Search

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

‘@ DARKTRACE

(c) Customer’s continued allegedly infringing activity after being notified thereof and being provided with modifications that
would have avoided the alleged infringement (which in implementing such modifications, Darktrace will use commercially
reasonable efforts to have substantially preserve the utility and functionality of the Offering or other intellectual property
that is the subject of the claim); (d) Customer’s use of the Software that is the subject of the claim in a manner not in
accordance with this Agreement or the Documentation; (e) use of other than Darktrace’s most current release of the
Software that is the subject of the claim if the third party claim would have been avoided by use of the most current release
or revision release or revision.

10.3. Remedies. If Darktrace reasonably believes the Software infringes a third party’s Intellectual Property Rights, then
Darktrace will, at its option and at no additional cost to Customer: (a) procure for Customer the right to continue to use the
Software; (b) replace the Software; or (c) modify the Software to avoid the alleged infringement. If none of the options in
the previous sentence are commercially reasonable, Darktrace may terminate the licence for the allegedly infringing
Software and refund a pro rata refund of the Fees paid by Customer from the date a third party claim arose for the allegedly
infringing Software to the then-current date, whereupon this Agreement will automatically terminate.

10.4. THIS CLAUSE 10 IS ACOMPLETE STATEMENT OF THE CUSTOMER’S REMEDIES FOR THIRD PARTY CLAIMS FOR INFRINGEMENT
AS DESCRIBED IN CLAUSE 10.1.

11. CUSTOMER DATA; CUSTOMER UNDERTAKINGS AND INDEMNITY

11.1. Customer Data; Licence Grant. Customer will own all right, title and interest in and to the Customer Data and to the extent
such Customer Data is included in a Report, the actual content of such Report. For any Customer Data stored on the
Appliance, to the extent required to provide the Services, Customer grants to Darktrace a limited, and non-exclusive licence
to access and use the Customer Data only to the extent necessary for Darktrace to perform the Services. Customer agrees
Darktrace may utilise the details of any Alerts occurring in Customer’s network and any connected data source to develop
the Offering on an anonymised basis and excluding any Customer Confidential Information.

11.2. Customer Security Obligations. In using the Offering or authorising its Outsource Provider and third parties to use it on
Customer’s behalf, Customer (and not Darktrace) will be responsible for establishing, monitoring, and implementing security
practices to control the physical access to and use of the Offering and all Customer Data therein, including Personal Data.

11.3. DATA DISCLAIMER; INDEMNITY. CUSTOMER IS SOLELY RESPONSIBLE FOR ITS USE OF THE OFFERING, THE ACTIVITIES OF ITS
USERS AND FOR THE ACCURACY, INTEGRITY, LEGALITY, RELIABILITY AND APPROPRIATENESS OF ALL CUSTOMER DATA.
CUSTOMER EXPRESSLY RECOGNISES THAT DARKTRACE DOES NOT CREATE OR ENDORSE ANY CUSTOMER DATA PROCESSED
BY OR USED IN CONJUNCTION WITH THE OFFERING. CUSTOMER FURTHER ACKNOWLEDGES THAT DARKTRACE AND ITS
AFFILIATES DO NOT PROVIDE BACKUP SERVICES FOR CUSTOMER DATA AND CUSTOMER UNDERTAKES THAT IT SHALL BE
SOLELY RESPONSIBLE FOR BACKUP OF ALL CUSTOMER DATA. Customer will, at Customer’s own expense, indemnify, defend
and hold Darktrace, its Affiliates, and their respective officers, directors, and employees, (“Darktrace_Indemnitees”)
harmless from and against all liabilities, damages, and costs, including settlement costs and reasonable attorneys’ fees,
incurred by reason of Darktrace's compliance with the instructions of Customer with respect to the ownership, custody,
processing or disposition of the Customer Data by Darktrace, as applicable.

12. LIMITATION OF LIABILITY

12.1. LIMITATION OF LIABILITY. SUBJECT TO THE REMAINDER OF THIS CLAUSE 12, EACH PARTY’S MAXIMUM LIABILITY TO THE
OTHER PARTY FOR ANY AND ALL CLAIMS, LOSS OR DAMAGE, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH
OF STATUTORY DUTY, OR OTHERWISE, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED, IN
THE AGGREGATE, THE TOTAL AMOUNT OF ALL FEES PAID OR PAYABLE TO DARKTRACE FOR THE OFFERING DURING THE THEN-
APPLICABLE TERM, EXCEPT THAT IN RESPECT OF (I) CLAUSE 11.3 (“DATA DISCLAIMER; INDEMNITY”) AND (II) CLAUSE 15 (“DATA
PROTECTION”) EACH PARTY’S LIABILITY TO THE OTHER FOR ALL SUCH BREACHES SHALL NOT EXCEED, IN THE AGGREGATE , THE
GREATER OF (A) THREE TIMES (3X) TOTAL FEES PAID OR PAYABLE TO DARKTRACE FOR THE OFFERING DURING THE THEN-
APPLICABLE TERM OR (B) ONE MILLION FIVE HUNDRED THOUSAND U.S. DOLLARS ($1,500,000).

