonable security and retention periods; and (ii) as and to the extent required by applicable Data Protection Law.
8.2 EFFECT OF THIS DPA. Except as amended by this DPA, the Governing Agreement will remain in full force and effect. If there is a conflict between any other agreement between the Parties, including the Governing Agreement and this DPA, the terms of this DPA will control as it relates to Processing of Customer Personal Data. If the Parties have entered into a BAA, that BAA shall govern with respect to “PHI” as defined thereunder. In the event of a conflict between this DPA and the applicable EEA/UK Third Country lawful transfer mechanism (e.g., 2021 SCCs, DPF), the relevant Third Country lawful transfer mechanism terms/principles will prevail. This DPA is effective from the Effective Date and only if and for so long as Labstep provides Labstep Services under the Governing Agreement. This DPA will terminate, unless otherwise terminated by the Parties, on the Termination Date.
8.3 LIABILITY. To the extent permitted by law, the total combined liability of either Party towards the other Party, whether in contract, tort or under any other theory of liability, shall be limited to that set forth in the Governing Agreement as well as any disclaimers contained therein. Any reference in such section to the liability of a Party means the aggregate liability of that Party under the Governing Agreement and this DPA.
8.4 UPDATES TO THIS DPA. In the event any change in the Data Protection Laws requires amendment of this DPA, the Parties agree to negotiate in good faith regarding any necessary amendments.
ANNEX 1
DETAILS OF PROCESSING
The table below in this ANNEX 1 sets out the Customer Personal Data Labstep may Process when providing the Labstep Services:
ANNEX 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Labstep shall undertake appropriate technical and organizational measures for the availability and security of Customer Personal Data and to protect it against unauthorized or unlawful Processing and against accidental or unlawful loss, destruction, alteration or damage, and against unauthorized disclosure or access. These measures, listed below, shall take into account the nature, scope, context and purposes of the Processing, available technology as well as the costs of implementing the specific measures and shall ensure a level of security appropriate to the harm that might result from a Security Incident. Some of the measures below apply to Labstep’s general IT infrastructure/practices and may not necessarily apply to Labstep Cloud. While Labstep may alter its measures in line with evolving security practices and risks, and with due regard to the nature of the Processing, Labstep will not materially decrease the overall protections of the Customer Personal Data below the aggregate standard of the measures in this ANNEX 2.
1. ACCESS CONTROLS TO PREMISES AND FACILITIES. Labstep maintains technical and organizational measures to control access to premises and facilities, particularly to check authorization, utilizing various physical security controls such as ID cards, keys, alarm systems, surveillance systems, entry/exit logging and door locking to restrict physical access to office facilities.
2. ACCESS CONTROLS TO SYSTEMS AND DATA. Labstep operates technical and organizational measures for user identification and authentication, such as logs, policies, assigning distinct usernames for each employee and utilizing password complexity requirements for access to on-premises and cloud-based platforms. In addition, user access is established on a role basis and requires user management, system or HR approval, depending on use. Second-layer authentication may be employed where relevant by way of multi-factor authentication. User access for sensitive platforms is subject to periodic review and testing. Labstep’s IT control environment is based upon industry-accepted concepts, such as multiple layers of preventive and detective controls. To strengthen access control, a centralized identity and access management solution is used to manage application access. Labstep uses on-boarding and off-boarding processes to regulate access by Labstep Personnel.
3. DISCLOSURE CONTROLS. Labstep maintains technical and organizational measures to transport, transmit and communicate or store data on data media (manual or electronic). For certain data transfers, bearing in mind the risk and sensitivity of the data, Labstep may employ encrypted network or similar transfer technologies. Personnel must utilize a dedicated or local VPN network to access internal resources and/or industry-standard authentication and secure communication mechanisms to access cloud-based systems. Logging and reporting are utilized for validation and review purposes. Third-party Subprocessors are subject to privacy and security risk assessments and contractual commitments.
4. INPUT CONTROLS. Labstep maintains measures in its general IT systems for checking whether relevant data has been entered, changed or removed (deleted), and by whom, such as by way of application-level data entry and validation capabilities, and reporting is utilized for validation and review purposes. For Labstep Cloud Customer Content, other than as provided for under this DPA, the Customer is solely responsible for entry, alteration and removal (deletion) of any of its Labstep Cloud Customer Content in Labstep Cloud and, to respect the security and integrity of the Customer Personal Data, Labstep does not monitor Labstep Cloud Customer Content for regular entries, alterations or removals (deletion) by the Customer or its users in its use of the Labstep Services.
