
CYBER FRONT, RISKRECON AND CYBER CRISIS EXERCISE AGREEMENT 

 

1. For Existing RiskRecon Customers

a. Scope: This Cyber Front, RiskRecon and Cyber Crisis Exercise Agreement and the applicable terms and conditions (together the “Agreement”) sets forth the terms applicable to Customer’s three (3) month proof of concept (“Proof of Concept Term”), including (i) Customer’s limited internal evaluation access to; (x) identify high-level RACI / governance level for proper/max usage of RiskRecon by the Customer; (y) touch points and final readout and (ii) access to the RiskRecon and Cyber Front platforms (each platform individually, the “Platform”, and collectively, the “Platforms”) and (iii) Cyber Crisis Exercise virtual event, together with the advisory support provided by Mastercard in support of Customer’s evaluation of (i)-(iii) (the “Services”). The Platforms and Services are intended to enable Customer to assess functionality, outputs and suitability for Customer’s business purposes during the Proof-of-Concept Term, subject at all times to the applicable platform terms incorporated by reference and the additional terms contained in the relevant exhibits and annexes, which provide the detailed Platforms and Service descriptions.

b. Licensing, Delivery, and Subscription Value: For a Value of Thirty Thousand Dollars (USD$30,000), Customer will receive:

  • RiskRecon - Privacy module for Customer’s current RiskRecon Advisor™ and RiskRecon Own Enterprise™ licenses;
  • Cyber Front – Cyber Front Lite Introduction (2-month access – at the beginning of the Proof of Concept Term);
  • Cyber Crisis Exercise – live, virtual, one-time event held during the third month of the Proof of Concept Term; and,
  • The Services required for the support of Customer’s evaluation of the Platforms.
     

2. For Non-RiskRecon Customers

a. Scope: This Agreement sets forth the terms applicable to Customer’s Proof of Concept Term, including (i) Customer’s limited internal evaluation access to and use of the Platforms and (ii) Cyber Crisis Exercise virtual event, together with the Advisory Support provided by Mastercard in support of Customer’s evaluation of (i)-(ii). The Platforms and Services are intended to enable Customer to assess functionality, outputs and suitability for Customer’s business purposes during the Proof-of-Concept Term, subject at all times to the applicable platform terms incorporated by reference and the additional terms contained in the relevant exhibits and annexes, which provide the detailed Platforms and Services descriptions.

b. Licensing, Delivery, and Subscription Value: For a Value of Ninety-four thousand Dollars (USD$94,000), Customer will receive:

  • RiskRecon - Cyber module – 20 RiskRecon Advisor™ Continuous, 50 RiskRecon Discover, 1 RiskRecon Own Enterprise™ for the entire Proof of Concept Term;
  • Cyber Front – Cyber Front Lite Introduction (2-month access – at the beginning of the Proof of Concept Term);
  • Cyber Crisis Exercise – live, virtual, one-time event held during the third month of the Proof of Concept Term; and,
  • The Services required for the support of Customer’s evaluation of the Platforms.  

 

3. Terms and Conditions

For the purposes of this Agreement, the following terms and conditions (the “Terms”) are those under which the Platforms and the Services will be made available and under which Customers will access and use the Platforms and the Services. Customer and Mastercard agree that upon the Customer’s entering each of the applicable Platforms, Customer is bound by such Terms, as each may be amended and/or supplemented from time to time, and the licenses will become valid and effective for the Proof of Concept Term; furthermore, the Customer understands that the use of the Platforms is inextricably linked to the use of the inclusive Services, and the applicable terms and conditions govern both the Platforms and Services. The applicable Terms for each of the Platforms and Services are as follows:

  • Cyber Front - In the case of the licence to access the Cyber Front platform, the Cyber Front Terms (“CF Terms”) are comprised of the Cyber Front Additional Terms attached as Exhibit A.2, and the online terms that can be found at: https://www.picussecurity.com/hubfs/PicusPlatform_LegalDocuments/EULA.pdf
  • RiskRecon Platform - In the case of the licence to access the RiskRecon platform, the RiskRecon End User License Agreement (“RiskRecon EULA”) which can be found at: https://www.riskrecon.com/terms-of-use-2025
  • Cyber Crisis Exercise - In the case of Cyber Crisis Exercise, the Cyber Crisis Exercise Terms (“CC Terms”) contained in Cyber Crisis Additional Terms attached as Exhibit C.1.
  • Services – In the case of the Services, the Mastercard Services Terms and Conditions attached as Exhibit B.1.

For purposes of ensuring greater clarity in the delivery of the Services and the use of the Platforms, the platform and service descriptions of RiskRecon and Cyber Front are provided in Annexes A.1 and D respectively. Additionally, all Platforms are further subject to the provisions set forth in the Additional Platform Terms section below.

 

Additional Platform Terms (the “Additional Platform Terms”)

  • Platforms Access. Subject to the terms of this Agreement, Mastercard grants Customer a limited, non-sublicensable, non-exclusive, non-transferable right to permit its authorized users to access the Platforms solely for the purposes and term set forth in these Additional Platform Terms. Customer’s use of the Platforms is subject to the restrictions and limitations set forth in this Agreement, including, without limitation, limitations on data, users, and territory. Mastercard will host and control the Platforms, and Customer will receive access credentials. No rights in or to the Platforms are granted beyond those expressly stated in these Additional Platform Terms. Deliverables to be provided under the Additional Platform Terms are limited to tangible reports and outputs specific to Customer.
  • Usage. Customer shall use the Platforms solely for its internal evaluation purposes in connection with assessing whether Customer desires to enter into an agreement with Mastercard for access to and use of the Platforms and only by authorized users. Customer shall not:
    • Use the Platforms or outputs for third parties or as a service bureau;
    • Sublicense, distribute, or otherwise make the Platforms available to third parties without Mastercard’s prior written consent;
    • Use the Platforms to develop competing products or services;
    • Reverse engineer, decompile, or create derivative works from the Platforms.
  • Users. Authorized users must be employees, agents, or contractors bound by confidentiality obligations contained in the applicable Terms. Customer is responsible for managing user access and maintaining the confidentiality of credentials. Mastercard may suspend access for any violation of this Agreement. Customer is responsible and liable for all uses of the Platforms and documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the foregoing, Customer is responsible for all acts and omissions of authorized users, and any act or omission by any authorized user that would constitute a breach of this Agreement if done by Customer will be deemed a breach of this Agreement by Customer. Customer shall take reasonable efforts to make all authorized users aware of this Agreement's provisions as applicable to such authorized user's use of the Platforms and shall cause all authorized users to comply with such provisions.
  • Customer Data. Customer is solely responsible for providing any required data for use in the Platforms. Timely access to the Platforms is contingent upon Customer’s data provision.
  • Support. Mastercard will maintain and update the Platforms as part of its standard support services, including security patches and performance monitoring.
  • Customer Responsibility. Customer is responsible for its own infrastructure and connectivity. Customer must implement security measures to prevent unauthorized access and notify Mastercard of any breaches.
  • Ownership. Mastercard retains all rights, title, and interest in the Platforms, including all related intellectual property. Customer’s rights are limited to those expressly granted in these Additional Platform Terms.
  • Modifications. Any requested modifications or customizations are subject to Mastercard’s discretion and must be documented in a separate, mutually executed agreement. All resulting work remains Mastercard’s property.
  • Feedback. Mastercard may use any feedback provided by Customer without restriction, provided Customer is not identified as the source.
  • Claims. If the Platforms become subject to an infringement claim, Mastercard may procure rights, modify, or terminate access to the applicable Platforms. The remedies in this paragraph are Customer’s exclusive remedy for such claims.
  • Territory. The territory will be United States of America (the “Territory”). The Agreement shall be limited to the Territory which shall exclude any country and/or territory where the provisioning of services to any individual, entity, or country that is subject to sanctions, embargoes, or other trade restrictions imposed by the United Nations, the United States (including the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)), the European Union, the United Kingdom, or any other applicable jurisdiction.
  • Governing Law and Jurisdiction. This Agreement shall be governed solely by the governing law listed in the table below without regard to such jurisdiction’s principles of conflicts of law that would result in the application of the laws of another jurisdiction. The application of the United Nations Convention of Contracts for the International Sale of Goods or other international laws is expressly excluded. Each party consents to the personal and exclusive jurisdiction of the courts located in the table below in connection with all proceedings related to the Services and/or this Agreement. The term “Mastercard” as used in this Agreement shall mean the following Mastercard Contracting Party listed in the table below.

| Mastercard Contracting Party | Governing Law | Jurisdiction |
|---|---|---|
| RiskRecon Inc | State of New York, US | Westchester County, New York, US |

