Master Services Agreement

LAST UPDATED: FEBRUARY 19, 2025


"Effective Date" means the effective date of the Order Form referencing this Agreement.

The Order Form and this MSA, Data Security Exhibit, Service Level Agreement, and Data Portability Exhibit, collectively "Exhibits", describe the terms and conditions under which Very Good Security Inc., with an address of 207 Powell St. Floor 2, San Francisco, CA 94102 ("VGS") agrees to provide Customer the services described in each Exhibit. By execution of the Order Form incorporating this Agreement, both VGS and Customer, collectively "Parties", hereby agree to be governed by the Exhibits attached hereto, unless otherwise agreed to by the parties in writing.

The Terms and Conditions, Data Security Exhibit, Service Level Agreement, Data Portability Exhibit, Order Form and any other applicable Exhibits attached hereto set forth the entire understanding of the parties with respect to the subject matter described herein and constitute the entire agreement ("Agreement") between the parties. By signing the incorporating Order Form, Customer and Very Good Security hereby agree as follows:

1. Scope

These Terms and Conditions will apply to Customer's use of Very Good Security's tokenization services, professional services, content, products and offline components ("Services") ordered by Customer pursuant to an ordering document (including this Agreement as well as any online form) specifying the Services to be provided hereunder and related payment terms and/or order form ("Order") or used in a sandbox environment pursuant to Section 2 below. These Terms and Conditions, the attached Service Level Agreement and Data Security exhibits, and all Orders (collectively referred to as this "Agreement") represent the parties' entire understanding regarding the Services and will control over any different or additional terms of any purchase order or other non-Very Good Security ordering document, and no terms included in any such purchase order or other non-Very Good Security ordering document will apply to the Services. In the event of a conflict between these Terms and Conditions and an Order, the terms of the Order will control. All capitalized terms not defined herein will have the meanings attributed in the Order.

2. Sandbox Environments

VGS provides a sandbox environment for Customer free of charge (though specific services like IP anonymization may have caps) solely for the purposes of testing. Sensitive data or critical workflows should not be utilized with this sandbox. If Customer uses the Services in a sandbox environment provided by Very Good Security, additional terms and conditions related to such sandbox environment may appear on the web page(s) for such Services. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding. NOTWITHSTANDING ANYTHING CONTAINED HEREIN, ALL SERVICES PROVIDED IN A SANDBOX ENVIRONMENT ARE PROVIDED "AS-IS" WITHOUT ANY REPRESENTATIONS, SERVICE LEVEL AGREEMENTS, WARRANTIES OR INDEMNITIES, AND VERY GOOD SECURITY WILL HAVE NO LIABILITY ARISING OUT OF CUSTOMER'S USE OF SUCH SERVICES.

3. Right to Use the Services

During the Subscription Term set forth in an Order, Very Good Security grants to Customer a nontransferable, nonexclusive, worldwide right to permit those individuals authorized by Customer or on Customer's behalf, and who are Customer's employees, agents or contractors ("Users"), to access and use the Services subject to the terms of this Agreement. Each Order may define specific usage rights ("Usage Rights"), and Customer will at all times ensure that its use does not exceed its Usage Rights.

4. Usage Restrictions and Representations

4.1 Restrictions on Customer Use

Customer will not, directly or indirectly: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or any software, documentation or data related to or provided with the Services ("Software"); (ii) modify, translate, or create derivative works based on the Services or Software; or copy (except for archival purposes), rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Services or Software; (iii) use or access the Services to build or support, and/or assist a third party in building or supporting, products or services competitive to Very Good Security; (iv) remove any proprietary notices or labels from the Services or Software; or (v) otherwise use the Services or Software outside of the scope of the rights granted in Section 3. Customer will use the Services and Software only for its own business operations, and not otherwise outside of the scope of the express rights granted herein.

4.2 Customer Usage Responsibilities

Customer will not knowingly or willfully use the Services in any manner that could damage, disable, overburden, impair or otherwise interfere with Very Good Security's provision of the Services. Customer will be responsible for maintaining the security of its equipment and account access passwords. Customer represents and warrants that Customer will use the Services only in compliance with applicable laws and regulations. Customer will be liable for all acts and omissions of its Users.

4.3 User account suspension

Very Good Security may immediately suspend Customer's password, account, and access to the Services if (i) Customer fails to make payment due within ten business days after Very Good Security has provided Customer with notice of such failure; (ii) Customer violates Section 3, 4, or 11 of these Terms and Conditions, or (iii) if it detects suspicious activity. Any suspension by Very Good Security of the Services under the preceding sentence will not relieve Customer of its payment obligations under this Agreement. Once any issues are resolved, VGS will immediately restore access. Removal of access will be limited to affected/misused accounts and will not suspend Services unless 4.3(i) is not resolved or 4.3(ii) is detected across each of Customer's accounts.

4.4 Open Source Software

Certain "free" or "open source" based software (the "FOSS Software") may be provided by Very Good Security hereunder, but is not considered part of the Software hereunder.

5. Ownership

5.1 VGS IP

Very Good Security will retain ownership of all intellectual property rights in and to the Services and Software (including all derivatives or improvements thereof). Customer grants Very Good Security the unencumbered right to use and incorporate in any of its products or services any suggestions, enhancement requests, feedback, recommendations or other input provided by Customer relating to the Services or Software. Any rights not expressly granted herein are reserved by Very Good Security.

