Acceptable Use Policy

SOC 2 Criteria: CC1.1, CC1.4, CC1.5, CC2.2, CC5.2

Keywords: Background Checks, Security Awareness Training, Hard Drive Encryption, Anti-Virus Software

Background

StarTree is committed to ensuring all workforce members actively address security and compliance in their roles at StarTree. We encourage self-management and reward the right behaviors.

Purpose

This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Policy

StarTree policy requires all workforce members to accept and comply with the Acceptable Use Policy. StarTree policy requires that:

• Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.

• Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.

• Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures StarTree has in place. Employees will also have ongoing security awareness training that is audited

• Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any StarTree systems has been removed, as well as ensuring that all company owned assets are returned.

• StarTree and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets

• StarTree will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

• A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. StarTree reserves the right to terminate employees in the case of serious cases of misconduct.

Procedures

StarTree requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

• All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

• Use of StarTree computing systems is subject to monitoring by StarTree IT and/or Security team.

• Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including companyprovided and BYOD devices, unattended in public.

• Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

• Use only legal, approved software with a valid license installed through a pre-approved application store. Do not use personal software for business purposes and vice versa.

• Encrypt all email messages containing sensitive or confidential data.

• Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

• Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.

• All data storage devices and media must be managed according to the StarTree Data Classification specifications and Data Handling procedures.

StarTree Master Services Agreement

StarTree will not be obligated to provide support to the extent arising from: (i) Customer’s failure to implement any update or enhancement made available to Customer by StarTree at no charge for addressing such error; (ii) changes by Customer or third parties to the operating system, network configuration or environment; (iii) any customization of the Platform for Customer that is not performed by StarTree for Customer; (iv) use of the Platform in a manner for which it is not designed or other than as specified in the applicable documentation or specifications; (v) the combination, use or interconnection of the Platform with other software or hardware not supplied and not approved by StarTree; (vi) use of the Platform on an unsupported hardware or software platform; or (vii) issues caused by problems with uptime or availability of the public cloud providers.

Availability SLAs

“Available” means the ability to complete a transaction without a server time-out or error. Availability is calculated based on the following formula:

A = (T – M – D) / (T – M) x 100%

A = Availability

T = Total Monthly Minutes

M = Maintenance Time

D = Downtime

“Total Monthly Minutes” is the number of days in the month multiplied by 1,440 minutes per day.

“Maintenance Time” is the time period during which the Platform may not be Available each month so that StarTree can perform Planned Maintenance or Preventative Maintenance.

“Downtime” is the portion of Total Monthly Minutes that the Platform is not Available. Downtime excludes time that Customer is unable to access the Platform due to any of the following: (i) Customer’s own Internet service provider; (ii) force majeure events including systemic Internet failures; (iii) failure related to Customer’s hardware, software or network, or Customer bandwidth restrictions; and (iv) outage or delay due to the public cloud service provider.

“Preventative Maintenance” occurs when StarTree makes the Platform unavailable to avoid the need to engage in emergency maintenance in the future. Preventative Maintenance will occur, to the extent possible, during non-peak hours.

“Planned Maintenance” means maintenance undertaken with no less than 10 business days notice, to:

• Support ongoing product and operational projects to ensure optimal performance.

• Deploy non-critical service packs or patches.

• Conduct periodic redundancy testing.

Service Availability. The Platform will be functional in all material respects (i.e. capable of displaying information and conducting transactions as contemplated in the ordinary course of business) 99.9% of the time during any calendar month period.

Code of Conduct

SOC 2 Criteria: CC1.1, CC1.4, CC1.5, CC2.2, CC5.2

Keywords: : Ethical Behavior, Safety, Harassment, Disciplinary Action, Law Enforcement

Purpose

The StarTree Code of Conduct (“Code”) is built around our belief that everything we do will be measured against the highest possible standards of ethical business conduct. Our commitment to high standards helps us hire great people, build great products, and attract loyal customers.

Who must follow the Code?

We expect all employees to know and follow the Code. Failure to do so can result in disciplinary action, up to and including termination of employment. We also expect our contractors, consultants, and others who may be temporarily assigned to perform work or services for StarTree to follow the Code when they work with us. Failure of a StarTree contractor, consultant, or other service provider to follow the Code can result in termination of their relationship with StarTree.

Who to ask about the Code?

If you have a question or concern about the Code, be proactive and contact your manager. You can also submit a question or raise a concern regarding a suspected violation of our Code (or any other StarTree policy) to your manager.

No Retaliation

StarTree prohibits retaliation against anyone who reports, or participates in an investigation of, a possible violation of our Code, our policies, or the law. Please contact a member of senior management if you believe that you are the subject of retaliation within StarTree.

Code of Conduct

As a StarTree employee, you’re expected to be honest, act ethically, and demonstrate integrity in all situations. You have a duty to follow policies and procedures found in this Code of Conduct, as well as those that are specific to your job. You must also comply with all laws that apply to our business. Most of the time, common sense and good judgment provide excellent guideposts. If you’re unsure about the right thing to do, ask someone on the management team.

Before you act, ask yourself:

• Is this the right thing to do?

• Is it legal?

• Do I have the authority to act?

• Does the action comply with the Code of Conduct and policies and procedures?

• If this action became public, how would it look in the news media?

• Would I be upset or embarrassed if other people found out about this action?

If your answer to any of these questions raises doubts, talk with your supervisor, anyone in management, or the StarTree Compliance Officer. If you’re a supervisor or a manager, you’re responsible for knowing the rules and reviewing the Code of Conduct with the people who report to you to make sure they’re familiar with its contents. You’re also responsible for preventing violations of the Code, as well as detecting violations that may occur and reporting them appropriately.

You’re expected to:

• Lead with integrity.

• Encourage employees to ask questions and expand their knowledge of the rules.

• Demonstrate integrity by acting promptly and effectively when necessary.

• Educate employees on compliance policies specific to their job responsibilities.

Quality Work Environment

We are committed to a supportive work environment, where our employees have the opportunity to reach their fullest potential. Members of our StarTree team are expected to do their utmost to create a workplace culture that is free of harassment, intimidation, bias, and unlawful discrimination.Please read the Employee Handbook for greater detail about how we should conduct ourselves at work.

1. Equal opportunity employment

Employment at StarTree is based solely upon individual merit and qualifications directly related to professional competence. We strictly prohibit unlawful discrimination or harassment on the basis of race, color, religion, veteran status, national origin, ancestry, pregnancy status, sex, gender identity or expression, age, marital status, mental or physical disability, medical condition, sexual orientation, or any other characteristics protected by law. We also make reasonable accommodations to meet our obligations under laws protecting the rights of the disabled.

1. Harassment, discrimination, and bullying

StarTree strictly prohibits discrimination, harassment, and bullying in any form – verbal, physical, or visual. If you believe that you’ve been bullied or harassed by anyone at StarTree, or anyone connected to StarTree (such as a partner or vendor), please immediately report the incident to your manager or the HR team. HR will promptly and thoroughly investigate any complaints and take appropriate action.

1. Drugs and alcohol

Substance abuse is incompatible with the health and safety of our employees, and we don’t permit it. Consumption of alcohol is allowed at our office on special occasions, but we ask everyone to use good judgment and never drink in a way that: (i) leads to impaired performance or inappropriate behavior, (ii) endangers the safety of others, or (iii) violates the law. Illegal drugs in our offices or at work-related events are strictly prohibited.

