Data Act Addendum

This Addendum is intended to provide contractual terms relating to switching of data processing services and portability of Customer Data in accordance with Article 25 of the Data Act (as defined herein). This Addendum applies only to Services provided to customers located in the European Union that are subject to the Data Act. The Addendum will automatically apply to all customers subject to the Data Act with respect to the Services identified in their applicable Order. No separate signature or Order reference is required for this Addendum to be effective.

Unless otherwise defined herein, capitalized terms used in this Addendum have the same meaning given to them under the Agreement. In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail with respect to its subject matter. By continuing to use the Services, Customer acknowledges and agrees that it has read, understood, and accepted this Addendum, and that these terms are fair and reasonable for purposes of the Data Act.

For purposes of this Addendum, the following definitions are hereby added or modified.

"Data Act" means European Union Regulation 2023/2854.

"Destination Provider" means the provider of data processing services chosen by Customer to replace runZero as provider of the Service.

"Digital Assets" means elements in digital form, including applications, for which the Customer has the right of use, independently from the Agreement, to the extent any exist.

"Exportable Data" means the input and output data, including metadata, directly or indirectly generated, or cogenerated, by the Customer’s use of the Service, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of runZero or third parties, and Statistical Data (as defined in the Agreement) derived therefrom.

"Order" means any (i) quote or order form provided by runZero and signed by Customer; (ii) Partner purchase order accepted by runZero; or (iii) online enrollment in the Evaluation Services or Community Edition Services; and (iv) that specifies the Services to be provided under this Agreement.

"Services" means collectively, all runZero software-as-a-service, software, and any other services and all components thereof ordered by Customer from runZero in an Order, including all updates thereto.

"Switching" means the process whereby Customer changes from using the Services to using those of another data processing service of the same service type, or other service, offered by a different provider of data processing services, or to an on-premises ICT infrastructure, including through extracting, transforming and uploading the data.

For purposes of this Addendum only, the definition of "Services" in the Agreement is modified to exclude: (a) support services and (b) Evaluation Services.

3.1 Notice.Customer may notify runZero, with at least two (2) months’ written notice ("Notice Period"), of its decision to terminate the Services pursuant to Article 25 of the Data Act.

3.2 Transition Period. Following successful Switching or expiration of the Notice Period, Customer has thirty (30) days to request data retrieval ("Transition Period"), to the extent Customer has not already requested erasure of the Exportable Data and Digital Assets.

3.3 Portability. runZero shall ensure that Customer may export Exportable Data and Digital Assets (if any) in a structured, commonly used, machine-readable format, to the extent technically feasible and not conflicting with applicable law or runZero’s legitimate protections.

3.4 Export. To carry out Switching under the Data Act, Customer may access and export Exportable Data during the Subscription Term as described in runZero’s "Exporting asset data" documentation. Customer is solely responsible for completing such transfer or export, unless runZero has agreed to provide technical support subject to a separate written agreement. runZero will provide reasonable assistance to Customer (and any third parties authorized by Customer), to the extent required by the Data Act.

3.5 Exceptions. As part of Switching, runZero is not required to: (1) develop new technologies or services; or (2) compromise the security or integrity of the Services.

3.6 No Switching Charges. In accordance with the Data Act, runZero will not impose any additional fees or charges for the export or retrieval of Customer Data during the Transition Period, other than, where applicable, any reasonable costs incurred by runZero that are directly linked to providing such support, where permitted by law.

4.1 Subscription Commitments. For clarity, nothing in this Addendum waives or limits Customer’s obligation to pay all fees due under the Agreement or any Order for the full Subscription Term of such Agreement and/or Order.

4.2 Early Termination. If Customer elects to terminate the Agreement and/or any Order prior to the end of the applicable Services Subscription Term, Customer acknowledges and agrees that: (a) under no circumstances will such termination entitle Customer to a refund of any fees previously paid under the terminated Agreement and/or Order (as applicable), and (b) if applicable, Customer shall pay all remaining unpaid fees due and owed under the terminated Agreement and/or Order (as applicable), including any annual fees for multi-year Subscription Terms through the end of the last year of such Subscription Term. Such amounts are separate from and not considered "switching charges" under the Data Act.

6.1 Erasure Process. Customer must provide runZero with a written request for erasure of Exportable Data and Digital Assets. Subject to Section 9.6 (or similar terms relating to data deletion and retention) of the Agreement, runZero’s data retention policies ("Data Retention Policies"), technical feasibility, and compliance with applicable laws, runZero will erase Customer’s Exportable Data and Digital Assets (if any) generated directly by the Customer, or relating to the Customer directly.

6.2 Retention. In the event runZero must retain Customer Data as set forth in Section 6.1, (a) runZero will retain Customer Data only as long as is required under its Data Retention Policies or as legally required, and (b) during the retention period, runZero will continue to comply with the Agreement with respect to Customer Data.

7.1 Customer will: (a) take all reasonable measures to achieve effective and timely Switching, including being responsible for the import and implementation of Exportable Data and Digital Assets in Customer’s systems or the systems of the Destination Provider(s); (b) respect and treat as confidential runZero’s intellectual property rights, including trade secrets of any materials and information provided by runZero during and for the Switching Process; (c) contractually bind any third party that Customer has authorized, including the Destination Provider(s), with a provision to fulfill Customer’s obligations as described in this Addendum and allow runZero to monitor compliance with these obligations; and (d) contractually bind any third party that Customer has authorized, including the Destination Provider(s), to take all necessary measures for achieving effective Switching and timely transfer of Exportable Data and Digital Assets.

7.2 Customer agrees to act in good faith to implement reasonable instructions from runZero related to erasure or Switching and require any third party that Customer has authorized, including the Destination Provider(s), cooperates in good faith as set out in Article 27 of the Data Act. Customer is solely responsible for any act or omission of any third party Customer authorizes, including the Destination Provider(s), that affects the successful and timely erasure or Switching.