MOVEWORKS, INC. CUSTOMER AGREEMENT

This Customer Agreement (this “Agreement”) is between Moveworks, Inc., a Delaware corporation (“Moveworks”), and the customer who has executed an order form to purchase services from Moveworks (“Customer”). The Agreement is dated as of the effective date of the order form (the “Effective Date”).

Background

Moveworks has developed and makes available a SaaS-based artificial intelligence (AI) product that uses machine learning, conversational-AI and process automation to resolve IT issues (the “Moveworks Product”). Customer desires to use the Moveworks Product to augment its existing IT helpdesk.

1. DEFINITIONS

1.1       The following terms, when used in this Agreement will have the following meanings:

Affiliates means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with another entity, so long as such Control exists. For the purposes of this definition, “Control” means beneficial ownership of 50% or more of the voting power or equity in an entity.

Confidential Information means any information or data disclosed by either party that is marked or otherwise designated as confidential or proprietary or that should otherwise be reasonably understood to be confidential in light of the nature of the information and the circumstances surrounding disclosure. However, “Confidential Information” will not include any information which (a) is in the public domain through no fault of receiving party; (b) was properly known to receiving party, without restriction, prior to disclosure by the disclosing party; (c) was properly disclosed to receiving party, without restriction, by another person with the legal authority to do so; or (d) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information.

Documentation means the printed and digital instructions, on-line help files, technical documentation and user manuals made available by Moveworks for the Moveworks Product.

Order Form means an order form, quote or other similar document that sets forth the specific Moveworks Product and pricing therefor, and that references this Agreement and is mutually executed by the parties.

2. MOVEWORKS PRODUCT

2.1       Provision of Moveworks Product. Subject to the terms and conditions of this Agreement, Moveworks will make the Moveworks Product available to Customer pursuant to this Agreement, the Service Level Agreement attached in Exhibit A and the applicable Order Form, and hereby grants Customer a non-exclusive right to access and use the Moveworks Product to augment its internal IT helpdesk.

2.2       Data Security.

(a)        Moveworks will maintain a security program materially in accordance with industry standards that is designed to (i) ensure the security and integrity of Customer data uploaded by or on behalf of Customer to the Moveworks Product (“Customer Data”); (ii) protect against threats or hazards to the security or integrity of Customer Data; and (iii) prevent unauthorized access to Customer Data. In furtherance of the foregoing, Moveworks will maintain the administrative, physical and technical safeguards to protect the security of Customer Data that are described in the applicable Documentation and Exhibit B. Moveworks’ security safeguards include measures for preventing access, use, modification or disclosure of Customer Data by Moveworks personnel except (a) to provide the Moveworks Product and prevent or address service or technical problems, (b) as required by applicable law, or (c) as Customer expressly permits in writing or under this Agreement. Moveworks will not materially diminish the protections provided in this Section during the term of this Agreement.

(b)        To the extent that Moveworks processes any Personal Data (as defined in the DPA referenced below) contained in Customer Data that is subject to the GDPR (as defined in the DPA), on Customer’s behalf, in the provision of the Moveworks Product, the parties will execute a Data Processing Addendum ("DPA"), and attach such DPA to this Agreement.

2.3       Customer Limitations. The rights granted herein are subject to the following restrictions (the “License Restrictions”). Customer will not directly or indirectly:

(a)        reverse engineer, decompile, disassemble, modify, create derivative works of or otherwise create, attempt to create or derive, or permit or assist any third party to create or derive, the source code underlying the Moveworks Product;

(b)        attempt to probe, scan or test the vulnerability of the Moveworks Product, breach the security or authentication measures of the Moveworks Product without proper authorization or wilfully render any part of the Moveworks Product unusable;

(c)        use or access the Moveworks Product to develop a product or service that is competitive with Moveworks’ products or Product or engage in competitive analysis or benchmarking;

(d)        transfer, distribute, resell, lease, license, or assign Moveworks Product or otherwise offer the Moveworks Product on a standalone basis; or

(e)        otherwise use the Moveworks Product outside the scope expressly permitted hereunder and in the applicable Order Form.

