SUBSCRIPTION AGREEMENT

This is a legally binding agreement. Please read these terms and conditions carefully. By clicking the

button on the Orbit Labs registration page to accept this agreement, you represent that you have the full

legal authority to enter this agreement on behalf of the party identified in the registration process, and

in that capacity you acknowledge such party’s agreement to be bound by the terms and conditions set

forth or referenced below and in the addenda hereto.

This agreement (the “Agreement”) for use of the Application (as defined below) is between Orbit

Labs, Inc., a Delaware corporation (“Orbit”), and the party (the “Customer”) indicated during the account

registration process (such process and the information provided during such process as amended from time

to time through Customer’s login to its account in the Application in accordance with this Agreement, the

“Registration”). This Agreement is effective upon Customer’s acceptance of it in the course of the

Registration (the “Effective Date”). The information entered by or on behalf of Customer during the

Registration is incorporated herein and made a part of this Agreement.

Certain Definitions.

(a)

“Affiliate” means, as to a party, any other entity that directly or indirectly controls, is under

common control with, or is controlled by, such party; as used in this definition, “control” and its derivatives

mean possession, directly or indirectly, of power to direct the management or policies of an entity.

(b)

“Application” means the online service offered by Orbit, known as Orbit Labs and

accessed at https://orbit.love, together with any associated software applications, database structures and

queries, interfaces, System Interfaces, tools, and the like, together with any and all revisions, modifications,

and updates thereof, as made available by Orbit to Customer pursuant to this Agreement.

(c)

“Confidential Information” means any information of any type in any form that (i) is

disclosed to or observed or obtained by one party from the other party (or from a person the recipient knows

or reasonably should assume has an obligation of confidence to the other party) in the course of, or by virtue

of, this Agreement and (ii) either is designated as confidential or proprietary in writing at the time of such

disclosure or within a reasonable time thereafter (or, if disclosure is made orally or by observation, is

designated as confidential or proprietary orally by the person disclosing or allowing observation of the

information) or is of a nature that the recipient knew or reasonably should have known, under the

circumstances, would be regarded by the owner of the information as confidential or proprietary. Without

limiting any other provisions of this Agreement, and whether or not otherwise meeting the criteria described

herein, the Application, Customer Data, and the content of this Agreement (other than the fact of its

existence and the identities of the parties hereto) shall be deemed conclusively to be Confidential

Information. For purposes of this Agreement, however, the term “Confidential Information” specifically

shall not include any portion of the foregoing that (i) was in the recipient’s possession or knowledge at the

time of disclosure and that was not acquired directly or indirectly from the other party, (ii) was disclosed

to the recipient by a third party not having an obligation of confidence of the information to any person or

body of which the recipient knew or which, under the circumstances, the recipient reasonably should have

assumed to exist, or (iii) is or, other than by the act or omission of the recipient, becomes a part of the public

domain not under seal by a court of competent jurisdiction. A selection or combination of information will

not meet any of the foregoing exceptions solely because some or all of its individual component parts are

so excepted and will meet such exception(s) only if the selection or combination itself is so excepted. In

the event of any ambiguity as to whether information is Confidential Information, the foregoing shall be

interpreted strictly and there shall be a rebuttable presumption that such information is Confidential

Information.

Confidential

Page 1 of 35

(d)

“Customer Data” means all data entered into the Application (i) by Customer Users or (ii)

by or on behalf of Customer pursuant to a conversion of data from another system or system interface with

another system, in each case as such data is maintained in the Application from time to time.

(e)

“Customer User” means an employee or individual independent contractor of Customer

or of an Affiliate of Customer duly authorized by Customer to use the Application pursuant to Orbit’s then-

current procedure for such authorization. For the avoidance of doubt, the System Administrator is a

“Customer User.”

(f)

“Documentation” means all documentation (whether printed or in an electronic retrieval

format) supplied or made available to Customer by Orbit for use with or in support of the Application or

its implementation, including without limitation any and all revisions, modifications, and updates thereof

as may be supplied or made available by Orbit to Customer during the term of this Agreement and all copies

thereof made by or on behalf of Customer.

(g)

“Hosting Services” means the provision, administration, and maintenance of servers and

related equipment, the provision of bandwidth at the hosting facility, and the operation of the Application

for access and use by Customer Users pursuant to this Agreement.

(h)

“Licensed Materials” means the Application and the Documentation.

(i)

“Loss” means all losses, liabilities, damages, awards, settlements, claims, suits,

proceedings, costs and expenses

(including reasonable legal fees and disbursements and costs of

investigation, litigation, expert witness fees, settlement, judgment, interest, and penalties).

(j)

“Statement of Work” means an addendum to this Agreement duly executed by each party

that sets forth the requirements, pricing, and other respective responsibilities of the parties as to additional

services to be provided pursuant to this Agreement; provided, however, that the failure of a Statement of

Work to comply with the foregoing standards shall not, in itself, invalidate such Statement of Work.

(k)

“System Administrator” means the individual identified as such in the Registration or

such substitute designated by Customer from time to time in accordance with Orbit’s then-current

procedures therefor.

(l)

“System Interfaces” means a system interface for transfer of data between the Application

and another system utilizing an application programming interface (API) provided by Orbit to Customer.

(m)

The word “including” means “including without limitation” unless otherwise expressly

provided in a given instance.

License to Customer. Subject to the terms and conditions of this Agreement and any

applicable Statement of Work, Orbit grants to Customer a non-exclusive, non-transferable, non-

sublicensable (except as otherwise provided herein) license during the term of this Agreement for a

Customer User to access and use the Application and relevant Documentation in accordance with the terms

of this Agreement solely for Customer’s internal business purposes. All rights with respect to the Licensed

Materials not explicitly granted herein are reserved to Orbit.

Services. Subject to the terms and conditions of this Agreement and any applicable Statement

of Work, and provided Customer is not in material breach of its obligations hereunder, Orbit shall provide

the following “Services” during the term of this Agreement:

(a)

Hosting. Orbit shall provide the Hosting Services; provided, however, that the Hosting

Services may be interrupted and the Application unavailable for use for reasonable periods from time to

Confidential

Page 2 of 35

time for Orbit to perform scheduled or unscheduled system maintenance, for Orbit to address security

threats or security incidents, or due to the acts or omissions of third parties or Orbit.

(b)

Support. Orbit shall provide to Customer Users reasonable consultation and assistance with

operational and technical support issues arising from use of the Application during Orbit’s then-current

normal business hours pursuant to requests for support services submitted by telephone or e-mail at such

numbers and e-mail addresses as Orbit shall provide to Customer from time to time.

(c)

Maintenance and Error Correction. In response to a reported error, Orbit shall use

commercially reasonable efforts to correct the error or to provide a reasonable workaround sufficient to

alleviate any substantial adverse effect of the problem on the utility of the Application, provided that

Customer assists Orbit in its efforts by, for example, making available, as reasonably requested by Orbit,

information, documentation, access to personnel, and testing.

(d)

Enhancements. From time to time at its discretion, Orbit may implement releases of the

Application that contain changes, updates, patches, fixes, enhancements to functionality, and/or additional

functionality. Orbit in its sole discretion will determine whether to include in the Application, as part of the

maintenance Services hereunder, features or functionality not originally specified for the Application, and

Orbit shall have no obligation to disclose or offer to Customer any such features or functionality.

(e)

Supported Use and Environment. Orbit’s obligations pursuant to this Agreement are

conditioned upon access to and use of the Application by Customer Users in accordance with the

Documentation and use of devices, browsers and other information technology meeting the criteria set forth

in the Documentation, published on Orbit’s website, or otherwise provided or made available to Customer

by Orbit from time to time. Upon reasonable notice to Customer from time to time, Orbit may revise the

specifications described in this paragraph or implement new such specifications to address the evolution of

such technology.

Charges; Taxes. Amounts due hereunder shall be paid in the manner established during

Registration or as subsequently established by access to Customer’s Registration through a System

Administrator login to the Application. If applicable, Customer authorizes Orbit to charge or debit

automatically, using Customer’s provided payment method, all such amounts, including amounts due upon

renewal of this Agreement. Customer is responsible for providing complete and accurate billing and contact

information to Orbit. If Orbit offers Customer an option to be invoiced and Customer elects such option,

payment on each such invoice shall be due within 30 days from the date thereof or on such other terms as

may be set forth in the Registration. Customer shall pay when due (and Orbit at its discretion may collect

and pay on Customer’s behalf) all taxes, levies, or assessments based on or in any way measured by this

Agreement, the Licensed Materials, and the Services provided hereunder, excluding taxes based on Orbit’s

net income, but including sales and use taxes and personal property taxes, if any; provided, however, that

if Customer notifies Orbit in writing that Customer is exempt from paying applicable state, county, city, or

other local sales or use taxes and delivers to Orbit a copy of Customer’s tax exemption certificate or other

evidence satisfactory to Orbit demonstrating such exemption, Orbit shall not collect and pay such taxes on

Customer’s behalf except pursuant to an order from a court of competent jurisdiction or notice from such

taxing authority. If Customer has notified Orbit of such a tax exemption, Customer shall notify Orbit

promptly of any change in the status of such exemption.

Customer Responsibilities and Restrictions.

(a)

Customer Connection to Application. Customer shall be responsible for selecting,

obtaining, and maintaining any equipment and ancillary services needed to access the Application, in each

case meeting any information technology environment criteria described in Section 3(e).

Confidential

Page 3 of 35

(b)

System Administrator. Customer acknowledges and agrees that the System Administrator,

utilizing mechanisms provided therefor within the Application, will have the sole responsibility for

authenticating and provisioning access to the Application for other Customer Users and for disabling access

to the Application for Customer Users. Customer shall cause the System Administrator to perform such

authentication in accordance with generally-accepted information security standards and shall cause the

System Administrator to disable such access immediately upon the termination of employment or

engagement of any Customer User by Customer or its Affiliate or when a Customer User otherwise is no

longer eligible to use the Application pursuant to this Agreement. Customer shall notify Orbit immediately,

by telephone and in writing, to disable access to the Application for a System Administrator who is

terminated or otherwise is no longer eligible to use the Application pursuant to this Agreement.

