MASTER SUBSCRIPTION AGREEMENT

THIS MASTER SUBSCRIPTION AGREEMENT (“Agreement”) is entered into as of March 3, 2022 (the “Effective Date”) by and between PHYLUM, INC., a Delaware corporation (“We,” “Us,” “Our,” “Vendor” or “Phylum”), and Blackstone Administrative Services Partnership L.P. (“You,” “Your,” “Blackstone”, “Customer”, or “Client”, and together with Phylum, collectively the “Parties” and individually referred to as a “Party”).

1. SCOPE OF AGREEMENT; DEFINITIONS. This Agreement covers the (i) License and permitted use of the Solutions, and (ii) access to Client Support and other Managed Services. Unless otherwise defined in this Section 1, the capitalized terms used in this Agreement shall be defined in the context in which they are used. The following terms shall have the following meanings:

1.1. Affiliate shall mean an entity that owns or controls, is owned or controlled by or is under common control or ownership with a party and where control means with respect to Blackstone ownership of twenty percent (20%) common ownership or any equivalent form of interest or control and as to Vendor fifty percent (50%) or more of the outstanding voting securities of such person or entity. Control exists only as long as such person or entity meets the ownership requirements set forth herein.

1.2. “Authorized User” means Your employee(s) (or other third-party consultants as authorized by You under Section 3.5 of this Agreement) who is authorized by You to access or use the Solutions or access the Client Support in the manner authorized in this Agreement and within the scope identified in an Order Form.

1.3. “Client Data” means any data and information provided or submitted by, or on behalf of, Client or its Authorized Users for use with the Solutions. Blackstone owns all interest in and to all Client Data.

1.4. “Client Downtime” means downtime, failure, disruption or interruption in the Hosting caused by or attributable
to You, including, without limitation, (x) failure, interruption or disruption attributable to the actual or attempted acts or omissions of Your (i) Authorized Users, (ii) employees or (iii) independent contractors or agents, or (y) technical failure of Your telephone, computer, connectivity or any other equipment needed to access and use the Solutions, Client Support and Documentation, as applicable.

1.5. “Client Support” means access to Phylum technical support as identified in Section 5 of this Agreement.

1.6. “Confidential Information” has the meaning set forth in Section 13 of this Agreement.

1.7. “Documentation” means the user guides and training materials made available by Us (whether online or in soft copy format) that provide installation and/or operating instructions for use of the Solutions by You.

1.8. “Force Majeure” means an event caused by conditions beyond the reasonable control of such Party including, but not limited to, governmental action, terrorism, war, acts of public enemies, civil or military authority, fires, floods, or other natural calamities, acts of God, telecommunications failure, electrical outages, any service failure or disruption caused by other service providers, or systems, severe network outages in co-location site networks, error in the coding of electronic files or any causes of like or different kind beyond the reasonable control of such Party.

1.9. “Hosting” means the hosting services provided by Us under a License. These services include the collection of managed services, including system administration, hardware management, software system management, network operations, backup and restoration activities, program management and crisis management activities, which are collectively used to make the Solutions available online via a Phylum provided login link. Hosting will be provided pursuant to the security requirements set forth in the Hosted Services Addendum attached hereto as Exhibit B.

1.10.
“Integration Services” means integration services as specified in an Order Form.

1.11. “Law” means all laws, statutes, ordinances, codes, regulations, rules, orders, judgments, rulings, writs, injunctions, court and administrative decrees and other requirements imposed by any court, administrative agency or commission, franchising or licensing authority or other governmental authority or instrumentality, whether local, state or federal and other pronouncements having the effect of law of any such entity or any other laws or reported decisions of any court thereof, including principles of common law.

1.12. “License” means Your right to access and use the Solutions specified in an Order Form.

1.13. “Managed Services” means the services that We will provide to You, pursuant to an Order Form.

1.14. “Order Form” means the document by which You order Licenses from Us and includes a description and fee schedule of the applicable Solutions as well as payment terms. In addition, it describes the activities and deliverables to be provided by Our Managed Services team, and our responsibilities and your responsibilities. The initial Order Form, if applicable, is attached as Exhibit A to this Agreement.

DocuSign Envelope ID: F72C114F-FAFB-4EE1-B192-DDC22048212A05373060-9E7F-4 D9-849C-B 346303B63.

1.15. “Order Term” means the period of time as identified on a fully executed Order Form during which You may use or access the Solutions and Client Support, as applicable.

1.16. “Phylum Intellectual Property” means any software code, patents, programs, tools, documentation, training, or other material related thereto, and all ownership rights in the Solutions and Documentation.

1.17. “Scheduled Maintenance” means downtime to the Solutions during which We perform upgrades, bug fixes or other systems servicing to the Solutions or data center environment.

1.18.
“Solutions” means the proprietary software that We will provide to You, pursuant to an Order Form, and all updates, improvements, bug fixes, or other modifications.

1.19. “Term” shall have the meaning set forth in Section 4 of this Agreement.

2. ORDER FORMS. During the Term, the Parties may execute one or more Order Forms for You to order Licenses and Managed Services from Us. We agree to provide the License and the Managed Services to You under the terms of this Agreement pursuant to one or more Order Forms. The Parties shall negotiate and sign each Order Form separately. Each Order Form shall set out a description and fee schedule of the applicable Solutions and Managed Services, payment terms and any other additional terms that are agreed to by the Parties. Each Order Form shall be attached to this Agreement and incorporated in this Agreement by reference. Exhibit A to this Agreement sets forth the initial Order Form, if applicable. In the event of any conflict between the provisions of this Agreement and the terms of any Order Form(s), the conflict shall be resolved in the following order of priority of interpretation: (a) the Order Form(s); and (b) this Agreement. You agree that the validity of any Order Form(s) is not contingent on the delivery of any future functionality or features.

3. LICENSED RIGHTS.

3.1 License Grant. Subject to the terms and conditions of this Agreement and to Client’s payment of the applicable fees included in the Order Form, as part of a License, We hereby grant to You, solely during the Order Term, a limited, non-exclusive, non-transferable (except as permitted under Section 14.2), and non-sublicensable license to install, execute, access, run, otherwise interact with the Solutions and related Documentation. The License Grant is limited to the Order Term and Size of Delivery (number of users) set forth in the Order Form. Additional licenses to Solutions may be acquired through subsequent
Order Forms mutually agreed to in writing. You are not permitted to sell, resell, lease, rent, distribute, lease, loan, sublicense, transfer or otherwise allow the use of the Solutions or any Documentation for the benefit of any unauthorized third party. You may not use the Solutions in a time-sharing arrangement or in any other unauthorized manner. Further, no license is granted to You in the human readable code of the Solutions (source code). Except as provided below, this Agreement does not grant You any rights to patents, copyrights, trade secrets, trademarks, or any other rights in the Solutions and Documentation.

3.2 Restrictions on Use. You acknowledge that You are receiving licensed rights only. You shall not, directly or indirectly, or authorize any person or entity to: (i) reverse engineer, decompile, disassemble, re-engineer or otherwise create or attempt to create or permit, allow, or assist others to create the source code (or the underlying ideas or algorithms) of the Solutions, or its structural framework; (ii) modify, copy or create derivative works of the Solutions; (iii) use the Solutions in whole or in part for any purpose except as expressly provided under this Agreement or in any manner inconsistent with applicable law; or (iv) interfere, disable or circumvent any access control or related device, process or procedure established with respect to the Solutions. You acknowledge that You have been provided sufficient information such that You do not need to reverse engineer the Solutions in any way to permit other products or information to interoperate with the Solutions. To the extent the Solutions design permits modification, then You may modify the Solutions and use such modifications solely for Your internal purposes and consistent with the license and this Agreement.
You will not remove or alter any trademark, copyright, patent, or other proprietary rights notices or legends from the Solutions or other materials that may be furnished by Phylum in connection with the licensed rights granted by this Agreement.

