Prelude Service Terms

These Prelude Service Terms, together with any exhibits or schedules attached (the “Terms”) govern your access to and use of the following Prelude Research, Inc. or affiliate (“Prelude”) cybertechnology services: (i) Detect (continuous security testing software); (ii) Security Monitoring Services; (iii) any other services that Prelude shall expressly declare to be governed by these Terms from time to time; and, (iv) related professional services (“Professional Services” and collectively, the “Services” but excluding Non-Prelude Applications (as defined herein)). 

BY EXECUTING A SALES ORDER, STATEMENT OF WORK OR SIMILAR DOCUMENT THAT REFERENCES THESE TERMS (A “SALES ORDER”, AND TOGETHER WITH THESE TERMS, THE “AGREEMENT”), YOU AGREE TO BE BOUND BY AND COMPLY WITH THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS, YOU MAY NOT ACCESS OR USE THE SERVICES. IF YOU ARE ENTERING INTO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS.  In order to be binding, a Sales Order must be signed by both parties. The parties may enter into additional Sales Orders from time to time during the Term (as defined below).

Provision of Services and License Grant

Ownership of Services. Prelude owns the Services, including all modifications and improvements thereto and derivative works thereof. Prelude shall make the Services available to you and your authorized employees, affiliates and subsidiaries (“Users”) in accordance with the Agreement for your internal business purposes only. Any products or services provided to you prior to the execution of any Sales Order remain the sole property and confidential information of Prelude and shall be governed by the terms of this Agreement.

Service & Support Terms. Prelude shall make the Services available pursuant to the service level standards set forth in Exhibit A, attached hereto, except as otherwise provided for in a Sales Order. Prelude provides technical support to all users through certain Discord and Slack channels made available to customers and electronic mail at support@preludesecurity.com. Support is available on weekdays during the hours of 9:00 am through 8:00 pm Eastern time, with the exclusion of U.S. federal holidays.

Data Processing Agreement. You and Prelude will agree to and abide by the provisions of the Data Processing Agreement set forth in Exhibit B, attached hereto.

Updates to Services. During the Term of this Agreement, Prelude may make updates or modifications to the Services and their features or functionality, provided that the changes do not materially diminish the Services. Your access to new products and features may require additional Sales Orders, to the extent such products or features are not within the scope of your Sales Order(s).

License Grant. Subject to and conditioned on your payment of fees due under the Agreement and full compliance with all other terms and conditions of the Agreement, Prelude hereby grants you and your Users a revocable, worldwide, non-exclusive license during the applicable Order Term (as defined below) to access and use the Services solely for your internal business purposes (the “Enterprise License”), subject to any usage or user restrictions set forth in a Sales Order. This Enterprise License granted pursuant to this Section will terminate upon termination of the applicable Order Term, as defined below.

Ownership of Customer Data. You own all data delivered to Prelude by you or collected by Prelude on your behalf (the “Customer Data”). You hereby grant to Prelude a fully paid, royalty-free, limited, worldwide, non-exclusive license to use Customer Data to provide the Services to you, and to provide security monitoring, verify data integrity, and use data regarding the use of the Services in order to make improvements and enhancements to the Services and Prelude offerings. For the avoidance of doubt, Prelude may use the Customer Data in accordance with this Section notwithstanding the confidentiality terms below. You have sole responsibility for the legality, reliability, integrity, accuracy and quality of Customer Data and for the means by which you acquire Customer Data. You represent and warrant to Prelude that you have all rights, consents, permissions and legal authority as may be necessary to provide the Customer Data to Prelude and to authorize Prelude to process the Customer Data in order to provide the Services. 

Feedback. If you (including any User) provide Prelude with any feedback, suggestions, enhancement request, recommendation, or correction regarding the Services or Professional Services (“Feedback”), Prelude may use, disclose, reproduce, or otherwise distribute and exploit the Feedback without restriction or any obligation to you or any User provided that the Feedback does not identify you or any User. You hereby grant to Prelude a worldwide, perpetual, irrevocable, sublicensable, royalty-free license to use and incorporate into the Services and Professional Services any Feedback and exploit such Feedback for Prelude’s commercial purposes without compensation to you.  

Non-Prelude Applications. Prelude may make third-party products or services available for use with the Services, including service or software applications not provided by Prelude (“Non-Prelude Applications”) which are designed to interoperate with the Services and implementation and other consulting services (the “Non-Prelude Services”). If you elect to use an authorized Non-Prelude Service with the Services,  you hereby grant Prelude permission to allow the Non-Prelude Service and its providers to access Customer Data as required to interoperate with the Services.  Prelude is not responsible for any disclosure, modification, deletion of Customer Data resulting from such access by a Non-Prelude Service or their providers.  To use Non-Prelude Applications, you may be required to obtain access to Non-Prelude Applications from providers and may be required to grant Prelude access to your accounts on such Non-Prelude Applications. Prelude does not guarantee the continued availability of such Service features and interoperability, and may cease providing them without entitling you to any refund, credit or other compensation.  You grant to Prelude and applicable contractors a worldwide, limited-term license to host, copy, transmit, run and display Non-Prelude Applications and program code created by or for you using the Services or for use by you with the Services, as is necessary for Prelude to provide the Services in accordance with this Agreement. Such Non-Prelude Services must at all times be in compliance with applicable law and not violate the rights of any third-party.

User Requirements. All Users of the Services at any point in time must use the same Prelude domain for their email address. Vendors, third-parties, partners and anyone else not employed by you cannot be added to the Enterprise License, except as otherwise permitted in a Sales Order.

Restrictions and Responsibilities

You may only use the Services as explicitly set forth in this Agreement. You are solely responsible for determining whether the Services are sufficient for your purposes, including but not limited to, whether the Services satisfy your legal and/or regulatory requirements.

You will (a) be responsible for Users’ compliance with this Agreement and Sales Orders, (b) be responsible for the interoperation of any third party, Non-Prelude Applications with which you use the Services, including compliance with the terms of service of any Non-Prelude Application, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services, and notify Prelude promptly of any such unauthorized access or use, and (d) use the Services only in accordance with this Agreement, the applicable Sales Order, and applicable laws and government regulations. 

In the event you have subscribed under a Sales Order to a Service that leverages artificial intelligence, the terms of Prelude’s AI User Guidelines (available at https://www.preludesecurity.com/legal/ai-user-guidelines) shall govern your access to and use of such features or functionalities.  

You agree that you and your Users will not: (i) reproduce, modify, distribute, transfer, or make available the Services, or any portion thereof to any third party; (ii) reverse engineer, decompile, disassemble, or otherwise attempt to derive the underlying source code for the Services; (iii) tamper with or modify any data collected by the Services; (iv) create an account for anyone other than the applicable User; (v) use another User’s account; (vi) harass, abuse, or harm another person by use of the Services; (vii) bypass or circumvent any access controls or Services use limits; (viii) remove any proprietary rights notices or other notices contained in the Services; or (ix) publicly publish any performance or benchmark tests or analysis related to the Services, or use thereof, without Prelude’s prior written permission; or (x) access or use the Services in order to build a competitive product or service or to benchmark with a non-Prelude product or service.

You acknowledge that the Services will require Users to share with Prelude certain information which may include limited personal information regarding Users (such as usernames, email address and/or phone number, or limited identifiers such as device names) solely for the purposes of providing and improving the Services or for troubleshooting or other customer support purposes. You warrant that, prior to authorizing an individual to become a User, and prior to the transfer of any personal information in connection with the Services, all personal information that is transferred to Prelude for processing has been collected, processed, and transferred in compliance with applicable law, and in particular, that you have a valid legal basis for processing such personal information prior to transferring them to Prelude. You assume full responsibility for ensuring that all legal requirements concerning personal information have been met before authorizing any individual to become a User. 

Confidentiality

The parties’ confidentiality obligations shall be as set forth in this confidentiality Section, and these terms supersede any non-disclosure or confidentiality agreement entered into between you and Prelude prior to the Effective Date of this Agreement notwithstanding any terms to the contrary in such agreements. Subject to the Provision of Services and License Grant terms above, the recipient of Confidential Information (the “Receiving Party”) from the other party (the “Disclosing Party”) agrees that at all times and notwithstanding any termination or expiration of this Agreement it will hold in confidence and not disclose to any third party, or use other than as required for the performance of this Agreement, any Confidential Information of the Disclosing Party, except as approved in writing by the Disclosing Party or otherwise permitted by the terms of this Agreement. Notwithstanding the foregoing, the Receiving Party may permit access to Confidential Information to its officers, directors, employees, investors, consultants or agents, including legal counsel (“Representatives”) who have a need to know such information, have been advised of the Receiving Party’s obligations under this Agreement, and  are contractually or legally bound by obligations of nondisclosure and nonuse at least as stringent as those contained herein.  The failure of any Representative of the Receiving Party to comply with this Agreement shall be considered a breach of this Agreement by the Receiving Party.  

As used herein, the “Confidential Information” of a Disclosing Party will mean any and all technical and non-technical information disclosed by such party to the Receiving Party, which may include without limitation: (a) patent and patent applications; (b) trade secrets; (c) proprietary and confidential information, ideas, techniques, sketches, drawings, works of authorship, models, inventions, know-how, processes, apparatuses, equipment, algorithms, software programs, software source documents, and formulae related to the current, future, and proposed products and services of each of the parties, such as information concerning research, experimental work, development, design details and specifications, engineering, financial information, procurement requirements, purchasing, manufacturing, customer lists, investors, employees, business and contractual relationships, business forecasts, sales and merchandising, and marketing plans; and (d) all other information that the Receiving Party knew, or reasonably should have known, was the Confidential Information of the Disclosing Party. “Confidential Information” shall not include information that: (a) is or becomes generally known or publicly available through no fault of the Receiving Party; (b) is known by or in the possession of the Receiving Party prior to its disclosure, as evidenced by business records, and is not subject to restriction; (c) is lawfully obtained from a third party who has the right to make such disclosure; or (d) was developed by employees or agents of the Receiving Party without reference to any Confidential Information of the Disclosing Party.

Receiving Party agrees that its unauthorized disclosure of the Disclosing Party’s Confidential Information may cause irreparable damage to the Disclosing Party and, in addition to all other remedies available at law or in equity, the Disclosing Party will have the right to seek equitable and injunctive relief and to recover the amount of damages (including reasonable attorneys’ fees and expenses) incurred in connection with that unauthorized use. Subject to the provisions of Section 9 herein, the Receiving Party will be liable under the Agreement to the Disclosing Party for any use or disclosure in violation of this confidentiality Section by the Receiving Party, its affiliates, or their respective personnel, agents, subcontractors, attorneys, accountants, or other advisors.  

The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party (a) gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure, and (b) discloses only that portion of the Confidential Information that is required to be disclosed. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information. The Disclosing Party’s Confidential Information will remain confidential regardless of any disclosure as set forth in this Section 3, and the Receiving Party’s obligations with respect to Disclosing Party’s Confidential Information will not be changed or lessened by virtue of those disclosures.

Notwithstanding anything to the contrary herein, Prelude shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom) (“Service Attributes”). Prelude will be free (during and after the Term hereof) to (i) use such Service Attributes to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Prelude offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business.

Payment of Fees

Subscriptions.  Services are purchased as subscriptions and any added subscriptions during the Term will co-terminate with any underlying subscriptions.

Invoices. You shall pay to Prelude fees set forth on each Sales Order. Except as otherwise specified herein or in a Sales Order: (a) the fees set forth in each Sales Order hereunder shall be fixed during the Order Term of such Sales Order; (b) except as set forth in the termination section hereunder, payment obligations are non-cancelable and fees paid are non-refundable; (c) quantities purchased cannot be decreased during the relevant Order Term; (d) the fees set forth in each Sales Order hereunder will be invoiced as specified in each Sales Order; and (e) if invoicing dates are not specified in a Sales Order, fees will be invoiced upon execution of such Sales Order; and subsequent years’ fees under such Sales Order will be invoiced annually thirty (30) days in advance of each anniversary.

Payment. Invoiced charges are due net thirty (30) days from the invoice date. You will be responsible for providing complete and accurate billing and contact information to Prelude and notifying Prelude of any changes to such information. If you believe that Prelude has billed you incorrectly, you must contact Prelude at billing@preludesecurity.com no later than 15 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit.

Overdue Charges. If the invoiced amount is thirty (30) or more days overdue, then (a) without limiting Prelude’s rights or remedies, those overdue charges shall accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and (b) Prelude may, in its sole discretion, suspend Services to you until such amounts are paid in full.

Taxes. Prelude’s fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction (collectively, “Taxes”). You are responsible for paying all Taxes associated with your purchases made pursuant to this Agreement. If Prelude has the legal obligation to collect or pay Taxes for which you are responsible under this Agreement, Prelude shall invoice you and you shall pay that amount unless you can produce a valid Tax exemption certificate authorized by the appropriate taxing authority. For clarity, Prelude is solely responsible for Taxes assessable against Prelude based on Prelude’s income, property and employees.

Terms and Termination

Term. These Terms shall be effective as of the date you agree to the terms herein (the “Effective Date”), and continue until the expiration or termination of all Sales Orders hereunder (such time period, the “Term”).  Each Sales Order shall remain in effect until the Sales Order Termination Date specified in such Sales Order, or until such Sales Order is earlier terminated pursuant to this termination Section  (the term of such Sales Order, the “Order Term”).

Termination by Prelude. Prelude may terminate the Agreement or any Sales Order therein in the event of your failure: (i) to pay the subscription fees under any Sales Order and such failure is not cured by you within thirty (30) days of notice to you; or (ii) material breach of these Terms or the applicable Sales Order and such failure is not cured by you within ten(10) day of notice to you, if curable.

Termination by Customer. You may terminate the Agreement or any Sales Order upon written notice to Prelude for Prelude’s material failure to perform its obligations pursuant to these Terms or the applicable Sales Order and such failure is not cured by Prelude within the thirty (30) day notice period, if curable, in which case you shall be entitled to a pro-rata refund on fees paid for the remainder of the unused term. 

Termination for Convenience. Neither Party shall have the right to terminate the Agreement or any Sales Order for convenience during the Term. Termination shall only be permitted in accordance with the termination provisions under this Section.

Effect of Termination. Upon termination or expiration of this Agreement or any Sales Order, (a) the rights and licenses granted to you under this Agreement or the terminated or expired Sales Orders (as applicable) shall automatically and immediately terminate, (b) Prelude shall terminate your access to the Services and Professional Services provided under the Agreement or applicable Sales Order, (c) you shall immediately cease using the Services and Professional Services, and (d) you shall promptly, and in any event no later than fourteen (14) days after termination or expiration, remove all discontinued probes that were installed on its devices (if any) during the provision of the Services or Professional Services. Prelude shall not be liable for any damages or losses resulting from your failure to comply with the obligation in the foregoing subsection (d).

Insolvency. Either party may terminate this Agreement (i) in the case of any voluntary or involuntary filing in bankruptcy, reorganization or receivership or under similar laws for the protection of creditors, by or directed against the other party, which is not withdrawn within thirty (30) days of such filing, (ii) upon the other party’s making an assignment for the benefit of creditors or making a voluntary arrangement with its creditors, (iii) upon the other party’s dissolution or ceasing, or threatening to cease to do business or (iv) if any event occurs, or proceeding is instituted, with respect to the other party that has the equivalent or similar effect to any of the events mentioned in this Section.

Survival. The provisions of these Terms that by their nature should survive termination shall survive, including without limitation, warranty disclaimers, limitation of liability, confidentiality and governing law. 

Additional Terms

Security Standards. Prelude will implement and maintain appropriate technical and organizational measures, as determined by Prelude, designed to protect the security of Customer Data, including measures designed to protect Customer Data from unauthorized access, use, modification, encryption, deletion, loss or disclosure.

Security Incidents. Prelude will report to you any material security breach or other event where there is an actual material loss, theft, unauthorized access, acquisition, use, disclosure, alteration, or destruction of or to Customer Data within Prelude’s possession or control, or a significant risk of any of them (a “Security Incident”) promptly following determination by Prelude that a Security Incident has occurred.  The initial report will be made to the security contacts designated by you from time to time.  You acknowledge that Prelude may rely and depend on data center service providers to provide notice to Prelude of Security Incidents relating to those data centers.

Prelude will investigate the Security Incident and will provide you with detailed information about the Security Incident to the extent reasonably possible and to the extent known.  Prelude will take reasonable steps within Prelude’s systems to mitigate the effects of the Security Incident. Prelude will use commercially reasonable efforts to provide you the information for you to fulfil any obligations under applicable laws to notify your regulators and data subjects of the Security Incident.

Representations, Warranties and Disclaimers

Each party represents and warrants to the other that: (i) it is duly organized and in good standing under the laws of the jurisdiction of its organization and has full capacity and right to make and perform this Agreement, and all necessary authority has been obtained; (ii) it will comply with all laws applicable to it in the performance of its obligations under this Agreement; and (iii) this Agreement constitutes a legal, valid and binding obligation of such party enforceable in accordance with its terms.

EXCEPT AS EXPRESSLY PROVIDED HEREIN AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES AND PROFESSIONAL SERVICES AND ANY GUIDANCE OR RECOMMENDATIONS THEREIN ARE PROVIDED “AS IS” AND “AS AVAILABLE” BASIS AND PRELUDE DOES NOT MAKE WARRANTIES OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OR ANY REPRESENTATIONS REGARDING AVAILABILITY, RELIABILITY, OR ACCURACY OF OR UPDATES TO THE SERVICES AND PROFESSIONAL SERVICES.  PRELUDE DOES NOT WARRANT THAT ANY CONFIGURATION SUGGESTIONS OR INDUSTRY BENCHMARKS RELATING THERETO WILL BE ACCURATE, CORRECT, COMPLETE OR CURRENT, AND ANY SUCH SUGGESTIONS SHALL NOT BE RELIED UPON AS LEGAL OR PROFESSIONAL ADVICE. UNDER THE SERVICES, THAT ANY NON-PRELUDE SERVICES OR THIRD PARTY CONTENT COMPLIES WITH APPLICABLE LAWS OR YOUR REGULATORY REQUIREMENTS, THAT THEY ARE ACCURATE OR CURRENT, OR THAT THEY ARE EFFECTIVE TO ACCOMPLISH THEIR APPARENT PURPOSE AND ACCORDINGLY, ARE USED BY YOU AT YOUR OWN RISK.

Warranties for Services. In the event the Services do not substantially conform with the Sales Order, you will notify Prelude in writing specifying the nature and extent of the non-conformity. Prelude shall use commercially reasonable efforts to cure the non-conformity as promptly as possible, but in any event within thirty (30) business days of receipt of your notice. This “Warranties for Services” Section sets forth your exclusive rights and remedies (and Prelude’s sole liability) in connection with any non-conforming Services.

Disclaimer for Unauthorized Electronic Intruders.  Notwithstanding the Section titled “Security Standards” and the technical and organizational measures which are referred to in that Section and which are designed to protect the security of Customer Data, you acknowledge and agree that: (a) such technical and organizational methods may not always be effective to prevent unauthorized electronic intruders from accessing the Services and Customer Data through the Internet or other electronic means; (b) if an unauthorized electronic intruder is able to overcome or avoid Prelude’s technical and organizational methods, the unauthorized electronic intruder may be able to access, use, modify, encrypt, delete, destroy, or steal Customer Data; and (c) Prelude shall have no liability to you for any act by any unauthorized electronic intruder, except for direct damages suffered by you which are a direct result of a breach by Prelude of Prelude’s obligations under the Sections titled “Security Standards” and “Security Incidents”.

Indemification

Prelude Indemnification. Subject to the terms of the Agreement, Prelude shall defend, indemnify and hold you harmless against any against any loss, liabilities, damages, costs, and expenses (including attorney’s fees and amounts paid in settlement) (“Losses”) based on, arising out of, or otherwise in connection with any claims, demands, suits or proceedings (threatened or actual) (“Claims”) made by a third party alleging that the Services infringe any intellectual property rights of such third party. The foregoing obligation is conditioned on your compliance with the procedures set forth in the Section titled “Procedure” below. If the Services become, or in Prelude’s opinion are likely to become, the subject of an infringement Claim, Prelude may, at its option and expense, either: (i) procure for you the right to continue using the Services; (ii) replace or modify the Services so that they become non-infringing; or (iii) terminate the Sales Order underlying the infringing Services and refund you any unused, prepaid fees for the infringing Services covering the remainder of the Order Term after the date of termination. Notwithstanding the foregoing, Prelude will have no obligation or liability under this Section or otherwise with respect to any infringement claim based upon: (a) any use of the Services not in accordance with this Agreement; (b) any use of the Services in combination with products, equipment, software, or data not supplied or approved in writing by Prelude if such infringement would have been avoided but for the combination with other products, equipment, software or data; (c) any claim arising from the Customer Data; or (d) any modification of the Services by any party other than Prelude. THIS “PRELUDE INDEMNIFICATION” SECTION STATES PRELUDE’S ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY FOR ANY CLAIMS OF INFRINGEMENT.

Customer Indemnification. Subject to the terms of this Agreement, you will defend, indemnify and hold Prelude harmless against any Loss based on, arising out of, or otherwise in connection with any Claim against Prelude brought by a third party (including any User) (i) alleging that the Customer Data infringes any intellectual property rights of a third party, or (ii) regarding your use of the Services not in accordance with this Agreement, including without limitation, any User’s violation of the Section titled “Restrictions and Responsibilities” of this Agreement. The foregoing obligations are conditioned on Prelude’s compliance with the procedures set forth under “Procedures” below.

Procedure. The indemnified party must (i) notify the indemnifying party promptly in writing of any Claim, including reasonable detail the facts and circumstances surrounding the Claim; (ii) give the indemnifying party sole control of the defense thereof and any related settlement negotiations, including not making any admission of liability or taking any other action that limits the ability of the indemnifying party to defend the claim; and (iii) cooperate and, at the indemnifying party’s request and expense, assist in such defense.

Limitation of Damages and Liability

Limitation of Damages. NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR CONSEQUENTIAL, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES OR FOR LOST PROFITS, LOST REVENUES, BUSINESS INTERRUPTION, HARM TO GOODWILL, OR THE COSTS OF PROCURING REPLACEMENT SERVICES, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE. THIS LIMITATION WILL APPLY TO ALL CLAIMS UNDER ALL THEORIES OF LAW AND EQUITY, EXCEPT WHERE PROHIBITED BY LAW.

LIMITATION OF LIABILITY. EXCEPT IN THE EVENT OF GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR FRAUD WHICH LIABILITY HEREUNDER SHALL BE UNLIMITED, AND EXCEPT AS PROVIDED BELOW, THE CUMULATIVE LIABILITY OF EACH PARTY TO THE OTHER WILL BE LIMITED TO THE FEES PAID OR PAYABLE UNDER THIS AGREEMENT FOR THE TWELVE (12) MONTHS PRECEDING THE FILING OF THE CLAIM (OR OVER THE FIRST TWELVE (12) MONTHS IF SUCH INCIDENT ARISES DURING THE FIRST TWELVE (12) MONTHS), FOR ALL OTHER CLAIMS.

NOTWITHSTANDING THE ABOVE “LIMITATION OF LIABILITY” SECTION, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY, TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO ALL BREACHES OF THE OBLIGATIONS IN SECTIONS TITLED “CONFIDENTIALITY”, “SECURITY STANDARDS”, “SECURITY INCIDENTS”, OR “INDEMNIFICATION” OF THIS AGREEMENT, AND ALL BREACHES OF THE OBLIGATIONS IN ANY DATA PROCESSING AGREEMENT (EXHIBIT B) EXECUTED BY THE PARTIES, EXCEED US$1,000,000.00.

Severability. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.  

Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety (including all Sales Orders), without the other party’s consent to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Notwithstanding the foregoing, (i)if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favor of, a direct competitor of the other party, then such other party may terminate this Agreement upon written notice, and (ii) you acknowledge that fees in the applicable Sales Order are based upon the scope of use by you, and that Prelude may require payment of additional fees in connection with assignment to a particular assignee.  Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns. As used in this Section, “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

No Third Party Beneficiaries. Nothing in this Agreement shall confer, or is intended to confer, on any third party any benefit or the right to enforce any term of this Agreement. No entities other than Prelude and you may terminate, rescind or agree to any modification, waiver or settlement with respect to this Agreement.

Export Control. You acknowledge that you are responsible for complying with all applicable laws and regulations associated with the access and use of Prelude products, including, without limitation, all applicable U.S. export control and economic sanctions laws, including the Export Administration Regulations (“EAR”), International Traffic in Arms Regulations (“ITAR”) and Office of Foreign Asset Control Regulations (“OFAC”). You represent and warrant that you are not and will not be listed on any export control and economic sanctions lists, including those promulgated pursuant to the EAR, ITAR and OFAC, or on any other export exclusion list of any other U.S. or non-U.S. governmental agency. You warrant that you will not, and that none of your Users shall export Prelude products to: (1) destinations requiring a license, (2) persons or entities requiring a license, or (3) end-users and end-uses requiring a license, unless such license has been obtained pursuant to applicable provisions of the EAR, ITAR and/or OFAC regulations.   

Anti-Corruption. You agree that you have not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any Prelude employee or agent in connection with this Agreement. If you learn of any violation of the above restriction, you will promptly notify Prelude.

Commercial Software. The Services are “commercial items” as that term is defined at FAR 2.101. If acquired by or on behalf of any executive agency (other than an agency within the Department of Defense (DoD)), the government acquires, in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Computer Software), only those rights in technical data and software customarily provided to the public as defined in this Agreement. If acquired by or on behalf of any executive agency within the DoD, the government acquires, in accordance with DFARS 227.7202-3 (Rights in commercial computer software or commercial computer software documentation), only those rights in technical data and software customarily provided in this Agreement. In addition, DFARS 252.227-7015 (Technical Data – Commercial Items) applies to technical data acquired by DoD agencies. Any federal legislative or judicial agency shall obtain only those rights in technical data and software customarily provided to the public as defined in this Agreement. This Section is in lieu of, and supersedes, any other FAR, DFARS, DEAR or other clause, provision, or supplemental regulation that addresses government rights in computer software or technical data under this Agreement. Capitalized terms used in this Section are defined in the applicable FAR or DFARs.

Logo Usage. You hereby grant to Prelude the express, revocable right to use your company logo and related trademarks in marketing and sales materials solely to identify you as a Prelude customer; provided that any such use by Prelude shall be consistent in size and scope with Prelude’s use of other customer logos and trademarks. Prelude hereby grants to you the express, revocable right to use Prelude’s logo and related trademarks solely to identify Prelude as a provider of services to you. Other than as expressly stated herein, neither party shall use the other party’s trademarks or logos without the prior written consent of the other party.

Entire Agreement; Amendments. These Terms, including its Exhibits and all Sales Orders, is the final and complete agreement between you and Prelude with respect to the subject matter in this Agreement and supersedes and replaces any prior proposal, representation, discussion or understanding between you and Prelude, including any non-disclosure agreement between you and Prelude notwithstanding anything to the contrary therein.  Prelude reserves the right to modify this Agreement at any time by providing such revised agreement to you or by publishing the revised agreement. Your continued use of the Services after 30 days of such revisions will constitute acceptance to be bound by the terms and conditions of the revised agreement. To the extent of any conflict between these Terms and any other schedule or attachment hereto, these terms and conditions shall prevail unless expressly stated otherwise. Notwithstanding any language to the contrary therein, no terms stated in a purchase order or in any other order document (other than a Sales Order, or other mutually executed order document expressly incorporated herein) shall be incorporated into this Agreement, and all such terms shall be void.

