LICENSING AGREEMENT

This Licensing Agreement (the "Agreement") is entered into and binding upon all relevant parties from the Agreement start date of the signed Quote. The parties to this Agreement are the following: Client, which is indicated in the Quote and has signed this Agreement (the “Licensee”) and ALBATO Limited (the “Licensor”), Vasilissis Freiderikis, 34 Flat/Office 106, 1035, Nicosia, Cyprus, registration number HE-420916, represented by Leonid Goldfarb acting on the basis of the Special power of attorney dated as of June 1st, 2023 together called the “Parties”.

Subject Matter: The Licensor hereby grants the Licensee a non-exclusive and non-transferable right to use the Software Product[1] (the Product or the Albato Platform) made available to the latter through an iFrame[2] by opening access to the Licensor's database server and/or through the application programming interface. The Licensor will provide the Licensee with the Product implementation and modification services, and the Licensee will pay the respective fees under the terms and conditions set forth in this Agreement and the Quote. The Product may be used by the Licensee only to be integrated with the Licensee's products and services and cannot be re-sold or otherwise used for the benefit of third parties on a stand-alone basis. The Licensor will provide the Licensee with the Product implementation, maintenance and modification services, and the Licensee will pay the respective fees under the terms and conditions set forth in this Agreement and the Quote. The license grant includes the right to provide access to Licensee’s end customers referred to as "End Users," as integral components of paid services.

The Product means the Albato integration platform “Albato Embedded,” developed and owned by the Licensor, designed to be incorporated in the Licensee’s product and automate flows through exchanging data between the Licensee’s product and third-party applications. It includes the Albato application source code, the user interface (the Albato platform), and the library of pre-built integrations (connectors). Among the product core modules are the Automation Builder (to build automation flows), ancillary tools for manipulating and transforming data (the Tools), the Solution Builder (to build integration templates), the App Integrator (to build custom apps, APIs, and webhooks), the Partner Dashboard (to monitor usage insights and manage integrations), and the embeddable iFrame (the customer-facing UI for the integrations).

Pricing Plans: The Licensor shall provide the Product on the following commercial terms (the Pricing Plans):

Per-connector pricing plans	Starter	Pro	Custom
Native integrations	+	+	+
Implementation via iFrame	+	+	+
White labeling	-	+	+
Level of iFrame customization	Light	Medium	Custom
Staging environment	Extra fee	Included	Custom
New product features	-	Medium	Custom
Webhook notifications	-	+	+
Max. number of active users	Unlimited	Unlimited	Unlimited
Max. number of active automations (workflows)	Unlimited	Unlimited	Unlimited
Max. number of integration templates (solutions)	Unlimited	Unlimited	Unlimited
Tech support SLA	Second line	Second line	Second or First line
API maintenance and updates	+	+	+
Max. API update time	5 minutes	1 minute	Custom
Custom webhooks	+	+	+
Bulk data migration	-	+	Custom
Enterprise connectors	-	+	Custom
Data residency	-	-	Custom
Managed private cloud	-	Extra fee	Custom
Free connectors included	6	16	Custom
Max. number of active connectors	10	Unlimited	Unlimited
Development of custom connectors per month	-	2	Custom
Integration engineer hours per month (inc. custom connectors)	5	30	Custom
Project hours per month	5	25	Custom
Monthly transactions included	900,000	5,000,000	Custom
Price per 1000 additional transactions	$1.00	$0.30*	Custom
Fixed monthly fee (Fixed Fee)	$1,500	$3,500	Custom
Per-connector monthly fee (Variable Fee)	$80 (flat)	from $20 to $50 (tiered)	Custom

Variable Fee – Tiered Pricing Structure

On the Pro plan, the per-connector monthly fee (“Variable Fee”) is subject to tiered pricing based on the number of Payable Connectors. The unit price per connector decreases as the number of Payable Connectors increases, according to the table below. Payable Connectors are defined as enabled connectors in a given billing period, excluding any free connectors included in the plan. The applicable Variable Fee is calculated by multiplying the number of Payable Connectors by the corresponding per-connector rate within the applicable tier.

Tier	Payable connectors from	Payable connectors to	Price per connector
1	1	15	$50,00
2	16	30	$40,00
3	31	50	$35,00
4	51	70	$30,00
5	71	100	$28,00
6	101	130	$26,00
7	131	160	$24,00
8	161	200	$22,00
9	201	—	$20,00

Per-user pricing plans	Starter	Pro	Custom
Native integrations	+	+	+
Implementation via iFrame	+	+	+
White labeling	-	+	+
Level of iFrame customization	Light	Medium	Custom
Staging environment	Extra fee	Included	Custom
New product features	-	Medium	Custom
Webhook notifications	-	+	+
Max. number of active users	Unlimited	Unlimited	Unlimited
Max. number of active automations (workflows)	Unlimited	Unlimited	Unlimited
Max. number of integration templates (solutions)	Unlimited	Unlimited	Unlimited
Tech support SLA	Second line	Second line	Custom
API maintenance and updates	+	+	+
Max. API update time	5 minutes	1 minute	Custom
Custom webhooks	+	+	+
Bulk data migration	-	+	Custom
Enterprise connectors	-	+	Custom
Data residency	-	-	Custom
Managed private cloud	-	Extra fee	Custom
Free users included	-	100	Custom
Free connectors included	Unlimited	Unlimited	Custom
Max. number of active connectors	Unlimited	Unlimited	Unlimited
Development of custom connectors per month	-	2	Custom
Integration engineer hours per month (inc. custom connectors)	5	30	Custom
Project hours per month	5	25	Custom
Monthly transactions included	900,000	5,000,000	Custom
Price per 1000 additional transactions	$1,00	$0.30*	Custom
Fixed monthly fee (Fixed Fee)	$1,500	$3,500	Custom
Per-user monthly fee (Variable Fee)	$8 (flat)	from $2 to $5 (tiered)	Custom

Variable Fee – Tiered Pricing Structure

On the Pro plan, the per-user monthly fee (“Variable Fee”) is subject to tiered pricing based on the number of Payable Users. The unit price per user decreases as the number of Payable Users increases, according to the table below. Payable Users are defined as active users in a given billing period, excluding any free users included in the plan. The applicable Variable Fee is calculated by multiplying the number of Payable Users by the corresponding per-user rate within the applicable tier.

