StackAware Master Services Agreement (“MSA”)
Effective September 12, 2025
This MSA, together with (i) the order form identifying the customer, pricing, scope, and term (the “Order Form”), and (ii) any policies or addenda expressly
referenced herein (collectively, the “Agreement”), governs access to the Software and performance of Professional Services between VulnExchange, Inc. DBA StackAware
(“Provider”) and the entity identified as customer in the Order Form (“Customer”), each individually a "Party" and collectively the "Parties".
The Agreement is effective as of the effective date stated in the Order Form (the “Effective Date”).
1. Description of Offerings
Provider offers (a) access to its software service, application programming interfaces ("API"), and documentation
(collectively, the “Software”), and (b) professional, implementation, integration, advisory, or support services as described in an Order Form
(collectively, the “Professional Services,” and together with the Software, the “Offerings”).
2. Subscription; Term
- Term and Renewal. The Agreement begins on the Effective Date and continues for the initial term in the Order Form (the “Initial Term”). Thereafter, it renews for successive terms equal to the Initial Term (each, a “Renewal Term,” and together with the Initial Term, the “Subscription Term”) unless either Party gives notice of non-renewal at least 30 days before the end of the then-current term. If the Order Form specifies a free, trial, or pilot plan, either Customer or Provider may terminate on notice.
- Termination for cause. Either Party may terminate the Agreement or an affected Order Form upon 30 days’ written notice ("Notice Period") if the other Party materially breaches the Agreement and fails to cure within that time.
3. Fees; Payment
- Payment. Customer must pay Provider fees in the amount, frequency, timing, and method specified in the Order Form ("Fees").
- Changes at Renewal. Provider may update pricing effective on Renewal Terms with prior notice via email or within the Software.
- Non-Refundable. Except as expressly stated in this Agreement, all payments are non-refundable and non-cancellable.
- Survival. This entire section will survive the termination of the Agreement.
4. License
- Software Access. Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to access and use the Software by and for Customer’s employees and contractors authorized by Customer (“Authorized Users”) solely for Customer’s internal business purposes.
- Professional Services. Provider must perform Professional Services described in the Order Form.
5. Acceptable Use; Restrictions
Customer will (a) maintain the confidentiality, and not allow sharing between individual Authorized Users, of access credentials Provider issues to it; (b) be responsible for Authorized Users’ compliance with this Agreement; and (c) use the Offerings only in accordance with the Agreement and applicable law. Customer will not (and will not permit any third party to): (i) copy, modify, create derivative works of, frame, mirror, or reverse engineer the Software; (ii) bypass or compromise security or rate limits (except when operating within the scope of Provider's Vulnerability Disclosure Program); (iii) access the Service to build a competing product or benchmark for publication without prior written consent; (iv) rent, lease, sublicense, or provide the Offerings to third parties other than Authorized Users; (v) remove or obscure proprietary notices; (vi) upload unlawful content; or (vii) exceed the licensed metrics. Provider may suspend access for a violation of this Section.
6. Support
For paid plans, Provider must provide email support and use commercially reasonable efforts to respond within 72 of Customer inquiry.
7. Confidentiality
“Confidential Information” is all information Provider gives to Customer or Customer gives to Provider, whether of a technical, business,
financial, or any other nature, disclosed in any manner, whether verbally, electronically, visually, or in a written or other tangible form, which is either identified
or designated as confidential or which should be reasonably understood to be confidential.
The Party disclosing Confidential Information under this Agreement is the “Discloser,” and the Party receiving the Confidential Information is the “Recipient.”
- Exclusions. Confidential Information does not include information that:
  - is or becomes public without breach of the terms of this Agreement by Recipient;
  - was in Recipient's possession or was known by Recipient prior to its receipt from Discloser that is not under an obligation of confidentiality;
  - is or becomes available to Recipient without restriction on use or disclosure from a source already in legitimate possession of said Confidential Information, such source being other than Discloser;
  - is developed independently by Recipient without the use of Confidential Information; or
  - is disclosed for unrestricted release with the written approval of Discloser.
- Use and Duration. During the Term of this Agreement and for a period of two (2) years from the expiration or termination of this Agreement,
Recipient must not disclose Confidential Information of Discloser for any purpose except as contemplated under this Agreement,
unless the Confidential Information constitutes either of the below, in which case this prohibition will extend indefinitely:
  - a trade secret (as defined by the United States Defend Trade Secrets Act of 2016); or
  - personal data (as defined by the European Union General Data Protection Regulation).
- Access and Representatives. Recipient will limit access to Discloser’s Confidential Information to those employees, consultants, vendors, agents,
or attorneys (“Representatives”) who must have access to it in order to implement this Agreement and are under an obligation of confidentiality. Recipient will be liable for any breach of this Agreement by its Representatives.
- AI Processing. Recipient may process Confidential Information using machine learning or artificial intelligence (“AI”)
systems so long as Recipient obtains commercially reasonable assurances the resulting AI model is not both:
  - trained on Confidential Information; and
  - lawfully available to any person or entity aside from Discloser, Recipient, or Representatives of Recipient.
- Compelled Disclosure. Recipient will not be liable to Discloser for disclosure of Confidential Information if Recipient is obligated to
disclose the Confidential Information by order or regulation of any governmental entity so long as Recipient has given timely notification, to the extent
it is permissible under the circumstances, to Discloser prior to the date of disclosure and Recipient uses commercially reasonable efforts to obtain confidential
treatment of the requested Confidential Information.
- Remedies. Each Party recognizes that the unauthorized use or disclosure of Confidential Information could cause irreparable injury
to the Party to whom it relates. Each Party agrees that the Party injured or who might be injured by unauthorized use or disclosure of Confidential Information
will be entitled, in addition to any other remedies and damages available, to seek a temporary injunction to restrain violation of this Agreement by the other Party
and its agents, representatives, and employees.