(c)

Account Passwords and Data Security. Customer shall maintain and cause to be maintained

the confidentiality of all user IDs and passwords of Customer Users, including implementing and enforcing

policies and procedures as reasonable and appropriate thereto, and Customer at all times shall maintain (and

shall cause any Affiliate having Customer Users to maintain) adequate technical, physical, and

administrative safeguards, including access controls and system security requirements and devices, to

ensure that access to the Application by or through Customer is limited to Customer Users. Customer shall

be solely responsible for all use or misuse of the user IDs of Customer Users, and except as otherwise

required by applicable law Orbit shall have no obligation to monitor for or report any use or attempted use

of the user IDs of Customer Users. All such user IDs and passwords are deemed to be Confidential

Information of both Customer and Orbit. Customer shall take reasonable steps to ensure that Customer

Users not share user IDs or passwords. Customer shall be responsible for maintaining the user ID and

resetting the password for the System Administrator if the person responsible for such account for Customer

is terminated or otherwise is no longer eligible to use the Application.

(d)

Compliance with Laws. Customer represents, warrants, and covenants that it and its System

Administrator and Customer Users will only use the Services and Licensed Materials in a manner that

complies with all applicable laws, regulations, rules, and other authorities. Customer and its System

Administrator and Customer Users shall not use the Licensed Materials or the Services to collect, store,

receive, process, use, disclose, manipulate, track or distribute any information, including Customer Data,

or otherwise interact with any individual in violation of applicable laws, regulations, rules, and other

authorities.

(e)

Prohibited Uses. Customer and the Customer Users shall not do, nor shall they authorize

any person to do, any of the following by or through the Licensed Materials or Services: (i) collect, store,

receive, process, use, disclose, manipulate, track, or distribute any content or data that is illegal or promotes

illegal acts, involves minors, encourages or incites violence or dangerous acts, or is discriminatory,

derogatory, hateful, abusive, racist, fraudulent, defamatory, libelous, obscene, pornographic, unlawful,

harassing, violent, or threatening; (ii) access, connect to, or retrieve data from any third-party system,

service, application, or site that does not permit such access, connection, or retrieval; (iii) threaten, harass,

bully, or encourage others to do so; (iv) promote or condone discrimination or violence against individuals

or groups based on race, ethnic origin, religion, disability, gender, age, nationality, veteran status, political

affiliation, or sexual orientation/gender identity;

(v) gain or attempt to gain access to any software

applications, computer systems, or data not expressly authorized under this Agreement; (vi) violate any

applicable law, regulation, ordinance, or guideline; (vii) infringe the rights of any other person, including

intellectual property rights (for example, any patent, trademark, trade secret, copyright, or other proprietary

rights) or rights of publicity or privacy; (viii) impersonate any person or entity; (ix) act in a manner that is

discriminatory, derogatory, hateful, abusive, racist, fraudulent, defamatory, libelous, obscene, unlawful,

harassing, violent, or threatening; (x) collect, store, receive, process, use, disclose, manipulate, track or

distribute any computer viruses, worms, trojan horses, back door, trap door, time bombs, malware, or other

malicious code; (xi) hack the Licensed Materials or related systems or networks or otherwise attempt to

Confidential

Page 4 of 35

harvest, access, or collect information of other Orbit users or customers;

(xii) generate fraudulent

impressions of or fraudulent clicks on ad(s) through any automated, deceptive, fraudulent or other invalid

means, including but not limited to through repeated manual clicks, the use of robots, agents or other

automated query tools and/or computer generated search requests, and/or the unauthorized use of other

search engine optimization services and/or software; (xiii) extract data from hate-related websites, websites

that promote violence, websites that include content prohibited by these terms, or illegal drug-related

websites; (xiv) process data on behalf of any third party, unless the third party is also subject to this

Agreement; (xv) engage in any action or practice that reflects poorly on Orbit or otherwise disparages or

devalues Orbit’s reputation or goodwill; (xvi) otherwise use the Licensed Materials, Customer Data, or any

other data associated with the foregoing for any purpose or in any manner not specifically authorized by

this Agreement; or (xvii) attempt to do or assist any party in attempting to do any of the foregoing.

(f)

Other Restrictions. In addition to complying with the other terms, conditions and

restrictions set forth in this Agreement, Customer and the Customer Users shall not do, nor shall they

authorize any person to do, any of the following: (i) make any copies or prints, or otherwise reproduce or

print, any portion of the Licensed Materials, whether in printed or electronic format; (ii) distribute,

republish, download, display, post, or transmit any portion of the Licensed Materials; (iii) copy, create, re-

create, disassemble, reverse engineer, re-engineer, or decompile the Licensed Materials or otherwise

attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms

relevant to the Licensed Materials or any software, documentation or data related to the Licensed Materials;

(iv) modify, adapt, translate, or create derivative works from or based upon any part of the Licensed

Materials; (v) combine or merge any part of the Licensed Materials with or into any other software,

document, or work; (vi) refer to or otherwise use any part of the Licensed Materials as part of any effort to

develop a product or service having any functional attributes, visual expressions, or other features or

purposes similar to those provided by Orbit; (vii) remove, erase, or tamper with any copyright, logo, or

other proprietary or trademark notice printed or stamped on, affixed to, or encoded or recorded in the

Licensed Materials, or use a proxy, reverse proxy, or any other such mechanism that is intended to, or has

the effect of, obscuring any of the foregoing or confusing an individual as to Orbit’s rights in the foregoing;

(viii) fail to preserve all copyright and other proprietary notices in any copy of any portion of the Licensed

Materials made by or on behalf of Customer; (ix) sell, market, license, sublicense, distribute, rent, loan, or

otherwise grant to any third party any right to possess or utilize any portion of the Licensed Materials

without the express prior written consent of Orbit (which may be withheld by Orbit for any reason or

conditioned upon execution by such party of a confidentiality and non-use agreement and/or other such

other covenants and warranties as Orbit in its sole discretion deems desirable); (x) diminish or infringe any

intellectual property rights in and to the Licensed Materials or impair or interfere with any copyright

protection mechanisms, copyright management information systems or digital identification devices

employed in association with the foregoing; (xi) “frame” or “mirror” any portion of the Licensed Materials;

(xii) use any robot, spider, other automatic device, or manual process, to “screen scrape,” monitor, “mine,”

or copy any portion of the Licensed Materials; (xiii) restrict or inhibit any other person from using the

Licensed Materials, including without limitation by means of “hacking” or defacing any portion thereof;

(xiv) use any device, software, methodology, or routine to interfere with or disrupt the Licensed Materials

or the servers or networks connected to the Licensed Materials by trespass or burdening network capacity;

(xv) use the Licensed Materials or Services in any manner that interferes with or disrupts the integrity or

performance of the foregoing or their components; (xvi) create fraudulent accounts; or (xvii) attempt to do

or assist any party in attempting to do any of the foregoing.

(g)

Monitoring. Although Orbit has no obligation to monitor use of the Licensed Materials,

Orbit may do so and may prohibit any use of the Licensed Materials the Orbit believes may be (or is alleged

to be) in violation of applicable laws, regulations, or this Agreement.

Confidential

Page 5 of 35

(h)

Disclaimer. Orbit shall not be liable to Customer for any Loss arising out of or relating to

Customer’s failure to comply with its obligations set forth in this Section 5.

Ownership.

(a)

Customer Data. As between Orbit and Customer, Customer has and retains exclusive

ownership of all Customer Data and all intellectual property and proprietary rights therein. Orbit

acknowledges that the foregoing constitute valuable assets and may constitute trade secrets of Customer or

its licensors.

(b)

Licensed Materials. As between Orbit and Customer, Orbit has and retains exclusive

ownership of the Licensed Materials and all intellectual property and proprietary rights therein. Customer

acknowledges that the foregoing constitute valuable assets and may constitute trade secrets of Orbit or its

licensors.

(c)

Suggestions, Joint Efforts, and Statistical Information. Customer may suggest, and the

parties may discover or create jointly, findings, inventions, improvements, discoveries, or ideas that Orbit,

at its sole option, may incorporate in the Licensed Materials or in other products or services that may or

may not be made available to Customer. Any such finding, invention, improvement, discovery, or idea,

whether or not patentable, that is conceived or reduced to practice during the term of this Agreement,

whether by a party alone or by the parties jointly, arising from or related to this Agreement or the Licensed

Materials shall be and remain solely property of Orbit and may be used, sold, licensed, or otherwise

provided by Orbit to third parties, or published or otherwise publicly disclosed, in Orbit’s sole discretion

without notice, attribution, payment of royalties, or liability to Customer. Customer acknowledges and

agrees that Orbit has and retains exclusive and valid ownership of all anonymized statistical information

regarding Customer Users’ use of the Application. Customer hereby assigns to Orbit any and all right, title,

and interest in and to any such findings, inventions, improvements, discoveries, ideas, and statistical

information. Unless otherwise expressly agreed in writing, Customer shall not obtain any right, title, or

interest (other than the license expressly set forth herein) in or to anything created or developed by Orbit in

connection with or incident to this Agreement.

License to Use Customer Data. Customer grants to Orbit a non-exclusive, transferrable,

sublicensable, worldwide, royalty-free license to use and disclose Customer Data as necessary to perform

its obligations under this Agreement and for purposes of (i) monitoring, improving, and correcting the

performance of the Application, developing enhancements to the Application, developing new products,

and other internal business purposes; (ii) compiling statistical information (including without limitation

aggregating Customer Data with other data); (iii) aggregating Customer Data with other data; (iv) creating

de-identified versions of Customer Data; and (v) in perpetuity using, reproducing, preparing derivative

works of, and distributing such aggregated or de-identified data for any lawful purpose and to grant

sublicenses for the foregoing. Customer represents and warrants that it owns or has the legal right and

authority, and will continue to own or maintain the legal right and authority, to grant to Orbit the license

set forth herein. Customer further represents and warrants that it has provided all necessary notices to

process the Customer Data and to transfer the Customer Data to Orbit. Customer shall indemnify, defend,

and hold harmless Orbit, its affiliates, and their respective directors, officers, employees, and agents from

and against any Losses arising from or related to a claim of a third party with respect to a breach of the

foregoing representations and warranties of Customer.