2.4       Customer Responsibilities.

(a)        Customer acknowledges that Moveworks’ provision of the Moveworks Product is dependent on Customer providing all reasonably required cooperation (including the prompt provision of access to Customer’s applications (including, where necessary, any application programming interfaces made available to Customer from the application vendor), software systems, personnel, cooperation and materials as reasonably required and any other access as may be specified in the applicable Order Form), and Customer will provide all such cooperation in a diligent and timely manner.

(b)        Customer will (i) be responsible for all use of the Moveworks Product under its account (whether or not authorized), (ii) use commercially reasonable efforts to prevent unauthorized access to or use of the Moveworks Product and notify Moveworks promptly of any such unauthorized access or use and (iii) be responsible for obtaining and maintaining any equipment, software and ancillary services needed to connect to, access or otherwise use the Moveworks Product, including as set forth in the Documentation. Customer will be solely responsible for its failure to maintain such equipment, software and services, and Moveworks will have no liability for such failure (including under any service level agreement, if applicable). In addition, Customer will be responsible for ensuring that its systems (e.g., APIs) have sufficient bandwidth to use the Moveworks Product.

(c)        Customer will not use the Moveworks Product to transmit or provide to Moveworks any financial or medical information of any nature, or any sensitive personal data (e.g., social security numbers, driver’s license numbers, birth dates, personal bank account numbers, passport or visa numbers and credit card numbers).

2.5       Affiliates. Any Affiliate of Customer will have the right to enter into an Order Form executed by such Affiliate and Moveworks and this Agreement will apply to each such Order Form as if such Affiliate were a signatory to this Agreement. With respect to such Order Forms, such Affiliate becomes a party to this Agreement and references to Customer in this Agreement are deemed to be references to such Affiliate. Each Order Form is a separate obligation of the Customer entity that executes such Order Form, and no other Customer entity has any liability or obligation under such Order Form.

3. FEES

3.1       Fees. Customer will pay Moveworks the fees set forth in the Order Form. Except as otherwise specified herein or in any applicable Order Form, (a) fees are quoted and payable in United States dollars and (b) payment obligations are non-cancelable and non-pro-ratable for partial months, and fees paid are non-refundable.

3.2       Late Payment. Moveworks may suspend access to the Moveworks Product immediately upon notice if Customer fails to pay any amounts hereunder at least five (5) days past the applicable due date.

3.3       Taxes. All amounts payable hereunder are exclusive of any sales, use and other taxes or duties, however designated (collectively “Taxes”). Customer will be solely responsible for payment of all Taxes, except for those taxes based on the income of Moveworks. Customer will not withhold any taxes from any amounts due to Moveworks.

4. PROPRIETARY RIGHTS AND CONFIDENTIALITY

4.1       Proprietary Rights. As between the parties, Moveworks exclusively owns all right, title and interest in and to the Moveworks Product and Moveworks’ Confidential Information, and Customer exclusively owns all right, title and interest in and to the Customer Data and Customer’s Confidential Information.

4.2      Feedback. Customer may from time to time provide Moveworks suggestions or comments for enhancements or improvements, new features or functionality or other feedback (“Feedback”) with respect to the Moveworks Product. Moveworks will have full discretion to determine whether or not to proceed with the development of any requested enhancements, new features or functionality. Moveworks will have the full, unencumbered right, without any obligation to compensate or reimburse Customer, to use, incorporate and otherwise fully exercise and exploit any such Feedback in connection with its products and services.

4.3      Confidentiality. Each party agrees that it will use the Confidential Information of the other party solely in accordance with the provisions of this Agreement and it will not disclose, or permit to be disclosed, the same directly or indirectly, to any third party without the other party’s prior written consent, except as otherwise permitted hereunder. However, either party may disclose Confidential Information (a) to its employees, officers, directors, attorneys, auditors, financial advisors and other representatives who have a need to know and are legally bound to keep such information confidential by confidentiality obligations consistent with those of this Agreement; and (b) as required by law (in which case the receiving party will provide the disclosing party with prior written notification thereof, will provide the disclosing party with the opportunity to contest such disclosure, and will use its reasonable efforts to minimize such disclosure to the extent permitted by applicable law. Neither party will disclose the terms of this Agreement to any third party, except that either party may confidentially disclose such terms to actual or potential lenders, investors or acquirers. Each party agrees to exercise due care in protecting the Confidential Information from unauthorized use and disclosure. In the event of actual or threatened breach of the provisions of this Section or the License Restrictions, the non-breaching party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it. Each party will promptly notify the other in writing if it becomes aware of any violations of the confidentiality obligations set forth in this Agreement.