Tier	Payable users from	Payable users to	Price per user
1	1	100	$5,00
2	101	200	$4,00
3	201	300	$3,00
4	301	500	$2,80
5	501	700	$2,60
6	701	1.000	$2,40
7	1.001	1.500	$2,20
8	1.501	2.000	$2,10
9	2.001	—	$2,00

Proof of Concept	POC
Implementation via iFrame	+
White labeling	-
Level of iFrame customization	Default iFrame without branding
Max. number of active automations (workflows)	Up to 4
Max. number of integration templates (solutions)	Up to 2
Custom webhooks	+
Bulk data migration	+
Number of connectors included	Up to 3 including the Licensee application
Max. number of active users	20
Integration engineer hours per month	5
Dedicated Project team hours per month	5
Inclusive monthly transactions	100,000
Fixed monthly fee (Fixed Fee)	Custom

1. The Parties agree to work under the MSA and the terms indicated in the Quote.

2. The Licensor’s monthly remuneration shall consist of fixed and variable fees:

2.1. The Fixed Fee shall be permanent and shall include:

2.1.1. Granting the Licensee the right to use the Product as stated in the Subject matter of this Agreement.

2.1.2. Inclusive monthly transactions (a transaction means a single successful data transmission from one cloud application to another made possible through the Product). The monthly transaction limit is set in aggregate for all the implemented connectors used by the Licensee in a particular month.

2.1.3. Development of new connectors upon the Licensee’s request as stated in the pricing plans.

2.1.4. Development hours of the Licensor’s integration engineers required to scale and enhance the Product functionality, including adding new triggers, actions, webhooks, data points, integration scenarios, solution templates, etc., as stated in the pricing plans.

2.2. The Fixed Fee for the first and last month of the term shall be calculated proportionally to the actual number of days when the Licensee used the Product during the calendar month.

2.3. The Variable Fee shall include:

2.3.1. Project team hours, including a dedicated account manager and a project manager.

2.3.2. Dedicated technical support provided by the Licensor to the Licensee and its customers.

2.3.3. Deployment of new integration templates (solutions) as stated in the pricing plans.

2.3.4. Additional monthly transactions used up by the Licensee and not included in the Fixed Fee.

2.4. The Variable Fee shall consist of:

2.4.1. Monthly fee for implemented connectors or active users. A connector shall be deemed “implemented” if it has been accepted by the Licensee and deployed to the Licensee's iFrame. The Licensor will only charge the Licensee for the Licensee's active users who have set up at least one connector and used at least one transaction in the payable calendar month after a 14-day trial. The trial starts when the Licensee's user is created and registered on Albato via the corresponding Albato API method "Add user." The Licensee won't be charged for users who didn't use any transactions outside of the trial period in the first month after registration, or didn't use any transactions in any given month. At the beginning of each calendar month, the Licensor reevaluates the number of the Licensee's active (billable) users from the previous calendar month.

The Licensee can choose how to register their users on the Licensor's platform, either as individual users or as organizations (tenants). The Licensee's users registered under an organization ID will be treated as a single billable entity by the Licensor, regardless of the number of sub-users (e.g., company employees). In this case, all sub-users under the organization will share the same Albato iFrame, set of integrations, integration history, and transaction limit.

2.4.2. Monthly fee for transaction overages outside of the monthly transaction limit included in the Fixed Fee. Transactions are calculated on a 1,000-package basis, i.e., any number of transactions up to 1,000 shall be regarded and paid for as one 1,000-transaction package.

A Transaction refers to any successfully executed action within an integration where Albato creates, transforms, or updates data—for example, creating a contact, updating a deal, routing a ticket, or sending a message. Each such completed action is counted as one Transaction. For clarity, the Licensor does not charge for API listening or incoming webhooks. All inbound API calls (i.e., triggers) are free of charge and do not count toward the Licensee's transaction limit.

2.4.3. Transaction Overages and Fair Use Policy

The Licensor offers one of the lowest overage rates in the industry, calculated strictly at cost based on actual fees paid to the server provider (e.g., Amazon Web Services).

A Fair Use Policy applies to the Pro and Enterprise (Custom) plans. While the technical monthly transaction limit is 5 million, the Licensor will not automatically charge overage fees to the Licensee if this limit is exceeded. However, if usage consistently or repeatedly spikes above a reasonable threshold (e.g., more than 50% over the contract limit)—whether in two consecutive months or through frequent irregular peaks within a year—the Licensor reserves the right to initiate a pricing review and discuss necessary adjustments to the plan.

2.5. The Licensee has the right to purchase additional transaction packages from the Licensor at any time, for the following fees:

Number of transactions	Price per 1,000 transactions	Package price
500,000	$0.50	$250
1,000,000	$0.40	$400
3,000,000	$0.35	$1,050
5,000,000	$0.30	$1,500

2.6. The Variable Fee hereunder shall be the aggregate of variable fees for all the implemented connectors used by the Licensee or active users. The variable fee shall be calculated based on the number of implemented connectors used by the Licensee, excluding the Licensee application, or the number of active users (the Licensee’s customers).

2.7. The Fixed Fee is a subscription plan. The Licensee is not entitled to request any refund or transfer of the unused service volumes from the current month to any following month.

2.8. Transaction packages are valid until fully used up, irrespective of the time it takes.

2.9. The Licensee is only allowed to switch between per-user and per-connector pricing plans once during the first six months after the Launch date (Clause 7.9.)