Confidentiality.

(a)

Security of Confidential Information. Each party possessing Confidential Information of

the other party will maintain all such Confidential Information under reasonably secure conditions, using

Confidential

Page 6 of 35

reasonable security measures and in any event not less than the same security procedures used by such party

for the protection of its own Confidential Information of a similar kind.

(b)

Non-Disclosure Obligation. Except as otherwise may be permitted by this Agreement,

neither party shall disclose any Confidential Information of the other party to any third party without the

express prior written consent of the other party; provided, however, that either party may disclose

appropriate portions of Confidential Information of the other party to those of its employees, contractors,

agents, and professional advisors having a substantial need to know the specific information in question in

connection with such party’s exercise of rights or performance of obligations under this Agreement

provided that all such persons (i) have been instructed that such Confidential Information is subject to the

obligation of confidence set forth by this Agreement and (ii) are bound by contract, employment policies,

or fiduciary or professional ethical obligation to maintain such information in confidence.

(c)

Compelled Disclosure. If either party is ordered by a court, administrative agency, or other

governmental body of competent jurisdiction to disclose Confidential Information, or if it is served with or

otherwise becomes aware of a motion or similar request that such an order be issued, then such party will

not be liable to the other party for disclosure of Confidential Information required by such order if such

party complies with the following requirements: (i) if an already-issued order calls for immediate

disclosure, then such party immediately shall move for or otherwise request a stay of such order to permit

the other party to respond as set forth in this paragraph; (ii) such party immediately shall notify the other

party of the motion or order by the most expeditious possible means; (iii) such party shall not oppose a

motion or similar request by the other party for an order protecting the confidentiality of the Confidential

Information, including not opposing a motion for leave to intervene by the other party; and (iv) such party

shall exercise reasonable efforts to obtain appropriate assurance that confidential treatment will be accorded

the Confidential Information so disclosed.

(d)

Non-Use Obligation. Except as expressly authorized in this Agreement, during the term of

this Agreement and forever thereafter (or for such shorter period as may be imposed by applicable law),

neither party shall use any Confidential Information of the other party, except at the request of and for the

benefit of such other party, without the express prior written consent of the other party.

(e)

Copying of Confidential Information. Except as otherwise may be permitted by this

Agreement, neither party shall copy or otherwise reproduce any part of any Confidential Information of the

other party, nor attempt to do so, without the prior written consent of the other party. Any embodiments of

Confidential Information of a party that may be generated by the other party, either pursuant to or in

violation of this Agreement, will be deemed to be solely the property of the first party and fully subject to

the obligations of confidence set forth herein.

(f)

Proprietary Legends. Without the other party’s prior written consent, neither party shall

remove, obscure, or deface on or from any embodiment of any Confidential Information any proprietary

legend relating to the other party’s rights.

(g)

Reports of Misappropriation. Each party shall report to the other party without

unreasonable delay any act or attempt by any person of which such party has knowledge or reasonably

suspects (i) to use or disclose, or copy Confidential Information without authorization from the other party

or (ii) to reverse assemble, reverse compile, or otherwise reverse engineer any part of the Confidential

Information.

(h)

Post-Termination Procedures. Except with respect to Customer Data as provided in

Section 11(c) or as otherwise expressly provided in this Agreement, promptly upon the expiration or any

termination of this Agreement or other expiration or termination of a party’s right to possess and/or use

Confidential Information, each party shall turn over to the other party (or destroy and certify the same in

Confidential

Page 7 of 35

writing, if agreed in writing by the other party) any embodiments of any Confidential Information of the

other party.

Representations and Warranties; Disclaimers.

(a)

REPRESENTATION AND WARRANTY DISCLAIMERS. THE LICENSED

MATERIALS AND ALL SERVICES PROVIDED OR TO BE PROVIDED UNDER THIS

AGREEMENT ARE PROVIDED “AS IS,” WITH ALL FAULTS, AND CUSTOMER ASSUMES THE

ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LICENSED MATERIALS.

ORBIT DISCLAIMS, ANY AND ALL WARRANTIES, CONDITIONS, OR REPRESENTATIONS

(EXPRESS OR IMPLIED, ORAL OR WRITTEN) WITH RESPECT TO THE LICENSED MATERIALS

OR ANY PART THEREOF OR THE SERVICES, INCLUDING WITHOUT LIMITATION ANY AND

ALL IMPLIED WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT,

MERCHANTABILITY, OR FITNESS OR SUITABILITY FOR ANY PURPOSE (WHETHER OR NOT

ORBIT KNOWS, HAS REASON TO KNOW, HAS BEEN ADVISED, OR OTHERWISE IS IN FACT

AWARE OF ANY SUCH PURPOSE), WHETHER ALLEGED TO ARISE BY LAW, BY REASON OF

CUSTOM OR USAGE IN THE TRADE, BY COURSE OF DEALING, OR OTHERWISE. ORBIT

EXPRESSLY DISCLAIMS ANY WARRANTY OR REPRESENTATION TO ANY PERSON OTHER

THAN CUSTOMER.

DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON

AND ATTACKING NETWORKS, ORBIT DOES NOT WARRANT THAT THE LICENSED

MATERIALS, SERVICES, OR ANY EQUIPMENT, SYSTEM, OR NETWORK ON WHICH THEY

ARE USED OR ACCESSED, WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK

THAT RESULTS IN CUSTOMER’S INABILITY TO USE THE LICENSED MATERIALS OR THE

UNAUTHORIZED DISCLOSURE OR COMPROMISE OF CUSTOMER DATA.

COMPANY CANNOT AND DOES NOT GUARANTEE OR WARRANT THAT FILES AVAILABLE

FOR DOWNLOADING FROM THE INTERNET OR THE LICENSED MATERIALS WILL BE FREE

OF VIRUSES OR OTHER DESTRUCTIVE CODE. CUSTOMER IS RESPONSIBLE FOR

IMPLEMENTING SUFFICIENT PROCEDURES AND CHECKPOINTS TO SATISFY ITS

PARTICULAR REQUIREMENTS FOR ANTI-VIRUS PROTECTION AND ACCURACY OF DATA

INPUT AND OUTPUT, AND FOR MAINTAINING A MEANS EXTERNAL TO THE APPLICATION

FOR ANY RECONSTRUCTION OF ANY LOST DATA.

(b)

Other Disclaimers. Customer will be exclusively responsible as between the parties for,

and Orbit makes no representation or warranty with respect to, determining whether the Licensed Materials

will achieve the results desired by Customer, ensuring the accuracy of any Customer Data, and selecting,

procuring, installing, operating, and maintaining the technical infrastructure for Customer’s access to and

use of the Licensed Materials (other than with respect to the Hosting Services). Orbit shall not be liable for,

and shall have no obligations with respect to, any aspect of the Licensed Materials that is modified by any

person other than Orbit or its contractors, use of the Licensed Materials other than in accordance with the

most current operating instructions provided by Orbit, errors or other effects of problems, defects, or

failures of software or hardware not provided by Orbit or of acts or omissions of Customer or any third

party. Customer acknowledges that the operation of the Licensed Materials will not be error free in all

circumstances and that all defects in the Licensed Materials may not be corrected.

(c)

Some jurisdictions do not allow the exclusion of certain warranties or the limitation or

exclusion of liability for incidental or consequential damages, so some of the limitations and disclaimers

above may not apply to Customer. To the extent applicable law does not permit such disclaimer of warranty,

the scope and duration of such warranty and the extent of such liability shall be the minimum permitted

under such applicable law.

Confidential

Page 8 of 35

10.

Breach; Termination; Disposition of Data.

(a)

Notice of Breach; Cure Period. In the event of a breach of a provision of this Agreement,

the notice and cure procedures set forth in this paragraph shall apply. The non-breaching party shall give

the breaching party notice describing the breach and stating the time, as provided herein, within which the

breach must be cured. If a provision of this Agreement sets forth a cure period for the breach in question,

then that provision shall take precedence over any cure period set forth in this paragraph. No cure period

shall be required, except as may be provided otherwise in this Agreement, if this Agreement sets forth

specific deadline dates for the obligation allegedly breached. If the breach is of an obligation to pay money,

the breaching party shall have five business days to cure the breach after written notice thereof by the non-

breaching party. If the breach is a material breach of an obligation relating to the other party’s Confidential

Information, including Customer’s use or disclosure of the Application other than in compliance with the

license granted in this Agreement, then the non-breaching party, in its sole discretion, may specify in the

notice of breach that no cure period will be permitted. Orbit may immediately terminate this Agreement

without notice if Customer breaches its obligations under Section 5. If the breach is other than a breach of

the kind described above in this paragraph, then the cure period will be 30 days after the notice of the breach

by the non-breaching party.

(b)

Termination. If a breach of any provision of this Agreement has not been cured at the end

of the applicable cure period, if any (or upon such breach if no cure period is permitted), then the non-

breaching party thereupon may terminate this Agreement by notice to the other party. Termination of this

Agreement by Orbit for breach by Customer shall terminate all licenses granted to Customer herein. This

Agreement and the licenses granted to Customer herein shall terminate automatically, to the extent

permitted by applicable law in the jurisdiction or jurisdictions in question, if Customer makes an assignment

for the benefit of its creditors, files a petition for bankruptcy, receivership, reorganization, or other like

proceeding under any present or future debtor relief law (or is the subject of an involuntary such petition or

filing that is not dismissed within 60 days after the effective filing date thereof), or admits of a general

inability to pay its debts as they become due. Any termination of this Agreement shall be in addition to, and

not in lieu of, any other rights or remedies available at law or in equity.

