Intenseye Legal

1. End Customer License Agreement

This End Customer License Agreement (“License Agreement”) was executed, signed and took effect on Customer’s execution (“Effective Date”) by and between Intenseye, Inc., a Delaware corporation with offices located at 530 5th Avenue, New York, NY 10036 (“Intenseye”) and Customer identified in the Statement of Work (“Customer”).

Customer and Intenseye shall be hereinafter individually referred to as “Party” and collectively as “Parties”.

If the Customer acquires Services (as defined below) under the terms specified herein through a Partner (as defined below), this License Agreement will take precedence over any conflicting terms in the agreement between the Customer and the Partner, insofar as the relationship between the Customer and Intenseye is concerned. Rights granted to the Customer in a separate agreement with the Partner, which are absent in this License Agreement, are applicable exclusively in the context of that Partner. Consequently, the Customer is obliged to pursue any remedies or enforcement of such rights solely with the Partner and not Intenseye.

BY SIGNING A STATEMENT OF WORK, ACCESSING, RECEIVING, AND/OR USING THE SERVICE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT. IN NO EVENT MAY YOU ACCESS, RECEIVE OR OTHERWISE USE ANY INTENSEYE PRODUCT OR SERVICE WITHOUT AGREEING TO THESE TERMS (OR ANOTHER AGREEMENT AGREED TO IN WRITING BY INTENSEYE).

1. DEFINITIONS

“Affiliates” means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with another entity, so long as such Control exists. For the purposes of this definition, “Control” means beneficial ownership of 50% or more of the voting power or equity in an entity.
“Authorized User” means the individuals authorized by the Customer to access and use the Services.
“Customer” means the Customer identified in the SOW.
“Customer Data” means any data or images submitted, uploaded, imported, integrated, or otherwise communicated by Customer to Intenseye.
“Facility” means the sites/facilities/plants of the Customer in which Services are to be used by Customer.
“Fees” has the meaning set forth in Section 5.1.
“License Agreement” means, collectively, this End Customer License Agreement and any other attachments hereto.
“Partner” means Intenseye-authorized partner, reseller, distributor or marketplace.
“Partner Contract” means the agreement between Intenseye and Partner authorizing the Partner to resell access to, or provide access to the Services.
“Services” has the meaning set forth in Section 2.
“Service Data” means any statistical and/or other benchmark data gathered by Intenseye from Customer’s use of the Services, including image-related data, for purposes of training Intenseye’s algorithms.
“Service Software” means the AI-powered image processing based workplace safety and security software application that has been developed and owned by Intenseye or applications and any third-party or other software, and all new versions, updates, revisions, improvements, and modifications of the foregoing, that Intenseye provides remote access to and use of as part of the Services.
“Subscription” means a non-exclusive, personal, nontransferable right to use the Services and use the output of the Services in accordance with this License Agreement and the SOW in Customer’s relevant Facilities details of which is stated on the SOW.
“Subscription Start Date” means the date of commencement of the Services set forth in the relevant SOW.
“Subscription Term” means the initial Service term for which the Services can be used in a Facility in accordance with this License Agreement and the agreed upon time period in the relevant SOW.
“Statement of Work” or “SOW” means the document that is mutually agreed to in writing by the Partner and Customer that issued in accordance with this License Agreement and describes, among other things, the Services to be made available, the Fees to be paid, payment term, and Subscription Term. Customer acknowledges the Partner Contract requires Partner to incorporate this License Agreement into all SOWs, and Customer expressly agrees that Intenseye shall have the benefit of and right to enforce this License Agreement against Customer. In the event that any provision of this License Agreement is deemed to conflict with a provision of a SOW or other agreement between Customer and Partner with respect to the Services or other subject matter of this License Agreement, the provision of this License Agreement shall be applicable for Customer and Intenseye, unless Intenseye and Customer agree otherwise in writing.

2. SUBJECT

This License Agreement sets out the principles regarding provision of services details of which set out in the related SOW via the Service Software (“Services”) to the Customer by Intenseye and the rights and obligations of the Parties in respect thereof.

3. TERM

This License Agreement enters into force on Effective Date and remains in effect until the expiration of the last Subscription Term in all effective SOWs issued under this License Agreement (“Term of the License Agreement”). The term of the Services will commence on Subscription Start Date set forth in the SOW and shall continue for the Subscription Term identified therein, and any renewal thereof, unless earlier terminated pursuant to the terms of this License Agreement.

4. LICENSE AND INTELLECTUAL PROPERTY RIGHTS

4.1. License Agreement. Intenseye hereby grants Customer a limited, non-exclusive, non-sublicensable, non-transferable, non-assignable, revocable, worldwide license to access and utilize the Services pursuant to the terms of this License Agreement and the applicable SOW.

4.2. Reservation of Rights. Intenseye and its licensors own and retain all right, title, and interest, including all intellectual property rights, in and to the Service Software, Services and Service Data (collectively “Intenseye Intellectual Property”), including any improvements, modifications, and enhancements. Intenseye expends significant resources gathering, assembling, and compiling the Service Data and such Service Data constitutes an original compilation protected by applicable copyright laws. Except for the rights expressly granted in this License Agreement, Customer shall acquire no other rights, express or implied, in or to the Intenseye Intellectual Property, and all rights not expressly provided to Customer hereunder are reserved by Intenseye and its licensors. If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Intenseye, nothing in this License Agreement or in the parties’ dealings arising out of or related to this License Agreement will restrict Intenseye’s right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Intenseye’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.

‍4.3. Use Restrictions. Customer will not, directly or indirectly, alter or modify the Services and Service Software, or reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services, Service Software or any software, documentation or data related to the Services. Customer shall not make the Services and Service Software available for the benefit of any third party, or sell, resell, license, sublicense, distribute, rent or lease the Services to any third party for any purpose, commercial or otherwise.

‍4.4. Customer Data. All intellectual property rights in and to the Customer Data shall vest and remain vested in the Customer. Customer grants Intenseye a non-exclusive, non-transferable, non-sublicensable (except as set forth herein), royalty-free right during the Term of the License Agreement to copy, transmit and display Customer Data to analyze, develop, test, and operate, provide, and support the Services and/or any of products of Intenseye, as reasonably necessary for Intenseye to provide the Services in accordance with this License Agreement. Subject to the limited licenses granted herein, Intenseye acquires no right, title or interest from Customer or Customer’s licensors under this License Agreement in or to any Customer Data. All intellectual and industrial property rights regarding the Customer Data other than the specified right of use belong to Customer and this limited usage right granted to Intenseye cannot be interpreted in a way to limit Customer's use of all other rights. Company shall be responsible for the accuracy, quality and legality of Customer Data and the means by which Customer acquired such Customer Data. Customer represents and warrants that: (a) it owns or has the right to make Customer Data available to Intenseye; and (b) the posting and use of Customer Data on or through the Service will not (i) violate the intellectual property, privacy, publicity, or other rights of any person or (ii) breach any contract between Customer and a third party. To the extent Customer Data includes information that, alone or in combination with other information, is also personal data, Intenseye does and shall comply with all applicable laws and regulations involving the use, protection, and maintenance of such personal data. Where an Authorized User submits Customer Data, including personal data about such Authorized User, directly to the Service or Intenseye, the provisions of this Section will apply to such Authorized User.

‍4.5. Promotional License. Customer grants to Intenseye a limited, non-exclusive, unrestricted right and license (subject to Customer’s right to cancel such license at any time) to use Customer’s name and logo for the following purposes: (i) to promote the Services; (ii) to demonstrate on Intenseye's website that the Customer is a user of Intenseye’s Services; and (iii) to prepare and publish a use case detailing the Customer’s experience with Service Software. Intenseye is granted no other rights to the Customer’s logo and acknowledges that it shall not gain any proprietary interest in the Customer’s logo. Intenseye is under no obligation to make use of or to provide compensation for any of the rights or permissions granted. Intenseye shall be the exclusive owner of all right, title, and interest, including copyright, in Intenseye’s marketing and promotional materials. Customer may terminate any of the above uses at any time with thirty (30) days written notice.

5. FEES AND PAYMENT‍

5.1. Fees, Payments and Taxes. Pricing and payment of fees and associated taxes for the Services are solely between Customer and Partner.

6. AVAILABILITY AND TECHNICAL SUPPORT‍

6.1. Intenseye will provide the Services in accordance with the Service Level Agreement set forth as Annex 1 hereto. Intenseye may provide bug fixes, patches, and maintenance releases to the Services at any time.

6.2. Intenseye’s support personnel shall respond to Customer’s reasonable telephone and email inquiries regarding issues relating to the Services from 7:00 a.m. to 8:00 p.m., Eastern Standard Time, Monday through Friday, except for standard legal U.S. holidays.

6.3. Should Intenseye require Customer’s support within the scope of the performance of Services, Customer shall not refrain from cooperating with Intenseye.

7. PRIVACY AND PERSONAL DATA PROTECTION

7.1. The Parties have to comply with primarily the applicable personal data protection laws, with regard to personal data which they have learned, accessed and transferred to each other about performance of this License Agreement or/and during the performance of this License Agreement, without limitation to this Section.

7.2. Customer acts as the data controller for the performance of the Services and in personal data processing activities carried out in connection with it.

7.3. For purposes of this License Agreement, Intenseye operates as the data processor under the direction of the Customer, who operates as the data controller. Customer has full control and discretion of its personal data to submit to Intenseye.

7.4. Within the scope of the Services provided by the Intenseye as per this License Agreement, if necessary, Intenseye as a data processor will only process personal data processed by the data controller Customer only for the purpose of performing the Services. It will not be possible for Intenseye to process personal data other than the performance of the License Agreement, to share it with third parties, to use it for advertising, sales and similar purposes.

7.5. Intenseye will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the personal data under this License Agreement. Taking into account costs of implementation, the nature, scope, context and purposes of data processing, and any potential risks to the rights and freedoms of natural persons, these measures include: (a) the encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal data. In assessing the appropriate level of security, Intenseye shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of personal data as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing of personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

7.6. Intenseye shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours, upon Intenseye becoming aware of a personal data breach affecting personal data, providing Customer with sufficient information to allow Customer to meet its obligations to report or inform data subjects of the personal data breach under the applicable data protection laws. Intenseye shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of a personal data breach.

8. CONFIDENTIALITY AND NON-DISCLOSURE

8.1. In providing the Services under this License Agreement, each Party may have access to to the other Party’s confidential and proprietary information (“Confidential Information”). To the extent such Confidential Information is disclosed to the Parties, the Party receiving the Confidential Information (“Receiving Party”) shall not disclose any Confidential Information to any third party for any reason without the prior written consent of the Party disclosing the Confidential Information (“Disclosing Party”), other than its employees or agents who have a need to know about such information for the performance of this License Agreement.

8.2. In the event the Receiving Party is requested or required by legal process to disclose any of the Confidential Information, the Receiving Party shall, if legally permitted, give the Disclosing Party prompt notice so that the Disclosing Party may seek a protective order or other appropriate relief prior to any such disclosure. If such protective order is not obtained, the Receiving Party shall disclose only that portion of the Confidential Information that its legal counsel advises that it is legally required to disclose and shall work with the Disclosing Party to minimize the extent and effect.