4.4      Machine Learning. Customer acknowledges that a fundamental component of the Moveworks Product is the use of machine learning for the purpose of improving and providing Moveworks’ products and services. Notwithstanding anything to the contrary, Customer agrees that Moveworks is hereby granted the right to use (during and after the term hereof) IT helpdesk ticket information submitted hereunder to train its algorithms internally through machine learning techniques for such purpose.

4.5       Performance Metrics. Customer further agrees that Moveworks has the right to aggregate, collect and analyze data and other information relating to the performance of the Moveworks Product and shall be free (during and after the term hereof) to (i) use such data and other information to improve Moveworks’ products and services, and (ii) disclose such data and other information solely in an aggregated and anonymized format that does not identify Customer or any individual.

5. WARRANTIES AND DISCLAIMERS

5.1       Moveworks. Moveworks warrants that it will, consistent with prevailing industry standards, perform the Moveworks Product in a professional and workmanlike manner and the Moveworks Product will conform in all material respects with the Documentation. For material breach of the foregoing express warranty, Customer’s exclusive remedy shall be the re-performance of the deficient Moveworks Product or, if Moveworks cannot re-perform such deficient Moveworks Product as warranted, Customer shall be entitled to terminate the applicable Order Form in accordance with Section 8.2(a) and recover a pro-rata portion of the fees paid to Moveworks for such deficient Moveworks Product.

5.2       Customer. Customer warrants that it has all rights necessary to provide any information, data or other materials that it provides hereunder, and to permit Moveworks to use the same as contemplated hereunder.

5.3       DISCLAIMERS. EXCEPT AS EXPRESSLY SET FORTH HEREIN, EACH PARTY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMER ACKNOWLEDGES THAT THE MOVEWORKS PRODUCT IS BASED ON PREDICTIVE STATISTICAL MODELS, AND ARE INTENDED TO AUGMENT THE EFFICIENCY OF, BUT NOT REPLACE, CUSTOMER’S IT HELPDESK. THE MOVEWORKS PRODUCT MAY CONTAIN BUGS, MAKE ERRORS OR MISINTERPRET IT ISSUES, AND IN SUCH CASES MOVEWORKS CAN DISENGAGE ANY FUNCTIONALITY OF THE MOVEWORKS PRODUCT AT CUSTOMER’S REQUEST. MOVEWORKS DOES NOT REPRESENT OR WARRANT THAT ANY OR ALL IT HELPDESK TICKETS WILL BE RESOLVED OR THAT HUMAN INTERVENTION WILL NOT BE REQUIRED TO RESOLVE AN IT HELPDESK TICKET.

5.4       BETA PRODUCTS. FROM TIME TO TIME, CUSTOMER MAY HAVE THE OPTION TO PARTICIPATE IN A PROGRAM WITH MOVEWORKS WHERE CUSTOMER GETS TO USE ALPHA OR BETA PRODUCTS, FEATURES OR DOCUMENTATION (COLLECTIVELY, “BETA PRODUCTS”) OFFERED BY MOVEWORKS. THE BETA PRODUCTS ARE NOT GENERALLY AVAILABLE AND ARE PROVIDED “AS IS”. MOVEWORKS DOES NOT PROVIDE ANY INDEMNITIES, SERVICE LEVEL COMMITMENTS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, IN RELATION THERETO. CUSTOMER OR MOVEWORKS MAY TERMINATE CUSTOMER’S ACCESS TO THE BETA PRODUCTS AT ANY TIME.