2.10. The Licensor will calculate the variable fees and include them in the monthly invoices to be paid by the Licensee, based on the number of the Licensee's active users on the last day of the payable calendar month or the number of implemented connectors.

3. Once every twelve (12) months, the Licensor may unilaterally increase the Fixed Fee and the Variable Fee by up to 10% against those in effect by issuing an invoice for the increased amount. If the Licensor intends to change fees, it shall give the Licensee a 30-day notice before the effective date of the new fees.

4.In case of the need to change the pricing plan, the Licensee shall notify the Licensor by the agreed means of communication no later than fifteen (15) days before the end of the calendar month. The pricing plan is considered changed when the parties sign a new quote reflecting the changes.

5.If the Licensee reaches the limit on the number of active users under any of the Per-user pricing plans, their current plan will be upgraded to a higher plan according to the table in the Pricing plans section, starting the next calendar month.

6. Additional explanations and definitions of the terms of use of the Product and SLA:

6.1. Implementation via iFrame: The Licensor will deploy integrations to the Licensee's product via an iFrame. The Licensor will use the Licensee's brand’s key visuals (e.g., fonts, colors, etc.) to make it more native and seamless to the Licensee's users. This model is the fastest to implement and the easiest to manage for both sides. It will also require the least effort from the Licensee's team to be implemented.

6.2. Implementation via API: This implementation type is also called "headless" deployment. The Licensor will build the backend and ready-to-use API components for all integrations. The Licensee will then connect them to their product's interface and build out a custom UI for the integrations. Although this approach provides the most native UX for the Licensee's end users, it will require a weighty effort from the Licensee's designers, frontend developers, etc.

6.3. iFrame customization SLA:

6.3.1. Basic customization includes light changes to iFrame colors to match the Licensee's UI palette.

6.3.2. Medium customization includes changes to iFrame fonts, colors, and copy (page headers, button and link names, etc.).

6.3.3. Premium customization includes everything from Medium plus significant changes to the UI elements, as well as the possibility of rearranging the existing ones, including based on the Licensee's Figma project. The Licensee can also request new languages to be introduced to the iFrame.

6.4. Technical support SLA:

6.4.1. Second line of support means that the Licensor's tech support agents will interact with the Licensee's employees (not directly with the Licensee’s customers).

6.4.2. First line of support means that the Licensor's tech support agents will interact with Licensee’s customers directly.

6.5. White-labeling service means that the Licensor shall replace the Albato logo with the Licensee's brand on oAuth pages (where technically feasible), so that the Licensee’s customers won’t see any presence of the Licensor’s brand while using integrations. The process may take a few weeks or months, as the Licensee will first need to create an authentication app for each connector they use. These apps are then reviewed by the respective third-party platforms (for example, a Shopify auth app must be reviewed by Shopify). Once approved, the Licensor will replace the Albato logo with the Licensee's brand at the connector oAuth step and redirect the authentication flow to the Licensee's app. For a faster time to market, the Licensee can also use the Licensor's gray-label auth app, Integration Hub.

6.5.1. A non-white-label version of the iFrame will include the "Powered by Albato" credit in its footer and the Albato logo on oAuth pages.

6.6. The Licensor shall deliver custom connectors upon the Licensee’s request in line with the Pricing Plans (Development of custom connectors per month). A custom connector stands for integration with a third-party system not listed in the Albato app library at a time when the Licensee requests it. The Licensor will ensure that delivered custom connector are fully functional, error-free and work in accordance with the Licensee’s technical requirements and industry quality standards.

6.6.1. The Licensor is technically capable of developing a custom connector for a third-party cloud application as long as it has accessible endpoints (API or webhooks) along with documentation. The API of a third-party application must include all essential endpoints, objects, fields, authentication methods, and other components required for the Licensor to integrate it with the Albato API and develop the specific integration use cases, triggers, and actions requested by the Licensee. The Licensor shall provide the Licensee with the agreed number of custom connectors during setup, as outlined in the SLA (Clause 6.13.), and each month following the setup phase, as outlined in the Pricing Plans at the beginning of this Agreement. Nevertheless, for connectors of exceptional complexity with non-standard APIs or intricate logic (e.g., applications from Microsoft, Oracle, SAP, or certain Google tools such as Google Workspace), the delivery time may extend beyond the typical monthly timeframe. Additionally, unforeseen external factors such as prolonged moderation on the third-party side and challenges in obtaining the necessary access to third-party APIs or test accounts may further delay the ETAs. (edited)

6.6.2. By default, a requested custom app should be compatible with the Albato App Integrator service to be built in a no-code way. Otherwise, the Licensor will need to hard-code a custom app for the Licensee which will require custom backend development and extra man-hours from the Licensor's engineers and software developers. For such requests, the Licensor may be incapable of delivering the number of custom connectors in line with the monthly SLAs.

6.6.3. The Licensor has the right to decline a Licensee's request for a custom app if, after a thorough evaluation by the Licensor, its development is considered unfeasible or requiring an unreasonable amount of resource.

6.6.4. The development of each custom connector includes 10 man-hours, free of charge, of the Licensor's team involved in its delivery. The Licensor will charge the Licensee for extra man-hours at a rate of $80/ man-hour. In this scenario, the Licensor will provide the Licensee with a detailed calculation of extra charges.

6.6.5. If the development of a custom connector requires paid access, licensing, or a subscription to the third-party system (e.g., API access, developer account, sandbox, or production environment), the Licensee shall be responsible for covering all such costs directly, or reimbursing the Licensor by including these costs in the Licensor’s invoices.

6.6.6. Project hours stand for man-hours of the Licensor’s project managers who utilize Albato tools such as the Solution Builder, Automation Builder, and Embedded Partner Dashboard to build, test, and deliver integration templates (Solutions) for the Licensee, as well as to coordinate project scope, timelines, and delivery between the Licensee and the Licensor’s engineering teams. The Licensor will charge the Licensee for extra project hours at a rate of $80/ man-hour. In this scenario, the Licensor will provide the Licensee with a detailed calculation of extra charges.