3.3 Phylum Ownership. This Agreement confers a limited license for You to access and use the Solutions solely in connection with your internal operations. Nothing set forth herein shall be construed as conferring unto You, and You hereby disclaim, any ownership rights to Phylum’s Intellectual Property. In furtherance of the foregoing, You expressly affirm that We shall retain sole and exclusive ownership, right, title, and interest in and to the Phylum Intellectual Property, and any and all derivative works based upon Phylum Intellectual Property. We reserve all rights not expressly granted herein. Except as expressly set forth herein, no right or license is granted hereunder, express or implied or by way of estoppel, to any intellectual property rights. All rights not specifically granted hereunder are reserved to Us. All trademarks, service marks and brands not owned by Us are marks of their respective providers.

3.4 Feedback. Client hereby grants to Phylum a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Solutions any suggestions, enhancement requests, recommendations or other feedback provided by Client, including Authorized Users, relating to the Solutions. Phylum will not identify Client as the source of any such feedback. Any Feedback is provided AS IS without warranty of any kind and Blackstone shall not be responsible for any action taken or business decision made by Vendor with respect to the Feedback.

3.5 Responsibility. You are responsible for all use of the Solutions and for all Authorized Users’ compliance with the license
and this Agreement. Any breach of this Agreement by any Authorized User shall be deemed to have been a breach by You. License to access and use the Solutions, as applicable, as well as any Documentation, is solely for your internal business use within the scope defined on an Order Form and in accordance with the Documentation. We will provide access to the Solutions to Authorized Users. Access means providing a way to use the Solutions where We operate and manage the Solutions on behalf of You via the Hosting. You may allow Your third-party consultants to access and use the Solutions, Hosting and Client Support as Authorized Users solely for Your internal use permitted hereunder, provided You ensure that such third-party consultant access to and use of the Solutions, Hosting and Client Support complies with the terms of this Agreement.

4. TERM AND TERMINATION.

4.1 Term. The term of this Agreement will begin on the Effective Date and shall continue in full force and effect as long as any Order Form remains in effect, unless earlier terminated in accordance with the Agreement (the “Term”). Unless otherwise stated in the applicable Order Form, the term of an Order Form will begin on the effective date of the Order Form and continue in full force and effect for one (1) year and will automatically renew in one (1) year increments unless Blackstone terminates the Agreement by providing written notice to Vendor at least thirty (30) days prior to the applicable anniversary of the Effective Date (the “Order Term”), provided Vendor has provided Blackstone with at least ninety (90) days of such impending renewal. For purpose of clarity, an invoice for the upcoming term is not considered written notice of renewal.

4.2 Termination. This Agreement and any outstanding Order Forms may be terminated (a) by either Party if the other Party has breached a material obligation hereunder and has failed to cure such breach within thirty (30) days of receiving notice
thereof; or (b) by either Party, immediately, if any proceeding is commenced by, for or against either Party under any bankruptcy, insolvency or debtor’s relief law for the purpose of seeking a reorganization of such Party’s debts, and such proceeding is not dismissed within ninety (90) calendar days of its commencement. Blackstone may terminate this Agreement for convenience upon thirty (30) days’ prior written notice to Vendor.

4.3 Effect of Termination. Upon expiration or termination of this Agreement for any reason, (a) all Licenses and rights granted hereunder will immediately terminate; (b) You shall immediately (i) cease (and shall cause Your employees and any Authorized Users to immediately cease) all use of the Solutions, Hosting, Client Support and Documentation; and (ii) return to or destroy, at Our reasonable option and request, all tangible materials and all copies thereof, in whatever media, then in Your possession or control, containing or embodying any of Our Confidential Information; and (c) each Party shall take such other actions as the disclosing Party may reasonably request to ensure that no Confidential Information remains in the receiving Party’s or any of its employees’ or Authorized Users’ possession or control and shall, at the disclosing Party’s request, deliver to the disclosing Party a written certificate of compliance with this Section 4.3, which certificate shall be reasonably satisfactory to the disclosing Party; and (d) any undisputed fees owed by You to Us hereunder shall become immediately due and payable to Us subject to issuance of an invoice by Us.

5. CLIENT SUPPORT. During an Order Term, as part of a License to the Solutions, We will provide You with access to Client Support for the Solutions in accordance with the Order Form Client Support set forth in the applicable Order Form. Your access to Client Support expires at the end of an Order Term. Client Support is limited to technical support directly
related to use of the Solutions included on the applicable Order Form. We will make reasonable telephone or email based technical support available to Your personnel. When Our staff is unavailable, We will provide voice mail and email access that will be checked periodically. All support requests will be prioritized according to the severity of the support request, as We determine in Our discretion. The Client Support hours and policies are subject to change at Our option. You will appoint at least one person as Your authorized Client Support contact who must complete training on the operation and maintenance of the Solutions as We specify. Client Support may be provided remotely via telephone or web-based services. If in-person training is requested, the parties will agree on the rates to perform the training. You will be responsible for reimbursing Us for travel pursuant to Section 7.3 of the Agreement.

6. HOSTING. During an Order Term, as part of a License to the Solutions, We will provide You with access to Hosting to enable You to access and use the Solutions in accordance with this Agreement, which shall be comprised of access to a web portal or the website with password protected access to our managed data center environment. We will use commercially reasonable efforts to make the Solutions available to the Internet for access by You 99% of the available time, excluding any outages on account of or caused by Client Downtime, any maintenance updates of the Solutions or any Force Majeure event. We reserve the right to modify the Solutions or Hosting at any time provided there is no degradation in the functionality of the Solutions or Hosting and agree to notify You of any such modifications. In the event such modifications affect functionality in an adverse manner, You may terminate the affected Order Form without further liability and receive a refund
of all unused prepaid amounts. We will coordinate Scheduled Maintenance during off-hours of the normal workweek or on weekends (Saturday/Sunday) and we will provide written notice of Scheduled Maintenance at least five (5) business days in advance. We will coordinate with You regarding the scheduling of any emergency maintenance.

7. ORDERS; PROVISIONING; FEES.

7.1 Fees. You shall pay all fees specified in an Order Form. Except as otherwise specified herein, or in an Order Form, all fees are (i) based on the Licenses ordered and not actual usage, and (ii) payment obligations are non-cancellable and non-refundable except in the case of Our uncured breach. This Agreement may accommodate multiple Order Forms, each of which shall be incorporated into and become a part of this Agreement upon acceptance by Us. The duration and type of Licenses provided to You shall also be identified on the Order Form.

7.2 Payment Terms. Unless agreed to otherwise in an Order Form, We will issue an invoice for all fees due under this Agreement annually in advance and, upon renewal, the fees shall be due and payable to Us at least sixty (60) days prior to the anniversary of the Effective Date. All invoices shall be sent to Blackstone at the following email address: BXTIFinance@blackstone.com. You agree to pay undisputed invoices within sixty (60) days after the date of Our invoice, unless otherwise specified in an Order Form. Fees shall be fixed during the term set forth in the applicable Order Form and if renewed, and unless otherwise set forth in an Order Form, Fees shall not be increased by more than the lesser of (i) two (2%) percent of the Fees applicable in the immediately prior term and (ii) the increase (if any) in the most recently published Consumer Price Index (based on the last 12 months) for All Urban Consumers published by the U.S.
Department of Labor, Bureau of Labor Statistics. If Vendor does not invoice Blackstone for any Fees or Blackstone approved expenses within one hundred and eighty (180) days after the date the Services were accepted by Blackstone, Vendor shall be deemed to have waived the right to be paid for such Fees and expenses and Vendor may not subsequently submit to Blackstone any invoices for such Fees and expenses.

7.3 Expenses. Blackstone will reimburse Vendor for documented and actual business travel or other expenses that have been pre-approved by Blackstone in writing and that are required by Vendor in furtherance of the duties specified in an applicable SOW. Expenses will not be reimbursed without detailed receipts and backup for any expenses invoiced to Blackstone.

7.4 Taxes. Fees stated in the Order Form do not include applicable taxes. Blackstone will be responsible solely for sales, use, excise, value-added, services, consumption and other similar taxes that are assessed and lawfully imposed on and required to be paid by the Blackstone (and for which no exemption is available). Vendor shall be responsible for and pay all taxes that are based on or measured by Vendor’s income, receipts (including any capital gains or minimum taxes), capital, doing business, excess profits, net worth, franchise, property, and Vendor personnel-related taxes.