  • Conflict of Terms. In the event of any inconsistency or conflict between this Agreement and any of the terms and conditions set forth, referenced, and/or incorporated in the Terms (including definitions), the provisions of these Terms shall govern and control.
  • LIMITATION OF LIABILITY. NOTWITHSTANDING ANY OTHER PROVISION TO THE CONTRARY SET FORTH IN THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY AND/OR ITS AFFILIATES BE LIABLE UNDER ANY LEGAL THEORY, INCLUDING, WITHOUT LIMITATION, TORT, CONTRACT, STRICT LIABILITY OR OTHERWISE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES INCURRED BY THE OTHER PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, DATA, GOODWILL, INVESTMENTS OR SALES OR BUSINESS INTERRUPTION) RELATING TO THIS AGREEMENT, WHETHER OR NOT FORESEEABLE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITY.  THE MAXIMUM AGGREGATE LIABILITY OF EACH PARTY AND/OR ITS AFFILIATES TO THE OTHER PARTY OR ANY THIRD PARTY ARISING OUT OF OR RELATING TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THE SERVICES, AND/OR THE PLATFORMS, SHALL BE LIMITED TO $250,000, WHETHER BASED IN CONTRACT, TORT OR OTHERWISE.  THE LIMITATIONS OF THIS PARAGRAPH SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY STATED HEREIN.
  • DISCLAIMER. MASTERCARD AND ITS AFFILIATES PROVIDE CERTAIN SERVICES, ALONG WITH ANY RELATED REPORTS, DELIVERABLES, DOCUMENTATION, OR MATERIALS, ON AN “AS IS” AND “AS AVAILABLE” BASIS. THESE SERVICES MAY INCORPORATE ARTIFICIAL INTELLIGENCE (“AI”) TECHNOLOGIES, INCLUDING GENERATIVE AI, AND NON-GENERATIVE AI SUCH AS PREDICTIVE TASKS, INFORMATION RETRIEVAL AND CLASSIFICATION, NON-GENERATIVE NLP CLASSIFICATIONS, AND MAY UTILIZE MASTERCARD AND THIRD-PARTY LICENSED CYBERSECURITY AND ANALYTICS PLATFORMS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MASTERCARD AND ITS AFFILIATES DISCLAIM ALL REPRESENTATIONS, WARRANTIES, TERMS, AND CONDITIONS—WHETHER EXPRESS OR IMPLIED—INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE, OR TRADE. MASTERCARD AND ITS AFFILIATES DO NOT WARRANT THAT THE FUNCTIONS, OUTPUTS, OR INFORMATION CONTAINED IN THE HOSTED SERVICES OR RISKRECON ASSESSMENTS, OR ANY UPDATES, WILL MEET THE REQUIREMENTS OF THE CUSTOMER, NOR THAT THE OPERATION OF SUCH SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM LIMITATIONS. MASTERCARD SHALL NOT BE HELD LIABLE FOR ANY FAILURES, INACCURACIES, OR DISRUPTIONS ARISING FROM THIRD-PARTY PLATFORMS OR SERVICES, INCLUDING BUT NOT LIMITED TO THOSE PROVIDED BY WHISTIC OR OTHER LICENSED PROVIDERS. ANY CONTENT GENERATED BY THESE PLATFORMS, INCLUDING AI-GENERATED OUTPUTS, IS NOT VERIFIED FOR ACCURACY, COMPLETENESS, OR RELIABILITY. THE INFORMATION PROVIDED MAY CONTAIN TECHNICAL OR TYPOGRAPHICAL ERRORS, AND MASTERCARD DOES NOT GUARANTEE ITS ACCURACY OR COMPLETENESS. ALL INFORMATION AND MATERIALS ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY. THE CUSTOMER ACKNOWLEDGES AND AGREES THAT ANY USE OF SUCH INFORMATION IS AT THEIR OWN RISK. MASTERCARD DISCLAIMS ALL LIABILITY FOR DECISIONS MADE OR ACTIONS TAKEN BASED ON THE CONTENTS OF ANY REPORTS, ASSESSMENTS, OR DELIVERABLES.
FOR SERVICES SUCH AS CYBER FRONT THAT OFFER SIMULATION AND SCENARIO MODELING, ALL OUTPUTS—INCLUDING ESTIMATES OF FINANCIAL IMPACT OR BREACH LIKELIHOOD—ARE ILLUSTRATIVE IN NATURE AND DO NOT CONSTITUTE PREDICTIVE GUARANTEES. CUSTOMERS ARE SOLELY RESPONSIBLE FOR VALIDATING THESE OUTPUTS BEFORE MAKING ANY OPERATIONAL, STRATEGIC, OR COMPLIANCE DECISIONS. ALL INTELLECTUAL PROPERTY RIGHTS PERTAINING TO THE INFORMATION USED TO GENERATE THE REPORTS AND DELIVERABLES—INCLUDING ANY DATA OR CONTENT UPLOADED TO THE PLATFORMS—ARE THE PROPERTY OF MASTERCARD, SUBJECT TO THE TERMS OF THE APPLICABLE PLATFORM LICENSE. REDISTRIBUTION, EXTERNAL SHARING, OR COMMERCIAL USE OF THE REPORTS AND/OR DELIVERABLES IS PROHIBITED WITHOUT PRIOR WRITTEN CONSENT FROM MASTERCARD AND, WHERE APPLICABLE, THE PLATFORM PROVIDER. USE OF THESE SERVICES BY THE CUSTOMER OR ANY THIRD PARTY IS AT THEIR OWN RISK. THE CUSTOMER ASSUMES FULL RESPONSIBILITY FOR THE INTERPRETATION, USE, AND DISTRIBUTION OF ALL CONTENT, INCLUDING DERIVATIVE WORKS.

Exhibit A.1

Cyber Front Platform Description

Cyber Front Security Control Validation Platform is designed to continuously assess the effectiveness of an organization’s cybersecurity defenses through automated breach and attack simulation. At its core, the platform features a Security Control Validation engine that simulates real-world cyber threats across network, endpoint, and email layers to evaluate both prevention and detection capabilities. These simulations are powered by a comprehensive and frequently updated threat library, which includes thousands of attack scenarios such as malware, ransomware, APTs, and vulnerability exploits. Users can also create custom attack chains using the Threat Builder tool (depending on the license level), enabling tailored assessments that reflect specific organizational risks.

In the Cyber Front Security Control Validation (SCV) Platform, simulation agents and attacker agents are two complementary components that work together to emulate real-world cyber threats and validate the effectiveness of security controls across an organization’s infrastructure.

 

Attacker Agents

Attacker agents are responsible for emulating the behavior of threat actors. They simulate a wide range of adversarial tactics, techniques, and procedures (TTPs) based on real-world threat intelligence, including malware execution, lateral movement, privilege escalation, and data exfiltration. These agents are deployed in various parts of the network or on endpoints to initiate and execute attack scenarios. They are designed to be non-destructive, meaning they mimic malicious behavior without causing harm or disruption to systems. Their primary role is to generate realistic attack traffic and behavior that can be observed and analyzed by security controls.

 

Simulation Agents

Simulation agents, on the other hand, act as the receiving or observing endpoints in the simulation process. They are deployed across the environment to monitor, validate, and report on how security controls respond to the simulated attacks initiated by attacker agents. These agents collect telemetry data, such as whether a firewall blocked a connection, an endpoint detected a payload, or a SIEM generated an alert. They also help in measuring the effectiveness of both prevention and detection mechanisms by capturing the outcome of each simulated attack step. 

A typical Simulation begins with attacker agents launching a series of simulated attacks based on predefined or custom scenarios. These attacks traverse the network, endpoint, or cloud layers, attempting to mimic the behavior of real adversaries. As the attacks unfold, simulation agents positioned throughout the environment observe the interactions and record how security controls respond—whether they block, detect, or miss the activity. 

All simulation results are mapped to the MITRE ATT&CK framework, providing standardized visibility into threat coverage and enabling organizations to benchmark their security posture against industry peers. Reporting capabilities include executive dashboards for high-level summaries and detailed technical reports that track performance trends over time. Cyber Front empowers organizations to proactively validate and optimize their security controls, ensuring continuous readiness against evolving cyber threats. 

The Mitigation Planner capability within the Cyber Front Security Control Validation (SCV) Platform is designed to bridge the gap between threat detection and actionable remediation. It operates as an intelligent, vendor-aware recommendation engine that not only identifies gaps in security controls but also provides precise, technology-specific guidance to remediate those gaps efficiently. 

The Detection Analytics capability in the Cyber Front Platform is a specialized module designed to evaluate and enhance the performance of an organization’s detection technologies, such as SIEMs (Security Information and Event Management) and EDRs (Endpoint Detection and Response). It plays a critical role in ensuring that these tools are not only deployed but are also effectively configured to detect and respond to real-world threats. 

At its core, Detection Analytics works by correlating the results of simulated attacks—executed by attacker agents—with the logs and alerts generated by detection systems. It identifies which attack techniques were successfully detected, which were missed, and whether the alerts were timely and actionable. This process helps uncover visibility blind spots and detection gaps that could allow adversaries to operate undetected within the environment. 