8.3. Both parties understand and agree that monetary damages will not be a sufficient remedy for any breach of the Receiving Party’s confidentiality obligations under this Section and that the Disclosing Party shall be entitled to seek equitable relief, including injunction and specific performance, as a remedy for any such breach. Such remedies will not be deemed to be the exclusive remedies for a breach for the Disclosing Party but will be in addition to all other remedies available to the Disclosing Party at law or in equity.

9. REPRESENTATIONS AND WARRANTIES

9.1. Mutual Warranties. Each Party represents and warrants that: (i) Each Party is a business duly incorporated and in good standing under the laws of its state of incorporation; (ii) Each Party has all requisite corporate power and authority to execute, deliver, and perform its obligations under this License Agreement; (iii) Each Party shall comply with all international, federal or state laws or regulations applicable to the performance of its obligations under this License Agreement; (iv) Services may be subject to export laws and regulations of the United States and other jurisdictions. Each Party represents that it is not named on any U.S. government denied-party list. Customer shall not permit access or use any Services in a U.S. embargoed country or in violation of any other applicable export laws or regulations.

9.2. Intenseye Representations and Warranties. Intenseye represents, warrants and covenants that throughout the Term of the License Agreement (i) the Service shall perform materially with the functionality in accordance with the applicable documentation and such functionality will be maintained in all material respects in subsequent upgrades to the Service; (ii) it will employ then-current, best industry-standard measures to test the Service to detect and remediate viruses, trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact or misappropriate Customer Data or the operation or performance of the Service; (iii) the Service shall perform pursuant to the terms of the Service Level Agreement attached hereto as Annex 1 and incorporated herein by reference; (iv) it is the sole owner of the Service or otherwise has full power and authority to grant to Customer the rights to use the Service and other rights granted herein; and (v) as of the Effective Date, and to Intenseye’s actual or constructive knowledge, neither the performance by Customer in its utilization of the Service, nor the license of and authorized use by Customer of the Service as described herein, do not infringe upon or misappropriate any proprietary or intellectual property right of any third party. Intenseye shall perform the technical support services in compliance with specialties of every specific technical issue and does not guarantee any solution regarding any technical issue.

9.3. Customer Representations and Warranties. Customer represents and warrants that: (a) its use of the Service, including any Customer Data provided by Customer for use with the Service or handling by Intenseye, will: (i) comply with any applicable law or regulation, (ii) not cause a breach of any agreement with or rights of any third party (including without limitation the rules of any social network platform or any data subject rights) and (iii) not unreasonably interfere with use of services offered by the Company to third parties; and (b) it shall use the Service strictly in accordance with this License Agreement and other written instructions (e.g., product documentation, release notes, mutually agreed SOWs, etc.) provided by Intenseye.

10. DISCLAIMERS

10.1. INTENSEYE DOES NOT MAKE ANY GUARANTEE OF IMPACT, OUTCOME, OR RESULTS. UNLESS OTHERWISE STATED HEREIN AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO CUSTOMER THROUGH THIS LICENSE AGREEMENT ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. INTENSEYE DOES NOT REPRESENT OR WARRANT THAT THE SERVICE SOFTWARE (I) WILL BE UNINTERRUPTED, TIMELY OR SECURE (II) WILL BE FREE OF DEFECTS, INACCURACIES OR ERRORS, (III) WILL MEET CUSTOMER’S REQUIREMENTS, OR (IV) WILL OPERATE IN THE CONFIGURATION OR WITH OTHER HARDWARE OR SOFTWARE. EXCEPT WHERE PROHIBITED BY LAW, INTENSEYE EXPRESSLY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY AND WILL NOT BE LIABLE FOR CUSTOMER’S USE OF OR RELIANCE ON THE SERVICES.

10.2. Intenseye disclaims any and all liability for the acts, omissions, and conduct of any third parties. To the extent permitted by applicable law, Intenseye makes no warranties regarding third party services, goods, resources, and information including, without limitation, warranties of fitness for a particular purpose, merchantability, and non-infringement and will not be liable for Customer’s use of such third-party services, goods, resources or information.

10.3. With regard to any dispute between Customer and any of its employees, contractors, visitors, invitees, agents, customers, representatives or other third party (whether an individual or public or private entity) arising from or relating to Customer’s use of the Services, the analytics generated in connection with the Services, and/or Customer’s reliance on such analytics, Customer hereby releases Intenseye and its subsidiaries, affiliates, officers, directors, shareholders, employees, representatives, agents, volunteers, attorneys, managers, licensors, business partners and each of their respective successors and assigns, from all claims, demands, causes of action, liabilities, legal fees and costs, and damages (actual or consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.

10.4. The purpose of the Services provided by Intenseye is to provide technical solutions to help ensure the Customer’s compliance with the applicable occupational health and safety legislation at the Customer’s Facilities specified in the SOWs, limited to the scope of Services defined in the SOWs. In this context, Intenseye cannot be held liable in the event of any situation contrary to the relevant legislation, especially occupational accidents that may cur in the Facilities during the utilization of the Services. Accordingly, Intenseye shall not be held liable for any loss or damage, intangible, legal and financial consequences arising or resulting any acts or omissions by Customer, including acts or omissions made by Customer in reliance upon the analytics generated from the Customer Data collected, processed and reported in connection with the Services.

11. LIMITATION OF LIABILITY

Except with respect to a Party’s indemnification obligations herein (“Exceptions”), neither Party shall be liable to the other party or any third party for any consequential, incidental, indirect, exemplary, punitive or special damages (including damages for lost profits, security breach, lost data or loss of goodwill) arising out of, relating to or connected with the use of the Services, even if such Party has been advised of the possibility of such damages. To the extent permitted by applicable law, except with respect to the Exceptions, except for each Party’s liability for payment of fees and for infringement of intellectual property rights, in no event will either Party’s aggregate liability to the other Party, including that of its officers, directors, employees, and agents, arising out of or in connection with this License Agreement exceed the fees paid or payable to Intenseye by Partner during the Subscription Term giving rise to the claim.

12. INDEMNITY

12.1. By Intenseye. To the maximum extent permitted by law, Intenseye agrees to indemnify, defend and hold harmless Customer, and its Customer subsidiaries, affiliates, officers, directors, shareholders, employees and each of their respective successors and assigns (the “Customer Indemnified Parties”) from and against all damages, losses, liabilities, claims, expenses, fees or costs (including, without limitation, reasonable attorneys’ fees and costs) incurred in connection with any claim, demand or action brought or asserted against any of the Customer Indemnified Parties arising out of or relating to a claim that the Services infringe another person's patent, copyright, trade secret or trademark. Intenseye will not have liability for, and Customer will defend Intenseye against, and pay any damages awarded against Intenseye and direct expenses, including reasonable attorneys' fees to the extent the claimed infringement would not have occurred but for (i) the use of the Services other than in accordance with Intenseye’s published instructions, (ii) any unauthorized modification or alteration of the Services by Customer, (iii) any combination or use of the Services with any other product or system or technologies not supplied by Intenseye or otherwise anticipated by this License Agreement, (iv) Intenseye's compliance with Customer's design or specifications, and/or (v) any refusal to accept or use suitable modified or replacement of the Services provided by Intenseye to avoid infringement. In the event of claimed infringement, Intenseye shall, at its option: (A) obtain a right for Customer to continue using the Services for no additional fee; (B) modify the Services (as applicable) to make it non-infringing; (C) replace the Services (as applicable) with a non-infringing equivalent with the same functionality, features, and performance; or (D) terminate this License Agreement and refund on a pro-rata basis the unused portion of the Fees.

‍12.2. By Customer. To the maximum extent permitted by law, Customer agrees to indemnify, defend and hold harmless Intenseye, and its Intenseye subsidiaries, affiliates, officers, directors, shareholders, employees, and each of their respective successors and assigns (the “Intenseye Indemnified Parties”) from and against all damages, losses, liabilities, claims, expenses, fees or costs (including, without limitation, reasonable attorneys’ fees and costs) incurred in connection with any claim, demand or action brought or asserted against any of the Intenseye Indemnified Parties arising out of or relating to (i) Customer’s use of the Services in breach of this License Agreement, (ii) Customer’s violation of any third party right, including without limitation any intellectual property right, publicity, property or privacy right, (iii) a breach of Customer’s representation or warranties under this License Agreement, (iv) Customer’s failure to obtain the proper consents and/or authorizations to capture, process and/or transmit Customer Data to Intenseye, (v) Customer’s violation of applicable state and federal rules, regulations and statutes, (vi) bodily injury, death or property damage of Customer’s employees, contractors, visitors, invitees, agents, customers, representatives or other third party.

‍12.3. Notice. As a condition to an indemnifying Party’s (each, an “Indemnitor”) obligations under this Section, a Party entitled to indemnification (each, an “Indemnitee”) will: (i) promptly notify the Indemnitor of the claim for which the Indemnitee is seeking indemnification; (ii) grant the Indemnitor sole control of the defense and settlement of the claim; (iii) provide the Indemnitor, at the Indemnitor’s expense, with all assistance, information, and authority reasonably required for the defense and settlement of the claim; (iv) preserve and will not waive legal, professional or any other privilege attaching to any of the records, documents, or other information in relation to such claim without prior notification of consent by the Indemnitor. The Indemnitor will not settle any claim that involves a remedy other than payment without the Indemnitee’s prior written consent, which may not be unreasonably withheld or delayed. An Indemnitee has the right to retain counsel, at the Indemnitee’s expense, to participate in the defense or settlement of any claim. The Indemnitor will not be liable for any settlement or compromise that an Indemnitee enters into without the Indemnitor’s prior written consent.

13. RENEWAL AND TERMINATION

13.2. Automatic Termination. This License Agreement shall automatically terminate, without notice, (i) upon the institution by or against either Party of insolvency, receivership or bankruptcy proceedings or any other proceedings for the settlement of either Party’s debts, (ii) upon either Party making an assignment for the benefit of creditors, or (iii) upon either Party’s dissolution or ceasing to do business.

13.3. Termination for Cause. Either Party may terminate this License Agreement if the other Party breaches any material provisions of this License Agreement and fails to cure such breach within thirty (30) days after receipt of written notice of such breach. Additionally, Intenseye may terminate Customer’s access to the Services and this License Agreement if Partner fails to pay any amount due under its Partner Contract and such failure remains uncured following the cure period specified in the Partner Contract.

13.4. Survival. The following Sections survive termination of this License Agreement: Promotional License, Confidentiality & Non-Disclosure, Disclaimers, Indemnity, Limitation of Liability, and Governing Law.

14. GENERAL PROVISIONS

14.1. Affiliates. Any Affiliate of Customer will have the right to enter into a SOW executed by such Affiliate and Partner and this License Agreement will apply to each such SOW as if such Affiliate were a signatory to this License Agreement. With respect to such SOWs, such Affiliate becomes a party to this License Agreement and references to Customer in this License Agreement are deemed to be references to such Affiliate.

14.2. Force Majeure. Neither party will be deemed in breach of this License Agreement if the failure to perform is caused by circumstances beyond its reasonable control, including without limitation acts of God, acts of government, flood, fire, earthquake, civil unrest, acts of terror, strikes or labor problems, computer, internet, or telecommunications failures, delays or network intrusions, or denial of service attacks, but only if (a) such party gives prompt written notice to the other party of the force majeure event, and (b) such failure or delay results notwithstanding the exercise of reasonable care and diligence to avoid or mitigate the same in anticipation of or in response to such causes. The time for performance will be extended for a period equal to the duration of the force majeure event.

