These Terms and Conditions are entered into between the MRI Software company named in the attached Purchase Order Document (“MRI”) and the Vendor named in the Purchase Order Document, and the authorized representatives of the Parties hereby agree to these Terms and Conditions to be effective as of the date of the Purchase Order Document (“Effective Date”). As used in these Terms and Conditions, “Party” means either Vendor or MRI, as appropriate, and “Parties” means Vendor and MRI.
1. Purpose and Scope
1.1 Agreement. These Terms and Conditions establish the general terms and conditions to which the Parties have agreed in order to facilitate the licensing of software and/or content, and/or other products and/or the provision of services and/or the purchase of products. All references to the “Agreement” shall include these Terms and Conditions and the Purchase Order Document.
1.2 Incorporation of Purchase Order Documents. “Purchase Order Document” means the document(s), regardless of its actual name, executed by the Parties which incorporates by reference the terms of this Agreement and describes order-specific information, such as description of Products and/or Services ordered.
2. Definitions
2.1 “Business Days” means Monday through Friday from 9 a.m. to 5 p.m. local time and excludes weekends and public holidays.
2.2 “Confidential Information” means, for the purposes of this Agreement, the terms and conditions of this Agreement, customer data and all non-public information about the disclosing party’s (or its suppliers’) business or activities that is proprietary and confidential, which shall include all business, financial, technical, and other information of either party, whether or not it is marked or designated by such party as “confidential” or “proprietary” at the time of disclosure. Confidential Information shall also include MRI’s Intellectual Property. The Parties agree that the non-disclosure agreement executed previously by the Parties shall continue to apply in the context of this Agreement.
2.3 “Deliverables” means all goods, materials, work product, services, and other outputs to be provided by or on behalf of the Vendor under this Agreement, as more specifically described in the applicable Purchase Order Document.
2.4 “Vendor Property” means any works owned and created by Vendor, that are outside of the Services but are utilized by Vendor to perform such Services.
2.5 “Fee(s)” means the Fee owed by MRI to Vendor, payable thirty (30) days after receipt of Vendor’s undisputed invoice, as further set out in the Purchase Order Document.
2.6 “Initial Term” means the term set out in the Purchase Order Document, if any.
2.7 “Intellectual Property” means any and all intellectual property rights, recognized in any country or jurisdiction in the world, now or hereafter existing, and whether or not perfected, filed or recorded, including without limitation inventions, technology, patent rights (including patent applications and disclosures), copyrights, trade secrets, trademarks, service marks, trade dress, methodologies, procedures, processes, know-how, tools, utilities, techniques, various concepts, ideas, methods, models, templates, software, source code, algorithms, the generalized features of the structure, sequence and organization of software, user interfaces and screen designs, general purpose consulting and software tools, utilities and routines, and logic, coherence and methods of operation of systems, training methodology and materials, which MRI has created, acquired or otherwise has rights in, and may, in connection with the performance of Services hereunder, create, employ, provide, modify, create, acquire or otherwise obtain rights in.
2.8 “Losses” means direct losses, costs, claims, damages, attorneys’ fees, liabilities, penalties, court awards, final judgments, settlements and other similar costs and expenses.
2.9 “Onsite Rules of Conduct” means those rules set out by MRI if applicable.
2.10 “Products” means the Products which Vendor is authorised to provide to MRI under the terms and conditions of this Agreement, as further detailed and described in a Purchase Order Document.
2.11 “Protected Materials” means MRI products, content, software, services, Deliverables, license keys and MRI’s or its licensors’ Intellectual Property or Confidential Information.
2.12 “Security Requirements” means those requirements set out in Exhibit 1.
2.13 “Services” means the Services which Vendor is authorised to provide to MRI under the terms and conditions of this Agreement, as further detailed and described in a Purchase Order Document.
2.14 “Term” means the Initial Term and any Renewal Term (as defined below) as set out in the Purchase Order Document, if any.
2.15 “Trademark Usage Requirements” means those requirements found at https://www.mrisoftware.com/partner-resources/partner-marketing/ as modified and updated by MRI from time to time.
2.16 Headings are included in this Agreement for ease of reference only and shall not affect the interpretation or construction of this Agreement.
2.17 Unless the context otherwise requires (a) words in the singular shall include the plural and in the plural shall include the singular; (b) a reference to any statute, statutory provision, enactment, order, regulation, or other similar instrument shall be construed as a reference to the statute, enactment, order, regulation or instrument as amended by or under any subsequent statute, statutory provision, enactment, order, regulation or instrument or as contained in any subsequent re-enactment.
2.18 References to this Agreement are to this Agreement, as amended, supplemented, substituted, novated, or assigned.
2.19 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality) and that person’s personal representatives, successors and permitted assigns.
2.20 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
3 Products and Services. Vendor shall provide the Products and/or Services specified in the applicable Purchase Order Document, in accordance with the terms and conditions of this Agreement and the applicable Purchase Order Document. In the event of any conflict or inconsistency between this Agreement and a Purchase Order Document, this Agreement shall prevail unless the Purchase Order Document expressly states that it is intended to override a specific provision of this Agreement. The Purchase Order Document shall incorporate the terms of this Agreement.
4 Trademark License. Vendor will not attempt to register any trademark, trade name or service mark that is confusingly similar to any MRI Intellectual Property. Vendor agrees to comply with the Trademark Usage Requirements for any use of MRI’s Intellectual Property during the Term.
5 Independent Contractor. Vendor acknowledges that its employees or third-party individuals engaged by Vendor are and never shall be regarded as an MRI employee, and Vendor acknowledges that it is an independent contractor and, as such, it is Vendor’s sole obligation to report as income all compensation received by Vendor from MRI for Services rendered.
