
WebCTRL Cloud Subscription Agreement

Legal Terms & Service Information

This page provides the authoritative legal terms governing WebCTRL® Cloud services, including hosted software, cloud analytics, and related digital offerings. 

WebCTRL Cloud is a subscription-based SaaS offering and is distinct from WebCTRL on-premises software.

How WebCTRL Cloud Is Governed 

Use of WebCTRL® Cloud services is governed by:

  • a Master Subscription Agreement, which establishes the overall contractual relationship;
  • a WebCTRL Cloud Product Appendix, which defines product-specific terms and service scope; and
  • Service Levels (SLA) applicable solely to WebCTRL® Cloud.

Where personal data is processed on behalf of a customer, the Data Processing Agreement (DPA) also applies. These documents are incorporated by reference into the applicable Order Form.


Product Appendix - WebCTRL Cloud

Applies only to WebCTRL Cloud Services.

This Product Appendix applies solely to the extent WebCTRL® Cloud and/or iVu® Cloud (collectively, the “BAS Cloud Services”) are purchased under an applicable Order Form. This Appendix describes module-specific functionality, dependencies, service levels, and limitations applicable to the BAS Cloud Services.

Processing of Personal Data is governed exclusively by the Data Processing Agreement (“DPA”), which is incorporated by reference and controls to the extent of any conflict with respect to Personal Data.

1. Scope and Purpose.

The BAS Cloud Services are cloud‑hosted building automation platforms providing centralized visibility, configuration, management, and analytics for building systems and equipment connected to Customer‑owned or Customer‑controlled building automation systems (“BAS”), including WebCTRL® and iVu® environments. The BAS Cloud Services are intended to support Customer’s internal facilities, energy, engineering, and maintenance workflows by enabling remote access to system data, alarms, trends, graphics, documentation, and configuration information across one or more sites. Where enabled and authorized by Customer, the BAS Cloud Services may support remote configuration changes and control commands initiated by authorized users. The BAS Cloud Services do not replace physical controllers, embedded safety interlocks, life‑safety systems, onsite operating procedures, or qualified personnel. Customer remains the operator of record for all connected systems and equipment.

2. DPA Data Class and Categories.

The BAS Cloud Services map to the DPA “Building & HVAC Telemetry” data class. Personal Data, when present, may include authenticated user and administrator identifiers, roles and permissions, audit logs, and technician notes. Product improvement, analytics, and service optimization are performed using De‑identified Data, as defined in the DPA.

3. Service Description and Features.

Subject to the applicable Order Form, the BAS Cloud Services may include:

3.1 Cloud User Interface.

A web-based user interface providing multi-site visibility into building systems, including dashboards, alarms, trends, reports, system graphics, documentation, and status views. Graphics, views, and content may be created, configured, or deployed by Customer or its authorized dealers or integrators.

3.2 Data Aggregation and Visualization.

Collection, aggregation, and display of telemetry, alarms, events, and configuration data originating from on-premises controllers, gateways, and connected devices.

3.3 Configuration, Scheduling, and Control Support.

Where enabled, the ability for authorized users to perform remote configuration changes, scheduling updates, and control commands affecting connected BAS components, subject to Customer authorization, policies, and safeguards.

3.4 Analytics and Insights.

Reports, diagnostics, trends, and analytics intended to support operational review, troubleshooting, and planning.

3.5 Integrations.

Optional integrations with other Carrier digital offerings or Customer systems, as specified in the applicable Order Form.

Customer acknowledges that any configuration changes or control actions are initiated by Customer authorized users and remain subject to Customer review, validation, and supervision.

4. Customer Responsibilities.

Customer is solely responsible for: (i) designing, operating, maintaining, and securing its BAS, HVAC, and related building systems; (ii) ensuring safe operation of equipment and compliance with all applicable laws, codes, regulations, and standards; (iii) configuring alarms, thresholds, schedules, notifications, workflows, and access controls; (iv) reviewing and responding to alarms, alerts, and system conditions; (v) implementing and enforcing lock‑out/tag‑out (LOTO), safety, emergency, and change‑management procedures; and (vi) approving, supervising, and validating any remote configuration changes or control commands initiated through the BAS Cloud Services. Provider does not validate Customer configurations, alarm settings, control logic, or operational decisions.

5. Alarm Visibility Disclaimer.

Visibility of alarms, alerts, events, or system conditions within the BAS Cloud Services does not constitute: (i) acknowledgment by Provider; (ii) monitoring or supervision by Provider; (iii) an obligation to notify Customer or third parties; or (iv) an assumption of responsibility for outcomes. Customer remains solely responsible for alarm management, escalation, and response.

6. Data Dependencies and Limitations.

The BAS Cloud Services depend on factors outside Provider’s control, including: (i) on‑premises controllers, gateways, and firmware; (ii) network connectivity and firewall configurations; (iii) sensor accuracy and calibration; and (iv) third‑party infrastructure or integrations. Provider does not guarantee the accuracy, completeness, timeliness, or uninterrupted availability of telemetry, alarms, analytics, or reports to the extent affected by such factors.

7. No Warranties of Outcome

The BAS Cloud Services do not guarantee: (i) equipment performance or uptime; (ii) energy savings or efficiency improvements; (iii) detection of all faults or unsafe conditions; (iv) compliance with laws, codes, or standards; or (v) prevention of damage, downtime, or loss. Customer bears all risk associated with reliance on the BAS Cloud Services.

8. High-Risk Use Prohibition

The BAS Cloud Services are not designed for, and Customer shall not use them for: (i) life‑safety or emergency response functions; (ii) automated control of critical building systems without human oversight; or (iii) sole reliance for safety‑critical or regulatory determinations. Customer must maintain independent systems and procedures appropriate to the risk profile of its facilities.

9. Relationship to Physical Services

This Appendix governs only Customer’s access to and use of the BAS Cloud Services. Any installation, commissioning, maintenance, repair, monitoring, or emergency response services are governed exclusively by separate written service agreements, if any, and are outside the scope of this Appendix.

Service Levels & Availability (SLA)

Product-specific terms and availability commitments.

10. Service Levels; Credits (Exclusive Remedy)

10.1 Cloud UI Availability.

99.9% per calendar month (unless otherwise stated in the Order Form). Availability applies solely to the BAS Cloud Services user interface layer.

10.2 Exclusions.

Service Levels do not apply to: (i) telemetry freshness or ingestion timing; (ii) alarm transmission latency; (iii) analytics or reporting processing time; (iv) Customer networks, controllers, site conditions, or configurations; (v) third-party systems or connectivity; (vi) scheduled maintenance or emergency maintenance; or (vii) force majeure events as defined in the Agreement. Telemetry ingestion targets are informational only and do not imply monitoring or response obligations.

10.3 Service Credits.

If applicable, Service Credits are Customer’s sole and exclusive remedy for failure to meet the availability commitment and apply only to the monthly subscription fees for the BAS Cloud Services, subject to a maximum credit cap of twenty-five percent (25%) of the applicable monthly fees per billing period, unless otherwise stated in the Order Form.

10.4 Severity Classification.

Provider classifies support incidents based on severity and impact for support triage and prioritization purposes only. Severity classification does not represent a commitment regarding operational outcomes, optimization effectiveness, or business results. Provider will determine the final severity level in its reasonable discretion.

i) Priority 1 (P1) - Critical Service Impact: Complete loss of access to the BAS Cloud Services user interface for all authorized users, with no reasonable workaround.

ii) Priority 2 (P2) - Major Service Impact: Substantial degradation of core BAS Cloud Services UI functionality affecting a subset of users or features, where a workaround exists.

iii) Priority 3 (P3) - Minor Service Impact: Non‑critical issues with limited impact, including UI inconsistencies or delayed data display not preventing use.

iv) Priority 4 (P4) - Non‑Material Issues / Requests: Informational inquiries, configuration questions, documentation clarification, or enhancement requests.

10.5 Target Response Times.

Provider will use commercially reasonable efforts to acknowledge and begin triage according to the following targets:

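| Severity | Target Initial Response Time | Target Validation Time |
|----------|------------------------------|------------------------|
| P1       | 1 hour                       | 4 hours                |
| P2       | 4 hours                      | 1 business day         |
| P3       | 1 business day               | 3 business days        |
| P4       | 2 business days              | 5 business days        |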

Response Time means the time between Customer’s submission of a support ticket through Provider’s designated support channel and Provider’s initial confirmation of receipt.

Validation Time means the time within which Provider will: (i) review the reported issue, (ii) classify severity, and (iii) provide next steps or request additional information.

“Business Day” means 9:00 - 17:00 local time for the region from which Provider delivers support services, excluding weekends and holidays.

10.6 Target Remediation Efforts.

After classification, Provider will use commercially reasonable efforts to pursue resolution according to severity. Provider does not guarantee resolution within any specific time period.

Master Subscription Agreement

This Master Subscription Agreement (“Agreement”) sets forth the general terms and conditions governing Customer’s subscription to and use of the Services. This Agreement is entered into between the entity identified as the licensor and service provider of the applicable Services in the corresponding product‑ or brand‑specific legal terms made available on Provider’s applicable legal webpage (the “Provider”) and the entity identified as “Customer” in the applicable Order Form. 

This Agreement establishes a single contractual framework under which Provider and Customer may enter into one or more order forms, statements of work, or similar ordering documents referencing this Agreement (each, an “Order Form”) for the provision and use of the Services. Each Order Form identifies the Customer, the applicable Services, and the commercial terms, and incorporates this Agreement and any applicable Product Appendices by reference. 

This Agreement and the applicable Product Appendices may be made available or hosted on one or more Provider or Provider‑affiliated brand webpages or portals for convenience. The applicable branding, hosting location, or point of access reflects the relevant Service offering but does not alter the identity of the contracting Provider, which is determined solely by the applicable product‑ or brand‑specific legal terms incorporated into this Agreement. 

Each Order Form, together with this Agreement and any applicable Product Appendices, forms a separate and binding contract between the Provider and Customer identified in that Order Form. Each Order Form identifies the applicable Services, subscription scope, and commercial terms and incorporates this Agreement and the applicable Product Appendices by reference. Each of Provider and Customer is a “Party” and together the “Parties.” 

WHEREAS, Provider, as part of the Carrier Global group of companies (collectively, “Carrier”), offers subscription‑based access to a portfolio of digital, hosted, connected, analytics‑enabled, and advisory services, which may include hosted software applications, connectivity‑dependent services, device‑enabled functionality, data analytics, and related insights (collectively, the “Services”); 

WHEREAS, the Services are made available on a subscription basis pursuant to one or more Order Forms, and may rely on third‑party networks, devices, platforms, or data sources outside of Provider’s direct control; 

WHEREAS, specific features, service levels, data categories, dependencies, limitations, and module‑ or service-specific terms applicable to particular Services are set forth in one or more product appendices incorporated by reference into this Agreement (each, a “Product Appendix”); 

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, the Parties agree that Customer’s access to and use of the Services shall be governed by this Agreement, the applicable Order Form(s), and any incorporated Product Appendices.

1. Order of Precedence; Incorporated Documents

1.1 Incorporated Documents.

The following documents are incorporated by reference and form part of this Agreement: (a) each Order Form and/or Statement of Work (“SOW”); (b) the Data Processing Agreement (“DPA”); (c) the Product Appendices for any purchased module(s); and (d) Provider’s then-current Acceptable Use Policy (“AUP”) available upon request.

1.2. Order of Precedence.

In the event of conflict, the order of precedence is: (1) the Order Form/SOW (commercial terms only); (2) the DPA (solely with respect to the processing of Personal Data); (3) the Product Appendix applicable to the purchased module; (4) any Third-Party Provider Terms identified in the applicable Product Appendix; (5) this Agreement; and (6) the AUP or other referenced documents.

1.3. Entire Agreement for Commercial Terms.

Except for the DPA (which governs the processing of Personal Data), this Agreement together with the Order Forms/SOWs and Product Appendices constitutes the complete and exclusive statement of the Parties’ agreement regarding the Services. For clarity, Order Forms and SOWs define commercial terms only and do not modify Provider identity or the governing product- or brand-specific legal terms.

2. Definitions

2.1. “Authorized User” means an employee, contractor, or agent of Customer or its Affiliates who is authorized to access and use the Services.

2.2. “Customer” means the entity identified as “Customer” in the applicable Order Form.

2.3. “Customer Data” means data submitted to or generated in the Services by or for Customer, including Equipment/Telemetry Data and Personal Data to the extent provided by Customer. Customer Data excludes Service Data and Derived Data.

2.4. “Derived Data” means aggregated and de-identified analyses, statistics, insights, models, or learnings generated by Provider from processing of Customer Data and/or Service Data in connection with operating and improving the Services. Derived Data does not identify Customer or any data subject.

2.5. “Equipment/Telemetry Data” means machine‑generated or sensor data from connected devices, controllers, building systems, transportation refrigeration units (TRUs), containers, trailers, and other telematics endpoints. When linked to an identifiable person, it constitutes Personal Data under the DPA.

2.6. “Maintenance Window” means planned maintenance periods as described in Section 9.

2.7. “Personal Data” has the meaning set forth in the DPA.

2.8. “Product Appendix” means a schedule attached to this Agreement that describes module-specific features, service levels, data classes, and additional terms.

2.9. “Provider” means, with respect to a given Service, the Carrier or Carrier‑affiliated entity identified as the licensor and service provider in the applicable product‑ or brand‑specific legal terms made available on Provider’s applicable legal webpage, as incorporated into this Agreement by reference.

2.10. “Service Credit” means the credit against future fees described in the applicable Product Appendix as the sole and exclusive remedy for service level failures.

2.11. “Service Data” means operational data relating to the provision, access, and use of the Services (e.g., logs, event data, request metadata, performance metrics, device identifiers).

2.12. “Services” means the subscription-based digital, telematics, analytics, connectivity-dependent, and related services made available by Provider, which may include hosted software applications, APIs, device-enabled functionality, data analytics, modeling, simulation, and advisory insights, as described in an applicable Order Form and Product Appendix.

2.13. “Subscription Term” means the period identified in an Order Form during which Customer is entitled to access the Services.

2.14. “Third-Party Service” means a Service module branded as a Provider offering that is provided, in whole or in material part, via a third-party platform or network and for which availability, latency, data transmission, or functionality may depend on such third-party platforms or networks outside Provider’s direct control.

2.15. “Third-Party Provider Terms” means supplemental terms of the underlying third-party platform/network that apply to Customer’s use of a Third-Party Service, as identified in the applicable Product Appendix.

3. Subscriptions; Fees; Taxes

3.1. Subscription Scope.

Customer’s access to the Services is limited to the modules, features, usage metrics, quantitative limits, and locations specified in the Order Form. Services are licensed on a non-exclusive, non-transferable basis for Customer’s internal business purposes.

3.2. Pricing Models.

Fees may be structured as seat-based, asset-based, consumption-based (including transactions, API calls, storage, compute, or messages), flat recurring, or a combination, as set out in the Order Form.

3.3. Overage and True-Up.

If actual usage exceeds purchased limits, Provider may invoice overage at then-current rates or require an upgrade. Customer will cooperate with reasonable usage verification including technical safeguards and semi-annual usage reporting.

3.4. Invoicing; Payment.

Unless otherwise stated, fees are invoiced in advance and payable net thirty (30) days from invoice date. Late amounts accrue interest at 1.5% per month (or the maximum permitted by law), and Provider may suspend the Services for undisputed amounts thirty (30) days overdue.

3.5. Renewal Pricing; Annual Uplift.

Fees for any Renewal Term will be as stated in the Order Form; if not stated, Provider’s then-current list price applies. For multi-year Subscription Terms, annual fees increase by the greater of five percent (5%) or CPI-U for the prior twelve (12) months unless otherwise agreed.

3.6. Third-Party Cost Pass-Through.

Provider may pass through documented increases in third-party connectivity, carrier, satellite, mapping, or similar costs upon thirty (30) days’ notice.

3.7. Taxes.

Fees are exclusive of taxes. Customer is responsible for all sales, use, VAT, GST, excise, and similar taxes except taxes based on Provider’s income. If withholding is required, Customer will gross-up payments so Provider receives the amount it would have received absent withholding, and will provide proof of remittance.

4. Access Rights; Acceptable Use

4.1. License Grant.

Subject to this Agreement and the applicable Order Form, Provider grants Customer a limited, non‑exclusive, non‑transferable right to access and use the Services on a subscription basis during the Subscription Term.

4.2. Restrictions.

Customer shall not (i) copy, modify, create derivative works of, or reverse engineer the Services; (ii) sublicense, rent, or provide the Services to third parties (including as a service bureau); (iii) access the Services to build a competitive product; (iv) remove proprietary notices; (v) conduct security testing (including penetration testing) without Provider’s prior written approval; or (vi) publish benchmarks of the Services without Provider’s prior written consent.

4.3. Acceptable Use Policy.

Customer will comply with Provider’s AUP, including prohibitions on unlawful, excessive, or abusive use; malware; and attempts to bypass technical controls.

4.4. Accounts and Credentials.

Customer is responsible for all activities under its accounts and for maintaining accurate registration and contact information.

4.5. APIs; Rate Limiting.

Provider may implement rate limits and technical safeguards to ensure platform stability and may throttle or suspend calls that materially degrade the Services, with prompt notice to Customer.

4.6. Customer Responsibilities for IoT/OT Deployments.

Customer is responsible for providing power, network connectivity, firewall/NAT policies, physical security, and environmental conditions required to operate devices and gateways, and for any site permits or approvals.

4.7. Third-Party Services.

Customer’s use of any Third-Party Service is subject to the applicable Third-Party Provider Terms identified in the Product Appendix. Security testing (including penetration testing) of a Third-Party Service is prohibited unless expressly authorized in writing by Provider and the applicable third-party provider.

5. Data Privacy; Security; Derived Data

5.1. DPA Controls.

The Parties’ respective privacy, data protection, and security obligations, including roles, purposes of processing, subprocessors, audits, international transfers, technical and organizational measures (TOMs), return and deletion, are governed exclusively by the DPA, which is incorporated by reference and prevails over this Agreement to the extent of conflict with respect to the processing of Personal Data.

5.2. No Special Categories.

The Services are not designed to process special categories of Personal Data (or children’s data) unless expressly agreed in a Product Appendix and the DPA.

5.3. Derived Data and Improvement Rights.

Provider may process Service Data and create or use Derived Data to operate, secure, analyze, and improve the Services, to develop new features, and for benchmarking, provided Derived Data does not identify Customer or any data subject. Product improvement will not rely on Personal Data except as permitted by the DPA or Customer’s documented instructions.

5.4. Security Incidents.

Security Incident notification and cooperation obligations are governed by the DPA.

5.5. No Data Localization Commitment.

Except where expressly agreed in an Order Form or Product Appendix, Provider does not represent or warrant that Customer Data or Personal Data will be stored, processed, or maintained within any particular country, region, or jurisdiction.

6. Intellectual Property; Feedback

6.1. Ownership.

Provider and its licensors own all right, title, and interest in and to the Services, Service Data, Derived Data, and all related IP rights. No rights are granted except as expressly stated.

6.2. Customer Data.

As between the Parties, Customer owns Customer Data. Provider may process Customer Data solely to provide and support the Services and as otherwise permitted under this Agreement and the DPA.

6.3. Feedback.

Customer grants Provider a perpetual, irrevocable, worldwide, royalty‑free license to use, reproduce, and otherwise exploit any suggestions, enhancement requests, or feedback provided by Customer or Authorized Users relating to the Services, without restriction or obligation.

6.4. Open Source and Third‑Party Components.

Certain components may be provided under open‑source licenses or third‑party terms. Provider will identify any such components in documentation upon request; such terms will govern those components to the extent of conflict.

7. Confidentiality

7.1. Definition.

“Confidential Information” means non‑public information disclosed by a Party that is designated as confidential or that should reasonably be understood to be confidential given the nature of the information and circumstances of disclosure, including software, product plans, security information, business and marketing plans, technology and technical information, and the terms of this Agreement. Provider Confidential Information includes the Services, performance information, and this Agreement.

7.2. Protection.

The receiving Party will use the same degree of care that it uses to protect the confidentiality of its own similar information (but not less than reasonable care), will not use Confidential Information except as permitted under this Agreement, and will limit access to those with a need to know who are bound by obligations no less protective.

7.3. Exclusions.

Confidential Information does not include information that is or becomes public without breach, was known without restriction prior to disclosure, is received from a third party without breach, or is independently developed.

7.4. Compelled Disclosure.

The receiving Party may disclose Confidential Information to the extent required by law or court order, provided it gives prompt notice and cooperates in seeking protective treatment.

8. Support, Service Levels, and Maintenance

8.1. Support.

Provider will provide technical support as described in the applicable Product Appendix.

8.2. Service Levels.

Service level commitments and Service Credits (exclusive remedy for service level failures) are set forth in the applicable Product Appendix.

8.3. Maintenance Windows.

Provider may perform planned maintenance up to two hundred forty (240) minutes per calendar month with at least seventy‑two (72) hours’ advance notice, and emergency maintenance as needed. Maintenance windows and emergency maintenance are excluded from availability calculations.

8.4. Exclusions.

Service Levels do not apply to: (a) issues caused by Customer systems, networks, configurations, or third-party connectivity (including cellular, satellite, GPS, Wi-Fi, or internet networks), (b) device, hardware, or sensor failures outside Provider’s control, (c) telemetry delays caused by Customer firewalls, proxies, VPNs, or on-premises controllers, (d) beta, preview, early-access, or non-production features, (e) third-party APIs, data sources, or integrations, (f) scheduled maintenance or emergency maintenance, or (g) force majeure events.

9. Warranties; Disclaimers

9.1. Limited Warranty.

During the Subscription Term, the Services will materially conform to Provider’s then‑current documentation. Customer’s exclusive remedy and Provider’s entire liability for breach of this warranty is repair, replacement, or reperformance of the non‑conforming Services.

9.2. Disclaimer.

EXCEPT AS EXPRESSLY PROVIDED IN SECTION 9.1, THE SERVICES ARE PROVIDED “AS IS” AND PROVIDER DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON‑INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT THE OUTPUTS (INCLUDING PREDICTIONS, ALERTS, SCORES, RECOMMENDATIONS, OR ANALYTICS) WILL BE ACCURATE, COMPLETE, OR SUITABLE FOR OPERATIONAL, SAFETY CRITICAL, OR COMPLIANCE DETERMINATIONS. PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL PREVENT EQUIPMENT FAILURE, REDUCE ENERGY CONSUMPTION, EXTEND ASSET LIFE, AVOID DOWNTIME, IDENTIFY ALL FAULTS, OR RESULT IN ANY PARTICULAR MAINTENANCE, COST, OR OPERATIONAL OUTCOME.

9.3. Third‑Party Networks.

For any Third-Party Service, the Service may rely on a third-party platform and external connectivity (e.g., cellular, satellite, GPS, roaming). Provider disclaims responsibility for such third-party platforms and networks except to the extent within Provider’s reasonable control.

10. Indemnification

10.1. Provider IP Indemnity.

Provider will defend Customer against third‑party claims alleging that Customer’s authorized use of the Services directly infringes a U.S. patent, copyright, or trade secret, and will pay amounts finally awarded (or settled) to the extent arising from such claim. Provider has no obligation to the extent a claim arises from: (a) combinations with items not supplied by Provider; (b) Customer’s breach of this Agreement; (c) Customer Data or third‑party components; (d) use after Provider offers a non‑infringing alternative; or (e) industry‑standard features. If infringement is found or likely, Provider may (i) procure the right to continue use; (ii) modify the Services without material loss of functionality; or (iii) terminate the affected Order Form and refund prepaid fees for the unused portion of the Subscription Term. THIS SECTION STATES PROVIDER’S ENTIRE LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDY FOR IP INFRINGEMENT.

10.2. Third-Party Services.

This Section does not apply to claims to the extent arising from the third-party platform or network underlying a Third-Party Service, except for Provider-provided branding, custom code, or configurations not supplied by such third party. In such case, Provider may (i) procure the right for Customer to continue use, (ii) modify or replace the module to be non-infringing without material loss of functionality, or (iii) terminate the affected module and refund prepaid fees for the unused portion of the Subscription Term.

10.3. Customer Indemnity.

Customer will defend and indemnify Provider against third‑party claims arising out of (a) Customer Data (including allegations that Customer Data violates law or third‑party rights), (b) Customer’s or Authorized Users’ use of the Services in violation of this Agreement or applicable law, or (c) Customer’s gross negligence or willful misconduct.

10.4. Procedure.

The indemnified Party must provide prompt notice, reasonable cooperation, and grant sole control of the defense and settlement to the indemnifying Party (provided settlement fully releases the indemnified Party and does not impose obligations other than payment).

11. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, COVER, OR PUNITIVE DAMAGES, OR LOSS OF PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY. EXCEPT FOR CUSTOMER’S PAYMENT OBLIGATIONS, EACH PARTY’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER FOR THE SERVICES GIVING RISE TO THE CLAIM IN THE TWELVE (12) MONTHS PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY. THE FOREGOING LIMITS APPLY TO ALL THEORIES OF LIABILITY AND ALL CLAIMS, INCLUDING INDEMNITY.

12. Term; Termination; Transition

12.1. Term; Renewal.

The “Term” of this Agreement shall correspond to the subscription term specified by the Parties in writing, whether in an Order Form or through another mutually agreed written instrument. Unless otherwise agreed in such written instrument, each subscription will automatically renew for successive one (1) year renewal terms unless either Party provides written notice of non-renewal (email acceptable) at least sixty (60) days prior to the end of the then-current subscription term. If applicable, Customer shall send any notice of non-renewal to the Provider contact identified in the Parties’ written agreement. Except as expressly agreed in writing by the Parties, any renewal of a promotional or one-time priced subscription will be billed at Provider’s then-current list price. Notwithstanding anything to the contrary in this Agreement, any renewal in which Customer reduces subscription volume or subscription duration for any Services will result in re-pricing at renewal without regard to the prior term’s per-unit pricing.

12.2. Termination for Cause.

Either Party may terminate this Agreement for cause upon thirty (30) days’ written notice if the other Party materially breaches this Agreement and fails to cure such breach within the notice period. In addition, either Party may terminate this Agreement immediately if the other Party becomes the subject of a bankruptcy petition or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

12.3. Effect of Termination.

Upon termination or expiration, Customer will cease all access and pay all fees due.

12.4. Transition and Data Export.

For thirty (30) days after termination, upon request and subject to payment of applicable fees, Provider will make available a machine‑readable export of Customer Data then in Provider’s possession. Deletion of Personal Data will be handled under the DPA.

12.5. Switching Assistance.

Subject to applicable law, Provider will provide reasonable cooperation to facilitate Customer’s transition to another data processing service provider or to an on‑premise solution, including support for secure export of Customer Data in a commonly used, machine‑readable format. Any fees for such assistance will be limited to reasonable, cost‑based charges permitted by law.

13. Assignment; Modifications

13.1. Assignment.

Either Party may assign this Agreement in whole to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all assets, with written notice to the other Party. Any other assignment requires the non‑assigning Party’s prior written consent (not to be unreasonably withheld).

13.2. Modifications.

Provider may modify online terms and policies from time to time. Material changes to this Agreement will be notified at least thirty (30) days in advance and will not materially diminish Customer’s core contractual protections during a then‑current Subscription Term.

14. Subcontractors; International Trade; General

14.1. Subcontractors.

Provider may use subcontractors (including cloud providers and deployment partners) to provide the Services and remains responsible for their performance. Personal Data subprocessing is governed exclusively by the DPA.

14.2. Export Compliance.

Customer will comply with applicable export and import laws. Customer represents it is not located in a sanctioned jurisdiction or on a restricted party list.

14.3. Governing Law; Venue.

This Agreement is governed by the laws set forth below, without regard to conflict‑of‑laws principles, and excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG):

14.3.1. Americas: For Customers with their principal place of business in North America, Central America, or South America, this EULA is governed by the laws of the State of New York, United States of America. The parties consent to exclusive jurisdiction and venue in the state and federal courts located in the State of New York.

14.3.2. Europe, Middle East, and Africa (EMEA): For Customers with their principal place of business in Europe, the Middle East, or Africa, this Agreement is governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction over any dispute arising out of or relating to this Agreement.

14.3.3. Asia-Pacific (APAC): For Customers with their principal place of business in the Asia‑Pacific region, this Agreement is governed by the laws of Singapore. The courts of Singapore shall have exclusive jurisdiction over any dispute arising out of or relating to this Agreement.

14.4. Notices.

Notices must be in writing and delivered by courier or email to the addresses in the Order Form.

14.5. Force Majeure.

Neither Party is liable for delay or failure to perform (except payment obligations) due to events beyond its reasonable control, including labor issues, acts of God, war, terrorism, epidemics, government actions, or internet/telecommunications failures.

14.6. Entire Agreement; Severability; Waiver.

This Agreement (including incorporated documents) constitutes the entire agreement. If any provision is unenforceable, the remaining provisions remain in effect. A waiver must be in writing and does not constitute a waiver of any other provision.

15. Artificial Intelligence Terms

15.1. Definitions.

15.1.1. “AI Features” means features of the Services that use machine learning, statistical modeling, rules engines, or other artificial intelligence techniques to generate predictions, scores, classifications, recommendations, or natural language outputs.

15.1.2. “Customer Inputs” means prompts, instructions, configurations, thresholds, labelled examples, training feedback, or other content Customer submits to AI Features.

15.1.3. “AI Outputs” means predictions, scores, classifications, recommendations, explanations, summaries, or other content generated by AI Features for Customer.

15.1.4. “Model Artifacts” means models, parameters, weights, embeddings, rules, pipelines, and other artifacts developed or used by Provider or its licensors to power AI Features.

15.2. Inputs, Training, and Derived Data.

Provider may process Customer Inputs to deliver AI Features and to create Derived Data as set out in the Agreement. Provider will not use Personal Data within Customer Inputs to train or retrain Model Artifacts for generalized use across customers, except (i) as permitted by the DPA using De‑identified/aggregated data, or (ii) with Customer’s documented instructions. Provider owns Model Artifacts and Derived Data; Customer owns Customer Data and AI Outputs as between the Parties, subject to Section 15.6.

15.3. AI Acceptable Use.

Customer will not use AI Features to: (a) make decisions that produce legal or similarly significant effects about a person without appropriate human review; (b) process special categories of Personal Data unless expressly permitted in an Appendix and the DPA; (c) create or disseminate content that is unlawful, deceptive, or infringes third‑party rights; (d) perform fully automated operational control of physical equipment without human-in-the-loop safeguards; or (e) perform benchmark publication or model evaluation except as allowed by Section 4.5.

15.4. Explainability; Evaluation; Rate Limits.

15.4.1. Explainability. AI Features may be probabilistic and non-deterministic; explanations, feature importance, or confidence scores (if provided) are estimates and not guarantees.

15.4.2. Evaluation. Customer may internally evaluate AI Features. Publishing or sharing public benchmarks or comparative evaluations of the AI Features or Model Artifacts requires Provider’s prior written consent.

15.4.3. Rate Limits. Provider may implement usage caps, content filters, and safety systems and may suspend AI Features to protect the Services or third parties, with prompt notice to Customer.

15.5. Human Oversight.

AI Outputs are advisory and intended to assist qualified personnel. Customer is responsible for (i) reviewing material AI Outputs; (ii) choosing thresholds, actions, or workflows; and (iii) ensuring compliance with applicable laws, industry standards, and SOPs. For any automated actions Customer enables (e.g., remote control commands), Customer remains responsible for safety, regulatory compliance, and outcomes.

15.6. AI Outputs; Rights.

As between the Parties, and subject to Provider’s rights in the Services, Model Artifacts, and Derived Data, Customer owns AI Outputs generated for Customer’s use. Customer grants Provider a non-exclusive, worldwide license to use AI Outputs solely to provide and support the Services (including quality, safety, and abuse detection). Provider does not claim ownership of Customer Inputs.

15.7. Content Safeguards; Accuracy.

AI Outputs may contain errors, may not be unique, and may not reflect real-time conditions. Provider disclaims responsibility for decisions made or actions taken in reliance on AI Outputs; Customer must validate outputs appropriate to the use case.

15.8. Third‑Party Models.

AI Features may use third‑party or foundation models subject to additional terms. Provider remains responsible for service delivery under the Agreement; Customer agrees to any pass-through terms provided in the applicable Appendix or documentation for such models.

15.9. Regulated Use.

AI Features are not designed for life-support, clinical diagnosis, or other high-risk uses. For regulated workflows (e.g., GxP, cold-chain compliance), AI Features support advisory outputs; Customer is responsible for validation, recordkeeping, and regulatory determinations.

15.10. Privacy & Security.

Personal Data processing for AI Features is governed by the DPA. Provider may retain safety/abuse and quality logs, including limited samples of Customer Inputs and AI Outputs, for security and troubleshooting consistent with the DPA.

15.11. AI Indemnities.

15.11.1. Provider IP Indemnity (AI). Provider’s IP indemnity in §10.1 applies to AI Features as part of the Services but excludes claims based on Customer Inputs or Customer’s use of AI Outputs contrary to the Agreement or documentation.

15.11.2. Customer Indemnity (AI). Customer will defend and indemnify Provider from claims arising from Customer Inputs or Customer’s use of AI Outputs (including where such content is unlawful, infringes third‑party rights, or violates the AUP or this Section 15).

15.12. Export Controls.

Customer will not use AI Features in violation of export, sanctions, or trade laws, and will not provide access to restricted parties or in embargoed jurisdictions.

15.13. Updates.

Provider may improve, retrain, replace, or deprecate AI Features or underlying Model Artifacts, provided changes do not materially diminish core functionality during a then-current Subscription Term.

Data Processing & Privacy

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Agreement between Customer and Provider and applies solely to Provider’s Processing of Personal Data on behalf of Customer in connection with the Services (the “Agreement”). Capitalized terms not defined herein have the meanings set forth in the Agreement.

1. Parties; Incorporation; Scope.

1.1 Parties.

This DPA is entered into between: (i) the Customer entity identified in the Agreement (“Customer”) and (ii) the Provider entity identified in the Agreement. Each may be referred to as a “Party” and together, the “Parties.”

1.2 Incorporation; Order of Precedence.

This DPA is incorporated by reference into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA will control. If and to the extent the Standard Contractual Clauses (as defined below) apply, they will control over this DPA to the extent of any conflict.

1.3 Scope.

This DPA applies only to the Processing of Personal Data by Provider as Processor (or “service provider/processor” under U.S. State Privacy Laws) on behalf of Customer as Controller (or “business”). This DPA does not govern the Parties’ respective rights and obligations regarding: (a) Service Data (as defined below), except to the extent Service Data constitutes Personal Data processed on Customer’s behalf; (b) Derived Data (as defined below), which is not Personal Data; or (c) Equipment/Telemetry Data that is not Personal Data, which is addressed in Annex IV and/or the Agreement.

1.4 Coverage of Affiliates.

(a) Provider Affiliates. Provider Affiliates may Process Personal Data on Provider’s behalf. Provider Affiliates that Process Personal Data on behalf of Provider are deemed Subprocessors and are subject to the obligations of this DPA.

(b) Customer Affiliates. Customer Affiliates may use the Services only if expressly authorized in the Agreement (e.g., Order Form/SOW or schedule). Each such Customer Affiliate will be deemed a separate Controller with respect to its own Personal Data.

1.5 Term.

This DPA remains in effect for the duration of Provider’s Processing of Personal Data on behalf of Customer and until Provider has completed its obligations under Section 12 (Return and Deletion).

2. Definitions.

For purposes of this DPA:

2.1 “Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” means ownership of greater than 50% of voting interests or equivalent power to direct management.

2.2 “(Applicable) Data Protection Laws” means all data protection, privacy, and security laws and regulations applicable to Provider’s Processing of Personal Data under the Agreement, including, where applicable, (i) the European Union General Data Protection Regulation (“GDPR”), (ii) the UK GDPR and the UK Data Protection Act; (iii) the Swiss Federal Act on Data Protection; and (iv) U.S. state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other similar U.S. state laws (collectively, “U.S. State Privacy Laws”).

2.3 “Customer Data” means data submitted to or generated in the Services by or for Customer, including Personal Data and Equipment/Telemetry Data to the extent provided or controlled by Customer. Customer Data excludes Service Data or Derived Data.

2.4 “De-identified Data” means data that has been de-identified or anonymized such that it cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person. De‑identified Data is not Personal Data. Provider will maintain and apply measures designed to prevent re-identification and will not attempt to re-identify De-identified Data.

2.5 “(Data) Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined under the GDPR. The term “Controller” is used in this DPA solely for purposes of describing the Parties’ roles under applicable Data Protection Laws and is intended to encompass functionally equivalent concepts (such as “business”) under other applicable legal regimes, without expanding or modifying the obligations set forth in this DPA or the Agreement.

2.6 “(Data) Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, as defined under the GDPR. The term “Processor” is used in this DPA solely for describing the Parties’ roles and is intended to encompass functionally equivalent concepts (such as “service provider” or “processor”) under other applicable Data Privacy Laws, without expanding or modifying the obligations set forth in this DPA or the Agreement.

2.7 “Derived Data” means aggregated and de-identified analyses, statistics, models, benchmarks, learnings, or insights generated by Provider from Processing of Customer Data and/or Service Data in connection with operating, securing, and improving the Services, provided Derived Data does not identify Customer or any data subject.

2.8 “Equipment/Telemetry Data” means machine-generated data from connected devices, sensors, controllers, building systems, transportation refrigeration units (TRUs), refrigerated containers and trailers, and other telematics endpoints. Equipment/Telemetry Data constitutes Personal Data only to the extent it is reasonably linkable to an identified or identifiable natural person (for example, operator/driver IDs or precise geolocation tied to a specific individual).

2.9 “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Provider on behalf of Customer under the Agreement, including “personal information” or “personal data” as defined in Applicable Data Protection Laws.

2.10 “Process” / “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, or destruction.

2.11 “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

2.12 “Service Data” means operational data relating to the provision, access to, and use of the Services (e.g., logs, event data, request metadata, performance metrics, and system telemetry), excluding Customer Data and Derived Data.

2.13 “Subprocessor” means any third party, including any Provider Affiliate, engaged by or on behalf of Provider to process Personal Data on Provider’s behalf.

2.14 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU).

2.15 “UK Addendum” means the UK International Data Transfer Addendum to the SCCs (or any successor recognized under UK law).

2.16 “Swiss Addendum” means the modifications/adaptations required for the SCCs to comply with Swiss data protection law and guidance of the Swiss FDPIC.

3. Roles; Customer Instructions; Purpose Limitation.

3.1 Roles.

For purposes of this DPA and the Processing of Personal Data under the Agreement, Customer is the Data Controller (or where applicable under U.S. State Privacy Laws, the “business”); Provider is the Data Processor (or, where applicable, the “service provider” or “processor”), solely with respect to Personal Data processed on Customer’s behalf in accordance with this DPA.

3.2 Documented Instructions.

Provider shall process Personal Data solely in accordance with Customer’s documented instructions as set forth in: (a) the Agreement, (b) this DPA (including its Annexes), and (c) Customer’s lawful configurations and written directions issued by Customer’s authorized representatives, and only for the purposes of providing, operating, maintaining, securing, and supporting the Services and complying with applicable law.

3.3 Instruction Legality.

Provider shall promptly inform Customer if Provider reasonably believes that an instruction violates Applicable Data Protection Laws. Provider is not required to comply with an instruction that is unlawful or would cause Provider to violate Applicable Data Protection Laws.

3.4 Permitted Essential Processing.

Notwithstanding Section 3.2, Provider may Process limited Personal Data as necessary to: (i) ensure security and integrity of the Services; (ii) prevent, detect, and remediate fraud, abuse, or misuse; (iii) debug and repair errors; (iv) provide billing, account administration and support; and (v) comply with applicable legal obligations, in each case consistent with Applicable Data Protection Laws.

3.5 Prohibited Data; Special Categories; Children.

Unless expressly agreed in writing with appropriate safeguards (e.g., in a Product Appendix and/or Order Form/SOW): (a) the Services are not designed to Process special categories of Personal Data or sensitive data requiring heightened protection (e.g., health/medical subject to HIPAA, payment card data subject to PCI DSS, biometric identifiers for identification, precise government IDs, or criminal offense data); and (b) the Services are not directed to children and are not designed to Process children’s Personal Data. Customer will not submit such data to the Services absent written agreement. If Provider becomes aware that prohibited data has been submitted, Provider will notify Customer and delete or return such data as instructed unless retention is required by law.

3.6 Data Minimization.

Provider will limit Processing to Personal Data reasonably necessary for the instructed purposes and will support correction/deletion actions initiated by Customer using available Service functionality.

4. Confidentiality.

4.1 Confidentiality Obligations.

Provider will ensure that all persons authorized to Process Personal Data are subject to binding confidentiality obligations no less protective than those set forth in the Agreement. Provider shall limit access to Personal Data to personnel with a strict need-to-know, periodically review access rights, promptly revoke access when no longer required, and provide appropriate privacy and security training.

4.2 Non-Personal Customer Data.

For avoidance of doubt, confidentiality obligations applicable to Customer Data that is not Personal Data are governed by the Agreement.

5. Security Measures (Technical and Organizational Measures).

5.1 TOMs.

Provider shall implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage, as described in Annex II.

5.2 Risk-Based Program; Variance by Offering.

Provider maintains a documented, risk-based information security program appropriate to the nature of the Services. Because Provider’s offerings, hosting environments, and third-party dependencies vary, the specific control implementations and security evidence (e.g., reports, certifications, summaries) may vary by offering; however, Provider will maintain an overall level of protection appropriate to the risk.

5.3 Updates.

Provider may update TOMs from time to time to maintain or improve security and compliance, provided the overall level of protection is not materially diminished.

6. Security Incidents.

6.1 Notification.

Provider shall notify Customer without undue delay and in any event within seventy-two (72) hours after confirmation of a Security Incident affecting Customer Personal Data. Where Provider reasonably suspects a material incident may involve Customer Personal Data and early notice is needed for Customer to meet legal obligations, Provider will provide notice consistent with this Section.

6.2 Contents.

Notice will include, to the extent known at the time: (i) the nature of the Security Incident; (ii) the categories and approximate number of affected data subjects and records; (iii) likely consequences; (iv) measures taken or proposed to address the Security Incident and mitigate adverse effects; and (v) a point of contact.

6.3 Investigation; Mitigation & Cooperation.

Provider will investigate the Security Incident, take reasonable steps to remediate, and document corrective actions. Provider will reasonably cooperate with Customer’s reasonable instructions regarding the Security Incident, except where prohibited by law, not technically feasible, would compromise security, or would adversely affect other customers. For multi-customer incidents, Provider may coordinate response and limit disclosures to what is reasonably necessary and appropriate in light of confidentiality, security, and legal constraints.

7. Subprocessor.

7.1 General Authorization; List.

Customer authorizes Provider to engage Subprocessors to Process Personal Data on Provider’s behalf.

7.2 Subprocessor List URL; Notice.

Provider will maintain an up-to-date list of Subprocessors (via URL or schedule) identifying each Subprocessor’s name, role, processing activities and location(s). Provider will provide at least thirty (30) days’ prior notice of additions or replacements by updating the Subprocessor List URL and providing notice to Customer via email or other method specified in the Agreement’s notice provisions.

7.3 Objection Right.

Customer may reasonably object to a new Subprocessor by notifying Processor promptly in writing, stating reasonable grounds, within ten (10) business days after receipt of notice. If Customer objects, Processor will use commercially reasonable efforts to provide a reasonable workaround to avoid the Subprocessor’s Processing of Customer Personal Data. If no workaround is available within thirty (30) days, either Party may terminate the affected Services without penalty (and any refunds, if applicable, will be handled in accordance with the Agreement).

7.4 Flow-down; Liability.

Provider will impose on each Subprocessor obligations no less protective than those set out in this DPA and in particular providing sufficient guarantees for Personal Data protection. Provider remains responsible for the acts and omissions of its Subprocessors in connection with this DPA.

7.5 Third-Party Service Boundary.

Certain modules may be “Third Party Services” under the Agreement and may involve third party platforms/networks outside Provider’s direct control. Such third parties are treated as Subprocessors only to the extent they Process Personal Data on Provider’s behalf. Otherwise, Customer’s use of Third Party Services is governed by the Agreement, the applicable Product Appendix, and any applicable Third Party Provider Terms.

8. Assistance; Data Subject Rights; DPIAs; Regulatory Requests.

8.1 Data Subject Requests (DSARs).

Taking into account the nature of Processing, Provider will provide reasonable assistance (including appropriate technical and organizational measures, where feasible) to enable Customer to respond to data subject requests under Applicable Data Protection Laws (e.g., access, correction, deletion, restriction, portability, objection, and applicable U.S. opt-outs). Provider will not respond to a data subject request directly unless legally required or authorized by Customer. Customer is responsible for verifying the requester’s identity and for communications with data subjects unless Customer authorizes Provider in writing to respond.

8.2 GDPR/UK GDPR Articles 32-36.

Provider will provide reasonable assistance to Customer to support Customer’s compliance with obligations under GDPR/UK GDPR Articles 32-36 (security obligations support, Personal Data breach notification support, DPIAs, and prior consultation), considering the nature of the Services and the information available to Provider.

8.3 Compelled Disclosures.

If Provider receives a legally binding request from a governmental authority for Personal Data or Customer Data processed on Customer’s behalf, Provider shall: (a) assess whether the request is valid and enforceable under Applicable Data Protection Laws, including GDPR Article 48 where applicable; (b) challenge or seek to narrow the request where there are reasonable grounds to do so, including where the request conflicts with Applicable Data Protection Laws; (c) notify Customer without undue delay prior to disclosure, unless prohibited by law; (d) disclose only the minimum data required, and only after exhausting available legal remedies; and (e) where disclosure is required notwithstanding conflict, document the legal basis and scope of disclosure. Nothing in this Section requires Provider to violate applicable law, nor does it obligate Provider to challenge a request where doing so would be unlawful, futile, or disproportionate in light of the circumstances.

8.4 Proportionality; Fees.

Provider’s assistance obligations are limited to assistance that is commercially reasonable and proportionate to the nature of the Processing and Services. If Customer requests assistance that materially exceeds standard support associated with the Services, Provider may charge reasonable fees upon prior notice and mutual agreement on scope.

8.5 Switching Assistance.

For avoidance of doubt, switching and transition assistance (including post-termination export support) is governed by the Agreement, except as expressly stated in this DPA for Personal Data return/deletion.

9. International Data Transfers.

9.1 Transfer Mechanisms.

Where Provider or its Subprocessors transfer Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing adequate protection, the Parties will rely on: (a) SCCs (EU 2021/914) (Modules as applicable); (b) the UK Addendum for UK transfers; and (c) the Swiss Addendum for Swiss transfers. The SCCs and applicable Addenda are incorporated by reference, and completed by Annex I (details) and Annex II (TOMs). Any disclosure of Personal Data pursuant to a request from a non-EEA governmental authority shall be subject to Section 8.3 and shall be made only in accordance with GDPR Article 48, the SCCs, and Applicable Data Protection Laws.

For Transfers from Data Controller: Module Two: Controller-to-Processor Transfers shall apply.
For onward transfers from Data Processor: Module Three: Processor-to-Processor shall apply.
For each Module, where applicable: The optional docking clause in article 7 of the SCCs will not apply.
In Clause 9 of the SCCs, 'Option 2 - General written authorisation' will apply and the time period for prior notice of sub-processor changes will be as set forth in Article 8 of the DPTA.
In Clause 11 of the SCCs, the optional language on a complaint with an independent dispute resolution body will not apply.
In Clause 17 (Option 1), the SCCs will be governed by German laws.
In Clause 18(b) of the SCCs, disputes will be resolved before the courts of Frankfurt am Main, Germany.

9.2 Intra-Group Transfers Under BCRs.

For Personal Data transfers to Provider’s Affiliates that are covered by the Carrier Binding Corporate Rules (“BCRs”), such transfers shall be made in accordance with the BCRs. The BCRs are available at: https://www.carrier.com/us/en/bcr. This subsection applies only to intra-group transfers to Provider Affiliates included within the scope of the approved BCRs and does not limit or replace the transfer mechanisms set out in Section 9.1 for transfers to other recipients.

10. Audits; Compliance Evidence.

10.1 Compliance Evidence.

Provider shall make available to Customer, upon request and subject to confidentiality, reasonable information necessary to demonstrate compliance with this DPA, which may include applicable third-party audit reports or certifications (if maintained for the relevant offering), security summaries, and/or responses to reasonable security questionnaires.

10.2 Audit Rights.

Customer may conduct a targeted audit of Provider’s compliance with this DPA no more than once per year upon at least thirty (30) days’ prior written notice, during business hours, and subject to confidentiality and minimal disruption to Provider’s operations. Onsite audits are permitted only where the compliance evidence provided does not reasonably address documented compliance concerns, or following a material Security Incident where audit is reasonably necessary to verify remediation.

10.3 Restrictions; No Security Testing Rights Granted.

Nothing in this DPA grants Customer any right to perform penetration testing, vulnerability scanning, or other security testing of the Services except as expressly permitted in writing by Provider in accordance with the Agreement.

10.4 Costs.

Each party bears its own costs in connection with an audit, except that if an audit reveals material non-compliance with this DPA, Provider will reimburse Customer for reasonable, documented audit costs. Provider may charge reasonable fees for extraordinary audit requests upon prior notice and agreement.

11. Records; Demonstration of Compliance.

Provider will maintain records of Processing activities to the extent required by Applicable Data Protection Laws and will make available information reasonably necessary to demonstrate compliance with this DPA as set forth in Section 10.

12. Return and Deletion.

12.1 Return/Deletion Upon Termination.

Upon termination or expiration of the Services, Provider will, at Customer’s option, return or delete Customer Personal Data in Provider’s possession or control, except to the extent retention is required by law.

12.2 Sequencing with Post-Termination Export.

Where the Agreement provides a post-termination export period for Customer Data, Provider will not delete Customer Personal Data needed for such export until the earlier of (i) completion of the export requested by Customer in accordance with the Agreement, or (ii) expiration of the applicable export period, after which Provider will proceed with return/deletion in accordance with this Section 12.

12.3 Timing.

Provider will complete return/deletion within a commercially reasonable timeframe, generally within ninety (90) days after the deletion trigger described in Sections 12.1-12.2, unless the Parties agree otherwise in writing or longer retention is required by law.

12.4 Backups and Logs.

Customer Personal Data may remain in backups and disaster recovery systems until overwritten in accordance with Provider’s standard retention cycles and in security logs/audit trails maintained for security and compliance. Any retained data remains subject to appropriate security and confidentiality and will not be accessed except as required for permitted purposes.

12.5 Subprocessors.

Provider will ensure Subprocessors delete or return Customer Personal Data consistent with this Section 12 upon termination of their subprocessing.

13. U.S. State Privacy Laws (Including CCPA/CPRA).

To the extent U.S. State Privacy Laws apply to Provider’s Processing of Personal Data under the Agreement:

13.1 Service Provider/Processor Commitments.

Provider will: (a) Process Personal Data solely to perform the Services and the business purposes described in the Agreement and this DPA (including security, integrity, debugging, fraud prevention, account administration, and compliance); (b) not “sell” or “share” Personal Data (as those terms are defined under CCPA/CPRA) and not Process Personal Data for cross-context behavioral advertising; (c) not retain, use, or disclose Personal Data outside the direct business relationship with Customer except as permitted by Applicable Data Protection Laws; (d) not combine Personal Data with personal data received from other sources except as permitted for service providers/processors (including to maintain or improve the Services using De-identified and/or aggregated outputs) and as otherwise permitted by law; (e) flow down the restrictions in this Section 13 to its Subprocessors; and (f) provide the same level of privacy protection for Personal Data as required under Applicable Data Protection Laws for the Processing in scope.

13.2 Customer Disclosures.

Customer discloses Personal Data to Provider solely for the limited and specified purposes set forth in the Agreement and this DPA.

14. Customer Responsibilities.

Customer is responsible for: (a) establishing a lawful basis for Processing and providing required notices and obtaining consents where required; (b) ensuring that its instructions are lawful and do not cause Provider to violate Applicable Data Protection Laws; (c) configuring and using the Services appropriately, including managing access controls, user permissions, credentials, and any geolocation/retention settings provided in the Services; (d) ensuring Personal Data submitted is accurate, up to date, and limited to what is necessary; and (e) ensuring it does not submit prohibited data except as expressly agreed in writing with appropriate safeguards.

15. Miscellaneous.

15.1 Limitation of Liability.

The limitations and exclusions of liability set forth in the Agreement apply to this DPA to the maximum extent permitted by law.

15.2 Changes to This DPA.

Provider may update this DPA (including its Annexes) from time to time to reflect changes in the Services, Subprocessors, or Applicable Data Protection Laws. Provider will post the updated DPA and will indicate the effective date. Material changes will not apply retroactively and will become effective thirty (30) days after posting, unless required sooner to comply with Applicable Data Protection Laws. Customer’s continued use of the Services after the effective date constitutes acceptance of the updated DPA. Notwithstanding the foregoing, Provider may update the Subprocessor List URL as described in Section 7.2.

15.3 Severability.

If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

15.4 No Third Party Beneficiaries.

Except as expressly provided in the SCCs (where applicable), this DPA does not confer any rights or remedies on any third party.

15.5 Conflicting Legal Obligations.

Where compliance with Customer’s instructions or Provider’s obligations under this DPA would cause Provider to violate applicable law (including data protection, cybersecurity, state secrecy, or data localization laws), Provider shall be excused from performance to the extent of the conflict and shall promptly notify Customer. The Parties shall cooperate in good faith to implement a lawful alternative that preserves, to the extent reasonably practicable, the intended purpose of the Processing.

A. List of Parties and Roles 

Data Exporter (Controller): Customer (and authorized Customer Affiliates identified in the Agreement, if any) 

Data Importer (Processor): Provider (and its Subprocessors listed at the Subprocessor List URL) 

B. Description of the Transfer / Processing 

1. Categories of Data Subjects. 

Customer employees, contractors, administrators, field technicians/service personnel, drivers/operators (where applicable), and other authorized end users of the Services.

2) Categories of Personal Data.

Depending on the Services and Customer’s configuration, may include:

  • account identifiers and contact details (name, business email, phone, username); 
  • authentication data and access/role/permission information; 
  • identifiers associated with devices/equipment/telematics endpoints, to the extent linkable to individuals; 
  • audit logs, event logs, and alarm logs attributable to a user/account; 
  • geolocation/route data where linked to an identifiable individual (e.g., driver/operator identifier); 
  • support case data and ticket metadata; and 
  • free text fields entered by Customer users (excluding special categories of Personal Data, which are not applicable unless expressly agreed in writing).

3) Special Categories / Sensitive Data.

Not applicable.

4) Nature of Processing. 

Collection, recording, organization, structuring, storage, hosting, retrieval, consultation, use, disclosure by transmission (to authorized users and Subprocessors), alignment/combination as instructed, restriction, and deletion/return.

5) Purposes of Processing. 

Provide, operate, maintain, secure, and support the Services; perform Customer’s documented instructions; prevent fraud and misuse; ensure service integrity; provide billing/account administration; and comply with law. Product improvement and analytics occur via De-identified and/or aggregated outputs as permitted by the Agreement and this DPA.

6) Frequency of Transfers. 

Continuous and/or periodic, depending on Service use. 

7) Duration of Processing / Retention. 

For the term of the Agreement, plus any transition/export period described in the Agreement, and thereafter until completion of return/deletion obligations under Section 12, subject to permitted backup/log retention. 

C. Competent Supervisory Authority.

The Data Protection Authority in Hessen, Germany.

Provider maintains a documented, risk-based information security program appropriate to the Services, including measures such as:

  1. Governance & Risk: security policies; risk assessments; asset management; training; third-party risk management.
  2. Access Controls: least privilege; role-based access; unique IDs; MFA for administrative access where supported; periodic access reviews; secure credential practices.
  3. Encryption & Keys: encryption in transit and at rest where appropriate; secure key management with restricted access and appropriate operational controls. 
  4. Secure Development: secure SDLC practices appropriate to the offering, such as code review, change control, and vulnerability management.
  5. Monitoring & Logging: logging/monitoring appropriate to detect unauthorized access; incident response procedures. 
  6. Vulnerability Management: processes to identify, triage, and remediate vulnerabilities based on risk and severity. 
  7. BC/DR: backup and recovery processes appropriate to the offering. 
  8. Physical Security: physical security controls for facilities/data centers used to host the Services (as applicable). 
  9. Subprocessor Security: contractual security obligations and diligence appropriate to Subprocessor role.

Security evidence. Subject to confidentiality, Provider will provide reasonable evidence of security controls for in-scope offerings upon request, which may include third-party reports/certifications (if maintained), executive summaries, and/or questionnaire responses.

Provider maintains an up-to-date list of Subprocessors authorized to process Personal Data on Provider’s behalf, and provides advance notice of material changes in accordance with Section 7.

This Annex governs Equipment/Telemetry Data that does not constitute Personal Data. If Equipment/Telemetry Data becomes Personal Data (i.e., is reasonably linkable to an individual), the body of this DPA and Annex I apply. 

1. Permitted Processing. 

Provider may Process non-Personal Equipment/Telemetry Data for diagnostics, monitoring, analytics, predictive maintenance, optimization, benchmarking, security, and improvement of the Services.

2. Rights and Derived Data. 

Customer retains rights in raw non-Personal Equipment/Telemetry Data it provides or controls. Provider may create, use, and own Derived Data, provided Derived Data does not identify Customer or any individual and does not include Customer Confidential Information.

3. EU Data Act. 

To the extent the European Union Data Act applies, Customer shall be deemed the “user” of the connected products and related services for purposes of exercising statutory access and portability rights, unless otherwise specified in an applicable Order Form or Product Appendix. Provider shall support Customer’s legally required access to and portability of non-personal or mixed Equipment/Telemetry Data generated through Customer’s use of the Services using standard technical means appropriate to the relevant offering. This provision does not expand Provider’s obligations with respect to Personal Data, which remain governed exclusively by the body of this DPA.

4. No Re-Identification. 

Provider will not attempt to re-identify any individual from non-Personal Equipment/Telemetry Data or Derived Data and will maintain safeguards designed to prevent re-identification.

5. Retention.

Non-Personal Equipment/Telemetry Data will be retained in accordance with service requirements, regulatory obligations, and Provider’s standard operational retention schedules.

Acceptable Use Policies (AUP)

This Acceptable Use Policy (“AUP”) forms part of and is incorporated by reference into the Master SaaS Subscription Agreement (the “Agreement”) between the entity identified as “Provider” in the applicable Order Form (“Provider”) and the customer entity identified in the applicable Order Form (“Customer”).

This AUP may be made available or hosted on one or more Carrier or Carrier affiliated brand webpages or portals for convenience; however, the branding or hosting location does not determine the contracting parties. The “Provider” is solely the Provider entity identified in the applicable Order Form.

Capitalized terms used but not defined in this AUP have the meanings given in the Agreement or, where applicable, the Data Processing Agreement (the “DPA”).

1. Scope and Applicability

1.1. Applicability.

This AUP applies to all access to and use of the Services by Customer and its Authorized Users. The Services include the subscription-based software, cloud services, platforms, modules, features, and related offerings identified in the applicable Order Form(s) and any applicable Product Appendices, whether branded as Abound™, Lynx™, SensiWatch®, Automated Logic®, Nlyte®, or otherwise made available by Provider (each, a “Module” and collectively, the “Services”).

1.2. Conflicts.

Privacy, data protection, subprocessors, international data transfers, security incident notification, and technical and organizational measures (TOMs) are governed exclusively by the DPA. In the event of a conflict between this AUP and the DPA concerning processing of Personal Data, the DPA controls. In the event of a conflict between this AUP and the Agreement on matters other than Personal Data, the Agreement controls.

1.3. Responsibility for Users.

Customer is responsible for the acts and omissions of any person who accesses the Services under Customer’s accounts or on Customer’s behalf, including employees, contractors, agents, and service providers (collectively, “Authorized Users”).

2. Definitions

2.1. “AI Features” means features of the Services that use machine learning, statistical modeling, rules engines, or other artificial intelligence techniques to generate predictions, scores, classifications, recommendations, or natural-language outputs.

2.2. “Content” means any data, information, text, images, video, audio, software, or other materials submitted to, uploaded to, generated in, or transmitted through the Services by or on behalf of Customer, including Customer Data, Customer Inputs, and AI Outputs.

2.3. “Customer Inputs” means prompts, instructions, configurations, thresholds, labeled examples, training feedback, or other content Customer submits to any AI Features.

2.4. “External Inputs” means data originating from Customer’s systems, devices, controllers, sensors, refrigeration units, vehicles, facilities, gateways, third-party platforms, or networks (including cellular, satellite, and GPS) that the Services ingest, poll, or receive via APIs or protocols (e.g., SNMP, Modbus, BACnet).

3. General Prohibited Conduct.

Customer and its Authorized Users shall not, and shall not permit any third party to:

3.1. Use the Services in violation of applicable law, including export controls, sanctions, anti-corruption, competition, or privacy laws; or to support activities of restricted parties or in embargoed jurisdictions.

3.2. Access or attempt to access accounts, systems, or data without authorization; probe, scan, or test the vulnerability of any system or network; breach or circumvent any security or authentication measures; or intentionally introduce malware, ransomware, spyware, or other malicious code.

3.3. Interfere with or disrupt the integrity or performance of the Services or any third-party network (including cellular, satellite, GPS, or internet backbones), including via excessive API calls, traffic flooding, or resource exhaustion.

3.4. Misrepresent identity or affiliation; engage in fraud, deception, or other abusive practices; or use false headers or identifiers to conceal origin of requests or Content.

3.5. Upload, store, process, or transmit Content that is unlawful, defamatory, harassing, obscene, hateful, or infringes, misappropriates, or violates any intellectual property, privacy, or publicity rights.

3.6. Use or access the Services to build, train, or improve a substantially similar or competitive product or service, or publish product benchmarks or comparative tests without Provider’s prior written consent.

3.7. Sell, resell, sublicense, lease, or provide the Services to third parties (including operation as a service bureau or managed service) unless expressly permitted in the Agreement.

3.8. Share or reuse credentials except as expressly permitted; fail to maintain the confidentiality and security of credentials; or permit multiple individuals to use a single-named account.

3.9. Use messaging or notifications features to send spam, unlawful marketing, or other unsolicited communications; fail to provide legally required opt-outs and sender identification.

4. Data and Privacy Guardrails.

4.1. DPA Controls.

Personal Data processing, including roles (controller/processor), purpose limitation, TOMs, subprocessors, international transfers, audit rights, and return/deletion, is governed exclusively by the DPA.

4.2. Lawful Basis and Notices.

Customer will only submit Personal Data to the Services with a lawful basis and will provide required notices to data subjects. Customer is responsible for accuracy, minimization, and configuration of retention and geolocation settings in the Services.

4.3. Special Categories.

Customer will not submit special categories of personal data (including health, biometric, precise geolocation tied to an identifiable person, or children’s data) unless expressly permitted in a Product Appendix and the DPA with appropriate safeguards in place.

4.4. Third-Party Data Rights.

Customer is responsible for obtaining all rights, licenses, and consents necessary for any third-party data or External Inputs it contributes or connects to the Services.

5. API, Integration, and Data Handling Rules.

5.1. Documented APIs; Credentials.

Customer will use only documented APIs with issued credentials and will comply with usage limits, pagination, concurrency, and rate limiting. Automated scraping or crawling of user interfaces is prohibited.

5.2. No Unauthorized Collection.

Customer will not intercept, packet-capture, or otherwise collect data from other customers or from unauthorized endpoints; man-in-the-middle techniques and device “shims” are prohibited.

5.3. Third-Party Systems.

Customer is responsible for API keys, device credentials, and any licenses or fees for third-party systems and devices integrated with the Services. The AUP applies to those connections and integrations.

5.4. Caching and Storage.

Customer will not cache or store data contrary to documentation, retention guidance, or the DPA and will promptly remove data when access is revoked.

6. IoT/OT and Remote Command Safety

6.1. Site Safety.

Where Modules enable remote actions (e.g., BAS setpoints, reefer TRU start/stop or setpoint changes), Customer must maintain human-in-the-loop controls, role-based permissions, and rollback policies and will follow lock-out/tag-out (LOTO) and site safety practices.

6.2. Protective Limits.

Customer will not disable or bypass safety interlocks, alarms, or protective thresholds designed to prevent equipment harm or unsafe conditions.

6.3. Instrumentation.

Customer is responsible for sensor selection and placement, calibration, firmware updates, physical security of devices and gateways, and local network segmentation and firewall policies.

7. AI Feature Use (If Enabled)

7.1. Advisory Outputs.

AI predictions, scores, recommendations, summaries, and generative outputs (collectively, “AI Outputs”) are advisory and may be probabilistic or non-deterministic. Customer will validate AI Outputs appropriate to the use case and will not rely on AI Outputs as the sole basis for decisions producing legal or similarly significant effects about an individual without appropriate human review.

7.2. Prohibited AI Uses.

Customer will not: (a) attempt to remove, disable, or circumvent safety filters; (b) generate or disseminate unlawful, deceptive, or harmful content; (c) train or retrain competitive models using the Services or AI Outputs except as permitted by the Agreement; or (d) misrepresent AI Outputs as human-generated where such misrepresentation would violate law or rights of others.

7.3. Inputs and Outputs.

Customer is responsible for the legality of its Customer Inputs and its downstream use of AI Outputs, including compliance with sectoral obligations (e.g., GxP and SOPs for life sciences).

8. Service-Specific Provisions

8.1. Abound™ HVAC Performance and BAS Cloud.

These Modules are not a substitute for onsite mechanical/electrical safety procedures. Automated overrides must not violate OEM limits or site SOPs.

8.2. Lynx™ Fleet.

Customer will respect geofencing rules and road/port/carrier regulations and will not use geolocation to track individuals without a lawful basis and required notices. Remote reefer control must follow documented fleet policies and permissions.

8.3. Lynx™ Logix & Lynx™ Factor.

Risk predictions are probabilistic and not guarantees. Customer remains responsible for logistics decisions. Publication of model performance, benchmarks, or comparative evaluations requires Provider’s prior written consent.

8.4. SensiWatch®.

Excursion flags support compliance; Customer’s quality management system (QMS) governs final quality decisions and regulatory reporting. Customer will configure retention/approvals consistent with SOPs.

8.5. DCIM Module.

The DCIM Module is informational and not a real-time control system. Customer is responsible for change approvals and physical execution of work orders and must validate environmental/electrical readings with independent instrumentation where safety-critical.

9. Network and Connectivity; Fair Use

9.1. Third-Party Networks.

Cellular, satellite, GPS, and internet backbones are outside Provider’s control. Customer will not use the Services to overload or attack networks or to impair other users. Network availability, coverage, latency, and accuracy may vary by region and provider.

9.2. Fair Use.

Abusive usage patterns that materially degrade service for others are prohibited. Provider may apply rate limits, quotas, and traffic shaping to protect platform stability.

10. Security Responsibilities

10.1. Account Security.

Customer will implement strong passwords, SSO/MFA where available, least-privilege role-based access control (RBAC), and timely revocation of access for separated personnel. Customer is responsible for activities under its accounts.

10.2. Testing; Disclosure.

Security testing (including penetration tests) requires Provider’s prior written approval and must follow Provider’s coordinated vulnerability disclosure process. Customer will not conduct denial-of-service or resource-exhaustion testing.

11. Reporting Suspected Violations or Security Issues

Customer will promptly report any suspected violations of this AUP or security issues to Provider using the contact information specified in the applicable Order Form or otherwise designated by Provider. Such reports should include, to the extent reasonably available, applicable timestamps (UTC), affected Module(s), tenant identifier, and a description of the observed behavior.

12. Enforcement; Suspension; Termination

12.1. Investigation.

Provider may investigate any suspected violation of this AUP or the Agreement, including by reviewing Customer’s use of the Services and Content as permitted by the Agreement and applicable law.

12.2. Remedial Actions.

Provider may remove or disable access to Content; throttle requests; isolate environments; or suspend access to any Module where reasonably necessary to (a) protect the Services or third parties, (b) address a security, safety, or legal risk, or (c) comply with law or requests of governmental authorities.

12.3. Notice and Cure.

Where feasible and lawful, Provider will provide prior notice and an opportunity to cure before suspension. Provider may implement immediate suspension without prior notice if urgent action is required to address security, safety, or legal risks.

12.4. Repeat or Egregious Violations.

Provider may terminate the affected Order Form(s) or the Agreement for repeated or egregious violations, in accordance with the Agreement.

13. Law Enforcement and Government Requests

Provider may disclose basic subscriber information or Content to governmental authorities only as required by applicable law, regulation, legal process, or to protect life, safety, or property. Where legally permitted, Provider will provide notice to Customer prior to disclosure and will limit disclosure to the minimum necessary to comply with law.

14. Sanctions; Export; High-Risk Uses

Customer will not access or use the Services in violation of U.S. or other applicable export control or sanctions laws, or permit access by restricted parties or in embargoed jurisdictions. The Services are not designed for life support, emergency response, or other high-risk uses where failure could reasonably result in severe injury, environmental harm, or significant property damage without appropriate safeguards.

15. Modifications; Survival

15.1. Modifications.

Provider may update this AUP from time to time. Material changes will be notified at least thirty (30) days in advance and will not materially diminish Customer’s core contractual protections during a then-current Subscription Term.

15.2. Survival.

Sections 1.3 and 3 through 15 survive any termination or expiration of the Agreement to the extent necessary to enforce their terms.

16. Contact

Questions regarding this AUP should be directed to Provider at the contact information specified in the applicable Order Form.  

1. Purpose; Incorporation; Order of Precedence

1.1 International Supplement.

This International Supplement (the “Supplement”) forms part of and is incorporated into the Acceptable Use Policy (the “AUP”) that is incorporated by reference into the Master SaaS Subscription Agreement (the “Agreement”) between the entity identified as “Provider” in the applicable Order Form (“Provider”) and the customer entity identified in the applicable Order Form (“Customer”).

1.2 Applicability.

This Supplement applies to Customer’s and its Authorized Users’ access to or use of the Services outside the United States, or in any jurisdiction where local law imposes requirements addressed by this Supplement, regardless of where Customer is organized.

1.3 Order of Precedence.

Privacy, data protection, subprocessors, international data transfers, Security Incident notification, and technical and organizational measures are governed exclusively by the Data Processing Agreement (the “DPA”). In the event of a conflict between this Supplement (or the AUP) and the DPA with respect to Processing of Personal Data, the DPA controls. For all other conflicts, the Agreement controls.

1.4 No Separate AUP.

This Supplement supplements (and does not replace) the AUP’s general prohibited conduct, security responsibilities, enforcement, and other baseline requirements, which remain fully applicable worldwide.

2. Definitions.

2.1 “Applicable Local Laws” means laws and regulations applicable to Customer’s use of the Services in the relevant jurisdiction(s), including (where applicable) privacy/data protection, employment/labor, telecommunications, mapping/geolocation, content/platform governance, cybersecurity, sanctions/export, and consumer protection laws. Capitalized terms not defined in this Supplement have the meanings in the Agreement or the DPA.

3. Global/Regional Law Compliance (Customer Obligations).

3.1 Compliance with Applicable Local Laws.

Customer is responsible for ensuring that its configuration and use of the Services (including enabling features, collecting inputs, and using outputs) complies with Applicable Local Laws in each jurisdiction where Customer operates or uses the Services.

3.2 Lawful Basis; Notices; Minimization (Personal Data).

To the extent Customer submits or makes available Personal Data to the Services, Customer will ensure it has a lawful basis and provides required notices (and obtains consents where required), and will limit Personal Data to what is necessary for Customer’s instructed purposes, consistent with Customer responsibilities described in the DPA.

3.3 Prohibited Data; Special Categories; Children.

Customer will not submit or otherwise make available to the Services: (a) special categories of Personal Data or other prohibited data; or (b) Personal Data relating to children. The Services are not intended for use by or in connection with children, and Provider does not knowingly process children’s Personal Data.

4. Worker/Driver Monitoring; Works Councils; Geolocation

4.1 Worker/Driver Monitoring Requirements.

Where Customer uses the Services to monitor employees, contractors, or drivers (including through identifiers or geolocation), Customer will comply with Applicable Local Laws governing workplace monitoring, including (where applicable) consultation, notice, consent, works council approvals, union requirements, and restrictions on tracking and retention.

4.2 Geolocation Controls.

Customer is responsible for configuring geolocation, retention, and access controls in the Services in a manner consistent with Applicable Local Laws and Customer’s internal policies.

5. Telecommunications / Connectivity / Import-Use Rules (Outside U.S.)

5.1 Telecom and SIM/Device Rules.

Customer will comply with Applicable Local Laws relating to telecommunications connectivity, SIM registration, spectrum rules, import/use approvals, mapping/geofencing restrictions, and any local licensing obligations for devices, gateways, or connectivity components Customer deploys or connects to the Services.

6. International Data Transfers (DPA-Driven)

6.1 Transfers Governed by DPA.

Where the DPA applies, international transfers of Personal Data (including from the EEA, UK, or Switzerland) are governed exclusively by the DPA’s transfer mechanism provisions (including SCCs, the UK Addendum, and the Swiss Addendum, as applicable).

6.2 No Expansion.

Nothing in this Supplement expands Provider’s obligations regarding transfers beyond those set forth in the DPA.

7. Government / Regulatory Requests and Disclosures (Personal Data)

7.1 Compelled Disclosures Governed by DPA.

If Provider receives a legally binding request for Personal Data processed on Customer’s behalf, Provider’s obligations to assess, challenge/narrow, notify (where permitted), and minimize disclosure are governed by the DPA.

7.2 Customer Cooperation.

Customer will reasonably cooperate with Provider’s lawful efforts to respond to valid governmental requests consistent with the DPA and applicable law, including by providing information reasonably necessary to validate Customer’s relationship to the requested data.

8. Security Testing; Vulnerability Scanning; Regional Restrictions

8.1 No Security Testing Without Written Approval.

Customer will not conduct penetration testing, vulnerability scanning, or other security testing of the Services except as expressly permitted in writing by Provider in accordance with the Agreement and consistent with the DPA’s restrictions.

8.2 Local Law Compliance.

Where Customer is authorized to perform any security testing, Customer must comply with Applicable Local Laws that restrict unapproved scanning, encryption testing, or interference with networks/systems.

9. Security Incidents (Personal Data) – DPA Controls

9.1 Personal Data Security Incidents.

Security Incident notification timelines and content for incidents affecting Customer Personal Data are governed exclusively by the DPA (including the DPA’s notice timing and required contents).

9.2 Reporting to Provider.

Customer will promptly report suspected AUP violations or security issues using the contact information specified in the applicable Order Form or otherwise designated by Provider, and will include (to the extent reasonably available) timestamps (UTC), affected Module(s), tenant identifier, and a description of observed behavior, consistent with the AUP.

10. Content / Platform Governance; Notice-and-Takedown (Where Applicable)

10.1 Unlawful Content.

Customer will not use the Services to store, transmit, or disseminate unlawful content and will comply with Applicable Local Laws regarding illegal/harmful content restrictions, notice-and-takedown obligations, and cooperation with competent authorities, to the extent applicable to Customer’s use case.

11. Sanctions / Export / Restricted Parties (Multi-Jurisdictional)

11.1 Sanctions and Export Compliance.

Customer will not access or use the Services in violation of applicable export control or sanctions laws and will not provide access to restricted parties or in embargoed jurisdictions, consistent with the AUP baseline.

12. Language; Localization; Local Supplements

12.1 English Controls; Convenience Translations.

This Supplement and the AUP are drafted in English. Translations may be provided for convenience; in the event of a conflict, the English version controls unless prohibited by Applicable Local Laws.

12.2 Local Supplements.

Provider may publish jurisdiction-specific supplements addressing mandatory local requirements. Where a local supplement expressly applies, it will govern solely for the covered jurisdiction and only to the extent of any conflict with this Supplement.

13. Contact.

Questions regarding this Supplement should be directed to Provider using the contact information specified in the applicable Order Form or otherwise designated by Provider.

Acceptance & Incorporation

The WebCTRL Cloud Product Appendix, Service Levels, Data Processing Agreement (if applicable), and Acceptable Use Policies are incorporated by reference into the applicable Order Form and Master Subscription Agreement and any executed Order Form, accepted quote, subscription transaction, dealer or reseller agreement, or other written agreement or authorized transaction governing Customer’s access to the WebCTRL Cloud services.

Viewing this page does not constitute acceptance. Contractual acceptance occurs through an executed agreement or authorized subscription transaction with Carrier, Automated Logic Corporation, or an authorized dealer or field office.