M3 Terms and Conditions

THIS DOCUMENT PROVIDES THE TERMS OF USE BETWEEN M3 ACCOUNTING SERVICES, INC., DBA M3(“WE,” “US”), AND YOU IN RELATION TO M3SOFTWARE (THE “SOFTWARE”), AND ALL RELATED MATERIALS AND SERVICES. BY ACCESSING ANY SOFTWARE OR APPLICATIONS PROVIDED BY M3, (INCLUDING WITHOUT LIMITATION BY USING LOGIN CREDENTIALS PROVIDED TO YOU) REVIEW THESE TERMS AND CONDITIONS OF SERVICE (“AGREEMENT”) THOROUGHLY. THIS AGREEMENT IS A LEGAL AGREEMENT BETWEEN YOU AND M3. BY ACCEPTING ELECTRONICALLY (FOR EXAMPLE, CLICKING “I AGREE”), INSTALLING, ACCESSING OR USING THE PRODUCTS AND SERVICES, YOU AGREE TO THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO THIS AGREEMENT, THEN YOU MAY NOT USE THE PRODUCTS AND. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF CUSTOMER, BY PROCEEDING, YOU ARE WARRANTING AND REPRESENTING TO US THAT YOU HAVE AUTHORITY TO ACCEPT THESE TERMS FOR CUSTOMER.

Whereas, you have theM3 desire to enter into an agreement for the provision of certain software by M3including this website, content, updates, new releases, and professional services;

Now, therefore, in consideration of the foregoing, the mutual promises and covenants contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, both You and M3(“Parties”) agree as follows:

1. Term

1.1. Term of Agreement. This Agreement shall commence as of the date you select “I agree” and thereby agree to these terms (the “Effective Date”) and shall continue, unless otherwise terminated earlier pursuant to the terms of this Agreement, until the later of (i) termination of all work performed by M3and (ii) the date M3receives notice from you that you no longer wish to access the Software. Notice may be given by failing to renew your relevant subscription or by written communication to M3 through help.m3as.com or techsupport@m3as.com.

1.2. Term of Statement of Work. Other than providing access to the Software and providing standard support services, any work performed by M3 will be described in a separate statement (a “Statement of Work”) entered into prior to expiration or termination of this Agreement. The term of each Statement of Work shall continue in effect through the earlier of: (i) the date all of the services thereunder have been fully completed and accepted (if applicable) by Customer, or (ii) until such time as such Statement of Work expires or is terminated in accordance with its terms, or (iii) this Agreement is terminated. “Services” herein means services to be performed under a Statement of Work.

1.3 M3 Obligations. During the Term of this Agreement, M3 will use commercially reasonable efforts to make the Software available to Customer for use as a service, subject to the terms and conditions of this Agreement, and will use commercially reasonable efforts to perform the Services in a professional and workmanlike manner.

2. Payment Terms and Invoicing
   For Services offered on a payment or subscription basis, the following terms apply if you are the User paying for the Software or Services,

2.1. Fees. In consideration for M3 full performance of the obligations as described herein, Customer shall pay M3 standard monthly fees and applicable setup fees communicated to you prior to your receipt of access credentials to the Software. Accessing the software serves to accept these terms (if they have not previously been accepted for any reason), or to confirm and reiterate such acceptance (if they have been previously accepted).

2.2. Invoicing. M3 shall render invoices to Customer in U.S. dollars, at the beginning for each month for all active properties, entities, non-operating entities, or any unique instance of a company or property setup within the Software. The invoice shall indicate the product used, the price per product, and user fees or other fees, as well as the total amount then due. Except as otherwise provided in a Statement of Work, invoices shall be issued monthly in the month of service for the Services and Software active during that period and shall be due and payable within fifteen (15) days from date of the invoice.

2.3. Invoicing Disputes. Customer shall notify M3 of any invoice dispute in writing within the time frame specified for payment of the invoice. The Parties shall work in good faith to resolve any invoicing disputes as quickly as reasonably possible. The non-payment of any disputed items shall not constitute a breach under this Agreement. Customer shall pay all amounts due that are not in dispute within the time frame specified above. M3 has the right to disable user access in the event of non-payment after 30 days past due for items which are not in dispute, or in the event any dispute is not resolved within 60 days of the date M3 receives notice of the dispute. The Parties agree that they will not invoke the informal dispute resolution procedures or arbitration terms of Section 11 below to resolve an invoice dispute until after all opportunities set forth in this Section 2.3 to resolve the invoice dispute have been exhausted.

2.4. Payment Responsibility. It is the responsibility of you the Customer to pay M3 standard monthly fees, user fees, applicable setup fees, and any and all other applicable fees for all properties, entities, non-operating entities, or any unique instance of a company or property setup within the Software, this includes all inactive properties and usernames that have not been communicated in writing to M3 to discontinue service and access.

2.5. Payment Methods: Payment should be made through US Banks and the Federal Reserve. M3 will not be responsible for processing fees incurred by your financial institution. Customer must pay with one of the following payment methods:

· Wire Transfer thru your provider.

· ACH originating/submitted thru your bank or third party.

· Check mailed to M3 lockbox.

o Subject to return check fee of $30 or 5% of the amount of each returned check, whichever is greater, plus the amount of any fees charged to the holder of the instrument by a bank or financial institution as a result of the instrument not being honored.

· At some point in the future, M3 may accept valid debit/credit card approved by M3. An additional 3.5% processing fee will be charged for processing of credit/debit cards should we elect to accept the credit card type.

2.6 AutoPay. M3 may require Auto Pay in the future. At that time, you the Customer can setup automatic payments with your choice of payment method in M3 third party Fusebill application. M3 will automatically process your invoices for payment on the due date of the invoice(s). M3 will automatically renew your monthly subscription at the then-current rates unless the Software license or subscription is cancelled or terminated under this Agreement. If Customer payment and registration information is not accurate, current, and complete, and you the Customer do not notify us promptly when such information changes, we may suspend or terminate your account, terminate your license, and refuse any further use of the Software. If you the Customer do not notify us of updates to your payment method (e.g., credit card expiration date), to avoid interruption of your service, we may participate in programs supported by your card provider (e.g., updater services, recurring billing programs, etc.) to try to update your payment information, and you authorize us to continue billing your account with the updated information that we obtain.

2.7 Non-Payment. Customer shall pay all amounts due that are not in dispute within M3 specified terms on invoice. M3 has the right to disable user access in the event of non-payment after 30 days past due for items which are not in dispute, or in the event any dispute is not resolved within 60 days of the date M3 receives notice of the dispute. M3 has the right to pursue Customer for non-payment, which includes reporting to credit agencies, turning over to third party collection agency, and to pursue legal actions.

2.8 Non-Payment Fees. M3 has the right to charge and collect additional fees such as Finance Charges, Return Check Fees, Late Fees and Re-activation Fees for non-payment from you the Customer.

3. Ownership

3.1. M3 Ownership. M3 shall retain all ownership and proprietary rights to the Software and its trademarks, copyrights, patents, trade secrets, and other intellectual property rights and to any commercially available products of M3 that are provided to You (“M3 Property”). Under this Agreement, you receive only the right to use the Software and receive the Services, subject to Customer’s compliance with the terms and conditions of this Agreement and any applicable Statement of Work.

3.2. Vendor Know-How. M3 shall be free to use, in other engagements, its general skills, know-how, and expertise, whether pre-existing or gained under this Agreement or in connection with the provision of the Services. This Agreement does not grant Customer or You any licenses under any of M3′ patents, trademarks, trade secrets, or copyrights.

3.3. M3 Materials. If M3 provides to You any tools, equipment, software, lists, files, contacts, or other materials of any kind that are owned by M3 (collectively referred to as “M3 Provided Materials”), M3 grants to You a non-exclusive, limited, non-transferable license to use such M3 Provided Materials solely in connection with the performance of its obligations to which they relate and solely for the term of this Agreement or the applicable Statement of Work.