12.2. EXCLUSION OF CONSEQUENTIAL DAMAGES. SUBJECT TO CLAUSE 12.3 BELOW, NEITHER PARTY SHALL BE LIABLE TO THE
OTHER FOR ANY INDRECT OR CONSEQUENTIAL LOSS; OR ANY LOSS OF PROFITS; LOSS OF REVENUE OR BUSINESS; LOSS OF
GOODWILL OR REPUTATION; LOSS OF OR CORRUPTION OR DAMAGE TO DATA; LOSS OF MANAGEMENT TIME, HOWSOEVER
ARISING AND WHETHER OR NOT SUCH PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS, CORRUPTION OR

V09.12.2020 MCA SHRINKWRAP 6

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

12.3.

13.

13.1.

13.2.

13.3.

13.4.

13.5.

13.6.

14.

14.1.

‘@ DARKTRACE

DAMAGE.

Exclusions from Limitation of Liability. Nothing in this Agreement will exclude or limit either Party’s liability for: (i) for death
or personal injury due to negligence; (ii) fraud; (iii) breach of Clause 14 (“Confidentiality”); (iv) breach of Clause 5 (“Licence
Grant for the Software and Restrictions”), (v) Gross Negligence or Willful Misconduct; or (vi) for any other matter in respect
of which liability cannot lawfully be limited or excluded. For purposes of the foregoing, “Gross Negligence” means the
performance or failure of performance by a party of a manifest duty at law (not being a contractual breach) with a wanton
and reckless disregard of the consequences of such failure as they may affect the life, property or right of the other party;
and “Willful Misconduct” means an action undertaken by a party with the malicious intent to cause harm to the other party.

TERM; TERMINATION

Term. This Agreement is effective from the Effective Date and will remain in force until: (i) expiry of the Evaluation Period
in accordance with Clause 2.1 above; or (ii) the end of the term specified in a Product Order Form (as applicable the “Term”).
In the event of extension or renewal of the Product Order Form, such extension or renewal shall be considered a new and
separate Term.

Expiration of the Term. Notwithstanding any provision of this Clause 13, Customer’s right to use, and Customer’s access
to, the Appliance will automatically terminate on expiry of the Term unless and until Customer renews or extends the Term
for the Appliance.

Termination for Breach. Either Party may terminate this Agreement if: (i) the other Party is in material breach of the
Agreement and fails to cure such breach within thirty (30) days after receipt of written notice; or (ii) the other Party ceases
its business operations or becomes subject to insolvency proceedings, which proceedings are not dismissed within thirty
(30) days.

Termination or Suspension by Darktrace. Without prejudice to any other right or remedy available to Darktrace:

13.4.1. Darktrace may restrict, suspend or terminate Customer’s licence or use of the Offering without liability if a court or
other government authority issues an order prohibiting Darktrace from furnishing the Offering to Customer.
Customer’s obligation to pay Fees during any period of suspension under this Clause 13.4.1 will also be suspended.
In the event the Offering is suspended pursuant to this Clause 13.4.1 then provided it is lawful to do so, Darktrace
will inform Customer of the reasons for the suspension and will work with Customer to resolve such issues and re-
instate the Offering.

13.4.2. Additionally, Darktrace may terminate, suspend or limit Customer’s licence grant or use of the Offering without
liability if Darktrace provides Customer with written notice that it has a reasonable suspicion that Customer is using
the Offering: (i) in breach of Clause 5.1 or Clause 5.2; or (ii) in a manner that is otherwise unlawful, and in each case
Customer does not cure the condition identified in such notice within five (5) business days.