1. Safe workplace

We are committed to a violence-free work environment. We will not tolerate any level of violence or the threat of violence in the workplace. No one should bring a weapon to work under any circumstances. If you become aware of a violation of this policy, report it to a member of senior management immediately.

Avoid conflicts of interest

As StarTree employees, we should avoid conflicts of interest and circumstances that reasonably present the appearance of a conflict of interest, especially if it would create an incentive for you or present the appearance of an incentive for you, (whether directly or indirectly).

Here is list of areas where conflicts of interest often arise:

• Personal investments (e.g. with competitors)

• Outside employment, advisory roles, and board seats

• Business opportunities found through your work at StarTree

• Inventions influenced by your work at StarTree

• Business opportunities involving friends and relatives

• Acceptance of gifts, entertainment, and other business courtesies

If you are unsure if there is a conflict of interest, contact the Compliance or Legal teams to discuss.

Preserve confidentiality

Throughout its lifecycle, all nonpublic information that is processed, transmitted, and/ or stored by StarTree must be protected in a manner that is consistent with our contractual and legal requirements and reasonable and appropriate for the level of sensitivity, value, and risk associated with Nonpublic information (please see the Data Classification Policy). Information that contains data elements from multiple classifications must be protected at the highest level of information represented. For example, a document that contains Nonpublic and Public information must be treated as Nonpublic information. Nonpublic information must be secured against disclosure, modification, and access by unauthorized individuals. Therefore, the information must be:

• Secured at rest; and

• Secured in transit; and

• Securely destroyed in accordance with record retention policies and procedures.

Information Security

You’re responsible for using StarTree’s computer resources properly – especially with regard to information security – and you need to be thoroughly familiar with StarTree’s Information Security policies and procedures.

These steps can go a long way in preventing unauthorized access:

• Never share your login information.

• Lock your workstation when you step away. Log off your workstation when you leave for the day.

• Clear your workstation, waste can, printers and fax machines of sensitive information, such as PII or company-sensitive information.

Protect StarTree’s Assets

1. Intellectual property

StarTree’s intellectual property rights (e.g. patents, trademarks, copyrights, trade secrets, and “know-how”) are valuable assets. Unauthorized use can lead to their loss or serious loss of value. You must comply with all intellectual property laws, including laws governing the fair use of copyrights and trademarks. You must never use StarTree’s trademarks or other protected information or property for any business or commercial venture without pre-clearance from the Marketing team. Report any suspected misuse of trademarks or other StarTree intellectual property to the Legal or compliance team. Likewise, respect the intellectual property rights of others. Inappropriate use of others’ intellectual property may expose StarTree and you to criminal and civil fines and penalties. Seek advice from the Legal team before you solicit, accept, or use proprietary information from individuals outside the company or allow them obtain access to StarTree proprietary information. You should also check with the Legal team if developing a product feature that uses content not belonging to StarTree.

1. Company Equipment

StarTree gives us the tools and equipment that we need to do our jobs effectively, but counts on us to be responsible and not wasteful. Uncertain whether personal use of company assets is okay? Ask your manager.

1. The Network

StarTree’s network, software, and computing hardware are a critical aspect of our company’s physical property and intellectual property. Follow all security policies diligently. If you have any reason to believe that our network security has been violated – for example, you lose your laptop or think that your network password may have been compromised – promptly report the incident to your manager.

1. Physical Security

Bad actors may steal company assets. Always secure your laptop, important equipment, and your personal belongings, even while on company premises. Promptly report any suspicious activity to your manager.

Ensure financial integrity and responsibility

Financial integrity and fiscal responsibility are core aspects of corporate professionalism. Each

person at StarTree has a role in making sure that money is appropriately spent, our financial records are complete and accurate, and internal controls are honored. This is applicable every time that we hire a new vendor, expense something to StarTree, or sign a new business contract.

It’s important that we also keep records for an appropriate length of time. StarTree’s Data Retention Policy suggests minimum record retention periods for certain types of records. These guidelines help keep in mind applicable legal requirements, accounting rules, and other external requirements. Contractual obligations may sometimes specify longer retention periods for certain types of records. In addition, if you are asked by the Legal team to retain records relevant to a litigation, audit, or investigation, do so until Legal tells you that retention is no longer necessary. If you have any questions regarding the correct length of time to retain a record, contact the Compliance or Legal teams.

Obey the law

StarTree takes its responsibilities to comply with laws very seriously. Every employee is expected to comply with applicable legal requirements and restrictions. You should understand the laws and regulations that apply to your work. Contact the Compliance or Legal teams if you have any questions.

Policy Compliance

Compliance Measurement

The Compliance team will verify compliance with this Code through various methods (e.g.

periodic manager reviews, tool reports, internal and external audits, and employee feedback).

Exceptions

Any exception to this Code must be approved by the Compliance team in writing.

Non-Compliance

Any employee who violates this Code may be subject to disciplinary action, up to and including

termination of employment in addition to any civil and criminal liability.

Your Annual Acknowledgment of the Code of Conduct

Once each year, as a condition of your employment, you’re required to acknowledge that you have received the Code of Conduct and understand its rules. New employees will sign an acknowledgment when they start with the company. Basically, your annual acknowledgment confirms that:

• You’ve reviewed the Code of Conduct and you are required to comply with the Code of Conduct; you will comply with the compliance policies and procedures, as well as policies and procedures related to your job responsibilities;

• You will report any questions or concerns about suspected or actual violations of the Code to your supervisor, anyone in management or StarTree’s Compliance Officer,

• To the best of your knowledge, you haven’t acted contrary to the Code of Conduct

• You have reported any potential conflicts of interest to the Compliance Department.

Data Processing Addendum

Last Updated: July 1, 2023

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Master SaaS Agreement or other written or electronic terms of service or subscription agreement between the member of the StarTree Group that is a party to such agreement (“StarTree”) and the legal entity defined as ‘Customer’ thereunder together with all Customer Affiliates who are signatories to an Order Form for their own Service Account pursuant to such agreement (collectively, for purposes of this DPA, “Customer”, and together with StarTree, the “Parties”) (such agreement, the “Agreement”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1. Definitions.

“Account” means Customer’s account in the Service in which Customer stores and processes Customer Data.

“Affiliate” has the meaning set forth in the Agreement.

“Authorized Affiliate” shall mean a Customer Affiliate who has not signed an Order Form pursuant to the Agreement, but is either a Data Controller or Data Processor for the Customer Personal Data processed by StarTree pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.

“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time. “Customer Data” has the meaning set forth in the Agreement.

“Customer Personal Data” means any Customer Data that is Personal Data.

“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.

“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.

“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

“EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.

“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.

“Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination and “Process”, “Processes” and “Processed” will be interpreted accordingly.

“Purposes” shall mean (i) StarTree’s provision of the Services as described in the Agreement, including Processing initiated by Users in their use of the Services; and (ii) further documented, reasonable instructions from Customer agreed upon by the Parties.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

“Services” means the generally available StarTree software-as-a-service offering described in the Documentation and procured by Customer, and any other services provided by StarTree as described under the Agreement, including but not limited to support and technical services.