(c)

Disposition of Customer Data. Upon Customer’s written request within 30 days following

the expiration or any termination of this Agreement, Orbit shall destroy the Customer Data; provided,

however, that to the extent Orbit is required by applicable law or legal process to retain any portion of the

Customer Data, or to the extent that destruction of any Customer Data is infeasible, Orbit shall retain such

Customer Data as though it were Confidential Information for such time as is required by such law or

process or until destruction is no longer infeasible, after which Orbit promptly shall destroy the Customer

Data. If Customer does not provide such notice within 30 days following the expiration or termination of

this Agreement, Orbit may destroy such Customer Data in its sole discretion.

11.

Risk Allocation.

(a)

EXCLUSION OF INDIRECT DAMAGES. IN NO EVENT WILL ORBIT BE LIABLE

UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE

THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT

LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT,

EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS,

DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c)

LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION,

DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e)

COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER

ORBIT WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH

LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE.

Confidential

Page 9 of 35

(b)

EXCLUSION OF SERVICE-RELATED DAMAGES. ORBIT SHALL NOT BE LIABLE

FOR ANY DAMAGES, LIABILITY OR LOSSES ARISING OUT OF: (i) CUSTOMER’S USE OF OR

RELIANCE ON THE SERVICES, OR CUSTOMER’S INABILITY TO ACCESS OR USE THE

APPLICATION; OR (ii) ANY TRANSACTION OR RELATIONSHIP BETWEEN CUSTOMER AND

ANY OTHER INDIVIDUAL, EVEN IF ORBIT HAS BEEN ADVISED OF THE POSSIBILITY OF

SUCH DAMAGES. ORBIT SHALL NOT BE LIABLE FOR DELAY OR FAILURE IN

PERFORMANCE RESULTING FROM CAUSES BEYOND ORBIT’S REASONABLE CONTROL.

(c)

MAXIMUM AGGREGATE LIABILITY. IN NO EVENT WILL ORBIT’S

AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY

LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING

NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE TOTAL AMOUNTS PAID

TO ORBIT UNDER THIS AGREEMENT IN THE TWELVE MONTH PERIOD PRECEDING THE

EVENT GIVING RISE TO THE CLAIM.

(d)

Intentional Risk Allocation. Each party acknowledges that the provisions of this

Agreement were negotiated, as a material part of the agreement memorialized herein, to reflect an informed,

voluntary allocation between them of all risks (both known and unknown) associated with the transactions

involved with this Agreement. The warranty disclaimers and limitations in this Agreement are intended,

and have as their essential purpose, to limit the circumstances of liability. The remedy limitations and the

limitations of liability are separately intended, and have as their essential purpose, to limit the forms of

relief available to the parties.

(e)

Indemnification. Customer agrees to indemnify, defend, and hold harmless Orbit, its

Affiliates, their successors and assigns, and all of their respective officers, directors, agents, and employees

from and against any claims, liabilities, damages, judgments, awards, losses, obligations, costs, expenses

or fees (including reasonable attorneys’ fees) arising out of or relating to (i) Customer’s and/or a Customer

User’s use of the Licensed Materials or Services, including those obtained through use of the Licensed

Materials; (ii) Customer’s and/or a Customer User’s breach or violation of this Agreement or applicable

law, regulation, rule, or other authority; or (iii) Customer’s and/or a Customer User’s violation of the rights

of any third party, including those of other users and third-parties.

12.

Marketing. Orbit may identify Customer as an Orbit customer and display Customer’s logos

in its marketing materials and advertisements, on its web site, and in presentations. Orbit shall not acquire

any intellectual property rights in any such logos, trademarks, service marks, or other indicia of origin.

13.

Certain Data Processing.

(a)

Data Processing Addendum. If Customer is a “Controller” as defined in the Data

Processing Addendum attached hereto as Exhibit A, the parties acknowledge and agree that the Data

Processing Addendum shall apply to the extent Customer Data includes “Customer Personal Data,” as

defined in the Data Processing Addendum. If Customer is or becomes a Controller, Customer shall notify

Orbit thereof prior to any Processing of Customer Personal Data (as defined in the Data Processing

Addendum).

(b)

Collection of Technical Data. Notwithstanding anything to the contrary herein, Orbit shall

have the right to collect and analyze data and other information relating to the provision, use and

performance of the Licensed Materials and related systems and technologies, and Orbit will be free (during

and after the term hereof) to (i) use such information and data to improve and enhance the Licensed

Materials and for other development, diagnostic and corrective purposes in connection with the Licensed

Materials and other service offerings, and (ii) disclose such data solely in aggregated or de-identified form

in connection with its business.

Confidential

Page 10 of 35

14.

Other Provisions.

(a)

Notice. Except as otherwise expressly provided herein, notices shall be given under this

Agreement in writing in the English language, signed by the party giving the same, and shall be given

(i) personally (in which case such notices shall be deemed given when so delivered), (ii) by certified or

registered U.S. Mail, properly addressed and postage pre-paid, from within the United States (in which case

such notices shall be deemed given on the third business day after deposit), (iii) by generally recognized

overnight courier, properly addressed and pre-paid, with next business day instruction (in which case such

notices shall be deemed given on the next business day after deposit), or (iv) if to Customer, at Orbit’s

election, by e-mail (in which case such notice shall be deemed given upon transmission unless Orbit

receives a non-delivery email message within a reasonable time thereafter). Such notices shall be sent to

Orbit at 325 9th Street, San Francisco, CA 94103 and to Customer at the address for notices or email address

designated in the Registration or as provided in clause (iv) of this the preceding sentence. Either party may

change its address for purposes of notice by written notice thereof to the other party.

(b)

Nature of Relationship; Subcontractors. Orbit shall provide all Services hereunder as an

independent contractor to Customer. Subject to the provisions of this Agreement regarding confidentiality,

Orbit may perform its obligations hereunder through its employees and through subcontractors. Nothing

contained herein shall be deemed to create any agency, partnership, joint venture, or other relationship

between the parties or any of their affiliates, and neither party shall have the right, power, or authority under

this Agreement to create any duty or obligation on behalf of the other party.

(c)

Force Majeure. Neither party shall be liable for any failure to perform its obligations under

this Agreement if such failure arises, directly or indirectly, out of causes reasonably beyond the direct

control of such party and not due to such party’s own fault or negligence or that of its contractors or

representatives or other persons acting on its behalf, and which cannot be overcome by the exercise of due

diligence and which could not have been prevented through commercially reasonable measures, including

acts of God, acts of terrorists or criminals, acts of domestic or foreign governments, change in any law or

regulation, fires, floods, explosions, epidemics, disruptions in communications, power, or other utilities,

strikes or other labor problems, riots, or unavailability of supplies.

(d)

Governing Law; Venue. This Agreement shall be construed and enforced in accordance

with the laws of the state of California (other than its conflicts of law provisions) and venue shall be

exclusively in the federal or state courts sitting in California.

(e)

Jury Trial Waiver. THE PARTIES SPECIFICALLY WAIVE ANY RIGHT TO TRIAL

BY JURY IN ANY COURT WITH RESPECT TO ANY CONTRACTUAL, TORTIOUS, OR

STATUTORY CLAIM, COUNTERCLAIM, OR CROSS-CLAIM AGAINST THE OTHER ARISING

OUT OF OR CONNECTED IN ANY WAY TO THIS AGREEMENT, BECAUSE THE PARTIES

HERETO, BOTH OF WHICH ARE REPRESENTED BY COUNSEL, BELIEVE THAT THE COMPLEX

COMMERCIAL AND PROFESSIONAL ASPECTS OF THEIR DEALINGS WITH ONE ANOTHER

MAKE A JURY DETERMINATION NEITHER DESIRABLE NOR APPROPRIATE.

(f)

Injunctive Relief. Each party acknowledges that any violation of its covenants in this

Agreement relating to the other party’s Confidential Information and intellectual property would result in

damage to such party that is largely intangible but nonetheless real and that is incapable of complete remedy

by an award of damages. Accordingly, any such violation shall give such party the right to a court-ordered

injunction or other appropriate order to enforce specifically those covenants without bond and without

prejudice to any other rights or remedies to which such party may be entitled as a result of a breach of this

Agreement.

Confidential

Page 11 of 35

(g)

Attorney Fees. If litigation or other action is commenced by a party to enforce this

Agreement or between the parties concerning any dispute arising out of or relating to this Agreement, the

prevailing party will be entitled, in addition to any other award that may be made, to recover all court costs

and other official costs and all reasonable expenses associated with the litigation or other action, including

reasonable fees and expenses of counsel.

(h)

Assignment. Customer may transfer or assign some or all of its rights and/or delegate some

or all of its obligations under this Agreement only with the express prior written consent of Orbit, which

may be granted or withheld in Orbit’s sole discretion; provided, however, that if Customer is not a natural

person, Customer may assign all of its rights hereunder indivisibly to an entity that controls, is controlled

by, or is under common control with Customer (“control” meaning possession, directly or indirectly, of a

majority of an entity’s voting interests) or to a purchaser of substantially all of Customer’s assets so long

as such assignee (i) agrees in writing to comply with Customer’s obligations under, and to be bound by,

this Agreement (this clause does not in itself authorize Customer to delegate its duties under this

Agreement) and (ii) promptly notifies Orbit in writing of the same. Any purported transfer or assignment

by Customer of any right under this Agreement otherwise than in accordance with the provisions of this

paragraph shall be null and void and a breach of this Agreement. This Agreement shall be fully assignable

by Orbit in its sole discretion.

(i)

Successors and Assigns. This Agreement will be binding upon and inure to the benefit of

the parties and their successors and assigns permitted by this Agreement.

(j)

No Third Party Beneficiaries. Except as otherwise expressly set forth herein, nothing in

this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the

parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities

whatsoever.

(k)

Entire Agreement. This Agreement and any separately-executed Statement of Work,

together with all exhibits and attachments to each of the foregoing, constitutes the entire agreement between

the parties concerning the subject matter hereof. In the event of any conflicting terms between this

Agreement and any Statement of Work, this Agreement shall control unless the Statement of Work

specifically states otherwise. No prior or contemporaneous representations, inducements, promises, or

agreements, oral or otherwise, between the parties with reference thereto will be of any force or effect. Each

party represents and warrants that, in entering into and performing its obligations under this Agreement, it

does not and will not rely on any promise, inducement, or representation allegedly made by or on behalf of

the other party with respect to the subject matter hereof, nor on any course of dealing or custom and usage

in the trade, except as such promise, inducement, or representation may be expressly set forth herein.