6 Relationship between the Parties. This Agreement is non-exclusive. Nothing in this Agreement shall be construed to create an agency, joint venture, partnership or other form of business association between the Parties. Neither Party has the right or authority to make any contract, representation, or binding promise of any nature on behalf of the other Party, whether oral or written, without the express written consent of the other Party. Each Party shall be and remain solely responsible for wages, hours, and other conditions of employment of its own personnel during the Term. Each Party is liable for the performance or nonperformance of its employees and contractors, who shall be bound by the terms of this Agreement. Vendor represents and warrants that there is no present conflict of interest between Vendor’s other contracts for services, employment or endeavors, if any, and the Services to be provided pursuant to this Agreement and Vendor will ensure that no such conflict arises during the Term.
7. Assignment of Ownership of Intellectual Property
7.1 Vendor acknowledges and agrees that all Intellectual Property rights in the Services in any form, including without limitation any modifications, enhancements, results and derivatives thereof, belong to, and shall remain vested in, MRI, and the Vendor shall have no rights in or to the MRI Intellectual Property other than the right to use them in accordance with the terms of this Agreement. This Agreement does not grant the Vendor any rights to, or in, any patents, copyright, database right, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licenses in respect of the MRI Intellectual Property. Vendor Property shall continue to be owned by Vendor.
7.2 Additionally, except as otherwise specifically provided in this Agreement, Vendor shall not itself, or through any affiliate, employee, Vendor, contractor, agent or other third party: (i) sell, resell, distribute, host, lease, rent, license or sublicense, in whole or in part, the Protected Materials; (ii) decipher, decompile, disassemble, reverse assemble, modify, translate, reverse engineer or otherwise attempt to derive source code, algorithms, tags, specifications, architecture, structure or other elements of the Protected Materials, including the license keys, in whole or in part, for competitive purposes or otherwise; (iii) allow access to, provide, divulge or make available the Protected Materials to any person or entity; (iv) write or develop any derivative works based upon the Protected Materials; (v) modify, adapt, translate or otherwise make any changes to the Protected Materials or any part thereof; (vi) use the Protected Materials to provide processing services to third parties, or otherwise use the same on a ‘service bureau’ basis; (vii) disclose or publish, without MRI’s prior written consent, performance or capacity statistics or the results of any benchmark test performed on the Protected Materials; or (viii) otherwise use or copy the Protected Materials except as expressly permitted herein.
7.3 Vendor shall notify MRI of the creation of any Intellectual Property, shall provide a copy of such Intellectual Property to MRI within thirty (30) calendar days of creation, and shall assign to MRI all right, title and interest in and to such Intellectual Property.
8. Warranties and Indemnification
8.1 Warranties. In addition to any specific Product and/or Services warranties set out in the applicable Purchase Order Document, if any, Vendor represents and warrants that: (i) if a corporation, it is a corporation duly incorporated, validly existing and in good standing; (ii) it has all requisite corporate power and authority to execute, deliver and perform its obligations hereunder; (iii) it is duly licensed, authorized or qualified to do business and is in good standing in every jurisdiction in which a license, authorization or qualification is required for the ownership or leasing of its assets or the transaction of business of the character transacted by it except when the failure to be so licensed, authorized or qualified would not have a material, adverse effect on its ability to fulfill its obligations hereunder; (iv) it shall comply with all laws and regulations applicable to the performance of its obligations hereunder and shall obtain all applicable permits and licenses required of it in connection with its obligations hereunder; and (v) it is not a party to any agreement with a third party, the performance of which is reasonably likely to affect adversely its ability or the ability of the other party to perform fully its respective obligations hereunder. Vendor represents and warrants that all Services rendered pursuant to this Agreement shall be performed by Vendor and its employees or its subcontractors as approved by MRI. Vendor shall be liable for the performance of its employees and subcontractors who will perform Services and agrees that those employees and subcontractors shall be bound by the terms of this Agreement. Vendor shall not hire any subcontractors to perform the Services without MRI’s prior written consent exercised in its sole discretion. 
Vendor represents and warrants that any Services performed at an onsite MRI facility under this Agreement will be in accordance with the Onsite Rules of Conduct (i) which may be amended by MRI from time to time in its sole discretion, and (ii) which may be added by mutual agreement of the Parties in connection with a specific Purchase Order Document.
8.2 General Indemnity. Vendor shall, at its expense, defend, indemnify and hold MRI (including its affiliates) harmless from and against any and all Losses resulting from claims made by a third party arising from (i) any breach or alleged breach of any of Vendor’s representations and warranties hereunder; (ii) Vendor’s negligent acts, omissions and/or willful misconduct in providing the Services hereunder; (iii) the death or injury of any person or persons, including employees of MRI; or (iv) the damage or destruction of any physical property or properties, and attributable to or resulting from the performance of this Agreement by Vendor.
8.3 Intellectual Property Indemnity. Vendor shall defend, indemnify, and hold harmless MRI (including its affiliates, directors, officers, and employees) from and against any Losses resulting from any third-party claim arising out of or relating to any claim that Vendor’s Intellectual Property infringes any such third party’s Intellectual Property.