5.2 Customer IP

Customer will retain ownership of any data or information originated by Customer that Customer submits or provides in the course of using the Services ("Customer Data"). Very Good Security has no ownership rights in or to Customer Data. Customer will be solely responsible for the accuracy, quality, content and legality of Customer Data, the means by which Customer Data is acquired and the transfer of Customer Data outside of the Very Good Security Services. Customer Data will be deemed to be Customer Confidential Information pursuant to Section 11 below. Customer represents and warrants that it has all rights necessary to provide Very Good Security with the Customer Data and to use (including to tokenize, store and de-tokenize Customer Data) and transmit such Customer Data in order to provide the Services. Customer is responsible for the security of Customer Data that is stored on Customer's website or application or based on Customer's configuration of the Services. Upon request by Customer, Very Good Security agrees to promptly delete Customer Data specified in Customer's request.

6. Billing and Payment

6.1 Payment

Customer will pay all fees set forth in this Agreement. In entering into this Agreement Customer will provide Very Good Security with information regarding Customer's payment instrument. Customer represents and warrants that such information is true and that Customer is authorized to use the payment instrument, and Customer will promptly update its account information with any changes that may occur. To the extent any amounts are to be paid in advance, Customer authorizes Very Good Security to bill Customer's payment instrument in advance in accordance with the terms of the applicable payment plan, and Customer agrees to pay any charges so incurred.

6.2 No Refunds and Cancellations

All fees are non-cancelable and nonrefundable, except as expressly specified in Section 8.2. All fees are exclusive of taxes, levies, or duties imposed by taxing authorities, and Customer will be responsible for payment of all such taxes, levies, or duties (excluding taxes based on Very Good Security's income), even if such amounts are not listed on an Order or Invoice. Customer will pay all fees in U.S. Dollars or in such other currency as agreed to in writing by the parties.

6.3 Payment Due

All amounts invoiced hereunder are due and payable as specified in the Order; if not specified therein, they are due net thirty (30) days from invoice date. Unpaid invoices that are not the subject of a written good faith dispute are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all reasonable expenses of collection.

6.4 Overages

If at any time Very Good Security determines that Customer is exceeding the Usage Rights, Very Good Security reserves the right to charge and Customer agrees to pay Very Good Security's then-current usage fees for such overage.

7. Term and Termination

7.1. Term

This Agreement will commence as of the date set forth in this Agreement (the "effective date"). Unless earlier terminated as set forth below, this agreement will remain in effect through the end of the Subscription Term in any current Order. If a subscription is purchased or any additional Order is purchased, the Subscription Term will automatically renew for additional successive periods of time equal to the length of the original Subscription Term ("Term") (e.g., if the Subscription Term is a year, it will automatically renew for an additional year). Renewal will be at prices to be determined then and services/usage quotas will be the same as the quotas provided in the latest month of the then-current term, unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current term. All sections of this Agreement which by their nature should survive termination will survive, including without limitation, accrued rights to payment, use restrictions and indemnity obligations, confidentiality obligations, warranty disclaimers, and limitations of liability.

7.2. Termination for Material Breach

In the event of a material breach by either party, the non-breaching party will have the right to terminate the applicable Order for cause if such breach has not been cured within 30 days of written notice from the non-breaching party specifying the breach in detail. If Very Good Security terminates an Order for Customer's material breach, all fees set forth on such Order are immediately due and payable. In addition, either party may terminate Customer's access to any sandbox environment for the Services at any time without notice.

7.3 Access to Services Post Termination

Upon any termination or expiration of an Order, Customer's right to access and use the Services covered by that Order will terminate. Notwithstanding the foregoing, at Customer's request if received within 30 days of termination of the Order, Very Good Security will permit Customer to access the Services solely to the extent necessary for Customer to retrieve a file of Customer Data then in Very Good Security's possession. Customer acknowledges and agrees that Very Good Security has no obligation to retain Customer Data and that Very Good Security will have the right to irretrievably delete and destroy Customer Data after 30 days following the termination of this Agreement. Any outstanding remaining amount of fees and charges regarding the Order or Subscription Term must be paid in full as governed by the terms of this Agreement.

7.4 Access Extension

Provided this Agreement is not terminated by VGS pursuant to Section 7.1, Section 7.3 or Entity terminates for cause pursuant to Section 7.2, VGS will continue to provide Services to Customer accounts in existence on the date of termination, pursuant to Section 7.3, commencing on the date of termination of this Agreement and continuing thereafter for three (3) months (the "Extended Service Period"); further, the provision of these extended services shall require prompt payment of three (3) months' worth of fees and charges covered by the Order. Further, the Parties may agree in writing to extend the term of the Extended Service Period.

8. Representations, Disclaimer of Warranties, Indemnities

8.1 Express Warranties

Each party represents and warrants to the other party that it has the power and authority to enter into this Agreement. Very Good Security warrants to Customer that it will (a) perform the Services substantially in accordance with its documentation under normal use; and (b) provide the Services in a manner consistent with generally accepted industry standards. Customer must notify Very Good Security of any warranty deficiencies within 30 days from performance of the relevant Services in order to receive warranty remedies.

8.2 Breach of Express Warranties

For breach of the express warranty set forth above, Customer's exclusive remedy will be the re-performance of the deficient Services. If Very Good Security cannot re-perform such deficient Services as warranted, Customer will be entitled to recover a pro-rata portion of the unused fees paid to Very Good Security for such deficient Services, and such refund will be Very Good Security's entire liability.