“StarTree Group” means StarTree Inc. and its Affiliates.

“SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protectio n/standard-contractual-clauses-scc_en.

“Sub-Processor” means any other Data Processors engaged by a member of the StarTree Group to Process Customer Personal Data.

2. Scope and Applicability of this DPA. This DPA applies where and only to the extent that StarTree Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Services.

3. Roles and Scope of Processing.

3.1. Role of the Parties. As between StarTree and Customer, StarTree shall Process Customer Personal Data only as a Data Processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein, in each case regardless of whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller (“Third-Party Controller”) with respect to Customer Personal Data. To the extent any Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, StarTree is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Laws.

3.2. Customer Instructions. StarTree will Process Customer Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out the exclusive and final instructions to StarTree for all Processing of Customer Personal Data, and (if applicable) include and are consistent with all instructions from Third-Party Controllers. Any additional requested instructions require the prior written agreement of StarTree. StarTree shall promptly notify Customer if, in StarTree’s opinion, such an instruction violates EU & UK Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller

3.3. Customer Affiliates. StarTree’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:

(a) Customer must exclusively communicate any additional Processing instructions requested pursuant to 3.2 directly to StarTree, including instructions from its Authorized Affiliates;

(b) Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer; and

(c) Authorized Affiliates shall not bring a claim directly against StarTree. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against StarTree (“Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against StarTree on behalf of such Authorized Affiliate, unless Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.

3.4. Customer Processing of Personal Data. Customer agrees that it: (i) will comply with its obligations under Data Protection Laws with respect to its Processing of Customer Personal Data; (ii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; and (iii) has obtained all consents, permissions and rights necessary under Data Protection Laws for StarTree to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Data with third-parties via the Services.

3.5. Details of Data Processing.

(a) Subject Matter: The subject matter of the Processing under this DPA is the Customer Personal Data.

(b) Frequency and duration: Notwithstanding expiry or termination of the Agreement, StarTree will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.

(c) Purpose: StarTree will Process the Customer Personal Data for the Purposes, as described in this DPA.

(d) Nature of the Processing: StarTree will perform Processing as needed for the Purposes, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA

(e) Retention Period. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement via its use and configuration of the Service. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by StarTree promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.

(f) Categories of Data Subjects: The categories of Data Subjects to which Customer Personal Data relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:

(i) Prospects, customers, business partners and vendors of Customer (who are natural persons);

(ii) Employees or contact persons of Customer’s prospects, customers, business partners and vendors; and/or

(iii) Employees, agents, advisors, freelancers of Customer (who are natural persons).

g) Categories of Personal Data: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:

(i) Identification and contact data (name, address, title, contact details);

(ii) Financial information (credit card details, account details, payment information);

(iii) Employment details (employer, job title, geographic location, area of responsibility); and/or

(iv) IT information (IP addresses, cookies data, location data).

(h) Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Agreement or Documentation, Customer may also include “special categories of personal data” or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.

4. Sub-Processing.

4.1. Authorized Sub-Processors. Customer provides StarTree with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), as well as StarTree’s current Sub-processors listed here (“Sub-processor Site”) as of the effective date of this DPA and members of the StarTree Group.

4.2. Sub-Processor Obligations. StarTree shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data as StarTree’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, StarTree shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.

4.3. Changes to Sub-Processors. StarTree shall make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors. StarTree shall provide such notification to those emails that have subscribed at least fourteen (14) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, objections (if any) to StarTree’s appointment of the new Sub-processor must be provided to StarTree in writing and based on reasonable grounds relating to data protection. In such event, the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to StarTree that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and StarTree cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may provide written notice to StarTree terminating the Order Form(s) with respect only to those aspects of the Services which cannot be provided by StarTree without the use of the new Sub-processor. StarTree will refund Customer any prepaid unused fees of such Order Form(s) following the effective date of termination with respect to such terminated Services.

5. Security.

5.1. Security Measures. StarTree shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with StarTree’s Security Addendum found at https://startree.ai/legal-security-addendum (“Security Addendum”). StarTree may review and update its Security Addendum from time to time, provided that any such updates shall not materially diminish the overall security of the Services or Customer Personal Data.

5.2. Confidentiality of Processing. StarTree shall ensure that any person who is authorized by StarTree to Process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.3. No Assessment of Customer Personal Data by StarTree. StarTree shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by StarTree relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.

6. Customer Audit Rights.

6.1. Customer may send a written request for an audit of StarTree’s applicable controls, including inspection of its facilities. Following receipt by StarTree of such request, StarTree and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. StarTree may charge a fee (rates shall be reasonable, taking into account the resources expended by StarTree) for any such audit. The audit, and any information arising therefrom shall be considered StarTree’s Confidential Information and may only be shared with a third party (including a Third-Party Controller) with StarTree’s prior written agreement.

6.3. Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with StarTree prior to any review of Reports or an audit of StarTree, and StarTree may object in writing to such Auditor, if in StarTree’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of StarTree. Any such objection by StarTree will require Customer to either appoint another Auditor or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of Reports or an audit shall be borne exclusively by the Auditor. For clarity, the exercise of audit rights under the SCCs shall be as described in this Section 6 (Customer Audit Rights) and Customer agrees these rights are carried out on behalf of Customer and all relevant Third-Party Controllers, subject to the confidentiality and non-use restrictions of the Agreement.

7. Data Transfers.

7.1. Hosting and Processing Locations. StarTree will only host Customer Personal Data in the region(s) offered by StarTree and selected by Customer on an Order Form or as Customer otherwise configures via the Services (the “Hosting Region”). Customer is solely responsible for the regions from which its Users access the Customer Personal Data, for any transfer or sharing of Customer Personal Data by Customer or its Users and for any subsequent designation of other Hosting Regions (either for the same Account, a different Account, or a separate Service). Once Customer has selected a Hosting Region, StarTree will not Process Customer Personal Data from outside the Hosting Region except as reasonably necessary to provide the Services procured by Customer, or as necessary to comply with the law or binding order of a governmental body.

7.2. Transfer Mechanisms. For any transfers by Customer of Customer Personal Data from the European Economic Area and its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to StarTree in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the applicable Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under applicable Data Protection Laws, such as those directly below in 7.2.1. For clarity, for transfers from the United Kingdom and Switzerland, references in the SCCs shall be interpreted to include applicable terminology for those jurisdictions (e.g., “Member State” shall be interpreted to mean “United Kingdom” for transfers from the United Kingdom).

7.2.1. SCCs. Each party agrees to abide by and transfer Customer Personal Data from the Restricted Countries in accordance with the SCCs, which are incorporated into this DPA by reference. Each party is deemed to have executed the SCCs by entering into this DPA.