8. SOLUTIONS MONITORING. We may monitor all use of the Solutions for security and operational purposes. We may suspend Your access to the Solutions in the event that You are engaged in, or We in good faith believe You are engaged in or are supporting, any unauthorized conduct (including any violation of this Agreement, any applicable law or third party right). We will provide written notice prior to any suspension. You agree that We will not be liable to You or to any affiliate or user or any other third party if We exercise Our suspension rights as permitted by this Section.

9. CLIENT DATA AND RESPONSIBILITIES.
9.1 License; Ownership. Client is solely responsible for any and all obligations with respect to the accuracy, quality and legality of Client Data. Client will obtain all third party licenses, consents and permissions needed for Phylum to use the Client Data to provide the Solutions. Without limiting the foregoing, Client will be solely responsible for obtaining from third parties all necessary rights for Phylum to use the Client Data submitted by or on behalf of Authorized Users for the purposes set forth in this Agreement. Client grants Phylum a non-exclusive, worldwide, royalty-free and fully paid license during the Term (a) to use the Client Data as necessary for purposes of providing and improving the Solutions, (b) to use the Client trademarks, service marks, and logos as required to provide the Solutions, and (c) use the Client Data in an aggregated and anonymized form to: (i) improve the Solutions and Phylum’s related products and services; (ii) provide analytics and benchmarking services; and (iii) generate and disclose statistics regarding use of the Services, provided, however, that no Client-only statistics will be disclosed to third parties without Client’s consent. The Client Data, and all worldwide intellectual property rights in it, is the exclusive property of Client. All rights in and to the Client Data not expressly granted to Phylum in this Agreement are reserved by Client.

9.2 Client Warranty. Client represents and warrants that any Client Data will not (a) infringe any copyright, trademark, or patent; (b) misappropriate any trade secret; (c) be deceptive, defamatory, obscene, pornographic or unlawful; (d) contain any viruses, worms or other malicious computer programming codes intended to damage Phylum’s system or data; and (e) otherwise violate the rights of a third party. Phylum is not obligated to back up any Client Data; the Client is solely responsible
for creating backup copies of any Client Data at Client’s sole cost and expense. Client agrees that any use of the Solutions contrary to or in violation of the representations and warranties of Client in this Section 9.2 constitutes unauthorized and improper use of the Solutions.

9.3 Client Responsibility for Data and Security. Client and its Authorized Users will have access to the Client Data and will be responsible for all changes to and/or deletions of Client Data and the security of all passwords and other access protocols required in order to access the Solutions. Client will have the ability to export Client Data out of the Solutions and is encouraged to make its own back-ups of the Client Data. Client will have the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Client Data.

10. WARRANTIES AND DISCLAIMERS.

10.1. Vendor represents and warrants that:

(i) It is an entity duly organized, validly existing and in good standing under the laws of the jurisdiction of its organization and it has all rights, authorizations or licenses to provide the Services to Blackstone and Blackstone’s use as authorized herein, will not infringe, misappropriate, or otherwise violate the rights of any third party;

(ii) It has the right to enter into this Agreement and perform its obligations under this Agreement without violating the terms or provisions of any other agreement or contract to which it is a party;

(iii) It shall perform its obligations under this Agreement in compliance with all applicable laws, regulations, and ordinances;

(iv) It is not a party identified on any governmental export exclusion lists.

(v) It shall comply with the confidentiality and data privacy obligations described in this Agreement or any addendum.

10.2.
EXCEPT AS DESCRIBED IN SECTION 10.1, WE MAKE NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, TO YOU, THE AUTHORIZED USERS OR ANY OTHER PARTY, FOR THE SOLUTIONS, DOCUMENTATION, CLIENT SUPPORT, HOSTING OR MANAGED SERVICES, WHICH ARE PROVIDED “AS IS.” PHYLUM MAKES NO (AND HEREBY DISCLAIMS) ALL OTHER WARRANTIES, REPRESENTATIONS OR CONDITIONS, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF ANY COURSE OF DEALING, TRADE USAGE OR PRACTICE, SYSTEM INTEGRATION, DATA ACCURACY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR OTHER WARRANTIES FOR TITLE, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR AGAINST LATENT DEFECTS. PHYLUM DOES NOT WARRANT THAT THE SOLUTIONS WILL OPERATE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS CAN BE CORRECTED.

11. LIMITATION OF LIABILITY. NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, IN NO EVENT SHALL EITHER PARTY, THEIR AFFILIATES, OR ANY OF THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS, BE LIABLE TO THE OTHER PARTY FOR LOST PROFITS, LOST DATA, OR FOR SPECIAL, INCIDENTAL, ENHANCED OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY THEREOF. IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY UNDER THIS AGREEMENT OR ANY ORDER FORM OR FROM ANY OR ALL CLAIMS OR CAUSES EXCEED THE GREATER OF $50,000 OR THREE TIMES THE AMOUNT OF THE AGGREGATE FEES PAID OR PAYABLE FROM YOU FOR THE TWELVE (12) MONTH PERIOD PRECEDING THE OCCURRENCE OF THE LAST EVENT GIVING RISE TO LIABILITY. THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY IN THE AGGREGATE AND WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. NOTWITHSTANDING THE FOREGOING, NO LIMITATION OR EXCLUSION OF LIABILITY SHALL APPLY WITH RESPECT TO ANY CLAIMS BASED ON A BREACH OF CONFIDENTIALITY OR DATA PROTECTION OBLIGATIONS SET FORTH IN THIS AGREEMENT, OR ON EITHER PARTY'S GROSS
NEGLIGENCE, FRAUD OR WILLFUL MISCONDUCT, OR WITH RESPECT TO ANY CLAIMS FOR PERSONAL INJURY OR PROPERTY DAMAGE, OR TO VENDOR'S INDEMNIFICATION OBLIGATIONS. The Parties acknowledge and agree that the disclaimers, exclusions and limitations of liability set forth in this Section form an essential basis of this Agreement and that, absent any of such disclaimers, exclusions or limitations of liability, the terms of this Agreement, including, without limitation, the economic terms, would be substantially different.

12. INDEMNIFICATION.

12.1 Indemnification by Phylum. Vendor shall defend with counsel reasonably acceptable to Blackstone (or settle at Vendor's sole expense), hold harmless and indemnify Blackstone, its affiliates, assignees and each of its and their managing directors, its officers, directors, employees, agents, volunteers and subcontractors (collectively, the “Indemnified Parties”) on an ongoing basis from and against any and all suits, claims and proceedings (each a “Claim”) resulting in expenses and losses, including court costs and reasonable attorneys' fees, damages, costs, or liability (collectively “Losses”) incurred by the Indemnified Parties which arise out of the performance or non-performance by Vendor of Services contemplated by this Agreement, including Losses arising from and relating to (i) the act, omission, fault, negligence, breach, willful misconduct or fraud of Vendor and/or its contractors, employees or agents in the performance of duties under this Agreement; (ii) the breach by Vendor of any covenant, warranty or condition of this Agreement; (iii) any infringement of any patent, trademark, copyright, trade secret or other intellectual property or proprietary right of any third party arising out of the performance of
Services or arising out of the acquisition or use by the Indemnified Parties of any Services, software, materials, equipment, combination, concepts, information or process designed, procured or delivered by Vendor pursuant to or in connection with this Agreement; (iv) the breach of any confidentiality or data protection obligations and (v) any failure by Vendor or its Personnel to comply with applicable law and regulations in the performance of its duties under this Agreement. Blackstone may, at its expense, assist in such defense if it chooses, provided that Vendor shall control such defense and all negotiations relative to the settlement of any such claim. The Vendor shall obtain Blackstone's prior written consent, which consent shall not be unreasonably withheld or delayed, for any settlement or compromise of any claim that does not include the unconditional release of Blackstone from the indemnified liability hereunder or requires any specific performance, non-pecuniary remedy or for the payment of any amount by Blackstone. If the Services become the subject of a Claim, or Vendor reasonably believes that use of the Services may become the subject of a Claim, then Vendor may, at its own expense and option, at least one of the following: (i) procure for Blackstone the right to continue use of the Service at no additional cost to Blackstone for such right; (ii) replace the Service with a non-infringing product while maintaining the Service’s essential specifications; (iii) modify the Service so that it becomes non-infringing while maintaining the Service's essential specifications; or (iv) refund to Blackstone the Fees paid for the Service. This indemnity shall not be Blackstone's sole remedy. This Section 12.1 states the sole and exclusive remedy of Client and the entire liability of Phylum, or any of the officers, directors, employees, shareholders, contractors or representatives of the foregoing, for infringement claims and actions.
12.2 Indemnification by Client. Client will defend at its expense any suit brought against Phylum, and will pay any settlement Client makes or approves, or any damages finally awarded in such suit, insofar as such suit is based on a claim arising out of or relating to Client’s breach or alleged breach of Sections 9.2. This Section 12.2 states the sole and exclusive remedy of Phylum and the entire liability of Client, or any of the officers, directors, employees, shareholders, contractors or representatives of the foregoing, for the claims and actions described herein.