8.3 VGS Representations and Warranties

Very Good Security represents and warrants that: (a) it does, and will continue to throughout the term of this Agreement including without limitation to any renewal Term, implement, maintain and use technical, physical and administrative safeguards to protect all Customer Data that are at least as rigorous as accepted industry practices and standards for information security, and as required under all applicable privacy and data security laws; (b) the Software will not contain any virus, worm, trap door, back door, Trojan horse, malicious code, or other limiting routine, instruction, or design that would erase data, provide unauthorized access or disrupt Customer's system from operating as intended; (c) it will comply with all applicable laws, rules and regulations with respect to privacy or data security; and (d) without limiting any other provision of this Agreement, it is, and will continue to be throughout the Term, fully compliant with a current applicable PCI Data Security Standard ("PCI DSS"), including without limitation establishing, implementing and maintaining a comprehensive information security program that assures Very Good Security and its personnel's compliance with the foregoing. Very Good Security shall promptly provide, at the request of the Company, current certification of compliance with the PCI DSS by an authority commonly recognized by the payment card industry for such purpose, on at least an annual basis. Very Good Security shall undergo regular audits as prescribed by the PCI DSS board and shall provide Customer with access to findings of such audits, and Very Good Security shall immediately notify Customer of any significant security risks or changes identified as a result of such audits. 
Very Good Security shall at all times during the Term limit access to Customer Data to those employees, authorized agents, contractors, consultants, service providers and subcontractors who have a need for such access in order for Very Good Security to perform its obligations under this Agreement (collectively, "Authorized Persons"). Very Good Security shall ensure that each Authorized Person is aware of the requirements of Very Good Security's internal security measures and the terms and conditions of this Agreement and shall secure a legally binding agreement from each Authorized Person to comply therewith prior to permitting such Authorized Person to access Customer Data. Very Good Security shall be responsible for, and remain liable to, Customer for the actions and omissions of all Authorized Persons relating to Customer Data as if they were Very Good Security's own actions and omissions and shall periodically review whether each Authorized Person continues to need access in order for Very Good Security to perform its obligations under this Agreement. Without limiting the foregoing, Very Good Security agrees it will, throughout the Term, comply with the Very Good Security Data Security Exhibit hereby attached to this Agreement and incorporated herein by this reference.

8.4 Maintenance and SLAs

The Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, or because of other causes beyond Very Good Security's reasonable control, but Very Good Security will use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled unavailability of the Services. Very Good Security shall comply with the Very Good Security Service Level Agreement hereby attached to this Agreement and incorporated herein by this reference. Very Good Security currently has and will continue to maintain industry standard insurance coverage, at its sole expense.

8.5 Warranty Disclaimers

EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN, Very Good Security AND ITS THIRD PARTY PROVIDERS HEREBY DISCLAIM ALL EXPRESS OR IMPLIED WARRANTIES WITH REGARD TO THE SERVICES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT AND QUALITY. Very Good Security AND ITS THIRD PARTY PROVIDERS MAKE NO REPRESENTATIONS OR WARRANTIES REGARDING THE RELIABILITY, AVAILABILITY, TIMELINESS, SUITABILITY, ACCURACY OR COMPLETENESS OF THE SERVICES OR THE RESULTS CUSTOMER MAY OBTAIN BY USING THE SERVICES. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, Very Good Security AND ITS THIRD PARTY PROVIDERS DO NOT REPRESENT OR WARRANT THAT (A) THE OPERATION OR USE OF THE SERVICES WILL BE TIMELY, UNINTERRUPTED OR ERROR-FREE; OR (B) THE QUALITY OF THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS. CUSTOMER ACKNOWLEDGES THAT NEITHER Very Good Security NOR ITS THIRD PARTY PROVIDERS CONTROLS THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING THE INTERNET, AND THAT THE SERVICES MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. Very Good Security IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS. EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE BY Very Good Security, THE SERVICES ARE PROVIDED TO CUSTOMER ON AN "AS IS" BASIS.

9. Indemnity

Customer will defend, indemnify, and hold harmless Very Good Security and its officers, directors, employees, agents, affiliates, successors and permitted assigns (collectively, "VGS Indemnified Party") from and against any Losses (as defined below), arising from any third party claim against VGS Indemnified Party resulting from any breach by Customer of this Agreement or any use of the Services in violation of any law or regulation. Very Good Security will defend, indemnify, and hold harmless Customer and its officers, directors, employees, agents, affiliates, successors and permitted assigns (collectively, "Customer Indemnified Party") against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including attorneys' fees, payable to a third party by Indemnified Party (collectively, "Losses"), arising out of any third party claim against Customer Indemnified Party resulting from Very Good Security's or its agents' collection, processing, storage, use, transmission or destruction of Confidential Information, including, but not limited to, a suspected or actual Incident (as defined in the Very Good Security Data Security Exhibit attached to this Agreement), in each case resulting from Very Good Security's breach of Sections 8.3 or 11 of this Agreement. The indemnified party shall (a) give written notice to the indemnifying party promptly after learning of such claim, (b) tender the defense of the claim to the indemnifying party, (c) provide the indemnifying party with reasonable assistance, at the indemnifying party's expense, in connection with the defense of such claim, and (d) not settle any such claim without the prior written consent of the indemnifying party.

10. Limitation of Liability

EXCEPT FOR VERY GOOD SECURITY'S BREACH OF SECTIONS 8.3 OR 11 OF THIS AGREEMENT, OR VERY GOOD SECURITY'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 9, OR VERY GOOD SECURITY'S OBLIGATIONS UNDER SECTION 3 OF THE VERY GOOD SECURITY DATA SECURITY EXHIBIT ATTACHED TO THIS AGREEMENT (COLLECTIVELY, THE "SPECIAL LIABILITIES"), VERY GOOD SECURITY WILL NOT BE LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE, INACCURACY OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICE OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND ITS REASONABLE CONTROL, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER IN THE PRECEDING 3 MONTHS. WITH RESPECT TO THE SPECIAL LIABILITIES, VERY GOOD SECURITY'S AGGREGATE LIABILITY WILL NOT EXCEED ONE MILLION DOLLARS (US $1,000,000).