(a) The below shall apply to the SCCs, including the election of specific terms and/or optional clauses as described in more detail in (i)-(x) below, and any optional clauses not expressly selected are not included:

(i) The Module 2 terms apply to the extent Customer is a Data Controller and the Module 3 terms apply to the extent Customer is a Data Processor of the Customer Personal Data;

(ii) The optional Clause 7 in Section I of the SCCs is incorporated, and Authorized Affiliates may accede to this DPA and the SCCs under the same terms and conditions as Customer, subject to Section 3.3 of this DPA via mutual agreement of the Parties;

(iii) For purposes of Clause 9 of the SCCs, Option 2 (“General written authorization”) is selected and the process and time period for the addition or replacement of Sub-processors shall be as described in Section 4 (Sub-processing) of this DPA;

(iv) For purposes of Clause 13 and Annex 1.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to StarTree on request;

(v) For purposes of Clause 14(c), Customer may subscribe to the Sub-processor Site to receive notifications regarding updates to StarTree’s overview of relevant laws and practices of Third Countries;

(vi) For purposes of Clause 17 and Clause 18 of the SCCs, the Member State for purposes of governing law and jurisdiction shall be the Netherlands;

(vii) For purposes of Annex 1.A, the “data importer” shall be StarTree and the “data exporter” shall be Customer and any Authorized Affiliates that have acceded to the SCCs pursuant to this DPA;

(viii) For purposes of Annex 1.B, the description of the transfer is as described in Section 3.5 (Details of Data Processing) of this DPA;

(ix) For purposes of Annex 2, the technical and organization measures are as follows:

(i) Those measures implemented by StarTree shall be as described in Section 5.1 (Security Measures) of this DPA; and (ii) Those measures that can be selected or configured by Customer, including appropriate controls for “special categories of data”, shall be as further described in StarTree’s Documentation; and

(x) The Sub-processors for Annex III shall be as described in Section 4.1 (Authorized Sub-processors) of this DPA.

8. Security Incident Response.

8.1. Security Incident Reporting. If StarTree becomes aware of a Security Incident, StarTree shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. StarTree’s notification shall be sent to the email registered by Customer within the Service for such purposes, and where no such email is registered, Customer acknowledges that the means of notification shall be at StarTree’s reasonable discretion and StarTree’s ability to timely notify shall be negatively impacted. StarTree shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.

8.2. Security Incident Communications. StarTree shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by StarTree to mitigate or contain the Security Incident, the status of StarTree’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because StarTree personnel do not have visibility to the content of Customer Personal Data, it will be unlikely that StarTree can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of StarTree with Customer in connection with a Security Incident shall not be construed as an acknowledgment by StarTree of any fault or liability with respect to the Security Incident.

9. Cooperation.

9.1. Data Subject Requests. StarTree shall promptly notify Customer if StarTree receives a request from a Data Subject that identifies Customer Personal Data or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). The Service provides Customer with a number of controls that Customer may use to assist it in responding to Data Subject Requests and Customer will be responsible for responding to any such Data Subject Requests. To the extent Customer is unable to access the relevant Customer Personal Data within the Services using such controls or otherwise, StarTree shall (upon Customer’s written request and taking into account the nature of the Processing) provide commercially reasonable cooperation to assist Customer in responding to Data Subject Requests.

9.2. Data Protection Impact Assessments. StarTree shall provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.

9.3. Government, Law Enforcement, and/or Third Party Inquiries. If StarTree receives a demand to retain, disclose, or otherwise Process Customer Personal Data for any third party, including, but not limited to law enforcement or a government authority (“Third-Party Demand”), then StarTree shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that StarTree can provide information to such third-party as reasonably necessary to redirect the Third-Party Demand. If StarTree cannot redirect the Third-Party Demand to Customer, then StarTree shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish StarTree’s obligations under the SCCs with respect to access by public authorities.

10. Relationship with the Agreement.

10.1. The Parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that StarTree and Customer may have previously entered into in connection with the Services. StarTree may update this DPA from time to time, with such updated version posted to https://startree.ai/legal-data-processing-addendum, or a successor website designated by StarTree; provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.

10.2. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. Notwithstanding the foregoing, and solely to the extent applicable to any Customer Personal Data comprised of patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state health care laws, rules or regulations (“HIPAA Data”), if there is any conflict between this DPA and a business associate agreement between Customer and StarTree (“BAA”), then the BAA shall prevail solely with respect to such HIPAA Data.

10.3. Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the SCCs, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the Parties’ obligations under the Agreement, each party agrees that any regulatory penalties incurred by one party (the “Incurring Party”) in relation to the Customer Personal Data that arise as a result of, or in connection with, the other party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other party under the Agreement.

10.4. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the SCCs).

10.5. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

Mutual Nondisclosure Agreement

STARTREE, INC.

MUTUAL NONDISCLOSURE AGREEMENT

This Mutual Nondisclosure Agreement (this “Agreement”) is made as of _____________, by and between StarTree, Inc., a Delaware corporation (the “Company”), and ______________________________ (“Counterparty”). Each party has disclosed and/or may further disclose its Confidential Information (as defined below) to the other in connection with the Relationship (as defined below) pursuant to the terms and conditions of this Agreement. As used herein, the term “Discloser” shall refer to the Company whenever the context refers to the Company’s Confidential Information being disclosed to Counterparty, which is referred to as “Recipient” in that context. Conversely, the term “Discloser” shall refer to Counterparty whenever the context refers to Counterparty’s Confidential Information being disclosed to the Company, which is referred to as “Recipient” in that context.

RECITALS

The parties wish to explore a possible business opportunity of mutual interest regarding [________________________________________] (the “Relationship”) in connection with which Discloser has disclosed and/or may further disclose its Confidential Information (as defined below) to Recipient. This Agreement is intended to allow the parties to continue to discuss and evaluate the Relationship while protecting Discloser’s Confidential Information (including Confidential Information previously disclosed to Recipient) against unauthorized use or disclosure.

AGREEMENT

In consideration of the premises and mutual covenants herein, the parties hereby agree as follows:

1. Definition of Confidential Information. “Confidential Information” means information and physical material not generally known or available outside Discloser and information and physical material entrusted to Discloser in confidence by third parties. Confidential Information includes, without limitation: technical data, trade secrets, know-how, research, product or service ideas or plans, software codes and designs, algorithms, developments, inventions, patent applications, laboratory notebooks, processes, formulas, techniques, mask works, engineering designs and drawings, hardware configuration information, agreements with third parties, lists of, or information relating to, employees and consultants of the Discloser (including, but not limited to, the names, contact information, jobs, compensation, and expertise of such employees and consultants), lists of, or information relating to, suppliers and customers, price lists, pricing methodologies, cost data, market share data, marketing plans, licenses, contract information, business plans, financial forecasts, historical financial data, budgets or other business information disclosed by Discloser (whether by oral, written, graphic or machine-readable format), which Confidential Information is designated in writing to be confidential or proprietary, or if given orally, is confirmed in writing as having been disclosed as confidential or proprietary within a reasonable time (not to exceed thirty (30) days) after the oral disclosure, or which information would, under the circumstances, appear to a reasonable person to be confidential or proprietary.

2. Nondisclosure of Confidential Information. Recipient shall not use any Confidential Information disclosed to it by Discloser for its own use or for any purpose other than to carry out discussions concerning, and the undertaking of, the Relationship. Recipient shall not disclose or permit disclosure of any Confidential Information of Discloser to third parties or to employees of Recipient, other than directors, officers, employees, consultants and agents of Recipient who are required to have the information in order to carry out the discussions regarding the Relationship. Recipient shall take reasonable measures to protect the secrecy of and avoid disclosure or use of Confidential Information of Discloser in order to prevent it from falling into the public domain or the possession of persons other than those persons authorized under this Agreement to have any such information. Such measures shall include the degree of care that Recipient utilizes to protect its own Confidential Information of a similar nature. Recipient shall notify Discloser of any misuse, misappropriation or unauthorized disclosure of Confidential Information of Discloser which may come to Recipient’s attention.