14.3. Relationship of the Parties. The parties’ relationship is strictly that of independent contractors and this License Agreement do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. Neither party has the power to bind the other, make any warranties or representations, or incur, assume, or create obligations on the other’s behalf without the other’s prior written consent and each party agrees that it will not perform any act or omission to the contrary.

14.4. Severability. The validity or unenforceability of any provision of this License Agreement shall not affect the validity or enforceability of any other provision of this License Agreement.

14.5. Modifications. No modification of this License Agreement shall be effective unless it is in writing and signed by an authorized representative of each Party.

14.6. Assignment. Neither Party shall assign any of the rights or obligations under this License Agreement without the prior written consent of the other Party, which consent shall not unreasonably be withheld. However, consent is not required for an assignment of this License Agreement in connection with a change of control, merger, stock transfer, sale or other disposition of substantially all the assets of the assigning Party’s business.

14.7. Successors and Assigns. This License Agreement is binding on and inures to the benefit of the Parties and their respective successors and permitted assigns.

14.8. No Waiver. No failure or delay by a party exercising any right, power or privilege under this License Agreement will operate as a waiver thereof.

14.9. Interpretation. Headings are for reference purposes only and do not limit the scope or extent of such section.

14.10. Notices. All notices required or permitted to be given under this License Agreement will be in writing and delivered to Intenseye and to Customer at the addresses provided in this License Agreement and the SOW.

14.11. Governing Law and Venue. This License Agreement and the rights and obligations of the Parties under this License Agreement shall be governed by and construed and enforced in accordance with the laws of the State of New York, without giving effect to the principles thereof relating to the conflicts of laws. In addition, the Parties mutually acknowledge and agree that this License Agreement relates solely to the performance of services (not the sale of goods) and, accordingly, shall not be governed by the Uniform Commercial Code of any state having or claiming jurisdiction. The Parties consent to the jurisdiction of the State of New York, and venue in New York County, with regard to any controversy or claim arising out of or relating to this License Agreement including any Annex, Schedules, SOW, order form and the transactions contemplated therein, or the breach thereof.

14.12. Execution and Counterparts. This License Agreement may be executed in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Counterparts may be delivered via facsimile, electronic mail (including pdf or any electronic signature (e.g., DocuSign) complying with the U.S. Federal ESIGN Act of 2000, Uniform Electronic Transactions Act, or other applicable law) or other transmission method and any counterpart so delivered will be deemed to have been duly and validly delivered and be valid and effective for all purposes.

14.13. Entire Agreement and Construction. This License Agreement constitute the entire and exclusive agreement between the Parties as to its subject matter, and supersede all previous and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter of this License Agreement. No modification, amendment, or waiver of any provision of this License Agreement shall be effective unless in writing and signed by both parties. In the event of any conflict between the provisions in this License Agreement and any SOW, the License Agreement will take precedence. Notwithstanding any language to the contrary therein, no terms or conditions stated in a purchase order issued by Customer or in any other Customer order documentation shall be incorporated into or form any part of this License Agreement.

‍

2. Master Software as a Service (SaaS) Agreement

This Master Software as a Service (SaaS) Agreement (“Agreement”) was executed, signed and took effect on the date of Customer’s execution of this Agreement or the first SOW (“Effective Date”) by and between Intenseye, Inc., a Delaware corporation with offices located at 1250 Broadway, Suite 401, New York, NY, 10001 (“Intenseye”) and Customer identified in the Statement of Work (“Customer”).

Customer and Intenseye shall be hereinafter individually referred to as “Party” and collectively as “Parties”.

BY SIGNING A STATEMENT OF WORK, ACCESSING, RECEIVING, AND/OR USING THE SERVICE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IN NO EVENT MAY YOU ACCESS, RECEIVE OR OTHERWISE USE ANY INTENSEYE PRODUCT OR SERVICE WITHOUT AGREEING TO THESE TERMS (OR ANOTHER AGREEMENT AGREED TO IN WRITING BY INTENSEYE).

1. DEFINITIONS
‍

“Affiliates” means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with another entity, so long as such Control exists. For the purposes of this definition, “Control” means beneficial ownership of 50% or more of the voting power or equity in an entity.
“Agreement” means, collectively, this Software as a Service Agreement and all SOWs issued under this Agreement and any other attachments hereto.
“Authorized User” means the individuals authorized by the Customer to access and use the Services.
“Customer” means the Customer identified in the SOW.
“Customer Data” means any data or images submitted, uploaded, imported, integrated, or otherwise communicated by Customer to Intenseye, including but not limited to any image and video-footage data.
“Facility” means the sites/facilities/plants of the Customer in which Services are to be used by Customer.
“Fees” has the meaning set forth in Section 5.1.
“Services” has the meaning set forth in Section 2.
“Service Data” means any statistical and/or other benchmark data gathered by Intenseye from Customer’s use of the Services.
“Service Software” means the AI-powered image processing based workplace safety and security software application that has been developed and owned by Intenseye or applications and any third-party or other software, and all new versions, updates, revisions, improvements, and modifications of the foregoing, that Intenseye provides remote access to and use of as part of the Services.
“Subscription” means a non-exclusive, personal, non-transferable right to use the Services and use the output of the Services in accordance with this Agreement and the SOW in Customer’s relevant Facilities details of which is stated on the SOW.
“Subscription Start Date” means the date of commencement of the Services set forth in the relevant SOW.
“Subscription Term” means the initial Service term for which the Services can be used in a Facility in accordance with this Agreement and the agreed upon time period in the relevant SOW.
“Statement of Work” or “SOW” means the document that is mutually agreed to in writing by the Parties that issued under this Agreement and describes, among other things, the Services to be made available, the Fees to be paid, payment term, and Subscription Term.

2. SUBJECT

This Agreement sets out the principles regarding provision of services detailed in the related SOW via the Service Software (“Services”) to the Customer by Intenseye and the rights and obligations of the Parties in respect thereof.

3. TERM

This Agreement enters into force on Effective Date and remains in effect until the expiration of the Subscription Terms in all effective SOWs issued under this Agreement (“Term of the SaaS Agreement”). The term of the Services will commence on Subscription Start Date set forth in the SOW and shall continue for the Subscription Term identified therein, and any renewal thereof, unless earlier terminated pursuant to the terms of this Agreement.

4. LICENSE AND INTELLECTUAL PROPERTY RIGHTS
‍

4.2. Reservation of Rights. Intenseye and its licensors own and retain all right, title, and interest, including all intellectual property rights, in and to the Service Software, Services and Service Data (collectively “Intenseye Intellectual Property”), including any improvements, modifications, and enhancements. Intenseye expends significant resources gathering, assembling, and compiling the Service Data and such Service Data constitutes an original compilation protected by applicable copyright laws. Except for the rights expressly granted in this Agreement, Customer shall acquire no other rights, express or implied, in or to the Intenseye Intellectual Property, and all rights not expressly provided to Customer hereunder are reserved by Intenseye and its licensors. If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Intenseye, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Intenseye’s right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Intenseye’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.

4.3. Use Restrictions. Customer will not, directly or indirectly, alter or modify the Services and Service Software, or reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services, Service Software or any software, documentation or data related to the Services. Customer shall not make the Services and Service Software available for the benefit of any third party, or sell, resell, license, sublicense, distribute, rent or lease the Services to any third party for any purpose, commercial or otherwise.

4.4. Customer Data. All intellectual property rights in and to the Customer Data shall vest and remain vested in the Customer. Customer grants Intenseye a non-exclusive, non-transferable, non-sublicensable (except as set forth herein), royalty-free right during the Term of the SaaS Agreement to copy, transmit and display Customer Data to analyze, develop, test, and operate, provide, and support the Services and/or any of products of Intenseye and train Intenseye’s algorithms, as reasonably necessary for Intenseye to provide the Services in accordance with this Agreement and to increase accuracy of Services. Subject to the limited licenses granted herein, Intenseye acquires no right, title or interest from Customer or Customer’s licensors under this Agreement in or to any Customer Data. All intellectual and industrial property rights regarding the Customer Data other than the specified right of use belong to Customer and this limited usage right granted to Intenseye cannot be interpreted in a way to limit Customer's use of all other rights. Customer shall be responsible for the accuracy, quality and legality of Customer Data and the means by which Customer acquired such Customer Data. Customer represents and warrants that: (a) it owns or has the right to make Customer Data available to Intenseye; and (b) the posting and use of Customer Data on or through the Service will not (i) violate the intellectual property, privacy, publicity, or other rights of any person or (ii) breach any contract between Customer and a third party. To the extent Customer Data includes information that, alone or in combination with other information, is also personal data, Intenseye does and shall comply with all applicable laws and regulations involving the use, protection, and maintenance of such personal data. Where an Authorized User submits Customer Data, including personal data about such Authorized User, directly to the Service or Intenseye, the provisions of this Section will apply to such Authorized User.

4.5. Promotional License. Customer grants to Intenseye a limited, non-exclusive, unrestricted right and license (subject to Customer’s right to cancel such license at any time) to use Customer’s name and logo for the following purposes: (i) to promote the Services; (ii) to demonstrate on Intenseye's website that the Customer is a user of Intenseye’s Services; and (iii) to prepare and publish a use case detailing the Customer’s experience with Service Software. Intenseye is granted no other rights to the Customer’s logo and acknowledges that it shall not gain any proprietary interest in the Customer’s logo. Intenseye is under no obligation to make use of or to provide compensation for any of the rights or permissions granted. Intenseye shall be the exclusive owner of all right, title, and interest, including copyright, in Intenseye’s marketing and promotional materials. Customer may terminate any of the above uses at any time with thirty (30) days written notice.

5. FEES AND PAYMENT
‍

5.1. Fees. In exchange for the provision of the Services, the Customer will pay Intenseye the fees for Services set forth in the relevant SOW (the “Fees”).

5.2. Payment. Customer shall execute an ACH authorization and expressly authorizes Intenseye to charge the applicable Fees through the credit card/financial institution designated by Customer. If the Customer’s pre-authorized payment method fails, Intenseye will provide notification of such payment failure. If the Customer fails to rectify the payment failure within ten (10) days of written notice, Intenseye may immediately stop the provision of Services without notice.

5.3. Payment Term. All Fees payable in connection with the Services shall be paid according to the payment schedule set forth in the applicable SOW.

5.4. Late Payments. Intenseye may suspend or terminate Services for payments that are more than thirty (30) days past due. Past due payments will accrue interest at the greater of 1.5% monthly or the highest interest rate allowable under applicable law.

5.5. Taxes. The Customer is responsible for paying any applicable governmental sales, use, value-added, commodity, harmonized and other taxes imposed on the purchase or use of the Services. To the extent Intenseye is required to collect such taxes, the applicable tax will be added to the Customer's billing account.

5.6. No Refunds. The Customer shall be responsible for all Fees for the entire, applicable Subscription Term. Unless otherwise set forth in the SOW, Fees will not be prorated upon cancellation and/or termination and all Fees paid through the date of termination are nonrefundable. For the avoidance of doubt, with the signature of any SOW, Intenseye is entitled to receive the Total Fees stated in the relevant SOW. In case the Customer does not wish same number of Facilities as stated in the relevant SOW, to be connected with Service Software and/or does not use the Services in the same number of Facilities as stated in the relevant SOW, the Customer cannot refrain from paying and/or claim for a refund of the Total Fees stated in the relevant SOW, by claiming that the Customer did not use the Services (without Intenseye’s fault).