Effect of Termination. Upon termination or expiration of this Agreement:

13.5.1. The Term and all other rights and licences granted by one Party to the other, and any Services provided by Darktrace
to Customer, will cease immediately;

13.5.2. Customer shall ensure all Customer Data is removed from the Appliance and return the Appliance to Darktrace in
accordance with Clause 4.3. DARKTRACE WILL NOT BE RESPONSIBLE FOR MAINTAINING OR PROTECTING ANY
CONFIGURATION SETTINGS OR DATA FOUND ON THE RETURNED HARDWARE OR COMPONENT PART OF THE
HARDWARE AND IT IS CUSTOMER'S SOLE RESPONSIBILITY TO DELETE ANY SUCH INFORMATION PRIOR TO RETURN;
and

13.5.3. All undisputed Fees owing to Darktrace at the date on which termination takes effect will become due and payable.

Survival. The following provisions will survive any termination of this Agreement: Clause 2 (“Evaluations and Beta
Testing”)”; Clause 5 (“Licence Grant For the Software and Restrictions”); Clause 7 (“Fees, Payments and Taxes”); Clause 8
(“Intellectual Property; Ownership”); Clause 9.6 (“Disclaimer”); Clause 10 (“Intellectual Property Rights Infringement
Indemnity”); Clause 11.3 (“Data Disclaimer; Indemnity”); Clause 12 (“Limitation of Liability”); Clause 13.5 (“Effect of
Termination”); Clause 13.6 (“Survival”); Clause 14 (“Confidentiality;”); Clause 15 (“Data Protection”); and Clause 16
(“General Provisions”).

CONFIDENTIALITY

Each party will treat the other party’s Confidential Information as confidential. Confidential Information of one Party (the
“Disclosing Party”) may only be used by the other Party (the “Receiving Party”) for the purpose of fulfilling obligations or
exercising rights under this Agreement, and may only be shared with employees, agents or contractors of the Receiving

V09.12.2020 MCA SHRINKWRAP 7

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

15.

‘@ DARKTRACE

Party who have a need to know such information to support such purpose (“Representatives”). Each Party will procure that
any of its Representatives to whom Confidential Information is disclosed are bound by contractual obligations equivalent
to those in this Clause 14.1. Notwithstanding the foregoing, the Receiving Party shall remain liable for the acts or omissions
of its Representatives. Confidential Information will be protected using a reasonable degree of care to prevent unauthorised
use or disclosure for five (5) years from the date of receipt or (if longer) for such period as the information remains
confidential. These obligations do not cover information that: (i) was known or becomes known to the Receiving Party on
a non-confidential basis from a third party, provided that: (a) the Receiving Party has no knowledge that the third party is
subject to a confidentiality agreement with the Disclosing Party in respect of the information; and (b) such information is
not of a type or character that a reasonable person would have regarded it as confidential; (ii) is independently
developed by the Receiving Party without violating the Disclosing Party’s rights; (iii) is or becomes publicly known other
than through disclosure by the Receiving Party or one if its Representatives in breach of this Agreement; or (iv) was lawfully
in the possession of the Receiving Party before the information was disclosed by the Disclosing Party. A party may disclose
Confidential Information to the extent disclosure is required by law or a governmental agency provided that, to the extent
it is lawful to do so, the Receiving Party notifies the Disclosing Party of the request giving it reasonable opportunity to
respond, and cooperate with the Disclosing Party’s reasonable, lawful efforts to resist, limit or delay disclosure at the
Disclosing Party’s expense, and except for making such required disclosure, such information will otherwise continue to be
Confidential Information. On termination of the Agreement, each Party will promptly return or destroy all Confidential
Information of the other Party. Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information
as required by law; provided that, it uses commercially reasonable efforts to limit the disclosure to the minimum amount
of Confidential Information in order to satisfy the legal requirement; provided, further, that such legal requirement shall
not obscure the Disclosing Party’s rights to seek a prospective order or equivalent, at law or in equity, in order to protect
its Confidential Information.

DATA PROTECTION

15.1. The Parties acknowledge that the Offering may be used to process Personal Data regulated by the Data Privacy Laws and the

16.

16.1.

16.2.

16.3.

Parties shall comply with the data processing requirements as set out in Appendix 2.
GENERAL PROVISIONS

Entire Agreement; Integration.

16.1.1. This Agreement, the appendices and any documents referenced herein, represent the entire agreement between
the Parties on the subject matter hereof and supersedes all prior discussions, agreements and understandings of
every kind and nature between the Parties and excludes, without limitation, any terms appearing on a purchase
order, invoice or other Customer paperwork or any other terms (in each case whether by way of conduct or
otherwise). No modification of this Agreement will be effective unless in writing and signed by both Parties. Each
Party acknowledges and agrees that, in connection with the Agreement, it has not been induced to enter into the
Agreement in reliance upon, and does not have any remedy in respect of, any representation or other promise of
any nature other than as expressly set out in this Agreement. Each Party signing this Agreement acknowledges that
it has had the opportunity to review this Agreement with legal counsel of its choice and there will be no
presumption that ambiguities will be construed or interpreted against the drafter.