The Customer’s license to use the Platform is available in three variations from which the Customer may select: Cyber Front Lite, Essentials, and Advanced. Each variation is designed to meet Customer’s size and specific needs. The level of cybersecurity risk detail provided depends on the variant of Platform license selected by Customer. The standard scope of Services for each variation is described below:

Cyber Front Lite 

As part of the Cyber Front Lite product package, one attack module from the following list of modules can be chosen:

  1. Network Infiltration: Simulates network-based attacks, previously known as Web Browser attacks.  
  2. Endpoint: Focuses on attacks targeting Windows, Linux, and macOS systems, including light lateral movement capabilities.  
  3. Web Application: Simulates attacks on web applications to identify vulnerabilities.  
  4. E-mail: Tests email security by simulating phishing and other email-based threats.  
  5. Data Exfiltration: Evaluates the risk of unauthorized data extraction and leakage.  
  6. URL Filtering: Assesses URL filtering capabilities to block malicious web traffic.  

One Simulation Agent and one Attacker Agent are included in the package, supporting one of three endpoint platforms (Windows, Linux, and macOS).

Prevention mitigation for Network Infiltration module for a single vendor is included in the package, and benchmarking capabilities are also included.

Cyber Front Essentials

As part of the Cyber Front Essentials product package, up to three attack modules from the following list of modules can be chosen:

  1. Network Infiltration: Simulates network-based attacks, previously known as Web Browser attacks.  
  2. Endpoint: Focuses on attacks targeting Windows, Linux, and macOS systems, including light lateral movement capabilities.  
  3. Web Application: Simulates attacks on web applications to identify vulnerabilities.  
  4. E-mail: Tests email security by simulating phishing and other email-based threats.  
  5. Data Exfiltration: Evaluates the risk of unauthorized data extraction and leakage.  
  6. URL Filtering: Assesses URL filtering capabilities to block malicious web traffic.  

In addition, one of the following detection analytics modules can be chosen: 

  1. DA for EDR (Endpoint Detection and Response): Provides detection analytics for EDR, tailored to specific vendors.  
  2. DA for SIEM (Security Information and Event Management): Offers detection analytics for SIEM platforms, also vendor-specific.

Five Simulation Agents and one Attacker Agent are included in the package, supporting all three endpoint platforms (Windows, Linux, and macOS).

Prevention mitigation is available for all supported vendors as part of Cyber Front, and benchmarking capabilities are also included.

Cyber Front Advanced

As part of the Cyber Front Advanced product package, all of the attack modules from the following list of modules can be chosen:

  1. Network Infiltration: Simulates network-based attacks, previously known as Web Browser attacks.
  2. Endpoint: Focuses on attacks targeting Windows, Linux, and macOS systems, including light lateral movement capabilities.
  3. Web Application: Simulates attacks on web applications to identify vulnerabilities.
  4. E-mail: Tests email security by simulating phishing and other email-based threats.
  5. Data Exfiltration: Evaluates the risk of unauthorized data extraction and leakage.
  6. URL Filtering: Assesses URL filtering capabilities to block malicious web traffic.

In addition, all of the following detection analytics modules are included:

  1. DA for EDR (Endpoint Detection and Response): Provides detection analytics for EDR, tailored to specific vendors.
  2. DA for SIEM (Security Information and Event Management): Offers detection analytics for SIEM platforms, also vendor-specific.

Five Simulation Agents and one Attacker Agent are included in the package, supporting all three endpoint platforms (Windows, Linux, and macOS).

Prevention mitigation is available for all supported vendors as part of Cyber Front, including Mitigation Planner, and benchmarking capabilities are also included.

Exhibit A.2

Cyber Front Additional Terms

Customer hereby agrees to the following terms and conditions:

1. Subscription

1.1. Customer agrees that it will use the Cyber Front services: (i) solely as contemplated by and in accordance with the CF Terms and any documentation provided by Mastercard, (ii) in the Territory and only for Customer’s legitimate internal business purpose.

1.2. In order to provide the Cyber Front Risk services, Mastercard may rely on third-party platforms or service providers. When accessing or using the services, Customer may be required to interact directly with such third-party platforms. Customer acknowledges and agrees that the use of these platforms might be subject to additional terms and conditions (including additional privacy notices) of the respective third parties. By accessing or using the services provided through these platforms, Customer acknowledges and agrees to comply with the applicable third-party terms.

1.3. Except to the extent such restriction is expressly prohibited by applicable law, and other than as expressly set forth in the Agreement, Customer and its users shall not, and will not assist or permit any third party to: (a) disassemble, reverse engineer, decompile or otherwise attempt to derive source code of the Cyber Front services or any component thereof, (b) copy, reproduce, modify, alter or otherwise create any derivative works of, the Cyber Front services, any deliverables and/or reports, (c) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Cyber Front services, any deliverable and/or any reports available to any third party, other than as otherwise contemplated by this Agreement, (d) use the Cyber Front services, any deliverables and/or reports to violate, misappropriate, or infringe the rights of any third party, (e) interfere with, disrupt or circumvent the integrity or performance of, or any feature of the Cyber Front services, any deliverables and/or reports or the data contained therein, including any security or access control mechanism, (f) attempt to gain unauthorized access to the Cyber Front services or its related systems or networks, or (g) attempt to do any of the foregoing.

1.4. Customer agrees that Mastercard’s Affiliates may perform any Cyber Front service under this Agreement and any services in support of the Cyber Front Hosted services. “Affiliate” means, in relation to a party, any other entity which directly or indirectly Controls, is Controlled by, or is under direct or indirect common Control with that party from time to time and “Control” means, in relation to a corporate entity, the power, by operation of law or as a matter of fact, to exercise, whether directly or indirectly, a decisive influence on the orientation of such entity’s management or the appointment of the majority of its directors; “Controls” and “Controlled” will be interpreted accordingly.

1.5. Customer agrees that its purchase of the Cyber Front services is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written public comments made by the Mastercard Group with respect to future functionality or features. “Mastercard Group” means Mastercard and its Affiliates.

2. OWNERSHIP. The Mastercard Group is, and shall remain the sole owner of, and shall retain all right, title and interest in and to the Hosted Services and any related documentation, and any modifications, or improvements thereto or derivative works thereof, whether or not made by the Mastercard Group. The Mastercard Group reserves all rights in and to the foregoing, and Customer gains no rights or licenses hereunder, except as expressly granted in this Agreement.

3. CONFIDENTIALITY

3.1. Each party will regard any information (in writing, orally, or in any other form) provided to it by the other party and designated in writing, or if orally provided, indicated verbally by the disclosing party, as proprietary or confidential, to be confidential (“Confidential Information”).  Confidential Information shall also include (i) information which, to a reasonable person familiar with the disclosing party’s business and the industry in which it operates, is of a confidential or proprietary nature, regardless of whether designated as such in writing (including, without limitation, trade secrets, and, for Mastercard, Mastercard’s intellectual property rights or any data and information contained therein); and (ii) any documents prepared by the receiving party that contain, otherwise reflect, or, in whole or in part, are generated from disclosed Confidential Information.  The parties expressly agree that the Cyber Front services, any deliverables and/or reports and the terms and pricing in this Agreement are the Confidential Information of the Mastercard Group. Customer will not remove or destroy any proprietary markings or restrictive legends placed upon or contained in the Cyber Front services, any deliverables and/or reports. Information will not be deemed Confidential Information hereunder if such information: (i) is known by the receiving party prior to receipt from the disclosing party, without any obligation of confidentiality, as evidenced by receiving party’s tangible records; (ii) becomes known to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise publicly available, except through the acts or failure to act by the receiving party in breach of this Agreement; or (iv) is independently developed by the receiving party without reference to the Confidential Information as evidenced by receiving party’s tangible records.

3.2. Each party shall protect the other party’s Confidential Information in the same manner as it protects its own valuable confidential information, but in no event shall less than reasonable care be used.  A party will not disclose the other party’s Confidential Information to any third party, except (i) as permitted in writing by the disclosing party prior to any such disclosure, (ii) to employees, consultants, agents and subcontractors that have a need to know such information, provided that the receiving party shall advise each such third party of their obligations to keep such information confidential, and (iii) to the extent receiving party is legally compelled to disclose such Confidential Information pursuant to subpoena or the order of any governmental authority, provided that where possible and permitted by applicable law, the receiving party shall give advance notice of such compelled disclosure to the disclosing party, and shall cooperate with the disclosing party in connection with efforts to prevent or limit the scope of such disclosure and/or use of the Confidential Information.  Each party accepts responsibility for the actions of its agents, subcontractors, consultants, or employees.