3. Exceptions. Notwithstanding the above, information disclosed hereunder shall not be considered “Confidential Information” as defined herein where Recipient can prove that such information:

(a) was in the public domain at the time it was disclosed or has entered the public domain through no fault of Recipient;

(b) was known to Recipient, without restriction, at the time of disclosure, as demonstrated by files in existence at the time of disclosure;

(c) was independently developed by Recipient without any use of the Confidential Information, as demonstrated by files created at the time of such independent development;

(d) is disclosed generally to third parties by Discloser without restrictions similar to those contained in this Agreement;

(e) becomes known to Recipient, without restriction, from a source other than Discloser without breach of this Agreement by Recipient and otherwise not in violation of Discloser’s rights;

(f) is disclosed with the prior written approval of Discloser; or

(g) is disclosed pursuant to the order or requirement of a court, administrative agency, or other governmental body; provided, however, that Recipient shall provide prompt notice of such court order or requirement to Discloser to enable Discloser to seek a protective order or otherwise prevent or restrict such disclosure.

4. Return or Destruction of Materials. Recipient shall, except as otherwise expressly authorized by Discloser, not make any copies or duplicates of any Confidential Information. Any materials or documents that have been furnished by Discloser to Recipient in connection with the Relationship, together with all copies of such documentation (if any), shall be promptly returned or destroyed by Recipient within ten (10) days after (a) the Relationship has been rejected or concluded or (b) the written request of Discloser; provided, however, that Recipient may retain copies of such materials or documents that are stored on Recipient’s IT backup and disaster recovery systems until the ordinary course deletion thereof.

5. No Rights Granted. Nothing in this Agreement shall be construed as granting any rights under any patent, copyright or other intellectual property right of Discloser, nor shall this Agreement grant Recipient any rights in or to Discloser’s Confidential Information other than the limited right to review such Confidential Information solely for the purpose of determining whether to enter into the Relationship. Nothing in this Agreement requires the disclosure of any Confidential Information, which shall be disclosed, if at all, solely at Discloser’s option. Nothing in this Agreement requires the Discloser to proceed with the Relationship or any transaction in connection with which the Confidential Information may be disclosed.

6. No Representations Made. Recipient acknowledges that neither Discloser, nor any of its representatives, in the course of providing the Confidential Information as contemplated hereunder, is making any representation or warranty (express or implied) as to the accuracy or completeness of any such information, and Recipient assumes full responsibility for all conclusions derived from such information. Recipient shall be entitled to, and shall, rely solely on representations and warranties made in a definitive agreement, if any, relating to the Relationship.

7. No Reverse Engineering. Recipient shall not modify, reverse engineer, decompile, create other works from or disassemble any software programs contained in the Confidential Information of Discloser unless permitted in writing by Discloser.

8. Notice of Compelled Disclosure. In the event that Recipient or any person to whom Recipient or its representatives transmit or have transmitted Confidential Information become legally compelled (by oral questions, interrogatories, requests for information or documents, subpoenas, civil investigative demands or otherwise) to disclose any such Confidential Information, the Recipient shall provide the Discloser with prompt written notice so that the Discloser may seek a protective order or other appropriate remedy, or both, or waive compliance with the provisions of this Agreement. In the event that the Discloser is unable to obtain a protective order or other appropriate remedy, or if it so directs the Recipient, the Recipient shall furnish only that portion of the Confidential Information that the Recipient is advised by written opinion of its counsel is legally required to be furnished by it and shall exercise its reasonable best efforts to obtain reliable assurance that confidential treatment shall be accorded such Confidential Information.

9. Common Interest Agreement. To the extent that any Confidential Information provided or made available hereunder may include material subject to the attorney-client privilege, work product doctrine or any other applicable privilege concerning pending or threatened legal proceedings or governmental investigations, Recipient and Discloser understand and agree that they have a commonality of interest with respect to such matters and it is their desire, intention and mutual understanding that the sharing of such material is not intended to, and shall not, waive or diminish in any way the confidentiality of such material or its continued protection under the attorney-client privilege, work product doctrine or other applicable privilege. All Confidential Information provided or made available by Discloser that is entitled to protection under the attorney-client privilege, work product doctrine or other applicable privilege shall remain entitled to such protection under these privileges, this Agreement, and under the joint defense doctrine. Nothing in this Agreement obligates Discloser to reveal material subject to the attorney-client privilege, work product doctrine or any other applicable privilege.

10. Term. The foregoing commitments of each party shall survive any termination of the Relationship between the parties, and shall continue for a period terminating five (5) years from the date on which Confidential Information is last disclosed under this Agreement.

11. Independent Contractors. The parties are independent contractors, and nothing contained in this Agreement shall be construed to constitute the parties as partners, joint venturers, co-owners or otherwise as participants in a joint or common undertaking.

12. Remedies. Each party’s obligations set forth in this Agreement are necessary and reasonable in order to protect Discloser and its business. Due to the unique nature of Discloser’s Confidential Information, monetary damages may be inadequate to compensate Discloser for any breach by Recipient of its covenants and agreements set forth in this Agreement. Accordingly, the parties each agree and acknowledge that any such violation or threatened violation may cause irreparable injury to Discloser and, in addition to any other remedies that may be available, in law, in equity or otherwise, Discloser shall be entitled to obtain injunctive relief against the threatened breach of this Agreement or the continuation of any such breach by Recipient.

13. Miscellaneous.

(a) Governing Law. The validity, interpretation, construction and performance of this Agreement, and all acts and transactions pursuant hereto and the rights and obligations of the parties hereto shall be governed, construed and interpreted in accordance with the laws of the state of California, without giving effect to principles of conflicts of law.

(b) Entire Agreement. This Agreement sets forth the entire agreement and understanding of the parties relating to the subject matter herein and supersedes all prior or contemporaneous discussions, understandings and agreements, whether oral or written, between them relating to the subject matter hereof.

(c) Amendments and Waivers. No modification of or amendment to this Agreement, nor any waiver of any rights under this Agreement, shall be effective unless in writing signed by the parties to this Agreement. No delay or failure to require performance of any provision of this Agreement shall constitute a waiver of that provision as to that or any other instance.

(d) Successors and Assigns. Except as otherwise provided in this Agreement, this Agreement, and the rights and obligations of the parties hereunder, will be binding upon and inure to the benefit of their respective successors, assigns, heirs, executors, administrators and legal representatives. The Company may assign any of its rights and obligations under this Agreement. No other party to this Agreement may assign, whether voluntarily or by operation of law, any of its rights and obligations under this Agreement, except with the prior written consent of the Company. Notwithstanding the foregoing, Confidential Information of Discloser may not be assigned without the prior written consent of Discloser, unless the assignee shall be the successor entity to the assignor upon the dissolution of the assignor in its present form.