6. AVAILABILITY AND TECHNICAL SUPPORT
‍

6.2. Should Intenseye require Customer’s support within the scope of the performance of Services, Customer shall not refrain from cooperating with Intenseye.

7. PRIVACY AND PERSONAL DATA PROTECTION
‍

7.1. The Parties have to comply with primarily the applicable personal data protection laws, with regard to personal data which they have learned, accessed and transferred to each other about performance of this Agreement or/and during the performance of this Agreement, without limitation to this Section.

7.2. Customer acts as the data controller for the performance of the Services and in personal data processing activities carried out in connection with it.

7.3. For purposes of this Agreement, Intenseye operates as the data processor under the direction of the Customer, who operates as the data controller. Customer has full control and discretion of its personal data to submit to Intenseye.

7.4. Within the scope of the Services provided by the Intenseye as per this Agreement, if necessary, Intenseye as a data processor will only process personal data processed by the data controller Customer only for the purpose of performing the Services. It will not be possible for Intenseye to process personal data other than the performance of the Agreement, to share it with third parties, to use it for advertising, sales and similar purposes.

7.5. Intenseye will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the personal data under this Agreement. Taking into account costs of implementation, the nature, scope, context and purposes of data processing, and any potential risks to the rights and freedoms of natural persons, these measures include: (a) the encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal data. In assessing the appropriate level of security, Intenseye shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of personal data as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing of personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

8. CONFIDENTIALITY AND NON-DISCLOSURE
‍

8.1. In providing the Services under this Agreement, each Party may have access to the other Party’s confidential and proprietary information (“Confidential Information”). To the extent such Confidential Information is disclosed to the Parties, the Party receiving the Confidential Information (“Receiving Party”) shall not disclose any Confidential Information to any third party for any reason without the prior written consent of the Party disclosing the Confidential Information (“Disclosing Party”), other than its employees or agents who have a need to know about such information for the performance of this Agreement.

9. REPRESENTATIONS AND WARRANTIES

‍

‍9.1. Mutual Warranties. Each Party represents and warrants that: (i) Each Party is a business duly incorporated and in good standing under the laws of its state of incorporation; (ii) Each Party has all requisite corporate power and authority to execute, deliver, and perform its obligations under this Agreement; (iii) Each Party shall comply with all international, federal or state laws or regulations applicable to the performance of its obligations under this Agreement; (iv) Services may be subject to export laws and regulations of the United States and other jurisdictions. Each Party represents that it is not named on any U.S. government denied-party list. Customer shall not permit access or use any Services in a U.S. embargoed country or in violation of any other applicable export laws or regulations.

9.2. Intenseye Representations and Warranties. Intenseye represents, warrants and covenants that throughout the Term of the SaaS Agreement that (i) the Service shall perform materially with the functionality in accordance with the applicable documentation and such functionality will be maintained in all material respects in subsequent upgrades to the Service; (ii) it will employ then-current, best industry-standard measures to test the Service to detect and remediate viruses, trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact or misappropriate Customer Data or the operation or performance of the Service; (iii) the Service shall perform pursuant to the terms of the Service Level Agreement attached hereto as Annex 1 and incorporated herein by reference; (iv) it is the sole owner of the Service or otherwise has full power and authority to grant to Customer the rights to use the Service and other rights granted herein; and (v) as of the Effective Date, and to Intenseye’s actual or constructive knowledge, neither the performance by Customer in its utilization of the Service, nor the license of and authorized use by Customer of the Service as described herein, do not infringe upon or misappropriate any proprietary or intellectual property right of any third party. Intenseye shall perform the technical support services in compliance with specialties of every specific technical issue and does not guarantee any solution regarding any technical issue.

9.3. Customer Representations and Warranties. Customer represents and warrants that: (a) its use of the Service, including any Customer Data provided by Customer for use with the Service or handling by Intenseye, will: (i) comply with any applicable law or regulation, (ii) not cause a breach of any agreement with or rights of any third party (including without limitation the rules of any social network platform or any data subject rights) and (iii) not unreasonably interfere with use of services offered by the Intenseye to third parties; and (b) it shall use the Service strictly in accordance with this Agreement and other written instructions (e.g., product documentation, release notes, mutually agreed SOWs, etc.) provided by Intenseye.

10. DISCLAIMERS
‍

10.1. INTENSEYE DOES NOT MAKE ANY GUARANTEE OF IMPACT, OUTCOME, OR RESULTS. UNLESS OTHERWISE STATED HEREIN AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES INCLUDED IN OR OTHERWISE MADE AVAILABLE TO CUSTOMER THROUGH THIS AGREEMENT ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. INTENSEYE DOES NOT REPRESENT OR WARRANT THAT THE SERVICE SOFTWARE (I) WILL BE UNINTERRUPTED, TIMELY OR SECURE (II) WILL BE FREE OF DEFECTS, INACCURACIES OR ERRORS, (III) WILL MEET CUSTOMER’S REQUIREMENTS, OR (IV) WILL OPERATE IN THE CONFIGURATION OR WITH OTHER HARDWARE OR SOFTWARE. EXCEPT WHERE PROHIBITED BY LAW, INTENSEYE EXPRESSLY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY AND WILL NOT BE LIABLE FOR CUSTOMER’S USE OF OR RELIANCE ON THE SERVICES.

10.2. Intenseye disclaims any and all liability for the acts, omissions, and conduct of any third parties. To the extent permitted by applicable law, Intenseye makes no warranties regarding third party services, goods, resources, and information including, without limitation, warranties of fitness for a particular purpose, merchantability, and non-infringement and will not be liable for customer’s use of such third-party services, goods, resources or information.

10.4. The purpose of the Services provided by Intenseye is to provide technical solutions to help ensure the Customer's compliance with the applicable occupational health and safety legislation at the Customer's Facilities specified in the SOWs, limited to the scope of Services defined in the SOWs. In this context, Intenseye cannot be held liable in the event of any situation contrary to the relevant legislation, especially occupational accidents that may occur in the Facilities during the utilization of the Services. Accordingly, Intenseye shall not be held liable for any loss or damage, intangible, legal and financial consequences arising or resulting any acts or omissions by Customer, including acts or omissions made by Customer in reliance upon the analytics generated from the Customer Data collected, processed and reported in connection with the Services.

11. LIMITATION OF LIABILITY
‍

Except with respect to a Party’s indemnification obligations herein (“Exceptions”), neither Party shall be liable to the other party or any third party for any consequential, incidental, indirect, exemplary, punitive or special damages (including damages for lost profits, security breach, lost data or loss of goodwill) arising out of, relating to or connected with the use of the Services, even if such Party has been advised of the possibility of such damages. To the extent permitted by applicable law, except with respect to the Exceptions, except for each Party’s liability for payment of fees and for infringement of intellectual property rights, in no event will either Party’s aggregate liability to the other Party, including that of its officers, directors, employees, and agents, arising out of or in connection with this Agreement exceed the fees paid or payable to Intenseye during the Subscription Term giving rise to the claim.

12. INDEMNITY
‍

12.1. By Intenseye. To the maximum extent permitted by law, Intenseye agrees to indemnify, defend and hold harmless Customer, and its Customer subsidiaries, affiliates, officers, directors, shareholders, employees and each of their respective successors and assigns (the “Customer Indemnified Parties”) from and against all damages, losses, liabilities, claims, expenses, fees or costs (including, without limitation, reasonable attorneys’ fees and costs) incurred in connection with any claim, demand or action brought or asserted against any of the Customer Indemnified Parties arising out of or relating to a claim that the Services infringe another person's patent, copyright, trade secret or trademark. Intenseye will not have liability for, and Customer will defend Intenseye against, and pay any damages awarded against Intenseye and direct expenses, including reasonable attorneys' fees to the extent the claimed infringement would not have occurred but for (i) the use of the Services other than in accordance with Intenseye’s published instructions, (ii) any unauthorized modification or alteration of the Services by Customer, (iii) any combination or use of the Services with any other product or system or technologies not supplied by Intenseye or otherwise anticipated by this Agreement, (iv) Intenseye's compliance with Customer's design or specifications, and/or (v) any refusal to accept or use suitable modified or replacement of the Services provided by Intenseye to avoid infringement. In the event of claimed infringement, Intenseye shall, at its option: (A) obtain a right for Customer to continue using the Services for no additional fee; (B) modify the Services (as applicable) to make it non-infringing; (C) replace the Services (as applicable) with a non-infringing equivalent with the same functionality, features, and performance; or (D) terminate this Agreement and refund on a pro-rata basis the unused portion of the Fees.

‍12.2. By Customer. To the maximum extent permitted by law, Customer agrees to indemnify, defend and hold harmless Intenseye, and its Intenseye subsidiaries, affiliates, officers, directors, shareholders, employees and each of their respective successors and assigns (the “Intenseye Indemnified Parties”) from and against all damages, losses, liabilities, claims, expenses, fees or costs (including, without limitation, reasonable attorneys’ fees and costs) incurred in connection with any claim, demand or action brought or asserted against any of the Intenseye Indemnified Parties arising out of or relating to (i) Customer’s use of the Services in breach of this Agreement, (ii) Customer’s violation of any third party right, including without limitation any intellectual property right, publicity, property or privacy right, (iii) a breach of Customer’s representation or warranties under this Agreement, (iv) Customer’s failure to obtain the proper consents and/or authorizations to capture, process and/or transmit Customer Data to Intenseye, (v) Customer’s violation of applicable state and federal rules, regulations and statutes, (vi) bodily injury, death or property damage of Customer’s employees, contractors, visitors, invitees, agents, customers, representatives or other third party.

13. RENEWAL AND TERMINATION

‍

13.1. Renewal. Except as otherwise specified in the SOW, Services (the relevant SOW) will automatically renew for additional periods equal to the expiring Subscription Term, unless either Party gives the other notice of non-renewal at least thirty (30) days before the end of the applicable Subscription Term. The Fees for the automatic renewal term will increase five percent (5%) unless the Parties reach a different written agreement before the end of the applicable Subscription Term.

13.2. Automatic Termination. This Agreement shall automatically terminate, without notice, (i) upon the institution by or against either Party of insolvency, receivership or bankruptcy proceedings or any other proceedings for the settlement of either Party’s debts, (ii) upon either Party making an assignment for the benefit of creditors, or (iii) upon either Party’s dissolution or ceasing to do business.

13.3. Termination for Cause. Either Party may terminate this Agreement if the other Party breaches any material provisions of this Agreement and fails to cure such breach within thirty (30) days after receipt of written notice of such breach.

13.4. Survival. The following Sections survive termination of this Agreement: Promotional License, Confidentiality & Non-Disclosure, Disclaimers, Indemnity, Limitation of Liability, and Governing Law.

14. GENERAL PROVISIONS

‍

14.1. Affiliates. Any Affiliate of Customer will have the right to enter into a SOW executed by such Affiliate and Intenseye and this Agreement will apply to each such SOW as if such Affiliate were a signatory to this Agreement. With respect to such SOWs, such Affiliate becomes a party to this Agreement and references to Customer in this Agreement are deemed to be references to such Affiliate.