- Usage Data. Provider may use information about Customer’s configuration and use of the Software, which does not identify Customer or reveal
Customer’s Confidential Information (“Usage Data”) to provide and improve the Software and provide insights, service, and feature
announcements, and other reporting. Provider owns Usage Data and may use it for any business purpose during or after the term of this Agreement, including
without limitation to develop and improve Provider products and Software and to create and distribute insights, reports, and other materials.
- DPA. If required by law, the parties will execute a data processing addendum (“DPA”) which is
incorporated by reference once executed simultaneously with the Order Form.
- Survival. This entire section will survive the termination of the Agreement.
8. Intellectual Property
- Intellectual Property Rights. Worldwide patent rights (including patent applications and disclosures), copyright rights, mask work rights, trademarks, trade secret rights, know-how, and any and all other
intellectual property or proprietary rights are collectively “Intellectual Property Rights”.
- Professional Services Deliverables. Professional Services Deliverables include all work products developed by Provider during the conduct of Professional Services but
explicitly exclude all materials Provider (1) owns or holds a license to use, (2) created prior to the Effective Date of this Agreement, (3) creates independently from the Professional Services
performed under this Agreement, or (4)
creates while performing the Professional Services under this Agreement that do not contain Customer Confidential Information, e.g. those related to the improvement, enhancement, modification,
or development of Provider’s Offerings.
- Ownership of Professional Services Deliverables. Contingent on Customer’s satisfaction of the payment terms in the relevant Order Form,
Provider agrees that all Professional Services Deliverables will be the sole and exclusive property of Customer. At that point,
Provider hereby irrevocably transfers and assigns to Customer, and agrees to irrevocably transfer and assign to Customer, all right, title and interest
in and to Professional Services Deliverables, including all Intellectual Property Rights therein.
- Provider Intellectual Property. Provider owns the Software and all Intellectual Property Rights therein.
- Feedback. Customer grants Provider a worldwide, royalty-free, irrevocable license to use suggestions or feedback to improve the Offerings without restriction.
- Survival. This entire section will survive the termination of the Agreement.
9. Warranties; Disclaimers
- Mutual Authority. Each Party represents it has validly entered into the Agreement and has the authority to do so.
- Professional Services Warranty. Provider warrants that the Software will materially conform to the then-current documentation and that Professional Services will be performed in a professional and workmanlike manner. Customer’s exclusive remedy for breach is re-performance, repair, or replacement. If Provider cannot cure within the Notice Period, Customer may terminate the affected Offering and receive a pro-rated refund of prepaid, unused Fees.
EXCEPT FOR THE FOREGOING, THE OFFERINGS AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR MEET CUSTOMER REQUIREMENTS.
- Survival. This entire section will survive the termination of the Agreement.
10. Miscellaneous
- Independent Contractor. Provider’s relationship with Customer will be that of an independent contractor acting as a service provider to Customer, and not that of an employee, worker, agent, or partner of Customer.
- Insurance. Provider will maintain commercially reasonable insurance coverage.
- Assignment. Neither Party may assign the Agreement without the other’s consent, except either Party may assign to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee assumes all obligations. Any prohibited assignment is void.
- Notices. All notices required or permitted under this Agreement will be in writing. All such notices will be sent to the email addresses set forth above or to such other email addresses as may be specified by either Party to the other Party in writing. Email notices will be deemed to have been received on the date sent unless the sender receives an immediate, automatic reply that delivery has failed (“Delivery Failure”), or that the recipient is out of the office (“Out of Office Response”). In the case of Delivery Failure, notice will nevertheless be deemed to have been received when originally sent by email if no more than 7 days later the sender delivers a tangible copy of that notice to the recipient’s mailing address. 7 days after the sender of a notice receives an Out of Office Response from the recipient, it will be deemed to have been received.
- Nature of advice. Provider is not a law, finance, or accounting firm and does not provide legal, financial, or accounting advice.
- Whistleblowing. Provider welcomes reports from whistleblowers about impropriety involving finance, security, human resources, or artificial intelligence use. Report via email (whistleblower@stackaware.com) or anonymously via internet form.
- Force Majeure. Neither Party shall be liable for failure or delay in performing its obligations hereunder because of riots, insurrection, fires, flood, storm, explosions, acts of God, war, governmental action, earthquakes, or any other causes that are beyond the reasonable control of such party.
- Governing Law. This Agreement, and any dispute or claim arising out of or related to this Agreement, including its breach or termination, shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without reference to conflict of laws principles.
- Amendments. Any amendment to this Agreement will be effective only if it is in writing, identifies itself as an amendment to this Agreement,
and is signed by the Parties ("Amendment"). The Order Form may, by referring to specific sections or provisions of this MSA, amend it. Each Party agrees that it will have no claim for innocent or negligent misrepresentation based on any provision of this Agreement.
- Entire Agreement. This Agreement constitutes the complete and exclusive understanding and agreement of the parties with respect to its subject matter
and supersedes all prior understandings and agreements, whether written or oral, with respect to its subject matter.
- Severability. If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law.
- Electronic signatures. Except where prohibited by law, the Parties consent to use electronic signatures to execute this Agreement and agree that such signatures are valid and binding on the parties.
- Calendar days. References to days in this Agreement are to calendar days.
- Publicity. Provider may identify Customer by name and logo (which Provider will use in accordance with Customer's commercially reasonable brand guidelines) as a customer.
- Survival. This entire section will survive the termination of the Agreement.
By executing the Order Form, Customer agrees that this MSA is incorporated by reference and forms part of a single, binding Agreement between Customer and Provider.