3.4 Your Obligations. You agree not to use, nor permit any third party to use, the Services or content in a manner that violates any applicable law, regulation, or this Agreement. You agree you will not:
· Provide access to or give any part of the Services to any third party.
· Reproduce, modify, copy, sell, trade, lease, rent, or resell the Services.
· Decompile, disassemble, or reverse engineer the Services.
· Make the Services available on any file-sharing or application hosting service. You will manage your passwords and accept updates. You are responsible for securely managing your password(s) for the Services and to contact M3 if you become aware of any unauthorized access to your account. The Products and Services may periodically be updated with tools, utilities, improvements, third party applications, or general updates to improve the Products and Services. You agree to receive these updates.

3.5. Data. The Software is not intended to be used to store information that identifies any individual directly or indirectly. To the extent Customer stores any personally identifiable data using the Software, Customer does so at its own risk, and it is understood and agreed that M3 is not the controller with respect to any such data. Customer is entirely responsible for complying with all applicable laws and regulations in connection with any personally identifiable data stored in the Software including, without limitation, maintaining an appropriate privacy policy that discloses that such data may be processed by third parties in another country and, if required obtains the user’s informed consent prior to storing any such data in the Software. Customer will indemnify, defend, and hold M3 harmless in the case of any third-party claim or enforcement action arising from Customer’s failure to obtain appropriate informed consent, or any other failure of Customer to comply with all applicable data privacy and security laws and regulations (including without limitation those of the European Union). M3′ privacy policy is available at https://www.m3as.com/privacy. By entering into this Agreement, you confirm that you have read the privacy policy and agree to it on behalf of yourself. M3 does not warrant or represent that the Software includes features that would be required of software that maintains personal data, including, without limitation, features that allow removal of such information from the Software upon request of the individual. For this reason and others, You and Customer should not store or process personal identifiable information using the Software. Please refer to the Global Privacy Addendum.

3.6. Data Aggregation. M3 may anonymously consolidate data collected through the use of the Software for the purposes of benchmark reporting available to Customer. Information is reported with commercially reasonable efforts to avoid disclosure of confidential information and shared with designated universities for the purpose of research and publications or used in M3 publications. To the extent M3 provides any such information to You, you agree to abide by any and all license requirements and instructions of M3 related to such information and materials. You shall not acquire any right, title, or interest to the M3 Provided Materials by virtue of this Agreement, other than the limited license expressly granted by M3. All such information and materials shall be deemed and treated as M3 confidential information and You shall not allow access to such information and M3 Provided Materials to any third Party. Upon the expiration or termination of this Agreement or relevant Statement of Work, as the case may be, you shall return the M3 Provided Materials to M3 in substantially the same condition as provided to Customer and shall not retain any copy thereof.

3.7. Software. With respect to software owned or licensed by M3 and provided or made accessible to You for purposes of using the Software or receiving the Services, You shall not copy, reproduce, modify, adapt, translate, or create any derivative works from such software (unless specifically authorized by M3 as part of the Services), or disassemble, decompile, reverse engineer, or make any other attempt by any means to discover or obtain the source code of such software (if such software is provided and only intended to be used in object code format). Except as otherwise expressly set forth in a Statement of Work, you shall use such software solely for the purpose of using the Software and receiving the Services during the term of this Agreement, and otherwise as directed by M3.

3.8. Injunctive Relief. Either Party acknowledges that any remedy for money damages for any violation of Sections 2 or 3 of this Agreement may be inadequate, and the other Party may suffer immediate and irreparable damage through any direct breach or threatened breach. Accordingly, the other Party may, in addition to all other legal remedies, specifically seek to enforce this Section and seek injunctive relief to prevent any threatened or continuing breach without requirement of notice or posting of bond.

4. Indemnification

4.1. Indemnification and Defense. Each Party (an “Indemnifying Party”) shall defend at its own expense, the other Party, including the other’s directors, officers, employees, and agents (collectively, the “Indemnified Parties”) from and against any and all third Party claims, demands, suits, or actions resulting from, arising out of, or relating to the Indemnifying Party’s (including its employees and anyone acting on its behalf) (i) alleged or actual breach of this Agreement; (ii) alleged or actual violation of any statute, law, ordinance, or regulation, or (iii) any alleged or actual infringement of any patent, copyright, trademark, trade secret, or other intellectual property or other rights of a third Party arising out of the Services or the use of the Software as permitted under this Agreement (an “Indemnifiable Claim”). With respect to each Indemnifiable Claim, the Indemnifying Party shall indemnify and hold harmless the Indemnified Parties from and against any and all damages, judgments, awards, expenses, and costs that are awarded and payable to the third Party by a court of competent jurisdiction or that are payable pursuant to a settlement made by the Indemnifying Party.

4.2. Notice of Indemnifiable Claim. The Indemnified Party shall give the Indemnifying Party prompt written notice of any Indemnifiable Claim to the extent reasonably practicable. Such notice shall not diminish the Indemnifying Party’s indemnity obligations hereunder unless and only to the extent that the Indemnifying Party is materially and adversely affected by the Indemnified Party’s failure or delay to give notice.

4.3. Control and Settlement. The Indemnifying Party shall control the defense or settlement of any Indemnifiable Claim provided, however, that the Indemnifying Party shall not agree to any admission of liability or injunctive relief that could reasonably affect the Indemnified Party without the prior written consent of such Indemnified Party. The Indemnified Party shall reasonably cooperate (at the Indemnifying Party’s expense) with the Indemnifying Party in the defense of such claim. Any settlement by the Indemnifying Party must be approved by the Indemnified Party, with such approval not to be unreasonably withheld (except that any settlement requiring the Indemnified Party to make any admission of liability shall be subject to the Indemnified Party’s approval in its sole discretion). The Indemnified Party also has the right to retain its own counsel at its own expense in connection with such claim. If the Indemnifying Party has been advised by the written opinion of counsel to either Party that the use of the same counsel to represent both Parties would present a conflict of interest, then the Indemnified Party may select its own counsel and all costs of the defense shall be borne by the Indemnifying Party.

5. Warranty

M3 warrants that it will use commercially reasonable efforts to make the Software available to Customer during normal business hours (other than scheduled downtime and maintenance windows), that the Software will function substantially in accordance with its documentation, and that it will use commercially reasonable efforts to perform all Services in a
timely, professional, and workmanlike manner. EXCEPT AS EXPRESSLY STATED IN THIS SECTION 5 OR PROHIBITED BY LAW, M3 MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, WITH RESPECT TO THIS AGREEMENT OR THE SOFTWARE OR ANY SERVICES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, AND M3 EXPRESSLY DISCLAIMS ANY AND ALL SUCH WARRANTIES. WITHOUT LIMITING THE FOREGOING, M3 DOES NOT WARRANT THAT: (i) THE SOFTWARE WILL OPERATE OR BE AVAILABLE UNINTERRUPTED; (ii) ALL ERRORS CAN OR WILL BE CORRECTED; OR (iii) THE SOFTWARE OR SERVICES ARE SECURE OR WILL MEET CUSTOMER’S BUSINESS, LEGAL, OR REGULATORY REQUIREMENTS. CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY BREACH OF WARRANTY WILL BE THAT M3 SHALL USE COMMERCIALLY REASONABLE EFFORTS TO MODIFY THE SOFTWARE TO BE IN COMPLIANCE WITH THE DOCUMENTATION, OR TO REPERFORM THE NONCONFORMING SERVICES. THE LIMITATIONS IN THIS SECTION 5 WILL APPLY EVEN IF THE APPLICABLE WARRANTY FAILS OF ITS ESSENTIAL PURPOSE.