16.1.2. Unless otherwise specifically agreed to in a writing signed by each of the Parties, in the event of any conflict or
inconsistency between this Agreement, an appendix hereto, any Product Order Form issued hereunder, and or any
document incorporated by reference, the order of precedence of the documents from highest to lowest is the
Product Order Form, this Agreement, any appendix hereto and the documents incorporated by reference.

Severability. The illegality or unenforceability of any provision of this Agreement will not affect the validity and
enforceability of any legal and enforceable provisions hereof.

Force Majeure. Neither Party will be liable for any failure or delay in performing services or any other obligation under
this Agreement, nor for any damages suffered by the other or a Customer by reason of such failure or delay, which is,
indirectly or directly, caused by an event beyond such Party’s reasonable control, riots, natural catastrophes, terrorist
acts, governmental intervention, refusal of licences by any government or other government agency, or other acts of god
(each, a “Force Majeure Event”), and such non-performance, hindrance or delay could not have been avoided by the non-
performing Party through commercially reasonable precautions and cannot be overcome by the non-performing Party
through commercially reasonable substitute services, alternate sources, workarounds or other means. During the
continuation of a Force Majeure Event, the non-performing Party will use commercially reasonable efforts to overcome
the Force Majeure Event and, to the extent it is able, continue to perform its obligations under the Agreement.

V09.12.2020 MCA SHRINKWRAP 8

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

16.4.

16.5.

16.6.

16.7.

16.8.

16.9.

16.10.

16.11.

‘@ DARKTRACE

Notices. Any notice will be delivered by hand or sent by recorded delivery, registered post or registered airmail and
satisfactory proof of such delivery must be retained by the sender. All notices will only become effective on actual receipt.

Any notices required to be given in writing to Darktrace or any questions concerning this Agreement should be addressed
to: Attn: Legal Department, Darktrace Limited, Maurice Wilkes Building, Cowley Road, Cambridge CB4 ODS, United
Kingdom.

Rights of Third Parties. The provisions of this Agreement concerning restrictions on usage of the Offering and protection
of Intellectual Property Rights are for the benefit of and may be enforced by each of Darktrace, any Darktrace Affiliate and
the Darktrace Indemnitees. Except for the foregoing sentence, or as otherwise expressly set out in the Agreement, this
Agreement does not create any rights for any person who is not a party to it and no person who is not a party to this
Agreement may enforce any of its terms or rely on any exclusion or limitation contained herein.

Audit. Customer will permit Darktrace or an independent certified accountant appointed by Darktrace access, on written
notice, to Customer’s premises and Customer’s books of account and records at any time during normal business hours
for the purpose of inspecting, auditing, verifying or monitoring the manner and performance of Customer’s obligations
under this Agreement. Darktrace will not be able to exercise this right more than twice in each calendar year.

Independent Contractors. The Parties are independent contractors. Nothing in this Agreement will be construed to create
a partnership, joint venture, or agency relationship between the Parties.

Assignment. This Agreement may not be assigned by either Party without the written consent of the other Party.
Notwithstanding the foregoing, consent of the other Party will not be required for a transfer to an Affiliate of a Party or if
a Party undertakes an initial public offering, a sale of all or substantially all of its shares or assigns all or substantially all of
its business and assets to another entity that is not a direct competitor of the non-assigning Party. Any attempt to assign
this Agreement in violation of the foregoing will be null and void. This Agreement binds the Parties, their respective
Affiliates, successors and permitted assigns.

Governing Law. Any dispute or claim relating in any way to this Agreement will be governed by the Governing Law, and
adjudicated in the Governing Courts, as defined in the table below, and each Party consents to the exclusive jurisdiction
and venue thereof; save that (i) each party may enforce its or its Affiliates’ intellectual property rights in any court of
competent jurisdiction, including but not limited to equitable relief and (ii) Darktrace or its Affiliate may, bring suit for
payment in the country where the Customer Affiliate that placed the Product Order Form is located. Where arbitration
applies it shall be conducted in English, under the Rules of Arbitration of the International Chamber of Commerce (the
“ICC”) by three arbitrators in accordance with Art 12 of said Rules. The award shall be final and binding on the Parties.
Except to the extent entry of judgment and any subsequent enforcement may require disclosure, all matters relating to
the arbitration, including the award, shall be held in confidence. Customer and Darktrace agree that the United Nations
Convention on Contracts for the International Sale of Goods will not apply.