3.3. Neither party shall make use of any of the other party’s Confidential Information except in its performance under this Agreement. Except as otherwise provided in this Agreement, at the end of the Term, or such earlier time as the disclosing party requests, the receiving party shall return to the disclosing party, or, at the disclosing party’s request, securely destroy all Confidential Information of the disclosing party in the possession of the receiving party.  Notwithstanding the foregoing, the receiving party is not obligated to destroy Confidential Information (i) commingled with other information of the receiving party if it would be a substantial administrative burden to excise such Confidential Information; (ii) contained in an archived computer system backup made in accordance with the receiving party's security or disaster recovery procedures; or (iii) required to be retained pursuant to applicable law, regulatory requirements, or post-termination obligations as stated in this Agreement, provided in each case that such Confidential Information remains subject to the obligations of confidentiality in this Section 3 until the eventual destruction.

3.4. The confidentiality obligations in this Section 3 shall apply during the term of the Agreement and for a period of three (3) years thereafter.
4. INDEMNIFICATION. Customer will, at its own expense, defend, indemnify and hold harmless the Mastercard Group and each of their employees, officers, directors, agents, representatives and contractors (“Mastercard Indemnitees”) from and against: (a) any third-party claim against the Mastercard Indemnitees arising out of or related to: (1) Customer’s or its users’ access to or use of the Cyber Front services, any deliverables and/or reports not in accordance with the terms of this Agreement, or (2) Customer’s or its users’ (i) breach of this Agreement, or (ii) gross negligence or willful misconduct in the performance of its obligations under this Agreement, provided that Mastercard: (x) promptly notifies Customer of such claim (provided that failure to do so shall not waive Customer’s obligations hereunder unless such failure materially hinders Customer’s defense of such claim), (y) reasonably cooperates with Customer in defense of the claim as reasonably requested by Customer and at Customer’s cost, and (z) gives full control and sole authority over the defense and settlement of such proceeding, provided that Customer may not settle any such claim or action without Mastercard’s prior written consent. Mastercard may participate in the defense and settlement of such claim or action with legal counsel of its own choosing and at its own cost; and (b) all liability, costs, expenses, losses (including but not limited to reasonable attorneys’ fees and all other professional costs and expenses) suffered or incurred by the Mastercard Indemnitees arising out of or in connection with a breach of Section 1.2 by Customer or its users.

5. LIMITED WARRANTY; DISCLAIMER OF LIABILITY

5.1. During any applicable term, Mastercard warrants that the applicable Cyber Front services will function in material accordance with the specifications for such Cyber Front services, as solely determined by Mastercard and as may be updated by the Mastercard Group from time to time. The Mastercard Group provides no warranty regarding any use of the Cyber Front services not in accordance with this Agreement and not specifically licensed pursuant to this Agreement.

5.2. EXCEPT AS EXPRESSLY PROVIDED IN SECTION 5.1, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE MASTERCARD GROUP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, TERMS AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, REGARDING THE CYBER FRONT SERVICES, RELATED DOCUMENTATION OR INFORMATION, AND OTHER MATERIALS AND SERVICES, AND SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, MERCHANTABLE QUALITY, NONINFRINGEMENT AND THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. THE CYBER FRONT SERVICES ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS AND THE MASTERCARD GROUP DOES NOT WARRANT THAT THE FUNCTIONS OR INFORMATION CONTAINED IN THE CYBER FRONT SERVICES OR IN ANY UPDATE WILL MEET THE REQUIREMENTS OF CUSTOMER OR THAT THE OPERATION OF THE CYBER FRONT SERVICES WILL BE UNINTERRUPTED OR FREE FROM ERRORS OR OTHER PROGRAM LIMITATIONS. THE INFORMATION PROVIDED BY THE CYBER FRONT SERVICES AND/OR CONTAINED IN ANY DELIVERABLE AND/OR REPORTS MAY CONTAIN TECHNICAL OR TYPOGRAPHICAL ERRORS. THE MASTERCARD GROUP DOES NOT GUARANTEE ITS ACCURACY OR COMPLETENESS. ALL INFORMATION PROVIDED BY THE MASTERCARD GROUP IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY, AND SUBSCRIBER ACKNOWLEDGES THAT SUBSCRIBER USES ANY SUCH INFORMATION AT ITS OWN RISK.

5.3. To the maximum extent permitted by applicable law, Mastercard’s sole and exclusive obligation and Subscriber’s sole and exclusive remedy for any failure of the Hosted Services, including the Hosted Services’ failure to meet the warranty in Section 5.1, is limited to the correction, adjustment or replacement of the failed Cyber Front service which examination indicates, to Mastercard’s satisfaction, to be defective or, at Mastercard’s sole option, termination of subscription and access rights to the failed Cyber Front Hosted service and a refund of the pro-rata amount of any pre-paid fees paid by Customer to Mastercard for the failed Cyber Front service for the remainder of the term of the affected Cyber Front service.  

5.4. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER CUSTOMER OR THE MASTERCARD GROUP BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, OR ANY PENALTIES, CLAIMS FOR LOST DATA, REVENUE, PROFITS, COSTS OF PROCUREMENT OR SUBSTITUTE GOODS OR SERVICES OR BUSINESS OPPORTUNITIES, ARISING OUT OF OR RELATED TO THE SUBJECT MATTER OF THIS AGREEMENT, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY, WHETHER IN CONTRACT OR IN TORT INCLUDING NEGLIGENCE, EVEN IF A PARTY HAS BEEN ADVISED OF SUCH DAMAGES.

5.5. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCLUDING LIABILITY FOR NON-PAYMENT BY CUSTOMER OF AMOUNTS DUE UNDER THE AGREEMENT, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY AND ITS AFFILIATES HEREUNDER ARISING OUT OF OR RELATED TO THE SUBJECT MATTER OF THIS AGREEMENT, REGARDLESS OF THE FORUM, AND REGARDLESS WHETHER ANY CAUSE OF ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO MASTERCARD, FOR THE CYBER FRONT SERVICES DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT(S) GIVING RISE TO LIABILITY.  

6. Termination

6.1. In the event a change in law or regulation prohibits or impairs the Mastercard Group’s ability to provide the Cyber Front services, or any portion thereof (“Adverse Change”), Mastercard may suspend the provision of, and Customer’s right to access and use, the Cyber Front services, or such affected portion thereof, for the duration of the Adverse Change, as may be necessary for the Mastercard Group to address the Adverse Change. If Mastercard, in its sole discretion, reasonably determines that it is unable to modify the Cyber Front services to address the Adverse Change, Mastercard may terminate such Cyber Front  services or this Agreement upon written notice to Customer with no further liability to Subscriber.

6.2. At any time, the Mastercard Group may terminate any Cyber Front service: (a) upon ninety (90) days’ notice, if the Mastercard Group discontinues such Cyber Front service in one or more of the jurisdictions in which such Cyber Front service is provided under this Agreement; (b) upon thirty (30) days’ notice or earlier, if required by applicable law or the relevant authority, if the Mastercard Group is required by such law or governing authority to cease providing such Cyber Front service in one or more of the countries in which such Cyber Front service is provided under this Agreement; (c) immediately, if the Mastercard Group receives a claim or notice alleging that such Cyber Front service infringes or violates a third party’s intellectual property rights; or (d) immediately, if Customer breaches Section 1.2 above.

7. Governing Law and Jurisdiction. These Cyber Front Terms shall be governed by and construed in accordance with the Laws of New York, US and the jurisdiction of the courts of Westchester County, New York, US.

Exhibit B.1

Mastercard Services Terms and Conditions

The Mastercard Services Terms and Conditions set forth in this Exhibit (the “Terms and Conditions”) will apply to the Services provided to Customer by Mastercard or any of its Affiliates (“Mastercard”) as outlined in the Agreement, or an applicable add-on extension thereof. Capitalized terms used but not defined herein have the meanings set forth in the Agreement.

1. Products/Services

1.1. Mastercard will provide to Customer the advisory support (“Services”), pursuant to these Terms and Conditions.

1.2. Mastercard will ensure that all Services be performed by qualified individuals in a professional and workmanlike manner. Mastercard may also use the services of third parties (“Mastercard Suppliers”) or its Affiliates in providing the Services. 

1.3. All insights, reports, and other materials provided by Mastercard in connection with the Services (“Deliverables”) may be developed using data, databases, systems, tools and information contained in the Mastercard Data Warehouse, which is comprised of information provided by third parties and may contain certain errors, omissions or inaccuracies.  Subject to Section 1.5 of these Terms and Conditions, Mastercard will have no responsibility for any errors, omissions or inaccuracies in the underlying data from the Mastercard Data Warehouse or data otherwise provided by or on behalf of Customer or any third party. 

1.4. Mastercard represents and warrants that its provision of the Services as set forth in the Agreement, are permitted under (a) all applicable laws and regulations, and privacy policies or other statements or disclosure, and (b) the terms of Mastercard’s contracts with its customers, contractors, suppliers or other third parties. 