9. Limitation of Liability
9.1 EXCEPT FOR A BREACH OF SECTIONS 10, 11 OR IN CONNECTION WITH VENDOR’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8 ABOVE, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
9.2 WITHOUT LIMITING THE FOREGOING, IF ANY SERVICES WILL BE PERFORMED IN CALIFORNIA, VENDOR EXPRESSLY ACKNOWLEDGES THAT (i) VENDOR IS AWARE OF THE REQUIREMENTS OF CALIFORNIA LABOR CODE SECTION 2810 AND EXPRESSLY REPRESENTS THAT VENDOR’S FEES UNDER THIS AGREEMENT SUFFICE SO THAT VENDOR CAN AND WILL COMPLY WITH ALL APPLICABLE LOCAL, STATE, AND FEDERAL LAWS OR REGULATIONS GOVERNING THE LABOR OR SERVICES TO BE PROVIDED AND (ii) MRI MAY AND SHALL RELY UPON SUCH REPRESENTATION.
9.3 THE ENTIRE CUMULATIVE LIABILITY OF MRI AND ITS REPRESENTATIVES FOR ANY REASON UNDER THIS AGREEMENT SHALL BE LIMITED TO USD $100,000/GBP £100,000/AUD $100,000 DEPENDING ON YOUR REGION. THE PARTIES EXPRESSLY ACKNOWLEDGE AND AGREE THAT MRI HAS ENTERED INTO THIS AGREEMENT IN RELIANCE UPON THE LIMITATIONS OF LIABILITY SPECIFIED HEREIN, WHICH ALLOCATE THE RISK BETWEEN MRI AND VENDOR AND FORM A BASIS OF THE BARGAIN BETWEEN THE PARTIES.
10. Confidentiality
10.1 Confidential Information will not include information that: (i) is in or enters the public domain without breach of this Agreement; (ii) the receiving party lawfully receives from a third party without restriction on disclosure and without breach of a nondisclosure obligation; (iii) the receiving Party rightfully knew prior to receiving such information from the disclosing party; or (iv) the receiving Party develops independent of any information originating from the disclosing Party.
10.2 Each Party agrees that: (i) it will not disclose to any third party any Confidential Information disclosed to it by the other Party except as expressly permitted in this Agreement; (ii) it will not use any Confidential Information disclosed to it by the other Party except as necessary to perform its obligations under this Agreement; and (iii) it will take all reasonable measures to maintain the confidentiality of all Confidential Information of the other Party in its possession or control, which will in no event be less than the measures it uses to maintain the confidentiality of its own information of similar importance. Notwithstanding the foregoing, each Party may disclose Confidential Information to the extent required by a court of competent jurisdiction or other governmental authority or otherwise as required by law, provided that such Party uses reasonable efforts to request confidential treatment or a protective order before such disclosure; or on a “need-to-know” basis under an obligation of confidentiality to its legal counsel and accountants.
10.3 Vendor acknowledges and agrees that Vendor’s breach of the provisions under this Section 10 will result in irreparable harm to MRI and that MRI will have the right to enforce this Agreement and any of its provisions by injunction, specific performance and/or other equitable relief without prejudice to any other rights and remedies that MRI may have.
10.4 Nothing in this Agreement shall relieve any Party of any of its obligations under any separate non-disclosure agreement between the Parties, including any obligation with respect to procedures for handling customer data or other similarly sensitive information.
10.5 Notwithstanding anything to the contrary contained in this Agreement, Vendor agrees to comply with the Security Requirements and Onsite Rules of Conduct, as may be amended by MRI from time to time.
11 Data Security. Vendor shall comply with MRI’s then-current policies and guidelines regarding the secure handling of MRI data. Vendor shall comply with all applicable laws, rules and regulations relating to its receipt or use of MRI data. In addition, Vendor shall use its commercially reasonable efforts in handling and protecting the collection, transmission and storage of MRI data and MRI Confidential Information, provided that such efforts shall not be less than customary industry standards exercised by MRI and its customers.
12. Term, Termination and Survival
12.1 Term. Unless otherwise terminated in accordance with the terms of this Agreement, the term of this Agreement shall commence on the Effective Date and shall continue thereafter for the Initial Term. Upon expiration of the Initial Term, this Agreement shall automatically expire, unless the Parties expressly agree in writing to extend or renew the Agreement prior to such expiration (each a “Renewal Term”).
12.2 Termination for Cause. Either Party may terminate this Agreement due to a material breach of this Agreement by the other Party, if such material breach remains uncured for a period of thirty (30) calendar days following issuance of written notice by the non-breaching Party.
12.3 Termination for MRI. MRI may terminate this Agreement upon thirty (30) calendar days advance written notice to the Vendor for any reason, including but not limited to, in the event of a merger, sale, or acquisition of all or substantially all of the assets of either MRI or Vendor or in the event that Vendor assigns or transfers this Agreement or any Purchase Order Document to a direct or indirect competitor of MRI.
12.4 Effect of Termination. Upon termination or expiration of this Agreement, or at any prior time upon the request of MRI, Vendor will promptly deliver to MRI, all material memoranda, notes, records, drawings, manuals, disks, documents, media, equipment, papers, badges, access codes or other information, obtained by Vendor from MRI or otherwise pertaining to the Services or to MRI’s business, including all copies thereof. Vendor acknowledges that all such materials are the property of MRI, and Vendor agrees not to retain any copies of such materials after the termination or expiration of this Agreement. Notwithstanding the foregoing, Vendor may maintain copies of customary business records documenting its performance of this Agreement as contractually obligated as of the date of termination of this Agreement.
12.5 Survival. The effectiveness of the terms of Sections 3 (“Products and Services”), 4 (“Trademark License”), 5 (“Independent Contractor”), 6 (“Relationship between the Parties”), 7 (“Assignment of Ownership of Intellectual Property”), 8 (“Warranties and Indemnification”), 9 (“Limitation of Liability”), 10 (“Confidentiality”), 11 (“Data Security”), 12 (“Term, Termination and Survival”), this Section, and any Exhibits as may apply shall survive the termination or expiration of the Agreement.