6.7. Integration engineer hours stand for man-hours of the Licensor’s integration engineers who utilize the Albato App Integrator to add new connectors to the Albato API or enhance the functionality of existing ones including the Licensee's application (connector), as well as adding new API endpoints and webhooks (triggers and actions) and other custom product features (New Product Features), and iFrame customization.

6.8. Enterprise connectors include MySQL, PostgreSQL, Google BiqQuery, Google Workspace, PayPal, DocuSign, WhatsApp Business, Greenhouse, Bamboo HR, Workday, QuickBooks, Xero, Facebook, Instagram, all Microsoft, SAP, AWS, and Oracle connectors. The list is not limited to these applications and will continue to expand with the new enterprise-grade systems.

6.9. Data residency means that the Licensor will deploy additional cloud servers to keep the data of the Licensee's customers in a specific geographical location.

6.10. Managed private cloud means that the Licensor will deploy additional AWS cloud to host the Licensee's connectors and customer data that will ensure:

• Enhanced security and control: Access rights will be managed individually for the Licensee's cloud, independent of platform-wide rules.
• Enhanced processing speed: The Licensee's environment will operate separately, ensuring consistent performance without interference from other customers.
• Isolated tenancy: The Licensee's customers' data will be stored and processed in a dedicated AWS instance, fully isolated from other Licensor's users.
• Flexible regional choice: The Licensor can deploy multiple AWS regions that suit Licensee's needs, ensuring regional compliance, lower latency, and better global coverage.

6.11. New product features means enhancements to the Licensor's core product.

Medium: The Licensee may request minor product improvements, like adding a new API method not currently offered by the Licensor. Developing these features should take the Licensor no more than two sprints. Premium: The Licensee can request significant changes to the Licensor's existing product modules, e.g., introducing more detailed error logs or adding new data transformation tools.

The Licensor has the right to decline a Licensee's request for a product feature if, after a thorough evaluation by the Licensor, its development is considered unfeasible or requires an unreasonable amount of resources.

6.12. Webhook notifications means automated alerts with information about integration errors and transaction limits of the Licensee's end users, which the Licensor can send to the Licensee.

6.13. The detailed SLAs for each pricing plan are outlined in the table below:

	Starter	Pro	Custom
Set-up and onboarding
API design support	Extra fee	Included	Included
Help with filling out a technical brief and initial requirements	+	+	+
Implementation time frame	Up to 2 months	Up to 4 months	Custom
Custom connectors built by Albato	Self-service	Up to 2	Custom
Solutions built by Albato	Self-service	Up to 2	Custom
Team hours included	20	60	Custom
Cadence calls with your project team	Weekly	Weekly	Custom
Onboarding and learning materials	+	+	+
Ongoing project management
Solutions built by Albato	Self-service	Up to 3 per month	Custom
Custom connectors built by Albato	Self-service	Up to 2 per month	Custom
Proactive monitoring and troubleshooting of integration errors	Self-service	Included	Included
Project hours/ month	5 in the first 2 months	25	Custom
Integration engineer hours/ month	5	30	Custom
Ongoing customer success
Tech support first response time	Up to 1 business day	Up to 8 hours	Custom
Submission of technical issues, questions and feature requests	Via support	"Via support + Project manager"	"Via support + Project manager"
Cadence calls with your CS team	1 call / month	4 calls / month	Custom
Communication via	Email only	Email or Slack	Email, Slack or your channel (e.g., MS Teams)
Weekly reports with valuable insights and recommendations	—	Included	Included
CS team hours/ month	5	20	Custom

6.14. A dedicated project manager is available on the Pro and Custom plans during the whole course of the project. With the Starter plan, a dedicated project manager is available during the first two months after project kick-off. After that, the Licensee will submit all requests to the Licensor's support.

6.15. Tech support response times vary depending on an issue's severity level. Please refer to the Albato Support Agreement below for specific response times within each pricing plan.

6.16. The Licensor has the right, at its sole discretion, to unilaterally make changes to the core software product of Albato, including but not limited to the iFrame of the Licensee. In this case, the Licensor will notify the Licensee no later than two calendar weeks in advance of upcoming changes if they clearly affect the appearance or operation of the Albato integrations on the Licensee's end. Such changes must not result in a reduction or decrease in the Product's functionality and the scope of services outlined in this agreement.

6.17. In pursuance of achieving the desired product fit and further full-scale collaboration, the Parties may choose to engage in a Proof of Concept (POC) aimed to determine whether the Product meets the Licensee’s requirements. This POC encompasses a series of collaborative steps to ensure a successful outcome:

POC Success Criteria: The Licensor and the Licensee will collaborate closely to establish precise success criteria, setting the stage for a successful POC journey.

POC Timeframe: The POC usually lasts for 1 or 2 months, but the Parties can agree to extend it at any time if necessary.

POC Price: The ultimate price may fluctuate depending on the complexity and scale of integration scenarios that the Licensee may request. The Licensor will assess the POC's scope and the amount of work required from the Licensor's team, and will then present the Licensee with the final price for their approval.

Technical Documentation: The Licensee will provide technical documentation with a clear and exhaustive description of the API endpoints and/or webhooks for the Licensee's SaaS application.

Connector Development: The Licensor will develop a bespoke connector for the Licensee's application with up to 3 triggers and 3 actions of the Licensee’s choice.

Application Selection: The Licensee will select up to 2 existing connectors with the existing triggers and/or actions from the Albato App Library https://albato.com/apps.

Workflow Integration: The Licensor will set up data workflows (integrations) with the Licensee’s application and the chosen third-party systems.

Embeddable iFrame: The Licensor will deliver a ready-to-use, embeddable iFrame, allowing the Licensee to effortlessly integrate the created workflows into their staging or production environment. The iFrame will have the Albato default styling without any additional branding or white-labeling.