1.5. Customer is responsible for: (a) obtaining all consents, information and materials from third parties (other than from Mastercard Suppliers) necessary for Mastercard to provide the Services or as otherwise required by this Agreement; and (b) Customer’s use of and operation of all Deliverables as well as its implementation of any advice or recommendations provided in connection with the Services.

1.6. Customer represents and warrants that: (a) its provision of any data, including but not limited to Personal Data, as further defined below (“Customer Data”) to Mastercard or a Mastercard Supplier, or such party’s receipt of Customer Data from the Customer or another party, in connection with the Services, and (b) the use, analysis, and processing of such Customer Data by Mastercard (and Mastercard.  

1.7. After receipt of a Deliverable, Customer will have 30 business days to provide Mastercard with written notice if the Deliverable reasonably does not comply with the specifications set forth in the Agreement.  In such event, Mastercard will re-perform the Services to bring the Deliverables in conformance with the specifications set forth in the Agreement within a reasonable period of time and Customer will reasonably cooperate with Mastercard for any such re-performance.

2. Term

2.1. Unless terminated sooner pursuant to below, these Terms and Conditions will be coterminous with the Agreement, and these Terms and Conditions will be deemed to expire or terminate simultaneously with the expiration or termination of the Agreement (unless an add-on extension to the Agreement is executed, in which case, these Terms and Conditions will expire or terminate simultaneously with the expiration or termination of such extension). 

2.2. Any add-on extension, and these Terms and Conditions may be terminated by one Party upon written notice to the other Party: (a) in the event that such other Party has materially breached an obligation, representation or warranty and fails to cure the breach within 30 business days of receiving written notice of the breach; (b) as of the date on which proceedings are instituted against a Party seeking relief under any bankruptcy, insolvency or similar law.

2.3. In the event a change in law or regulatory requirement, or any proposed change to a Service by a third party provider, prohibits or impairs Mastercard’s ability to provide a Service, or any portion thereof in a territory/ies, (“Adverse Change”), Mastercard may suspend the provision of the affected Service, or such affected portion thereof, in such territory/ies for the duration of the Adverse Change, as may be necessary for Mastercard to address the Adverse Change. If Mastercard, in its sole discretion, reasonably determines that it is unable to modify the affected Service to address the Adverse Change, Mastercard may (a) modify the Services in the Agreement to delete such territory/ies, Products or Services, or (b) terminate the applicable Agreement, upon thirty (30) days’ prior written notice to Customer with no further liability to either Party for such termination. 

2.4. If Mastercard decides, in its sole discretion, to discontinue offering the Services, or any portion thereof, in a territory for any reason, Mastercard may elect to (a) modify the Services in the Agreement to delete such territory/ies, or Services, or (b) terminate the Agreement, upon 30 days’ prior written notice to Customer with no further liability to either Party for such termination.

3. Fees, Payment and Taxes

3.1. Mastercard’s fees and payment terms for the Services will be set forth in the Agreement or an applicable add-on extension (“Fees”).  

4. License and Use of Deliverables

4.1. Upon full payment of the Fees and Other Costs by Customer for the Services set forth in the Agreement, Mastercard hereby grants to Customer a perpetual, fully paid-up, nontransferable, non-exclusive license to use the applicable Deliverables, (a) without the right to resell, assign, transfer or sublicense such Deliverables in any way, and (b) solely for Customer’s internal business purposes, relinquishing Mastercard of any liability for Customer’s use of such Deliverables. 

4.2. Customer retains ownership of Customer Data and any other confidential information it provides to Mastercard.  Mastercard shall own and be free to use for any purpose any ideas, concepts, general skills, know-how or techniques resulting from or acquired or used in the course of or arising out of the performance of the Services, including any suggestions, enhancement requests, recommendations or other feedback provided by Customer relating to the Services.  The Services and all Deliverables provided by Mastercard to Customer, as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard Supplier in connection with the Services, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). 

4.3. Customer will not, and shall not permit or authorize any person, or other third parties to: (a) use the Services, or any data analytics or insights in the Deliverables in a manner so as to reverse engineer or aid any other party to reverse engineer the data contained in the Deliverables; (b) create derivative works based on the Services, the Deliverables, or Mastercard's intellectual property; (c) copy, frame or mirror any part of the Services, the Deliverables, or Mastercard's intellectual property; (d) access the Services or Mastercard's intellectual property in order to build a competitive product or service, or to copy any features, functions, or graphics of such Services, the Deliverables, or Mastercard's intellectual property;  or (e) except as expressly permitted under the Agreement, copy, modify, or reproduce the Services, Deliverables, or Mastercard's intellectual property in any way.  Customer will not remove any identification, copyright or proprietary or other notices from the Deliverables or any copies thereof. Customer will not use any Deliverable in a manner that would violate any applicable law, regulation, or third-party rights. 

4.4. Customer grants Mastercard a worldwide, fully paid-up license to copy, display and use Customer’s name and logo (“Customer Marks”): (a) as necessary to perform Services; (b) to identify Customer as a customer of Mastercard and its Affiliates on its website and marketing materials; and (c) with Customer’s prior written approval, to issue publicity or announcements concerning Mastercard’s engagement with the Customer for the purpose of a case study or investor relations announcements.  Customer warrants and represents to Mastercard that Customer owns all right, title, and interest in and to Customer’s Marks and has the authority to license to Mastercard the rights granted hereunder. Except as otherwise set out in these Terms and Conditions and the Agreement, each Party will obtain the written consent of the other Party prior to the issuance of any press release, announcement or any other form of publicity, concerning these Terms and Conditions and the Agreement.

5. Compliance with Laws

5.1. The Parties will ensure that their respective obligations under these Terms and Conditions and the Agreement and business activities related thereto are performed in accordance with all applicable laws and regulations, including, but not limited to, all applicable anti-bribery and corruption laws and other applicable laws.  Customer will not export, directly or indirectly, any Deliverables acquired from Mastercard under these Terms and Conditions to any country for which the U.S. Government or any agency thereof at the time of export requires an export license or other government approval without first obtaining such license or approval. 

5.2. The Parties will comply with: (a) all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements relating in any way to the privacy, confidentiality or security of Personal Data including but not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”); California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.); the Gramm-Leach-Bliley Act; laws regulating unsolicited email communications; security breach notification laws; laws imposing minimum security requirements; laws requiring the secure disposal of records containing certain Personal Data; and all other similar international, federal, state, provincial, and local requirements; and (b) the Payment Card Industry Data Security Standards, in each case, to the extent they apply to the Services.  Subject to any applicable law, Customer agrees that Mastercard may transfer data to any country in which any Mastercard Affiliate does business. 

5.3. The Data Processing Agreement (“DPA”) currently located at Data Processing Agreement | Mastercard Services (https://vault.pactsafe.io/s/294cfd22-c6b3-4fb2-9cd7-486000c5e0c6/uc0do2rtk.html) will apply to all Processing of Personal Data subject to Privacy and Data Protection Law (as these terms are defined in the DPA) in the context of these Terms and Conditions. The terms of the DPA are expressly incorporated by reference into these Terms and Conditions and will prevail over any contradictory term otherwise contained in these Terms and Conditions solely with respect to the Processing of Personal Data subject to Privacy and Data Protection Law. To the extent Europe Data Protection Law applies and notwithstanding any other term in these Terms and Conditions, Mastercard Europe SA is entering into these Terms and Conditions solely for the purpose of compliance with Europe Data Protection Law and does not have any other obligations to Customer in respect of these Terms and Conditions.

6. Indemnification; Disclaimers; Limitation of Liability

6.1. Each Party will defend, indemnify and hold harmless the other Party, and its employees, officers, agents, Affiliates, representatives, and contractors from and against any claims, demands, loss, damage or expense (including reasonable attorneys’ fees) relating to or arising solely out of third party claims: (a) relating to such indemnifying Party’s acts of gross negligence or willful misconduct in connection with its performance under these Terms and Conditions or an Agreement, or (b) in the case of Customer, third party claims relating to the use of Deliverables or combination, modification or use of the Deliverables with materials not provided by Mastercard or materials required by Customer to be included in the Deliverables. 

6.2. NOTWITHSTANDING ANY OTHER PROVISION TO THE CONTRARY SET FORTH IN THESE TERMS AND CONDITIONS, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER UNDER ANY LEGAL THEORY, TORT, CONTRACT, OR STRICT LIABILITY, FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES, FOR LOSS OF PROFITS, GOODWILL, OR ECONOMIC LOSS, REGARDLESS OF WHETHER A PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES; PROVIDED, HOWEVER, THAT A PARTY’S WAIVER OF ITS RIGHT TO RECEIVE SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES SHALL NOT APPLY IN THE EVENT OF A BREACH OF A PARTY’S CONFIDENTIALITY OBLIGATIONS DESCRIBED IN SECTION 7 OF THESE TERMS AND CONDITIONS. 