5. SEPARATION CONTROLS. Labstep uses segregation standards and protocols between production, testing and development environments of sensitive platforms. Additionally, segregation of data is further supported through user access role segregation.
6. AVAILABILITY CONTROLS. Labstep maintains measures to assure data availability such as local and/or cloud-based back-up mechanisms involving scheduled and monitored backup routines, and local disaster recovery procedures. Labstep may supplement these with additional security protections for its business, for example malware protection. Additionally, data centers of a critical nature are required to submit to periodic third-party evaluation of operating effectiveness for significant controls ensuring data availability. Relevant systems and data center locations are protected through the use of industry-standard firewall capabilities.
7. OTHER SECURITY CONTROLS. Labstep maintains (i) regular control evaluation and testing by audit (internal and/or external), on an as-needed basis, (ii) individual appointment of system administrators, (iii) user access by enterprise IDP, (iv) binding policies and procedures for Labstep’s Personnel, and (v) regular security and privacy training. Policies will clearly inform Personnel of their obligations (including confidentiality and associated statutory obligations) and the associated consequences of any violation.
8. CERTIFICATIONS. Labstep has, at the time of the Effective Date, and shall maintain, certifications under ISO 27001 and/or a comparable information security standard.
ANNEX 3
SUBPROCESSORS
In addition to the Labstep Affiliates, the Controller has authorized the use of the following Subprocessors:
Labstep Sub-Processors:
Labstep Affiliates:
ANNEX 4
TRANSFER IMPACT ASSESSMENT AND SUPPLEMENTAL MEASURES (US)
1. SCOPE
This Transfer Impact Assessment (“TIA”) to the DPA applies to the transfer to the United States of Personal Data subject to the Data Protection Laws of the EEA, UK, or Switzerland.
2. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES IMPLEMENTED BY THE DATA IMPORTER IN ACCORDANCE WITH CLAUSE 8 OF THE CLAUSES:
Organizational security measures are those set forth in the Governing Agreement and Annex III of the DPA.
3. DESCRIPTION OF THE PARTIES’ ASSESSMENT OF THE PROCESSING IN LIGHT OF THE SCCS AND APPLICABLE US LAW, AND DESCRIPTION OF SUPPLEMENTAL CONTROLS OR SECURITY MEASURES IMPLEMENTED TO ENSURE APPROPRIATE SAFEGUARDS WHEN PROCESSING PERSONAL DATA IN THE UNITED STATES:
3.1 APPLICABILITY AND IMPACT OF US LAW
3.1.1 The Parties acknowledge that US law, in particular Executive Order 14086 and FISA Section 702, in limited circumstances, authorize the collection by the United States government of Personal Data transmitted to or Processed in the United States.1 Specifically, FISA § 702 and Executive Order 14086 may authorize the bulk collection of data from “Communications Services Providers” (as defined in the Stored Communications Act) and certain other Parties, subject to specified limitations and procedural safeguards.2 For example, bulk collection of data must occur only in the event of specified national intelligence objectives, with prior authorization, and subject to strict use and retention requirements.3
3.1.2 Additionally, under Executive Order 14086, data subjects residing in “qualifying states” may object to and seek recourse at the US Data Protection Review Court if they believe the processing of personal data by US government Parties violates applicable legal rights.4 As of July 2023, all EEA member states, the United Kingdom, and Switzerland have been designated by the US Department of Justice as “qualifying states” whose residents are eligible to bring claims to the Data Protection Review Court.5 The Parties acknowledge that residents of each such jurisdiction have a right to recourse that is essentially equivalent to the right to legal remedies guaranteed under the Charter of Fundamental Rights.
3.1.3 Taking into account the repeal of Executive Order 12333, issuance of Executive Order 14086 and completion of the rulemaking and administrative requirements set forth therein (including the establishment of the Data Protection Review Court and designation of “Qualifying States”), the subsequent issuance by the European Commission of the “Adequacy decision for the EU-US Data Privacy Framework,”6 and the issuance of adequacy regulations for the “UK-US data bridge” under Section 17A of the (UK) Data Protection Act 2018,7 the Parties agree that the collection and processing of Personal Data by governmental authorities as authorized under Executive Order 14086 and FISA § 702 will be processed in a manner that adequately protects the rights and freedoms of data subjects in the EEA, UK, and Switzerland.