13. Miscellaneous
13.1 Publicity and Advertising. Upon receipt of the other party’s written consent, each party may use the other party’s logo, name, trade name, trademarks and icons (collectively, the “Logos”) for certain marketing and promotional purposes. If a party notifies the other party of any incorrect usage of its Logos, the notified party shall promptly correct such usage. All use of a party’s Logos by the other party shall inure to the benefit of the party owning the Logos and such owning party shall be the sole party entitled to register its Logos. Notwithstanding any other provision of this Agreement, Vendor may not issue press releases or endorsements (either through websites, email, or otherwise) which reference MRI or include statements attributable to MRI without the prior written consent of MRI, which consent must include the written approval of only MRI’s Marketing or Legal Department. No press release or endorsement which references MRI or includes a statement by MRI shall be made except as provided above.
13.2 No Assignment. This Agreement may not be assigned or delegated to any other person or entity by Vendor without the express written consent of MRI. Notwithstanding any limitations on the transferability of licenses set forth herein, MRI may assign this Agreement to its parent corporation or any affiliate thereof (provided that the assignee is capable of performing this Agreement) without such consent or to any successor by operation of law, or by reason of the sale or transfer of all or substantially all of its stock or assets to another entity. This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors, permitted assigns, and legal representatives, and such parties shall be fully liable for the performance of any assigning party’s obligations or representations hereunder.
13.3 Notices. Unless otherwise stated, all notices required under this Agreement shall be in writing and shall be considered given (i) when delivered personally; (ii) five (5) calendar days after mailing, when sent certified mail, return receipt requested and postage prepaid; (iii) one (1) Business Day after dispatch, when sent via a commercial overnight carrier, fees prepaid; or (iv) at the time of transmission, when sent by email.
13.4 Law and Jurisdiction. The Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which the applicable MRI entity that is a party to this Agreement is incorporated or otherwise established, without giving effect to its principles of conflict of laws. Any dispute arising out of or in connection with this Agreement shall be litigated in the state or federal courts (or, where applicable, any competent courts) located within such jurisdiction, to whose exclusive jurisdiction the Parties hereby consent.
13.5 Waiver. Any waiver hereunder must be made in writing and signed by the Party to be charged. The failure at any time to require the other Party’s performance of any obligation under this Agreement shall not affect the right subsequently to require performance of such obligation.
13.6 Force Majeure. Except with respect to delays or failures caused by the negligent act or omission of either Party, any delay in or failure of performance by either Party under this Agreement will not be considered a breach of this Agreement and will be excused to the extent caused by any occurrence beyond the reasonable control of such Party including, but not limited to, acts of God, power outages, failures of the Internet, provided that the Party affected by such event shall immediately begin or resume performance as soon as practicable after the event has abated. Excusable delays do not include lockout, shortage of labor, lack of or inability to obtain raw materials, fuel or supplies or any other industrial disturbance. In the event that Vendor is not able to resume performance within ten (10) calendar days after the force majeure event has commenced, MRI shall have the right to terminate this Agreement immediately upon written notice to Vendor.
13.7 Authority. Vendor warrants and represents that Vendor has full power and authority to enter into this Agreement and to make the assignment of rights contained herein.
13.8 Severability. If any provision of this Agreement is found illegal or unenforceable, such provision will be deemed restated, in accordance with applicable law, to reflect as nearly as possible the original intention of the Parties, and the remainder of the Agreement will continue in full force and effect.
13.9 No Third Party Beneficiaries. This Agreement is intended for the sole and exclusive benefit of the Parties and is not intended to benefit any third party. Only the Parties to this Agreement may enforce it.
13.10 Counterparts. This Agreement may be executed in counterparts, each of which shall constitute an original, and all of which shall constitute one agreement.
13.11 Ethical Practices. Vendor understands that MRI maintains policies stating that its employees and their immediate families may not give or accept a gift (including discounts) that might indicate the intent to improperly influence the business relationship between MRI and any supplier, customer, partner, distributor or other third party. Vendor understands that MRI employees should never accept a gift (including any discount) that is given to create a sense of obligation on the employee’s part with the intention of changing their behavior, and that MRI employees may never receive any gift from an MRI competitor. To the extent the policies are described above, Vendor agrees to take no action that would violate these policies. Vendor represents and warrants that it shall at all times comply with the US Foreign Corrupt Practices Act, the UK Bribery Act, and any similar anti-bribery law, rule or regulation that is applicable to MRI or Vendor’s business. Vendor also agrees to certify annually in writing to MRI that it is complying with the foregoing sentence and shall cause its key personnel to attend MRI’s annual anti-bribery training. If Vendor has any questions regarding these policies, it should contact: MRI Software LLC, 28925 Fountain Parkway, Solon, OH 44139.
13.12 Non-Solicitation. During the Term and for a period of one (1) calendar year following its termination, neither Party will employ or solicit for employment directly or through other parties, without the other party’s written permission, any individual employed by the other Party. If a Party breaches this provision, such Party shall pay to the non-breaching Party a sum equal to 150% of the hired employee’s annual salary while such employee was employed by the non-breaching Party, and such payment shall be made within thirty (30) calendar days of hiring such employee.
13.13 Entire Agreement. This Agreement together with the Exhibit(s) attached hereto and any Purchase Order Document issued hereunder, represents the entire agreement of the parties hereto related to the subject matter hereof, and any prior agreements, promises, negotiations, or representations, whether oral or written, not expressly set forth in this Agreement are superseded and of no force and effect. This Agreement may be modified only in a writing signed by an authorized representative of each Party. The Parties hereby agree that this Agreement and any amendments thereto, are not binding unless executed by an authorized representative of each Party.