14.2. Force Majeure. Neither party will be deemed in breach of this Agreement if the failure to perform is caused by circumstances beyond its reasonable control, including without limitation acts of God, acts of government, flood, fire, earthquake, civil unrest, acts of terror, strikes or labor problems, computer, internet, or telecommunications failures, delays or network intrusions, or denial of service attacks, but only if (a) such party gives prompt written notice to the other party of the force majeure event, and (b) such failure or delay results notwithstanding the exercise of reasonable care and diligence to avoid or mitigate the same in anticipation of or in response to such causes. The time for performance will be extended for a period equal to the duration of the force majeure event.

14.3. Relationship of the Parties. The parties’ relationship is strictly that of independent contractors and this Agreement do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. Neither party has the power to bind the other, make any warranties or representations, or incur, assume, or create obligations on the other’s behalf without the other’s prior written consent and each party agrees that it will not perform any act or omission to the contrary.

14.4. Severability. The validity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement.

14.5. Modifications. No modification of this Agreement shall be effective unless it is in writing and signed by an authorized representative of each Party.

14.6. Assignment. Neither Party shall assign any of the rights or obligations under this Agreement without the prior written consent of the other Party, which consent shall not unreasonably be withheld. However, consent is not required for an assignment of this Agreement in connection with a change of control, merger, stock transfer, sale or other disposition of substantially all the assets of the assigning Party’s business.

14.7. Successors and Assigns. This Agreement is binding on and inures to the benefit of the Parties and their respective successors and permitted assigns.

14.8. No Waiver. No failure or delay by a party exercising any right, power or privilege under this Agreement will operate as a waiver thereof.

14.9. Interpretation. Headings are for reference purposes only and do not limit the scope or extent of such section.

14.10. Notices. All notices required or permitted to be given under this Agreement will be in writing and delivered to Intenseye and to Customer at the addresses provided in the SOW.

14.11. Governing Law and Venue. This Agreement and the rights and obligations of the Parties under this Agreement shall be governed by and construed and enforced in accordance with the laws of the State of New York, without giving effect to the principles thereof relating to the conflicts of laws. In addition, the Parties mutually acknowledge and agree that this Agreement relates solely to the performance of services (not the sale of goods) and, accordingly, shall not be governed by the Uniform Commercial Code of any state having or claiming jurisdiction. The Parties consent to the jurisdiction of the State of New York, and venue in New York County, with regard to any controversy or claim arising out of or relating to this Agreement including any Annex, Schedules, SOW, order form and the transactions contemplated therein, or the breach thereof.

14.12. Execution and Counterparts. This Agreement may be executed in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Counterparts may be delivered via facsimile, electronic mail (including pdf or any electronic signature (e.g., DocuSign) complying with the U.S. Federal ESIGN Act of 2000, Uniform Electronic Transactions Act, or other applicable law) or other transmission method and any counterpart so delivered will be deemed to have been duly and validly delivered and be valid and effective for all purposes.

14.13. Entire Agreement and Construction. This Agreement and any SOWs constitute the entire and exclusive agreement between the Parties as to its subject matter, and supersede all previous and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter of this Agreement. Except as contemplated to the contrary herein with respect to SOWs, no modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by both parties. In the event of any conflict between the provisions in this Agreement and any SOW, the SOW will take precedence solely in connection with those specific Services set forth in such SOW and the delivery thereof. In all other instances, this Agreement shall govern and control. Notwithstanding any language to the contrary therein, no terms or conditions stated in a purchase order issued by Customer or in any other Customer order documentation shall be incorporated into or form any part of this Agreement.

‍

ANNEX 1: Service Level Agreement

This Service Level Agreement (“SLA”) is an integral part of License Agreement and sets forth Intenseye’s service level targets associated with the Services as follows. This SLA is only applicable for cases where support is provided to the Customer via remote access to Customer systems.

1. Definitions

Except stated otherwise, all capitalized terms in this SLA have the same meanings as set forth in the Agreement. For purposes of this SLA, the following definitions will apply.

‍“Planned Maintenance” means the window during which weekly scheduled maintenance of the Service may be performed.‍
“Emergency Maintenance” means any time outside of the Planned Maintenance window that Intenseye is required to apply urgent patches or fixes or undertake other urgent maintenance activities. ‍
“Total Scheduled Availability” means seven (7) days per week, twenty-four (24) hours per day, excluding Planned Maintenance and Emergency Maintenance.‍
“Downtime” means the time that users of the Services are not able to (a) access the Services, (b) perform ordinary functions to use or receive Services in accordance with specifications, or (c) utilize the Services for normal business operations due to failure malfunction or delay. Downtime does not include any unavailability of the System Services due to Planned Maintenance, Emergency Maintenance, or Unavailability Exceptions.‍
“Actual Availability” means Total Scheduled Availability minus Downtime.‍
“System Service Availability” will be calculated on a monthly basis using the following formula: [(Actual Availability) divided by (Total Scheduled Availability) multiplied by 100%]‍
“Unavailability Exceptions” has the meaning set forth in Article 5.

2. Integration

The Service Software is installed on cloud servers designated by Intenseye and the Customer will access the Service Software remotely. Intenseye is obliged to provide the Customer with access to the Service Software on the relevant server as soon as possible after the conclusion of this Agreement.

Users who will use the Service Software shall be determined by the Customer. The Customer agrees that it shall be solely responsible for all transactions that its users will perform through the Service Software.

All matters relating to the use and security of access tools such as usernames and passwords that may be provided by Intenseye to the Customer for the use of the Service Software shall be the sole responsibility of the Customer and the users designated by the Customer, and all works and transactions made through the Service Software with these access tools shall be deemed to have been made by the Customer. Intenseye shall not be held liable for any damages that may arise to the Customer and third parties due to the acquisition of these access tools by others.

3. System Service Availability

Subject to the terms of this SLA, Intenseye will provide System Service Availability commitment for a given calendar month at 99%.

Planned Maintenance consists of four (4) hours for weekly maintenance, four (4) hours for monthly maintenance, and four (4) hours for quarterly maintenance. Weekly maintenance begins at 12 am (Eastern) on Fridays; monthly maintenance begins at 2:00 am (Eastern) on the last Saturday of each month, and quarterly maintenance begins at 6:00 am (Eastern) on the last Saturday of each quarter. All times are subject to change upon reasonable notice. If Emergency Maintenance is required, Intenseye will contact the Customer and provide the expected start time and the planned duration of the Emergency Maintenance.

The measurement point for System Service Availability is the availability of the Services at the Intenseye data center’s Internet connection points. Customer may request an availability report not more than once per month via the Customer Support.

4. Customer’s Responsibilities

Customer must: (a) provide remote access to its systems for Intenseye to fulfill its obligations under the SLA, (b) provide a contact in their IT department which will be available for setting up the configuration between Service Software and Customer’s internal camera network, (c) set up port forwarding entries, whitelist the Intenseye external IP addresses in accordance with the Service Software documentation provided to the Customer, (d) set up camera configuration in accordance with the Service Software use cases and minimum bandwidth requirements document provided to the Customer, (e) keep the camera firmware up to date, and (e) maintain the minimum required bandwidth available, keep camera network status healthy and accessible to Software Service.

5. Unavailability Exceptions

The Services will not be considered unavailable for any outage caused by (i) acts or omissions of Customer, its employees, or agents, (iii) Customer or other third-party equipment, software, hardware or network infrastructure, (iv) factors outside of Intenseye’s reasonable control, including any Force Majeure events, denial-of-service attacks, Customer’s internet access, or issues with the underlying server beyond the demarcation point of the Services.

6. Updates

Intenseye will update the Services and make available to Customer any and all patches, enhancements, updates, upgrades, and new versions of the Services that Intenseye makes generally commercially available (“Updates”) and any such Updates will be deemed part of the Services. If there is downtime to be expected with the Update, the update will be performed during the weekend following any Planned Maintenance. Customers shall provide a named Update contact, to schedule and manage Customer through its Update process.

7. Service Response

Intenseye’s Service Response commitment is (i) not less than 50% of (online) transactions in two (2) seconds or less and (ii) not more than 10% in ten (10) seconds or more. Service Response is the processing time of the Service Software in the Intenseye data center to complete transactions submitted from a web browser. This Service Response commitment excludes requests submitted via Intenseye API. The time required to complete the request will be measured from the point in time when the request has been fully received by the encryption endpoint in the Intenseye data center, until such time as the response begins to be returned for transmission to Customer. Customer may request a response time report not more than once per month.

8. Severity Level Determination

Customer shall reasonably self-diagnose each support issue in accordance with the table set forth below and report to Intenseye an appropriate Severity Level designation. Intenseye shall validate Customer’s Severity Level designation, or notify Customer of a proposed change in the Severity Level designation to a higher or lower level with justification for the proposal. In the event of a conflict regarding the appropriate Severity Level designation, each party shall promptly escalate such conflict to its management team for resolution through consultation between the parties’ management, during which time the parties shall continue to handle the support issue in accordance with the Intenseye Severity Level designation. In the rare case a conflict requires a management discussion, both parties shall be available within one hour of the escalation.

Severity Level	Definition	Response Time	Intervention Time
Level 1 - Critical	There is no access to the Services; system-critical defects or errors. No reasonable workaround is available.	1 hour	3 hours following the response
Level 2 - High	Performance of the Services is noticeably impaired but is still accessible and functional to Customer. Impacts some, but not all users. Short-term workaround is available, but not scalable.	3 hours	12 hours following the response
Level 3 - Standard	Routine inquiry regarding the technical issues; information on application capabilities, a bug impacting a limited number of users. A reasonable workaround is available.	12 hours	24 hours following the response

‍
9. SLA Credits

If Intenseye fails to meet any of the Service Levels, Intenseye will issue credits to Customer excluding the taxes, calculated as follows (the “SLA Credit”).

If the System Availability during any given month falls below 99%, Intenseye will provide Customer with a SLA Credit equal to the percentage of the total monthly Fee (calculated on a pro rata basis if Fees are invoiced other than monthly) applicable to the month in which the Service Level failure occurred corresponding to the System Availability Level in the chart below:

Service Availability Level	SLA Credit
99.0-95.0%	10% of the monthly Service Fee
94.9-90%	20% of the monthly Service Fee
< 90%	50% of the monthly Service Fee

To receive SLA Credits, Customer must submit a written request to legal@intenseye.com within 30 days after the end of the month in which the Services failed to meet the Services Availability commitments set forth herein, with sufficient evidence (including a description of the incident and duration of the incident) or Customer’s right to receive SLA Credits with respect to such unavailability will be waived. If Customer is not current in its payment obligations when an outage occurs, remedies may accrue, but SLA Credits will not be issued until Customer becomes current in its payment obligations.

10. Business Continuity and Disaster Recovery Plan

Intenseye will maintain an appropriate disaster recovery and business continuity system in place in accordance with good industry practice that, in the event of emergency or failure (including in connection with a force majeure event), ensures the continued performance of the Services in accordance with this Agreement. The procedures will be provided to Customer upon written request.

11. Technical Assistance; Case Submittal and Reporting

Intenseye will provide the Customer with 24x7x365 technical assistance in accordance with this SLA. The Customer may submit cases to their dedicated support engineer. Customer’s Support contacts must be trained on the Intenseye product(s) for which they initiate support requests. Intenseye will respond to each case in accordance with this SLA and will use commercially reasonable efforts to promptly resolve each case.