(e) Notices. Any notice, demand or request required or permitted to be given under this Agreement shall be in writing and shall be deemed sufficient when delivered personally or by overnight courier or sent by email, or 48 hours after being deposited in the U.S. mail as certified or registered mail with postage prepaid, addressed to the party to be notified at such party’s address as set forth on the signature page, as subsequently modified by written notice, or if no address is specified on the signature page, at the most recent address set forth in the Company’s books and records.

(f) Severability. If one or more provisions of this Agreement are held to be unenforceable under applicable law, the parties agree to renegotiate such provision in good faith. In the event that the parties cannot reach a mutually agreeable and enforceable replacement for such provision, then (i) such provision shall be excluded from this Agreement, (ii) the balance of the Agreement shall be interpreted as if such provision were so excluded and (iii) the balance of the Agreement shall be enforceable in accordance with its terms.

(g) Construction. This Agreement is the result of negotiations between and has been reviewed by each of the parties hereto and their respective counsel, if any; accordingly, this Agreement shall be deemed to be the product of all of the parties hereto, and no ambiguity shall be construed in favor of or against any one of the parties hereto.

(h) Counterparts. This Agreement may be executed in any number of counterparts, each of which when so executed and delivered shall be deemed an original, and all of which together shall constitute one and the same agreement. Execution of a facsimile or scanned copy will have the same force and effect as execution of an original, and a facsimile or scanned signature will be deemed an original and valid signature.

[Signature Page Follows]

The parties have executed this Mutual Nondisclosure Agreement as of the date first above written.

THE COMPANY:

STARTREE, INC.

By: ________________________________________(Signature)

Name: ________________________________________

Title: ________________________________________

COUNTERPARTY:

________________________________________(PRINT NAME)

By: ________________________________________(Signature)

Name:________________________________________

Title:

Address:

________________________________________

________________________________________

Email: ________________________________________

Security Addendum

Last Updated: July 1, 2023

This Security Addendum is incorporated into and made a part of the written agreement between StarTree and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.

StarTree utilizes infrastructure-as-a-service cloud providers as further described in the Agreement and/or Documentation (each, a “Cloud Provider”) and provides the Service to Customer using a VPC/VNET and storage hosted by the applicable Cloud Provider (the “Cloud Environment”).

StarTree maintains a comprehensive documented security program under which StarTree implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security Program”), including, but not limited to, as set forth below. StarTree regularly tests and evaluates its Security Program, and may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

1. Hosting Location of Customer Data

1.1. Hosting Location. The hosting location of Customer Data is the production Cloud Environment in the Region offered by StarTree and selected by Customer on an Order Form or as Customer otherwise configures via the services.

2. Encryption

2.1. Encryption of Customer Data. StarTree encrypts Customer Data at-rest using AES 256-bit (or better) encryption. StarTree uses Transport Layer Security (TLS) 1.2 (or better) for Customer Data in-transit over untrusted networks.

2.2. Encryption Key Management. StarTree’s encryption key management involves regular rotation of encryption keys. Hardware security modules are used to safeguard top-level encryption keys. StarTree logically separates encryption keys from Customer Data.

3. System & Network Security

3.1. Access Controls.

3.1.1. All StarTree personnel access to the Cloud Environment is via a unique user ID, consistent with the principle of least privilege, requires a VPN, as well as multi-factor authentication and passwords meeting or exceeding PCI-DSS length and complexity requirements.

3.1.2. StarTree personnel will not access Customer Data except (i) as reasonably necessary to provide services under the Agreement or (ii) to comply with the law or a binding order of a governmental body.

3.2. Endpoint Controls. For access to the Cloud Environment, StarTree personnel use StarTree-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint detection and response (EDR) tools to monitor and alert for suspicious activities and Malicious Code (as defined below), and (iii) vulnerability management in accordance with Section 4.7.3 (Vulnerability Management).

3.3. Separation of Environments. StarTree logically separates production environments from development environments. The Cloud Environment is both logically and physically separate from StarTree’s corporate offices and networks.

3.4. Firewalls / Security Groups. StarTree shall protect the Cloud Environment using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.

3.5. Hardening. The Cloud Environment shall be hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Addendum.

3.6. Monitoring & Logging.

3.6.1. Infrastructure Logs. Monitoring tools or services, such as host-based intrusion detection tools, are utilized to log certain activities and changes within the Cloud Environment. These logs are further monitored, analyzed for anomalies, and are securely stored to prevent tampering for at least one year.

3.6.2. User Logs. As further described in the Documentation, StarTree also captures logs of certain activities and changes within the Account and makes those logs available to Customer for Customer’s preservation and analysis.

3.7. Vulnerability Detection & Management.

3.7.1. Anti-Virus & Vulnerability Detection. The Cloud Environment leverages advanced threat detection tools with daily signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). StarTree does not monitor Customer Data for Malicious Code.

3.7.2. Penetration Testing & Vulnerability Detection. StarTree regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Service at least annually. StarTree also runs weekly vulnerability scans for the Cloud Environment using updated vulnerability databases.

3.7.3. Vulnerability Management. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, StarTree will use commercially reasonable efforts to address private and public (e.g., U.S.-Cert announced) critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. To assess whether a vulnerability is ‘critical’, ‘high’, or ‘medium’, StarTree leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS), or where applicable, the U.S.-Cert rating.

4. Administrative Controls

4.1. Personnel Security. StarTree requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.

4.2. Personnel Training. StarTree maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and on-going training.

4.3. Personnel Agreements. StarTree personnel are required to sign confidentiality agreements. StarTree personnel are also required to sign StarTree’s information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.

4.4. Personnel Access Reviews & Separation. StarTree reviews the access privileges of its personnel to the Cloud Environment at least quarterly, and removes access on a timely basis for all separated personnel.

4.5. StarTree Risk Management & Threat Assessment. StarTree’s security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.

4.6. External Threat Intelligence Monitoring. StarTree reviews external threat intelligence, including US-Cert vulnerability announcements and other trusted sources of vulnerability reports. U.S.-Cert announced vulnerabilities rated as critical or high are prioritized for remediation in accordance with Section 3.7.3 (Vulnerability Management).

4.7. Change Management. StarTree maintains a documented change management program for the Service.

4.8. Vendor Risk Management. StarTree maintains a vendor risk management program for vendors that process Customer Data designed to ensure each vendor maintains security measures consistent with StarTree’s obligations in this Security Addendum.

5. Physical & Environmental Controls

5.1. Cloud Environment Data Centers. To ensure the Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment, StarTree regularly reviews those controls. Each Cloud Provider shall have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks. Such controls, shall include, but are not limited to, the following:

5.1.1. Physical access to the facilities are controlled at building ingress points;

5.1.2. Visitors are required to present ID and are signed in;

5.1.3. Physical access to servers is managed by access control devices;

5.1.4. Physical access privileges are reviewed regularly;

5.1.5. Facilities utilize monitor and alarm response procedures;

5.1.6. Use of CCTV;

5.1.7. Fire detection and protection systems;

5.1.8. Power back-up and redundancy systems; and

5.1.9. Climate control systems.

5.2. StarTree Corporate Offices. While Customer Data is not hosted at StarTree’s corporate offices, StarTree’s technical, administrative, and physical controls for its corporate offices, shall include, but are not limited to, the following:

5.2.1. Physical access to the corporate office is controlled at office ingress points;

5.2.2. Badge access is required for all personnel and badge privileges are reviewed regularly;

5.2.3. Visitors are required to sign in;

5.2.4. Use of CCTV at building ingress points;

5.2.5. Tagging and inventory of StarTree-issued laptops and network assets;

5.2.6. Fire detection and sprinkler systems; and

5.2.7. Climate control systems.

6. Incident Detection & Response

6.1. Security Incident Reporting. If StarTree becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident“), StarTree shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware. To facilitate timely notification, Customer must register and maintain an up-to-date email within the Service for this type of notification. Where no such email is registered, Customer acknowledges that the means of notification shall be at StarTree’s reasonable discretion and StarTree’s ability to timely notify shall be negatively impacted.