12.3 Procedure. The indemnifying party’s obligations as set forth above are expressly conditioned upon each of the foregoing: (a) the indemnified party will promptly notify the indemnifying party in writing of any threatened or actual claim or suit but failure to give such notice shall not relieve a party of its obligations except to the extent the indemnifying party can demonstrate actual, material prejudice to its ability to mount a defense because of such failure; (b) the indemnifying party will have sole control of the defense or settlement of any claim or suit; and (c) the indemnified party will cooperate with the indemnifying party to facilitate the settlement or defense of any claim or suit.

13. CONFIDENTIALITY:

13.1 Confidential Information. Confidential Information shall mean (a) with respect to Blackstone, any non-public information whether or not explicitly identified as proprietary or confidential, that is in written, spoken or contained on computer systems of Blackstone, and furnished by Blackstone to Vendor or otherwise made available or accessible to Vendor in the provision or performance of Services and any other information which given its nature and the circumstances surrounding its disclosure should reasonably be construed to be confidential including, without limitation, information
concerning business methods, business plans, vendor information, Client Data, methodologies, internal policies and procedures, pricing terms, code, inventions, analyses, any business, technical, and financial information, documentation, data, specifications, audit reports, auditor opinion letters, user identification and passwords, and any third party software or systems and related information maintained by Blackstone which Vendor may require in order to render Services hereunder, and Personal Data and (b) with respect to Vendor the Solutions, Documentation, Client Support, Managed Services, Hosting and other related data, information or materials (the “Confidential Information”).
13.2 Publicity and News Releases. Vendor agrees that it shall not, without the prior written consent of Blackstone in each instance, (i) use in advertising, publicity, marketing or other promotional materials or activities, the name, tradename, trademark, trade device, service mark or symbol, or any abbreviation adaptations, contraction or simulation thereof, of Blackstone or any of its affiliates or their respective partners or employees or (ii) represent, directly or indirectly, that any product or any service provided by Vendor has been approved or endorsed by Blackstone or any of its affiliates. Vendor and its contractors, employees and agents shall not hold themselves out as an employee, affiliate, or subsidiary of Blackstone at any time while performing or providing the Services under this Agreement. Any materials provided to Vendor by Blackstone pursuant to this Agreement or in connection with Vendor’s provision or performance of Services hereunder, bearing any Blackstone names, logos, styles, or trademarks may be used by Vendor only as necessary to provide or perform Services under this Agreement. This provision shall survive termination or expiration of this Agreement.
13.2 Obligations.
Each party (the “Recipient”) acknowledges that it may, in the course of performing its responsibilities under this Agreement, be exposed to or acquire Confidential Information of the other party or its affiliates (the “Discloser”) or their clients or to third parties to whom the other party owes a duty of confidentiality. Recipient agrees to hold the Confidential Information in confidence and will protect such Confidential Information from unauthorized disclosure or use with at least the same degree of care used to protect its own confidential or proprietary information but not less than a reasonable degree of care. Recipient agrees not to copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information to third parties or to use such information for any purposes whatsoever other than the performance of this Agreement. Vendor shall advise each of its Personnel, and if applicable approved subcontractors (and their employees), who may be exposed to the Confidential Information of their obligations to keep such information confidential.
13.3 Exclusions. Confidential Information shall not include information which such Party can document (a) is publicly known through lawful means; (b) was rightfully in the possession of or independently developed by such Party at the time of disclosure thereof by the other Party; (c) is disclosed to such Party without confidential or proprietary restriction by a third party who rightfully possesses the information (without confidential or proprietary restriction) and did not learn of it, directly or indirectly, from the other Party or (d) is required to be disclosed by law, a court order or competent government authority, provided that in such case the receiving Party shall promptly inform the disclosing Party of such requirement and shall
cooperate with the disclosing Party to allow such Party to obtain a protective order.
13.4 If Recipient is requested to disclose all or any part of any Confidential Information under a subpoena, or inquiry issued by a court of competent jurisdiction or by a judicial or administrative agency or legislative body or committee, Recipient shall, if permitted by law, (i) immediately notify Discloser of the existence, terms and circumstances surrounding such request; (ii) consult with Discloser on the advisability of taking legally available steps to resist or narrow such request and cooperate with Discloser on any such steps it considers advisable; and (iii) if disclosure of the Confidential Information is required or deemed advisable, exercise its best efforts to obtain an order, stipulation or other reliable assurance acceptable to Discloser that confidential treatment shall be accorded to such portion of the Confidential Information to be disclosed. Discloser shall reimburse Recipient for reasonable legal fees and expenses incurred in Recipient's effort to comply with this provision.
13.5 Upon the termination or expiration of this Agreement or any Ordering Document (or earlier if requested by Blackstone), Vendor shall at its cost return to Blackstone (or destroy) all copies of documents, papers or other material which may contain or be derived from the Confidential Information (excluding for purposes of this Section 8.d, this Agreement), including all Work Product, which are in Vendor's possession or control, together, if requested by Blackstone, with a certificate signed by Vendor in form and substance satisfactory to Blackstone, stating that all the Confidential Information has been returned.
13.6 Equitable Relief. Upon any breach of this Section 13 or threat thereof, the Party whose Confidential Information is at issue shall be entitled as a matter of right without proof of actual damages, to seek injunctive and other equitable relief, in
addition to any other remedies available to it at law or hereunder.
14. INFORMATION SECURITY.
14.1 The exclusions described in Section 13.3 shall not apply to any information that would otherwise be considered Confidential Information and that is or relates to identifiable personal or financial information provided by individual employees, consumers or customers to Blackstone and its affiliates and any list, description or other grouping of employees, consumers or customers that is derived using any such information (all such information, “Nonpublic Personal Information”). Any such Nonpublic Personal Information shall remain confidential in all circumstances. Vendor will implement, monitor, and maintain appropriate security measures, policies, and procedures to (1) ensure the security and confidentiality of Nonpublic Personal Information, (2) protect against any anticipated threats or hazards to the security or integrity of Nonpublic Personal Information, and (3) protect against unauthorized access to or use of Nonpublic Personal Information. Vendor shall periodically provide, at Blackstone’s written request, current information, and documentation (including, but not limited to, audits of its security measures, policies and procedures, summaries of test results, or other equivalent evaluations) confirming Vendor has satisfied its obligations under the preceding sentence.
14.2 Vendor shall (i) only process or use Confidential Information for the purpose of providing the Services and performing its obligations under this Agreement; (ii) implement and maintain administrative, technical and physical safeguards (the “Security Procedures”) designed to: (a) ensure the security and confidentiality of Confidential Information and of “Nonpublic Personal Information” (as that term is defined under Section 6809(4) of the Gramm-Leach-Bliley Act, and its
applicable implementing regulations); (b) protect against any anticipated or reasonably likely threats or hazards to the security or integrity of Confidential Information and Nonpublic Personal Information; (c) protect against any actual or suspected unauthorized access to or use, disclosure, procession or acquisition of Confidential Information and Nonpublic Personal Information that could result in harm or inconvenience to Blackstone, its employees, customers or consumers; and (d) ensure the proper disposal of Confidential Information and Nonpublic Personal Information. Vendor shall identify to Blackstone a Vendor representative who will serve as a 24/7 data security contact.
14.3 Vendor warrants and covenants its Security Procedures will, at all times during the term of this Agreement, (i) comply with all laws and regulations applicable to Vendor, (ii) meet or exceed the then current information security standards and practices that are commonly utilized by the leading service providers in Vendor’s industry that have access to Confidential Information or Nonpublic Personal Information, and (iii) in no event offer less protection than that which the Vendor affords to its own confidential information and materials.
14.4 Vendor further agrees, unless otherwise agreed by Blackstone in writing, it will not modify the Security Procedures in any way that might reasonably be expected to reduce the overall scope or level of security protections that (i) were in effect as of the Effective Date of this Agreement or (ii) were enhanced or increased after the Effective Date.
14.5 An Information Security Incident means (i) the failure of Vendor’s administrative, technical, and physical
safeguards and other security measures set forth in Section 14.3 or (ii) a mistake or malicious act by one of Vendor’s employees, agents or approved contractors that results in the loss of any data.