‍

ANNEX 2: Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated by reference into Master Software as a Service (SaaS) Agreement or End Customer License Agreement (“SaaS Agreement”) entered by and between the Customer (as defined in the SaaS Agreement) and Intenseye to reflect the Parties’ agreement with regard to the Processing of Personal Data by Intenseye solely on behalf of the Customer.

In this DPA, the Customer is hereinafter referred to as “Data Controller”; and Intenseye is hereinafter referred to as "Data Processor".

Capitalized terms not defined herein shall have the meanings assigned to such terms in the SaaS Agreement.

By signing the SaaS Agreement, the Customer accepts this DPA.

1. DEFINITIONS AND INTERPRETATION

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq.
“Applicable Law” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada and the United States of America, as applicable to the Processing of Personal Data under the SaaS Agreement including (without limitation) the GDPR, the UK GDPR, and the US State Privacy Laws, as applicable to the Processing of Personal Data hereunder and in effect at the time of Data Processor’s performance hereunder; which shall be determined based on where the Parties are located, where the Processing of Personal Data occurs, the relevant provisions of the national/supranational data protection laws and conflict of laws regulations.
“Data Breach” refers to any accidental or unlawful destruction, loss, alteration, compromise, disclosure of, or access to Personal Data, stored, transmitted or otherwise processed in the context of the SaaS Agreement.‍
“Data Controller” is the party that determines the purposes and means of the Processing of Personal Data, which is the Customer and/or its Affiliates within the scope of the SaaS Agreement.‍
“Data Processor” is the party that Processes Personal Data on behalf of the Data Controller which is Intenseye or its Affiliates within the scope of the SaaS Agreement.‍
“Data Subject” is the identified or identifiable natural person that the Personal Data is related to.‍
“Data Transfer” means a transfer of Personal Data from the Customer to a Data Processor; or an onward transfer of Personal Data from a Data Processor to a Sub-processor, or between two establishments of a Data Processor.
‍"GDPR” means the General Data Protection Regulation (EU) 2016/679.‍
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by Intenseye solely on behalf of the Customer, under this DPA and the SaaS Agreement between the Customer and Intenseye.‍
“SaaS Agreement” means the agreement that is entered into between the Customer and Intenseye for the provision of Services to the Customer and its annexes.‍
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.‍
“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under Applicable Law, which may include any of the following depending on the Applicable Law: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial and credit information including credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (d) genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, (e) data relating to criminal convictions and offenses; and/or (f) account passwords in unhashed form.‍
“Services” means the services Intenseye provides in pursuance to the SaaS Agreement.‍
“Standard Contractual Clauses” means the Standard Contractual Clauses between Data Controllers and Data Processors as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.‍
“Sub-processor” means any third party that processes Personal Data under the instruction or supervision of Intenseye.‍
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
“US State Privacy Laws” means all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

2. DETAILS OF DATA PROCESSING

2.1. Roles of the Parties. The Parties acknowledge and agree that regarding the Processing of Personal Data, the Customer is the Data Controller and Intenseye is the Data Processor. In some circumstances, the Customer may be the Data Processor, in which case the Customer appoints Intenseye as the Customer’s sub-processor, which shall not change the obligations of either the Customer or Intenseye under this DPA, as Intenseye will remain a Data Processor with respect to the Customer in such event.

2.2. Data Controller’s Processing of Personal Data. Data Controller, in its use of the Services, and Data Controller’s instructions to the Data Processor, shall comply with Applicable Law. Data Controller shall establish and have all required legal bases in order to collect, Process and Transfer to Data Processor the Personal Data, and to authorise the Processing and (if necessary) Transfer by Data Processor, and for Data Processor’s Processing activities on Data Controller’s behalf. Data Controller accepts and declares that none of the Personal Data it Transfers to Data Processor is subject to any legal dispute and it possesses all legal rights stipulated under the Applicable Law and any other contract or document that may be binding for Data Controller in order to Process and Transfer such Personal Data.

2.3. Data Processor’s Processing of Personal Data. Data Processor, when Processing on the Data Controller’s behalf under the SaaS Agreement, shall Process Personal Data for the following purposes:

(i) Processing in accordance with the SaaS Agreement and this DPA;

(ii) Processing for the Data Controller as part of its provision of the Services;

(iii) Processing to comply with the Data Controller’s reasonable and documented instructions, where such instructions are consistent with the terms of the SaaS Agreement regarding the manner in which the Processing shall be performed;

(iv) Processing as required under the Applicable Law, and/or as required by a court of competent jurisdiction or other competent governmental authority, provided that Data Processor shall inform Data Controller of the legal requirement before Processing, unless such law or order prohibit such disclosure on important grounds of public interest.

2.4. Purpose Limitation. Data Processor will process personal data in order to provide the Services in accordance with the SaaS Agreement. Schedule 1 (Details and Description of Processing) of this DPA further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

2.5. Sensitive and Biometric Data. The Parties agree that Services is not intended for the Processing of Sensitive Data and Biometric Data, and the Data Processor does not Process Sensitive and Biometric Data while providing Services.

‍2.6. No Sale of Personal Information. Data Processor certifies that it understands the rules, requirements, and definitions of the CCPA and shall not sell (as such term is defined in the CCPA) any Personal Data Processed hereunder nor take any action that would cause any transfer of Personal Data to or from Data Processor under the SaaS Agreement or this DPA to qualify as “selling” such Personal Data under the CCPA.

3. OBLIGATIONS OF THE DATA PROCESSOR

‍
3.1. The Data Processor Shall:

a. not Process any Personal Data other than in accordance with the Data Controller’s instructions (including the instructions as set out in Schedule 1 (Details and Description of Processing), unless otherwise required under Applicable Law and SaaS Agreement signed between the Parties;

b. keep all Personal Data strictly confidential and ensure, prior to the disclosure of Personal Data to its employees, subcontractors or employees of subcontractors, that these persons are bound by the same conditions of confidentiality;

c. only store the Personal Data for as long as the Data Controller requires and correct, anonymize, block or delete the relevant Personal Data at the Data Controller’s instructions (in such cases, Intenseye shall not be liable for being unable to perform the Services in full compliance with the SaaS Agreement and its annexes directly due to the Data Controller’s referred instruction);

d. ensure that the only persons able to process or access any particular Personal Data in Data Processor’s or Sub-processor’s possession or control in the performance of the SaaS Agreement are the Data Processor’s or Sub-processor’s employees who need to process or access such Personal Data in order to carry out their duties in connection with the SaaS Agreement;

e. ensure that any person who is authorised by Data Processor to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);

f. taking into account the nature of the processing, assist the Data Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down the Applicable Law; and

g. comply with all relevant obligations applicable to data processors under the Applicable Law.

4. TECHNICAL AND ORGANIZATIONAL MEASURES‍‍

4.1. The Data Processor shall adopt and maintain an appropriate level of technical and organizational measures to maintain Personal Data and prevent any unlawful Processing of or access to Personal Data. Such technical and organizational measures may at least include measures as set out in Schedule 2 (Technical and Organizational Measures) depending on the nature of the Personal Data Transferred and the Processing conducted by the Data Processor.

4.2. The Data Processor shall ensure that the technical and organizational measures as set out in Schedule 2 (Technical and Organizational Measures) are appropriate, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of persons, that, where appropriate, may include, pseudonymization, encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, etc.

5. NOTIFICATION OF DATA BREACH

‍5.1. Upon becoming aware of a Data Breach, Intenseye shall:

(i) notify Customer without undue delay, and where feasible, in any event no later than 72 hours from becoming aware of the Data Breach;

(ii) provide timely information relating to the Data Breach as it becomes known or as is reasonably requested by Customer; and

(iii) promptly take reasonable steps to contain and investigate any Data Breach. Intenseye’s notification of or response to a Data Breach under this DPA shall not be construed as an acknowledgment by Intenseye of any fault or liability with respect to the Data Breach.

5.2. The notification will include sufficient details including the time of the event, the nature and scale of such event, the nature and scope of Personal Data records concerned, measures taken or to be taken to mitigate the consequences of the Data Breach, etc.

5.3. Intenseye shall without delay take all reasonable measures to reduce and recover the negative impact of a Data Breach.

6. SUB-PROCESSORS

6.1. Data Processor may respectively engage third-party Sub-processors in connection with the provision of the Services and has the Data Controller’s general authorization for the engagement of sub-processor(s) from an agreed list.

6.2. Data Processor shall maintain and regularly update a list of its Subprocessors (“Subprocessor List”). Intenseye’s current list of Sub-Processors used to process Personal Data can be viewed on https://www.intenseye.com/legal. The Sub-processor List includes the identities of the Sub-processors and their entity’s country. The Data Controller is deemed to authorize the Data Processor’s Sub-Processors upon first use of the Services. The Data Controller is encouraged to consult the Subprocessor List periodically to stay informed of current Subprocessors. To receive notifications of new Subprocessors, the Data Controller may email privacy@intenseye.com with the subject line “Subscribe to New Subprocessors.” Once subscribed, the Data Processor will notify the Data Controller of any new Subprocessor before allowing such Subprocessor to Process Customer Personal Data. The Data Controller will have ten (10) days from the date of notice to submit a legitimate, good-faith objection to the new Subprocessor, providing reasonable grounds for the objection. In the event of such an objection, the Data Processor and the Data Controller will collaborate in good faith to address the grounds for the objection. If the objection cannot be resolved within thirty (30) days, either party may terminate the Agreement by providing written notice to the other party.

6.3. The Data Processor reserves the right to replace a Subprocessor if immediate action is necessary to provide the Services. In such cases, the Data Processor shall notify the Data Controller of the replacement as soon as reasonably possible, and the Data Controller may exercise its right to object to the replacement Subprocessor in accordance with the procedure above. In case of such objection, Intenseye will not Transfer Data Controller’s Personal Data to the relevant Sub-processor. However in such cases, Intenseye shall not be liable for being unable to perform the Services in full compliance with the SaaS Agreement and its annexes directly due to its inability to procure such Sub-processor’s services or establish any other kind of relationship with such Sub-processor.

6.4. Data Processor will be liable for the actions and omissions of its Sub-processors undertaken in connection with Data Processor’s performance under this DPA to the same extent Data Processor would be liable if performing the Services directly.

7. INTERNATIONAL DATA TRANSFERS

‍7.1. Intenseye shall comply with the provisions of the SaaS Agreement, this DPA, Applicable Law and decisions and instructions of the Data Processor and the competent supervisory authority, with regards to the Transfer of Personal Data to countries outside the Data Subjects’ country of residence. Data Controller’s legal obligations as data controller under Applicable Law are reserved.

7.2. In case the Data Controller’s Applicable Law is GDPR or UK GDPR and the Data Subjects are based in EU or UK, the Data Processor shall not Transfer Personal Data to a country outside the country of residence of the Data Subjects whose Personal Data is being processed except for transfers to or within the European Economic Area (”EEA”), unless the transfer is:

a. To a country offering an adequate level of protection according to the EU ‘adequacy decision’; or

b. Based on the EU Standard Contractual Clauses for transfers between a Data Controller and a Data Processor.

7.3. In case the Parties agree on using the EU Standard Contractual Clauses, “Module Two: Transfer controller to processor” provisions of the EU Standard Contractual Clauses shall be annexed to this DPA as Schedule 3. In case of a conflict between Schedule 3 and the other provisions and schedules of this DPA, Schedule 3 shall apply.