6.2. Investigation. In the event of a Security Incident as described above, StarTree shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident, shall be preserved for at least one year.

6.3. Communication and Cooperation. StarTree shall provide Customer timely information about the Security Incident to the extent known to StarTree, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by StarTree to mitigate or contain the Security Incident, the status of StarTree’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because StarTree personnel may not have visibility to the content of Customer Data, it may be unlikely that StarTree can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of StarTree with Customer in connection with a Security Incident shall not be construed as an acknowledgment by StarTree of any fault or liability with respect to the Security Incident.

7. Deletion of Customer Data.

7.1. By Customer. The Service provides Customer controls for the deletion of Customer Data, as further described in the Documentation.

7.2. By StarTree. Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, StarTree shall promptly delete any remaining Customer Data.

8. Customer Rights & Shared Security Responsibilities

8.1. Customer Penetration Testing. Customer may provide a written request for a penetration test of its Account (“Pen Test“) by submitting such request via a support ticket. Following receipt by StarTree of such request, StarTree and Customer shall mutually agree in advance on details of such Pen Test, including the start date, scope and duration, as well as reasonable conditions designed to mitigate potential risks to confidentiality, security, or other potential disruption of the Service or StarTree’s business. Pen Tests and any information arising therefrom are deemed StarTree’s Confidential Information. If Customer discovers any actual or potential vulnerability in connection with a Pen Test, Customer must immediately disclose it to StarTree and shall not disclose it to any third-party.

8.2. Customer Audit Rights.

8.2.1. Customer may send a written request for an audit of StarTree’s applicable controls, including inspection of its facilities. Following receipt by StarTree of such request, StarTree and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of and security and confidentiality controls applicable to any such audit. StarTree may charge a fee (rates shall be reasonable, taking into account the resources expended by StarTree) for any such audit. Audit Reports, any audit, and any information arising therefrom shall be considered StarTree’s Confidential Information.

8.2.1. Where the Auditor is a third-party (or Customer is using a third-party to conduct an approved Pen Test under Section 8.1), such third party may be required to execute a separate confidentiality agreement with StarTree prior to any audit, Pen Test, and StarTree may object in writing to such third party if in StarTree’s reasonable opinion the third party is not suitably qualified or is a direct competitor of StarTree. Any such objection by StarTree will require Customer to appoint another third party or conduct such audit, Pen Test, or review itself. Any expenses incurred by an Auditor in connection with any review of an audit or Pen Test, shall be borne exclusively by the Auditor.

8.3. Sensitive Customer Data. Use of the Service to meet requirements of PCI-DSS, HIPAA, FedRAMP, or similar heightened standards, require additional controls which shall be implemented by Customer, including that Customer Data subject to such requirements may only be uploaded to Editions and Regions of the Service specifically designated in the Documentation for such requirements. Additionally, Customer must implement all appropriate Customer-configurable security controls, including IP whitelisting and MFA for all User interactive logins (e.g., individuals authenticating to the Service) to protect such data.

8.4. Shared Security Responsibilities. Without diminishing StarTree’s commitments in this Security Addendum, Customer agrees:

8.4.1. StarTree has no obligation to assess the content or accuracy of Customer Data, including to identify information subject to any specific legal, regulatory or other requirement and Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the particular content of Customer Data, including, where appropriate, implementation of encryption functionality, pseudonymization of Customer Data, and configuration of the Service to back-up Customer Data;

8.4.2. Customer is responsible for managing and protecting its User roles and credentials, including but not limited to (i) ensuring that all Users keep credentials confidential and not share such information with unauthorized parties, (ii) promptly reporting to StarTree any suspicious activities related to Customer’s Account (e.g., a user credential has been compromised), (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration;

8.4.3. To appropriately manage and protect any Customer-managed encryption keys to ensure the integrity, availability, and confidentiality of the key and Customer Data encrypted with such key; and

8.4.4. To promptly update its Client Software whenever StarTree announces an update.

Software Evaluation Agreement

SOFTWARE EVALUATION AGREEMENT

This Software Evaluation Agreement ( “Agreement”), effective as of ____________, 202___ (“Effective Date”), is made and entered into between ___________________, a ____________ corporation with principal offices at ____________________, California (“Licensor”) and a __________________ corporation, with offices at (“Evaluator”). In consideration of the foregoing and the promises and conditions contained herein, the parties do hereby agree as follows:

1. Right to Use. Subject to the terms and conditions of this Agreement, Licensor grants Evaluator a royalty-free, nonexclusive, non transferable, non-assignable license (without right of sublicense) to use the Licensor computer software product(s) set forth in Exhibit A attached hereto, in machine executable object code form, and any supporting documentation provided by Licensor to Evaluator (collectively, the “Software”) only for the purpose of internal evaluation by Evaluator. Evaluator shall use the Software only at Evaluator’s designated site set forth in Exhibit A.

1.1. License Restrictions. Evaluator will have no right to copy (except for one backup copy), modify or create derivative works of the Software nor to reverse assemble, reverse engineer, decompile or otherwise attempt to derive source code from the Software. In addition, Evaluator shall not:

1.1.1. merge the Software with another program for any purpose whatsoever; or

1.1.2. sublicense, distribute, sell, lend, rent, lease, transfer, or grant any rights in or to all or any portion of the Software; or

1.1.3. transfer or reexport, directly or indirectly, the Software to any person or entity outside of the United States without the prior written consent of Licensor.

1.2. Rights in Software. The Software is owned by Licensor and is protected by United States and international copyright laws and treaty provisions. Licensor may at any time and at its sole election replace, modify, alter, improve, enhance, or change the Software. This Software license is not a sale and does not transfer to Evaluator any title or ownership interest in or to the Software or any patent, copyright, trade secret, trade name, trademark or other proprietary or intellectual property rights related to the Software. Except for the rights expressly granted herein, Licensor retains all of its right, title and interest in and to the Software. Evaluator shall not remove, alter, or obscure any proprietary notices contained on or within the Software and shall reproduce such notices on any backup copy of the Software.

2. Bug Reports and Feedback. Evaluator shall promptly provide Licensor with a report of any actual or potential error or bug in the Software. Licensor will have no obligation to correct Software errors or bugs in the Software. Evaluator may from time to time provide suggestions, comments or other feedback on the Software (together with bug reports, “Feedback”). Both parties agree that all Feedback is and shall be given entirely voluntarily. Feedback, even if designated as confidential by Evaluator, shall not, absent a separate written agreement, create any confidentiality obligation for Licensor. Licensor shall be free to use, disclose, reproduce, license or otherwise distribute, and exploit the Feedback provided to it as it sees fit, entirely without obligation or restriction of any kind on account of intellectual property rights or otherwise.