6.3. EXCEPT AS SPECIFICALLY DESCRIBED HEREIN, MASTERCARD MAKES NO WARRANTIES, EXPRESS OR IMPLIED, CONCERNING THE SERVICES AND THE DELIVERABLES AND WITHOUT LIMITATION, MASTERCARD HEREBY EXCLUDES AND DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES AND CONDITIONS TO THE EXTENT PERMITTED BY LAW, INCLUDING BUT NOT LIMITED TO, (A) ANY IMPLIED WARRANTY OF MERCHANTABILITY, (B) COURSE OF DEALING, (C) NON-INFRINGEMENT, OR (D) FITNESS FOR A PARTICULAR PURPOSE. 

6.4. Except with respect to (a) the Parties’ indemnification obligations under Section 6.1 of these Terms and Conditions; or (b) Customer’s breach of its obligations under Sections 3 or 4 of these Terms and Conditions, the maximum aggregate liability of any Party arising out of or relating to these Terms and Conditions or the Advisory Support described in the Agreement, whether it arises by statute, contract, tort or otherwise, will not exceed the amount of the Fees or the value of the Services and Deliverables in the Agreement under which the claim is brought. If no such fees or value of the Services and Deliverables is stated in the Agreement, then such maximum aggregate liability will be limited in all respects to US$50,000 over the term of such Agreement. Nothing in these Terms and Conditions excludes or limits the liability of either Party for (a) death or personal injury caused by its negligence, (b) any matter which it would be illegal for the Party to exclude or attempt to exclude its liability, or (c) fraud or fraudulent misrepresentation.

7. Confidentiality

7.1. For purposes of these Terms and Conditions, and the Agreement,  “Confidential Information” means the provisions of these Terms and Conditions and the Agreements and any information, Deliverables, insights, Customer Data, Mastercard Supplier data, reports, data, materials, processes, methodologies and concepts, in whatever form embodied (e.g., oral, written, electronic) or owned by Mastercard or Customer, including Personal Data and any non-public information about individuals or consumers of Mastercard or Customer and their respective Affiliates, no matter how or by what party such information, materials, or concepts were transmitted, disclosed, directly or indirectly by either Party in the course of discussions, provisioning of  Deliverables or other work undertaken between the Parties during the performance of these Terms and Conditions or the Agreement. “Personal Data” means any information relating to an identified or identifiable individual, regardless of the media in which it is contained. 

7.2. Except with respect to Personal Data, Confidential Information will not include any information which: (a) is already in the public domain at the time of disclosure through a source other than the Receiving Party; (b) enters the public domain after disclosure through no fault of the Receiving Party; (c) is already known to the Receiving Party at the time of disclosure (as evidenced by written records); (d) was independently developed by the Receiving Party without use of or reference to any Confidential Information (as evidenced by written records); or (e) is subsequently disclosed to the Receiving Party by third parties having no obligation of confidentiality to the Disclosing Party. 

7.3. For purposes of these Terms and Conditions the term of the confidentiality obligations will remain in effect during the Term and for seven years thereafter, except for non-public information about individuals or consumers of Mastercard or Customer, which will be maintained in confidence indefinitely. 

7.4. Upon the written request of the Disclosing Party, the Receiving Party will securely destroy or render unreadable or undecipherable all originals and copies of the Confidential Information, in every media format, in the Receiving Party’s possession, custody or control, and provide certification of destruction. The foregoing will not apply to the extent information must be retained pursuant to applicable legal or regulatory requirements or for purposes of the Receiving Party’s commercially reasonable disaster recovery procedures, provided such information will continue to be subject to Section 7 of these Terms and Conditions.

8. General Terms

8.1. Customer agrees and acknowledges that Mastercard will not provide any legal, regulatory or compliance advice in the course of provision of Services, which will be the sole responsibility of the Customer. Mastercard may provide certain proposed materials and make certain recommendations in connection with these Terms and Conditions or the Agreement. Customer acknowledges and agrees that the Deliverables, including the recommendations suggested by Mastercard in connection with these Terms and Conditions, do not constitute legal or investment advice and Mastercard does not otherwise warrant that execution of any recommendations or guidelines contained in the Deliverables will result in compliance with applicable laws or will be up to date, complete or accurate at the time of any such execution. Customer is responsible for reviewing and evaluating the appropriateness of these same materials and recommendations, as well as any decisions made or actions taken by Customer in response to such proposed materials and recommendations to Customer, against Customer’s risk-tolerances and/or other criteria. Mastercard makes no warranty or guarantees that: (a) any assessment and recommendations arising from the Services will be effective; or (b) the Services may provide statistically significant results with respect to any analysis, whether as a result of the fact that relevant data does not support the drawing of statistically significant results or because the data was corrupted, inaccurate, or incomplete in any way.

8.2. Mastercard and Customer acknowledge and agree that the analyses and data included in the Services will be subject to all relevant laws and regulations for each applicable country, as well as Mastercard’s contractual obligations and internal confidentiality, privacy, and data analytics guidelines and policies (“Applicable Standards”). In no event will Mastercard be obligated to supply or share any information or data which Mastercard determines, in its sole discretion, would cause Mastercard to be in violation of any such Applicable Standards. Mastercard reserves the right, in its sole discretion, to apply adjustments in order to achieve conformance with such Applicable Standards. 

8.3. Neither Party shall be liable for loss or damage or be deemed to be in default under these Terms and Conditions or the Agreement if its failure to perform its obligations results from or is attributable to any act of God, natural disaster, fire, strike, embargo, war, threat of terrorism, insurrection, strike, riot or other cause or circumstance beyond the reasonable control of the Party; provided however that the foregoing shall not excuse any failure to exercise diligence by a Party to minimize the scope, extent, duration and adverse effect of any such delay in performance, on the other Party. 

8.4. Any notice shall be in writing and shall be addressed to the Party entitled to such notice at such address indicated in the Agreement or as the Parties may inform each other from time to time, and shall be given by (a) an overnight registered mail or courier delivery service or (b) email transmission (other than notice of breach, termination or intellectual property claim). Any notice given under sub-clause (a) shall be deemed to have been received three calendar days after mailing, and any notice given in accordance with sub-clause (b) shall be deemed to have been received one calendar day after its transmission by email.  

8.5. A failure or delay of either Party to enforce any provision of or exercise any right under these Terms and Conditions or the Agreement thereof shall not be construed to be a waiver. No waiver by a Party or any amendment to these Terms and Conditions shall be effective unless expressly made in a signed writing, which writing shall not be an e-mail.  

8.6. If any provision of these Terms and Conditions or the Agreement thereof is held by a court of competent jurisdiction to be unenforceable or invalid in any respect, such unenforceability or invalidity shall not affect any other provision, and these Terms and Conditions or the Agreement thereof shall then be construed as if such unenforceable or invalid provisions had never been part thereof.

8.7. All representations and warranties, and all commitments to indemnify, defend, hold harmless, or relating to confidentiality, limitations on liability, rights and obligations upon termination, and jurisdiction, and any other provision by its nature that is meant to survive shall survive any termination of these Terms and Conditions.  

8.8. These Terms and Conditions or the Agreement thereof shall not be assigned by either Party without the prior written consent of the other Party, which consent will not be unreasonably withheld, provided that Mastercard may assign its rights and obligations under these Terms and Conditions to an Affiliate without prior written consent of the Customer. Any assignment or delegation made without the appropriate express written approval as required herein shall be null and void. Nothing in these Terms and Conditions or the Agreement is intended to confer any benefit on any third party (whether referred to herein by name, class, description, or otherwise) or any right to enforce a term of these Terms and Conditions or the Agreement.

8.9. These Terms and Conditions including the Agreement thereof evidence the entire agreement and understanding between Mastercard and the Customer with respect to the transactions contemplated in the Agreement thereof, and supersede all prior agreements, representations, statements, negotiations and undertakings between the Parties, whether oral or written, concerning such transactions, except in respect of any fraudulent misrepresentations made by either Party.

8.10. These Terms and Conditions and all Agreements thereof and the respective rights and obligations of the Parties shall be governed and construed in accordance with the Laws of New York, US and the jurisdiction of the courts of Westchester County, New York, US.

8.11. Notwithstanding anything to the contrary in these Terms and Conditions, Customer authorizes Mastercard to: 1. Process, including, where necessary, to aggregate or anonymize, Customer Data to effectuate the Service; 2. Use Customer Data for the following business purposes and in compliance with all applicable laws: (a) in connection with Mastercard's internal operations, including for legal, accounting, or auditing purposes; (b) to maintain and improve the quality of Mastercard's services; (c) to develop, improve and deliver existing and new products or services; (d) to secure Mastercard’s personnel, products, or systems and to conduct risk management, including fraud monitoring and prevention, and (e) with the consent of the data subject. With respect to each of the activities of this section, Mastercard will not disclose any Customer Data to any third party unless such Customer Data does not identify any individual or Customer; and 3. Anonymize Customer Data, and aggregate it with other data collected by Mastercard, to create compilations, reports, analyses and insights, provided that such compilations, reports, analyses and insights do not identify, or attempt to identify, any individual or Customer.