6. Limitation of Liability

TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, MULTIPLE, OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. THE FOREGOING LIMITATION OF LIABILITY SHALL NOT APPLY TO AMOUNTS PAYABLE BY A PARTY PURSUANT TO ITS INDEMNIFICATION OBLIGATIONS HEREUNDER BUT SHALL APPLY IN ALL OTHER INSTANCES REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH SUCH DAMAGES ARE SOUGHT.

7. Termination

7.1. Termination for Breach. If a Party breaches this Agreement, the other Party shall have the right to terminate this Agreement by providing written notice of termination, if the breach has not been cured within thirty (30) days following receipt of written notice of the breach. The non-breaching Party shall not be obligated to pay for the breaching Party’s time or resources to cure any breach.

7.2. Termination by Customer. In addition to any other termination rights, Customer shall have the right to terminate this Agreement for any reason by providing M3 written notice as set forth in Section 8. For the Customer to avoid being invoiced per paragraph 2.2 of this Agreement, M3 must receive written notice of termination at least 72 hours prior to the end of the last month during which Services are to be provided, or the Software is to be used. Failure to do so will result in Customer being invoiced on the first day of the month, and payment for such invoice will be due, even if services will not be required for any, all, or a portion of that upcoming month.
7.3. Termination by M3. In addition to any other termination rights, M3 shall have the right in its discretion to terminate this Agreement or any Statement of Work under this Agreement, for any reason or for no reason, upon thirty (30) days prior written notice to Customer.

7.4. Survival. The rights and obligations of any Party which by their nature extend beyond the expiration or termination of this Agreement, shall continue in full force and effect, notwithstanding the expiration or termination of this Agreement, including, without limitation, rights, and obligations with respect to payment terms and invoicing, confidential information, ownership of work product, indemnification, limitations of liability, and termination.

8. Notices

Any and all notices or demands required or permitted to be given to a Party pursuant to the provisions of this Agreement will be in writing and will be effective and deemed to provide such Party sufficient notice under this Agreement on the earliest of the following: (i) at the time of personal delivery, if delivery is in person; (ii) at the time of next day delivery by a reputable courier service or facsimile, addressed to the other Party at its address specified herein or on-file with M3 (or hereafter modified by subsequent notice to the Parties hereto), with confirmation of receipt made by printed confirmation sheet verifying successful delivery; or (iii) at the time of transmission by email, addressed to the other Party at its email address specified herein or on-file with M3 (or hereafter modified by subsequent notice to the Parties hereto), provided the other Party provides confirmation of receipt within one business day thereafter. All notices not delivered personally, by delivery, or email (with confirmation) will be sent via U.S. Registered Mail or reputable international courier, regular postage and/or other charges prepaid and properly addressed to the Party to be notified at the address, or facsimile number or email address as follows, or at such other address, facsimile number, or email address as such other Party may designate by one of the indicated means of notice herein to the other Parties hereto as follows:

If to M3:
M3
1715 North Brown Road SE
Building A Suite 200
Lawrenceville, GA 30043
Attn: Allen Read Phone: 770-297-1925 Email: accounting@m3as.com

If to Customer:
Address, Email, and Phone number on-file with M3

Notices shall be deemed received upon actual receipt or refusal of delivery.

9. Force Majeure

Except for payment obligations, neither Party shall be liable for any delays or other non-performance resulting from circumstances or causes beyond its reasonable control that are not due to the negligence or misconduct of the Party claiming relief under this Section 9, including, without limitation, fire or other casualty, act of God, war, terrorism, or other violence, any law, order, or requirement of any governmental agency or authority or other causes beyond the reasonable control of such Party, provided that such Party has informed the other Party of such force majeure event promptly upon the occurrence thereof (including a reasonable estimate of the additional time required for performance to the extent determinable) and such Party uses reasonable commercial efforts to effect the required performance as soon as reasonably practicable.

10. Confidentiality

10.1. To the extent the Parties entered into a separate, signed non-disclosure agreement (“NDA”), the terms and conditions of that NDA will prevail over any inconsistent terms in this Agreement.

10.2. Neither Party shall disclose any non-public information received from the other Party (“Disclosing Party”) that is marked or identified in writing as being confidential or proprietary in nature or is disclosed in a context where the receiving party (“Recipient”) should have reasonably understood that the information should be treated as confidential or proprietary, whether or not the words “confidential” or “proprietary” are used. For avoidance of doubt, and without limitation, it is understood and agreed that the Software, its related documentation, all information relating to its performance, and all information relating to planned or in-development features will be deemed and treated as M3′ confidential information, and all data entered into the Software by or for Customer users will be deemed and treated as Customer’s confidential information.

10.3. The Recipient shall protect this information using the same degree of care as it uses to protect its own sensitive business information, but not less than a reasonable degree of care and shall not disclose such information to any third party without the prior written consent of the Disclosing Party.

10.4. The Recipient may disclose confidential information to its employees and contractors who have a need to know such confidential information in order to perform their duties, provided no confidential information shall be disclosed to a contractor unless the contractor has entered into a written confidentiality agreement with the Recipient providing at least as much protection for the Discloser’s confidential information as does this Agreement.

10.5. The obligations in this Article 10 shall not apply to information: a) that is in the public domain at the time of disclosure or becomes part of the public domain after disclosure otherwise than through a breach of this Agreement or wrongdoing by a third party; b) for which the Recipient can provide evidence that it was in its lawful possession prior to disclosure to it by the Disclosing Party; c) independently developed by a Party outside the scope of this Agreement without use of any of, or reference to, the other Party’s confidential information; and/or d) which is required to be circulated by governmental or judicial order or applicable law provided that (where permitted by law) prior to disclosure, the Recipient shall provide prompt notice to the Disclosing Party of the information to be disclosed as to permit the Disclosing Party to take such actions to protect its information as it deems appropriate.

10.6. The obligations set out in this Article 10 shall survive termination, cancellation, or expiry of this Agreement. For confidential information that qualifies as a trade secret under the U.S. Defend Trade Secrets Act of 2016 (the “Act”), the obligations will survive until the later or five (5) years after the termination of this Agreement, and the date on which the confidential information no
longer qualifies as a trade secret under the Act. For all other confidential information, the obligations will survive for five (5) years after termination of this Agreement.

11. Governing Law and Dispute Resolution

11.1. Choice of Law. This Agreement shall be construed in accordance with the laws of the state of Georgia, United States of America, excluding conflict of law provisions.

11.2. Informal Dispute Resolution. Prior to taking any action in connection with this agreement, including without limitation by providing a notice or arbitration or instituting a court action, you agree to provide Us with written notice of the dispute and to negotiate with Us in good faith for not less than fourteen (14) days in an effort to resolve such dispute amicably. In the event the dispute is not resolved during such period, you may then seek formal remedies through the arbitration process set forth in Section 11.3 below.

11.3. Arbitration. Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach thereof which has not been resolved by the Parties within the applicable notice or cure period (if any) will be finally resolved by arbitration exclusively (i) administered by the International Center for Dispute Resolution (the “ICDR”) and (ii) under the Commercial Arbitration Rules of the ICDR, (the “ICDR Rules”). Judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction to do so. The number of arbitrators shall be one (1), unless the Parties subsequently agree in writing that a three (3) arbiter panel shall be appointed to resolve such particular dispute. The arbitrator(s) shall be appointed exclusively in accordance with the ICDR Rules. The place of arbitration shall be Atlanta, Georgia USA, and the arbitration proceedings shall be conducted in English. Any award of the arbitral tribunal shall be final and binding on the parties to the arbitration and judgment thereon may be entered in any court of competent jurisdiction, and application may be made to any court of competent jurisdiction for injunctive or other relief in aid of such arbitration and for judicial recognition of the award and an order of enforcement. The Parties hereby waive any right to appeal from any award to the extent allowed by applicable law and agree that UN Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the “New York Convention”) is applicable to the enforcement of any award. The Parties further waive, to the extent permitted under applicable law, any right that they may have to object to arbitration hereunder on the basis that such an agreement was not entered into after a dispute had arisen. Except as may be required by law, neither a Party nor any arbitrator may disclose the existence, content, or results of any arbitration hereunder without the prior written consent of app parties to the arbitration.