Customer location (as stated in the | Governing Law Governing Courts
Product Order Form)

United Kingdom The laws of England & Wales The courts of England & Wales

United States of America The laws of the state of | The state or Federal courts in
New York Manhattan, New York

None of the above The laws of England & Wales Arbitration at the ICC in London

Export Restrictions. The Offering is for Customer’s use and not for further commercialisation. Customer acknowledges
that the Offering may be classified and controlled as encryption items under the United Kingdom’s Export Regulations and
other national regulations. Each Party will comply with all applicable laws regarding export-controlled items, and will not
export, re-export or import, directly or indirectly, any export-controlled items, or any direct product of them, nor
undertake any transaction hereunder in violation of any applicable export laws.

ITAR. Customer understands that employees of Darktrace and/or its suppliers may have access to native data to perform
the Support Services herein and represents that none of this data requires protection from access by foreign persons
because it contains technical information regarding defence articles or defence services within the meaning of the United
States International Traffic in Arms Regulations (22 CFR § 120) or technical data within the meaning of the United States
Export Administration Regulations (15 CFR §§ 730 - 774). If any of this data does contain any such information, Customer
will either lock down access to any such data and/or identify any folders containing such data as export-controlled

V09.12.2020 MCA SHRINKWRAP 9

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

16.12.

16.13.

‘@ DARKTRACE

information and acknowledges that special service rates may apply thereto.

Government End-User Notice (applicable to United States government customers only). The Offering is commercial within
the meaning of the applicable civilian and military Federal acquisition regulations and any supplements thereto. If the user
of the Appliance is an agency, department, employee, or other entity of the United States Government, the use,
duplication, reproduction, release, modification, disclosure, or transfer of the Appliance, including technical data or
manuals, is governed by the terms, conditions and covenants contained in the Darktrace standard commercial licence
agreement, as contained herein.

Waiver. Each Party agrees that the failure of the other Party at any time to require performance by such Party of any of
the provisions herein will not operate as a waiver of the rights of such Party to request strict performance of the same or
like provisions, or any other provisions hereof, at a later time.

16.14 Insurance. Darktrace shall maintain the insurance coverage described as Appendix 3 hereto or an equivalent throughout

the Term, and Darktrace shall furnish Customer with a copy of its insurance certificate, from time to time during the Term,
upon Customer’s reasonable request

16.15. Headings. All headings used herein are for convenience of reference only and will not in any way affect the interpretation
of this Agreement.

16.16. Equitable Remedies. The Parties agree that with respect to a breach by a Party of Clauses 5, 8 or 14, monetary damages
may not be an adequate or sufficient remedy for a breach of this Agreement. Therefore, in addition to any applicable
monetary damages, a Party will also be entitled to apply for injunctive relief and other equitable relief to prevent breaches
of the Agreement, without proof of actual damage.

IN WITNESS WHEREOPF, the Parties have caused this Agreement to be executed as of the date written below
Darktrace: Darktrace Holdings Limited Customer: City of Nashua, New Hampshire
DocuSigned by:

Kotlel Cias— Jones
By: B9E55C903C5E453_— By:

Rachel Elias-Jones
Name: Name:
Title: Financial Director Title:

2022

Date: 9/5/20 Date:

V09.12.2020 MCA SHRINKWRAP 10

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

1.1.

‘@ DARKTRACE

Appendix 1 — Definitions
DEFINITIONS:

Defined Terms. Terms defined in this Appendix 1 will have the meanings given below. Defined terms may be used in the singular

or plural depending on the context.

“Affiliate” means any corporation or other business entity that directly or indirectly controls, is controlled by or is under
common control with a Party. Control means direct or indirect ownership of or other beneficial interest in fifty percent (50%)
or more of the voting stock, other vesting interest, or income of a corporation or other business entity;

“Alerts” means features of the Software that generates alerts of suspected malicious activity on a Customer’s network;
“ Applianc e(s)” means the Software, or Software combined with Hardware, as more fully described on the Product Order Form

“Call Home” means the secure and encrypted channel that connects the Appliance to Darktrace central management;

“Confidential Information” means any information, however conveyed or presented, that relates to the business, affairs,
operations, customers, suppliers, processes, budgets, pricing policies, product information, strategies, developments, trade
secrets, Intellectual Property, and know-how of a Party, and any other information clearly designated by a Party as being
confidential to it (whether or not it is marked "confidential"), and information that ought reasonably be considered to be
confidential, but in all circumstances excludes any Personal Data.