Exhibit 1
Security Requirements
For Confidential and Corporate Information
E1.1 Definitions. For the purposes of this Exhibit 1, the following additional definitions shall apply. In the case of conflict between the definition in this Exhibit 1 and those set out in the Agreement, the definitions in this Exhibit 1 shall apply and prevail in respect of the interpretation of this Exhibit 1 only.
E1.1.1 “Applicable Law” means (i) any statute, regulation, by-law, ordinance or subordinate legislation in force from time to time to which a Party to this Agreement is subject insofar as the same relates to that Party’s performance under this Agreement; the common law as applicable to the Parties to this Agreement from time to time, including European Union laws or the laws of the European member state to which MRI or Vendor is subject; (ii) any binding court order, judgment or decree given in respect of either party; (iii) any applicable industry code, or standard enforceable by law; and (iv) any applicable direction, rule or order that is binding on a Party hereto and that is made or given by any body having jurisdiction over a Party or any of that party’s assets, resources or business.
E1.1.2 “Confidential Information” means information which (i) is proprietary to, about, or created by a specific person or company; (ii) gives the specified person or company some competitive business advantage or the opportunity of obtaining such advantage, or the disclosure of which could be detrimental to the interests of the specified person or company; (iii) is designated as Confidential Information by the specified person or company, or from all the relevant circumstances should reasonably be assumed by the receiving party to be confidential and proprietary to the specified person or company.
The following subcategories of Confidential Information are also defined:
(a) Secret Information: The highest subcategory of Confidential Information. Secret Information grants, or can be used to grant or otherwise obtain, access to any other type of Confidential Information.
(b) Sensitive Information: The middle subcategory of Confidential Information. Sensitive Information is any information that could be misused in such a way as to jeopardize the financial position of its owner, or of the person or company described by the information.
(c) Restricted Information: The lowest subcategory of Confidential Information. Restricted Information is information that is not Sensitive Information, but whose permissible use has been restricted by its owner or custodian. Unauthorized disclosure of Restricted Information could cause inconvenience to the person or company it describes, but no direct financial or legal harm.
Confidential Information includes, but is not limited to, the following types of information and other information of a similar nature, whether or not reduced to writing or designated as Confidential:
(a) Personal Data: shall mean any information relating to a Data Subject. Vendor shall treat all Personal Data of MRI as Confidential Information and subject to all restrictions outlined in the Agreement regarding the same. Personal Data may contain:
(i) Secret Information: MRI passwords, private encryption keys, and private signature keys.
(ii) Sensitive Information: MRI account numbers, Social Security numbers, taxpayer identification numbers, account balances, account activity, financial information, medical records, legal records, and records of customer services and other data relating to the products and services offered, received, or purchased by customers of MRI or Vendor.
(iii) Restricted Information: names, street or e-mail addresses, telephone numbers.
(b) Confidential Corporate Information: consisting of any of the following:
(i) Secret Information: Computer account IDs, passwords for computer or database systems, private encryption keys, SSL keys, computer source code relating to encryption/decryption, special access privileges, known security vulnerabilities, the results of security audits and reviews, and any information explicitly designated Secret by MRI or by Vendor.
(ii) Sensitive Information: Any of the following:
(A) Work Products: Work product resulting from or related to work or projects performed or to be performed for MRI or Vendor, or for customers of MRI or Vendor (including all media on which such information is contained);
(B) Business Operations: Internal MRI or Vendor personnel and financial information, names and other information about Vendors (including without limitation Vendor characteristics, services and agreements), purchasing and internal cost information, internal services and operational manuals, and the manner and methods of conducting MRI’s or Vendor’s business;
(C) Marketing and Development Operations: Marketing and development information regarding MRI’s or Vendor’s operations (including without limitation marketing and development plans, price and cost data, price and fee amounts, pricing and billing policies, quoting procedures, marketing techniques and methods of obtaining business, forecasts and forecast assumptions and volumes, and future plans and potential strategies of MRI or Vendor which have been or are being discussed);
(D) Other Proprietary Data: Information relating to MRI’s or Vendor’s proprietary business information (including without limitation information pertaining to business transactions and financial performance) or proprietary rights prior to any public disclosure thereof, and information regarding acquiring, protecting, enforcing, and licensing proprietary rights (including without limitation patents, copyrights and trade secrets).
(E) Designated Information: Notwithstanding the above, any information explicitly designated as Sensitive Information by MRI or by Vendor.
(F) Restricted Information: Aggregated or anonymous customer information (any customer information other than Personal Data), contractual information or obligations not designated as Sensitive Information, and any information explicitly designated as Restricted Information by MRI or by Vendor.
E1.1.3 “Controller” means the natural or legal person which determines (individually or jointly or in common with others) the purposes for which and the manner in which any MRI Personal Data is or will be Processed. For the purposes of this Agreement, the MRI shall be deemed the Controller.
E1.1.4 “Data Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
E1.1.5 “DPIAs” means data protection impact assessments.
E1.1.6 “Data Protection Legislation” means any Applicable Law relating to the Processing, privacy, and use of Personal Data including, without limitation: (i) EU Council Directives 95/46/EC and 2002/58/EC; (ii) the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); (iii) the California Consumer Privacy Act, (iv) any corresponding or equivalent national laws or regulations; or (v) approved codes of conduct or approved certification mechanisms issued by any relevant regulatory authority.
E1.1.7 “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person which is provided by the Controller to MRI or Vendor. Data Subjects may include customers of MRI, employees, and staff and contractors of MRI.