8.12. Unless otherwise expressly provided herein, any remedies stated herein are non-exclusive. In addition to these remedies, the Parties shall be entitled to pursue any other remedies that they may have at law or in equity.

Exhibit C.1

Cyber Crisis Additional Terms

Customer hereby agrees to the following terms and conditions:

a)  Customer Responsibilities

Customer agrees to undertake and be responsible for the following:

  • Making available key stakeholders, designated personnel, and relevant documentation to support Mastercard’s information-gathering efforts, including meetings, interviews, and presentation reviews, to help Mastercard understand internal processes, channels, issuer information, constraints, timing, production, and budgets.
  • Providing Mastercard with all necessary data, insights, and information in a timely manner.
  • Ensuring, to the best of Customer’s ability, that mutually agreed milestones are met within the established timelines.
  • Collaborating with Mastercard to align on major objectives, engagement tactics (e.g., channels, treatment, participant selection, timing, test criteria, resources), success criteria, and reporting requirements.
  • Ensuring that core project stakeholders of Customer support Mastercard in driving alignment across relevant business units on key outcomes and priorities.

b) Customer Acknowledgments and Agreements

Customer acknowledges and agrees that:

  • In providing the Cyber Crisis Services and preparing the Report under this Agreement, Mastercard may use data, services and reports from third-party providers and may use third-party providers’ platforms for hosting and supporting the cybersecurity analysis tools used in connection with this Agreement. The Cyber Crisis Services may be provided by affiliates of Mastercard. The term “Report” as used in this Agreement shall mean the “Lessons Learned” report.
  • The time frame for delivery of any Report is dependent upon the timely sharing of data and availability of relevant Customer employees for certain meetings and information sharing purposes. Such data and employee availability requirements will be provided to Mastercard as soon as practicable after the Effective Date.
  • The Report will be based on the scope of the Cyber Crisis Services described in this Agreement. Any comments by Customer on the Report must be made within a period of up to fifteen (15) days after the Report is made available to Customer.
  • The quality of the Report provided under this Agreement depends on correctness and fullness of responses, data and other information provided by Customer and Mastercard assumes no liability for incomplete or inaccurate responses, data and information provided by the Customer.
  • Customer is solely responsible for any implementation of any advice and/or recommendations provided by Mastercard and/or contained in any Report. Further, the Report will be used by the Customer at its own risk and Mastercard does not guarantee that implementation of any recommendation contained in the Report will remediate any and/or all risks that the Customer is facing and/or may face in the future.
  • Mastercard may process Customer provided Customer information, including responses to cybersecurity-related questions and outputs from technical assessments, to prepare, furnish, and deliver aggregated or grouped reports, with insights enabling customer(s) to benchmark their existing cyber security posture in the market, as well as other insights. For the avoidance of doubt, no personal data is needed or processed in order to produce such reports. These reports are intended to provide benchmarking insights and will not include personal data or identify any individual customer.
  • Mastercard and/or any Mastercard third party provider will not provide legal, finance or tax advice to Customer. Customer acknowledges and agrees that Mastercard is acting solely as a consultant and in an advisory capacity only with respect to all aspects of this Agreement. Customer understands and agrees that the entire process described in this Agreement will be conducted by the Customer in accordance with its own policies as well as all local applicable laws and regulations, and that Customer will be liable for any actions resulting from the recommendations provided under this Agreement. Customer acknowledges and agrees to seek the advice of its legal counsel for any legal questions Customer may have relating to selection and hiring of outside resources, personnel and/or third parties, business terms, compliance with applicable laws, provisions, negotiations, contractual documents, financial and/or tax structure of the Cyber Crisis Services, the Report and/or this Agreement. 
  • In order to provide the Cyber Crisis Services, Mastercard may rely on third-party platforms or service providers. When accessing or using the services, Customer may be required to interact directly with such third-party platforms. Customer acknowledges and agrees that the use of these platforms might be subject to additional terms and conditions (including additional privacy notices) of the respective third parties. By accessing or using the services provided through these platforms, Customer acknowledges and agrees to comply with the applicable third-party terms.

c) Other Legal Provisions

i. Representations. Each party represents and warrants that: (i) the individual executing this Agreement on its behalf is duly authorized to do so and has the authority to bind such party; (ii) this Agreement constitutes a valid and binding obligation, enforceable against such party; and (iii) such party is in compliance with all applicable federal, provincial, and local laws and regulations relevant to the subject matter of this Agreement.

ii. Reservation of Rights. Mastercard reserves all rights not expressly granted to Customer in connection with this Agreement. Except for the limited rights necessary to participate in the selected Cyber Crisis Service(s) and receive the associated Report, no rights, title, or interest in any Mastercard intellectual property, tools, or materials are granted to Customer by implication or otherwise.

iii. Confidentiality. Any data, material, content and/or Report provided by Mastercard in connection with this Agreement, and all information disclosed by one party to another by any means, which has been identified as confidential and/or can be understood as confidential by any person, shall be considered “Confidential Information”. Each party agrees to maintain the confidentiality of such Confidential Information, protect the other party’s Confidential Information in the same manner as it protects its own valuable confidential information, and not to disclose Confidential Information to any third party without prior written consent of the other party, except as required by law and/or as necessary to provide the Cyber Crisis Services.

iv. Compliance with Anti-Bribery and Corruption Laws. Each party shall comply and shall ensure that each of its subcontractors and personnel complies with all applicable anti-bribery and corruption laws applicable to business dealings and any implementing regulations in respect of any such laws. Customer warrants, represents, and covenants to Mastercard that Customer and each of its employees, subcontractors and personnel has not and shall not, in connection with the activities contemplated herein, in connection with any other business activities involving Mastercard: (i) make, promise or offer to make any payment or transfer of anything of value or any other advantage directly or indirectly through a representative, intermediary agent or otherwise to any Government Official (as defined below) or to any other person for the purpose of improperly influencing any act, omission to act or decision of such official or individual or securing an improper advantage to assist the parties in obtaining or retaining business; or (ii) accept anything of value from any third party seeking to influence any act or decision of Customer or in order to secure an improper advantage to that third party. “Government Official” is defined as any employee or officer of a government of a country, state or region, including any federal, regional or local government or department, agency, enterprise owned or controlled by such government, any official of a political party, any official or employee of a public international organization, any person acting in an official capacity for, or on behalf of, such entities, and any candidate for political office. Any violation and/or breach of this clause will constitute a material breach of this Agreement.

v. Disclaimer. Mastercard may provide certain proposed materials and make certain recommendations in connection with this Agreement, including, without limitation, the Reports. Customer is responsible for reviewing and evaluating the appropriateness of these materials and recommendations, as well as any decisions made or actions taken by Customer in response to such proposed materials and recommendations against Customer’s own risk-tolerances and/or other criteria. Furthermore, any reliance upon any forecasts, revenue projections or indications of financial opportunities provided or identified by Mastercard, shall be made or undertaken entirely at Customer’s own discretion and determination, after Customer’s own thorough review and consideration of all risks involved.

Further, content, materials and the Report created under this Agreement, including, but not limited to lessons learned summaries, cyber crisis playbooks, performance metrics, and strategic recommendations are generated using Mastercard and third-party licensed cybersecurity and analytics platforms that may incorporate artificial intelligence (“AI”) technologies. The content, materials and the Report are for use by the Customer for internal business purposes and informational purposes only. Content generated by the platforms, including AI-generated outputs, is not verified for accuracy, completeness, or reliability. Mastercard makes no representations or warranties regarding the accuracy of the content or the non-infringement of third-party intellectual property rights in any generated materials. Mastercard disclaims all liability for decisions made or actions taken based on the contents of the Report. All intellectual property rights pertaining to the information used to generate the Report are the property of Mastercard including any data or content uploaded to the platforms, subject to the terms of the platform license contained in this Agreement. Redistribution, external sharing, or commercial use of the Report is prohibited without prior written consent from Mastercard and, where applicable, the platform provider. Use of the Report by the Customer and/or any third party is at their own risk. The Customer assumes full responsibility for the interpretation, use, and distribution of all content, including derivative works. The Cyber Crisis Services are provided on a fixed-fee basis, are non-refundable, and may not be carried forward into future periods. Additional services require a separate agreement. There are no acceptance criteria or termination for convenience provisions applicable to these services.

vi. Limitation of Damages. NOTWITHSTANDING ANY OTHER PROVISION TO THE CONTRARY SET FORTH IN THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER UNDER ANY LEGAL THEORY, TORT, CONTRACT, OR STRICT LIABILITY, FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES, FOR LOSS OF PROFITS, GOODWILL, OR ECONOMIC LOSS, REGARDLESS OF WHETHER A PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES.

vii. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW AND EXCLUDING LIABILITY FOR NON-PAYMENT BY CUSTOMER OF AMOUNTS DUE UNDER THE AGREEMENT, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY AND ITS AFFILIATES HEREUNDER ARISING OUT OF OR RELATED TO THE SUBJECT MATTER OF THIS AGREEMENT, REGARDLESS OF THE FORUM, AND REGARDLESS WHETHER ANY CAUSE OF ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE LOWER OF: (A) THE FEES PAID OR PAYABLE BY CUSTOMER TO MASTERCARD FOR THE CYBER CRISIS SERVICES AND (B) $250,000.

viii. Assignment. Customer may not assign or transfer any of its rights or obligations under this Agreement, whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Mastercard. Any attempted assignment or transfer without such consent shall be null and void.

ix. Governing Law and Jurisdiction. These Cyber Crisis Terms shall be governed by, and construed in accordance with the Laws of New York, US and the jurisdiction of the courts of Westchester County, New York, US.