11.4. Exclusive Method for Resolving Disputes. The Parties agree that the informal dispute resolution procedure followed by arbitration, as set forth in this Section 11, shall be the exclusive methods for resolving the disputes covered hereby, and no party to this Agreement will commence any action or proceeding in any court with respect to any such dispute (individually or as part of a class action) except (i) to enforce this Section 11; (ii) to obtain provisional judicial assistance in aid of arbitration under this Section; or (iii) to enforce an arbitral award made in accordance with this Section. Notwithstanding the foregoing, we may bring a court action in any court of competent jurisdiction without prior notice or notice/cure procedures if We determine that such an action is necessary to obtain immediate injunctive relief to protect Our intellectual property or confidential information.

12. General Terms

12.1. Time of the Essence. Time is of the essence with respect to any payment obligations hereunder.

12.2. Assignment. This Agreement shall inure to the benefit of, and shall be binding upon, the Parties and their respective heirs, successors, and permitted assigns. Customer shall not assign this Agreement or any rights hereunder or, except as expressly permitted in this Agreement, delegate any obligations hereunder to any third Party without M3′ prior written consent, which consent shall not be unreasonably withheld, delayed, or conditioned. Any assignment contrary to the foregoing shall be null and void. Notwithstanding the foregoing, Customer shall have the right without consent to assign this Agreement or rights hereunder or delegate obligations to any entity which has acquired a hotel, whether by foreclosure, merger, or acquisition; provided that (i) any such assignment or delegation to an acquirer is conditioned upon the assignee’s assumption of all obligations and liabilities of the assignor under this Agreement, and (ii) prompt notice of the assignment is given to M3. M3 shall have the right in its discretion to terminate this Agreement immediately in addition to all other available remedies if there is any assignment or delegation in violation of the foregoing.

12.3. Publicity. Without limiting Customer’s confidentiality obligations in this Agreement, and notwithstanding anything in this Agreement to the contrary, Customer shall not advertise, market, disclose, or otherwise make known to others (other than Customer employees) the existence of this Agreement or any information relating to any terms of this Agreement, without the prior written consent of M3, which shall not be unreasonably withheld. However, Customer may disclose such information as may be expressly required under applicable law without such consent from M3; provided that Customer promptly (prior to such disclosure to the extent reasonably possible) notifies M3 in writing of any such disclosure required by law, including any notices received by Customer requiring such disclosure.

12.5. Severability. If any provision of this Agreement is found to be invalid or unenforceable to any extent, then the invalid portion shall be deemed conformed to the minimum requirements of law to the extent possible. In addition, all other provisions of this Agreement shall not be affected and shall continue to be valid and enforceable to the fullest extent permitted by law.

12.6. Amendment. Any modification or amendment of this Agreement (including, without limitation, any Statement of Work) must be in writing and bear the signature of the duly authorized representatives of both Parties.

12.7. Entire Agreement; Interpretation. This Agreement together with any Statement of Work and/or NDA executed by both Parties sets forth the entire agreement and understanding between the Parties with respect to the subject matter hereof, and supersedes any other agreements, discussions, proposals, representations, or warranties, whether written or oral between the Parties with respect to the subject matter hereof.

12.8. Remedies. Except as expressly provided in this Agreement, a Party’s exercise of any right or remedy under this Agreement or under applicable law is not exclusive and shall not preclude such Party from exercising any other right or remedy that may be available to it. If either Party seeks monetary damages from the other Party, and a final judgment is entered entirely in favor of the Party defending the monetary damages claim, then the Party who brought such monetary claim
shall reimburse the defending Party for its reasonable attorney’s fees and costs paid defending that claim. Otherwise, each Party shall bear its own fees and expenses unless otherwise provided by statute.

12.9. Third Party Beneficiaries. This Agreement is for the sole benefit of the Parties and is not intended to, and shall not be construed to, create any right or confer any benefit on or against any third Party, except as expressly provided in this Agreement.

12.10. Effectiveness of Agreement. The preparation, revision, or delivery of this document for examination and discussion is not an offer to enter into any agreement and is merely a part of the negotiations between the Parties. Neither Party shall have any obligation or liability to the other whatsoever at law or in equity (including, without limitation, any claims for detrimental reliance or promissory estoppel) relating to the subject matter hereof unless and until Customer accepts the terms of this Agreement. The Parties may modify this Agreement, but only in writing with the understanding that the modified Agreement will be effective when accepted by both Parties, which acceptance may be in the same manner in which this Agreement was first accepted.

12.11 Changes. We reserve the right to modify this Agreement, in our sole discretion, at any time. Such modifications may be posted through the Products and Services, on our website for the Products and Services or when we notify you by other means. We may also change or discontinue the Products and Services, in whole or in part. It is important that you review this Agreement whenever we modify it because your continued use of the Products and Services indicates your agreement to the modifications.

Last revised: ___9/14/2021___

Global Data Privacy Addendum

This Global Data Privacy Addendum (this “Privacy Addendum”) is attached and made part of the agreement (the “Services Agreement”) between Customer (as identified in Services Agreement and the Statement of Work), including all affiliates, if any, and the Service Provider which processes Personal Data on behalf of Customer pursuant to the Services Agreement (as identified in the Services Agreement and the Statement of Work).
The Privacy Addendum is divided into two separate addendums setting forth the privacy provisions applicable to the Services Agreement.

GDPR Addendum

1. DEFINITIONS

1.1 “Data Subject Request” means a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing, or its right not to be subject to an automated individual decision-making.

1.2 “EU Rules” means the laws and regulations of the European Union, the European Economic Area (“EEA”), their member states, the United Kingdom, and Switzerland, applicable to the processing of Personal Data under the Services Agreement, including (where applicable) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation (“GDPR”).

1.3 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’) located in the EEA, United Kingdom, or Switzerland; an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person; and is processed by Service Provider on behalf of the Customer within the scope of the Services Agreement.

1.4 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Service Provider for the Customer pursuant to the Services Agreement.

1.5 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data from a Data Controller in the EEA, United Kingdom, or Switzerland to processors established in third countries under the EU Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, or any legislation replacing the EU Regulation 2016/679, in the form set out in the Annex of European Commission Decisions 2021/914 and 2021/915 on June 4, 2021, (or any alternative or successor Decision(s), that approves new standard contractual clauses for transfers to data processors in third countries), as amended by incorporating the description of the Personal Data to be transferred set out in Annex I to this Privacy Addendum and the technical and organizational measures to be implemented as set out in Annex II to this Privacy Addendum. The Standard Contractual Clauses are available on the European Commission’s website at the following links: https://eur-lex.europa.eu/eli/dec_impl/2021/914; https://eur-lex.europa.eu/eli/dec_impl/2021/915; and https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

2. APPLICABILITY; ROLES OF THE PARTIES

2.1 This Privacy Addendum amends and supplements the Services Agreement between the parties. The terms of this Privacy Addendum will apply to all processing of Personal Data in relation to the Services provided under the terms of the Services Agreement. This Privacy Addendum will not apply to the processing of Personal Data, where such processing is not regulated by the EU Rules.

2.2 Capitalized terms used, but not defined, in this Privacy Addendum have the meanings assigned to them in the Services Agreement or the EU Rules, including the terms “Data Protection Officer”, “Member States”, “Personal Data Breach”, and “Privacy Impact Assessment”.

2.3 In the context of this Privacy Addendum, the Customer acts as a Data Controller and the Service Provider acts as a Data Processor with regard to the processing of Personal Data.