11. Confidential Information

Each party (the "Receiving Party") understands that the other party (the "Disclosing Party") has disclosed or may disclose information relating to the Disclosing Party's business (hereinafter referred to as "Confidential Information" of the Disclosing Party). The Receiving Party agrees: (i) without limiting any other provision of this Agreement, to take reasonable precautions to protect such Confidential Information; and (ii) not to use (except to perform its obligations hereunder or as permitted in Section 12 below) or divulge to any third person any such Confidential Information. The Disclosing Party agrees that the foregoing will not apply with respect to any Confidential Information that the Receiving Party can document (a) is or becomes generally available to the public; or (b) was without restriction rightfully in its possession or known by it prior to receipt from the Disclosing Party; or (c) was rightfully disclosed to it without restriction by a third party; or (d) was independently developed without use of any Confidential Information of the Disclosing Party. If the Receiving Party is required by law to make any disclosure of such Confidential Information, it may do so to the extent of such requirement, provided that it first gives written notice to the Disclosing Party thereof (if legally permitted). Each party shall be responsible for any breach of its confidentiality obligations by its respective employees and agents. Upon termination of this Agreement for any reason, or upon the Disclosing Party's request at any time, the Receiving Party shall promptly return to the disclosing party all originals and copies of any of the Disclosing Party's Confidential Information and destroy all information, records and materials developed therefrom. 
In the event of any threatened or actual breach of this Agreement involving an unauthorized use, disclosure or retention of Confidential Information, the Disclosing Party may suffer irreparable injury not adequately compensable by money damages and for which the Disclosing Party may not have an adequate remedy available at law. Accordingly, the Parties specifically agree that the Disclosing Party shall be entitled to seek injunctive or other equitable relief to prevent or curtail any such breach, threatened or actual, without posting a bond or security and without prejudice to such other rights as may be available under this Agreement or under applicable law.

12. Statistical Information

Notwithstanding anything else in this Agreement or otherwise, Very Good Security may monitor Customer's use of the Services and use Customer Data in an aggregate and anonymous manner, compile statistical and performance information related to the provision and operation of the Services, and may make such information publicly available, provided that such information does not incorporate Customer Data and/or identify Customer's Confidential Information. Very Good Security retains all intellectual property rights in such information.

13. Notices

Very Good Security may give notice applicable to Very Good Security's general Services customer base by means of a general notice on the Services portal, and notices specific to Customer by electronic mail to Customer's e-mail address on record in Very Good Security's account information or by written communication sent by first class mail or pre-paid post to Customer's address on record in Very Good Security's account information. If Customer has a dispute with Very Good Security, wishes to provide a notice under this Agreement, or becomes subject to insolvency or other similar legal proceedings, Customer will promptly send written notice to support@verygoodsecurity.com as well as to Very Good Security at 207 Powell St. Floor 2, San Francisco, CA 94102.

14. General provisions

14.1 Jurisdiction

Any action, claim, or dispute related to this Agreement will be governed by California law, excluding its conflicts of law provisions, and controlling U.S. federal law. The Uniform Computer Information Transactions Act will not apply to this Agreement. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys' fees. The failure of either party to enforce any right or provision in this Agreement will not constitute a waiver of such right or provision unless acknowledged and agreed to by such party in writing.

14.2 Entire Agreement

This Agreement (including all Order(s)) represents the parties' entire understanding relating to the Services, and supersedes any prior or contemporaneous, conflicting or additional communications. Customer acknowledges that this Agreement is a contract between Customer and Very Good Security, even though it may be electronic and not physically signed by Customer and Very Good Security, and it governs Customer's use of the Service and takes the place of any prior agreements between Customer and Very Good Security. This Agreement may be amended only by written agreement signed by the parties. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) will be construed to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.

14.3 Relationship and Assignment

No joint venture, partnership, employment, or agency relationship exists between Very Good Security and Customer as a result of this Agreement or use of the Services. Neither party may assign this Agreement without the prior written approval of the other, such approval not to be unreasonably withheld or delayed, provided that such approval will not be required in connection with a merger or acquisition of all or substantially all of the assets or business of the assigning party related to this Agreement. Any purported assignment in violation of this Section will be void.

Schedule A: VGS Data Security Exhibit

1. Security Measures

Very Good Security will comply with industry standard security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption and any other organizational and technical measures appropriate to protect against unauthorized access to Customer Data), and with all applicable laws regarding data privacy. At Customer's request, but no more than on an annual basis, Very Good Security will provide Customer with an incident response policy, network security policy, and data flow diagram, in an industry standard format.

2. Assessments

Once a year, and after any substantial change is made to Very Good Security's network infrastructure, application, or software/hardware, Very Good Security, at its sole expense, will provide an application security assessment and network vulnerability assessment (collectively, "Assessments"). Very Good Security will respond promptly to any Customer inquiries or requests related to the Assessments. The summaries of such Assessments will be made available to Customer upon request.