E1.1.8 “Disaster Recovery and Business Continuity Plan” means Vendor’s disaster recovery and business continuity plan with contingency measures as are reasonable within its industry.
E1.1.9 “EEA” means the European Economic Area.
E1.1.10 “Information Security Program” means Vendor’s documented information security plan.
E1.1.11 “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and “Process” and “Processed” will be interpreted accordingly.
E1.1.12 “Processing Instructions” means the written instructions for Processing the Controller’s Personal Data, as set out in this Exhibit 1 and in the Agreement and otherwise as provided in writing by or on behalf of Vendor to MRI or an MRI affiliate from time to time.
E1.1.13 “Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
E1.1.14 “Security Manager” means each Party’s primary and an alternate single point of contact for security issues, as set out in the Agreement and/or the applicable Purchase Order Document.
E1.1.15 “Sub-contractor” means any third party engaged by Vendor in provision of the Services or otherwise delivering any part of the Services.
E1.1.16 “Sub-Processor” means any organization Processing Personal Data on behalf of MRI where MRI is not the Controller.
E1.2 Security, Generally. Vendor shall ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to the Personal Data, which are appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures and not less protective as outlined herein. During the Term, Vendor shall maintain an Information Security Program and shall provide it to MRI on request. Vendor agrees to comply with all of its own requirements, as updated following any recommendations from MRI, contained in such Information Security Program. Vendor’s Information Security Program shall include, at a minimum, appropriate controls and measures in relation to: (i) physical security at all Vendor locations involved in the provision of the Services; (ii) technical security with respect to the Personal Data in Vendor’s possession; (iii) organizational security arrangements regarding the employees and other representatives of Vendor, its affiliates, and its subcontractors, including training and awareness, staff vetting procedures and other security measures (e.g. use of passwords and security credentials); (iv) highest or most appropriate industry standard levels of encryption of Personal Data in proportion to the nature of the Personal Data but not less than as described herein; (v) Disaster Recovery and Business Continuity Plan; (vi) vulnerability testing and security audits; and (vii) data breach procedures. Additionally, Vendor’s Information Security Program shall comply with all Data Protection Legislation. Vendor may update its Information Security Program from time to time in its sole discretion. 
Upon the occurrence of a disaster, Vendor must evaluate the cause of the disaster as soon as possible, attempt to remediate the cause, and, if the outage will be sustained or cannot be remediated promptly, take appropriate actions to minimize the impact of the disaster to MRI, such as implementing its Disaster Recovery and Business Continuity Plan. MRI shall not be charged an additional fee for any disaster recovery or business continuity services, including backups and database restorations, performed by Vendor due to a disaster at Vendor hosting location or otherwise caused by Vendor. Vendor shall evaluate the effectiveness of its Information Security Program on a commercially reasonable periodic basis, but no less frequently than annually and (if it, acting reasonably, considers it necessary to do so) update the same. MRI may, from time to time, advise Vendor of recent security threats that have come to its attention. The Parties shall discuss and mutually agree upon whether Vendor shall be required to implement such security modifications to its software, policies, or procedures. Vendor must implement all agreed modifications within a mutually agreeable time to ensure that the privacy and integrity of any Confidential Information is preserved.
E1.3 Controlling Access to Confidential Information
E1.3.1 Confidential Information stored on Vendor’s systems must be stored behind firewalls with access to such data limited.
E1.3.2 Secret Information must never be stored in clear text on Vendor’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Vendor’s systems from retrieval by unauthorized persons. Vendor should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
E1.3.3 Passwords used to control Vendor’s staff, subcontractors, or other agents’ access to Confidential Information must at a minimum conform to the requirements in E1.14.4. Passwords used by MRI are not required to conform to these policies; however, Vendor must ensure that MRI does not have access to Confidential Information other than that which pertains to them.
E1.4 Transmitting Confidential Information
E1.4.1 Unless restricted by law, Vendor must not electronically transmit Secret Information or Sensitive Information over publicly accessible networks without using 128-bit SSL or another mechanism that affords similar or greater security and confidentiality. If legal restrictions limit the use of 128-bit SSL encryption technology, Vendor must use the strongest encryption technology permitted.
E1.4.2 Confidential Information must never be passed in a URL (e.g., using a Get method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files.
E1.4.3 If Vendor is Processing Personal Data of Data Subjects of the EU or UK, then Vendor shall Process Personal Data only within the EEA or in a jurisdiction in respect of which the European Commission has issued a finding of the adequacy of the protection of Personal Data and the rights and freedoms of individuals. Any Personal Data stored on Vendor’s system must be stored behind a firewall.
E1.5 Maintaining a Secure Environment
E1.5.1 Vendor must promptly install any security-related fixes identified by its hardware or software vendors, if the security threat being addressed by the fix is one that threatens the privacy or integrity of any Confidential Information covered by this Agreement. Such upgrades must be made as soon as they can safely be installed and integrated into Vendor’s existing architecture and systems.
E1.5.2 MRI may, from time to time, advise Vendor of recent security threats that have come to its attention, and require Vendor to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Vendor must implement these modifications within a mutually agreeable time or must obtain written permission from MRI to take some other course of action to ensure that the privacy and integrity of any Confidential Information is preserved.
E1.5.3 Vendor must immediately notify MRI if it knows or suspects that Confidential Information has been compromised or disclosed to unauthorized persons, or if there has been any meaningful or substantial deviation from the requirements contained in the Agreement. Vendor agrees that MRI shall have the right to control and direct any response and/or correction of any such compromise or disclosure.
E1.5.4 Notwithstanding the minimum standards set forth in this Exhibit 1, Vendor should monitor and periodically incorporate reasonable industry-standard security safeguards.