“Customer Data” means all data and information provided by Customer to, or accessible by, Darktrace under this Agreement
in connection with the performance of the Services (which may include information about network traffic on Customer’s
network (metrics), log/metadata collection, as well as the raw packet capture data from Customer’s network);

“Datasheet” means the document providing the specification for the Hardware, Software or Services, as applicable and as
may be updated by Darktrace from time to time;

“Data Privacy Laws” means the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive)
Regulations 2003, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer
Privacy Act of 2018 (“CCPA”), and laws of similar purpose or effect in any relevant jurisdiction, in each case as amended,
updated, re-enacted or replaced from time to time;

“Documentation” means user manuals for the Appliance consisting of the applicable installation guides, Datasheets; service
descriptions, technical specifications and online help files provided by Darktrace or available on Darktrace’s online portal, as
may be updated by Darktrace from time to time;

“Effective Date” means the Effective Date specified in the Product Order Form;

“EU Model Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third
countries which do not ensure an adequate level of data protection under Directive 95/46/EC, pursuant to the European
Commission Decision of 5 February 2010;

"Fees" means all applicable fees as set out in the Product Order Form;

“GPL Software” means third party software provided by Darktrace on the Hardware to support use of the Software that is
licensed directly to Customer and the relevant Customer Affiliates by the relevant rights holder on the terms of the version
included or provided with it of the GNU General Public Licence, GNU Lesser General Public Licence or other comparable licence.

“Hardware” means any hardware device (including embedded firmware) shipped and installed as part of the Offering;

“Information Security Standards” means Darktrace’s information security code of conduct, as amended from time to time in
Darktrace’s sole discretion and available upon request;

“Intellectual Property” means patents, trademarks, service marks, rights (registered or unregistered) in any designs,
applications for any of the foregoing, trade or business names, copyright (including rights in computer software) and
topography rights, know-how and other proprietary knowledge and information, internet domain names, rights protecting
goodwill and reputation, database rights (including rights of extraction) and all rights and forms of protection of a similar
nature to any of the foregoing or having equivalent effect anywhere in the world and all rights under licences and consents
in respect of any of the rights and forms of protection mentioned in this definition (and “Intellectual Property Rights” will be
construed accordingly);

V01.04.2020 MCA SHRINKWRAP 11

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

1.2.

‘& DARKTRACE

“Offering” means collectively the Appliance(s), Software, Services and the Documentation;

“Open Source Software” means third party software that Darktrace distributes with the Software pursuant to a licence that
requires, as a condition of use, modification or distribution of such software, that the software or other software combined
and/or distributed with it be: (i) disclosed or distributed in source code form; (ii) licensed for the purpose of making derivative
works; (iii) redistributable at no charge; or (iv) redistributable but subject to other limitations;

“Product Order Form” has the meaning set forth in the introductory paragraphs;

“Personal Data” means, generally, information relating to an identified or identifiable natural person, or other regulated
data types as defined by applicable Data Privacy Laws;

“S ervices” means the Darktrace Support Services, and any Installation Services, training or professional services which may
be provided by Darktrace as specified in the Product Order Form;

“Support Service Options” means the optional support services, if any, as specified in the Product Order Form and further
described in the Support Services Data Sheet;

“Site(s)” means the Customer’s business location or its datacentre at the locations described in a Product Order Form;

“Software” means the Darktrace and the Third Party Software (in object code form) delivered to Customer as part of the
Offering or ona standalone basis, together with all enhancements, error corrections, and/or updates which are generally
made available by Darktrace as part of the Offering. The GPL Software does not form part of the Software and is licensed
to Customer and the Customer Affiliates directly on the terms of the applicable licences, provided that the GPL Software will
nevertheless be deemed to form part of the Software for the purposes of the Support Services, such that Darktrace will
support it as if it were part of the Software;

“Standard Support Services” means the standard support services provided by Darktrace as set out in the Darktrace Support
Services Data Sheet;

“Support Services Data Sheet” means the Documentation describing the terms of the Support Services.

“Third Party Licensors” means the suppliers of the Third Party Software to Darktrace; and

“Third Party Software” means: (i) any software or other technology that is licensed to Darktrace from Third Party Licensors for
the purpose of making the Offering available commercially; and (ii) Open Source Software.