3. Incidents

Very Good Security shall notify Customer of an Incident as soon as practicable, but no later than twenty-four (24) hours after Very Good Security becomes aware of it, and agrees to fully cooperate with Customer in Customer's response to such Incident, including, without limitation: (i) assisting with any investigation, (ii) providing Customer with physical access to the facilities and operations affected (to the extent possible), (iii) facilitating interviews with Very Good Security's employees and others involved in the matter, (iv) cooperating in the preparation and transmittal of any notice to be sent to third parties, and (v) making available all relevant records, logs, files, data reporting and other matters in Very Good Security's control required to comply with applicable law, regulation, industry standards or as otherwise required by Customer. Very Good Security shall use commercially reasonable efforts to remedy any Incident as soon as reasonably practicable and prevent any further Incident at Very Good Security's expense in accordance with applicable privacy rights, laws, regulations and standards. Very Good Security shall reimburse Customer for all costs required under applicable law to be incurred by Customer in responding to, and mitigating damages caused by, any Incident resulting from a breach by Very Good Security of Section 8.3 of this Agreement (including this Data Security Exhibit), including all such costs of notice and/or remediation. The incident response and indemnification obligations herein only apply to data specifically and explicitly secured by VGS. In the event of an Incident, Very Good Security shall promptly use its commercially reasonable efforts to prevent a recurrence of any such Incident. 
"Incident" means any act or omission that compromises either the security, confidentiality or integrity of Customer Data or the physical, technical, administrative or organizational safeguards put in place by Very Good Security that relate to the protection of the security, confidentiality or integrity of Customer Data and that results in the unauthorized access, use, disclosure or deletion of Customer Data. Very Good Security will promptly notify Customer if any notices are required under applicable law in connection with an Incident and allow Customer to assist in preparing and delivering the notices.

4. Security Training

Very Good Security will ensure that its personnel who handle Customer Data receive an appropriate level of formal training on handling sensitive data securely. Very Good Security will require all such personnel to acknowledge in writing that they have completed their security training obligations described.

5. Disaster Recovery Management

Very Good Security will maintain a written disaster recovery plan and provide documentation of the same to Customer upon request, redacted for confidential information. Very Good Security will test that plan at least annually.

6. Disclosure of Customer Data

Very Good Security will only share Customer Data as authorized or instructed by Customer (except as required under applicable law). Customer acknowledges, however, that Very Good Security may disclose metadata regarding Customer Data (which does not include the value of a monetary transaction) with third party service providers for the purposes of providing the Services.

7. Retention of Customer Data

Very Good Security may retain Customer Data for purposes of compliance with applicable laws, including after termination of Customer's account.

[End Data Security Exhibit]

Schedule B: VGS Service Level Agreement

1. Availability

Very Good Security will use commercially reasonable efforts to ensure that the Services are Available 99.9%, measured monthly, excluding scheduled maintenance. For purposes hereof, "Availability" or "Available" means the Services are available for access and use through the web application of the Services. Any downtime resulting from Customer's equipment or systems or service providers required by Customer, outages of utilities or other reasons beyond Very Good Security's control will be excluded from any such calculation.

2. Service Credits

In the event that Very Good Security is unable to provide the Availability objective noted above in any given calendar month, as Customer's sole remedy Customer will receive a credit on its next invoice equal to the corresponding percentage noted below of one (1) month's subscription fees for the Services for the month in which the Availability objective was not obtained.

3. Services Availability

Services availability | Credit
Availability of 99.0% - 99.9% | 10%
Availability of 98.0% - 98.9% | 15%
Availability of 97.0% - 97.9% | 20%
Availability of 95.0% - 96.9% | 25%
Less than 95.0% | 50%

4. Availability Calculation:

Total Time: Total amount of time in the month

Outage Time: Time in the month where Very Good Security failed to accept traffic

Uptime: Total Time - Outage Time

Availability: Availability shall be calculated as Uptime divided by Total Time.

Remedies will not accrue (i.e., no credits will be issued and an outage will not be considered unavailability for purposes of this Service Level Agreement) if Customer is not current in its payment obligations either when the outage occurs or when the credit would otherwise be issued. To receive credits, Customer must submit a written request, prior to fifteen (15) days after the end of the month in which the Services were unavailable.

5. Support

Very Good Security has a team of technical support engineers available to assist with incidents, problems, technical tasks or questions. Technical support for VGS Services can be reached at:

https://support.verygoodsecurity.com

support@verygoodsecurity.com


Technical support is available 24 hours a day, 7 days a week for incidents involving Urgent and High level service disruption, and in the following business hours for all other requests. Business hours exclude regional holidays and weekends:

9:00 AM - 6:00 PM EET (UTC+2)

9:00 AM - 6:00 PM PST (UTC-8)

Urgent and High level service disruptions are defined and addressed as follows:

6. Support Time Frames

Service Disruption | Description | Priority | First Response | Resolution | Timeframe
Service Unavailable | VGS Platform or Services is completely unavailable and Customer business is impacted. | Urgent | 30m | 4h | 24/7
Service Degraded | VGS Platform or Services availability is significantly impacting Customer business. | High | 2h | 12h | 24/7

[End SLA]

Schedule C: VGS Data Portability Exhibit

1. Overview

Upon termination of this Agreement and subject to the terms in this Exhibit, Customer may export from Very Good Security any of the Customer Data defined in Section 5.2 of the Very Good Security Terms and Conditions so long as the transfer of such data is in compliance with the latest version of PCI-DSS requirements and such transfer is allowable under any applicable laws, rules, or regulations.

2. Prerequisites

Prior to Very Good Security transferring to sensitive Customer Data (including but not limited to PII, Card Data, and Customer must provide three items:

I. A face-to-face meeting or video chat with Customer's authorized representative;

II. A PGP signed email including: a signed letter from Customer outlining the actions to take, defining the affected data, and authorizing Very Good Security to move forward; and

III. Proof that the intended recipient of the data is in compliance with current PCI-DSS Level 1 requirements (usually in the form of a current AOC executed by a Qualified Security Assessor).

3. Logging

Any actions impacting transmittal of Customer Data in this section will be logged in Very Good Security's automated logging system. Upon request, Customer may receive a copy of Customer specific logs reflecting such actions.

4. Fees

Any fees or expenses incurred by data transfers under this section are Customer's sole responsibility.

5. No Other Changes

No other terms or conditions of the Agreement shall be negated or changed as a result of this Exhibit.