E1.6 Electronic Mail
E1.6.1 Vendor shall not send any Secret Information or Sensitive Information in an email over publicly accessible networks unless the email is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by MRI and Vendor.
E1.7 Reviews, Audits, and Remedies
E1.7.1 Vendor agrees that MRI shall have a right to verify Vendor’s compliance with this Exhibit 1. Upon fourteen (14) days’ prior written notice to Vendor, MRI (or its agent) may enter Vendor’s premises and inspect such of Vendor’s books, records, facilities and computer systems as MRI and Vendor shall mutually agree is necessary to ensure that Vendor complies with the terms, covenants, and conditions of this Exhibit 1. MRI or its agent shall comply with Vendor’s standard policies and procedures that apply to third party companies that have access to Vendor’s premises, and MRI or its agent shall access Vendor’s premises during normal Business Hours. Notwithstanding the foregoing, if MRI in good faith believes that a threat to security exists that could affect Confidential Information, Vendor must provide MRI or its agent access to its premises immediately upon request by MRI.
E1.7.2 MRI may inspect or employ third parties to conduct studies of Vendor’s operational processes, systems, vulnerability scan results and computer network security to determine Vendor’s compliance with this Exhibit 1. MRI agrees to coordinate the scheduling of any such study with Vendor to minimize disruption to Vendor’s business. Vendor agrees to cooperate with MRI to commence such a study within thirty (30) days from Vendor’s receipt of written notice of MRI’s intent to conduct, or to employ a third party to conduct, such a study. At Vendor’s request, MRI will require any third party it employs to conduct such a study to sign a nondisclosure agreement pursuant to which it agrees not to disclose any Confidential Information. MRI will make the results of any such study available to Vendor and, depending on the seriousness of any problems found, may require Vendor to remedy any and all such deficiencies in a timely fashion. Costs of such audits shall be borne by MRI, unless Vendor is deemed, as a result of such an audit, to be in material nonconformity with the Agreement.
E1.7.3 Notwithstanding any time-to-cure provision in this Agreement to the contrary, it shall be completely within MRI’s discretion to require correction of any demonstrated security-related problem within a shorter period of time. MRI shall provide written notice of the problem to Vendor, and Vendor must immediately take appropriate steps to correct the problem. If Vendor fails to correct any demonstrated security problem within a commercially reasonable time, factoring in the work that must be completed to address the problem, and resulting in the material disclosure or threatened disclosure of MRI’s Confidential Information, MRI may instruct Vendor to take such interim measures as are necessary to protect MRI’s Confidential Information. If Vendor fails or refuses to take those interim and/or permanent measures which are necessary to prevent the material disclosure of MRI’s Confidential Information within a commercially reasonable time, MRI may terminate any and all affected agreements between MRI and Vendor for cause.
E1.8 Compliance with Laws and Regulations. Vendor shall comply with all Applicable Laws, including the Data Protection Legislation. Vendor shall attend (remotely) at least once per calendar year, MRI’s training with respect to the Foreign Corrupt Practices Act and the U.K. Bribery Act. If Vendor transmits data in or out of the European Union, Vendor represents and warrants it shall fully comply with all provisions of all applicable Data Protection Legislation.
E1.9 Changes to Requirements. MRI may, in its sole discretion, amend the requirements set out in this Exhibit 1 from time to time, as required by law or otherwise.
E1.10 Contact Information. The Relationship Manager for each Party shall designate a Security Manager, whose details shall be set out in the Agreement and/or the applicable Purchase Order Document. Both parties agree that either the primary or the alternate Security Manager will be available at all times (“24/7/365”). Any updates to the same shall be given promptly in writing to the other Party.
E1.11 Disaster Recovery and Business Continuity Plan
E1.11.1 To protect the accuracy and integrity of Personal Data, all such Personal Data must be backed up regularly (no less often than weekly), and the backups stored in secure, environmentally controlled, limited-access facilities. Vendor shall implement and maintain a Disaster Recovery and Business Continuity Plan. Upon the occurrence of a disaster, Vendor must promptly evaluate the cause of the disaster, attempt to remediate the cause and, if the outage will be sustained or cannot be remediated promptly, then it will promptly implement the Disaster Recovery and Business Continuity Plan. MRI shall not be charged an additional fee for any disaster recovery or business continuity services, including backups and database restorations, performed by Vendor due to a disaster (whether at the Vendor hosting location or otherwise).
E1.11.2 Vendor shall evaluate the effectiveness of its Disaster Recovery and Business Continuity Plan on a commercially reasonable periodic basis, but not less frequently than annually. Vendor may modify the Disaster Recovery and Business Continuity Plan from time to time, in its sole discretion, provided that such modifications do not materially or negatively modify the services provided in the Disaster Recovery and Business Continuity Plan as of the execution of this Agreement. Vendor must promptly provide the then-current Disaster Recovery and Business Continuity Plan to the MRI upon request.
E1.12 Vulnerability Testing and Security Audit. Vendor shall conduct regular penetration and vulnerability testing of its information technology infrastructure and networks, run on the internal and external network, at a commercially reasonable frequency not less frequently than monthly as well as after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Upon MRI’s request, Vendor shall provide a letter of attestation to MRI that the testing occurred. Vendor may modify the scope of such penetration and vulnerability testing provided however, that the scope shall not materially and negatively change from the execution of this Agreement. During the Term, Vendor shall comply with industry standard practices for audit and security procedures.