3.1.4 The Parties therefore agree that processing conducted under the 2021 SCCs presents only limited risks to the rights and freedoms guaranteed to individuals under EU, UK, or Swiss law. However, to mitigate residual risks and enhance the protection of the rights and freedoms of individuals, the Parties agree to implement the following supplemental security controls when Processing Personal Data pursuant to the 2021 SCCs.
3.2 SUPPLEMENTAL CONTROLS. This Section 3.2 is collectively the “Supplemental Controls”:
3.2.1 DATA MINIMIZATION. Data importer has taken measures to limit data transfers to the United States only to the extent necessary to perform services on behalf of Customer, taking into account data importer’s business and corporate structure, and relevant service delivery capabilities. Specifically, data importer provides certain support, product development, maintenance, and operational functions on behalf of Labstep and its Affiliates. With respect to Cloud Services, data transfers to data importer generally occur only in connection with specific product development, internal support/maintenance, or security functions, and then, only where personnel of the US Affiliate company have specialized knowledge or capabilities necessary to perform the work in a competent manner or are available at the time relevant internal operations are to be performed. Where specified by Customer, Customer Personal Data is stored exclusively on servers and systems located in the EEA/UK.
3.2.2 TECHNICAL MEASURES. Where transfers are made, in order to ensure appropriate safeguards are in place and ensure the protection of EU residents’ fundamental rights given the nature and scope of US law, the data importer will mitigate known risks using the following controls with respect to Cloud Services:
a. Data importer will encrypt all files at rest in all shared tenant environments using a minimum of AES-256.
b. Labstep’s Cloud Services server is encrypted using keys managed by AWS Key Management Service. All Personal Data accessed via the Cloud Services server and stored in AWS are managed solely by data importer, and the cloud service provider cannot decrypt Personal Data itself; decryption of Personal Data is authorized solely by data importer, and solely in connection with its performance of services on behalf of data exporter. Keys managed by data importer are managed by data importer’s EEA/UK (non-subsidiary) affiliates, and all Customer Personal Data is hosted exclusively in EEA/UK data centers. All keys are unique to each Customer, and separately, to each of Customer’s separate cloud environments (e.g. production, test).
c. Data importer uses per-customer Virtual Private Cloud infrastructure and other logical isolation techniques to limit data availability and processing via shared infrastructure or multi-tenant routing.
d. Data importer will ensure administrative and maintenance sessions, third party integrations/connections, and other external connections to the remote computing environment are secured through the use of at least TLS v1.2 or appropriate VPN connections.
3.3 ADDITIONAL COMMITMENTS. Where authorized by law, data importer will notify Controller, and if necessary affected data subjects, of any request by a governmental authority relating to Personal Data processed pursuant to these Clauses. Further, to the extent the request is known to data importer and remedies are available under applicable law (e.g. CLOUD Act challenges or common law ‘comity’ procedures), data importer will object to any order or request of data importer that data importer believes may authorize the bulk collection or other processing in violation of the Charter with respect to Personal Data transferred under these Clauses, and shall not disclose or authorize the Processing of any requested Personal Data until all administrative or judicial processes pertaining to such objections have been fully adjudicated or exhausted. If such objection is not possible or fails, data importer will either permanently terminate access to such data or delete such data, take other actions necessary to ensure the adequate protection of the individuals’ fundamental rights, or terminate the Clauses (this Section 3.3 is collectively the “Additional Commitments”).
3.4 LIMITATION & INTERPRETATION. Data importer may cease the use of any Supplemental Controls in its sole discretion if, due to a change in applicable Data Protection Laws or data importer’s reliance on alternative adequacy findings of the European Commission or implementation of other appropriate safeguards, such controls are determined to be no longer necessary, or if data importer is otherwise able to meet the requirements of GDPR Chapter 5 absent such controls. A breach of any of the foregoing Supplemental Controls or Additional Commitments shall not be deemed a material breach of the DPA or any underlying agreement between the Parties except to the extent such breach results in a violation of applicable Data Protection Laws, or a court or supervisory authority in a competent jurisdiction determines that the breach results in the failure to provide adequate protections of Personal Data.
1 50 U.S.C. § 1881a (“FISA § 702”); Executive Order 14086 of October 7, 2022, available at: https://www.federalregister.gov/documents/2022/10/14/2022-22531/enhancing-safeguards-for-united-states-signals-intelligence-activities (“Executive Order 14086”).
2 Executive Order 14086 §§ 2(a)-(c).
3 Id. at 2(c).
4 Id. at 2(d).
7 https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents.