Terms of Service

Welcome to Reach's Website!

These terms of service outline the rules and regulations for the use of Reach Security, Inc.'s Website, located at https://reach.security.

By accessing this website we assume you accept these terms and conditions. Do not continue to use Reach Website if you do not agree to take all of the terms and conditions stated on this page.

The following terminology applies to these Terms and Conditions, Privacy Statement and Disclaimer Notice and all Agreements: "Client", "You" and "Your" refers to you, the person who logs on to this website and is compliant with the Company’s terms and conditions. "The Company", "the Reach", "Ourselves", "We", "Our" and "Us", refers to our Company. "Party", "Parties", or "Us", refers to both the Client and ourselves. All terms refer to the offer, acceptance, and consideration of payment necessary to undertake the process of our assistance to the Client in the most appropriate manner for the express purpose of meeting the Client’s needs in respect of the provision of the Company’s stated services, in accordance with and subject to, prevailing law of Netherlands. Any use of the above terminology or other words in the singular, plural, capitalization, and/or he/she or they, are taken as interchangeable and therefore as referring to the same.

Cookies

We employ the use of cookies. By accessing Reach Website, you agreed to use cookies in agreement with the Reach Security, Inc.'s Privacy Policy.

Most interactive websites use cookies to let us retrieve the user’s details for each visit. Cookies are used by our website to enable the functionality of certain areas to make it easier for people visiting our website. Some of our affiliate/advertising partners may also use cookies.

License

Unless otherwise stated, Reach Security, Inc. and/or its licensors own the intellectual property rights for all material on Reach Website. All intellectual property rights are reserved. You may access this from Reach Website for your own personal use subjected to restrictions set in these terms and conditions.

You must not:

  1. Republish material from Reach Website
  2. Sell, rent or sub-license material from Reach Website
  3. Reproduce, duplicate or copy material from Reach Website
  4. Redistribute content from Reach Website

This Agreement shall begin on the date hereof.

Parts of this website offer an opportunity for users to post and exchange opinions and information in certain areas of the website. Reach Security, Inc. does not filter, edit, publish or review Comments prior to their presence on the website. Comments do not reflect the views and opinions of Reach Security, Inc., its agents, and/or affiliates. Comments reflect the views and opinions of the person who posts their views and opinions. To the extent permitted by applicable laws, Reach Security, Inc. shall not be liable for the Comments or for any liability, damages or expenses caused and/or suffered as a result of any use of and/or posting of and/or appearance of the Comments on this website.

Reach Security, Inc. reserves the right to monitor all Comments and to remove any Comments which can be considered inappropriate, offensive, or causes breach of these Terms and Conditions.

You warrant and represent that:

  1. You are entitled to post the Comments on our website and have all necessary licenses and consents to do so;
  2. The Comments do not invade any intellectual property right, including without limitation copyright, patent or trademark of any third party;
  3. The Comments do not contain any defamatory, libelous, offensive, indecent or otherwise unlawful material which is an invasion of privacy
  4. The Comments will not be used to solicit or promote business or custom or present commercial activities or unlawful activity.
  5. You hereby grant Reach Security, Inc. a non-exclusive license to use, reproduce, edit and authorize others to use, reproduce and edit any of your Comments in any and all forms, formats, or media.

Hyperlinking to our Content

The following organizations may link to our Website without prior written approval:

  1. Government agencies;
  2. Search engines;
  3. News organizations;
  4. Online directory distributors may link to our Website in the same manner as they hyperlink to the Websites of other listed businesses; and
  5. System wide Accredited Businesses except soliciting non-profit organizations, charity shopping malls, and charity fundraising groups which may not hyperlink to our Web site.

These organizations may link to our home page, to publications, or to other Website information so long as the link: (a) is not in any way deceptive; (b) does not falsely imply sponsorship, endorsement, or approval of the linking party and its products and/or services; and (c) fits within the context of the linking party’s site.

We may consider and approve other link requests from the following types of organizations:

  1. Commonly-known consumer and/or business information sources;
  2. Dot.com community sites;
  3. Associations or other groups representing charities;
  4. Online directory distributors;
  5. Internet portals;
  6. Accounting, law and consulting firms; and
  7. Educational institutions and trade associations.

We will approve link requests from these organizations if we decide that: (a) the link would not make us look unfavorably to ourselves or to our accredited businesses; (b) the organization does not have any negative records with us; (c) the benefit to us from the visibility of the hyperlink compensates the absence of Reach Security, Inc.; and (d) the link is in the context of general resource information.

These organizations may link to our home page so long as the link: (a) is not in any way deceptive; (b) does not falsely imply sponsorship, endorsement, or approval of the linking party and its products or services; and (c) fits within the context of the linking party’s site.

If you are one of the organizations listed in paragraph 2 above and are interested in linking to our website, you must inform us by sending an e-mail to Reach Security, Inc. Please include your name, your organization name, contact information as well as the URL of your site, a list of any URLs from which you intend to link to our Website, and a list of the URLs on our site to which you would like to link. Wait 2-3 weeks for a response.

Approved organizations may hyperlink to our Website as follows:

  1. By use of our corporate name; or
  2. By use of the uniform resource locator being linked to; or
  3. By use of any other description of our Website being linked to that makes sense within the context and format of content on the linking party’s site.

No use of Reach Security, Inc.'s logo or other artwork will be allowed for linking absent a trademark license agreement.

iFrames

Without prior approval and written permission, you may not create frames around our Webpages that alter in any way the visual presentation or appearance of our Website.

Content Liability

We shall not be held responsible for any content that appears on your Website. You agree to protect and defend us against all claims that are arising on your Website. No link(s) should appear on any Website that may be interpreted as libelous, obscene, or criminal, or which infringes, otherwise violates, or advocates the infringement or other violation of, any third party rights.

Your Privacy

Please read Privacy Policy

Reservation of Rights

We reserve the right to request that you remove all links or any particular link to our Website. You approve to immediately remove all links to our Website upon request. We also reserve the right to amend these terms and conditions and its linking policy at any time. By continuously linking to our Website, you agree to be bound to and follow these linking terms and conditions.

Removal of links from our website

If you find any link on our Website that is offensive for any reason, you are free to contact and inform us at any moment. We will consider requests to remove links but we are not obligated to do so or to respond to you directly.

We do not ensure that the information on this website is correct, we do not warrant its completeness or accuracy; nor do we promise to ensure that the website remains available or that the material on the website is kept up to date.

Disclaimer

To the maximum extent permitted by applicable law, we exclude all representations, warranties, and conditions relating to our website and the use of this website. Nothing in this disclaimer will:

  1. limit or exclude our or your liability for death or personal injury;
  2. limit or exclude our or your liability for fraud or fraudulent misrepresentation;
  3. limit any of our or your liabilities in any way that is not permitted under applicable law; or
  4. exclude any of our or your liabilities that may not be excluded under applicable law. The limitations and prohibitions of liability set in this Section and elsewhere in this disclaimer: (a) are subject to the preceding paragraph; and (b) govern all liabilities arising under the disclaimer, including liabilities arising in contract, in tort, and for breach of statutory duty.

As long as the website and the information and services on the website are provided free of charge, we will not be liable for any loss or damage of any nature.

Security, Privacy, and Architecture Overview

Reach is designed with the most security-conscious Security and IT teams in mind. Understanding the security practices of an organization you’re looking to trust with your data can feel intentionally confusing and more often than not, frustrating. We strive at Reach to keep things simple and secure.

This article provides an up-to-date overview of the state of Reach’s security and how it applies to our system. We take advantage of cloud security best practices and adhere to strict policies and requirements that enable Reach to maintain the security and integrity of the data our customers entrust us with.

Overview

Sections outlined in this document

  • Corporate Governance
  • Data Security
  • Data privacy
  • Product Security
  • Security architecture

Corporate Governance

Every Reach employee is committed to the security and privacy of our customers and their information. This starts with accessible information security policies that are reviewed on a quarterly cadence and being leveraged throughout the organization. These policies guide how Reach does business, builds products, and operates. Some examples:

  • Data security and privacy training as part of onboarding
  • Employees sign agreements to preserve and protect the confidentiality of customer information they may interact with while doing their jobs
  • Background checks for all employees
  • Multi-factor authentication is required for all business applications that interact with customer data.
  • Employee security awareness training
  • Incident Response plan and subsequent playbooks are reviewed on an annual cadence

Data Security

Data in Transit

  • Customer data sent to Reach is encrypted in transit using best practice and compliant cipher suites.

Data at Rest

  • Data at rest is encrypted using AES-256 encryption
  • Storage level encryption will be used when data is stored in the cloud
  • File system encryption is used in cases where a Reach-employed customer success researcher needs to access data and move information to their local device to improve a prospect or customer’s experience.
  • Data searched for and accessed within an event management solution such as a SIEM will default to the customer’s local configuration

Least Privilege

  • User and service accounts are granted roles based on their requirements. These roles are defined with least privilege principles in mind. A user or service must have an applicable set of roles, which are inventoried and reviewed on a quarterly basis.

Data Privacy

Customer Privacy Options

Data Retention and Data Deletion

  • Data retention is set to 15 months by default for all security event and identity data that is processed by Reach. The timeframe is defined as is to enable your organization to benchmark and track improvement from year to year.
  • Once you have cancelled or terminated your use of our service, the Personal Data will be deleted within 30 days of the termination date, with the exception of data that is required to establish proof of a right or a contract, which will be stored for the duration provided by enforceable law.
  • Once deleted, your data cannot be restored.
  • Data deletion can be requested by the customer by contacting support@reach.security.

Data Access and Disclosure

Customer Access

  • You are able to view a processed representation of your data through the Reach product UI at app.reach.security with the appropriate permissions. User permissions are set by the Reach product admin in your instance settings.
  • 30 days of user access logs can be requested by contacting support@reach.security. Support will respond to the request within 48 hours from the time of the request.

Reach Access

  • Access to production systems is restricted to Reach employees who need to analyze customer data for efficacy purposes and to improve the overall product for Reach customers. These employees are U.S. Persons on U.S. soil and go through the necessary background checks to let our customers adhere to regulations like those enforced by International Traffic in Arms Regulations. All access privileges are managed by Reach engineering leadership and audited for privilege access violations.

AI for making mission-critical decisions

AI comes in many different flavors. We developed AI for Reach to meet the rigorous demands of enterprise security.

A dedicated AI Model

Reach develops a custom AI model dedicated to:

  • Your enterprise
  • Your users
  • The threats you face

Built to be unique to your company’s inputs, the model is created with your tenant and destroyed when required. This is done without impacting other Reach customers.

Private

By keeping third-party LLMs out of the mix, Reach AI relies on verified, domain-specific data to power its configuration engine. This means all data processed by Reach is private and not shared with third parties; nor do third parties interact with Reach.

Mission-critical decision making

Because security decisions are critical to enterprises, Reach brings the highest level of rigor to its AI. We’ve built it to ensure no hallucinations. This allows your team to focus on critical security decisions, while letting data power cross-platform configuration decisions to land you at the single best result.

Information Processed by Reach

Reach sits at the center of a few data types. Data types fall into three categories: Identity service data, Security event logs, and Security product configurations. Some of the data in the Identity service data and Security event logs may contain Personally Identifiable Information.

Identity service data can come from any number of sources. Most commonly the data comes from an Identity Provider within the company, like Microsoft AzureAD or Active Directory.

Security event logs will be analyzed by Reach for a number of products when connected to Reach. You must connect these products to Reach in order for security event ingestion to occur.

Note: Reach is not a Security Incident Event Management (SIEM) product. We are only gathering a subset of the security events for processing purposes.

Security product configurations will be analyzed by Reach for a number of products when connected to Reach.

The following data can be processed by Reach:

| Data Type | Data | May be Considered Personally Identifiable Information | Can be Anonymized |
| --- | --- | --- | --- |
| Directory Service Data | Name | Yes | Yes |
| | User name | Yes | Yes |
| | Email address | Yes | Yes |
| | Department | No | N/A |
| | Role Title | No | N/A |
| | Organization | No | N/A |
| | Security Groups | No | N/A |
| | Distribution Lists | Yes | Yes |
| | Proxy Addresses | Yes | Yes |
| | Location (typically office location) | No | N/A |
| | userAccountPropertyFlag | No | N/A |
| | whenCreated | No | N/A |
| | whenChanged | No | N/A |
| | guid_lookup (if needed to join threat logs) | No | N/A |
| | OktaWorkerType | No | N/A |
| Security Product Logs* | Domain and username | Yes | Yes |
| | Email Address (sender) | Yes | Yes |
| | Email Address (recipient(s)) | Yes | Yes |
| | MAC address | No | N/A |
| | Hostname | Yes | Yes |
| | Qualified hostnames | Yes | Yes |
| | Operating system | No | N/A |
| | Name of Security device | No | N/A |
| | IP Address (Source) | Yes | Yes |
| | IP Address (Destination) | No | N/A |
| | URL | No | N/A |
| | File name | Yes | Yes |
| | Forensics | Yes | Yes |
| Security Product Configurations | Security product configuration files | No | N/A |

Data Processing Locations

All customer data is processed within Amazon Web Service locations in the United States.

Current AWS Regions:

  • us-west-1 (N. California)

Access Logs

  • Access logs are immutable, tamper proof and available for review upon request.

Product Security

Reach is built with industry-tested technology and security practices.

  • Reach employees are required to use Multi-factor authentication to access systems and services
  • Reach adheres to OWASP guidelines and security best-practices
  • Reach performs automated and manual peer review to verify application correctness and security. This includes automated unit and integration tests run end-to-end on live systems, pre-release, and post-release scenarios
  • Annual 3rd party pentest assessments are performed against Reach and all operating infrastructure

Security Architecture

Security Architecture illustration

Service Level Agreement

Effective: June 12, 2023

This Service Level Agreement (“SLA”) is an addendum to the Reach Enterprise Subscription Agreement (the “Agreement”) and defines the service levels that Reach Security, Inc. (“Reach Security”) will endeavor to provide for the maintenance and support of the Application (“Service”). Capitalized terms not otherwise defined herein have the meaning ascribed to them in the Agreement. Reach Security reserves the right to modify the scope of the maintenance and support of the Service; provided, however, Reach Security shall provide Customer written notice. For clarification purposes, this SLA shall only apply to Customers who have purchased the Service directly from, and who have entered into the Agreement directly, with Reach Security.

1. Primary Coverage Hours. Reach Security will make staff available for Application Administration between 9:00 am to 5:00 pm Pacific Time (PT), Monday through Friday. Additionally, Reach Security will make commercially reasonable efforts to provide Application Administration during non-business hours and on weekends.

2. Application Administration. Reach Security will provide the following during the applicable Subscription Term in accordance with this SLA:

2.1 Technical Support. Assist Customers during Primary Coverage Hours to identify, analyze, and resolve challenges with the Service.

2.2 Service Management. Security monitoring, change control, problem management, and escalation procedures.

2.3 Application Administration. Installation and system setup, support, monitoring, response, repair, tuning, and capacity planning.

2.4 Data backup and retention. Backups of Customer Data stored within the Service.

3. Service Scope

3.1 Application Availability. Reach Security will make commercially reasonable efforts to ensure the Application is capable of being reasonably accessed and used at all times during the Subscription Term except during Scheduled Maintenance (as defined in Section 4).

3.2 Exclusions from Application Availability. The availability of the Application and Reach Security’s obligations with respect to the other service measures set forth herein may be subject to limitations, delays, and other problems inherent to the general use of the Internet and other public networks, or caused by Customer, Users, or third parties including underlying cloud services provider(s) like Amazon Web Services (AWS). Reach Security is not responsible for any delays or other damage resulting from problems outside of Reach Security’s control; however, Reach Security is responsible for the conduct of its third-party agents and contractors.

3.3 Issue Resolution. If the Application is not accessible as specified in Section 3.1 (an “Issue”) Reach Security and Customer will comply with the following resolution procedures for all Issues reported by Customer:

3.3.1 Reporting an Issue. Customer may report an Issue through the Reach Security Support at support@reach.security or Chat. When reporting an Issue, Customer will include a detailed description of the Issue.

3.3.2 Issue Classification. When reporting an Issue, the severity of the Issue will be classified based on the impact to Customer's business operations in accordance with the severity classification table below.

3.3.3 Response Time. Reach Security will use reasonable efforts to respond to Customer's reported Issues within the Primary Coverage Hours and within the timeframe designated below.

| Severity Level | Definition | Response Time |
| --- | --- | --- |
| p0 | The entire service is inaccessible or unusable. | 4 Hours |
| p1 | The issue causes a significant loss of service or is a significant error. The impact is an inconvenience that may require a workaround to restore functionality or is a minor error, incorrect behavior, or a documentation error that does not impede the operation of a system. | 12 Hours |
| p2 | The issue causes a minor reduction of service or is a minor error. The impact is an inconvenience that may require a workaround to restore functionality or is a minor error, incorrect behavior, or a documentation error that does not impede the operation of a System. | 24 Hours |
| p3 | Minor defects and errors that do not impede system operation in a normal manner. | |

4. Maintenance. Reach Security periodically repairs and upgrades the Service and shall use commercially reasonable efforts to accomplish this without affecting the Customer’s access to the Service; however, repairs of an emergency or critical nature may result in the Service not being available for the Customer’s usage during the course of such repairs. Reach Security reserves the right to conduct routine maintenance to the Service according to the following protocols:

| Item | Commitment | Response Time |
| --- | --- | --- |
| Scheduled Maintenance | Routine, scheduled maintenance performed as needed. | Reach Security will use commercially reasonable efforts to notify Customer before performing such Maintenance. |
| Preventative Maintenance | Non-scheduled maintenance that needs to be promptly conducted. | Reach Security will use commercially reasonable efforts to notify Customer before performing such Maintenance. |
| Emergency Maintenance | Non-scheduled maintenance required to be performed immediately. | Reach Security will use commercially reasonable efforts to notify Customer before performing such Maintenance. |

5. Compatibility with New Third Party Software. Customer consents and acknowledges that prior to adding new third-party software, the Customer is solely responsible to verify and ensure that such third-party software is compatible with their current or future versions of the Service. Reach Security will not be responsible for any failures or malfunctions resulting from such upgrade, change, or addition of third-party software. A list of supported third-party software and their versions can be found on our website at http://docs.reach.security.

6. Customer Responsibilities

6.1 Trained Contacts. Customer will designate at least one (1) individual within Customer’s organization to serve as primary contact with regards to Customer’s Service (“Primary Technical Contact”). Primary Technical Contact should have sufficient technical knowledge of Customer’s Application environment to enable effective communication with Reach Security.

6.2 Reasonable Assistance. Customer will provide Reach Security with (i) reasonable access to all necessary personnel to answer questions regarding Issues reported by Customer, and (ii) all relevant and available diagnostic information (including product or system information). In addition, Customer will make reasonable efforts to fix Issues identified during troubleshooting.

7. Service Level Agreement. Availability Reach shall make the Reach Subscription Service available 99% of the time, except those services below.

7.1 “Covered Services” means services provided by AWS including but not limited to: AWS Lambda, AWS S3, AWS ECS, CloudFront, and DynamoDB.

Availability for Covered Services will be calculated per calendar month, as follows:

Agreement Rates formula

Where:

  • “total” means the total number of minutes in the calendar month;
  • “non-excluded” means downtime that is not excluded; and
  • “excluded” means:

7.2 Any downtime during planned maintenance (not to exceed 10 hours in any calendar month) for which Reach gives 2 business days or more hours’ notice in accordance with the Agreement or via the Reach shared slack channel.

7.3 Any unavailability caused by circumstances beyond Reach’s reasonable control, including, without limitation, acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (other than those involving Reach employees), third-party Internet Reach failures or delays (other than those Internet Suppliers under contract with Reach),

7.4 Amazon Web Services (“AWS”) outages in Customer’s specific region or that otherwise affect Reach’s ability to provide the Reach Subscription Service, or unavailability caused by Customer’s conduct or error.

Notwithstanding the foregoing, for any availability that is reliant on AWS, availability shall be calculated based on the applicable availability provided by AWS with the same exclusions above.

8. Service Availability Remedies Should Reach fail to make the Reach Subscription Service available as set forth above, Customer may continue to use the Reach Subscription Service but receive a refund of 1/30th the monthly fee for each day the Reach Subscription Service is affected by making a claim in writing to Reach as described below. All claims of unavailability will be verified against Reach’s system records. Should Reach dispute any period of unavailability alleged by Customer, Reach will provide to Customer a record of Reach Subscription Service availability for the applicable period.

9. Reporting, Claims and Notices Reach will provide Customer SLA reports showing Reach Subscription Service availability upon Customer request and at most once per calendar year. To claim a remedy under this SLA, Customer shall send Reach a notice, via email addressed to support@reach.security within 15 business days after the end of each calendar quarter. Claims may be made on a calendar-quarter basis only and must be submitted within 20 business days after the end of the applicable quarter, except where a Services subscription ends on a date other than the last day of a calendar quarter, in which case any claim related to that subscription must be submitted within 20 business days after the subscription end date. All claims will be verified against Reach’s system records. Should Reach dispute any period of unavailability alleged by Customer, Reach will provide to Customer a record of Reach Subscription Service availability for the applicable period. Reach will provide such records only in response to claims made by Customer in good faith.

Privacy Policy

Effective: April 10, 2022

Scope of This Privacy Policy

Reach Security Inc. (“Reach”, “we”, “us” or “our”) understands you care how information about you is collected and used. Reach is committed to protecting the privacy of individuals who interact with us. This Privacy Policy (“Privacy Policy”) describes our privacy practices for information we collect through our websites, including https://www.reach.security and any other websites that link to this Privacy Policy (the “Website”).

This page informs you of our policies regarding the collection, use, and disclosure of personal information when you use our Website and the choices you have associated with that information.

By using the Website, you agree to the collection and use of information in accordance with this Privacy Policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from https://www.Reach.security.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, do not use our Website. By accessing or using this Website, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see Changes to This Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes. You are encouraged to review the Privacy Policy periodically for updates.

Information Collection and Use

Information You Provide to Us

We collect several different types of information for various purposes to provide and improve our Website.

  • Request a Demonstration. When you request a demonstration of our product, we ask you to provide your name, email address, and company name.

Tracking Technologies

We use the following cookies on our Website:

  • Required Cookies: Required cookies are necessary to enable the basic features of our Website to function. Because required cookies are essential to operate our Website, there is no option to opt out of these cookies.

Links to Other Sites

We provide links to other sites that are not operated by us, including social networking sites or applications that enable you to share information with your social networks and to interact with us on platforms that we do not control. These third-party sites may collect or share information about you, but this Privacy Policy does not apply to their privacy practices. We encourage you to review the privacy policies and settings on the sites with which you interact to make sure you understand the information that may be collected, used, and shared when you leave our Website.

Information Security and Storage

We implement reasonable administrative, technical, and physical security controls designed to protect your personal information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, no security controls are impenetrable, and we cannot ensure or warrant the security of your personal information.

We will retain your personal information for as long as necessary to provide you with the Website, as needed to comply with our legal obligations and legal rights including to prevent fraud or enforce our agreements, and for our internal business reasons.

Children’s Privacy

Our Website is not directed to or intended for children under the age of 13. We do not knowingly collect personal information from children under the age of 13 without obtaining parental consent. If you believe we have obtained information from or about a child under 13 without parental consent, please contact us at contact@reach.security so that we can remove the child’s personal information.

Notice to EEA Users

Legal Basis for Processing

We collect and process personal information about you with your consent, as part of a contractual agreement with you, and as necessary to provide our Website to you, operate our business, meet our contractual and legal obligations, protect the security of our Website, and fulfill our other legitimate interests.

Global Data Transfers

Reach is based in the United States and information we collect from you will be processed in the United States. The United States has not received a finding of “adequacy” from the European Union under Article 45 of the GDPR. We rely on derogations for specific situations set forth in Article 49 of the GDPR in order to transfer your personal information across international borders. In particular, we collect and transfer personal information outside of the EU only: (i) with your consent; (ii) to perform a contract with you; or (iii) to fulfill other compelling legitimate interests in a manner that does not outweigh your rights and freedoms.

Your Rights

To the extent required by applicable law, we provide you with: (i) reasonable access to your personal information collected through our Website, and (ii) the ability to correct, export, delete, withdraw consent, object to the processing of, or suspend processing of your personal information. You can contact us at contact@reach.security to submit a request.

You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal information in a manner inconsistent with your privacy rights. We kindly request that you contact us first so that we may address your concern.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will post any revised Privacy Policy on this Website. Where changes to this Privacy Policy are material, we will notify you in accordance with applicable law.

Contact Us

If you have any questions about this Privacy Policy, please contact us by email at contact@reach.security.

Subscription Services Agreement

Effective: February 10, 2022

THIS REACH SECURITY SUBSCRIPTION SERVICES AGREEMENT TOGETHER WITH ANY ACCEPTED REACH SECURITY ORDER FORM(S) (THIS "AGREEMENT") IS A BINDING LEGAL AGREEMENT BETWEEN THE CUSTOMER SPECIFIED IN THE ORDER FORM(S) (“CUSTOMER”) AND REACH SECURITY, INC., A DELAWARE CORPORATION ("REACH SECURITY"). BY AGREEING TO AN ORDER FORM INCORPORATING THIS AGREEMENT, CLICKING “I ACCEPT”, OR ACCESSING AND/OR USING THE REACH SECURITY SERVICE (AS DEFINED IN SECTION 1 BELOW), OR ANY PART THEREOF, AS AN AUTHORIZED REPRESENTATIVE OF THE CUSTOMER NAMED ON THE APPLICABLE ORDER FORM ON WHOSE BEHALF YOU ACCESS AND/OR USE THE REACH SECURITY SERVICE, YOU: (1) ARE INDICATING THAT YOU HAVE READ, UNDERSTAND AND ACCEPT THIS AGREEMENT, AND THAT YOU AGREE TO BE BOUND BY ITS TERMS, AND (2) REPRESENT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT AND TO USE THE REACH SECURITY SERVICE ON BEHALF OF THE CUSTOMER AND TO BIND CUSTOMER TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL OF THE TERMS OF THIS AGREEMENT OR DO NOT HAVE SUCH AUTHORITY, DO NOT ACCESS OR USE THE REACH SECURITY SERVICE. THE “EFFECTIVE DATE” OF THIS AGREEMENT SHALL BE THE DATE THAT THIS AGREEMENT IS ACCEPTED BY OR ON BEHALF OF THE CUSTOMER AS SET FORTH ABOVE.

1. DEFINITIONS

1.1. “API” means Reach Security’s proprietary application programming interfaces (APIs) specified on the applicable Order Form, and any and all modified, updated, or enhanced versions thereof.

1.2. “Authorized Users” means employees and/or contractors of Customer who are authorized to use the Reach Security Service as authorized in this Agreement and subject to any applicable Usage Parameters.

1.3. “Customer Applications” means the security products, services and/or applications deployed in the Customer Environment owned and/or controlled by Customer.

1.4. “Customer Data” means all data and other information transmitted, uploaded and/or submitted by Customer and/or Authorized Users through the API and/or Platform or otherwise provided or made available by Customer and/or its Customer Users to Reach Security in connection with the use of the Reach Security Service. “Customer Data” does not include Operational Metrics.

1.5. “Customer Environment” means the network, infrastructure, digital system, facility or environment operated or managed by Customer as described in an Order Form.

1.6. “Documentation” means Reach Security’s then-current technical user manuals and/or documentation for the APIs, the Platform, and/or Implementation Code, as applicable, made available to Customer hereunder by Reach Security.

1.7. “Implementation Code” means any and all documentation, methodologies, network configurations and architectures, subroutines, procedures, processes, and/or software code included or contained in any Reports, together with any modifications, enhancements, and/or derivative works thereof, provided and/or made available by Reach Security to Customer under this Agreement as part of Customer’s Subscription.

1.8. “Intellectual Property Rights” means patents and patent applications, inventions (whether or not patentable), trademarks, service marks, trade dress, copyrights, trade secrets, know-how, data rights, specifications, mask-work rights, moral rights, author’s rights, and other intellectual property rights, as may exist now or hereafter come into existence, and all derivatives, renewals and extensions thereof, regardless of whether any of such rights arise under the laws of the United States or of any other state, country or jurisdiction.

1.9. “Operational Metrics” means statistics, metrics, analytics, and data regarding the performance and operation of the Software and/or Platform that Reach Security collects in connection with Customer’s and/or its Authorized Users’ use of the Software and/or Platform, and other operational and technical metrics necessary to manage and perform the Software and/or Platform.

1.10. “Order Form” means a written or electronic order form referencing this Agreement that is mutually agreed upon and entered into by the parties for Customer’s purchase of a Subscription, Professional Services, and/or other services from Reach Security under this Agreement.

1.11. “Platform” means Reach Security’s proprietary hosted platform, together with any modifications, enhancements, and/or derivative works thereof, which enables users to track and manage security risk assessments related to their internal security protocols and processes, as further described on the applicable Order Form.

1.12. “Professional Services” has the meaning given to such term in Section 2.5.

1.13. “Reach Security Service” means the Platform, API, Reports, Implementation Code, and/or Support made available and/or provided by Reach Security to Customer as part of or in connection with the Subscription purchased by Customer under this Agreement.

1.14. “Reports” means the security risk assessment and health check reports generated through the Platform as further described on the applicable Order Form.

1.15. “Software” means individually and collectively, (a) the API, (b) the Implementation Code, and (c) the software used to operate the Platform and any and all modified, updated, or enhanced versions thereof.

1.16. “Subscription” means a subscription license purchased by Customer hereunder for access and use of the components and features of the Reach Security Service as specified on the applicable Order Form during the applicable Subscription Term.

1.17. “Subscription Term” means the subscription term specified on the applicable Order Form.

1.18. “Support” has the meaning given to such term in Section 2.4.

1.19. “Usage Parameters” means the maximum number of permitted users and/or seats for the use of the Platform specified on the applicable Order Form(s), and any other parameters specified in the applicable Documentation, Order Form, or in writing by Reach Security regarding the scope of use of the Reach Security Service (or any part thereof), Implementation Code, and/or Reports by Customer and/or its Authorized Users.

2. ACCESS AND USE OF THE REACH SECURITY SERVICE

2.1. Rights and Licenses.

(a) APIs and Platform. Subject to the terms and conditions of this Agreement (including payment of applicable fees), Reach Security grants to Customer a non-exclusive, non-sublicensable, non-transferable limited right during the applicable Subscription Term to permit Authorized Users to (i) use the API specified in the Order Form to enable the Customer Environment to interact with and connect to the Platform, solely through the calls and commands explicitly covered in the API and/or Documentation, (ii) access and use the Platform specified in the Order Form, over the internet, to access, view and download Reports, and to manage and assess the Customer Environment, Customer Applications, and Customer’s internal security protocols and processes, and (iii) reproduce and use a reasonable number of copies of the applicable Documentation in support of the exercise of the licenses and rights granted in this Section 2.1(a).

(b) Reports and Implementation Code. Subject to the terms and conditions of this Agreement, Reach Security grants to Customer a limited, personal, perpetual, revocable, non-exclusive, non-sublicensable, non-transferable limited license to (i) use the Reports downloaded through the Platform during the Subscription Term, solely to the extent necessary to manage and assess the Customer Environment, Customer Applications, and Customer’s internal security protocols and processes, and (ii) implement and deploy the Implementation Code solely in the Customer Environment. For the avoidance of doubt, the licenses granted to Customer in this Section 2.1(b) do not permit or grant any continued right to access or use the Platform following termination or expiration of this Agreement or the applicable Order Form. Customer is solely responsible for downloading Reports prior to such termination or expiration. The licenses granted in this Section 2.1(b) shall automatically terminate (without any requirement for Reach Security to provide notice) upon termination of this Agreement for Customer’s breach, or if Customer at any time is in violation of the scope of license grant and/or the use limitations or restrictions set forth in this Agreement with respect to the Reports and/or Implementation Code. Upon termination of the license grants as set forth above, Customer shall immediately cease, and ensure its Authorized Users cease, any and all use of the Reports and Implementation Code, and Customer shall destroy all copies of the Reports and Implementation Code, including, without limitation, permanently deleting the Implementation Code (and any copies thereof) from the Customer Environment.

(c) Use Limitations. The licenses granted to Customer under this Section 2.1 are limited to Customer’s use of the Platform, APIs, Documentation, Reports, and/or Implementation Code (as applicable), solely for Customer’s internal non-commercial purposes, in accordance with this Agreement and the applicable Documentation, and subject to any applicable Usage Parameters.

2.2. Trial Version. Notwithstanding Section 2.1, if Customer has obtained the Reach Security Service (or any component thereof) on a trial basis as specified on the applicable Order Form (the “Trial Version”), Customer understands and agrees that the applicable licenses and rights set forth in Section 2.1 are granted by Reach Security to Customer for the Trial Version solely for the trial period set forth in the applicable Order Form (“Trial Period”) for Customer’s own internal evaluation purposes, and subject to any and all technical limitations implemented by Reach Security in the Trial Version. Customer acknowledges and agrees that, unless otherwise specified in the applicable Order Form, if Customer has not purchased a Subscription prior to the expiration of the Trial Period, this Agreement will automatically terminate (without the requirement of providing any termination notice) and the Trial Version may cease functioning. NOTWITHSTANDING ANYTHING IN THIS AGREEMENT TO THE CONTRARY, CUSTOMER ACKNOWLEDGES AND AGREES THAT THE TRIAL VERSION IS PROVIDED “AS-IS” AND WITHOUT ANY WARRANTY WHATSOEVER OR ANY SUPPORT OR OTHER SERVICES (INCLUDING ANY UPDATES OR UPGRADES).

2.3. Restrictions. Customer shall not, and shall not permit any third party (including, without limitation, any Authorized Users) to:

(a) use the Reach Security Service (or any part or component thereof) or allow access to it, in a manner that circumvents contractual usage restrictions or that exceeds any applicable Usage Parameters;

(b) license, sub-license, sell, re-sell, rent, lease, transfer, distribute, time share or otherwise make any portion of the Reach Security Service (or any part or component thereof) available for access by third parties except as otherwise expressly provided in this Agreement;

(c) access or use the Reach Security Service (or any part or component thereof) and/or Professional Services for the purpose of developing competitive products or services;

(d) reverse engineer, decompile, disassemble, copy, or otherwise attempt to derive source code or other trade secrets, or any underlying ideas, algorithms and/or technology from or about the Software (or any part thereof);

(e) use the Reach Security Service (or any part thereof) in a way that violates or infringes upon the rights of a third party, including those pertaining to: contract, intellectual property, privacy, or publicity;

(f) use any aspect of the Software and/or Platform, or any components or functionality thereof, other than those specifically identified in the applicable Order Form, even if technically possible;

(g) remove, alter, or obscure in any way any proprietary rights notices (including copyright notices) of Reach Security or its suppliers on or within the Platform, Software, Reports and/or Documentation;

(h) interfere with or disrupt the integrity or performance of the Software (or any part thereof), or any system, network or data or cause or aid in the cause of the destruction, manipulation, removal, disabling, or impairment of any portion of the Platform and/or Software;

(i) attempt to gain unauthorized access to the Platform and/or Software (or any part thereof), or its related systems or networks or attempt to disable or circumvent any security mechanisms used by the Reach Security Service (including, without limitation, any time-control disabling functionality or other mechanisms in the Trial Version);

(j) frame or utilize framing techniques to enclose the Software and/or Platform or any portion thereof;

(k) use any meta tags, "hidden text", robots, spiders, crawlers, or other tools, whether manual or automated, to collect, scrape, index, mine, republish, redistribute, transmit, sell, license or download the Software, Platform, Reports (or any part thereof), content, and/or the personal information of others without Reach Security’s prior written permission or authorization;

(l) use the Software and/or Platform to store or transmit any malicious or unsolicited code or software, or store, transmit or upload any material and/or content that violates any third party’s intellectual property rights and/or privacy rights;

(m) impersonate any person or entity, use a fictitious name, or falsely state or otherwise misrepresent Customer’s affiliation with any person or entity; or

(n) use the Reach Security Service (or any part thereof), or transmit Customer Data, in any manner that violates any law, rule, regulation or any other legal or regulatory requirement imposed by any regulatory or government agency, including, without limitation, export laws and regulations.

Customer agrees that it shall not permit any person other than Authorized Users to access and use the Reach Security Service (or any part or component thereof), and shall ensure that Authorized Users use the Reach Security Service solely in accordance with this Agreement and the applicable Usage Parameters. Customer is solely responsible for the use of the Reach Security Service by Authorized Users, and any breach of this Agreement by any Authorized User will be deemed a breach by Customer.

2.4. Support. During the applicable Subscription Term (subject to Customer’s payment of applicable fees), Reach Security will use commercially reasonable efforts to provide Customer remote technical support services by email or phone during Reach Security’s normal business hours (8am-5pm Pacific, Monday through Friday, excluding holidays) for Customer’s use of the API and/or Platform (“Support”) in accordance with Reach Security’s then current Support terms and conditions.

2.5. Professional Services. Subject to the terms and conditions of this Agreement (including the payment of applicable fees), Reach Security will provide to Customer the technical, integration, implementation, and/or other professional services specified in the applicable Order Form and/or a statement of work mutually agreed upon and executed by both parties (each such statement of work, a “Statement of Work,” and such services, the “Professional Services”). The scope, timeline and tasks of the parties with respect to the Professional Services shall be as specified in the Order Form or Statement of Work, as applicable. Each Statement of Work shall be incorporated into and made a part of this Agreement upon execution. If any terms of a Statement of Work conflict with the terms of this Agreement, the terms of this Agreement will govern unless the Statement of Work specifically cites the section of this Agreement it is modifying or deleting.

2.6. Third Party Software. Reach Security may, in its sole discretion, make available third party software and/or open source software components (collectively, “Third Party Software”) embedded in, or otherwise provided with, the Software. Third Party Software is expressly excluded from the defined term “Software” as used throughout this Agreement. Third Party Software is not licensed under this Agreement and Customer’s use of such Third Party Software is subject to the applicable third party license terms which are available to Customer on request from Reach Security. Customer is solely responsible for its compliance with the licenses and other terms and agreements applicable to the Third Party Software and for determining if Customer is permitted to use the Third Party Software in connection with any Customer Application and/or the Customer Environment, if applicable.

3. CUSTOMER DATA

3.1. Customer Data. As between the parties, Customer shall retain all right, title and interest in and to Customer Data. Customer hereby grants to Reach Security a worldwide, royalty-free, non-exclusive license to use (including through the use of subcontractors) the Customer Data solely to the extent to provide Customer the Reach Security Service and other services hereunder. Customer represents and warrants that it has all the rights necessary to grant the licenses granted herein to Reach Security in and to such Customer Data. Customer represents and warrants that, with respect to any Customer Data (including, without limitation, any Personal Data), transmitted, hosted, stored or processed in connection with the use of the Platform and/or otherwise provided or made available to Reach Security in connection with the Reach Security Service (a) Customer is in compliance with all Data Protection Laws, and (b) Customer has obtained all permissions and/or approvals from each applicable data source as may be necessary or required to transmit such data through the Platform, and/or provide or make available such data to Reach Security hereunder.

3.2. Personal Data. To the extent any Customer Data includes any personally identifiable information (“Personal Data”), which is subject to any applicable data protection laws and/or regulations (“Data Protection Laws”), Customer acknowledges and agrees that as between Customer and Reach Security, Customer is the data controller and/or business and Reach Security is merely a data processor and/or service provider as such terms are defined pursuant to Data Protection Laws. At Reach Security’s request Customer agrees to execute and/or enter into any documents, agreements, statements, or policies deemed necessary or appropriate by Reach Security in its discretion to comply with any Data Protection Laws with respect to any Personal Data. Personal Data provided to, or collected by, Reach Security in connection with Reach Security Service shall only be used in accordance with this Agreement

4. CUSTOMER OBLIGATIONS

4.1. Customer Assistance. Customer will provide reasonable assistance and support to Reach Security in the provision of the Reach Security Service and/or performance of any services under this Agreement, including, without limitation, any assistance and/or support specified in an Order Form and/or Statement of Work and any other materials, personnel and access (including, if applicable, remote access) to Customer systems and premises as reasonably requested by Reach Security to provide the Reach Security Service, Professional Services, and/or any other services hereunder.

4.2. Third Party Integrations. The Platform may allow Customer to integrate with and/or connect to and use certain third party products, services or software (including, without limitation, data products and services) which are subject to separate terms and conditions (collectively, “Third Party Integrations”). If Customer decides to access and use such Third Party Integrations, Customer’s use of such Third Party Integrations is governed solely by the terms and conditions of such Third Party Integrations, and Reach Security does not endorse, is not responsible for, and makes no representations as to such Third Party Integrations, their content or the manner in which they handle Customer’s and/or its Authorized Users’ data. Reach Security is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s and/or any Authorized Users’ access or use of any such Third Party Integrations, or Customer’s reliance on the privacy practices or other policies of such Third Party Integrations. REACH SECURITY DOES NOT WARRANT, ENDORSE, GUARANTEE OR ASSUME RESPONSIBILITY FOR ANY THIRD PARTY PRODUCTS OR SERVICES (INCLUDING, BUT NOT LIMITED TO, THIRD-PARTY INTEGRATIONS), AND REACH SECURITY WILL NOT BE A PARTY TO, OR IN ANY WAY MONITOR, ANY TRANSACTION BETWEEN CUSTOMER AND ANY THIRD-PARTY PROVIDERS OF SUCH THIRD PARTY PRODUCTS OR SERVICES AND/OR THIRD PARTY INTEGRATIONS.

5. REACH SECURITY PROPRIETARY RIGHTS

5.1. Proprietary Rights. As between Reach Security and Customer, Reach Security or its licensors retain all right, title and interest in and to any and all Intellectual Property Rights in and to the Reach Security Service, and all components thereof, including, without limitation, the Platform, Software and Reports (but excluding any Customer Data contained in any Reports), and any and all modifications, enhancements and/or improvements thereto. Reach Security reserves all rights and licenses not expressly granted to Customer in Sections 2.1 and 2.2 and no implied license or right is granted by Reach Security. Title to the Software shall not pass from Reach Security to Customer, and the Software and all copies thereof shall at all times remain the sole and exclusive property of Reach Security.

5.2. Operational Metrics. Reach Security monitors and collects Operational Metrics for its own business purposes, such as improving, testing, and maintaining the Software and Platform, and developing additional products and services. Customer grants to Reach Security a non-exclusive, irrevocable, transferable, worldwide, and royalty-free license to collect, analyze and use Operational Metrics relating to its delivery of the Software and Platform, that are derived from, or related to, Customer Data, including the generation of reports for internal, external, and public use, and to use Operational Metrics for Reach Security’s internal business purposes. Reach Security may only publicly distribute Operational Metrics in aggregate, non-personally identifiable form that cannot be used to identify Customer or any individual Authorized User.

5.3. Feedback. To the extent Customer and/or any Authorized User provides any suggestions and feedback to Reach Security regarding the functioning, features, and other characteristics of the Reach Security Service (or any part thereof) and/or other materials or services provided or made available by Reach Security hereunder (“Feedback”), Customer hereby grants Reach Security a perpetual, irrevocable, non-exclusive, royalty-free, fully-paid-up, fully-transferable, worldwide license (with rights to sublicense through multiple tiers of sublicensees) under Customer’s and its licensors’ Intellectual Property Rights to use and exploit such Feedback in any manner and for any purpose.

6. FEES; PAYMENT TERMS

6.1. Subscription Fees. The fees payable by Customer for the Subscription will be set forth in the applicable Order Form (the “Subscription Fees”). Unless otherwise set forth on the Order Form, the Subscription Fees will remain fixed during each Subscription Term unless Customer at any time during the applicable Subscription Term (a) exceeds the applicable Usage Parameters, or (b) Customer increases the Usage Parameters or the Support level, or subscribes to additional features, services or products. Upon any increase in fees pursuant to clause (a) or (b) above, Customer shall pay the Subscription Fees for such increase, pro-rated for the remainder of Customer’s then-current Subscription Term.

6.2. Professional Services. Unless the fees for Professional Services specified in any Order Form or Statement of Work are set forth in that Order Form or Statement of Work, as applicable, the fees payable to Reach Security for Professional Services shall be based on a time and materials basis at Reach Security’s then-current rates for such Professional Services.

6.3. Payment Terms. Unless otherwise set forth on the Order Form, the Subscription Fees are due and payable in advance. The fees due for Professional Services shall be due and payable to Reach Security within thirty (30) days after the date of the applicable invoice for such fees, unless otherwise set forth on the applicable Order Form and/or Statement of Work (as applicable). Customer agrees to pay interest at the rate of 1.5% per month (or the maximum rate allowed by applicable law, whichever is lower) on amounts more than thirty (30) days past due, and to pay all reasonable costs, including attorneys’ fees and costs, associated with Reach Security’s collection of past due amounts. In addition, Reach Security reserves the right to suspend any or all services (including access to the API and/or Platform) hereunder if payments are more than thirty (30) days past due. All amounts due hereunder are non-refundable and non-cancelable, and will be paid in U.S. dollars.

6.4. Taxes. The fees are exclusive of all applicable sales, use, value-added and other taxes, or other similar charges, and Customer will be responsible for payment of all such taxes (other than taxes based on Reach Security’s income), and any related penalties and interest, arising from the payment of the fees, the delivery of the Reach Security Service, or performance of any services by Reach Security.

6.5. Changes to Fees. Reach Security may change its fees and payment terms at its discretion; provided however, that such changes will not take effect for Customer until the start of the next Subscription Term (as specified in the applicable Order Form). Reach Security will provide written notice to Customer of any changes to the fees that affect the Subscription purchased by Customer hereunder.

7. TERM AND TERMINATION

7.1. Term of Agreement. Unless earlier terminated in accordance with the terms of this Agreement, the term of this Agreement will commence on the Effective Date and will continue until the date of expiration or termination of the last Subscription Term.

7.2. Order Forms; Subscriptions. Each Order Form shall commence on the effective date and continue for the Subscription Term, each as set forth therein, and will automatically renew for additional successive terms equal in duration to the initial Subscription Term, unless at least thirty (30) days before the end of the then-current Subscription Term either party provides written notice of non-renewal to the other party. Each Subscription, and (subject to Section 6.5) the corresponding periodic Subscription Fees set forth in an Order Form, shall automatically renew for successive terms equal in duration to the initial Subscription Term, unless the Order Form is terminated as set forth above.

7.3. Termination for Cause. Either party may terminate this Agreement immediately upon written notice if the other party breaches its obligations under this Agreement and does not remedy such breach within thirty (30) days of the date on which the breaching party receives written notice of such breach from the non-breaching party. Either party may terminate this Agreement in its entirety upon written notice if the other party becomes the subject of a petition in bankruptcy or any proceeding related to its insolvency, receivership or liquidation, in any jurisdiction, that is not dismissed within sixty (60) days of its commencement, or makes an assignment for the benefit of creditors.

7.4. Effect of Termination. If this Agreement expires or is terminated for any reason:

(a) Customer will pay to Reach Security any amounts that have accrued before, and remain unpaid as of, the effective date of termination, for the Reach Security Service, including, without limitation, any fees payable for Professional Services performed by Reach Security to Customer prior to the effective date of the expiration or termination;

(b) any and all liabilities of either party to the other party that have accrued before the effective date of the expiration or termination will survive;

(c) except as otherwise set forth in, and subject to, Section 2.1(b), all rights and licenses granted to Customer under this Agreement shall immediately terminate and Customer shall immediately cease, and ensure its Authorized Users cease, any and all use of the Reach Security Service; and

(d) Reach Security’s obligations to perform Support, Professional Services and/or any other services hereunder shall immediately terminate.

7.5. Survival. The following Sections shall survive any termination or expiration of this Agreement: 1, 2.1(b), 2.1(c), 2.3, 4, 5, 6, 7.4, 7.5, 8, 9, 10, 11, 12.1, and 13 through 20 (inclusive).

8. DISCLAIMER. THE REACH SECURITY SERVICE (AND ALL PARTS AND COMPONENTS THEREOF), PROFESSIONAL SERVICES, AND ANY OTHER MATERIALS OR SERVICES PROVIDED BY REACH SECURITY HEREUNDER ARE PROVIDED TO CUSTOMER ON AN “AS IS” BASIS, WITH ANY AND ALL FAULTS, AND WITHOUT ANY WARRANTY OF ANY KIND. REACH SECURITY EXPRESSLY DISCLAIMS ALL REPRESENTATIONS, WARRANTIES AND CONDITIONS WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. REACH SECURITY DOES NOT WARRANT OR MAKE ANY GUARANTEE THAT DEFECTS WILL BE CORRECTED OR THAT THE REACH SECURITY SERVICE (OR ANY PART OR COMPONENT THEREOF), PROFESSIONAL SERVICES, OR ANY OTHER MATERIALS OR SERVICES PROVIDED BY REACH SECURITY: (A) WILL MEET CUSTOMER’S AND/OR ANY AUTHORIZED USERS’ REQUIREMENTS; (B) WILL BE COMPATIBLE WITH THE CUSTOMER ENVIRONMENT, CUSTOMER’S OR ANY AUTHORIZED USERS’ NETWORK, COMPUTER, MOBILE DEVICE AND/OR TABLET, OR ANY THIRD PARTY PRODUCTS OR SERVICES INCLUDING, WITHOUT LIMITATION, ANY THIRD PARTY INTEGRATIONS AND/OR CUSTOMER APPLICATIONS; (C) WILL BE AVAILABLE ON AN UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE BASIS; OR (D) WILL BE ACCURATE OR RELIABLE.

9. EXCLUSIONS. Notwithstanding anything in this Agreement to the contrary, Reach Security will have no responsibility or liability of any kind under this Agreement, arising or resulting from:

(a) problems caused by failed Internet connections or other hardware, software or equipment which is not owned, controlled or operated by Reach Security;

(b) nonconformities resulting from Customer’s, its Authorized Users’, or any third party’s misuse, abuse, negligence, or improper or unauthorized use of all or any part of the Reach Security Service, Support, Professional Services, and/or other services provided hereunder by Reach Security;

(c) modification, amendment, revision, or change to the Software, Platform, Reports, and/or Documentation by any person other than Reach Security; or

(d) any other factor outside of Reach Security’s reasonable control.

10. INDEMNIFICATION

10.1. By Reach Security. Reach Security hereby agrees to indemnify, defend and hold harmless Customer from and against any and all liability and costs (including, without limitation, attorneys’ fees and costs) incurred by Customer in connection with any actual or alleged claim made by a third party against Customer arising from or relating to:

(a) Customer’s use of the Software as authorized herein infringing or misappropriating a third party’s copyright, trade secret or patent issued as of the Effective Date (except to the extent Customer is responsible for the event giving rise to Reach Security’s liability under this Section 10.1); and/or

(b) Reach Security’s gross negligence, willful misconduct, or fraudulent misrepresentation.

Reach Security shall have no indemnity obligation to the extent that the infringement arises out of or is based on:

(i) Customer’s continued allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement;

(ii) any Third Party Software, Third Party Integrations, Customer Applications, and/or Customer Data;

(iii) Customer’s or any Authorized User’s use of the Software other than in accordance with this Agreement or the applicable Documentation;

(iv) Customer’s combination or use of the Software with products, services, software and/or hardware not provided by Reach Security;

(v) modifications of the Software by anyone other than Reach Security; or

(vi) any Trial Version or any Reach Security products and/or services provided on a “free” or “beta” basis (including, without limitation, the Reach Security Service offered under a “free” subscription plan).

If Customer’s use of any Software is enjoined or Reach Security reasonably believes Customer’s use of any Software may be enjoined, Reach Security may elect to obtain a license for Customer to continue using, or modify, the Software so that it no longer infringes. THE FOREGOING SHALL BE CUSTOMER’S SOLE AND EXCLUSIVE REMEDY AND REACH SECURITY’S SOLE AND EXCLUSIVE OBLIGATION WITH RESPECT TO ANY CLAIM OF INTELLECTUAL PROPERTY INFRINGEMENT AND/OR MISAPPROPRIATION.

10.2. By Customer. Customer hereby agrees to indemnify, defend and hold harmless Reach Security and its parents, affiliates, subsidiaries, licensors, and third party service providers, and its and their respective officers, directors, employees, agents, representatives, and contractors (each, a “Reach Security Party”), from and against any and all liability and costs (including, without limitation, attorneys’ fees and costs) incurred by any Reach Security Party in connection with any actual or alleged claim arising out of, or relating to:

(a) Customer’s or any Authorized Users’ breach of this Agreement and/or any terms and conditions or other agreement applicable to any Third Party Software and/or Third Party Integrations;

(b) Customer’s or its Authorized Users’ use of the Reach Security Service and/or any Professional Services;

(c) Customer Data or a violation of any applicable privacy law, rule or regulation by Customer; and/or

(d) Customer’s gross negligence, fraudulent misrepresentation or willful misconduct or violation of any applicable laws, rules, regulations.

10.3. Procedure. The party to be indemnified under Section 10.1 or 10.2, as applicable, (the “Indemnitee”) shall (a) promptly notify the party obligated to indemnify the Indemnitee under Section 10.1 or 10.2, as applicable, (the “Indemnitor”) in writing of any Claim asserted against the Indemnitee, (b) give the Indemnitor sole control of the defense thereof, and, (c) at the Indemnitor’s reasonable request and expense, cooperate and assist in such defense. The Indemnitee shall promptly deliver to the Indemnitor the original or a true copy of any summons or other process, pleading, or notice issued or served in any suit or other proceeding to assert or enforce any such Claim. Under no circumstances shall the Indemnitor enter into any settlement that involves an admission of liability, negligence or other culpability of any Indemnitee or requires any Indemnitee to contribute to the settlement without the Indemnitee’s prior written consent. Any Indemnitee may participate and retain its own counsel at its own expense.

11. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL REACH SECURITY BE LIABLE OR OBLIGATED, WITH RESPECT TO THIS AGREEMENT, THE REACH SECURITY SERVICE (OR ANY PART THEREOF), PROFESSIONAL SERVICES, AND ANY OTHER MATERIALS AND/OR SERVICES PROVIDED BY REACH SECURITY, WHETHER UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY AND EVEN IF REACH SECURITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITY OR OBLIGATION: (A) IN THE AGGREGATE, FOR ANY AMOUNTS IN EXCESS OF THE GREATER OF (I) THE FEES PAID OR PAYABLE BY CUSTOMER TO REACH SECURITY UNDER THE APPLICABLE ORDER FORM AND/OR STATEMENT OF WORK FOR THE REACH SECURITY SERVICE AND/OR PROFESSIONAL SERVICES (AS APPLICABLE) GIVING RISE TO THE LIABILITY DURING THE 12 MONTH PERIOD IMMEDIATELY PRIOR TO THE CAUSE OF ACTION, OR (II) ONE HUNDRED DOLLARS ($100); (B) FOR ANY COST OF PROCUREMENT OF SUBSTITUTE GOODS, TECHNOLOGY, SERVICES OR RIGHTS; (C) FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, RELIANCE, OR CONSEQUENTIAL DAMAGES; (D) FOR INTERRUPTION OF USE OR LOSS OR CORRUPTION OF DATA; OR (E) FOR ANY MATTER BEYOND REACH SECURITY’S REASONABLE CONTROL. THE PARTIES AGREE THAT THESE LIMITATIONS SHALL APPLY EVEN IF THIS AGREEMENT OR ANY LIMITED REMEDY SPECIFIED HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. THE PARTIES AGREE THAT THIS SECTION 11 REPRESENTS A REASONABLE ALLOCATION OF RISK AND THAT REACH SECURITY WOULD NOT PROCEED IN THE ABSENCE OF SUCH ALLOCATION. THIS ALLOCATION OF RISK IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES.

12. CONFIDENTIALITY; PUBLICITY

12.1. Confidentiality. “Confidential Information” means any proprietary information received by the other party during, or prior to entering into, this Agreement that a party should know is confidential or proprietary based on the circumstances surrounding the disclosure. Confidential Information of Reach Security shall include the fees payable hereunder, Software, Documentation, Reports, Feedback, and any non-public technical and business information regarding the Reach Security Service (or any part thereof). Confidential Information does not include information that:

(a) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party;

(b) is rightfully known by the receiving party at the time of disclosure without an obligation of confidentiality;

(c) is independently developed by the receiving party without use of the disclosing party’s Confidential Information; or

(d) the receiving party rightfully obtains from a third party without restriction on use or disclosure.