(l)

Survival. The covenants herein concerning Confidential Information, indemnification,

post-termination procedures, and any other provision that, by its nature, is intended to survive this

Agreement shall survive any termination or expiration of this Agreement.

(m)

Amendment and Waiver. Except as otherwise expressly provided herein, no modification

or amendment to this Agreement will be valid or binding unless in writing and duly executed by the party

or parties to be bound thereby. The failure of either party at any time to require performance by the other

party of any provision of this Agreement shall in no way affect the right of such party to require performance

of that provision. Any waiver by either party of any breach of this Agreement shall not be construed as a

waiver of any continuing or succeeding breach of such provision, a waiver of the provision itself, or a

waiver of any right under this Agreement.

(n)

Severability. If any provision of this Agreement is ruled wholly or partly invalid or

unenforceable by a court or other body of competent jurisdiction, then (i) the validity and enforceability of

Confidential

Page 12 of 35

all provisions of this Agreement not ruled to be invalid or unenforceable will be unaffected; (ii) the effect

of the ruling will be limited to the jurisdiction of the court or other body making the ruling; (iii) the provision

held wholly or partly invalid or unenforceable shall be deemed amended, and the court or other body is

authorized to reform the provision, to the minimum extent necessary to render them valid and enforceable

in conformity with the parties’ intent as manifested herein; and (iv) if the ruling or the controlling principle

of law or equity leading to the ruling subsequently is overruled, modified, or amended by legislative,

judicial, or administrative action, then the provision in question as originally set forth in this Agreement

shall be deemed valid and enforceable to the maximum extent permitted by the new controlling principle

of law or equity.

(o)

Headings. The headings of the sections used in this Agreement are included for

convenience only and are not to be used in construing or interpreting this Agreement.

Confidential

Page 13 of 35

EXHIBIT A

DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “Addendum”) is made effective as of the Effective Date (as

defined below), by and between Orbit and Customer.

WHEREAS, the parties have entered into that certain Subscription Agreement (the “Agreement”)

to which this Addendum is attached and pursuant to which Orbit shall provide the Licensed Materials and

certain services (collectively, the “Services”); and

WHEREAS, Customer is a “Controller” under the GDPR and requires a data processing agreement

with third parties engaged in the Processing of Personal Data on its behalf; and

WHEREAS, in the course of performing its obligations under the Agreement, Orbit may Process

Customer Personal Data on behalf of Customer as a Processor; and

WHEREAS, this Addendum forms an integral part of the Agreement and applies to the extent that

Orbit Processes Customer Personal Data in the course of its performance under the Agreement.

NOW, THEREFORE, in consideration of the mutual covenants contained herein, and other good

and valuable consideration, the sufficiency of which is hereby acknowledged, the parties agree as follows:

Definitions.

(a)

All capitalized terms used but not otherwise defined herein shall have the meanings set

forth in the Agreement.

(b)

“Customer Personal Data” means any Personal Data which Orbit Processes pursuant to

the Agreement on behalf of Customer in its role as Controller.

(c)

“Data Protection Legislation” means all European data protection and privacy laws

applicable to the Processing of Customer Personal Data under the Agreement, including, where applicable,

GDPR.

(d)

“Effective Date” means the later of the date on which the Agreement becomes effective

or the date on which Customer provides Customer Personal Data to Orbit for Processing.

(e)

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27

April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the

free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(f)

“Personal Data Breach” means a Personal Data Breach of Customer Personal Data in

connection with the Agreement.

(g)

“Security Measures” means commercially reasonable security-related policies, standards,

and practices commensurate with the size and complexity of Orbit’s business; the level of sensitivity of the

Personal Data collected, handled and stored; and the nature of Orbit’s business activities.

(h)

“Sub-Processor” means any Processor engaged by Orbit to Process Customer Personal

Data pursuant to the terms of the Agreement and this Addendum.

Confidential

Page 14 of 35

(i)

“Controller”,

“Data Subject”,

“Personal Data”,

“Personal Data Breach”,

“Processor”, “Process”, “Processing”, and “Supervisory Authority” shall have the meanings ascribed

to such terms in the Data Protection Legislation, whether or not capitalized therein.

Relationship of the Parties. The parties acknowledge and agree that Customer is the

Controller and that Orbit is a Processor with respect to all Customer Personal Data.

Compliance with Laws.

(a)

Each party shall comply with its respective obligations under the Data Protection

Legislation with respect to Customer Personal Data. Customer shall not use the Services or the Licensed

Materials in a manner that violates Data Protection Legislation, nor shall Customer instruct Processor to

Process Customer Personal Data in violation of Data Protection Legislation. Customer represents, warrants,

and covenants that it will only instruct Orbit to Process Customer Personal Data and use the Services and

Licensed Materials in a manner that complies with Data Protection Legislation.

(b)

Customer represents and warrants that it has a valid legal basis or lawful purpose for

Processing Customer Personal Data and for any transfer of Customer Personal Data to Orbit, and Customer

shall maintain a record of such valid legal bases and lawful purposes. Customer shall immediately notify

Orbit if any change should occur in the legal bases or lawful purposes for the Processing or transfer of

Customer Personal Data and shall immediately instruct Orbit of any new or revised scope, duration, subject

matter, nature, or purposes regarding the Processing of Customer Personal Data by Orbit.

(c)

Customer shall have sole responsibility for the accuracy, quality, and legality of Customer

Personal Data and the means by which Customer acquires Customer Personal Data. Customer represents

and warrants that it has all rights and necessary consents and that it has provided all necessary notices to

Process Customer Personal Data and to transfer Customer Personal Data to Orbit. Customer shall obtain all

necessary consents from Data Subjects and shall maintain a record of such rights and consents. Customer

shall immediately notify Orbit if a Data Subject revokes or changes his or her consent to the Processing of

his or her Personal Data and shall immediately instruct Orbit of any new or revised scope, duration, subject

matter, nature, or purposes regarding the Processing of Customer Personal Data by Orbit.

Processing Purpose and Instructions.

(a)

Customer shall determine and instruct Orbit as to the scope, purposes, and manner by

which Customer Personal Data is to be Processed by Orbit and, from time to time, may reasonably modify

those instructions. Orbit shall notify Customer if, in Orbit’s opinion, an instruction provided by Customer

infringes upon Data Protection Legislation.

(b)

Customer represents and warrants to Orbit that the subject matter, duration, nature, and

purposes of the Processing and the types of Personal Data and categories of Data Subjects contemplated by

this Addendum are accurately described as follows and instructs Orbit to engage in such Processing:

(i)

Subject Matter of the Processing: Orbit’s provision of the Services under the

Agreement; provided, however, Customer acknowledges and agrees that it controls how the Licensed

Materials are used to Process Customer Personal Data.

(ii)

Duration of the Processing: The term of the Agreement plus the period from the expiry

of the term until deletion of all Customer Personal Data by Orbit in accordance with the Agreement.

(iii)

The Nature and Purpose of the Processing: Orbit will process Customer Personal Data

for the purposes of providing the Services as instructed by Customer. Processing activities may include:

collection, retrieval, organization, storage, alteration, enhancement, aggregation, de-identification, use, and

Confidential

Page 15 of 35

disclosure. Customer acknowledges and agrees that it controls how the Licensed Materials are used to

Process Customer Personal Data.

(iv)

The Types of Personal Data and Categories of Data Subjects: The types of Personal

Data and Data Subjects include the individuals selected by Customer or Customer’s employees, agents, or

contractors and information collected and Processed in providing the Services. Customer acknowledges

and agrees that it controls how the Licensed Materials are used to Process Customer Personal Data.

(c)

Orbit shall only Process Customer Personal Data as set forth in the Agreement, this

Addendum, and any specific, written instructions provided by an authorized representative of Customer to

Orbit; provided, however that Orbit may engage in Processing required by Data Protection Legislation to

which Orbit is subject after informing Customer of any such requirement (unless the law prohibits providing

such information).

Reasonable Security and Safeguards.

(a)

Subject to any hardware, software and network infrastructure used by Customer, Orbit

shall, taking into account the state of the art, the costs of implementation, and the nature, scope, context and

purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of

natural persons, implement appropriate technical and organizational measures (the Security Measures) to

ensure a level of security appropriate to the risks presented by the Processing and the nature of Customer

Personal Data.

(b)

The Security Measures are subject to technical progress and development, and Orbit may

update or modify the Security Measures from time to time provided that such updates and modifications do

not result in the degradation of the overall security.

(c)

Orbit shall take steps to ensure that any natural person acting under the authority of Orbit

who has been granted access to the Customer Personal Data by Orbit does not Process Customer Personal

Data in violation of this Addendum. Orbit shall ensure that persons authorized to Process Customer

Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation

of confidentiality.

(d)

Customer is responsible for using and configuring the Services and the Licensed Materials

in a manner which enables both parties to comply with Data Protection Legislation and for implementing

appropriate technical and organizational measures with respect to its systems, networks, resources,

personnel, and operations to ensure the privacy and security of Customer Personal Data.

Personal Data Breach.

(a)

Upon becoming aware of a Personal Data Breach, Orbit will notify Customer without

undue delay and will provide information relating to the Personal Data Breach as reasonably requested by

Customer.

(b)

Orbit shall notify Customer without undue delay if, in its assessment, Customer Personal

Data has been Processed in a manner that is inconsistent with this Addendum, the instructions provided

Customer, or Data Protection Laws.

Assessments and Audits.