8. DATA SUBJECT RIGHTS

‍8.1. The Data Processor shall provide all reasonable assistance to ensure that the Data Controller is able to fulfill its legal obligations when a data subject exercises his or her rights under the Applicable Law.

8.2. As soon as the Data Processor receives a request from a Data Subject, the Data Processor shall promptly inform the Data Controller. The Data Processor shall not respond to the request without the consent of the Data Controller.

8.3. On the instruction of the Data Controller, the Data Processor shall, without delay, correct, erase or otherwise adjust or process Personal Data.

9. AUDIT RIGHTS

‍9.1. Data Processor shall make available to the Data Controller on request all information reasonably required to demonstrate compliance with the obligations regarding the protection of Personal Data under this DPA.

9.2. Subject to this Section, Data Processor shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Personal Data by the Intenseye and who is bound with confidentiality obligations at least equivalent to those binding for Data Controller, provided that Data Controller informs Data Processor of such audit with a written notice in advance (no later than 48 hours before such audit). The expenses of an audit shall be borne by Data Controller unless Data Controller discovers a gross breach of this DPA by Data Processor, in which case the costs of the audit shall be borne by Data Processor.

9.3. Information and audit rights of the Data Controller pursuant to this clause only arise to the extent that compliance cannot be adequately demonstrated in accordance with this clause or the SaaS Agreement does not otherwise give them information and audit rights to ensure that Data Processor meets the relevant requirements of Applicable Law . In addition, Intenseye shall not be liable to disclose any information that (i) it is obligated to keep confidential under Applicable Law, (ii) are confidential information, intellectual property and/or trade secrets of a third party, and (iii) are confidential information, intellectual property and/or trade secrets of Intenseye and is not directly related to the Services provided to Customer by Intenseye under the SaaS Agreement.

10. DATA PROTECTION IMPACT ASSESSMENT

Intenseye shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, as required under Applicable Law, in each case solely in relation to Processing of Personal Data by and taking into account the nature of the Processing and information available to the Data Processor.

11. LIABILITY

Each Party is liable for and indemnifies and hold the other Party harmless from all (i) damages; and (ii) fines imposed by regulators, which arises from or in connection with or pursuant to any negligent act or omission of or the performance of the Parties’ obligations under this DPA.

12. TERM AND TERMINATION

This DPA shall remain in force until the termination of the SaaS Agreement. Parties agree that on the day of termination of this DPA, the Data Processor shall, at the choice and by means and costs of the Data Controller, delete or return all Personal Data and the copies thereof to the Data Controller or a third party designated by the Data Controller, except where storage of copies is legally required.

13. GENERAL

All other terms and conditions of the SaaS Agreement remain in full force and effect. In the event of any conflict between certain provisions of this DPA and the provisions of the SaaS Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the SaaS Agreement solely with respect to the Processing of Personal Data.

Schedule 1 to DPA

DETAILS AND DESCRIPTION OF PROCESSING

‍

Categories of data subjects whose personal data is transferred:‍

The personal data transferred concern the following categories of data subjects:

3Employees including temporary workers, contractors, and job applicants,
Consumers,
Website and digital asset users,
Employees of suppliers, partners, subcontractors and other business contacts, group companies and affiliates, especially in cases where such employees use the Facilities which the Service Software is integrated to.

Categories of personal data:

The personal data transferred concern the following categories of data in an electronic or physical form:

Personal details - including any information that identiﬁes the data subject and their personal characteristics, including: name, address, contact details, mobile phone (opt-in), and email,
Account and Profile Information – display name, profile photo, job title, set preferences,
Service use – Log, device and cookie data obtained via the use of Service Software by users,
Customer support – Information regarding a problem with a Service, services provided and related information, including details of the services supplied, and contracts,
Video footage – CCTV video footage and images to provide the Services,
Other – Any other data that may be uploaded to the Service Software by the Data Controller at its own discretion, including any incident reports and related data such as incident images.

Sensitive data:

THE DATA PROCESSOR WILL NOT INTENTIONALLY PROCESS SENSITIVE AND/OR BIOMETRIC DATA.

The frequency of the transfer:

Personal data will be transmitted when new accounts are created in the Service Software and when errors are reported. The data is transferred on a continuous basis. The Service Software works 24/7, analyzing real-time streaming. However, only unsafe acts and conditions are stored, while other data is disposed of immediately.

Nature of processing:

The personal data transferred will be subject to the following processing activities:

Receiving data, including collection, accessing, retrieval, recording, and data entry
Holding data, including storage, organization and structuring
Using data, including analyzing, consultation, testing, and training the artificial intelligence utilized by Data Processor to provide Services
Updating data, including correcting, adaptation, alteration, alignment and combination
Protecting data, including restricting, encrypting, and security testing
Sharing data, including disclosure, dissemination, allowing access or otherwise making available
Returning data to Data Controller or data subject
Erasing data, including destruction and deletion

‍Purpose(s) of the data transfer and further processing

‍The purpose of processing personal data is described in the SaaS Agreement.‍

‍The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data such as general details are kept up to date as long as Customer continues to use Service Software. Retention period will be determined by Controller via the platform, provided that such period will not be less than thirty (30) days. If necessary, such data may be retained for compliance with a legal obligation. If, for some reason there needs to be a user to be removed, it can be deleted manually via the Software Service or via our support. The personal data will only be retained for as long as required for the purposes indicated above and in accordance with general data protection guidelines regarding record retention policies. Upon expiration or termination of the SaaS Agreement, Data Processor will delete data as requested.

‍Subject-matter and duration of the processing for transfers to subprocessors

‍The subject-matter of processing of personal data is defined in the SaaS Agreement. The duration of data processing shall be for the term designated under this Schedule.

Schedule 2 to DPA

TECHNICAL AND ORGANIZATIONAL MEASURES

‍This Appendix describes technical and organizational security measures taken by Intenseye for the purposes of data privacy and security. The technical and organizational measures should be implemented in accordance with security best practices and recommendations set out in relevant industrial security standards such as SOC 2 Type II.

1. Information Security Policies and Standards

1.1. The Data Processor will implement security requirements within its organization and for staff and all Sub-processors, service providers, or agents who have access to Personal Data to maintain the integrity, confidentiality, resilience and availability of Personal Data, to include (but not be limited to) the following:

1.1.1. Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);

1.1.2. Prevent Personal Data processing systems being used without authorization (logical access control);

1.1.3. Ensure that:

1.1.3.1 persons entitled to use a Personal Data processing system gain access only (i) through an internal and documented process, (ii) to such Personal Data that they are entitled to access in accordance with their access rights and the purposes of the Processing, and (iii) for the time necessary for Processing the Personal Data, and

1.1.3.2 in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);

1.1.4. Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified, with appropriate pseudonymisation and encryption measures adopted to protect the confidentiality of data during transfer and storage (data transfer and storage control);

1.1.5. Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing (entry control);

1.1.6. Ensure that Personal Data are Processed solely in accordance with Data Controller’s Instructions (control of instructions);

1.1.7. Ensure that Personal Data are protected against accidental destruction or loss, and appropriate measures adopted to support access to data and / or restoration of data in the event of a physical or technical incident impacting availability (availability control); and

1.1.8. Ensure that Personal Data collected for different purposes can be processed separately (separation control).

1.2. These rules will be kept up to date and revised whenever relevant changes are made to any information system that uses or houses Personal Data, or to how that system is organized.

1.3. These rules will be routinely reviewed to evaluate efficacy and areas for improvement and where relevant adopt and apply changes as part of a continuous improvement programme.

2. Physical Security

2.1. The Data Processor will maintain commercially reasonable security systems at all Data Processor sites at which an information system that uses or houses Personal Data is located. The Data Processor reasonably and appropriately restrict access to such Personal Data.

2.2. Physical access control will be implemented for all data centers.

3. Organizational Security

3.1. Data Processor will ensure that it has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.

3.2. All Personal Data security incidents will be managed in accordance with appropriate incident response procedures.

4. Network Security

The Data Processor will maintain network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and secure routing protocols.

5. Access Control

5.1. Only authorised staff will be permitted to grant, modify or revoke access to an information system that uses or houses Personal Data.

5.2. User administration procedures will be adopted which define user roles and their privileges, how access is granted, changed and terminated; addresses appropriate segregation of duties; and defines.

the logging/monitoring requirements and mechanisms.

5.3. All employees of the Data Processor will be assigned unique User-IDs.

5.4. Access rights will be implemented adhering to the “least privilege” approach.

5.5. The Data Processor will implement commercially reasonable physical and electronic security to create and protect passwords.

6. Virus and Malware Controls

The Data Processor will install and maintain industry standard (which will comprise the latest version or engine) anti-virus and malware protection software on the system. The anti-virus should be updated regularly.

7. Personnel

7.1. The Data Processor will implement a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations, physical security controls, security practices and security incident reporting.

7.2. The Data Processor will have clearly defined roles and responsibilities for its employees. Screening is implemented before employment with terms and conditions of employment applied appropriately.

7.3. The Data Processor personnel will strictly follow established security policies and procedures. Disciplinary process will be appropriately applied if employees commit a security breach.

Schedule 3 to DPA

STANDARD CONTRACTUAL CLAUSES

‍SECTION I

Clause 1

Purpose and scope

a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

b. The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).

c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:some text
1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
2. Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
3. Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
4. Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
5. Clause 13;
6. Clause 15.1(c), (d) and (e);
7. Clause 16(e);
8. Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional

Docking clause

An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

‍

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: some text
1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
2. refer the dispute to the competent courts within the meaning of Clause 18.
The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:some text
1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
2. the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: some text
1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:some text
1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
2. the data importer is in substantial or persistent breach of these Clauses; or
3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

The Parties agree that those shall be the courts of Germany.
A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
The Parties agree to submit themselves to the jurisdiction of such courts.

‍

Annex I to Schedule 3

‍A. LIST OF PARTIES

Data exporter: [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: …

Address: …

Contact person’s name, position and contact details: …

Activities relevant to the data transferred under these Clauses: The Data Exporter receives the Services (as defined and specified in the SaaS Agreement) offered by the Data Importer.

Signature and date:

Role: Controller

Data importer(s):

Name: Intenseye, Inc.

Address: 1250 Broadway, Suite 401, New York, NY 10001

Contact person’s name, position and contact details: Serhat Çillidağ, CTO, serhat@intenseye.com, +90 (546) 603 3638

Activities relevant to the data transferred under these Clauses: The Data Importer's provision of the Services (as defined and specified in the SaaS Agreement)

Signature and date:

Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

The personal data transferred concern the following categories of data subjects:

Employees including temporary workers, contractors, and job applicants,
Consumers,
Website and digital asset users,
Employees of suppliers, partners, subcontractors and other business contacts, group companies and affiliates, especially in cases where such employees use the facilities which the system is integrated to.

Categories of personal data:

The personal data transferred concern the following categories of data in an electronic or physical form:

Personal details - including any information that identiﬁes the data subject and their personal characteristics, including: name, address, contact details, mobile Phone (opt-in), email,
Account and Profile Information – display name, profile photo, job title, set preferences,
Service use – Log, device and cookie data obtained via the use of the platform by users,
Customer support – Information regarding a problem with a Service, services provided and related information, including details of the services supplied, and contracts,
Video footage – CCTV video footage and images to provide the Services,
Other – Any other data that may be uploaded to the platform by the Controller at its own discretion, including any incident reports and related data such as incident images.