User Experience Testing: The Licensee will embed the iFrame into either the staging or production environment of their application, and assess the iFrame's UX/UI through internal testing, or by opening it to their customers.

Data Flow Testing: Albato and the Licensee will join forces to rigorously test the integrations, ensuring flawless data synchronization and alignment with the Licensee's requirements and established success criteria.

Outcome Evaluation: The Licensee will relay the POC results to Albato, offering insights into which success criteria were met, as well as any that require further attention.

Implementation

7. The Licensor’s implementation services shall include the following scope of work:

7.1. The Parties shall agree on detailed technical requirements for the Connectors and their functionality, including the list of Connectors, triggers, actions, data flows, integration scenarios (use cases), implementation timelines, and costs. The agreements shall be made via email or other electronic means of communication.

7.2. The Licensor shall develop API methods for the Connectors, including triggers, actions, data points, webhooks, authentication methods, and other functions needed to create and deliver the Connectors with the integration scenarios as per the Licensee’s requirements.

7.3. The Licensor shall implement the Connectors via iFrame or API. The Parties shall agree on the iFrame interface design and mockup via email or other means of communication. The Licensor shall build and customize the iFrame in accordance with the design mockup the Parties agreed upon.

7.4. The Licensor shall create integration templates (Solutions) for the requested Connectors.

7.5. The Licensor shall set up test users and perform test operations for the developed triggers and actions, including exchanging data between the Licensee’s Software and third-party cloud applications through the Product, to ensure that the Connectors are error-free and work in accordance with the Licensee’s technical requirements and industry quality standards.

7.6. The Licensee shall provide the Licensor with a test environment and access to the Licensee’s test accounts with all necessary access levels and rights to make possible full testing of each Connector and deployment to the Licensee environment.

7.7. The day following the receipt of the upfront payment for the subscription under the Quote shall be considered the starting date for the implementation.

7.8. Upon completion of the implementation services, the Licensor shall send a confirmation of implementation letter to the Licensee via email or other electronic means. The services rendered shall be deemed accepted by the Licensee and the Connectors shall be deemed implemented after (i) receipt of a confirmation letter (email) from the Licensee on the date of receipt of reply from the Licensee, or (ii) in case the Licensee does not reply and at the same time does not send any additional requests or complaints in regard to the implementation within five (5) business days from the day of receipt of the confirmation of implementation letter from the Licensor — i.e., on the 6th business day after confirmation of implementation was sent by the the Licensor.

7.9. The Launch date is the day when the Licensor commences rendering services under the Quote and the MSA and is defined as the next business day after the upfront payment is received.

7.10. The default implementation scope shall include the number of man-hours per month for the services of the Albato integration engineers and project team, according to the SLA table in clause 6.13.

7.11. The Licensor shall implement the Product to the extent limited to the core capabilities and features of the Albato platform (Core Product) available on the date of the signing of the Quote, including the connectors listed in the Albato app library, built-in capabilities of the Albato App Integrator, iFrame, Solution Builder, and other tools that are inherent to the Albato platform. If the Licensee requests to implement extra features or functionality that fall outside of the Core Product and that, in turn, would require the Licensor to execute custom development to make significant changes to the Product front or backend, the Licensor shall charge the Licensee $80 per hour for the custom development. The same hourly rate will be charged if the implementation scope exceeds the amount of the inclusive implementation hours outlined in the SLA table in Clause 6.13.

Payments

8. Monthly remuneration shall be paid to the Licensor as follows:

8.1. The Licensee shall pay the Fixed Fee on or before the 10th day of the current payable month.

8.2. The Licensee shall pay the Variable Fee on or before the 10th day following the end of the payable month. To determine the Variable Fee, the Licensor shall issue an invoice to the Licensee on or before the 5th day of the month following the payable month. The Licensee shall check whether the invoice is accurate within five (5) days of receipt and then settle the invoice or ask the Licensee for additional information to check whether the calculations are correct.

9. The Licensee shall be deemed to have fulfilled its payment obligations as soon as the funds are credited to the Licensor's bank account.

10. Whenever the Licensee fails to pay the Licensor's invoices by the due date (Clause 8.2.), the Licensor has the right to immediately charge a late payment fee in the amount of up to 50% of the outstanding invoice(s) and also to recover 10% of the amount in annual arrears, to be counted daily, as liquidated damages. Liquidated damages will not be recovered unless there is a written letter of claim lodged by the Licensor.

Term, Renewal and Termination

11. The term of this Agreement shall commence on the date of the signing of the Quote (“Effective Date”) and shall continue in full force and effect as described by this Agreement for a period of 12 (twelve) months or for the period specified in the Quote.

12.1. This Agreement shall be automatically renewed on a yearly basis unless either party terminates it with written notice 30 days prior to the end of the twelve (12) month term.

12.2. Should the Licensee terminate the Agreement for any reason, the Licensee shall not be entitled to any refunds of any amounts paid for the services rendered up to the termination date.

12.3. Any fees accrued or invoiced prior to the termination date shall remain payable in full by the Licensee.

12.4. Termination shall not limit the Licensor’s right to pursue any other remedies available under this Agreement or applicable law.

12.5. If the Licensee fails to pay the outstanding invoice(s) for more than 30 (thirty) calendar days, the Licensor may terminate the Agreement early and suspend any ongoing services, including immediately blocking access to the Product, by sending an email notice to the Licensee at least 5 (five) business days prior.

Warranties

13. Each Party represents and warrants to the other the following:

13.1. It has the full corporate right and authority to enter into this Agreement and to perform the acts required of it hereunder.

13.2. The execution of this Agreement by such Party and the performance by such Party of its obligations and duties hereunder do not and shall not violate any other Agreement to which such Party is a Party or by which it is otherwise bound.

13.3. When executed and delivered by such Party, this Agreement shall constitute the legal, valid, and binding obligation of such Party, enforceable against such Party according to its terms.