6. INDEMNIFICATION

6.1       Indemnity by Moveworks. Moveworks will defend Customer against any claim, demand, suit, or proceeding (“Claim”) made or brought against Customer by a third party alleging that the use of the Moveworks Product as permitted hereunder infringes or misappropriates a United States patent, copyright or trade secret and will indemnify Customer for any damages finally awarded against (or any settlement approved by Moveworks) Customer in connection with any such Claim; provided that (a) Customer will promptly notify Moveworks of such Claim, (b) Moveworks will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Moveworks may not settle any Claim without Customer’s prior written consent, which will not be unreasonably withheld, unless it unconditionally releases Customer of all related liability) and (c) Customer reasonably cooperates with Moveworks in connection therewith. If the use of the Moveworks Product by Customer has become, or in Moveworks’ opinion is likely to become, the subject of any claim of infringement, Moveworks may at its option and expense (i) procure for Customer the right to continue using and receiving the Moveworks Product as set forth hereunder; (ii) replace or modify the Moveworks Product to make it non-infringing (with comparable functionality); or (iii) if the options in clauses (i) or (ii) are not reasonably practicable, terminate this Agreement and provide a pro rata refund of any prepaid fees corresponding to the terminated portion of the applicable subscription term. Moveworks will have no liability or obligation with respect to any Claim if such Claim is caused in whole or in part by (A) compliance with designs, guidelines, plans or specifications provided by Customer; (B) use of the Moveworks Product by Customer not in accordance with this Agreement; (C) modification of the Moveworks Product by any party other than Moveworks without Moveworks’ express consent; (D) Customer Confidential Information or (E) the combination, operation or use of the Moveworks Product with other applications, portions of applications, product(s) or services where the Moveworks Product would not by itself be infringing (clauses (A) through (E), “Excluded Claims”). This Section states Moveworks’ sole and exclusive liability and obligation, and Customer’s exclusive remedy, for any claim of any nature related to infringement or misappropriation of intellectual property.

6.2       Indemnification by Customer. Customer will defend Moveworks against any Claim made or brought against Moveworks by a third party arising out of the Excluded Claims, and Customer will indemnify Moveworks for any damages finally awarded against (or any settlement approved by Customer) Moveworks in connection with any such Claim; provided that (a) Moveworks will promptly notify Customer of such Claim, (b) Customer will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Customer may not settle any Claim without Moveworks’ prior written consent, which will not be unreasonably withheld, unless it unconditionally releases Moveworks of all liability) and (c) Moveworks reasonably cooperates with Customer in connection therewith.

7. LIMITATION OF LIABILITY

EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS OR A BREACH OF CONFIDENTIALITY OR THE LICENSE RESTRICTIONS, UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY BE LIABLE TO THE OTHER UNDER THIS AGREEMENT FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY CHARACTER, INCLUDING DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOST SALES OR BUSINESS, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST CONTENT OR DATA, EVEN IF A REPRESENTATIVE OF SUCH PARTY HAS BEEN ADVISED, KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, OR (B) EXCLUDING CUSTOMER’S PAYMENT OBLIGATIONS, ANY DIRECT DAMAGES, COSTS, OR LIABILITIES IN EXCESS OF THE AMOUNTS PAID BY CUSTOMER UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE (12) MONTHS PRECEDING THE INCIDENT OR CLAIM.

8. TERMINATION

8.1       Term. The term of this Agreement will commence on the Effective Date of the initial Order Form and continue until terminated as set forth below. The initial term of each Order Form will begin on the Order Form Effective Date of such Order Form and will continue for the subscription term set forth therein. Except as set forth in such Order Form, the term of such Order Form will automatically renew for successive renewal terms equal to the length of the initial term of such Order Form, unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.

8.2       Termination. Each party may terminate this Agreement upon written notice to the other party if there are no Order Forms then in effect. Each party may also terminate this Agreement or the applicable Order Form upon written notice in the event (a) the other party commits any material breach of this Agreement or the applicable Order Form and fails to remedy such breach within thirty (30) days after written notice of such breach or (b) subject to applicable law, upon the other party’s liquidation, commencement of dissolution proceedings or assignment of substantially all its assets for the benefit of creditors, or if the other party become the subject of bankruptcy or similar proceeding that is not dismissed within sixty (60) days.

8.3       Deletion of Customer Data. Customer has up to thirty (30) days after contract expiration or termination to request that Moveworks delete Customer Data. Unless the parties agree in writing, Moveworks will not be obligated to retain any Customer Data more than thirty (30) days after termination of this Agreement.