[End Data Portability Exhibit]

Schedule D: Product Terms and Information

I. Product Definitions

  1. Card Network: Visa, Inc., Mastercard Incorporated, American Express Company, Discover Financial Services, and any other applicable payment networks used to process payment transactions (e.g. for merchants or acquirers) or to complete issuing requests for issuers.
A. Vault Products:
  1. Vault: Where sensitive data tokenized by VGS is stored.
  2. VGS Vault Platform: Platform that includes access to the VGS Dashboard, VGS HTTP Proxy, mobile SDKs, and REST API to support tokenization/aliasing of sensitive attributes and documents.
  3. Includes up to 2,500 Requests per Minute. This can be increased upon request with Enterprise Support.

  4. Interactions: Each secure interaction represents the process by which VGS systems operate on a record (i.e. rule enforcement, redact, reveal, enrichment, deduplication). This includes all possible interactions and associated operations including, but not limited to: all rule evaluations, token interactions, or any other metered interactions deemed usage or operation by VGS. Interaction quantities are defined within the Usage Reset Cadence terms in each specific Client Order Form.
  5. Stored Records: Each piece of sensitive information captured and stored by the VGS. Stored Record quantities are defined within the Usage Reset Cadence terms in each specific Customer Order Form.
  6. VGS API Tokenization: VGS aliasing/tokenization utilizing the VGS Vault and VGS REST API directly (e.g. without the use of any VGS proxy, MFT, or CMP).
  7. VGS Token/Alias: A customer-specific token that is created by VGS and not by a Card Network.
B. Credential Management Platform
  1. Credential Management Platform: A platform providing tools to simplify the enrollment and management of Network Tokens, Account Updater, Wallets, Card Attributes, and other payments and payment credential related services across Card Networks.

    Includes up to 2,500 Requests per Minute. This can be increased upon request with Enterprise Support.
C. Account Updater
  1. Account Updater: A service that allows for updates for vaulted payment methods in the event that a customer's vaulted card expires or is replaced helping customers avoid failed transactions or gaps in services. This Service is provided as set forth in the specific Customer Order Form and can be for each of the four major payment card networks (Visa, Mastercard, American Express, Discover) or any additional relevant payment networks.
  2. Account Updater Billing Events: are based on Network billing practices and include, but are not limited to the following events (or their reasonable equivalents):

    a. Card Expired,

    b. Card Updated (including Expiry Updated),

    c. Card Closed, and

    d. Card Contact Cardholder Advice.

D. Network Tokens
  1. Network Token Provisioning: The successful creation of a Network Token for a Customer. VGS requests and obtains a Network Token from a Card Network on behalf of Customer for a specific PAN and, where the Card Network issues the Network Token, providing Customer with the means to manage and process payment utilizing the created Network Token.
  2. Network Token Backbook Provisioning: The one-time batch/mass Network Token Provisioning to create Network Tokens from all of Customer's existing cards on file. The Backbook Enrollment will convert Customer's existing VGS Tokens to Network Tokens. As indicated on the Order Form, the one-time Backbook Enrollment will be performed without charge. Customer will decide and inform VGS as to when Customer wants VGS to execute the Backbook Provisioning process.
  3. Network Token Frontbook Provisioning: Any network token provisionings of Customer cards following the completion of Backbook Provisioning.
  4. Network Token: A secure merchant-specific token that can be used instead of PANs to process card payments on a particular Card Network. Network Tokens are issued by the applicable Card Network and are obtained by VGS through Network Token Provisioning and provided to Customer pursuant to this Order Form.
  5. Network Token Lifecycle Event: Any update or refresh on an existing Network Token's status based on a notification from a Card Network if the account has been updated with new or modified data. Typically this refreshes the card's expiration date and/or last 4 digits.
  6. Network Token Status Updates: Any update of token status based on notifications from Networks. This includes the following status changes:

    a. Suspend,

    b. Resume/Activated,

    c. Delete.

  7. Cryptogram Fetch: When VGS fetches the cryptogram from the card networks and returns that cryptogram to Customer along with the Network Token, expiration date. This can occur when a Network Token is used in a payment transaction to facilitate transactions.
  8. Enhanced Network Tokens: Any Network Tokens with one or more of the following capabilities:

    a. Payment Account Reference (“PAR”): Using a Network token to request a PAR.

    b. Account Funding Transaction (“AFT”): Using a Network token transaction to send a payment instruction to fund a wallet or other stored value instrument.

    c. Card Art: Displaying card assets (artwork) to Customer's cardholder when a network token is being utilized to complete a payment transaction.

    d. Token Connect: Using a network token to request an issuer to push payment card credentials to eligible wallets and merchants to create new tokens.

E. Card Attributes
  1. Card Attributes Service: A service that enables basic (BIN) and enhanced (Full-Pan) lookup enabling the customer to utilize a VGS token to enable a client to conduct a Card Attribute lookup without PCI exposure.
  2. BIN: The first numbers on Cards that are utilized to identify the Card Issuer.
  3. Basic (BIN) Lookup: Card Attribute lookups using just the first 6 digits of a PAN. Provides basic information about the card and the card issuer.
  4. Full-Pan Lookup: Card Attribute lookups leveraging the full PAN. Provides enhanced information about the card and the card issuer.
F. Wallet Products
  1. Wallet Decrypt: Any event where VGS decrypts payload from wallet provider and provides Customer with tokenized references to the payment credentials. Enables seamless integration with digital wallets, such as Apple Pay and Google Pay, for tokenized payment processing.
G. File Management Products
  1. SFTP Proxy: A proxy service that intercepts files being exchanged with third parties (including partners and end customers) over SFTP into or out of Customer's network and aliasing/tokenizing sensitive attributes and documents
  2. Managed File Tokenization (“MFT”) Platform: A platform that can securely schedule and asynchronously (batch file) tokenize each settlement file sent by Customer's designated processors or data providers.
H. PCI Compliance
  1. PCI Compliance Services (L1): Includes software subscription that automates and provides maintenance of the PCI environment and the following items (provided upon Client request or by VGS from time to time):

    a. VGS Management letter stating VGS responsibility for managed Client CDE.