13.4. Such Party acknowledges that the other Party makes no representations, warranties, or Agreements related to the subject matter hereof that are not expressly specified in this Agreement.

Additional Provisions

14. Force Majeure. If performance of this Agreement or any other obligation under this Agreement is prevented, restricted, or interfered with by causes beyond either Party's reasonable control, and if the Party unable to carry out their obligations gives the other Party prompt written notice of the circumstances, then the obligations of the Party invoking this provision shall be suspended to the event necessary by such circumstances.

14.1. The term "Force Majeure" shall include, but is not limited to, acts of God, fire, explosion, vandalism, flood, storm, illness, injury, earthquake, general unavailability of essential materials, orders of military or civil authority, national emergencies, riots, strikes, lock-outs, work stoppages, or other labor disputes or supplier failures.

14.2. The Party excused by such events shall use all reasonable efforts under the circumstances to avoid or remove such causes of non-performance and shall proceed to perform with reasonable dispatch whenever such causes are removed or ceased.

14.3. An act or omission shall be deemed within the reasonable control of a Party if committed, omitted, or caused by such Party, or its employees, officers, agents, subsidiaries, or affiliates.

15. Notices. All notices that either Party is required or may desire to serve upon the other Party shall be in e-writing and addressed to the Party to be served at the respective email addresses agreed by the Parties and shall be sent via email.

16. Entire Agreement. This Agreement contains the entire Agreement of the parties regarding the subject matter of this Agreement, and there are no other promises or conditions in any other Agreement, whether oral or written.

17. Waiver of Contractual Rights. The failure of either Party to enforce any provision of this Agreement shall not be construed as a waiver or limitation of that Party's right to subsequently enforce and compel strict compliance with every provision of this Agreement.

18. Headings. The section and paragraph headings appearing in this Agreement are inserted only as a matter of convenience and in no way define, govern, limit, modify, or construe the scope or extent of the provisions of this Agreement to which they may be related. Such headings are not part of this Agreement and shall not be given any legal effect.

19. Amendments. The Licensor may revise this Agreement from time to time by posting a modified version of the Agreement including its effective date. If the Licensor makes material changes to the Agreement, the Licensor will provide the Licensee with reasonable notice prior to the new Agreement taking effect. By continuing to access or use the Product after the posting of any modified Agreement, the Licensee agrees to be bound by such modified Agreement.

20. Severability. If any provision of this Agreement shall be held to be valid or unenforceable for any reason, the remaining provisions shall continue to be valid and enforceable. If a court finds that any provision of this Agreement is invalid or unenforceable, but that by limiting such provision it would become valid and enforceable, then such provision shall be deemed to be written, construed, and enforced as so limited.

21. Assignment. Assignment of the Agreement or any right thereunder is prohibited, unless approved by the other Party in writing in advance.

22. This Agreement shall be governed by Cyprus laws[4], and all disputes shall be resolved through negotiations. In case of the failure to resolve disputes and disagreements through negotiations, the dispute shall be referred to the Cyprus courts[4]. The Licensor's liability hereunder shall be limited to the amount of the fee paid by the Licensee for the first billing period, except that nothing shall limit liability for a breach that caused death or personal injury. This Agreement is legally binding upon the Parties. This Agreement shall supersede all previous negations, agreements and correspondence between the Parties in regard to its subject matter.

23. If the Licensee finds the Licensor’s Product and services satisfactory and meeting the Licensee’s expectations, the Licensee will agree to collaborate with the Licensor in the creation of a comprehensive case study, outlining the tangible business value derived from the Product on the Licensee’s side, showcasing the Licensee’s specific achievements and benefits. This collaboration includes providing essential feedback from the Licensee’s customers as well as specific data points, such as acceleration of integration delivery time; increase in adoption, retention, LTV, or average ticket; reduction in engineering and development costs related to integration development and maintenance; improvements in the customer acquisition cost and sales cycle length; increase in the number of integrations and active integration users (the Licensee’s customers); and other convincing business metrics and results made possible through the implementation of the Product. The resulting case study will be utilized internally (e.g., published on the the Licensor's blog https://albato.com/blog/all) by the Licensor and shared with the Licensor’s customers on an individual basis as social proof. The Licensor commits to not publicly announcing or publishing the study on any media other than the Licensor’s own resources without obtaining explicit consent from the Licensee.The case study can be made in the format of an article (e.g., https://albato.com/blog/publications/maestra-case) or an interview (https://albato.com/blog/publications/interview-maestra) depending on which format the Parties find the most suitable.

ALBATO SUPPORT AGREEMENT

The Licensor will provide support for its platform and product features to the Licensee in accordance with the severity of the issue. The table below provides a summary of the different severity levels.

Severity Level	Definition	Environment	Issue Example
Severity 1	Major service disruption to the Licensor’s platform running in the production environment. No workaround exists. Issues significantly impacting the performance and functionality of the Software Product, causing severe disruption to the Licensee’s use of the Software Product. Affects all or the majority of the Licensee’s users (customers).	Production	The iFrame is down. All Licensee’s users are unable to access the integration UI.
Severity 2	Key functionality impaired. A temporary workaround is available. Issues significantly impacting the performance and functionality of one or more of the key modules of the Software Product, causing significant disruption to the Licensee’s use of the Software Product. Affects all or the majority of the Licensee’s users (customers).	Production	One of the key connectors with a high transaction volume stopped transferring data. Several large users (Licensee’s customers) are affected.
Severity 3	Moderate impact. A reasonable workaround is available. Issues impacting the performance and functionality of one of the modules of the Software Product, causing some degradation in the Licensee’s use of the Software Product.	Production, Staging	One of the connectors is failing to sync some additional, non-mandatory fields. Key fields are still being transferred normally.
Severity 4	Minor impact. Issues are minor, cosmetic, or usability-related, or involve general product feature requests. The core functionality of the Software Product and data transfer remain unaffected.	Production, Staging	Some steps in the automation log aren’t displayed correctly.