2.4 Service Provider shall carry out the Services and process the Personal Data received from the Customer as set out in the Services Agreement or as otherwise notified in writing by the Customer to Service Provider during the term of the Services Agreement. In the event that in Service Provider’s opinion a processing instruction given by the Customer may infringe EU Rules, Service Provider shall immediately inform the Customer upon becoming aware of such a processing instruction.

2.5 Service Provider shall undertake at all times to comply with the EU Rules and not to perform its obligations under the Services Agreement in such way as to cause the Customer to breach any of its applicable obligations under the EU Rules and any existing regulations issued by the relevant data protection authorities.

3. DATA PROTECTION

3.1 All Personal Data provided to Service Provider by the Customer or obtained by Service Provider in the course of its work with the Customer should be protected and may not be copied, disclosed, or processed in any way without the written authority of the Customer. To the extent that the provisions of the Services Agreement or the instructions of the Customer necessitate the copying, disclosure, or processing of data, this will be deemed to constitute the required authority to do so.

3.2 Service Provider agrees to comply from time to time with any reasonable measures required by the Customer to ensure its obligations under this Privacy Addendum are satisfactorily performed in accordance with all applicable legislation. This includes any best practice guidance the Customer notifies Service Provider of.

4. PROCESSING PERSONAL DATA

4.1 Where Service Provider Processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Customer it shall:

4.1.1 Process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations under the Services Agreement or as is required by law including the EU Rules and any existing laws, rules, or regulations issued by the relevant data protection authorities;

4.1.2 Implement appropriate technical and organizational measures and take the steps necessary to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, and promptly supply details of such measures as requested by the Customer; such security measures are set out in Section 6 of this Privacy Addendum; and

4.1.3 At the Customer’s request, promptly supply the Customer with details of the technical and organizational systems in place to safeguard the security of the Personal Data held and to prevent unauthorized access.

4.2 Customer acknowledges and agrees that (a) Service Provider’s affiliates may be retained as sub-processors; and (b) Service Provider and Service Provider’s affiliates respectively may engage third-party sub-processors in connection with the provision of the Services. Service Provider will ensure that any third party to which it sub-contracts any processing has entered into a written contract with Service Provider containing similar provisions to those in this Privacy Addendum, to the extent applicable to the nature of the Services provided by such sub-processor. Upon Customer’s request, Service Provider shall make available to Customer the current list of sub-processors with their country of location. If Service Provider provides hosting services under the Services Agreement, the Customer agrees and acknowledges that Service Provider is allowed to host the Personal Data at a third-party data center provider. For the avoidance of doubt, Service Provider shall remain liable for the processing activities of each sub-processor as if those achieved were its own.

4.3 Unless applicable laws require retention of such Personal Data, Service Provider agrees that in the event that it is notified by the Customer that it is not required to provide any further services to the Customer under this Privacy Addendum, Service Provider shall transfer a copy of all information (including Personal Data) held by it in relation to this Privacy Addendum to the Customer in a generally accepted format (provided that the Customer pays for the associated costs) and/or, at the Customer’s request, destroy all such information using a secure method which ensures that it cannot be accessed by any third party and shall issue the Customer with a written confirmation of secure disposal.

4.4 All copyright, database right, and other intellectual property rights in any Personal Data processed under this Privacy Addendum (including, but not limited to, any updates, amendments, or adaptations to the Personal Data by either the Customer or Service Provider) will belong to the Customer. Service Provider is licensed to use such data only for the term of and in accordance with this Privacy Addendum.

5. RIGHTS OF DATA SUBJECTS

5.1 Service Provider shall, to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request.

Taking into account the nature of the processing, Service Provider shall assist Customer by appropriate technical and organizational measures, to the extent possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Chapter III of the GDPR. Except to the extent required by applicable law, Service Provider shall not respond to any such Data Subject Request without Customer’s prior written consent except to confirm that the request relates to Customer.

5.2 Further, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Service Provider shall upon Customer’s request provide reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Service Provider is legally permitted to do so and provided that such Data Subject Request is required under applicable EU Rules. Any costs arising from such provision of assistance shall be the responsibility of Customer, to the extent legally permitted.

6. SECURITY

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider shall ensure that in respect of all Personal Data it receives from or processes on behalf of the Customer it shall maintain security measures to a standard appropriate to the: (a) harm that might result from unlawful or unauthorized processing or accidental loss, damage, or destruction of the Personal Data; and (b) nature of the Personal Data.

6.2 Service Provider shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, and particularly those related to possible Personal Data Breaches. Specifically, Service Provider shall:

6.2.1 Have in place and comply with a security policy which: (a) defines security needs based on a regular Privacy Impact Assessment; (b) allocates responsibility for implementing the policy to a specific individual or members of a team, including having a Data Protection Officer in place; (c) is disseminated to all relevant management and employees; and (d) provides a mechanism for feedback and review;
6.2.2 Ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;

6.2.3 Prevent unauthorized access to the Personal Data;

6.2.4 Ensure its storage of Personal Data conforms with the industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;

6.2.5 Have secure methods in place for the transit of Personal Data within the Customer support portal (for instance, by using encryption);

6.2.6 Use password protection on computer systems on which Personal Data is stored and ensure that only authorized personnel are given details of the password;

6.2.7 Take reasonable steps to ensure the reliability of any employee, agent, contractor, or other individuals who have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Services Agreement, and to comply with EU Rules in the context of that individual’s duties to the Service Provider;

6.2.8 Ensure that any employees, agents, contractors, or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Privacy Addendum;

6.2.9 Ensure that none of the employees, agents, contractors, or other individuals who have access to the Personal Data publish, disclose, or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;

6.2.10 Have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including: (a) the ability to identify which individuals have worked with specific Personal Data; and (b) having a proper procedure in place for investigating and remedying

breaches of the data protection principles contained in the EU Rules, including written records.

6.2.11 Have a secure procedure for backing up and storing back-ups separately from originals; and

6.2.12 Have a secure method of disposal for unwanted Personal Data, including back-ups, disks, print outs, and redundant equipment.

6.3 Service Provider shall provide the Customer with relevant documentation, such as an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, when the Customer reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Article 35 or 36 of the GDPR or pursuant to the equivalent provisions of any other EU Rule, but in each such case solely with regard to processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Service Provider. Such audit will be conducted at the Customer’s cost and expense, to the extent legally permitted.

7. SECURITY BREACH MANAGEMENT AND NOTIFICATION

7.1 Service Provider shall, in accordance with the EU Rules, notify the Customer and/or the supervisory authority as soon as any Personal Data Breach with respect to the Personal Data occurs, but no later than forty-eight (48) hours from the discovery of such a Personal Data Breach. Service Provider’s notification of or response to a Personal Data Breach under this Section 7.1 will not be construed as an acknowledgement by Service Provider of any fault or liability with respect to the Personal Data Breach.

7.2 Service Provider will use reasonable efforts to identity the cause of such Personal Data Breach and shall promptly and without undue delay: (a) investigate the Personal Data Breach and provide Customer with information about the Personal Data Breach, including if applicable, such information a Data Processor must provide to a Data Controller under Article 33(3) of the GDPR to the extent such information is reasonably available; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach to the extent the remediation is within Service Provider’s reasonable control The obligations herein shall not apply to any breach that is caused by Customer or authorized users. Notification will be delivered to Customer in accordance with Section 7.3 below.

7.3 Notification(s) of Personal Data Breaches, if any, will be delivered to one or more of Customer’s business, technical, organizational, or administrative contacts by any means Service Provider selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Service Provider’s support systems at all times.