(a)

Orbit shall, upon reasonable and written notice and subject to obligations of confidentiality

and pursuant to a non-disclosure agreement, contribute to audits (including inspections) conducted by

Customer or a third-party auditor mutually agreed upon by the parties and allow its Processing procedures

Confidential

Page 16 of 35

and documentation to be inspected no more than annually in order to ascertain compliance with this

Addendum. Such audit shall be at Customer’s sole expense. Orbit shall cooperate in good faith with audit

requests by providing access to relevant knowledgeable personnel and documentation. Except as otherwise

required by law, (i) Customer shall provide at least thirty (30) days prior written notice to Orbit of any

requested audit; (ii) any audit shall be conducted during Orbit’s normal business hours; (iii) an audit shall

not last longer than three (3) business days; and (iv) Customer and its agents and auditors shall not access

Orbit’s proprietary or confidential information, except to the extent access is strictly necessary to

demonstrate compliance with this Addendum and in a manner acceptable to Orbit that preserves the

proprietary or confidential nature of the information.

(b)

During the term of this Addendum, Orbit shall make available to Customer all information

necessary to demonstrate Orbit’s compliance with Article 28 of the GDPR.

Cooperation and Assistance

(a)

Taking into account the nature of the Processing and the information available to Orbit,

Orbit shall assist Customer in ensuring compliance with Customer’s obligations under Articles 32 through

36 of the GDPR.

(b)

Taking into account the nature of the Processing, Orbit shall assist Customer by

implementing appropriate technical and organizational measures, insofar as is possible, for the fulfilment

of Customer’s obligations of responding to requests for exercising a data subject’s rights under Chapter III

of the GDPR.

(i)

If Orbit receives any requests from Data Subjects or applicable Supervisory

Authorities relating to the Processing of Customer Personal Data under the Agreement, including requests

from Data Subjects seeking to exercise their rights under Data Protection Legislation, Orbit will promptly

redirect the request to Customer. Orbit will not respond to such communication directly without Customer's

prior authorization, unless legally compelled to do so.

(ii)

In the event Customer needs to provide information (including details of the services

provided by Orbit) to a competent Supervisory Authority, Orbit shall assist Customer in providing such

information, to the extent that such information is solely in the possession of Orbit or its Sub-processors.

(c)

To the extent permitted by law, each party shall promptly inform the other party of any

inquiry or complaint received from a Data Subject or a Supervisory Authority relating to the Processing of

Customer Personal Data under this Addendum. The parties and their respective employees, contractors, and

agents shall cooperate with a Supervisory Authority in the performance of its tasks with respect to this

Addendum.

Use of Sub-Processors

(a)

Customer acknowledges and agrees that Orbit may engage such Sub-Processors as Orbit

determines are reasonably appropriate for the Processing of Customer Personal Data under the Agreement

and the Standard Contractual Clauses attached hereto as Exhibit 1. Orbit shall ensure that each of its Sub-

Processors is bound by substantially the same data protection obligations applicable to Orbit under this

Addendum by way of contract, including sufficient guarantees to implement appropriate technical and

organization measures such that the Processing by the Sub-Processor will meet the requirements imposed

by the GDPR. Customer hereby consents to Orbit’s subcontracting of its processing of Personal Data under

the Standard Contractual Clauses attached hereto as Exhibit 1.

(b)

Customer hereby consents to the processing of Customer Personal Data by, and the

disclosure and transfer of Customer Personal Data to, the Sub-Processors listed on Annex III to Exhibit 1.

Confidential

Page 17 of 35

(c)

Customer provides a general consent for Orbit to engage onward Sub-Processors in the

Processing of Customer Personal Data under the Agreement without Customer’s prior consent, provided

that Orbit has entered into an agreement with the Sub-Processor containing data protection obligations that

are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided

by the Sub-processor). Within ten (10) days of receiving a notification from Orbit to Customer of any

changes in its use of Sub-Processors during the term of the Agreement, Customer shall notify Orbit of any

objections to such additional or different Sub-Processors. If Customer does not timely notify Orbit of an

objection, Customer acknowledges and agrees that Orbit may use the Sub-Processor(s) identified in Orbit’s

notice pursuant to the general authorization provided by Customer in this Section.

(d)

To the extent required under Data Protection Legislation, Orbit will be responsible for any

acts, errors, or omissions of its Sub-Processors that cause Orbit to breach any of its obligations under this

Addendum.

10.

International Data Transfers. Customer acknowledges and agrees that Customer Personal

Data will be transferred to the United States of America, a jurisdiction that has been determined not to offer

an adequate level of data protection by the European Commission. Customer further acknowledges and

agrees that Orbit’s Sub-Processor for cloud storage and related services may in limited instances transfer

Customer Personal Data to other jurisdictions for which the European Commission has not adopted an

adequacy decision. To facilitate such transfers, the parties hereby enter into the Standard Contractual

Clauses attached hereto as Exhibit 1, which are incorporated by reference herein. The parties shall work

together during the Term to ensure that they (or the relevant Sub-Processor) have a legally-approved

mechanism in place to facilitate such data transfers, including working together to document the

appropriateness of such mechanism in accordance with Data Protection Legislation. Customer

acknowledges and agrees that by clicking the button on the Orbit Labs registration page to accept the

agreement, Customer executes the Standard Contractual Clauses attached hereto as Exhibit 1.

11.

Data Retention and Destruction. Upon termination of the Agreement and upon completion

of Orbit’s obligations in relation to the Processing of Customer Personal Data under this Addendum, or

upon Customer’s written instructions at any time during the term of this Addendum, Orbit shall either: (i)

return to Customer all or certain subsets of Customer Personal Data in Orbit’s possession; (ii) render

anonymous all or certain subsets of Customer Personal Data in Orbit’s possession; or (iii) permanently

delete or render unreadable all or certain subsets of Customer Personal Data. In the event Orbit determines

that anonymization, return, or destruction of Customer Personal Data is not reasonably feasible because

Orbit is required by applicable law to retain any such Customer Personal Data, Orbit shall notify Customer

thereof and limit any further Processing to those purposes that make the anonymization, return or

destruction infeasible. The requirements of this section shall survive termination or expiration of this

Addendum and shall be in force as long as any Customer Personal Data remain in the custody or control of

Orbit.

12.

Liability and Indemnification. Customer will indemnify, defend, and hold Orbit harmless

against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees,

and settlement amounts) made or brought against Orbit by a third party alleging that the Services, Licensed

Materials, or the Processing or transfer of Customer Personal Data infringes Data Protection Legislation.

13.

General.

(a)

Orbit acknowledges and agrees that it has no ownership of Customer Personal Data other

than as expressly permitted under the Agreement or as authorized by Customer.

(b)

ANY CLAIMS BROUGHT UNDER THIS ADDENDUM WILL BE SUBJECT TO THE

TERMS AND CONDITIONS OF THE AGREEMENT, INCLUDING THE EXCLUSIONS AND

Confidential

Page 18 of 35

EXHIBIT 1

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

Clause 1

Purpose and scope

(a)

The purpose of these standard contractual clauses is to ensure compliance with the

requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council

of 27 April 2016 on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data (General Data Protection Regulation)

for the transfer of personal data to a third country.

(b)

The Parties:

(i)

the natural or legal person(s), public authority/ies, agency/ies or other body/ies

(hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A

(hereinafter each ‘data exporter’), and

(ii)

the entity/ies in a third country receiving the personal data from the data exporter,

directly or indirectly via another entity also Party to these Clauses, as listed in

Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)

These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)

The Appendix to these Clauses containing the Annexes referred to therein forms an integral

part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)

These Clauses set out appropriate safeguards, including enforceable data subject rights and

effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU)

2016/679 and, with respect to data transfers from controllers to processors and/or

processors to processors, standard contractual clauses pursuant to Article

28(7) of

Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate

Module(s) or to add or update information in the Appendix. This does not prevent the

Parties from including the standard contractual clauses laid down in these Clauses in a

wider contract and/or to add other clauses or additional safeguards, provided that they do

not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or

freedoms of data subjects.

(b)

These Clauses are without prejudice to obligations to which the data exporter is subject by

virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

Confidential

Page 20 of 35

(a)

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against

the data exporter and/or data importer, with the following exceptions:

(i)

Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)

Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii)

Clause 9(a), (c), (d) and (e);

(iv)

Clause 12(a), (d) and (f);

(v)

Clause 13;

(vi)

Clause 15.1(c), (d) and (e);

(vii)

Clause 16(e);

(viii) Clause 18(a) and (b).

(b)

Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU)

2016/679.

Clause 4

Interpretation

(a)

Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms

shall have the same meaning as in that Regulation.

(b)

These Clauses shall be read and interpreted in the light of the provisions of Regulation

(EU) 2016/679.

(c)

These Clauses shall not be interpreted in a way that conflicts with rights and obligations

provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements

between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these

Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred

and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

Confidential

Page 21 of 35

(a)

An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede

to these Clauses at any time, either as a data exporter or as a data importer, by completing

the Appendix and signing Annex I.A.

(b)

Once it has completed the Appendix and signed Annex I.A, the acceding entity shall

become a Party to these Clauses and have the rights and obligations of a data exporter or

data importer in accordance with its designation in Annex I.A.

(c)

The acceding entity shall have no rights or obligations arising under these Clauses from

the period prior to becoming a Party.

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer

is able, through the implementation of appropriate technical and organisational measures, to satisfy

its obligations under these Clauses.

8.1 Instructions

(a)

The data importer shall process the personal data only on documented instructions from

the data exporter. The data exporter may give such instructions throughout the duration of

the contract.

(b)

The data importer shall immediately inform the data exporter if it is unable to follow those

instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer,

as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as

completed by the Parties, available to the data subject free of charge. To the extent necessary to

protect business secrets or other confidential information, including the measures described in

Annex II and personal data, the data exporter may redact part of the text of the Appendix to these

Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject

would otherwise not be able to understand the its content or exercise his/her rights. On request, the

Parties shall provide the data subject with the reasons for the redactions, to the extent possible

without revealing the redacted information. This Clause is without prejudice to the obligations of

the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has

become outdated, it shall inform the data exporter without undue delay. In this case, the data

importer shall cooperate with the data exporter to erase or rectify the data.