14.6 If Vendor becomes aware of any actual or suspected Information Security Incident, Vendor will take appropriate actions to contain and mitigate the Information Security Incident, including notifying Blackstone immediately in writing, but at most within twenty-four (24) hours, of learning of the Information Security Incident (subject to any delay requested by an appropriate law enforcement agency). Such notice shall summarize in reasonable detail the effect on Blackstone, if known, of the Information Security Incident and the corrective action taken or to be taken by Vendor.
14.7 Vendor shall promptly take all necessary and advisable corrective actions and shall cooperate fully with Blackstone in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. Vendor shall (i) investigate such Information Security Incident and perform a root cause analysis thereon; (ii) remediate the effects of such Information Security Incident; and (iii) provide Blackstone with such assurances as Blackstone shall request that such Information Security Incident is not likely to recur. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Blackstone prior to any publication or communication thereof.
14.8 Upon the occurrence of an Information Security Incident involving Non-public Personal Information in the possession, custody, or control of Vendor or for which Vendor is otherwise responsible, Vendor shall reimburse Blackstone on demand for all Notification Related Costs incurred by Blackstone arising out of or in connection with any such Information Security Incident.
“Notification Related Costs” shall include Blackstone’s internal and external costs associated with addressing and responding to the Information Security Incident, including but not limited to: (a) preparation and mailing or other transmission of legally required notifications and related communications that Blackstone deems reasonably appropriate; (b) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., customer service FAQs, talking points and training); (c) public relations and other similar crisis management services; (d) legal, consulting and accounting fees and expenses associated with Blackstone’s investigation of and response to such Information Security Incident; and (e) costs for commercially reasonable credit monitoring, identity protection and similar services that Blackstone deems are advisable under the circumstances.
15. INSURANCE.
15.1. During the term of this Agreement, Vendor shall maintain insurance in the minimum amounts as follows:
Workers Compensation: Statutory Workers Compensation in accordance with all state and local requirements of the state(s) in which work is to be performed.
Employers Liability insurance with minimum occurrence limits as follows:
  Bodily injury by accident: $1,000,000 each accident.
  Bodily injury by disease: $1,000,000 policy limit.
  Bodily injury by disease: $1,000,000 each employee.
Commercial General Liability Insurance, written on an occurrence basis, including bodily injury, property damage, personal injury, advertising injury, products and completed operations, and contractual liability, in an amount not less than:
  Each Occurrence Limit: $1,000,000.
  Products/Completed Operations Aggregate Limit: $1,000,000.
  Advertising Injury and Personal Injury Limit: $1,000,000.
  General Aggregate: $2,000,000.
Umbrella or Excess Liability Insurance: not less than $5,000,000 general aggregate.
Professional Liability or Errors & Omissions Insurance: $5,000,000 per claim and $5,000,000 in the aggregate; (If coverage is written on a claims–made basis, the coverage must be maintained for a period of three years post completion of contract or purchase of run-off or tail coverage.)
Cyberinsurance: $1,000,000 covering any and all loss, damage, liability, cost, or expense arising from, or in any way attributable to, an “Information Security Incident” involving
15.2. All insurance policies provided and maintained by Vendor shall be underwritten by insurers that are rated “A-VII” or higher. Vendor shall be responsible for any self-insured retentions, deductibles or self-insurance associated with the coverages described in this Section.
15.3. Vendor’s coverage shall be primary and non-contributory to the fullest extent afforded by the policies and applicable law.
15.4. The Commercial General Liability Insurance, Commercial Automobile Insurance, Employer’s Liability Insurance, Cyberinsurance and Umbrella or Excess Liability Insurance shall include a waiver of the insurers’ subrogation rights and coverage and shall name Blackstone as an Additional Insured.
15.5. Certificates of Insurance and evidence of the foregoing endorsements shall be provided to Blackstone upon request. Such certificates shall provide that the insurer will give thirty (30) days’ written notice to Blackstone prior to cancellation of any policy or endorsement.
15.6. The insurance requirements in this Section do not create a limitation of Vendor’s liability under this Agreement. If any claim by Blackstone against Vendor is a claim covered by an insurance policy maintained by Vendor, any recovery of proceeds under such policy will be paid to Blackstone to the extent Blackstone’s damages exceed the limitations of liability contained in this Agreement.
16. MISCELLANEOUS PROVISIONS.
16.1 Affiliate Orders. Each of Client’s Affiliates may enter into an Order Form with Vendor and each such Affiliate shall be responsible for all of its obligations under such Order Form and shall be considered “Client” with respect to that Order Form. Each Affiliate will pay for the Services set forth in such Order Form and be entitled to enforce the terms of this Agreement. The rights and interests which are granted hereunder include the right of Client and an Affiliate to purchase and use the Services, provided that, in each case, each Affiliate complies with the terms of this Agreement. If a “Client” who enters into an Order Form permits one or more Affiliates access and use of licenses that Client has purchased under such Order Form, such Client shall be fully liable for the acts and omissions of such Affiliates, and its and their employees, agents and contractors. The rights and damages of an Affiliate of a party to the Agreement shall be deemed the rights and damages of such party.
16.2 Notices. All notices relating to this Agreement shall be in writing, signed by the Party giving or making such notice or communication, and shall be delivered by: (a) personal delivery; (b) electronic transmission; (c) certified or registered mail, return receipt requested by electronic mail; or (d) recognized overnight courier service. Notices shall be deemed given upon personal delivery, three (3) business days after deposit in the mail, one (1) business day if delivered by overnight courier, or upon acknowledgment of electronic transmission. Notice shall be sent as follows:
From Vendor to Blackstone:
  Mr. John Finley, General Counsel
  The Blackstone Group, Inc.
  345 Park Avenue
  New York, NY 10154
  With a copy to:
From Blackstone to Vendor:
  Phylum, Inc.
  29592 Fairway Dr.
  Evergreen, CO 80439
  With a copy to:
Personal Information in Vendor’s possession, custody, or control, or for which Vendor is otherwise responsible. The Cyberinsurance required to be
maintained by Vendor shall include, without limitation, coverage for legal fees; notifications; investigation/forensic and restoration costs; crisis management/public relations; credit monitoring/identity protection services; call center expenses; network interruption and extra expense/business interruption; and cyber threat extortion costs.
Property Insurance: Full replacement value of any and all property of Vendor that may be used on Blackstone premises in connection with the Vendor’s duties.
Mr. John Stecher
The Blackstone Group, Inc.
345 Park Avenue
New York, NY 10154
Kevin Furgal, Attorney-at-Law
3129 Tiger Run Ct. #214
Carlsbad, CA 92010
16.3 Assignment. Neither Party may assign this Agreement without the express written consent of the other Party. Notwithstanding the foregoing, either Party may assign its rights or delegate its obligations without such consent to an entity that acquires all or substantially all of the business or assets of such party to which this Agreement pertains, whether by merger, reorganization, acquisition, sale, or otherwise. The Agreement, including both its obligations and benefits, shall inure to the benefit of and be binding upon the Parties and their respective successors, transferees and assigns.
16.4 Survival of Certain Provisions. Sections 1, 3.2, 3.3, 4.3, 7, 10, 11, 12, 13 and 16 hereof shall survive termination or expiration of this Agreement.
16.5 Choice of Law. The Agreement shall be construed in accordance with the laws of the State of New York, applicable to contracts entered into and to be performed therein without regard to principles of conflict of laws. Each of the Parties agree that in no event will this Agreement be governed by the U.N. Convention on Contracts for the International Sale of Goods.
16.6 Force Majeure.
Neither party shall be liable for any breach of this Agreement due to any circumstances outside such party’s reasonable control including, but not limited to, acts of God, fire, acts of government, war, military operation or riot, accidents, embargo, industrial actions (expressly excluding any labor issues which shall be deemed to be within the control of the affected party), terrorist threat, hereinafter referred to as a "Force Majeure Event". In case of a Force Majeure Event, the affected party shall notify the other party in writing providing it with all relevant information thereto. If a Force Majeure Event precludes Vendor from providing Services under this Agreement, Blackstone shall have the right to suspend payment for such Services (or, in the event Blackstone has pre-paid for such services, obtain a pro-rata refund from Vendor for the Force Majeure Event period) until Vendor is able to resume providing such Services. Unless otherwise set forth in this Agreement, if the Force Majeure Event continues for more than fifteen (15) consecutive days and the Vendor is the affected party, the Blackstone may immediately terminate this Agreement upon written notice to Vendor. Neither party shall be entitled to claim relief under this Section to the extent the effect of the force majeure event could have been avoided or mitigated by the proper performance of its disaster recovery and business continuity obligations.
16.7 Construction. Phylum and Client each acknowledge and agree that the Agreement was fully negotiated by the Parties and, therefore, no provision of the Agreement shall be interpreted against any Party because such Party or its legal representative drafted such provision.
16.8 Amendment; Waiver. No amendment or modification of this Agreement shall be valid or binding upon the Parties unless in writing and signed by an authorized officer of each Party. No failure or delay on the part of either Party in the exercise
of any right or privilege hereunder shall operate as a waiver thereof of the exercise of any other right or privilege hereunder, nor shall any single or partial exercise of any such right or privilege preclude other or further exercise thereof or of any other right or privilege.