8. OBLIGATIONS OF THE CUSTOMER

The Customer is solely responsible for:

8.1 Complying, at all times with the EU Rules with respect to the processing of Personal Data in connection with the Services Agreement and the Services;

8.2 Ensuring the processing of the Personal Data by Service Provider is lawful;

8.3 Where applicable, ensuring that legally binding consents to the collection, access, use, maintenance, and/or disclosure of the Personal Data in accordance with the EU Rules and Customer policies and procedures have been obtained from each individual and entity (including without limitation consumers, business Customers, and/or Customer employees and contractors) to whom the Personal Data relates;

8.4 Rendering any Personal Data on its systems unusable, unreadable, or indecipherable to unauthorized individuals in accordance with industry standards, applicable law, and any relevant Codes of Conduct;

8.5 Establishing the applicable information security safeguards and associated policies for protecting Personal Data in its facilities. Customer must communicate the relevant safeguards and policies to Service Provider with reasonable advance notice and in writing when Service Provider provides Services at a Customer facility or accesses Customer’s systems;

8.6 Promptly informing Service Provider of any policies it implements with respect to the processing and protection of Personal Data with express instructions as to how these policies should be implemented by Service Provider;

8.7 Promptly informing Service Provider of any request for erasure with respect to Data Subject’s Personal Data with detailed instructions as to how Service Provider should address the request; and

8.8 Providing to Service Provider and also promptly updating, when necessary, the information indicated below (where applicable): (a) identity and contact information of the Data Protection Officer of the Customer; (b) identity and contact information of the EU representative of the Customer; (c) description of the categories of processing carried out by Customer with respect to the Services; (d) types of Personal Data to be processed; and (e) categories of Data Subjects to whom the Personal Data relates.

9. INTERNATIONAL DATA TRANSFERS

9.1 Service Provider will only transfer Personal Data outside the EEA, United Kingdom, or Switzerland, where such transfers are regulated by the EU Rules, in compliance with the EU Rules. The Customer authorizes Service Provider (and authorizes Service Provider to authorize its sub-processors) to process Personal Data and to transfer Personal Data to those countries or territories where those sub-processors are located, consistent with the Services Agreement and this Privacy Addendum.

9.2 Transfers Pursuant to the Standard Contractual Clauses

9.2.1 The Standard Contractual Clauses shall apply to Personal Data that is transferred from the EEA, United Kingdom, or Switzerland, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the General Data Protection Regulation and any successor legislation thereto), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.

9.2.2 Where the Standard Contractual Clauses apply in accordance with Section 9.2.1:

9.2.2.1 Service Provider agrees to comply with the terms of the Standard Contractual Clauses, for the purposes of which Customer and those of its affiliates established in the EEA, United Kingdom, or Switzerland will be regarded as the Data Controller and Service Provider will be regarded as the Data Processor;

9.2.2.2 The governing law in Clause 9 of the Standard Contractual Clauses shall be the law of the Data Controller;

9.2.2.3 If so, required by the laws or regulatory procedures of any jurisdiction, the parties, or Service Provider and any one or more of its affiliates established in the EEA, United Kingdom, or Switzerland as required, shall execute, or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required;

9.2.2.4 In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this Privacy Addendum, the Services Agreement, or other agreements between the parties as regards the Services, the Standard Contractual Clauses shall take precedence;

9.2.2.5 In the event that the Standard Contractual Clauses are amended, replaced, or repealed by the European Commission or under EU Rules, the parties shall work together in good faith to enter into any updated version of the Standard Contractual Clauses or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with EU Rules; and

9.2.2.6 The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by the Data Processor to the Data Controller only upon Data Controller’s request.

10. GENERAL TERMS

10.1 Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of, or related to this Privacy Addendum whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the Services Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Services Agreement and this Privacy Addendum.

10.2 No alteration, amendment, or modification of this Privacy Addendum will be valid unless in writing and signed by an authorized representative of both parties.
10.3 Any ambiguity in the terms of this Privacy Addendum will be resolved to permit Service Provider or Customer to comply with the EU Rules.
10.4 Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of, or related to this Privacy Addendum whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the Services Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Services Agreement and this Privacy Addendum.

10.5 No alteration, amendment, or modification of this Privacy Addendum will be valid unless in writing and signed by an authorized representative of both parties.
10.6 Any ambiguity in the terms of this Privacy Addendum will be resolved to permit Service Provider or Customer to comply with the EU Rules.

10.7 This Privacy Addendum is the entire and complete agreement between the parties with respect to the privacy and security of Personal Data and supersedes any other agreements, representations, or understandings whether oral or written. All clauses of the Services Agreement, that are not explicitly amended or supplemented by the clauses of this Privacy Addendum, and as long as this does not contradict with compulsory requirements of EU Rules, under this Privacy Addendum, remain in full force and effect and shall apply, including, but not limited to: Choice of Law, Choice of Forum, Insurance, Limitation of Liability, Waiver of Jury Trial (to the maximum extent permitted by the EU Rules).

10.8 Should any provision of this Privacy Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Privacy Addendum will continue in effect.

10.9 If Service Provider makes a determination that it can no longer meet its obligations in accordance with this Privacy Addendum, it shall promptly notify the Customer of that determination, and cease the processing or take other reasonable and appropriate steps to remediate.

10.10 Notices required under this Privacy Addendum shall be sent according to the Services Agreement with a copy (which shall not constitute notice) to both the usual point of contact or support at Service Provider and via email to:

techsupport@m3as.com

ANNEX I – DETAILS OF PROCESSING

This Annex forms part of the Privacy Addendum.

1. Nature and Purpose of Processing

Service Provider will Process Personal Data as necessary to provide the Services pursuant to the Services Agreement, as further specified in a Statement of Work, and as further instructed by Customer in Customer’s use of the Services.

2. Duration of Processing
   Subject to the ‘Deletion or Return of Personal Data’ section of this Privacy Addendum, Service Provider will Process Personal Data for the duration of the Services Agreement, unless otherwise agreed in writing.
3. Categories of Data Subjects
   Customer may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Customer Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.

4. Categories of Personal Data
   Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

(a) Contact Information (as defined in the Services Agreement).

(b) Any other Personal Data submitted by, sent to, or received by Customer, or Customer customers or end users, via the Services.

5. Special Categories of Data (if appropriate)
   The parties do not anticipate the transfer of special categories of data.
6. Processing Operations
   Personal Data will be processed in accordance with the Services Agreement (including this Privacy Addendum) and may be subject to the following Processing activities:

(a) Storage and other Processing necessary to provide, maintain and improve the Services provided to Customer; and/or

(b) Disclosure in accordance with the Services Agreement (including this Privacy Addendum) and/or as compelled by applicable laws.

ANNEX II – SECURITY MEASURES

This Annex forms part of the Privacy Addendum.

M3 Accounting Services, Inc. currently observes the Security Measures described in this Annex II. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Services Agreement.

1. Access Control

(a) Preventing Unauthorized Access

i. Processing: Data collected is processed within the United States. Only telemetry data related to environmental logs and performance is processed by a third-party cloud infrastructure provider. Additionally, we may maintain contractual relationships with vendors in order to provide the Services in accordance with our Privacy Addendum. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
ii. Physical and environmental security: We host our infrastructure with a private, single-tenant, outsourced cloud infrastructure provider. The physical and environmental security controls are audited for SOC 2 Type II compliance.
iii. Authentication: We implement a uniform password policy for our customer products. Customers who interact with the Services via the user interface must authenticate before accessing non-public Customer data.
iv. Authorization: Customer data is stored in single-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

(b) Preventing Unauthorized Use
i. We implement industry standard access controls and detection capabilities for the internal networks that support our Services.
ii. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the infrastructure. The technical measures implemented differ between infrastructure providers and include traditional firewall rules.
iii. Intrusion detection and prevention: We implement a traditional firewall rule solution to protect our Services.
iv. Static code analysis: Security reviews of code stored in our source code repositories is performed, checking for coding best practices and identifiable software flaws.
v. Penetration testing: We maintain relationships with industry recognized penetration testing service providers for penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

(c) Limitations of Privilege & Authorization Requirements
i. Information access: A subset of our employees have access to the Services and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of privilege grants are initiated periodically. Employee roles are reviewed at least once annually.
ii. Background checks: All M3 employees undergo a background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All M3 employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

2. Transmission Control
   (a) In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces on every customer site hosted on M3 Services. Our HTTPS implementation uses industry standard algorithms and certificates.
   (b) At-rest: We have implemented technologies to ensure that stored specific personally identifiable information (PII) data is encrypted at rest using industry standard encryption methods.
   