8.4       Survival. Upon termination of this Agreement all rights and obligations will immediately terminate except that any terms or conditions that by their nature should survive such termination will survive, including the License Restrictions and terms and conditions relating to proprietary rights and confidentiality, disclaimers, indemnification, limitations of liability and termination and the general provisions below.

8.3       Deletion of Customer Data. Customer has up to thirty (30) days after contract expiration or termination to request that Moveworks delete Customer Data. Unless the parties agree in writing, Moveworks will not be obligated to retain any Customer Data more than thirty (30) days after termination of this Agreement.

9. GENERAL

9.1       Insurance. Moveworks shall, during the term of this Agreement, maintain in force the following insurance coverage at its own cost and expense: (a) Statutory Worker’s Compensation and Employer’s Liability as required by state law with a minimum limit of $1,000,000 each accident / $1,000,000 each disease / $1,000,000 policy limit per occurrence, Disability and Unemployment Insurance, and all other insurance as required by law, including Employer’s Liability Insurance with limits of no less than $1,000,000 per occurrence, or any amount required by applicable law, whichever is greater; (b) Commercial General Liability, on an occurrence basis, including premises-operations, product completed-operations, broad form property damage, contractual liability, independent contractors and personal liability, with a minimum combined single limit of $1,000,000 per occurrence, naming Customer as an additional insureds; and (c) Professional Errors and Omissions coverage covering the Moveworks Product, with coverage limits of not less than $2,000,000 per claim or per occurrence/$2,000,000 aggregate, placed either on an “occurrence” basis or on a “claims made” basis.

9.2      Export Compliance. Each party will comply with the export laws and regulations of the United States, European Union and other applicable jurisdictions in providing and using the Moveworks Product.

9.3      Publicity. Customer agrees that Moveworks may refer to Customer’s name and trademarks in Moveworks’ marketing materials and website; however, Moveworks will not use Customer’s name or trademarks in any other publicity (e.g., press releases, customer references and case studies) without Customer’s prior written consent (which may be by email).

9.4       Assignment; Delegation. Neither party hereto may assign or otherwise transfer this Agreement, in whole or in part, without the other party’s prior written consent, except that either party may assign this Agreement without consent to a successor to all or substantially all of its assets or business related to this Agreement. Any attempted assignment, delegation, or transfer by either party in violation hereof will be null and void. Subject to the foregoing, this Agreement will be binding on the parties and their successors and assigns.

9.5       Amendment; Waiver. No amendment or modification to this Agreement, nor any waiver of any rights hereunder, will be effective unless assented to in writing by both parties. Any such waiver will be only to the specific provision and under the specific circumstances for which it was given and will not apply with respect to any repeated or continued violation of the same provision or any other provision. Failure or delay by either party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.

9.6        Relationship. Nothing contained herein will in any way constitute any association, partnership, agency, employment or joint venture between the parties hereto, or be construed to evidence the intention of the parties to establish any such relationship. Neither party will have the authority to obligate or bind the other in any manner, and nothing herein contained will give rise or is intended to give rise to any rights of any kind to any third parties.

9.7        Unenforceability. If a court of competent jurisdiction determines that any provision of this Agreement is invalid, illegal, or otherwise unenforceable, such provision will be enforced as nearly as possible in accordance with the stated intention of the parties, while the remainder of this Agreement will remain in full force and effect and bind the parties according to its terms.

9.8        Governing Law. This Agreement will be governed by the laws of the State of California, exclusive of its rules governing choice of law and conflict of laws. This Agreement will not be governed by the United Nations Convention on Contracts for the International Sale of Goods.

9.9        Notices. Any notice required or permitted to be given hereunder will be given in writing by personal delivery, certified mail, return receipt requested, or by overnight delivery. Notices to the parties must be sent to the respective address set forth in the signature blocks below, or such other address designated pursuant to this Section.

9.10        Entire Agreement. This Agreement comprises the entire agreement between Customer and Moveworks with respect to its subject matter, and supersedes all prior and contemporaneous proposals, statements, sales materials or presentations and agreements (oral and written). No oral or written information or advice given by Moveworks, its agents or employees will create a warranty or in any way increase the scope of the warranties in this Agreement.