Construction. In this Agreement (except where the context otherwise requires):

1.2.1. any reference to a clause or schedule is to the relevant clause or schedule of or to this Agreement and any reference
to a paragraph is to the relevant paragraph of the clause or schedule in which it appears;

1.2.2. the index and clause headings are included for convenience only and will not affect the interpretation of this Agreement;
1.2.3. use of the singular willinclude the plural and vice versa;
1.2.4. use of any gender will include any other gender;

1.2.5. any reference to persons includes natural persons, firms, partnerships, companies, corporations, associations,
organisations, governments, foundations and trust (in each case whether or not having separate legal personality);

mat yo

1.2.6. any phrase introduced by the terms “including”, “include”, “in particular’ or any similar expression will be construed as
illustrative and will not limit the sense of the words preceding those terms;

1.2.7. any reference to any other document is a reference to that other document as amended, varied, supplemented, or
novated (in each case, other than in breach of the provisions of this Agreement) at any time.

V01.04.2020 MCA SHRINKWRAP 12

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

‘& DARKTRACE

Appendix 2: Data Processing Agreement

1. DEFINITIONS. For the purposes of this DPA, the terms defined in this Appendix shall have the meanings as set forth in the
Agreement. Any terms not specifically defined by this DPA or the Agreement shall have the meaning given by GDPR.

2. SUBJECT MATTER OF THE DATA PROCESSING AGREEMENT
2.1 This Data Processing Agreement (“DPA”) applies to the processing of Customer Personal Data under the Agreement.
2.2 Customer will be the Data Controller and Darktrace will be the Data Processor as defined under GDPR. Each Party agrees

that it shall comply with its obligations as a Data Controller and a Data Processor, respectively under the Data Privacy Laws
in exercising its rights and performing its obligations under this Agreement.
2.3 This DPA is an Appendix to the Agreement.

3. NATURE AND PURPOSE OF PROCESSING REGULATED DATA
3.1 The Data Processor shall process Personal Data in order to provide the Support Services as set forth in the Support
Services Datasheet.
3.2 In the event that the Data Controller has purchased Antigena Email, the additional data protection provisions of the

Antigena Email Schedule shall apply and be incorporated into this DPA.

4. TYPES AND CATEGORIES OF PERSONAL DATA
4.1 Categories of Data Subjects.
- Employees including volunteers, agents, temporary workers, independent contractors;
- Contractors

- Customer clients, prospects

- Suppliers, vendors

- Advisors, consultants and other professional experts

- Customer officers, directors

- And any other categories of Data Subjects that may be contained in the Data Controller's network.
4.2 Types of Personal Data:

- IP addresses

- Host names

- File names

- Email addresses

- And any other types of Personal Data that may be contained in the Data Controller's network.

5. RIGHTS AND OBLIGATIONS OF THE CONTROLLER
5.1 The Data Controller hereby instructs the Data Processor to take such steps in the processing of Personal Data as are
reasonably necessary for the performance of the Data Processor’ s obligations under the Agreement, and agrees that such
instructions, comprising the terms of this DPA and the Agreement, constitute its full and complete instructions as to the
means by which Personal Data shall be processed by the Data Processor.

6. RIGHTS AND OBLIGATIONS OF THE PROCESSOR
6.1 The Data Processor shall only process Personal Data in accordance with the Data Controller’s written instruction as
specified herein and shall not use Personal Data except to deliver the Offering and the Services as instructed by the
Agreement, unless such processing is required by law to which the Data Processor is subject, in which case the Data
Processor shall, to the extent permitted by law, inform the Data Controller of that legal requirement prior to carrying
out the applicable processing.

6.2 The Data Processor shall immediately inform the Data Controller if, in the Data Processor’s reasonable opinion, an
instruction from the Data Controller infringes the Data Privacy Laws.
6.3 The Data Processor shall not transfer Personal Data outside the European Economic Area (“EEA”) without the prior

written consent of the Data Controller and not without procuring provision of adequate safeguards (as defined by the
European Commission from time to time);

6.4 In the event that the UK ceases to be a member of the European Union or ceases to be considered by the European
Commission to be an adequate country pursuant to Article 45 of GDPR, then the parties agree that Darktrace shall apply
the EU Model Clauses as set out at hittps://www.darktrace.com/en/resources/legal-customer-model-clauses.pdf, to
any relevant transfer of data and such EU Model Clauses shall be deemed incorporated from the date of first transfer.

6.5 The Data Processor shall take reasonable steps to ensure the reliability of its agents and employees who have access to
any Personal Data.

V01.04.2020 MCA SHRINKWRAP 13

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

7.