16.9 Severability. If any provision of this Agreement is held to be ineffective, unenforceable or illegal for any reason, such decision shall not affect the validity or enforceability of any or all of the remaining portions thereof.
16.10 Exclusion of Alternative Terms. This Agreement contains the exclusive set of terms applicable to the Services, notwithstanding any other set of terms (i) that may be embedded in or displayed by the Services, during or after installation or operation of the Services, (ii) to which the Services may refer, (iii) that may accompany or be packaged with the Services, or (iv) that may be presented at any time to Blackstone personnel or agents orally, online, electronically or in writing (the foregoing, collectively, “Other Terms”), whether or not any Blackstone personnel or agent assents to the Other Terms online, electronically or otherwise at any time. Such Other Terms shall be void with respect to Blackstone.
16.11 Entire Agreement. This Agreement, and the applicable exhibits, constitutes the entire agreement of the parties with respect to the subject matter hereof and supersedes all prior agreements, proposals, and understandings, whether written or oral, between the parties with respect to such subject matter. The terms and conditions of this Agreement shall prevail regardless of any preprinted or conflicting terms on a Client’s purchase order; any preprinted or conflicting terms shall be null and void, unless expressly stated on an Order Form.
16.12 Counterparts. This Agreement may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
This Agreement may be executed by scanned signatures. This Agreement may also be executed and delivered by PDF or any electronic signature complying with the U.S. federal ESIGN Act of 2000 (e.g., www.docusign.com).
16.13 Relationship of Parties. Each of the parties is an independent contractor and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise or agency between them. Neither Party will have the power to bind the other or incur obligations on the other’s behalf.
IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed and delivered as of the Effective Date, and represent that the persons whose signatures appear below are duly authorized:
BLACKSTONE ADMINISTRATIVE SERVICES PARTNERSHIP L.P.
BY: BLACKSTONE HOLDINGS I – SUB GP L.L.C. Its general partners.
  By:
  Name: John Stecher
  Title: Chief Technology Officer
  Date:
PHYLUM, INC.
  By:
  Name:
  Title:
  Date:
DocuSign Envelope ID: F72C114F-FAFB-4EE1-B192-DDC22048212A. 3/30/2022. 05373060-9E7F-4 D9-849C-B 346303B63 President Peter Morgan. 4/6/2022.
Exhibit A.
ORDER FORM.
Order Form Prepared For:
  Name: James Chiappetta
  Title: SVP Cybersecurity
  Address: 345 Park Avenue
  City, State, Zip: New York, New York, 10154
  Email: james.chiappetta@blackstone.com
Phylum Contact:
  Name: Peter Morgan
  Title: President
  Phone: 920.203.4600
  Email: pete@phylum.io
Order Term: Period of Performance: March 30, 2022 – March 30, 2023.
Scope: During the Order Term, Phylum will provide licenses to Client for the following Solutions:
  Total Number of Developers: 200.
Fees:
  Phylum License Price: $75 USD per developer per month.
  Monthly Total: $15,000 USD.
  Total Annual Fee: $180,000 USD.
  Early adopter discount: 90%.
  Total Fee after application of discount: $20,000 USD.
Standard Client Support Services:
• Available during normal business hours of 8:00 a.m. to 5:00 p.m. (MT) on weekdays, exclusive of holidays at support@phylum.io.
• Slack is available during normal business hours of 8:00 a.m. to 5:00 p.m. (MT) on weekdays, exclusive of holidays
• The initial kick-off and training is conducted via online meetings and will be coordinated by Phylum.
Additional Terms and Conditions:
1. This Order Form is subject to the terms and conditions of the Phylum Master Subscription Agreement (“MSA”) executed by the parties as of even date herewith.
2. The renewal cap set forth in Section 7.2 of the MSA shall not apply to this Order Form. Prior to any renewal the parties shall negotiate in good faith to agree upon renewal pricing provided such pricing shall reflect a minimum of 50% off the list Phylum license price, not to exceed a cost of $50 per developer per month.
3. All terms not otherwise defined in this Order Form shall have the meanings as set forth in the MSA.
4. The parties agree that this Order Form is confidential and subject to the Mutual Non-Disclosure Agreement between the Parties dated October 5, 2021.
In WITNESS WHEREOF, the Parties have caused this Order Form to be executed and delivered as of the dates set forth below, and represent that the persons whose signatures appear below are duly authorized.
BLACKSTONE ADMINISTRATIVE SERVICES PARTNERSHIP L.P.
BY: BLACKSTONE HOLDINGS I – SUB GP L.L.C. Its general partners.
  By:
  Name: John Stecher
  Title: Chief Technology Officer
  Date:
PHYLUM, INC.
  By:
  Name:
  Title:
  Date:
3/30/2022. President Peter Morgan. 4/6/2022.
EXHIBIT B.
Blackstone Hosted Services Addendum.
This Addendum forms a part of, is incorporated by this reference into, and is governed by the Master Subscription Agreement dated
March 3, 2022 between Customer and Vendor (the “Agreement”). This Addendum supplements the Agreement and applies to the products and services (“Solutions”) covered by the Agreement. In the event of a conflict or inconsistency, the terms of this Addendum shall supersede those of the Agreement. Capitalized terms used but not defined in this Addendum have the meanings given to them in the Agreement.
1. GENERAL.
Pursuant to the Agreement, Vendor is providing Customer a comprehensive software and service hosting solution (the “Hosted Service”). As part of the Hosted Service, Vendor will undertake to format, configure, operate, administer and monitor the provision of the Hosted Service, which will comport with all technical specifications and standards set forth in this Addendum.
[The Hosted Service will be hosted on the equipment (the “Hosted System”) of a third party (the “Hosted System Provider”), which equipment is necessary to access, use and operate the Hosted Service and any other Solutions provided under the Agreement. The Hosted System Provider is initially: [Amazon Web Services (AWS) US-East-1, US-West-2]. Vendor has thoroughly examined Customer’s current computer networking platform and its document hosting and data security requirements and confirms that the Hosted System will interact and operate with the Hosted Services and provide a secured cloud hosting environment in accordance with the specifications of this Addendum and in accordance with industry standards for the protection of confidential information.
Vendor shall ensure that the Hosted Service operates as efficiently (and without defect) as possible in conjunction with the Hosted System, including ensuring that all new general releases, patches, fixes and other software updates are installed continuously on a pre-arranged scheduled basis on the Hosted System for Customer’s use. Vendor shall notify Customer in the event that any such
release, patch, fix or update is installed and shall provide Customer sufficient documentation and instruction necessary to effectively utilize the same. Vendor shall inform Customer as soon as practicable, in writing, whenever there are any changes to the Hosted System Provider’s contractual terms (including pricing) or those of any future Hosted System provider, to the extent affecting the Hosted Service or any of the Solutions.
2. SECURITY.
The following standards are designed to employ a layered approach to security from technical application specifications to process, procedures and policy.
A. Application Security.
Vendor shall implement the following best practices with regards to development and deployment of the application. Vendor shall maintain, at no expense to Customer, appropriate systems security for the Hosted Service in accordance with commercially reasonable industry standards and practices designed to protect all data and information provided by or on behalf of Customer that is input into, displayed on, or processed by the Hosted Service and all output therefrom (“Customer Data”) from theft, unauthorized disclosure, and unauthorized access. Such systems security includes, among other things, the following practices and procedures with respect to the Hosted Service: (i) implementation of application vulnerability tests and provision to Customer of evidence of tests and results; (ii) all communications to web security layer transmitted using robust secure protocol; and (iii) the following safeguards:
Authentication.
• All access is authenticated and communication secured using industry best practices.
• Systems identity is tied to an individual user by the use of credentials and/or by second factor authentication.
• Provide reasonable authentication controls that conforms to industry recognized standards.
Authorization.
• Ensure that only authorized users are allowed to perform actions within their privileged level.
• Control access to protected resources based upon role or privileged level.
• Prevent privilege escalation attacks.
Secure Coding Practices.
• Developers should be trained on secure developing best practices.
• Applications should be written in a secure manner to implement common security best practices, such as input validation, session management, SQL injection, and cross site scripting mitigation.
• These requirements should be validated by tools such as dynamic application scanning and/or static code analysis
Password and Account Management.
• Password should follow best practices, including:
  o Encrypting password using salt/hash.
  o Enforcing password complexity.
  o Limiting failed attempts before account lockout.
  o Not allowing clear passwords.
  o Password reset does not send credentials.
• Where appropriate, Vendor shall securely log (with time and date) commands requiring additional privileges to enable a complete audit trail of activities.
B. Data Security.
Vendor shall implement the following best practices.
Data at Rest.
• Customer Data encrypted using industry best practices.
• Backups of Customer Data have the same controls as production data.
Data in Motion.
• Customer Data ingested from client should be encrypted (e.g., SFTP, certificate based authentication).
• Customer Data sent over browser should use TLSv1.0 or better.
Multi-tenancy.
• In a multitenant environment, Vendor should provide appropriate security controls and robust cryptographic methods to protect and isolate Customer Data from other tenants.
Administrative Access and Environmental Segregation.
• Applying principle of least privilege - proper controls should be in place to ensure that access is limited to administrators who must see Customer Data.
• Where possible confidential data should be masked with one way hashing algorithms.
• Customer Data should not be replicated to non-production environments.