The receiving party of any Confidential Information of the other party will maintain the confidentiality of Confidential Information and further agrees not to use such Confidential Information for any purpose except as necessary to fulfill its obligations and exercise its rights under this Agreement.

The receiving party shall protect the secrecy of and prevent disclosure and unauthorized use of the disclosing party's Confidential Information using the same degree of care that it takes to protect its own confidential information and in no event shall use less than reasonable care.

The receiving party may disclose the Confidential Information of the disclosing party if required by judicial or administrative process, provided that the receiving party first provides to the disclosing party prompt notice of such required disclosure to enable the disclosing party to seek a protective order.

The Receiving Party shall promptly return or destroy, at the Disclosing Party’s request, the Disclosing Party’s Confidential Information (including all copies thereof) in each party’s possession or control, and agrees, at the Disclosing Party’s request, to certify that it has complied with the foregoing requirements. Neither party will disclose any terms of this Agreement to anyone other than its attorneys, accountants, and other professional advisors under a duty of confidentiality except: (i) as required by applicable law, or (ii) in connection with a proposed merger, financing, or sale of such party’s business (provided that any third party to whom the terms of this Agreement are to be disclosed is under a duty of confidentiality).

12.2. Publicity. During the term of this Agreement, Customer hereby agrees that Reach Security shall have the right, but not the obligation, to include Customer’s name and logo as a customer who uses the Reach Security Service on Reach Security’s websites and in other marketing materials promoting the Reach Security Service.

13. GOVERNING LAW; VENUE. This Agreement shall be governed by, construed and enforced in accordance with, the laws of the State of California, without reference to its choice of law rules to the contrary. The United Nations Convention on Contracts for the International Sale of Goods in its entirety is expressly excluded from this Agreement. Furthermore, this Agreement (including without limitation, the Platform, Software, and any services provided hereunder) will not be governed or interpreted in any way by referring to any law based on the Uniform Computer Information Transactions Act (UCITA) or any other act derived from or related to UCITA. Each party hereby irrevocably consents to the exclusive jurisdiction and venue of the federal, state, and local courts in San Francisco County, California, in connection with any action arising out of or in connection with this Agreement. Notwithstanding anything to the contrary herein, either party may seek injunctive or other appropriate relief in any court with competent jurisdiction in any country, in the event of any actual or alleged violation of such party’s Intellectual Property Rights or Confidential Information by the other party.

14. EXPORT CONTROL. Customer acknowledges that the laws and regulations of the United States of America and foreign jurisdictions may restrict the export and re-export of certain commodities and technical data of United States of America origin, including the Platform and Software. Customer agrees that it will not export or re-export the Platform and/or Software (or any part thereof) without the appropriate United States or foreign government licenses or permits.

15. U.S. GOVERNMENT RIGHTS. The Software (including the Platform) is commercial computer software and all services are commercial items. “Commercial computer software” has the meaning set forth in Federal Acquisition Regulation (“FAR”) 2.101 for civilian agency purchases and the Department of Defense (“DOD”) FAR Supplement (“DFARS”) 252.227-7014(a)(1) for defense agency purchases. If the Software and/or Platform is licensed or acquired by or on behalf of a civilian agency, Reach Security provides the commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of this Agreement as required in FAR 12.212 (Computer Software) and FAR 12.211 (Technical Data) and their successors. If the Software and/or Platform is licensed or acquired by or on behalf of any agency within the DOD, Reach Security provides the commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of this Agreement as specified in DFARS 227.7202-3 and its successors. Only if this is a DOD prime contract or DOD subcontract, the Government acquires additional rights in technical data as set forth in DFARS 252.227-7015. Except as otherwise set forth in an applicable Order Form, this Section 15 is in lieu of, and supersedes, any other FAR, DFARS or other clause or provision that addresses U.S. Government rights in computer software or technical data.

16. NOTICES. Except as otherwise set forth in Section 17 below, all notices permitted or required under this Agreement shall be in writing and shall be delivered by personal delivery, e-mail, or by certified or registered mail, return receipt requested, and shall be deemed given upon personal delivery, five (5) business days after deposit in the U.S. mail, or upon confirmation of transmission if sent by e-mail. Notices shall be sent to (a) Reach Security at: 1725 Hyde St. #6, San Francisco, CA 94109; Attn: Garrett Hamilton, and (b) Customer at the address as set forth in the applicable Order Form. Each party may update its contact information from time-to-time pursuant to this Section 16.

17. ELECTRONIC COMMUNICATIONS. Customer consents to receiving electronic communications from Reach Security, which may include notices about applicable fees and charges, transactional information and other information concerning or related to Customer’s use of the Reach Security Service. These electronic communications are part of Customer’s relationship with Reach Security and Customer receives them as part of Customer’s access and use of the Reach Security Service. Customer agrees that any notices, agreements, disclosures or other communications that Reach Security sends Customer electronically will satisfy any legal communication requirements, including that such communications be in writing, to the extent permitted by applicable law.

18. FORCE MAJEURE. Neither party shall be responsible for any delay in its performance due to labor disputes, shortage of materials, fire, earthquake, flood, telecommunications failure, plague, epidemic, pandemic, outbreaks of infectious disease or any other public health crisis, including quarantine or other employee restrictions, or any other cause beyond its reasonable control, except payments by Customer to Reach Security that are due pursuant to the terms of the Agreement.

19. MODIFICATIONS TO THIS AGREEMENT. Reach Security reserves the right to change, update or modify this Agreement at any time (excluding any Order Forms). The revised Agreement will be posted on the webpage located at [insert webpage address] (the “Site”), and, except with respect to material changes to the Agreement as set forth below, Reach Security will use commercially reasonable efforts to notify Customer of such updated Agreement by posting a notice on the Site that the Agreement has been updated and/or through the user interface of the Platform. With respect to material changes to this Agreement, Reach Security will provide Customer with reasonable notice prior to such change taking effect by emailing Customer at the email address associated with Customer’s account. Material changes to this Agreement will become effective on the date set forth in the notice, and all other changes will become effective from the day they are posted on the Site. Customer is solely responsible for reviewing this Agreement for any changes and/or modifications. If Customer (or any Authorized User) accesses or uses the Reach Security Service (or any part thereof) after the applicable effective date of the revised Agreement, that use will constitute Customer’s acceptance of any revised terms and conditions.

20. MISCELLANEOUS. Customer may not assign its rights or obligations under this Agreement without Reach Security’s prior written consent. Any attempted assignment or transfer of this Agreement by Customer in contravention of the foregoing shall be null and void. Reach Security may freely assign or transfer this Agreement hereunder without Customer’s consent and Reach Security may delegate the performance of any services hereunder to its affiliates and contractors. This Agreement is not intended to grant rights to anyone except Customer and Reach Security, and in no event shall this Agreement create any third party beneficiary rights. Any waiver of any provision of this Agreement must be in writing and executed by both parties. The failure of either party to exercise any right provided for by this Agreement shall not be deemed a waiver of that right. Each party represents and warrants to the other that the execution and delivery of this Agreement and the performance of such party’s obligations have been duly authorized and that this Agreement is a valid and legal agreement binding on the party and enforceable according to its terms. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties. This Agreement shall not be interpreted or construed to confer any rights or remedies on or to any third parties. If any part of this Agreement is found to be illegal, unenforceable, or invalid, the remaining portions of this Agreement will remain in full force and effect. This Agreement, including any and all Statements of Work and/or Order Forms entered into hereunder, constitutes the entire agreement between the parties regarding this subject matter, and supersedes all prior oral or written agreements or communications with regard to the subject matter described.
If any terms of an Order Form conflict with the terms of this Agreement, the terms of the Order Form will control, solely with respect to the subject matter of such Order Form. The terms on any purchase order, confirmation, or similar document submitted by Customer to Reach Security that are in addition to or inconsistent with this Agreement will have no effect and are hereby rejected. The headings of Sections of this Agreement are for convenience and are not to be used in interpreting this Agreement. As used in this Agreement, the word “including” means “including but not limited to.”

QUESTIONS AND ADDITIONAL INFORMATION. Please feel free to contact Reach Security at salesops@reach.security if you have any questions about this Agreement.

Data Processing Agreement

Effective: April 10, 2022

Scope of Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of, the Agreement between Reach Security, Inc. (together with its Affiliates, “Reach Security”) and the customer entity that is a party to the Agreement ("Customer" or "you").

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the "Agreement" shall include this DPA (including the SCCs (where applicable), as defined herein).

1. Definitions.

“Agreement” means the written agreement between Customer and Reach Security which governs the provision of the Service to Customer, as such terms or agreement may be updated from time to time.

“Control” has the meaning set forth in the Agreement. The term "Controlled" shall be construed accordingly.

"Customer Data" means any personal data that Reach Security processes on behalf of Customer via the Service, as more particularly described in this DPA.

“Data Protection Laws” means all data protection laws and regulations applicable to a party and/or the processing of Customer Data under the Agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.

“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).

"Europe" means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

“SCCs” means the standard contractual clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable).

“Security Incident” means any unauthorized or unlawful breach of security that leads to, or is reasonably believed to have led to, the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Reach Security.

“Sensitive Data” means (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.

“Sub-processor” means any processor engaged by Reach Security, including its Affiliates, to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Reach Security but shall exclude Reach Security employees, individual contractors, or individual consultants.