3. Input Control

(a) Detection: We designed our infrastructure to log extensive information about the system behavior for critical resources. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

(b) Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Services Agreement.

4. Availability Control
   (a) Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime. The providers maintain full N+1 redundancy to power, network, and HVAC services for our private cloud hosted environments. For traditional colocation environment, no such guarantee is maintained.
   (b) Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple environments.
   (c) Online replicas and backups: Where feasible, production databases are designed to replicate data. Customer databases are backed up and maintained using at least industry standard methods.
   (d) The infrastructure is designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
   

ANNEX III- STANDARD CONTRACTUAL CLAUSES

STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope

(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29 (3) and (4) Regulation (EU) 2018/1725.
(c) These Clauses apply to the processing of personal data as specified in Annex II.
(d) Annexes I to IV are an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2
Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3
Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4
Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5
Docking Clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES
Clause 6
Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7
Obligations of the Parties

7.1 Instructions
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.

7.2 Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3 Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.

7.4 Security of processing

(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5 Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7 Use of sub-processors

(a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least thirty days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8 International transfers

(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8
Assistance to the controller

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions
(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
(4) the obligations in Article 32 Regulation (EU) 2016/679.
(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9
Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.

9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III – FINAL PROVISIONS
Clause 10
Non-compliance with the Clauses and termination

(a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I:
LIST OF PARTIES

Controller(s) – Referred to for the purposes of this Global Data Privacy Addendum as “Customer”
By logging into our application, you are confirming that you are a customer.
Processor(s) – Referred to for the purposes of this Global Data Privacy Addendum as “Service Provider”: ­:
Name: M3 Accounting Services, Inc.
1715 N Brown Road
Bldg. A, Suite 200
Lawrenceville, GA 30043
Casi Johnson, Chief Operations Officer
Date: 20 April 2022

ANNEX II:
DESCRIPTION OF THE PROCESSING

Categories of Data Subjects Whose Personal Data is Processed
Customer (also referred to as “Controller”) may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
Customer contacts and other end users, including your employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer end users.

Categories of Personal Data Processed
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

(a) Contact Information (as defined in the Services Agreement); and
(b) Any other Personal Data submitted by, sent to, or received by Customer or Customer’s customers or end users, via the Services.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Nature of the Processing
Service Provider will process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Statement of Work, and as further instructed by Customer in Customer’s use of the Services.

Purpose(s) for Which the Personal Data is Processed on Behalf of the Controller
Service Provider will process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Statement of Work, and as further instructed by Customer in Customer’s use of the Services.

Duration of the Processing
Subject to the “Deletion or Return of Personal Data” section of this DPA, Service Provider will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

ANNEX III:
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons. Examples of possible measures:

The Service Provider (“Processor”) will implement reasonable administrative, physical, managerial, and technical controls safeguards for the protection of the security, confidentiality, and integrity of Personal Data with respect to the Services in accordance with applicable legal requirements, and as set forth in Processor’s Section 6 of this DPA, Annex II-Security Measures to this DPA, and as otherwise agreed to by the Parties in writing. Processor will not materially decrease the overall security of the Services during the term of the Services Agreement.

ANNEX IV:
LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

1. Name: Microsoft Dynamics CRM
   Redmond Washington
   1-800-936-4900
   Microsoft CRM is hosted by Microsoft and is used to collect, manage and store prospect and customer information for the purposes of supporting through the help desk, sending email communication, and general customer information for the purposes of offering our products and services.
2. Name: SlickData
   252 Nassau St, 2nd Floor
   Princeton, NJ 08542
   Rocky Pavicevic, President
   rocky@slickdata.com
   Slickdata is contracted to provide ongoing maintenance and support for Microsoft CRM including testing, deployment, upgrades, and configuration changes to allow use of the application by M3 employees.
3. Name: Quality Technology Services
   300 Satellite Blvd. NW, Suwanee, GA 30024
   support@qtsdatacenters.com
   t. 866-239-5000
   QTS is a data center service provider hosting M3’s private cloud. QTS provisions hardware, networking and infrastructure used to support M3’s applications.
4. Name: Sisense
   1359 Broadway 4th Floor
   New York, NY 10018
   t. 646-432-1507
   info@sisense.com
   Sisense is deployed as an embedded business intelligence tool allowing for the aggregation of data from M3 applications and third-party data sources. Sisense supports M3’s efforts through on-going consulting and technical support.
5. Name: AWS
   United States
   https://aws.amazon.com/contact-us/?nc1=f_m
   AWS is used to host M3 applications that process information for payments. This service is a public cloud that hosts across multiple domains and various locations throughout the US.
6. Name: Fusebill
   232 Herzberg Road, Suite 203
   Ottawa, ON
   Canada, K2K2A1
   t. 613-656-0002
   Fusebill is a subscription billing software application that allows M3 to establish recurring billing to our customers. This application using billing contact information only for the purpose of properly managing the delivery of invoices and account management.
7. Name: Paymerang
   7401 Beaufont Springs Dr, Suite 300
   Richmond, VA 23225
   t. 877-680-7332
   Paymerang processes payments for customers that subscribe to their service including checks, ACH and electronic supplier payments. Each customer will sign their own agreements with Paymerang and grant access to information needed.
8. Name: SharpSpring
   5001 Celebration Point Ave, Suite 410
   Gainesville, GA 32608
   t. 888-428-9605
   Sharpspring is a marketing automation tool and lead tracking tool designed to allow M3 to communicate effectively to customers and to prospects that request more information.
9. Name: Bites and Bytes Document Services
   2700 Brasleton Hwy, Suite 10-353
   Dacula, GA 30019
   Sheldon Downs, CEO
   t. 404-382-8230
   Service provider for document imaging solution that is contracted for maintenance and support of on-prem document imaging solution. Engaged from time to time in testing, deployment, upgrades, and changes to the application as needed.

Non-GDPR Addendum

The following specific terms apply to all processing of Personal Information (as defined below) for the Customer as part of the services provided under the Services Agreement where the GDPR Addendum does not apply.

Whereas the parties have entered into a Services Agreement;

Whereas the parties would like to further specify the data privacy principles that apply to the Services Agreement;

Now, therefore, in consideration of the rights and obligations set forth in the Services Agreement, which they acknowledge, the Parties agree as follows:

1. Definitions
   1.1. Capitalized terms used but not defined in this Privacy Addendum will have the meanings assigned to them in the Services Agreement.
   1.2. “Business Contact Information” is defined as name, job title, department name, company name, business telephone, mobile phone number (if used for business purposes between Service Provider and Customer), business fax number, and business email address.
   1.3. “CCPA” is the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.
   1.4. “Personal Information” means information that is accessed, received, maintained, processed, stored, or transmitted by Service Provider on behalf of Customer within the scope of the Services Agreement, and includes an individual’s first name or first initial and last name in combination with any one or more of the following items: (i) social security number; (ii) driver’s license number or government-issued identification number; or (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. For clarity, Personal Information excludes Business Contact Information. For information covered by the CCPA, the above definition shall not apply and instead Personal Information shall use the applicable definition of Personal Information from the CCPA, subject to any applicable qualifications or exclusions contained in the CCPA.
   1.5. “Personal Information Request” means a request from a consumer under the CCPA to exercise the right to know or right to delete.
   1.6. “Security Breach” means an unauthorized acquisition or use of unsecured Personal Information that creates a substantial risk of identity theft or fraud against an individual. For clarity, a good faith acquisition of Personal Information by an employee or agent of Service Provider is not a Security Breach unless such employee or agent uses or discloses the Personal Information in an unauthorized manner.
   