Personally Identifiable information.
• Personally identifiable information, as defined under the privacy laws of the applicable jurisdictions worldwide (“PII”), should be secured using one way hashing algorithm and should only be accessible by defined list of personnel approved by Customer.

C. Threat Management. Vendor shall implement the following best practices.

Malware.
Vendor shall install commercially reasonable malicious code detection software, including virus detection and malware detectors, on all systems underlying the Hosted Service and used to access, process or store Customer Data, including the firewall, server, and web application levels. In addition, all anti-virus definition files shall be updated continuously, on a scheduled basis, following the availability of such updates by the software provider, and the malicious code detection software shall provide protection consistent with generally accepted industry standards and best practices of leading companies in the critical data storage and security industry.
Vendor shall ensure that the Hosted Service does not and shall not contain any disabling code (defined as computer code designed to interfere with the normal operation of the Hosted Service) or any program routine, device or other undisclosed feature (such as a time bomb, virus, software lock, drop-dead device, malicious logic, worm, Trojan horse, or trap door) that is designed to delete, disable, deactivate, interfere with or otherwise harm the Hosted Service or Customer Data.

Intrusion Detection.
Vendor shall implement and maintain an intrusion detection monitoring process at the network and/or host level to protect the Hosted Service and to detect unwanted or hostile network traffic. Vendor shall update its intrusion detection software continuously, on a scheduled basis following the availability of updates by the software provider. Vendor shall implement measures to ensure that Vendor is alerted when the system or service detects unusual or malicious activity. Vendor shall notify Customer within five (5) days of any significant intrusion.

Penetration tests.
As a way to validate vendor threat management capabilities, Customer has the right to perform, or to have a third party perform, independent intrusive application penetration tests on its segmented data and directories of the Hosted Service infrastructure at its own expense, no more than twice per year, and Vendor shall reasonably facilitate the same. In addition, Vendor shall conduct penetration tests at least once per year on its client-wide cloud computing environment and will provide Customer written copies of such penetration tests performed by Vendor or its subcontractors no more than thirty (30) days after Vendor receives the results or reports.

D. Infrastructure Security. Vendor shall configure the Infrastructure (e.g., servers and network devices) and platforms (e.g., OS and web servers) to be secure following these best practices.

Audit Logging.
• Vendor shall monitor and log all system access to the Hosted Service to produce an audit trail that includes, but is not limited to, web server logs, application logs, system logs, and network event logs.
• The logs should be stored off system to reduce risk or loss due to tampering.

Network Security.
• Vendor shall comply with industry standards, separating perimeter networks from endpoints hosted in the private network using Industry standard firewalls. Vendor shall update its firewall software continuously, on a scheduled basis, following the availability of updates by the software provider.
• Vendor shall test its perimeter devices continuously, on a scheduled basis and, if deficiencies are discovered, Vendor shall promptly troubleshoot and remediate security deficiencies discovered as a result of such testing or as a result of logging access attempts, based upon the risk of the deficiency.

Vulnerability Management. In addition to the third-party vulnerability assessments described above, Vendor shall implement commercially reasonable processes designed to protect Customer Data from system vulnerabilities, including:
• Perimeter Scanning: Vendor shall perform perimeter scanning through the use of embedded adaptors within Vendor’s infrastructure providing information to an external reporting tool. Vendor shall produce reports monthly and make them available to Customer on a monthly basis upon written request.
• Internal Infrastructure Scanning: Vendor shall perform internal infrastructure scanning through the use of embedded adaptors within Vendor’s infrastructure providing information to an external reporting tool through a VISA-approved PCI scanning vendor. Vendor shall produce reports monthly and make them available to Customer on a monthly basis upon written request.
• Application Vulnerability Scanning: Vendor shall perform application vulnerability scanning on the Hosted Service before code is released into production. Vendor shall produce reports shortly thereafter and make them available to Customer following a written request.
• Malware Scanning: Vendor shall perform anti-malware scanning on all servers utilized in performing the Hosted Service, under a central management platform.

Secure Configuration.
• Vendor shall comply with industry standards for platform hardening and secure configuration in order to reduce attack surface. Hardening procedures should be enforced before system is put into production.