3. Confidential Information. Evaluator agrees that neither it nor any of its employees will use for their own account (except as expressly permitted under the license granted in Section 1) or for the account of any third party or disclose to any third party (i) the Software, (ii) any information regarding the content, purpose, design or function of the Software, or (iii) any know-how, technical data or other information, including, but not limited to, that which relates to research, product plans, products, services, customers, markets, developments, inventions, processes, marketing or finances (collectively, “Confidential Information”). The parties understand, however, that Confidential Information will not include any information (x) that is generally known and available in the public domain at the time of disclosure without fault of Evaluator, or (y) that was 1 known to Evaluator prior to its negotiations with Licensor, or (z) that is hereafter rightfully furnished to Evaluator by a third party without restrictions on disclosure and without breach of confidentiality restriction. Evaluator agrees to require every Evaluator employee who will have access to, use of, or knowledge of the Software to execute (in advance of and as a condition to such access, use or knowledge) a confidentiality agreement including terms similar to those contained herein. Evaluator shall protect the secrecy of and avoid disclosure or unauthorized use of Confidential Information in order to prevent it from falling into the public domain or the possession of persons other than those persons authorized hereunder to have any such information, which measures must include the highest degree of care that Evaluator utilizes to protect its own confidential information of a similar nature. Evaluator shall notify Licensor in writing of any misuse or misappropriation of Confidential Information which may come to Evaluator’s attention.

4. Warranty. THE SOFTWARE IS LICENSED “AS IS.” LICENSOR MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO THE SOFTWARE OR THE USE OR OPERATION THEREOF, AND SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

5. Term and Termination. The term of this Agreement and the license granted herein will commence on the Effective Date and continue for a period of _____ (__) days, unless earlier terminated in accordance with this Section 5. Licensor may terminate this Agreement and the license granted hereunder at any time, immediately upon written notice, in the event Evaluator fails to comply with any of the terms and conditions of this Agreement. Within 10 days after termination or expiration of this Agreement, Evaluator shall return or destroy and provide written certification of destruction, at Licensor’s discretion, all copies of the Software and any related materials. The provisions of Sections 1.2, 2, 3, 4, 6, 7, and 8 will survive any termination or expiration of this Agreement.

6. Limitation of Liability. IN NO EVENT WILL LICENSOR BE LIABLE FOR ANY DAMAGES, INCLUDING LOSS OF DATA, LOSS OF SYSTEM AVAILABILITY, LOSS OF COMPUTER RUN TIME, LOST PROFITS, COST OF COVER OR OTHER SPECIAL, INCIDENTAL, CONSEQUENTIAL, DIRECT OR INDIRECT DAMAGES ARISING FROM THE USE OF THE SOFTWARE OR ACCOMPANYING MATERIALS, HOWEVER CAUSED AND WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR ANY OTHER THEORY OF LIABILITY. THIS LIMITATION WILL APPLY EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE PARTIES ACKNOWLEDGE THAT THIS IS A REASONABLE ALLOCATION OF RISK.

7. Remedies. Evaluator agrees that the obligations of Evaluator provided herein are necessary and reasonable in order to protect Licensor and its business, and Evaluator expressly agrees that monetary damages would be inadequate to compensate Licensor for any breach by Evaluator of its covenants and agreements set forth herein. Accordingly, Evaluator agrees and acknowledges that any such violation or threatened violation will cause irreparable injury to Licensor and that, in addition to any other remedies that may be available, in law, in equity or otherwise, Licensor will be entitled to obtain injunctive relief against the breach or threatened breach of this Agreement or the continuation of any such breach by Evaluator, without the necessity of proving actual damages.

8. Miscellaneous. Evaluator may not assign or sublicense or otherwise transfer the rights or license granted hereunder, by agreement or by operation of law, without the prior written consent of Licensor, and all assignments in violation of this prohibition will be null and void. This Agreement is the entire agreement between the parties relating to the subject matter hereof and may only be modified in writing signed by both parties. This Agreement will be governed by the laws of the State of California without reference to conflicts of law principles. In any dispute arising out of this Agreement, Licensor and Evaluator each consent to the jurisdiction of both the state and federal courts of Santa Clara County, California and agree to bring any actions arising out of this Agreement in such court. If any provision or clause of this Agreement is held unenforceable, the remainder of this Agreement will continue in full force and effect.

The parties have signed below to indicate their acceptance of the above terms and conditions:

(“Evaluator”)

By: _________________________________________________

Title: _________________________________________________

Date: _________________________________________________

(“Licensor”)

By: _________________________________________________

Title: _________________________________________________

Date: _________________________________________________

Exhibit A

SOFTWARE

Software:_________________________________________________

Designated Public Cloud Provider :_____________________

Designated region: _____________________

____________________________ Evaluator

____________________________ Street Address

____________________________ City, State, Zip Code

StarTree Software License Agreement

StarTree will not be obligated to provide support to the extent arising from: (i) Customer’s failure to implement any update or enhancement made available to Customer by StarTree at no charge for addressing such error; (ii) changes by Customer or third parties to the operating system, network configuration or environment; (iii) any customization of the Platform for Customer that is not performed by StarTree for Customer; (iv) use of the Platform in a manner for which it is not designed or other than as specified in the applicable documentation or specifications; (v) the combination, use or interconnection of the Platform with other software or hardware not supplied and not approved by StarTree; (vi) use of the Platform on an unsupported hardware or software platform; or (vii) issues caused by problems with uptime or availability of the public cloud providers.

Availability SLAs

“Available” means the ability to complete a transaction without a server time-out or error. Availability is calculated based on the following formula:

A = (T – M – D) / (T – M) x 100%

A = Availability

T = Total Monthly Minutes

M = Maintenance Time

D = Downtime

“Total Monthly Minutes” is the number of days in the month multiplied by 1,440 minutes per day.

“Maintenance Time” is the time period during which the Platform may not be Available each month so that StarTree can perform Planned Maintenance or Preventative Maintenance.

“Downtime” is the portion of Total Monthly Minutes that the Platform is not Available. Downtime excludes time that Customer is unable to access the Platform due to any of the following: (i) Customer’s own Internet service provider; (ii) force majeure events including systemic Internet failures; (iii) failure related to Customer’s hardware, software or network, or Customer bandwidth restrictions; and (iv) outage or delay due to the public cloud service provider.

“Preventative Maintenance” occurs when StarTree makes the Platform unavailable to avoid the need to engage in emergency maintenance in the future. Preventative Maintenance will occur, to the extent possible, during non-peak hours.

“Planned Maintenance” means maintenance undertaken with no less than 10 business days notice, to:

• Support ongoing product and operational projects to ensure optimal performance.

• Deploy non-critical service packs or patches.

• Conduct periodic redundancy testing.

Service Availability. The Platform will be functional in all material respects (i.e. capable of displaying information and conducting transactions as contemplated in the ordinary course of business) 99.9% of the time during any calendar month period.