2. General
   2.1. This Privacy Addendum amends and supplements the Services Agreement between the parties. The terms of this Privacy Addendum will apply to all processing of Personal Information that is not covered by the terms of the GDPR Addendum in relation to the services provided under the terms of the Services Agreement.
   2.2. Notices required under this Privacy Addendum shall be sent according to the Services Agreement with a copy (which shall not constitute notice) to both the usual point of contact or support at Service Provider and via email to techsupport@m3as.com.
   2.3. The Service Provider shall carry out the services and process Personal Information received from the Customer as set out in the Services Agreement or as otherwise notified in writing by the Customer to the Service Provider during the term of the Services Agreement.
   2.4. With respect to a Personal Information Request, Service Provider shall:
   2.4.1. To the extent legally permitted, promptly notify Customer if it receives a Personal Information Request. Taking into account the nature of the processing, Service Provider shall assist Customer by appropriate technical and organizational measures, to the extent possible, for the fulfillment of Customer’s obligation to respond to a Personal Information Request. Except to the extent required by applicable law, Service Provider shall not respond to any such Personal Information Request without Customer’s prior written consent except to confirm that the request relates to Customer.
   2.4.2. Upon Customer’s request, to the extent Customer, in its use of the Services, does not have the ability to address a Personal Information Request, provide reasonable efforts to assist Customer in responding to such Personal Information Request, to the extent Service Provider is legally permitted to do so and provided that such Personal Information Request is required. Any costs arising from such provision of assistance shall be the responsibility of Customer, to the extent legally permitted.
   
3. Permitted Uses and Disclosures

3.1. Service Provider shall use, disclose, and retain all Personal Information:
3.1.1. As specifically authorized in the Services Agreement and this Privacy Addendum;
3.1.2. Solely for the purpose of performing the services described in the Services Agreement; and
3.1.3. In accordance with applicable laws.
3.2. Service Provider shall not sell, rent, transfer, distribute, or otherwise disclose or make available any Personal Information to any third party without prior written permission from Customer, unless and to the extent required by law. Notwithstanding the foregoing, Service Provider has the right to use third parties, including offshore entities who employ foreign nationals, as well as employees and contractors of Service Provider’s affiliates and subsidiaries, who may also be foreign nationals, in performance of its obligations described in the Services Agreement, and Service Provider has the right to disclose Personal Information to such third parties provided that such third parties are subject to confidentiality obligations similar to those between Service Provider and Customer.

4. Data Security Obligations.
   4.1. Service Provider shall:
   4.1.1. Implement a comprehensive information security program which includes commercially reasonable technical, and administrative safeguards to protect the confidentiality of Personal Information that are no less rigorous than accepted security industry practices;
   4.1.2. Keep all Personal Information contained in any format (e.g., paper, computer system, and removable media) in a secure facility where access of unauthorized personnel is restricted;
   4.1.3. Install reasonably up-to-date firewall protection and operating system patches for files containing Personal Information on a system that is connected to the Internet;
   4.1.4. Install reasonably up-to-date versions of system security agent software which includes malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis, on systems vulnerable to malware and containing or channeling access to systems containing Personal Information;
   4.1.5. Implement secure user authentication protocols including:
   4.1.5.1. Control of user IDs and other identifiers;
   4.1.5.2. A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as token devices;
   4.1.5.3. Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   4.1.5.4. Restricting access to active users and active user accounts only; and
   4.1.5.5. Blocking access to user identification after multiple unsuccessful attempts to gain access or exceeding the limitation placed on access for the particular system;
   4.1.6. Implement secure access control measures that:
   4.1.6.1. Restrict access to records and files containing Personal Information to those who need such information to perform their job’s duties; and
   4.1.6.2. Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access that are reasonably designed to maintain the integrity of the security of the access controls;
   4.1.7. Use strong encryption in the following situations, where practicable:
   4.1.7.1. When Personal Information is transmitted over a public network (M3 requires the use of a Virtual Private Network (VPN) when using any type of public network);
   4.1.7.2. When Personal Information is stored on portable devices; and
   4.1.7.3. When Personal Information is stored on removable media and that media is in transit between physical locations;
   4.1.8. Provide ongoing employee training with respect to its information security program, the proper use of the computer security system, and the importance of Personal Information security;
   4.1.9. Designate responsibility for maintaining Service Provider’s comprehensive information security program;

4.1.10. Oversee its third-party service providers by taking reasonable steps to select and retain third-party service providers that are capable of maintaining security measures to protect Personal Information consistent with applicable laws;
4.1.11. Review the scope of its comprehensive security program at least once a year; and
4.1.12. Document responsive actions taken in connection with any incident involving a Security Breach, and mandatory post-incident reviews of events and actions taken, if any, in order to make changes in business practices relating to the protection of Personal Information.

5. Security Breach
   5.1. Service Provider will notify Customer of a Security Breach in the most expedient time possible and without unreasonable delay, subject to any law enforcement delay and taking into account any measures necessary to determine the scope of the Security Breach and restore the reasonable integrity of the data system.
   5.2. Service Provider will reasonably cooperate with Customer in any resulting investigation, reporting, or other obligations required by applicable law.

6. Obligations of Customer
   6.1. Customer is solely responsible for:
   6.1.1. Ensuring that the processing of the Personal Information is in compliance with all applicable laws;
   6.1.2. Ensuring that any consents required by law and/or Customer policies and procedures for the collection, access, use, maintenance, and/or disclosure of the Personal Information have been obtained from each individual and entity
   (including, without limitation, consumers, business Customers, and/or Customer employees and contractors) to whom the Personal Information relates.
   6.1.3. Rendering any Personal Information on its systems unusable, unreadable, or indecipherable to unauthorized individuals in accordance with industry standards. Customer acknowledges that it is Customer’s responsibility to encrypt all data on Customer’s systems and media components prior to providing such Personal Information to Service Provider for any reason.
   6.1.4. Establishing the applicable information security safeguards and associated policies for protecting Personal Information in its facilities. Customer must communicate the relevant safeguards and policies to Service Provider with reasonable advance notice and in writing when Service Provider provides services at a Customer facility or accesses Customer’s systems.
   6.1.5. Promptly informing the Service Provider of any policies that it implements with respect to the processing and protection of Personal Information with express instructions as to how these policies should be implemented by the Service Provider with mutual agreement that such policies would not interfere with existing M3 policies and procedures;
   6.1.6. Promptly informing the Service Provider of any security breaches with detailed instructions as to how the Service Provider should address the breach.
   6.2. Customers located outside the EEA, United Kingdom, or Switzerland shall inform the Service Provider before providing it with Personal Information relating to individuals located in the EEA, United Kingdom or Switzerland to ensure that the appropriate privacy protections are applied to that data. For purposes of this Privacy Addendum, the Customer is considered to be located in the country specified in the Services Agreement.
   
7. Miscellaneous
   7.1. No alteration, amendment, or modification of this Privacy Addendum will be valid unless in writing and signed by an authorized representative of both parties.
   7.2. Any ambiguity in the terms of this Privacy Addendum will be resolved to permit Service Provider or Customer to comply with applicable laws.
   7.3. This Privacy Addendum is the entire and complete agreement between the parties with respect to the privacy and security of Personal Information that is not covered by the GDPR Addendum and supersedes any other agreements, representations, or understandings whether oral or written. To the extent there are any inconsistencies between the terms of this Privacy Addendum and the terms of the Services Agreement, this Privacy Addendum will prevail. Notwithstanding the foregoing, for the sake of clarity, the limitation of liability set forth in the Services Agreement remains in full force and effect and applies to this Privacy Addendum.