(a) Severity Designation:

The Licensor’s support team will assess the severity of the Licensee’s reported issues, and each issue will be assigned a severity level as set forth in the table above. The Licensee must provide full details of the issue including the steps necessary to enable the Licensor to reproduce the issue.

(b) Response Time:

Upon receipt of a support request, the Licensor will investigate the issue and provide the Licensee with a response to each incident in accordance with the applicable Licensor's Support service plan as set forth in the table below.

Pricing Plan	Support Hours	Severity 1	Severity 2	Severity 3	Severity 4
Starter	3:00 am to 6:00 pm EST during Business Hours (Mon-Fri)	4 Business Hours	8 Business Hours	1 Business Day	1 Business Day
Pro	3:00 am to 6:00 pm EST during Business Hours (Mon-Fri)	2 Business Hours	4 Business Hours	8 Business Hours	1 Business Day
Custom (Enterprise)	Support during holidays and weekends is possible. The response hours outlined in the table for the Custom plan are provisional and subject to individual agreement with the Licensee.	1 Business Hour	2 Business Hours	4 Business Hours	8 Business Hours

(c) Support Process.

Support will be provided during the Support Hours via the Licensor Support Portal for troubleshooting, issue determination, and resolution (including instructions for a workaround where necessary). To receive Support, the Licensee will (i) cooperate with the Licensor as required; (ii) provide the Licensor with all necessary information and resources for the Licensor to investigate or replicate the Issue; and (iii) promptly implement the corrective procedures, updates, or workarounds provided by the Licensor. The Licensor shall not be responsible for any disruptions to or failures of the Software Product to the extent caused by the Licensee’s failure to timely provide or implement the foregoing.

VERSION[4] Text of the Agreement dated January 22, 2025

---

[1] The Albato cloud-based integration platform “Albato Embedded” developed and owned by the Licensor, designed to be incorporated in the Licensee’s product and exchange data between cloud applications

[2] A dynamic HTML page that is embedded inside the Licensee’s Application, allowing the inclusion of dynamic content from external sources

[3] The relevance and version of the Agreement are determined by the moment of signing the Agreement with an e-signature and payment for the Services.

[4] Unless stated otherwise in another document which the Parties agree takes precedence over this Agreement.

Appendix 1 to the Albato Licensing Agreement

DATA PROCESSING AGREEMENT (CONTROLLER TO PROCESSOR)

This Data Processing Agreement (“DPA“) forms part of the Licensing Agreement (“License Agreement“) between you ("you", "Customer" or "your") and Albato Limited, Cyprus, HE 420916 ("Provider," “Processor”, "we," or "us"), together the “Parties” and individually a “Party”.

This Agreement governs legal terms for processing by the Provider of the personal data you may need to process by using Albato Services.

On request of a data subject or other person entitled to receive relevant information, a Party shall make a copy of this DPA, including the Schedules as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, a Party may redact part of the text of the DPA (including any Schedule) prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

WHEREAS

(A) The Customer acts as Controller, who determines the purposes and means of the processing of personal data;

(B) The Provider acts as Processor which processes personal data on behalf of the Controller (provided that nothing shall limit the Processor’s right to act as processor for other controllers, being Processor’s customer’s or not, and act as controller in relations with any third parties);

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and wish to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and to the maximum extent to other Data Protection Legislation;

(D) The DPA apply to the processing of personal data as specified in Schedule 1 thereto;

(E) Schedules to the DPA form an integral part of this DPA;

(F) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1. Terms and expressions defined in the Licensee Agreement shall have the meaning assigned to them in the said Agreement;

1.1.2. “DPA” means this Data Processing Agreement and all Schedules; 1.1.3. “Controller Personal Data” means any Personal Data processed by the Processor on behalf of the Controller pursuant to or in connection with the License Agreement; 1.1.4. “EEA” means the European Economic Area; 1.1.5. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; 1.1.6. “GDPR” means EU General Data Protection Regulation 2016/679; 1.1.7. “Data Transfer” means: 1.1.7.1. a transfer of the Controller Personal Data from the Controller to the Processor; or 1.1.7.2. an onward transfer of the Controller Personal Data from the Processor to a Subcontractor, or between two establishments of the Processor, in each case, where such transfer would not be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws); 1.1.8. “Services” means subscription services provided by the Provider to the Customer under the License agreement consisting in web-based, application integration and data linking service. 1.1.9. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the License Agreement.

1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Sensitive Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. INTENTIONALLY OMITTED.

3. PROCESSING OF CONTROLLER PERSONAL DATA. SAFEGUARDS

3.1 Processor shall: 3.1.1. comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and 3.1.2. not Process Controller Personal Data other than on the relevant Controller’s documented instructions. Without limiting other means of giving instructions Controller hereby instructs Processor to process, during the term of this DPA, personal data in accordance with automated instructions made by the Controller via Processor’s Service connected to Processor’s Software product in accordance with the License Agreement. Any instructions via the said Services/Software shall be deemed to be provided by the Controller; and the Controller agrees and acknowledges that the Controller, not the Processor, is responsible for choice of any Services/Software functionality and its implementation under the License Agreement, and you shall use Service/Software functionality with due care and using reasonably secure mechanisms and your internal systems and software decisions; and

3.1.3. process Controller Personal Data within the list (but not obligatory each time all the listed data) stated in Schedule 1 hereto. The Controller warrants that the Controller Personal Data to be processed by the Processor hereunder shall not include any Sensitive Data. In case Controller needs to process any Sensitive Data then the Parties shall expressly agree to do so (providing that the Processor may but shall not be obliged to agree to process such data), including express agreement on the applied restrictions or safeguards, t-hat fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed special training), keeping a record of access to the data, restrictions for onwards transfers or additional security measures.