9.11        Force Majeure. Neither Party will be deemed in breach hereunder for any cessation, interruption or delay in the performance of its obligations due to causes beyond its reasonable control (“Force Majeure Event”), including earthquake, flood, or other natural disaster, act of God, labor controversy, civil disturbance, terrorism, war (whether or not officially declared), cyber attacks (e.g., denial of service attacks), or the inability to obtain sufficient supplies, transportation, or other essential commodity or service required in the conduct of its business, or any change in or the adoption of any law, regulation, judgment or decree.

9.12      Government Terms. Moveworks provides the Moveworks Product, including related software and technology, for ultimate federal government end use solely in accordance with the terms of this Agreement. If Customer (or any of its customers) is an agency, department, or other entity of any government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Moveworks Product, or any related documentation of any kind, including technical data, software, and manuals, is restricted by the terms of this Agreement. All other use is prohibited and no rights than those provided in this Agreement are conferred. The Moveworks Product was developed fully at private expense.

9.13      Interpretation. For purposes hereof, “including” means “including without limitation”.

EXHIBIT A

SERVICE LEVEL AGREEMENT

AVAILABILITY COMMITMENT.

The Moveworks Product will be Available 99.9% of the time, measuredly on a calendar monthly basis (the “Availability Commitment”). “Availability” means that the Moveworks Product is available to receive IT helpdesk tickets or IT helpdesk communications from Customer’s employees or other personnel. Availability measures will not include downtime resulting from:

  • Upgrades: Moveworks makes regular upgrades on a weekly basis between 5pm and midnight Pacific Time. Moveworks will provide notice to Customer in the event downtime due to upgrades is expected to exceed 1 hour.
  • Maintenance: Moveworks will use commercially reasonable efforts to provide Customers with email notification of all maintenance periods expected to exceed 1 hour. These maintenance periods will involve applying critical security patches and other emergency repairs to the Moveworks infrastructure.

The Availability Commitment does not apply to any downtime of the Moveworks Product that results from:

  • Account suspension or termination due to Customer’s breach of the Agreement;
  • Disengagement of functionality of the Moveworks Product due to Customer’s request;
  • Force Majeure Events; or
  • Customer’s or its service provider’s (e.g., ServiceNow, Slack, Skype, Microsoft Bot Framework, Okta, etc.) equipment, software or other technology.

Moveworks will provide customers with reports on Availability upon request.

CREDIT.

If Moveworks fails to achieve the above Availability for the Moveworks Product, Customer may claim a credit based on a monthly pro-rated amount of the annual subscription fee, as provided below.

PERCENTAGE AVAILABILITY
PER MONTH

CREDIT

99.9-100.0

0%

97.0-99.89

4%

94.0-96.99

6%

92.0-93.99

10%

Below 92.0

50%

Customer will not be entitled to a credit if it is in breach of its Agreement with Moveworks, including payment obligations. To receive a credit, a Customer must file a claim for such credit within five (5) days following the end of the month in which the Availability Commitment was not met by contacting Moveworks at support@moveworks.ai with a complete description of the downtime, how Customer was adversely affected, and for how long.

The credit remedy set forth in this Service Level Agreement is Customer’s sole and exclusive remedy for the unavailability of the Moveworks Product.

CUSTOMER SUPPORT.

Moveworks live technical support business hours will start at 9:00 am Pacific Time and run until 5:00 pm Pacific Time on weekdays. Technical support can be contacted via email at support@moveworks.ai or via shared channels in the customer communication platform.

Communication Channels:

EMAIL

PHONE

COMMUNICATION TOOL

support@moveworks.ai

408-435-5100Shared Moveworks Skype/Teams/Slack channel

Live technical support will not be available on Christmas Day (December 25) and New Year’s Day (January 1). Limited technical support will be available during the hours listed above during Moveworks holidays. The current Moveworks holidays are set forth below:

  • Presidents Day (third Monday of February)
  • Memorial Day (last Monday of May)
  • Independence Day (July 4)
  • Labor Day (first Monday of September)
  • Thanksgiving Day (fourth Thursday in November)
  • Christmas Eve (December 24)
  • New Year’s Eve (December 31)

EXHIBIT B

DATA SECURITY REQUIREMENTS

Moveworks maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Moveworks’ business; (b) the type of information that Moveworks will store; and (c) the need for security and confidentiality of such information.