    b. VGS' Attestation of Compliance (AOC)* to Client for the VGS managed Client cardholder data environment (CDE).

    c. Assistance with PCI and related vendor diligence requests from 3rd parties.

    d. Supports:

    i.   Merchants**: Over 6,000,000 card transactions annually

    ii.  Service Providers**: Over 300,000 card transactions annually

    iii. Partners or 3rd parties otherwise requiring PCI L1 due to the nature of transaction, processing flow, or risk profile of stakeholders.

    *The AOC is the official PCI Attestation signed by a PCI Qualified Security Assessor (QSA) and is a certified declaration of VGS compliance with the PCI-DSS.

    **Note: These volumes are based on Card Brand (Visa/MC/AMEX/JCB) PCI listed Levels.

  2. PCI L1 Audit (VGS provides auditor): VGS Compliance team coordinates audit from auditor selection to evidence gathering, preparation, and onsite audit until customer receives a valid PCI L1 ROC and AOC.
  3. PCI Compliance Services (L2-4): Includes software subscription that automates and provides maintenance of the PCI environment and the following items (provided upon Client request or by VGS from time to time):

    a. VGS Mgmt letter stating VGS responsibility for managed Client CDE

    b. VGS' Attestation of Compliance (AOC)* to Client for the VGS managed Client cardholder data environment (CDE).

    c. Assistance with PCI and related vendor diligence requests from 3rd parties. SAQ assistance Supports**:

    d. Merchants: Up to 6,000,000 Card Transactions annually for Merchants

    e. Service Providers: Up to 300,000 Card Transactions Annually for Service Providers

    *The AOC is the official PCI Attestation signed by a PCI Qualified Security Assessor (QSA) and is a certified declaration of VGS compliance with the PCI-DSS. (CDE) to enable the Client to demonstrate PCI L2 - L4 compliance.

    **Note: These volumes are based on Card Brand (Visa/MC/AMEX/JCB) PCI listed Levels.

I. Connectivity Products
  1. HTTP Proxy: Proxy that supports aliasing/tokenizing over HTTP, HTTP/S.
  2. TCP Proxy: Proxy that supports aliasing/tokenizing binary data formats such as ISO8583.
  3. Email Proxy: Proxy that intercepts emails being exchanged with Customer's end-users, clients, and partners into or out of Customer's email servers aliasing/tokenizing sensitive attributes and documents.
  4. VGS Larky: Larky allows VGS customers to not only secure data, but also enhance and transform their sensitive data, without ever being exposed to it. This may be required for certain custom workflows or implementations (e.g. specific encryption workflows, custom header signing, etc.).
  5. VPN: A Virtual Private Network provided and hosted by VGS.
  6. Direct VPN: A Virtual Private Network provided and hosted by VGS that enables VPN or Static IP connectivity to interface with Customer’s partners to allow VGS to secure inbound and outbound traffic.
J. Support Plans
  1. Standard Support:

    a. 24/7 Support for Sev 1 and 2 issues

    b. Support is provided via web portal and email

    c. Access to the Knowledge Base

  2. Enterprise Support:

    a. 24x7 Support

    b. Support is provided via email, chat, or phone with prioritized responses

    c. Get a response within minutes from our emergency support team

    d. Prioritized access to technical experts

    e. Dedicated Customer Success Manager

    f. Shared messaging channel for chat-based collaboration

II. Product Specific Terms

A. General Card Network Terms and Conditions
  1. Card Network Rules: Customer is responsible for adhering to all applicable card network rules regarding their use of the VGS Service. For reference this includes the Visa Rules specified by Visa, the Mastercard Rules specified by Mastercard, and the American Express Merchant Operating Guide specified by American Express. Each Card Network may amend its Card Network Rules at any time without notice to Customer.
  2. Payment Card Account Data. Customer must not utilize a payment card account number for purposes other than for a transaction and must not use payment card account numbers or payment card transaction data except as permitted under applicable law, the Card Network Rules and this agreement. Unless Customer is issuing cards, has reasonable business justification, and is utilizing sufficient security measures, Customer shall not store CVV, CVC, or similar security code after successful card authorization.
  3. Card Network Security Programs. You must comply with the Card Networks' security standards, requirements and programs (e.g., the Visa Account Information Security Program), and all Card Network Rules governing the privacy, protection, and your use, storage and disclosure of data.
B. Beta Products
  1. Purpose: If Customer utilizes any Beta products or otherwise, Customer acknowledges that early access to Beta Products is provided so that Client may evaluate Beta Products for its own internal business purposes and to give feedback to VGS as part of its participation in a design partnership with VGS so long as Client complies with the terms of this Agreement.
  2. Disclaimers: THE PARTIES FURTHER ACKNOWLEDGE THAT VGS BETA PRODUCTS, RELATED INFORMATION DISCLOSED, AND THE DELIVERY THEREOF UNDER THIS AGREEMENT IS PROVIDED “AS IS” AND NO VGS REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, REGARDING ITS ACCURACY OR COMPLETENESS, OR ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
  3. Beta Products may not operate correctly, they may have bugs and may not work the way a final commercial version of the product will.

    VGS further reserves the right to change or discontinue Beta Products at any time, for any reason, without notice. VGS may update Beta Products to produce commercial versions, or decide not to release a commercial version at all. Unless otherwise stated, VGS is not obligated to provide any maintenance, technical support, or updates for the Beta Products.