3.1.4. process personal data for the list of data Subjects indicated in Schedule 1 hereto;

3.1.5. The Processor shall process the Controller Personal Data only for the specific purpose(s) of the transfer, as set out in Schedule 2 hereto unless on further instructions from the Controller; and

3.1.5. The Processor shall process/store the Controller Personal Data only for the period specified in Schedule 3 hereto, and after elapse of legal ground to keep the relevant personal data, the Processor shall erase or destroy it.

3.2. Controller guarantees and warrants that uses the Services/Software and provides to the Processor for processing the personal data only in compliance with applicable Data Protection Legislation, including without limitation, complying with all Data Subjects rights, providing all necessary notices and information to them and having all necessary consents and authorizations from the Data Subjects. The personal data to be processed by the Processor is not sold to the Processor or provided for any consideration, it is processed as part of the Services/Software functionally under the License Agreement as part of the Services.

3.3. In case the Processor has any legal or technical obstacles to process the personal data under Controller instructions, then the Processor shall inform the Controller accordingly and shall await updated instructions.

3.4. Data Transfers outside the EAA shall be made in accordance with Data Protection Legislation, list of subcontractors, adequate decisions or other agreement between the Parties.

4. PROCESSOR PERSONNEL

4.1. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the License Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. SECURITY

5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The list of major security measures is laid down in Schedule 4 thereto.

5.2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. SUBPROCESSING

6.1 The Parties agree that the Processor has Controller’s general authorization to use services of Subprocessors from the list indicated in Schedule 5 hereto. The processor may change the said list with 30 days prior written notice to the Controller. In case the Controller reasonably objects to the changes to the Subprocessors list, with provision of reasonable concerns as to the personal data security, then the sole and exclusive remedy for the Controller shall be

7. DATA SUBJECT RIGHTS

7.1 Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 Processor shall:

7.2.1. promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of the Controller Personal Data, provided that in general availability to answer the Data Subjects is vested in the Controller; and

7.2.2. ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor is subject, in which case Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before the Processor responds to the request.

8. PERSONAL DATA BREACH

8.1 Processor shall notify the Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Processor shall co-operate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

9.1 Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Legislation, in each case solely in relation to the personal data processed hereunder, and taking into account the nature of the processing and information available to, the Processor.

10. AUDIT RIGHTS

10.1 Subject to this section 10, Processor shall make available to the Controller on request all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data hereunder. Any audit and provision of the information shall be at the Controller’s own expense.

10.2 Information and audit rights of the Controller only arise under section 10.1 above to the extent that the License Agreement does not otherwise provide for the Controller’s right/possibility to receive information and audit rights meeting the relevant requirements of Data Protection Legislation.

10.3 Processor agrees to correct any security deficiencies affecting Controller’s Personal Data revealed by these audits, at its own expense, within a timeframe reasonably requested by Controller.

11. GENERAL TERMS

13.1 Confidentiality. Each Party must keep information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

11.2 Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address indicated by the Parties while entering into or performing under the License Agreement, including the DPA, or at such other address as notified from time to time by the Parties.

11.3 Each Party shall be liable to the other Party for any damages it causes the other Part by any breach of this DPA.

(a) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching this DPA. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679. (b) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of this DPA, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. (c) The Parties agree that if one Party is held liable under paragraph (b), it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage. (d) The Party may not invoke the conduct of another Party to avoid its own liability.

12. GOVERNING LAW. COMPETENT SUPERVISORY AUTHORITY

This Agreement is governed by the laws of the republic of Cyprus. Competent Supervisory Authority: Commissioner for Personal Data Protection 15, Kypranoros Street, 1061 Nicosia, P.O. Box. 23378, 1682 Nicosia Email:

SCHEDULES

Schedule 1

Categories of data subjects whose personal data is processed the data of the Controller and/or Controller’s clients

Categories of personal data processed First name, last name, company name, email, phone number, IP, cookie, other information about the lead form where the request was left and other data as may be additionally agreed by the Parties in writing, including by using Albato interface

Nature of the processing any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, namely recording, storage, adaptation or alteration, structuring, transmission (transfer), erasure or destruction, encryption, data extraction, use

Schedule 2

Purpose(s) for which the personal data is processed on behalf of the controller The personal data will be used to perform the services described in the Agreement.

Schedule 3

Duration of the processing Data processing will be for the period until the termination of the Agreement.

Schedule 4

Major security measures

• Access control policy is implemented • Employee training on data protection and information security • Monitoring the composition of hardware software and information security tools • Rules for using email and spam protection • Information security risk internal analysis is conducted annually • Information security policy is implemented • Differentiation of access rights • A registry of information assets is maintained • Inventory of information assets is carried out annually • Risk management policy • Areas of responsibility for information security are defined and distributed • Information security provisions are included in contracts with counterparties • NDAs with employees are signed • Employees have access to the training material on information security • When an employee quits, they need to complete the steps concerning infosecurity set out in the checklist • Confidentiality policy • • • Daily data backup • Log of Information security incidents • External web application scanning for vulnerabilities • An ACL is configured between VLANs • Rules are set up to filter incoming traffic; • • License Agreements are signed with counterparties • Formalized list of positions allowed to process personal data • Logins to the admin accounts are logged • The administrator can differentiate access rules for personnel • Backups of deleted data are stored for at least 1 months • Processor authorized the persons in charge of communication with Controller and provided means of communication so as to ensure that all the necessary assistance will be provided to the controller in case of necessity personal data stored on the backups; • ; • personal data is protected during transmission by Processor by using SSL/TLS when possible; • IT security is ensued by way of Code Review, which obligatory comprises code security review;

Schedule 5

1. Name: Amazon Web Services, Inc. and/or its affiliates (“AWS”)

Address: P.O. Box 81226 Seattle, WA 98108-1226 Contact person’s name, position and contact details: Data Protection Officer, email: aws-EU-privacy@amazon.com Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data storage