Sensitive data:

THE PROCESSOR WILL NOT INTENTIONALLY PROCESS SENSITIVE AND/OR BIOMETRIC DATA.

The frequency of the transfer:

Personal data will be transmitted when new accounts are created in the system and when errors are reported. The data is transferred on a continuous basis. The system works 24/7, analyzing real-time streaming. However, only unsafe acts and conditions are stored, while other data is disposed of immediately.

Nature of processing:

The personal data transferred will be subject to the following processing activities:

Receiving data, including collection, accessing, retrieval, recording, and data entry
Holding data, including storage, organization and structuring
Using data, including analyzing, consultation, testing, and training the artificial intelligence utilized by Processor to provide ServicesUpdating data, including correcting, adaptation, alteration, alignment and combination
Protecting data, including restricting, encrypting, and security testing
Sharing data, including disclosure, dissemination, allowing access or otherwise making available
Returning data to Controller or data subject
Erasing data, including destruction and deletion

Purpose(s) of the data transfer and further processing

The purpose of processing personal data is described in the Service Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data such as general details are kept up to date as long as Controller continues to use the platform. Retention period will be determined by Controller via the platform, provided that such period will not be less than thirty (30) days. If necessary, such data may be retained for compliance with a legal obligation. If, for some reason there needs to be a user to be removed, it can be deleted manually via our platform or via our support. The personal data will only be retained for as long as required for the purposes indicated above and in accordance with general data protection guidelines regarding record retention policies. Upon expiration or termination of Service Agreement, Processor will delete data as requested.

Subject-matter and duration of the processing for transfers to subprocessors

The subject-matter of processing of personal data is defined in the Service Agreement. The duration of data processing shall be for the term designated under the Service Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The Federal Commissioner for Data Protection and Freedom of Information

(Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit)

Graurheindorfer Str. 153

53117 Bonn, Germany

Telephone: +49(0)228997799-0
E-mail: poststelle@bfdi.bund.de

Annex II to Schedule 2- Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

This Annex describes technical and organizational security measures taken by Intenseye for the purposes of data privacy and security. The technical and organizational measures should be implemented in accordance with security best practices and recommendations set out in relevant industrial security standards such as SOC 2 Type II.

‍1. Information Security Policies and Standards

1.1. The Data Processor will implement security requirements within its organization and for staff and all sub-processors, service providers, or agents who have access to personal data to maintain the integrity, confidentiality, resilience and availability of personal data, to include (but not be limited to) the following:

1.1.1. Prevent unauthorized persons from gaining access to personal data processing systems (physical access control);

1.1.2. Prevent personal data processing systems being used without authorization (logical access control);

1.1.3. Ensure that:

1.1.3.1 persons entitled to use a personal data processing system gain access only (i) through an internal and documented process, (ii) to such personal data that they are entitled to access in accordance with their access rights and the purposes of the processing, and (iii) for the time necessary for processing the personal data, and

1.1.3.2 in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization (data access control);

1.1.4. Ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of personal data by means of data transmission facilities can be established and verified, with appropriate pseudonymisation and encryption measures adopted to protect the confidentiality of data during transfer and storage (data transfer and storage control);

1.1.5. Ensure the establishment of an audit trail to document whether and by whom personal data have been entered into, modified in, or removed from personal data processing (entry control);

1.1.6. Ensure that personal data are processed solely in accordance with Data Controller’s Instructions (control of instructions);

1.1.7. Ensure that personal data are protected against accidental destruction or loss, and appropriate measures adopted to support access to data and / or restoration of data in the event of a physical or technical incident impacting availability (availability control); and

1.1.8. Ensure that personal data collected for different purposes can be processed separately (separation control).

1.2. These rules will be kept up to date and revised whenever relevant changes are made to any information system that uses or houses personal data, or to how that system is organized.

1.3. These rules will be routinely reviewed to evaluate efficacy and areas for improvement and where relevant adopt and apply changes as part of a continuous improvement programme.

2. Physical Security

2.1. The Data Processor will maintain commercially reasonable security systems at all Data Processor sites at which an information system that uses or houses personal data is located. The Data Processor reasonably and appropriately restrict access to such personal data.

2.2. Physical access control will be implemented for all data centers.

3. Organizational Security

3.1. Data Processor will ensure that it has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.

3.2. All personal data security incidents will be managed in accordance with appropriate incident response procedures.

4. Network Security

5. Access Control

5.1. Only authorised staff will be permitted to grant, modify or revoke access to an information system that uses or houses personal data.

5.2. User administration procedures will be adopted which define user roles and their privileges, how access is granted, changed and terminated; addresses appropriate segregation of duties; and defines.

the logging/monitoring requirements and mechanisms.

5.3. All employees of the Data Processor will be assigned unique User-IDs.

5.4. Access rights will be implemented adhering to the “least privilege” approach.

5.5. The Data Processor will implement commercially reasonable physical and electronic security to create and protect passwords.

6. Virus and Malware Controls

7. Personnel

7.1. The Data Processor will implement a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations, physical security controls, security practices and security incident reporting.

7.2. The Data Processor will have clearly defined roles and responsibilities for its employees. Screening is implemented before employment with terms and conditions of employment applied appropriately.

7.3. The Data Processor personnel will strictly follow established security policies and procedures. Disciplinary process will be appropriately applied if employees commit a security breach.

‍

ANNEX 3: Generative AI Functionality Addendum

Intenseye Chief Terms of Service

‍

1. Use of Generative AI Functionality

‍Customer may enable, continue, or discontinue use of Intenseye’s Generative AI functionality (“Gen AI Functionality”) at their discretion. The terms in this Addendum apply whenever Customer opts to use this functionality.

2. Ownership of Inputs and Outputs‍

a) All content or data that Customer submits through the Gen AI Functionality (“Gen AI Inputs”), along with all resulting content generated through this functionality (“Gen AI Outputs”), will be considered Customer Data. Intenseye shalll not use Gen AI Inputs and Outputs to train its AI models.

b) Some features within the Gen AI Functionality may rely on third-party AI models. By using these features, Customer consents to the relevant third-party provider's use of Gen AI Inputs, Gen AI Outputs, or other Customer Data, strictly as needed to deliver, support, and comply with legal requirements related to the Gen AI Functionality.

c) Third-party providers of Gen AI functionality may temporarily retain Gen AI Inputs and Outputs to support their service operations. Intenseye will ensure that these providers contractually agree not to use the data for (i) training or enhancing their AI models, (ii) improving their services generally, or (iii) any purpose outside of providing the Gen AI Functionality, unless otherwise specified in this Addendum.

d) Any third-party provider of Gen AI Functionality will act as a Subprocessor for Customer Data, including any Personal Data within Gen AI Inputs. All processing of Customer Data will be subject to the Data Processing Addendum (DPA) in place between Intenseye and Customer. However, Gen AI Functionality is not intended to be used to process personally identifiable information. Customer not include any personally identifiable information in Gen AI Input.

3. Responsibility for Inputs and Outputs‍

a) Gen AI Outputs are generated based on a statistical analysis of Gen AI Inputs without a detailed understanding of the Inputs. Customer acknowledges that Outputs depend on Input quality and may be inaccurate, incomplete, unexpected, or contain biases.

b) Customer is solely responsible for (i) ensuring the accuracy and quality of any Gen AI Inputs, (ii) validating the accuracy of any Gen AI Outputs, and (iii) any decisions, actions, or inactions based on Gen AI Outputs.

4. Trial Gen AI Features.

Certain Gen AI functionalities may be provided as trial or early access features (“Trial Gen AI Features”) free of charge. If Intenseye decides to make these features generally available, fees may be introduced with reasonable notice to Customer. Intenseye has no obligation to develop or release final products based on Trial Gen AI Features. Intenseye may modify, suspend, replace, or discontinue any Trial Gen AI Features at any time without liability.

This Addendum is effective upon activation of the Gen AI Functionality by the Customer and is governed by the terms of the Master SaaS Agreement.

‍

Legal‍

1. End Customer License Agreement

1. DEFINITIONS

2. SUBJECT

3. TERM

4. LICENSE AND INTELLECTUAL PROPERTY RIGHTS

5. FEES AND PAYMENT‍

6. AVAILABILITY AND TECHNICAL SUPPORT‍

7. PRIVACY AND PERSONAL DATA PROTECTION

8. CONFIDENTIALITY AND NON-DISCLOSURE

9. REPRESENTATIONS AND WARRANTIES

10. DISCLAIMERS

11. LIMITATION OF LIABILITY

12. INDEMNITY

13. RENEWAL AND TERMINATION

14. GENERAL PROVISIONS

2. Master Software as a Service (SaaS) Agreement

1. DEFINITIONS‍

2. SUBJECT

3. TERM

4. LICENSE AND INTELLECTUAL PROPERTY RIGHTS‍

5. FEES AND PAYMENT‍

6. AVAILABILITY AND TECHNICAL SUPPORT‍

7. PRIVACY AND PERSONAL DATA PROTECTION‍

8. CONFIDENTIALITY AND NON-DISCLOSURE‍

9. REPRESENTATIONS AND WARRANTIES

‍

10. DISCLAIMERS‍

11. LIMITATION OF LIABILITY‍

12. INDEMNITY‍

13. RENEWAL AND TERMINATION

‍

14. GENERAL PROVISIONS

‍

ANNEX 1: Service Level Agreement

1. Definitions

2. Integration

3. System Service Availability

4. Customer’s Responsibilities

5. Unavailability Exceptions

6. Updates

7. Service Response

8. Severity Level Determination

‍ 9. SLA Credits

10. Business Continuity and Disaster Recovery Plan

11. Technical Assistance; Case Submittal and Reporting

ANNEX 2: Data Processing Addendum

1. DEFINITIONS AND INTERPRETATION

2. DETAILS OF DATA PROCESSING

3. OBLIGATIONS OF THE DATA PROCESSOR

4. TECHNICAL AND ORGANIZATIONAL MEASURES‍‍

5. NOTIFICATION OF DATA BREACH

6. SUB-PROCESSORS

7. INTERNATIONAL DATA TRANSFERS

8. DATA SUBJECT RIGHTS

9. AUDIT RIGHTS

10. DATA PROTECTION IMPACT ASSESSMENT

11. LIABILITY

12. TERM AND TERMINATION

13. GENERAL

Schedule 1 to DPA

DETAILS AND DESCRIPTION OF PROCESSING

‍

Schedule 2 to DPA

TECHNICAL AND ORGANIZATIONAL MEASURES

Schedule 3 to DPA

STANDARD CONTRACTUAL CLAUSES

Clause 1

Clause 2

Clause 3

Clause 4

Clause 5

Clause 6

Clause 7 - Optional

Clause 8

Clause 9

Clause 10

Clause 11

Clause 12

Clause 13

Legal
‍

1. DEFINITIONS
‍

4. LICENSE AND INTELLECTUAL PROPERTY RIGHTS
‍

5. FEES AND PAYMENT
‍

6. AVAILABILITY AND TECHNICAL SUPPORT
‍

7. PRIVACY AND PERSONAL DATA PROTECTION
‍

8. CONFIDENTIALITY AND NON-DISCLOSURE
‍

10. DISCLAIMERS
‍

11. LIMITATION OF LIABILITY
‍

12. INDEMNITY
‍

‍
9. SLA Credits