Confidential

Page 22 of 35

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After

the end of the provision of the processing services, the data importer shall, at the choice of the data

exporter, delete all personal data processed on behalf of the data exporter and certify to the data

exporter that it has done so, or return to the data exporter all personal data processed on its behalf

and delete existing copies. Until the data is deleted or returned, the data importer shall continue to

ensure compliance with these Clauses. In case of local laws applicable to the data importer that

prohibit return or deletion of the personal data, the data importer warrants that it will continue to

ensure compliance with these Clauses and will only process it to the extent and for as long as

required under that local law. This is without prejudice to Clause 14, in particular the requirement

for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the

contract if it has reason to believe that it is or has become subject to laws or practices not in line

with the requirements under Clause 14(a).

8.6 Security of processing

(a)

The data importer and, during transmission, also the data exporter shall implement

appropriate technical and organisational measures to ensure the security of the data,

including protection against a breach of security leading to accidental or unlawful

destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter

‘personal data breach’). In assessing the appropriate level of security, the Parties shall take

due account of the state of the art, the costs of implementation, the nature, scope, context

and purpose(s) of processing and the risks involved in the processing for the data subjects.

The Parties shall in particular consider having recourse to encryption or pseudonymisation,

including during transmission, where the purpose of processing can be fulfilled in that

manner. In case of pseudonymisation, the additional information for attributing the

personal data to a specific data subject shall, where possible, remain under the exclusive

control of the data exporter. In complying with its obligations under this paragraph, the

data importer shall at least implement the technical and organisational measures specified

in Annex II. The data importer shall carry out regular checks to ensure that these measures

continue to provide an appropriate level of security.

(b)

The data importer shall grant access to the personal data to members of its personnel only

to the extent strictly necessary for the implementation, management and monitoring of the

contract. It shall ensure that persons authorised to process the personal data have committed

themselves to confidentiality or are under an appropriate statutory obligation of

confidentiality.

(c)

In the event of a personal data breach concerning personal data processed by the data

importer under these Clauses, the data importer shall take appropriate measures to address

the breach, including measures to mitigate its adverse effects. The data importer shall also

notify the data exporter without undue delay after having become aware of the breach.

Such notification shall contain the details of a contact point where more information can

be obtained, a description of the nature of the breach (including, where possible, categories

and approximate number of data subjects and personal data records concerned), its likely

consequences and the measures taken or proposed to address the breach including, where

Confidential

Page 23 of 35

appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is

not possible to provide all information at the same time, the initial notification shall contain

the information then available and further information shall, as it becomes available,

subsequently be provided without undue delay.

(d)

The data importer shall cooperate with and assist the data exporter to enable the data

exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to

notify the competent supervisory authority and the affected data subjects, taking into

account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions,

religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for

the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life

or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive

data’), the data importer shall apply the specific restrictions and/or additional safeguards described

in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions

from the data exporter. In addition, the data may only be disclosed to a third party located outside

the European Union (in the same country as the data importer or in another third country,

hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under

the appropriate Module, or if:

(i)

the onward transfer is to a country benefitting from an adequacy decision pursuant to

Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)

the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47

Regulation of (EU) 2016/679 with respect to the processing in question;

(iii)

the onward transfer is necessary for the establishment, exercise or defence of legal claims

in the context of specific administrative, regulatory or judicial proceedings; or

(iv)

the onward transfer is necessary in order to protect the vital interests of the data subject or

of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards

under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a)

The data importer shall promptly and adequately deal with enquiries from the data exporter

that relate to the processing under these Clauses.

(b)

The Parties shall be able to demonstrate compliance with these Clauses. In particular, the

data importer shall keep appropriate documentation on the processing activities carried out

on behalf of the data exporter.

Confidential

Page 24 of 35

(c)

The data importer shall make available to the data exporter all information necessary to

demonstrate compliance with the obligations set out in these Clauses and at the data

exporter’s request, allow for and contribute to audits of the processing activities covered

by these Clauses, at reasonable intervals or if there are indications of non-compliance. In

deciding on a review or audit, the data exporter may take into account relevant

certifications held by the data importer.

(d)

The data exporter may choose to conduct the audit by itself or mandate an independent

auditor. Audits may include inspections at the premises or physical facilities of the data

importer and shall, where appropriate, be carried out with reasonable notice.

(e)

The Parties shall make the information referred to in paragraphs (b) and (c), including the

results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)

The data importer has the data exporter’s general authorisation for the engagement of sub-

processor(s) from an agreed list. The data importer shall specifically inform the data

exporter in writing of any intended changes to that list through the addition or replacement

of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient

time to be able to object to such changes prior to the engagement of the sub-processor(s).

The data importer shall provide the data exporter with the information necessary to enable

the data exporter to exercise its right to object.

(b)

Where the data importer engages a sub-processor to carry out specific processing activities

(on behalf of the data exporter), it shall do so by way of a written contract that provides

for, in substance, the same data protection obligations as those binding the data importer

under these Clauses, including in terms of third-party beneficiary rights for data

subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its

obligations under Clause 8.8. The data importer shall ensure that the sub-processor

complies with the obligations to which the data importer is subject pursuant to these

Clauses.

(c)

The data importer shall provide, at the data exporter’s request, a copy of such a sub-

processor agreement and any subsequent amendments to the data exporter. To the extent

necessary to protect business secrets or other confidential information, including personal

data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)

The data importer shall remain fully responsible to the data exporter for the performance

of the sub-processor’s obligations under its contract with the data importer. The data

importer shall notify the data exporter of any failure by the sub-processor to fulfil its

obligations under that contract.

(e)

The data importer shall agree a third-party beneficiary clause with the sub-processor

whereby - in the event the data importer has factually disappeared, ceased to exist in law

or has become insolvent - the data exporter shall have the right to terminate the sub-

processor contract and to instruct the sub-processor to erase or return the personal data.

Confidential

Page 25 of 35

Clause 10

Data subject rights

(a)

The data importer shall promptly notify the data exporter of any request it has received

from a data subject. It shall not respond to that request itself unless it has been authorised

to do so by the data exporter.

(b)

The data importer shall assist the data exporter in fulfilling its obligations to respond to

data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In

this regard, the Parties shall set out in Annex II the appropriate technical and organisational

measures, taking into account the nature of the processing, by which the assistance shall

be provided, as well as the scope and the extent of the assistance required.

(c)

In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply

with the instructions from the data exporter.

Clause 11

Redress

(a)

The data importer shall inform data subjects in a transparent and easily accessible format,

through individual notice or on its website, of a contact point authorised to handle

complaints. It shall deal promptly with any complaints it receives from a data subject.

(b)

In case of a dispute between a data subject and one of the Parties as regards compliance

with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a

timely fashion. The Parties shall keep each other informed about such disputes and, where

appropriate, cooperate in resolving them.

(c)

Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the

data importer shall accept the decision of the data subject to:

(i)

lodge a complaint with the supervisory authority in the Member State of his/her

habitual residence or place of work, or the competent supervisory authority

pursuant to Clause 13;

(ii)

refer the dispute to the competent courts within the meaning of Clause 18.

(d)

The Parties accept that the data subject may be represented by a not-for-profit body,

organisation or association under the conditions set out in Article 80(1) of Regulation (EU)

2016/679.

(e)

The data importer shall abide by a decision that is binding under the applicable EU or

Member State law.

(f)

The data importer agrees that the choice made by the data subject will not prejudice his/her

substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

Confidential

Page 26 of 35

(a)

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies

by any breach of these Clauses.

(b)

The data importer shall be liable to the data subject, and the data subject shall be entitled

to receive compensation, for any material or non-material damages the data importer or its

sub-processor causes the data subject by breaching the third-party beneficiary rights under

these Clauses.

(c)

Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the

data subject shall be entitled to receive compensation, for any material or non-material

damages the data exporter or the data importer (or its sub-processor) causes the data subject

by breaching the third-party beneficiary rights under these Clauses. This is without

prejudice to the liability of the data exporter and, where the data exporter is a processor

acting on behalf of a controller, to the liability of the controller under Regulation (EU)

2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)

The Parties agree that if the data exporter is held liable under paragraph (c) for damages

caused by the data importer (or its sub-processor), it shall be entitled to claim back from

the data importer that part of the compensation corresponding to the data importer’s

responsibility for the damage.

(e)

Where more than one Party is responsible for any damage caused to the data subject as a

result of a breach of these Clauses, all responsible Parties shall be jointly and severally

liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)

The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to

claim back from the other Party/ies that part of the compensation corresponding to its/their

responsibility for the damage.

(g)

The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a)

The supervisory authority with responsibility for ensuring compliance by the data exporter with

Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as

competent supervisory authority.

(b)

The data importer agrees to submit itself to the jurisdiction of and cooperate with the

competent supervisory authority in any procedures aimed at ensuring compliance with

these Clauses. In particular, the data importer agrees to respond to enquiries, submit to

audits and comply with the measures adopted by the supervisory authority, including

remedial and compensatory measures. It shall provide the supervisory authority with

written confirmation that the necessary actions have been taken.

Clause 14

Local laws and practices affecting compliance with the Clauses

Confidential

Page 27 of 35

(a)

The Parties warrant that they have no reason to believe that the laws and practices in the

third country of destination applicable to the processing of the personal data by the data

importer, including any requirements to disclose personal data or measures authorising

access by public authorities, prevent the data importer from fulfilling its obligations under

these Clauses. This is based on the understanding that laws and practices that respect the

essence of the fundamental rights and freedoms and do not exceed what is necessary and

proportionate in a democratic society to safeguard one of the objectives listed in Article

23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)

The Parties declare that in providing the warranty in paragraph (a), they have taken due

account in particular of the following elements:

(i)

the specific circumstances of the transfer, including the length of the processing

chain, the number of actors involved and the transmission channels used; intended

onward transfers; the type of recipient; the purpose of processing; the categories

and format of the transferred personal data; the economic sector in which the

transfer occurs; the storage location of the data transferred;

(ii)

the laws and practices of the third country of destination- including those requiring

the disclosure of data to public authorities or authorising access by such authorities

- relevant in light of the specific circumstances of the transfer, and the applicable

limitations and safeguards;

(iii)

any relevant contractual, technical or organisational safeguards put in place to

supplement the safeguards under these Clauses, including measures applied during

transmission and to the processing of the personal data in the country of destination.