Exhibit D

RiskRecon Platform and Service Description

This Service Description details certain functional specifications of the Hosted Services that may be updated by Mastercard, in its sole discretion, from time to time.

RiskRecon provides risk-prioritized action plans and supports security measurements available on demand through our Hosted Services. These assessments are produced entirely by RiskRecon and do not require any invasive scanning, hacking, or Subscriber’s proprietary information.

Our patented or patent-pending solution has the ability to:

  • Discover vendor Internet facing assets  
  • Gather relevant technical attributes, and 
  • Analyze with proprietary rules engines and statistical techniques.

By combining these results with legitimate threat intelligence sources and exception-based analyst review, RiskRecon produces assessments containing dozens of security criteria. These Reports provide detailed, descriptive root cause analyses and management dashboard summaries.

Using the Hosted Services requires no deployment or IT support, so Subscriber’s focus can be entirely on the assessments and actionable data we produce. We provide our entire solution via a SaaS subscription service hosted and maintained by us. Our solution consists of several components, each available by separate subscription:

RiskRecon Discover™

RiskRecon Discover™ is a fully automated solution that produces security scores and risk-prioritized issue counts.  This is an entirely machine-driven approach that requires no RiskRecon analyst involvement.  
For this service, Subscriber supplies a list of their third parties that contains: 1) each company’s name and 2) one domain name for each company (e.g., Nike, nike.com).  RiskRecon uses these inputs to initiate an automated scan that identifies any hosts associated with the domain(s) submitted and then conducts a passive security analysis of the associated domain(s), domain hosts, and domain email servers.    

  • Scores and Ratings Diagnostic 

RiskRecon Discover™ produces an initial analysis that provides scores and issue counts along with summaries for overall portfolio performance.  This provides a one-time performance summary and establishes a performance baseline for the aggregate portfolio and each individual vendor. 

  • Ongoing Score Tracking and Alerting 

Once the initial RiskRecon Discover™ diagnostic is completed, RiskRecon will then regularly update each third party’s performance approximately every 2 weeks using the same automated process.  For each of the more than 40 RiskRecon security measures, Subscriber administrators have the ability to configure alerting thresholds specific to your organization’s risk policy.  This results in: 

a. Access to regularly updated scores and risk-prioritized ratings 

b. Automated alerts whenever specific vendor security issues exceed Subscriber’s risk tolerance 

c. Insight into aggregate and individual vendor performance trends

RiskRecon Advisor™ 

RiskRecon Advisor™ delivers a more comprehensive assessment that includes not just scores and issue counts, but also detailed evidence and findings, automated action plans, and full IT and 4th party risk profiles.  Examples when Subscriber may require these capabilities are: 

  • After reviewing the initial RiskRecon Discover™ diagnostic, Subscriber identifies poor performing vendors that require additional investigation
  • When receiving a RiskRecon Discover™ alert or new information from other sources, Subscriber requires further information to understand root cause of performance change and recommended actions
  • As part of the new vendor RFP or onboarding process, Subscriber’s third-party risk program requires detailed vendor assessment
  • Subscriber organization already has identified some higher risk vendor relationships which require ongoing security monitoring to identify any material findings, determine performance gaps, and recommend remediation steps
  • Subscriber desires objective validation of vendor’s security questionnaire responses

The RiskRecon Advisor™ solution combines: (a) an analyst-built company profile, (b) an analyst-trained supervised machine learning model, and (c) the RiskRecon automated scanning service. As with RiskRecon Discover™, Subscriber supplies a company name and at least one company domain name. But rather than a fully automated process, the next step involves a RiskRecon analyst who curates and builds a subsidiary profile of the company to ensure complete coverage of the entity, including all subsidiaries. The analyst then initiates a supervised machine learning model to recognize company and subsidiary domains and networks automatically.

RiskRecon algorithms discover systems based on the supervised machine learning model and conduct a passive analysis of every domain, domain hosts, email servers, and so forth. To ensure data quality, analysts review exceptions in cases where the algorithms cannot determine domain or network ownership automatically with a high degree of confidence. 

Subscriber receives comprehensive ratings, evidence and action plans. This solution provides the accuracy and depth needed for Subscriber to understand root causes for each security gap, understand corrective actions recommended, share confidently with Subscriber’s vendors, and collaborate on remediation steps. 

Subscribers can choose from two different update schedules for the RiskRecon Advisor™ service: 

  • Snapshot Report: Subscriber obtains a one-time report with all of the above information on an existing vendor or on a new vendor that Subscriber wishes to assess before signing contracts. This one-time report remains available during the subscription term, but the information is not updated once published.
  • Continuous Monitoring:  Subscriber receives regularly updated assessment information, refreshed approximately every 2 weeks, which contains comprehensive data from the most recent scan plus historical ratings trends.  Since this scan is fully refreshed approximately every 2 weeks, Subscriber can set alerts.  Subscriber can set these notifications based on (a) overall vendor score changes (b) individual security criteria score changes and/or (c) specific events that exceed Subscriber-defined risk policy.

A Subscriber with a subscription to the RiskRecon Advisor™ – Continuous Monitoring service can also take advantage of the RiskRecon Collaborate™ and RiskRecon Search™ modules (see descriptions below and note that these modules may be subscribed separately).

RiskRecon Own Enterprise™ 

RiskRecon Own Enterprise™ monitoring service is designed specifically for the exacting demands of an organization that assesses its own organization’s security performance.   

Just like RiskRecon Advisor™, the RiskRecon Own Enterprise™ solution combines: (a) an analyst-built company profile, (b) an analyst-trained supervised machine learning model, and (c) the RiskRecon automated scanning service. As an additional step, RiskRecon analysts perform a monthly manual review of Subscriber’s assessment to maintain the lowest possible false positives and false negatives. The entire RiskRecon analysis is updated approximately every 2 weeks, but if any errors are identified, Subscriber can request that an updated scan be initiated outside the standard 2-week cycle.

This service also includes ongoing, scheduled reviews between our experienced analysts and Subscriber security team(s).  During these reviews, Subscriber may request RiskRecon staff to conduct investigations into specific issues, create custom reports and perform additional research, and collaborate with other departments in Subscriber’s organization to advise on remediation steps.

Included in the foregoing Hosted Services are the following additional features:

RiskRecon Collaborate™

With RiskRecon Collaborate™, Subscriber can share their RiskRecon Advisor™ vendor action plan with the appropriate third party. By sharing, Subscriber identifies areas of concern for the vendor to review and automatically provides all supporting evidence and recommended remediation steps. Furthermore, Subscriber’s third parties can track issue resolution status and flag items as false positives or as having compensating controls. RiskRecon analysts will review any items marked as false positives and, if validated as errors, update the appropriate RiskRecon results.

If Subscriber or the third party has any questions during the collaboration process, RiskRecon provides live help support to both Subscriber and the third party. As an additional service, RiskRecon, upon request, will also provide the vendor with unlimited access to their entire RiskRecon Advisor™ assessment – no fees, no data masking, no time limits.

RiskRecon Search™

An ad-hoc search module that enables Subscriber to produce custom reports based on any combination of RiskRecon IT profile, ratings and security finding categories.  RiskRecon Search™ is commonly used to identify vendor exposure to new security vulnerabilities; discover fourth-party dependencies; and identify geo-location risks.

RiskRecon API™

Subscription to RiskRecon API code and right to establish real-time connection to our Hosting Service to electronically consume data into Subscriber’s system of choice.

RiskRecon Privacy

RiskRecon Privacy Rating is designed to enable companies to evaluate and manage the privacy risks associated with their enterprise and third-party vendors, partners, and suppliers. This product leverages the existing RiskRecon technologies to provide risk scores and insights to help manage privacy risks and strengthen their data protection measures.