Insurance. Prelude, at its own expense, shall procure and maintain during the Term of the Agreement insurance policies to include the following coverage: (a) workers’ compensation insurance for its own employees that meets the statutory limits of the states in which Prelude operates and all federal statutes and regulations, as applicable; (b) employers’ liability insurance of not less than $1,000,000 aggregate limit; (c) commercial general liability insurance of not less than $1,000,000 per occurrence and $2,000,000 in the aggregate, including contractual liability; and (d) Internet, network, and privacy liability “cyber” insurance of not less than $1,000,000 per claim and $2,000,000 in the aggregate, to be maintained for two years beyond expiration or termination of the Agreement, covering the Services provided under the Agreement. Upon your written request, Prelude shall provide to you insurance certificates.

Relationship of the Parties. No agency, partnership, joint venture, or employment is created as a result of this Agreement and you do not have any authority of any kind to bind Prelude in any respect whatsoever. In no event shall one party’s personnel be deemed an employee, agent, or subcontractor of the other party.  

Notices. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when delivered, if transmitted by email; and upon receipt, if sent by first class mail. 

Governing Law and Venue. This Agreement shall be governed by the laws of the State of New York without regard to its conflict of laws provisions. The federal and state courts sitting in New York, New York, U.S.A. will have proper and exclusive jurisdiction and venue with respect to any disputes arising from or related to the subject matter of this Agreement. Notwithstanding the foregoing, each party shall have the right to commence and prosecute any action for injunctive relief before any court of competent jurisdiction. Without limiting the foregoing, the Standard Contractual Clauses as defined in Exhibit B to this Agreement shall be governed by the laws as chosen therein. 

Force Majeure. Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations) due to circumstances beyond such party’s reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party’s employees), service disruptions involving hardware, software or power systems not within such party’s possession or reasonable control, and denial of service attacks.

YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS AND ALL ATTACHED EXHIBITS, AND THAT YOU ARE NOT ENTERING INTO THIS AGREEMENT ON THE BASIS OF ANY REPRESENTATIONS NOT EXPRESSLY SET FORTH HEREIN.

‍

Date of Last Update: April 30, 2025

Exhibit A

Subscription Service Availability

Terms used, but not defined, herein shall have the meanings provided in the Prelude Service Terms to which this Exhibit A is attached.

Prelude shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Prelude or by third-party providers, or because of other causes beyond Prelude’s reasonable control, but Prelude shall use reasonable efforts to provide advance notice in writing, by banner notice on its website or within the Services, or by email of any scheduled service disruption.

The Services shall be available no less than 99.9% of the time per calendar month as measured and recorded by Prelude’s internal processes, excluding reasonable and scheduled maintenance periods, which Prelude shall strive to deliver outside of regular business hours. Prelude shall provide you with 2 business days prior notice via email to a contact to be designated by you before performing any scheduled maintenance that renders the Services inaccessible for greater than eight (8) hours. Any downtime resulting from outages of third party connections or utilities or other reasons beyond Prelude’s control will also be excluded from the calculation of availability.

As your sole and exclusive remedy, and Prelude’s entire liability, should monthly availability fall below 99.9%, you may receive a service credit against your next invoice equal to two percent (2%) of its subscription fees for that month for each one percent (1%) (or portion thereof) of unavailability. To receive a service credit, you must request the service credit in writing to Prelude within 15 days of the end of the calendar month in which the availability service level was not met. Service credits are only applied to future invoices, unless you have paid all outstanding invoices. If you have paid all outstanding invoices, then Prelude will give you a refund in cash for the amount of the service credit within 30 days of your request.

Exhibit B

Data Processing Agreement

This Data Processing Agreement (“DPA”) is made part of the Prelude Service Terms entered into between you, and your subsidiaries and affiliates (“Customer” or “Data Controller”), and Prelude Research, Inc., and its subsidiaries and affiliates (“Prelude” or “Data Processor”), each a “Party” and collectively the “Parties”, dated as of even date herewith. 

WHEREAS:

1. The Parties have entered into Prelude Services Terms under which Prelude will deliver to the Customer its Services (hereinafter the “Agreement”).

2. In the course of providing the Services to the Customer under the Agreement, Prelude may gain access to a very limited amount of personal data accessible through the Customer’s endpoints or submitted by the Customer or its representatives or on its behalf to the Services. The Customer may also provide personal data to Prelude when setting up, managing, and maintaining its customer account. This Data Processing Agreement also covers any data processed in the context of provision of support to the Customer by Prelude. 

3. The Parties wish to ensure that any processing of personal data is carried out in accordance with the applicable Data Privacy Laws.