8.

10.

11.

12.

‘& DARKTRACE

SECURITY

71

Taking into account the nature, scope, context and purposes of processing, the Data Processor has implemented
and will maintain the administrative, physical, technical and organisational measures as described in the Darktrace
Information Security Policy to protect any Personal Data accessed or processed by it against unauthorised or unlawful
processing or accidental loss, destruction, damage or disclosure. The parties agree that for the purposes of the
processing hereunder, the measures contained within the Darktrace Information Security Policy are appropriate, given
the nature of the data to be processed and the harm that might result from such unauthorised or unlawful processing
or accidental loss, destruction, disclosure, access or damage.

PERSONAL DATA BREACH NOTIFICATION

8.1

In the event that the Data Processor suffers a Personal Data Breach, the Data Processor shall inform the Data Controller
within twenty-four (24) hours upon learning of the same and reasonably cooperate with the Data Controller to mitigate
the effects and to minimise any damage resulting therefrom. To the extent reasonably possible, the notification to the
Data Controller shall include: (i) a description of the nature of the incident, including where possible the categories and
approximate number of data subjects concerned and the categories and approximate number of Personal Data records
concerned; (ii) the name and contact details of the Data Processor’s data protection officer or another contact point
where more information can be obtained; (iii) a description of the likely consequences of the incident; and (iv) a
description of the measures taken or proposed to be taken by the Data Processor to address the incident including,
where appropriate, measures to mitigate its possible adverse effects

SUBPROCESSORS

9.1

9.2

9.3

Save as expressly provided herein, the Data Processor will not use subprocessors for the processing of Personal Data.
For the purposes of providing Support Services alone: (i) The Data Controller hereby authorises the Data Processor to use
its affiliates specified in the Support Services Datasheet to process Personal Data (the “Affiliate Subprocessors”); (ii) The
Data Processor shall have in place with the Affiliate Subprocessors a written agreement equivalent to the terms contained
herein to protect Personal Data; and (iii) The EU Model Clauses shall apply to the extent the processing of Personal Data
by the Affiliate Subprocessors involves a transfer of Personal Data which originates in the EEA to a third country outside
of the EEA. For such purposes, the Data Controller hereby authorises the Data Processor to enter into the EU Model
Clauses with the Affiliate Subprocessors on the Data Controller’s behalf.

Save for the foregoing, the Data Processor shall not engage any subprocessors without the prior written authorisation of
the Data Controller. In the event that the Data Controller authorises the use by the Data Processor of any other
subprocessors, the Data Processor shall procure that such subprocessors enter into a written agreement containing
provisions no less stringent than this DPA.

The Data Processor shall be fully liable for any breach by the subprocessors of any data protection obligations set
out in this Clause.

ASSISTANCE WHEN HANDLING REQUESTS FROM DATA SUBJECTS

10.1

AUDIT
11.1

Taking into account the nature of processing and the information available to the Data Processor, the Data Processor will
provide reasonable support to the Data Controller: (i) in complying with any legally mandated request for access to or
correction of any Personal Data by a data subject under Chapter III GDPR (and where such request is submitted to the
Data Processor, the Data Processor will promptly notify the Data Controller of it); (ii) in responding to requests or
demands made to the Data Controller by any court or governmental authority responsible for enforcing privacy or data
protection laws; or (iii) in its preparation of a Data Protection Impact Assessment.

The Data Processor agrees to maintain ISO 27001 certification for the duration of the Term. The Data Processor will use
an external auditor to verify that its security measures meet ISO 27001 standards in accordance with the ISO certification
process. On the Data Controller's written request, and subject to appropriate confidentiality obligations, the Data
Processor will make available to the Data Controller: (i) a copy of the current certificate in relation to the ISO 27001
certification; and (ii) Information reasonably requested by the Data Controller in writing with regards to the Data
Processor’s processing of Personal Data under this DPA. The Data Controller agrees to exercise any right it may have to
conduct an audit or inspection under GDPR (or the EU Model Clauses if they apply) by requesting the foregoing
information.

RETURN/DESTRUCTION OF PERSONAL DATA

12.1

Upon termination of the Agreement, the Data Processor shall delete or return all Personal Data in accordance with the
Data Controller's written instructions.

V01.04.2020 MCA SHRINKWRAP 14

DocuSign Envelope ID: 6BE73965-BAEF-4791 -B930-DABA9714DC55

Appendix 3: Darktrace Insurance

V01.04.2020 MCA SHRINKWRAP

‘& DARKTRACE

15