The terms "personal data", "controller", "data subject", "processor" and "processing" shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and "process", "processes" and "processed", with respect to any Customer Data, shall be interpreted accordingly.

2. Roles and Responsibilities

2.1 Parties’ roles. The parties acknowledge and agree that with regard to the processing of Customer Data, Customer is the controller and Reach Security is a processor acting on behalf of Customer, as further described in Annex A (Details of Data Processing) of this DPA. For the avoidance of doubt, this DPA shall not apply to instances where Reach Security is the controller (as defined by EU Data Protection Law) unless otherwise described in Annex D hereto.

2.2 Purpose limitation. Reach Security shall at all times process Customer Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing ("Permitted Purposes"). The parties agree that the Agreement sets out Customer’s complete and final instructions to Reach Security in relation to the processing of Customer Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.

2.3 Prohibited data. Customer will not provide (or cause to be provided) any Sensitive Data to Reach Security for processing under the Agreement, and Reach Security will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.

2.4 Customer compliance. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Reach Security; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Reach Security to process Customer Data and provide the Services pursuant to the Agreement and this DPA.

2.5 Compliance with Data Protection laws. Each Party will ensure that its processing of the Customer Data in accordance with the Agreement will not cause the other Party to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.

3. Sub-processing

3.1 Authorized Sub-processors. Customer consents to Reach Security engaging the Sub-processors set forth in our list of Subprocessors. Reach Security shall notify Customer if it adds or removes Sub-processors at least 10 days prior to any such changes. Customer may opt in to receive such notifications by emailing a request to support@reach.security.

3.2 Sub-processor obligations. Reach Security shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Reach Security to breach any of its obligations under this DPA.

3.3 Objection to Sub-processors. Customer may object in writing to Reach Security's appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Reach Security promptly in writing within five (5) calendar days of receipt of Reach Security's notice. Such notice shall explain the reasonable grounds for the objection. In such an event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Reach Security without the use of the objected-to new Sub-processor.

4. Security

4.1 Security Measures. Reach Security shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with Reach Security's security standards described in Information Security Policy ("Security Measures").

4.2 Confidentiality of Processing. Reach Security shall ensure that any person who is authorized by Reach Security to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.3 Updates to Security Measures. Customer is responsible for reviewing the information made available by Reach Security relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Reach Security may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.

4.4 Security Incident response. Upon becoming aware of a Security Incident, Reach Security shall: (i) notify Customer without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Reach Security's notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by Reach Security of any fault or liability with respect to the Security Incident.

4.5 Customer responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.

5. Security Reports and Audits

5.1 Audit rights. Reach Security shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 5.1 and where applicable, the SCCs) and any audit rights granted by Data Protection Laws, by instructing Reach Security to comply with the audit measures described in Sections 5.2 and 5.3 below.

5.2 Security reports. Customer acknowledges that Reach Security is regularly audited by independent third-party auditors and internal auditors respectively. Upon written request, Reach Security shall supply (on a confidential basis) a summary copy of its most current audit report(s) ("Report") to Customer, so that Customer can verify Reach Security's compliance with the audit standards against which it has been assessed.

5.3 Security due diligence. In addition to the Report, Reach Security shall respond to all reasonable requests for information made by Customer to confirm Reach Security's compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request to infosec@reach.security, provided that Customer shall not exercise this right more than once per calendar year.

6. International Transfers

6.1 Data center locations. Subject to Section 6.2, Customer acknowledges that Reach Security may transfer and process Customer Data to and in the United States and anywhere else in the world where Reach Security, its Affiliates or its Sub-processors maintain data processing operations. Reach Security shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

6.2 Australian data. To the extent that Reach Security is a recipient of Customer Data protected by the Australian Privacy Law, the parties acknowledge and agree that Reach Security may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the parties and subject to Reach Security complying with this DPA and the Australian Privacy Law.

6.3 European Data transfers. To the extent that Reach Security is a recipient of Customer Data protected by EU Data Protection Laws ("EU Data") in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), the parties agree to the following:

6.3.1 SCCs: Reach Security agrees to abide by and process EU Data in compliance with the SCCs in the form set out in Annex C. For the purposes of the descriptions in the SCCs, Reach Security agrees that it is the "data importer" and Customer is the "data exporter" (notwithstanding that Customer may itself be an entity located outside Europe).

6.4 Alternative transfer mechanism. To the extent Reach Security adopts an alternative data export mechanism (including any new version of or successor to the SCCs) for the transfer of EU Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable EU Data Protection Law and extends to the countries to which EU Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer EU Data (within the meaning of applicable EU Data Protection Law), Reach Security may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of EU Data.

7. Return or Deletion of Data

Upon deactivation of the Services or request, Customer Data shall be deleted, save that this requirement shall not apply to the extent Reach Security is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which such Customer Data Reach Security shall securely isolate and protect from any further processing, except to the extent required by applicable law.

8. Data Subject Rights and Cooperation

8.1 Data subject requests. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Reach Security shall (at Customer's expense) taking into account the nature of the processing, provide reasonable cooperation to assist Customer by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to Reach Security, Reach Security shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Reach Security is required to respond to such a request, Reach Security shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

8.2 Data protection impact assessment. To the extent Reach Security is required under Data Protection Law, Reach Security shall (at Customer's expense) provide reasonably requested information regarding Reach Security’s processing of Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

9. Jurisdiction-Specific Terms

To the extent Reach Security processes Customer Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex D, then the terms specified in Annex D with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Reach Security.

10. Limitation of Liability

10.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

10.2 Any claims made against Reach Security or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.

10.3 In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.

11. Relationship with the Agreement

11.1 This DPA shall remain in effect for as long as Reach Security carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 7.1 above).

11.2 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.

11.3 In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; then (ii) this DPA; and then (iii) the Agreement.

11.4 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.

11.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

11.6 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

Annex A – Details of Data Processing

  1. Controller (data exporter): Customer has engaged Reach Security to provide the Service to Customer in accordance with the Agreement.
  2. Processor (data importer): Reach Security Inc, a Delaware corporation
  3. Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
  4. Duration of processing: Reach Security will process Customer Data as outlined in Section 7 (Return or Deletion of Data) of this DPA.
  5. Purpose of processing: Reach Security shall only process Customer Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
  6. Nature of the processing: Reach Security provides a security platform and other related services, as more particularly described in the Agreement.
  7. Types of Customer Data: Customer may upload, submit or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion.
  8. Sensitive Data: Reach Security does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service.
  9. Processing Operations: Customer Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
     9.1 Storage and other processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement; and/or
     9.2 Disclosures in accordance with the Agreement and/or as compelled by applicable law.

Annex B – Security Measures

The Security Measures applicable to the Service are described in the Information Security Policy (as updated from time to time in accordance with Section 4.3 of this DPA).

Annex C - Standard Contractual Clauses

Standard Contractual Clauses

Annex D - Jurisdiction-Specific Terms

Europe:

  1. Objection to Sub-processors. Customer may object in writing to Reach Security’s appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 3.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Reach Security will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
  2. Government data access requests. As a matter of general practice, Reach Security does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Reach Security accounts (including Customer Data). If Reach Security receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a Reach Security account (including Customer Data) belonging to a Customer whose primary contact information indicates the Customer is located in Europe, Reach Security shall: (i) inform the government agency that Reach Security is a processor of the data; (ii) attempt to redirect the agency to request the data directly from Customer; and (iii) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy. As part of this effort, Reach Security may provide Customer’s primary and billing contact information to the agency. Reach Security shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or Reach Security’s property, Sites, or Service.

UK:

  1. For the avoidance of doubt, when European Union law ceases to apply to the UK upon the UK's withdrawal from the European Union and until such time as the UK is deemed to provide adequate protection for personal data (within the meaning of applicable EU Data Protection Law) then to the extent Reach Security processes (or causes to be processed) any Customer Data protected by EU Data Protection Law applicable to EEA and Switzerland in the United Kingdom, Reach Security shall process such Customer Data in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with Section 6.3 and 6.4 of this DPA.

California:

  1. Except as described otherwise, the definitions of: “controller” includes “Business”; "processor" includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under CCPA.
  2. For this “California” section of Annex D only, “Reach Security Services” means the security tools and insights available for Reach Security Customers to use as may be further described in the Agreement and/or on the Reach Security website.
  3. For this “California” section of Annex D only, “Permitted Purposes” shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.
  4. Reach Security’s obligations regarding data subject requests, as described in Section 8 (Data Subject Rights and Cooperation) of this DPA, apply to Consumer’s rights under the CCPA.
  5. Notwithstanding any use restriction contained elsewhere in this DPA, Reach Security shall process Customer Data only to perform the Reach Security Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law.
  6. Reach Security may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.
  7. Where Sub-processors process the personal data of Customer contacts, Reach Security shall ensure that such Sub-processors are Service Providers under the CCPA with whom Reach Security has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale”. Reach Security conducts appropriate due diligence on its Sub-processors.

Canada:

  1. Reach Security takes steps to ensure that Reach Security's Sub-processors, as described in Section 3 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom Reach Security has entered into a written contract that includes terms substantially similar to this DPA. Reach Security conducts appropriate due diligence on its Sub-processors.
  2. Reach Security will implement technical and organizational measures as set forth in Section 4 (Security) of the DPA.

Reach Subprocessors

Effective: April 10, 2022

| Entity | Service Type | Location |
| --- | --- | --- |
| Amazon Web Services, Inc. | Infrastructure-as-a-Service, Application error tracking | United States |
| Atlassian | Work Tracking | United States |
| Slack Technologies, Inc. | Customer Support | United States |