NOW, THEREFORE, THE PARTIES HERETO AGREE AS FOLLOWS:

1. Definitions. For purposes of this DPA:
   
   1. “Privacy Laws” means applicable privacy, security and personal information protection laws and regulations in force from time to time, including, but not limited to, the European General Data Protection Regulation (EU 2016/679) (the “GDPR”); Directive 2002/58/EC (the “e-Privacy Directive”) (and, when replaced, the European regulation revoking and replacing it); European national laws implementing derogations, exceptions or other aspects of the e-Privacy Directive (or regulation replacing it) and/or the GDPR; Personal Information Protection and Electronic Documents Act (Canada) (the “PIPEDA”); the California Consumer Privacy Act of 2018, as amended from time to time (the “CCPA”); California Privacy Rights Act of 2020 (the “CPRA”) as well as other relevant state privacy laws such as, without limitation, Illinois Biometric Information Privacy Act (740 ILCS 14), Texas Capture or Use of Biometric Identifier law (Texas Business and Commercial Code Chapter 503) and the Washington Biometrics Identifiers Statute (RCW 19.375); the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended or replaced from time to time) (the “UK GDPR”);
   2. “Standard Contractual Clauses” or “SCCs” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries adopted pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021;
   3. “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner and laid before UK Parliament on 2 February 2022 in accordance with section 119A of the UK Data Protection Act 2018;
   4. The terms “Controller”, “Data Controller”, “Data Processor”, “data subject”, “Processing”, “Processor”, “Personal Data Breach” and “Personal Data”, and where applicable “Business”, “Commercial Purpose”, “Consumer”, “Personal Information”, “Service Provider”, “Sell” and “Verifiable Consumer Request”, unless specifically defined otherwise herein, shall bear the respective meanings given to them in the applicable Privacy Laws. With respect to any Personal Data subject to the CCPA, the Parties acknowledge that the Data Controller is a “Business” and the Data Processor is a “Service Provider” as those terms are defined in the CCPA.
2. Subject of this DPA and the Purpose of Processing
   
   1. In performing the obligations set out in the Agreement, the Data Processor processes Personal Data on behalf of the Data Controller. 
   2. The Data Processor shall process Personal Data in accordance with the applicable Privacy Laws, this DPA, and the Agreement, for the purposes of providing, enhancing, improving, updating, securing, analyzing, marketing, or upgrading the Services or developing new services or services related to or complementary to the Services.
   3. The nature of the processing may include any operation that the Data Processor may perform on Personal Data or on sets of Personal Data when providing Services, which may include in particular processing of data provided by the Data Controller within its customer account and limited access by the Data Processor to Personal Data accessible through the endpoints of Data Controller’s infrastructure or during provision of support services, limited and exceptional storage, disclosure by transmission, alignment or combination, erasure or destruction of data (whether or not by automated means).
   4. Categories of Personal Data processed by the Data Processor within the Data Controller’s endpoints are primarily designated by the Data Controller, based on how it chooses to use the Services and the scope of access it grants to the Data Processor. No special categories of data are processed.
   5. The following categories of Personal Data may be included, without limitation:

• Personal data submitted by the Data Controller or on its behalf to the Services in the registration or feedback form, which typically include identification data and Service-related data; and 
• Personal data to which the Data Processor gains access through the provision of the Services, which typically include data contained in the Customer’s endpoints to which the Data Processor gains access while performing vulnerability scans or penetration tests or for support purposes based on the scope of access the Customer granted to Prelude, such as device identifiers (for instance computer name, computer serial number, and if applicable other device identifiers).
• Personal data to which the Data Processor gains access during the provision of support services.
• The exact scope of personal data processed will always depend on the specific Services or Service features then available and used by the Data Controller and the functionality of the Services that the Data Controller decides to implement and utilize. 

6. Categories of data subjects are primarily designated by the Data Controller, based on how it chooses to use the Services and the scope of access it grants to the Data Processor, and may include, without limitation, any individuals whose Personal Data is uploaded to the Services which will typically include employees, customers and business partners of the Data Controller and other persons with whom the Data Controller interacts.

3. Rights & Obligations of the Parties
   
   1. In discharging its obligations under the Agreement, the Data Processor shall perform the processing operations set out in Section 2.
   2. Each Party is obliged, without undue delay, to inform the other Party of any facts affecting the fulfillment of their obligations under this DPA.
   3. The Data Processor shall:
      
      1. Process the Personal Data only on documented instructions from the Data Controller;
      2. Maintain the confidentiality of the Personal Data processed under this DPA. The Data Processor shall ensure that persons authorized to process the personal Data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data Processor shall train and educate all its personnel with access to Personal Data on the obligation to comply with Privacy Laws that are applicable to the Data Processor as a service provider to the Data Controller;
      3. Assist the Data Controller in ensuring compliance by the Data Controller with, where applicable, the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor and adopt technical and organizational measures available at www.preludesecurity.com/legal/toms which are incorporated herein by reference;
      4. Delete or anonymize all Personal Data no later than 360 days after the end (in whole or in part) of the provision of Services under Agreement, and delete existing copies unless applicable law to which the Data Processor is subject requires storage of Personal Data or unless copies of Personal Data have been created electronically pursuant to automatic or ordinary course archiving, back-up, security and such Personal Data will be permanently deleted in accordance with standard retention policies and will be treated in accordance with this DPA until permanently deleted; 
      5. Upon request by the Data Controller: (1) make available to the Data Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and similar requirements of the Privacy Laws; and (2) allow for and contribute to audits, including inspections, conducted by the Data Controller. Audits shall be conducted no more frequently than annually and during reasonable times, shall be of reasonable duration, and shall not unreasonably interfere with the Data Processor’s day-to-day operations. In the event that the Data Controller conducts an audit through a third-party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement. Additionally, such independent contractor must not be the Data Processor’s direct or indirect competitor. Each Party shall bear its own costs and expenses arising out of or in connection with the audit; 
      6. Notify the Data Controller without undue delay after becoming aware of a Personal Data Breach with respect to the Personal Data processed under this DPA. The Data Processor shall reasonably assist the Data Controller in fulfilling its and Controller’s obligations under Articles 33 and 34 of the GDPR or other Privacy Laws to notify the relevant supervisory authority and data subjects of a Personal Data Breach; 
      7. Not sell or share, as defined in the CCPA and the CPRA, the Personal Data processed on the Data Controller’s behalf; and
      8. Immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes the GDPR or other Privacy Laws.
   4. Each transfer of Personal Data outside of the EU/EEA shall only take place if the specific conditions as laid down in Art. 44 et seq. GDPR have been fulfilled. All transfers of personal data out of the EU, EEA, United Kingdom, and Switzerland under this DPA, unless based on the European Commission’s adequacy decision, shall be governed by the applicable Standard Contractual Clauses, including the UK SCC Addendum, where applicable. Standard Contractual Clauses and the UK SCC Addendum available at www.preludesecurity.com/legal/scc, are incorporated herein by reference.
   5. The Data Controller represents and warrants that it has provided all requisite information and notification to the end users (as Data Subjects) regarding the collection and processing of their Personal Data provided to the Data Processor hereunder, as may be required under the Privacy Laws. 
   6. The Data Controller acknowledges that the Data Processor is not required to verify whether the Data Controller has duly given any prior information/notification to the end users and duly obtained any consent thereof with respect to the Personal Data disclosed to the Data Processor hereunder, and the Data Controller shall bear all liability related thereto.
   7. To the extent reasonably possible, the Data Controller agrees to take necessary measures to:
      