E1.13 Data Breach
E1.13.1 Vendor will make best endeavors, which are at least the highest industry standard, to protect the security of such Personal Data transferred by MRI. In the event that Vendor becomes aware or reasonably suspects that a Data Breach involving Personal Data has occurred or is likely to occur, Vendor will use best endeavors to within one (1) Business Day, but not more than two (2) Business Days: (i) investigate the cause of the Data Breach; (ii) notify MRI of the Data Breach and provide sufficient information to allow MRI to report the Data Breach, or at MRI’s request, notify the Data Subject; (iii) contain and remedy (or provide a plan to remedy) any Data Breach; (iv) take reasonable steps to mitigate the effects of and to minimize any damage resulting from the Data Breach; (v) assist MRI in remediating or mitigating any potential damage from a Data Breach to the extent that such remediation or mitigation is within MRI’s control; (vi) take reasonable steps to restore the security and integrity of any systems related to this Agreement.
E1.13.2 Provided that it would not violate Applicable Laws, Vendor shall immediately inform MRI if it receives a complaint or request from a Data Subject relating to either Party’s obligations under Applicable Law relevant to this Agreement, including any claim from a Data Subject or any notice, investigation or other action from a regulatory authority and provide MRI with details of such complaint or request.
E1.13.3 Vendor shall reasonably cooperate with any remediation efforts undertaken by MRI to correct, delete, modify, or hold Personal Data of the Data Subjects.
E1.14 Data Processing
E1.14.1 As Processor or Sub-Processor, Vendor shall only act upon and Process Personal Data for the purposes of performing its obligations under the Agreement, subject to any instructions provided by MRI. Personal Data will be used by Vendor in accordance with and for the purposes set out in those instructions and only where reasonably necessary to perform obligations under this Agreement.
E1.14.2 Additionally, Vendor shall be permitted to Process Personal Data, without regard to instructions provided by MRI, if required to do so by Applicable Law; in such case, Vendor shall promptly notify MRI of that legal requirement before Processing, unless that Applicable Law prohibits such notification. If Vendor is ever unsure as to the parameters or lawfulness of instructions provided by MRI, then Vendor will, as soon as reasonably practicable, revert to MRI.
E1.14.3 Vendor shall comply with its obligations as a Processor or Sub-processor, as appropriate under the applicable Data Protection Legislation in relation to the Processing of Personal Data by it under this Agreement.
E1.14.4 Where Vendor is authorized to access the Personal Data under this Agreement, such access may only be granted if Vendor has met each of the following: (i) the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by Vendor to its core system administration team; (ii) the staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to MRI and Vendor (i.e., 8 characters minimum length, required use of special and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks; (iii) in all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function; (iv) the ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions; (v) the date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file; and (vi) procedures must be in place to modify or revoke access permissions to the Personal Data when staff members leave Vendor or when their job responsibilities change and access is no longer required.
E1.14.5 Printed material that contains Personal Data must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of sensitive Personal Data (as defined under Applicable Law). Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly accessible trash bins with subsequent off-site shredding by a licensed contractor should be implemented.
E1.14.6 Vendor shall reasonably cooperate and provide information to the MRI in order to assist MRI in completion of its DPIAs and shall reasonably provide consultations with (or notifications to) relevant regulators which are necessary pursuant to Data Protection Legislation in relation to the Personal Data and the Agreement.
E1.14.7 Vendor shall use best endeavors to within one (1) Business Day but not more than two (2) Business Days, forward to MRI any requests from Data Subjects in respect of Personal Data pursuant to Data Protection Legislation (including the ability to correct, delete, block or port Personal Data and rights of access) and, unless prohibited by Applicable Law, reasonably cooperate with MRI in complying with any such Data Subject’s exercise of his/her rights in relation to such Personal Data as is Processed by Vendor.
E1.14.8 Vendor shall maintain such records and information as are necessary to demonstrate its compliance with Data Protection Legislation in relation to the Processing of Personal Data on behalf of MRI under this Agreement, containing as a minimum the information required under Data Protection Legislation, which shall be made available to MRI upon request. Vendor shall cooperate with MRI to ensure compliance with its obligations under the Data Protection Legislation in respect of Personal Data taking into account the nature of Processing.
E1.15 Duration of Processing. Processing of the Personal Data by Vendor shall be for the shorter of: (i) MRI remaining customer, as it relates to the Personal Data of the MRI; or (ii) the Term, subject to restrictions outlined by Applicable Law. Unless required by Applicable Law to retain such Personal Data, Vendor shall promptly, but at least in the timeframe requested by MRI, delete all Personal Data that it is Processing or has Processed, including without limitation from all backup systems.
E1.16 Scope of Personal Data. Vendor may Process the following types/categories of Personal Data for the following categories of Data Subject:
Type of Data:
Personal Data;
Contact Details;
Financial or Payment Details;
Files, Images, or Videos;
Employment Information;
Contractor Insurance Information;
Contractor CIS Information;
VAT Information.
Data Subjects Impacted:
Customers, tenants, and clients of MRI;
Customer employees and staff;
Customer Vendors or other professional experts;
Customer contractors, agents, and suppliers;
Children as customers or tenants;
Investors;
Lenders and borrowers.
E1.12 Personnel. Vendor shall ensure that its personnel will not Process Personal Data: (i) except in accordance with the provisions of this Exhibit 1; and (ii) procure that personnel are contractually obligated to maintain the security and confidentiality of any Personal Data. Vendor shall take all steps necessary to ensure that the personnel Processing Personal Data receive adequate training on compliance with this Agreement and the Data Protection Legislation applicable to the Processing.
E1.12 Sub-Contractors. Vendor shall not permit Sub-Contractors to Process MRI Personal Data without the prior written authorization of MRI.