(c)

The data importer warrants that, in carrying out the assessment under paragraph (b), it has

made its best efforts to provide the data exporter with relevant information and agrees that

it will continue to cooperate with the data exporter in ensuring compliance with these

Clauses.

(d)

The Parties agree to document the assessment under paragraph (b) and make it available to

the competent supervisory authority on request.

(e)

The data importer agrees to notify the data exporter promptly if, after having agreed to

these Clauses and for the duration of the contract, it has reason to believe that it is or has

become subject to laws or practices not in line with the requirements under paragraph (a),

including following a change in the laws of the third country or a measure (such as a

disclosure request) indicating an application of such laws in practice that is not in line with

the requirements in paragraph (a).

(f)

Following a notification pursuant to paragraph (e), or if the data exporter otherwise has

reason to believe that the data importer can no longer fulfil its obligations under these

Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or

organisational measures to ensure security and confidentiality) to be adopted by the data

exporter and/or data importer to address the situation. The data exporter shall suspend the

data transfer if it considers that no appropriate safeguards for such transfer can be ensured,

or if instructed by the competent supervisory authority to do so. In this case, the data

Confidential

Page 28 of 35

exporter shall be entitled to terminate the contract, insofar as it concerns the processing of

personal data under these Clauses. If the contract involves more than two Parties, the data

exporter may exercise this right to termination only with respect to the relevant Party,

unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this

Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1

Notification

(a)

The data importer agrees to notify the data exporter and, where possible, the data

subject promptly (if necessary with the help of the data exporter) if it:

(i)

receives a legally binding request from a public authority, including judicial

authorities, under the laws of the country of destination for the disclosure

of personal data transferred pursuant to these Clauses; such notification

shall include information about the personal data requested, the requesting

authority, the legal basis for the request and the response provided; or

(ii)

becomes aware of any direct access by public authorities to personal data

transferred pursuant to these Clauses in accordance with the laws of the

country of destination; such notification shall include all information

available to the importer.

(b)

If the data importer is prohibited from notifying the data exporter and/or the data

subject under the laws of the country of destination, the data importer agrees to use

its best efforts to obtain a waiver of the prohibition, with a view to communicating

as much information as possible, as soon as possible. The data importer agrees to

document its best efforts in order to be able to demonstrate them on request of the

data exporter.

(c)

Where permissible under the laws of the country of destination, the data importer

agrees to provide the data exporter, at regular intervals for the duration of the

contract, with as much relevant information as possible on the requests received (in

particular, number of requests, type of data requested, requesting authority/ies,

whether requests have been challenged and the outcome of such challenges, etc.).

(d)

The data importer agrees to preserve the information pursuant to paragraphs (a) to

supervisory authority on request.

(e)

Paragraphs (a) to (c) are without prejudice to the obligation of the data importer

pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where

it is unable to comply with these Clauses.

15.2

Review of legality and data minimisation

(a)

The data importer agrees to review the legality of the request for disclosure, in

particular whether it remains within the powers granted to the requesting public

authority, and to challenge the request if, after careful assessment, it concludes that

Confidential

Page 29 of 35

there are reasonable grounds to consider that the request is unlawful under the laws

of the country of destination, applicable obligations under international law and

principles of international comity. The data importer shall, under the same

conditions, pursue possibilities of appeal. When challenging a request, the data

importer shall seek interim measures with a view to suspending the effects of the

request until the competent judicial authority has decided on its merits. It shall not

disclose the personal data requested until required to do so under the applicable

procedural rules. These requirements are without prejudice to the obligations of the

data importer under Clause 14(e).

(b)

The data importer agrees to document its legal assessment and any challenge to the

request for disclosure and, to the extent permissible under the laws of the country

of destination, make the documentation available to the data exporter. It shall also

make it available to the competent supervisory authority on request.

(c)

The data importer agrees to provide the minimum amount of information

permissible when responding to a request for disclosure, based on a reasonable

interpretation of the request.

Clause 16

Non-compliance with the Clauses and termination

(a)

The data importer shall promptly inform the data exporter if it is unable to comply with

these Clauses, for whatever reason.

(b)

In the event that the data importer is in breach of these Clauses or unable to comply with

these Clauses, the data exporter shall suspend the transfer of personal data to the data

importer until compliance is again ensured or the contract is terminated. This is without

prejudice to Clause 14(f).

(c)

The data exporter shall be entitled to terminate the contract, insofar as it concerns the

processing of personal data under these Clauses, where:

(i)

the data exporter has suspended the transfer of personal data to the data importer

pursuant to paragraph (b) and compliance with these Clauses is not restored within

a reasonable time and in any event within one month of suspension;

(ii)

the data importer is in substantial or persistent breach of these Clauses; or

(iii)

the data importer fails to comply with a binding decision of a competent court or

supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance.

Where the contract involves more than two Parties, the data exporter may exercise this

right to termination only with respect to the relevant Party, unless the Parties have agreed

otherwise.

(d)

Personal data that has been transferred prior to the termination of the contract pursuant to

paragraph (c) shall at the choice of the data exporter immediately be returned to the data

exporter or deleted in its entirety. The same shall apply to any copies of the data. The data

importer shall certify the deletion of the data to the data exporter. Until the data is deleted

Confidential

Page 30 of 35

or returned, the data importer shall continue to ensure compliance with these Clauses. In

case of local laws applicable to the data importer that prohibit the return or deletion of the

transferred personal data, the data importer warrants that it will continue to ensure

compliance with these Clauses and will only process the data to the extent and for as long

as required under that local law.

(e)

Either Party may revoke its agreement to be bound by these Clauses where (i) the European

Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that

covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU)

2016/679 becomes part of the legal framework of the country to which the personal data is

transferred. This is without prejudice to other obligations applying to the processing in

question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law

allows for third-party beneficiary rights. The Parties agree that this shall be the law of France.

Clause 18

Choice of forum and jurisdiction

(a)

Any dispute arising from these Clauses shall be resolved by the courts of an EU Member

State.

(b)

The Parties agree that those shall be the courts of France.

(c)

A data subject may also bring legal proceedings against the data exporter and/or data

importer before the courts of the Member State in which he/she has his/her habitual

residence.

(d)

The Parties agree to submit themselves to the jurisdiction of such courts.

Confidential

Page 31 of 35

ANNEX I

A. LIST OF PARTIES

Data Importer: Processor

Data Exporter: Controller

Orbit Labs, Inc.

Customer (as defined in the Subscription

Agreement)

325 9^th Street

Customer’s address and contact information as

San Francisco, CA 94103

designated in Registration (as defined in the

Subscription Agreement)

Privacy Officer

privacy@orbit.love

Activities: Orbit, provider of the Services

Activities: Customer, recipient of the Services

B. DESCRIPTION OF TRANSFER

DATA SUBJECTS. The personal data transferred concern the following categories of data subjects:

Individuals selected by Customer or Customer’s employees, agents, or contractors and information

collected and Processed in providing the Services, namely customers and potential customers.

Customer acknowledges and agrees that it controls how the Licensed Materials are used to Process

Customer Personal Data.

CATEGORIES OF DATA. The personal data transferred concern the following categories of data:

First and last name, title, position, employer, contact information (company, email, phone, physical

business address), professional life data, personal life data. Customer acknowledges and agrees

that it controls how the Licensed Materials are used to Process Customer Personal Data.

SENSITIVE DATA (if appropriate). The personal data transferred concern the following categories of

sensitive data:

Depending on how Customer uses the Services, the personal data may include personal data

revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade

union membership, data concerning health, or data concerning a natural person's sex life or sexual

orientation. Customer acknowledges and agrees that it controls how the Licensed Materials are

used to Process Customer Personal Data.

FREQUENCY. The transfer of personal data will occur with the following frequency:

Periodically during the term of the Subscription Agreement, depending on how Customer uses the

Services

NATURE. The nature of the personal data transfer is as follows:

Orbit will process Customer Personal Data for the purposes of providing the Services and as set

forth in the Agreement. Processing activities may include: collection, retrieval, organization,

Confidential

Page 32 of 35

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND

ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s)

(including any relevant certifications) to ensure an appropriate level of security, taking into

account the nature, scope, context and purpose of the processing, and the risks for the rights and

freedoms of natural persons.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and

purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of

natural persons, the data importer has implemented appropriate technical and organizational measures

intended to ensure a level of security appropriate to the risk

Orbit implements various security and compliance measures to ensure that our technical and

organizational controls to ensure security and processing of data are best in class. Orbit is a

SOC 2 Type 1 certified organization under the Common Criteria, and additionally under the

Confidentiality and Processing Integrity optional Criteria. Orbit implements over 116 discrete

controls, made up of many various individual controls as part of our compliance requirements

to ensure that we meet these requirements.

Orbit encrypts all data in transit and at rest, ensuring that data cannot be accessed by any

unauthorized parties while in transit, physically, or through compromise. Orbit implements

various measures including stringent QA processes and regular evaluation of processing

systems to ensure ongoing integrity, availability and resilience of processing systems and

services. Confidentiality of data is a paramount criteria during engineering scoping and is

regularly evaluated independently by our security and infrastructure teams.

Orbit has various processes in place for regularly testing, assessing and evaluations the

effectiveness of our measures. These include, but are not limited to, monthly audits of access

levels, arbitrary spot checks by independent auditors to ensure control compliance, regular

external security penetration tests and evaluations, as well as automated tooling to identify

compliance violations, and stringent access control scope.

In the event of a Disaster Recovery incident, Orbit is well prepared. Our infrastructure is well

documented and we conduct Disaster Recovery drills at least annually to ensure that in the

event of a significant event, we are fully familiar with the processes and flows needed to recover

with speed and accuracy.

Orbit conducts vendor review for all vendors we conduct business with. Additional review is

conducted for any vendors deemed critical to business continuity, and infrastructure providers

are required to meet beyond-industry-standards for physical and digital security controls and

implementations.

Confidential

Page 34 of 35