      1. Ensure that any information about the end users (Data Subjects) that is disclosed/transferred to the Data Processor under this DPA is de-personalized, anonymized and/or otherwise encrypted/hashed so as to no longer constitute “personal data” within the meaning of the GDPR by the time it is disclosed/transferred to the Data Processor; 
      2. Ensure that any text typed by the end-user when using the Data Processor’s Services, in particular when completing the registration or feedback form, shall not contain any Personal Data of the end user; and
      3. Discontinue any data conduits from Prelude to a third-party service or platform (e.g. CrowdStrike, or any similar third-party EDR or SIEM solution) that the Customer has linked to the Services or otherwise integrated into the Services and instructed Prelude to transfer data to such third-party service or platform, immediately upon termination of the contractual relationship with such third-party service or platform.

4. Sub-Processing
   
   1. The Data Processor shall engage another processor (i. e. a sub-processor) only in accordance with this DPA. The mechanism hereby stipulated shall be considered a general written authorization from the Data Controller (pursuant to Article 28 par. 2 of the GDPR, to the extent applicable).
   2. The Data Processor may, subject to compliance with this clause, engage a sub-processor, or replace or change the role of an existing sub-processor, provided that it notifies the Data Controller of any intended use of a new sub-processor (e-mail shall be deemed sufficient) (the “email notification”) fifteen (15) days in advance of, as applicable, the engagement of the sub-processor concerned.
   3. The Data Processor shall have the right to engage the new sub-processor unless the Data Controller objects in writing to the proposed use of the relevant sub-processor within fifteen (15) days of receipt of the email notification (in which case the Data Processor shall not, as applicable, use the sub-processor concerned).
   4. The Data Processor shall, where it engages any sub-processor in accordance with this clause: (a) carry out appropriate due diligence on the sub-processor prior to engaging it to verify that it is capable of complying with the data protection obligations under this DPA, to the extent applicable to the services it is to perform; (b) only use a sub-processor that has provided sufficient guarantees to implement appropriate technical and organizational measures; (c) impose on the sub-processor, through a legally binding contract between the Data Processor and sub-processor, data protection obligations equivalent in substance to those set out in this DPA and provide at least the same level of protection as provided for by this DPA; and (d) implement legally required transfer mechanisms (such as SCCs where applicable) for the transfers of Personal Data outside of the EU/EEA. The Data Processor represents and warrants that it has performed the foregoing (a) – (d) with respect to the sub-processors identified at www.preludesecurity.com/legal/sub-processor-list that are already engaged by the Data Processor as of the date of the DPA.
   5. Notwithstanding the foregoing, if the Data Controller objects to the engagement of another sub-processor, the Parties will come together in good faith to discuss an appropriate solution. The Data Processor may in particular choose not to use the intended sub-processor or engage the sub-processor only after corrective steps and / or measures requested by the Data Controller are taken.
5. Data Transfers
   
   1. Within certain Service features or functionalities, you may instruct us to transfer certain Personal Data or other data to third parties who are your separate service providers. We will enable such transfers. We will discontinue these transfers any time upon your specific written instruction. If you instruct us to discontinue these transfers, certain Service features or functionalities may not be available or fully functional. 
6. Data Processor’s Remuneration
   
   1. The Parties have agreed that the remuneration for processing the Personal Data under this DPA is included in the remuneration for the Services provided for in the Agreement.
7. Term and Termination
   
   1. This DPA has been concluded for the duration of the Agreement, and it shall come into force on the date of the signature of the Agreement by both Parties.
   2. In the event the obligations under this DPA are terminated, the Data Processor shall delete the Personal Data belonging to the Data Controller and delete all existing copies, subject to Section 3.c.iv hereof. 
   3. Neither Party hereto is entitled to assign any of the rights and obligations under this DPA to third parties without the prior written consent of the other Party.
8. Miscellaneous
   
   1. This DPA supplements the Agreement and unless otherwise stipulated herein, the provisions of the Agreement shall apply, including any exclusions and limitation of warranties and liabilities provided therein. Provisions in this DPA shall have precedence over any provisions of the Agreement relating to the processing of Personal Data by the Data Processor, if any.
   2. If one or more provisions of this DPA is invalid, ineffective, void or unenforceable, then such provision shall not render the entire DPA invalid, ineffective, void or unenforceable, while in such case the Parties will substitute such invalid, ineffective, void or unenforceable provision with a provision best suited to the purpose of such invalid, ineffective, void or unenforceable provision.