  4. Feedback. Customer, at its sole discretion, may provide input regarding any Beta Products, including, without limitation, comments or suggestions regarding the possible creation, modification, correction, improvement or enhancement of the Services, products and/or services, or input as to whether Client believes VGS' product direction is consistent with its own business and IT needs (collectively “Feedback”). VGS shall be entitled to use Feedback for any purpose without notice, restriction or remuneration of any kind to Client or Client's representatives.
  5. Product Improvement. VGS will utilize all Feedback and insight about the Product from this partnership freely without any restriction or obligation. Partner will not give any Feedback that Provider cannot use in this manner or for the purpose.
  6. Effect of Termination. Upon expiration or termination of Customer's use of a Beta Product, Customer will no longer have any right to access or use the relevant Beta Product and will no longer be required to provide Feedback or participate in the Program under the Order. Each Recipient will return or destroy Discloser's Confidential Information in its possession or control.
  7. Confidentiality: Customer acknowledges that it may receive special information not available to the rest of the world and that any such non-public information provided by VGS will be considered VGS' confidential information (collectively, “Confidential Information”), regardless of whether it is marked or identified as such. Client agrees to use the same degree of care as it would with its own confidential information, but no less than reasonable precautions to prevent any unauthorized use, disclosure, publication, or dissemination. Client agrees to not disclose, publish, or disseminate any Confidential Information to any third party, unless approved by VGS.
C. Account Updater

Customer and any Customer Merchants must:

  1. Not have been disqualified from participating in applicable Card Networks.
  2. Be in compliance with the Card Network rules and documentation.
  3. Have a valid business need to receive updated account information, including but not limited to:

    a. Credential-on-file business models

    b. Installment payments

    c. Recurring payment services

  4. Meet the following risk management criteria:

    a. Must not be engaged in business categorized by the following merchant category codes: 5962, 5966, or 5967.

    b. NOTE: Low-risk segments of a merchant's business may be eligible to participate even though other segments of the merchant's business may not qualify or may be specifically prohibited from participation. For example, a telecommunication company's prepaid cellular segment may be high-risk while its monthly billings for residential service may be low risk. If separable, the low-risk portion of the company's accounts may be eligible for participation in the VAU.

    c. Must not have sales transactions that are predominantly Quasi-Cash.

  5. Comply with all applicable laws and regulations, including compliance with requirements under applicable privacy laws. Responsibilities of the Customer and any Customer merchant under privacy laws include those set out in the Card Network Rules and documentation.
  6. Be approved by Card Networks for participation.
D. Network Tokens
  1. Permitted Uses:

    a. Creating Network Tokens

    b. Processing payments using Network Tokens in accordance with Card Network rules and agreements

    c. Notifying or receiving notification of Network Token status changes.

E. Card Art
  1. If VGS provides Customer Card Art, VGS hereby grants Customer the limited, non-exclusive, right to use, reproduce, display, distribute and store such Card Art solely for the purpose of enabling Customer's display of such Card Art to a Cardmember in connection with Customer's Applications. Customer shall, at all times, strictly observe and comply with all specified written requirements provided by Card Networks with respect to the proper use of Card Art. Any modifications to such written requirements delivered to Customer shall be implemented promptly, but in no event more than thirty (30) days after Customer receipt of such modifications. Customers may not use Card Art for any other purpose.
F. Card Attributes
  1. Permitted Uses:

    a. Enabling compliance with applicable law or regulations or policy

    b. Optimize fraud prevention tools / processes

    c. Ensuring the proper application of contract terms with processors/card networks existing card acceptance agreements

    d. Prevent inappropriate or unfair practices

    e. Identify Prepaid Cards, including reloadable and non-reloadable Prepaid Cards, at the point of sale

    f. Identifying BIN ranges by issuing country for account updates

    g. Updating merchant Card-on-file account information

    h. To the extent necessary to conduct the operational activities required to identify and process Card transactions, including the routing of Card transactions.

    i. Surcharging that is compliant with all applicable card network rules

  2. Prohibitions: Except where a prohibition is not permitted by applicable law, Client may not

    a. Use the Card Attribute Services to impose restrictions, conditions or disadvantages on Merchants or

    b. Card transactions, which restrictions, conditions or disadvantages are not imposed equally on Other Payment Products.

    c. To resell or create derivative products

    d. Surcharging that is non-compliant with any applicable card network rule

    Illustratively: this means Card Attribute responses may not be used to:

    (i) to identify types of Cards for the purpose of processing Cards differently from other payment products (e.g. the imposition of a fee/surcharge, the implementation of functionality allowing a fee or surcharge, for payment with a Card, which is not applied equally on all payment products except electronic funds transfers, cash, or check;

    (ii) in order to selectively accept Cards (with the exception of fraud management);

    (iii) for any marketing purposes

  3. Card Network Rules: Customer is responsible for adhering to all applicable card network rules regarding their use of this or any other VGS Service.
G. Network Assessment Fee
  1. Network Assessment Fee Price Increases: Customer acknowledges that during the term of this Agreement (including any renewal period) a Network Assessment Fee may be assessed or increased by Card Brands. VGS reserves the right to add or adjust a Network Assessment Fee herein to match. If such price adjustment occurs, VGS will provide reasonable prior notice of any such addition or increase in the price of the Network Assessment Fee. If Customer does not agree to pay such increase, Customer must provide written notice to VGS within fifteen (15) days of notice of such increase. Upon receipt of such notice, VGS will terminate this Order Form, or the agreed upon portion thereof, and halt provisioning of the affected Product SKU (for example Network Tokens and/or Account Updater), as applicable.