Moveworks’ security program includes:

1.       Security Awareness and Training. A mandatory security awareness and training program for all members of Moveworks’ workforce (including management), which includes:

  • Training on how to implement and comply with its Information Security Program; and
  • Promoting a culture of security awareness through periodic communications from senior management with employees.

2.       Access Controls. Policies, procedures, and logical controls:

  • To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
  • To prevent those workforce members and others who should not have access from obtaining access; and
  • To remove access in a timely basis in the event of a change in job responsibilities or job status.

3.       Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the production data center, if applicable, is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes. These controls are implemented by Amazon Web Services (AWS) and they are listed here: https://aws.amazon.com/compliance/data-center/controls/. Specific to Moveworks:

  • Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;
  • Camera surveillance systems at critical internal and external entry points to the data center, with retention of data per legal or compliance requirements;
  • Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and
  • Redundant power supply modules and backup generators that provide backup power in the event of an electrical failure, 24 hours a day.

4.       Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:

  • Roles and responsibilities: formation of an internal incident response team with a response leader;
  • Investigation: assessing the risk the incident poses and determining who may be affected;
  • Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data;
  • Recordkeeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and
  • Audit: conducting and documenting root cause analysis and remediation plan.

5.       Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:

  • Data Backups: A policy for performing periodic backups of production data sources, as applicable, according to a defined schedule;
  • Disaster Recovery: A formal disaster recovery plan for the production data center, including:
  • Requirements for the disaster plan to be tested on a regular basis, currently twice a year; and
  • A documented executive summary of the Disaster Recovery testing, at least annually, which is available upon request to customers.
  • Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.

6.       Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.

7.       Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.

8.       Storage and Transmission Security. Security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Customer Data stored on desktops, laptops or other removable storage devices.

9.       Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.

10.       Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of Moveworks’ security program, including:

  • Designating a security official with overall responsibility;
  • Defining security roles and responsibilities for individuals with security responsibilities; and
  • Designating a Security Council consisting of cross-functional management representatives to meet on a regular basis.

11.       Testing. Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified. Where applicable, such testing includes :

  • Internal risk assessments;
  • ISO 27001 and ISO 27018 certifications (in progress); and
  • Service Organization Control 1 (SOC1) and Service Organization Control 2 (SOC2) audit reports (or industry-standard successor reports).

12.       Monitoring. Network and systems monitoring, including error logs on servers, disks and security events for any potential problems. Such monitoring includes:

  • Reviewing changes affecting systems handling authentication, authorization, and auditing;
  • Reviewing privileged access to Moveworks production systems; and
  • Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.

13.       Change and Configuration Management. Maintaining policies and procedures for managing changes Moveworks makes to production systems, applications, and databases. Such policies and procedures include:

  • process for documenting, testing and approving the patching and maintenance of the Moveworks Product;
  • A security patching process that requires patching systems in a timely manner based on a risk analysis; and
  • A process for Moveworks to utilize a third party to conduct application level security assessments. These assessments generally include testing, where applicable, for:
  • Cross-site request forgery
  • Services scanning
  • Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
  • XML and SOAP attacks

o Weak session management

o Data validation flaws and data model constraint inconsistencies

o Insufficient authentication

o Insufficient authorization

14.       Program Adjustments. Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:

  • Any relevant changes in technology and any internal or external threats to Moveworks or the Customer Data;
  • Security and data privacy regulations applicable to Moveworks; and
  • Moveworks’ own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

15.       Devices – Ensuring that all laptop and desktop computing devices utilized by Moveworks and any subcontractors when accessing Customer Data:

  • will be equipped with a minimum of AES 128-bit full hard disk drive encryption;
  • will have up to date virus and malware detection and prevention software installed with virus definitions updated on a regular basis; and
  • will maintain virus and malware detection and prevention software so as to remain on a supported release. This will include, but not be limited to, promptly implementing any applicable security-related enhancement or fix made available by the supplier of such software.