E. Security Procedures. Vendor shall implement the following best practices.

Incident Response.
• Vendor shall maintain security incident management policies and procedures, including detailed security incident escalation procedures. Vendor agrees to comply with all applicable laws relating to the handling, processing and protection of PII. In the event of a breach of any of Vendor’s security or confidentiality obligations hereunder, Vendor agrees to (i) notify Customer by telephone and e-mail of such an event within twenty four (24) hours of discovery; and (ii) upon Customer’s written approval, inform all such individuals of such breach, or assist Customer in providing such notice; provided, in any case, Vendor shall bear the costs of any such notification and reasonable costs for procuring credit bureau services related to the PII that gave rise to the breach. Vendor shall be solely responsible for its subcontractors. Vendor will also promptly perform an investigation into the breach, take appropriate remedial measures, and provide Customer with the name of a single Vendor security representative who can be reached with security questions or security concerns twenty-four (24) hours per day, seven (7) days per week, during the scope of Vendor’s investigation.

Patch Management.
• Vendor shall use a patch management process and toolset to keep all servers up to date with appropriate security and feature patches.

Documented Remediation Process.
• Vendor shall use a documented remediation process designed to timely address all identified threats and vulnerabilities with respect to the Hosted Service. High severity findings should be remediated within thirty (30) days or reported to Customer.

Employee Termination Procedures.
• Vendor shall promptly terminate all credentials and access to privileged password facilities of a Vendor employee in the event of termination of his or her employment.

F. Governance. Vendor should implement the following best practices.
Security Policy.
• Vendor shall maintain, at no expense to Customer, an information security policy that is approved annually by Vendor and published and communicated to all Vendor employees and relevant third parties. Vendor shall maintain a dedicated security and compliance function to design, maintain, and operate security in support of its “trust platform” in line with industry standards. This function shall focus on developing policies and procedures for system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment, and statements of applicability. Vendor shall provide evidence of a security policy.

Security Reviews.
• Customer and Vendor shall meet at least once annually, such meetings to be attended by senior level management, to discuss (i) the effectiveness of the Hosted Service’s security platform; and (ii) any updates, patches, fixes, innovations or other improvements made to electronic data security and cloud computing environments by other commercial providers or for other Vendor customers that Vendor or Customer believe will improve the effectiveness of the Hosted Service’s security platform for Customer.

Third Party Audits and Compliance Standards.
• Vendor shall provide Customer with a copy of any security audit (including SSAE 16, AICPA Service Organization Control Reports or independent audits) that is performed no more than thirty (30) days after Vendor receives the results or reports. Customer has the right to, or to engage a third party on its behalf to, visit Vendor’s offices up to four (4) times per calendar year in order to conduct due diligence and auditing procedures on Vendor’s business operations related to the Hosted Service in terms of technical infrastructure, cloud interaction, organization, quality, quality control, personnel involved with services for Customer, and general resources in terms of skills and personnel are concerned.
  o SSAE 16 Audit. If applicable, Vendor will furnish evidence of a successful SSAE-16 audit upon Customer request to the extent permitted by law and subject to applicable regulatory restrictions and confidentiality obligations. Vendor must verify that the audit certifies all Infrastructure and applications that support and deliver services to Customer Data.
  o ISO 27001 Audit. If applicable, Vendor will furnish evidence of a successful ISO 27001 audit upon Customer request to the extent permitted by law and subject to applicable regulatory restrictions and confidentiality obligations. Vendor must verify that the audit certifies all Infrastructure and applications that support and deliver services to Customer Data.
  o PCI-DSS Compliance. If applicable, Vendor shall maintain, at no expense to Customer, policies, practices, and procedures sufficient to comply with the Payment Card Industry Data Security Standard, as the same may be amended from time to time, with respect to the Hosted Service.
  o Vulnerability Assessments. At least annually and at no expense to Customer, Vendor shall conduct an application vulnerability assessment with respect to the handling of data relating to the Hosted Service, which assessment will be performed by a qualified independent third party. Upon Customer’s request, Vendor shall provide Customer with copies of documentation relevant to such assessment to the extent permitted by law and subject to applicable regulatory restrictions and confidentiality obligations.

G. Physical Security. Vendor should implement the following best practices.
Vendor shall limit access to its facilities utilized in performing the Hosted Service to employees and employee-accompanied visitors using commercially reasonable Internet-industry standard physical security methods. At a minimum, such methods shall include visitor sign-ins, restricted access key cards or locks for employees, limited access to server rooms and archival backups, and burglar/intrusion alarm systems.

H. Right to Audit.
Client has the right to, or to engage a third party on its behalf to, at its own expense, visit Vendor’s offices once per calendar year in order to conduct due diligence and auditing procedures on Vendor’s business operations related to the Hosted Service in terms of technical infrastructure, cloud interaction, organization, quality, quality control, personnel involved with services for Client, and general resources in terms of skills and personnel are concerned.

I. Disaster Recovery. Vendor should implement the following best practices.
Vendor shall have a disaster recovery plan in place for the restoration of critical process and operations of the Hosted Service at the hosting location from which the Hosted Service is provided. Vendor shall also have an annually tested business continuity plan in place to assist Vendor in reacting to a disaster in a planned and tested manner. Vendor shall provide Customer with a copy of its then-current plan promptly following Customer’s written request for same. The goals of such a plan must differ between a failure that is contained within the Hosted System provider’s datacenter (“Type A Incident”) and a failure in which an entire Hosted System provider datacenter is not available (“Type B Incident”). Key features and goals of the plans shall include:

Recovery Point Objective (RPO).
• Backup state frequency up to one (1) hour of user data in a Type A Incident and up to twenty-four (24) hours in a Type B Incident.

Recovery Time Objective (RTO).
• Recovery time objective is three (3) hours after a critical system malfunction is detected. Up to one (1) hour assigned for attempting to fix existing conditions without resorting to full disaster recovery procedure and two (2) additional hours for full disaster recovery.
• Vendor shall provide notification to Customer for any disaster that causes the Hosted Service to be down and unavailable within 30 minutes of such disaster. Within one (1) day after such disaster, Vendor will recover the Hosted Service and Customer Data.
• If Vendor’s disaster recovery plan is invoked, (a) Vendor shall execute such plan and restore the Hosted Service to the service availability service level required pursuant to this Addendum, and (b) Customer shall be treated with at least the same priority as any other Vendor customer.

Backup Management.
• Vendor shall perform full backups of the database(s) containing Customer Data no less than once per day without interruption of the Hosted Service. Vendor shall also provide off-site archival storage on no less than a weekly basis of all backups of the database(s) containing Customer Data on secure server(s) or other commercially acceptable secure media. Such data backups will be encrypted, sent off-site to a secure location each business day and stored/retained for seven (7) years. Vendor shall also make back-up copies of data and information critical to the continuity of its business to ensure delivery of the hosted service in the event of a disaster or disruption and Vendor shall conduct periodic tests to ensure the effectiveness of its back-up systems.
• In order to recover from a Type B Incident, the required backed up data is replicated over at least three geographically dispersed data centers at any point in time.
Backup snapshots may be periodically sent to another datacenter. Data retention for a Type A Incident utilizes twenty-four (24) hourly snapshots, fourteen (14) daily snapshots and three (3) monthly snapshots. This backup policy is designed to allow for a partial restore of the system as well as a full system restore.

This Addendum may not be modified except in writing signed by an authorized signatory for each party. The invalidity or unenforceability of any provision of this Addendum shall not affect the other provisions hereof, all of which shall remain enforceable in accordance with their terms. The undersigned parties have caused this Addendum to be executed by their respective duly authorized representatives.

CUSTOMER
Blackstone Administrative Services Partnership L.P.
By: Blackstone Holdings I - Sub GP L.L.C.
By: ____________________________
Name: John Stecher
Title: Chief Technology Officer
Date: ____________________

VENDOR
PHYLUM, INC.
By:
Name:
Title:
Date: ____________________

DocuSign Envelope ID: F72C114F-FAFB-4EE1-B192-DDC22048212A. 3/30/2022. 05373060-9E7F-4 D9-849C-B 346303B63. 4/6/2022. Peter Morgan. President.