Common use of Materials and Software Clause in Contracts

Materials and Software. Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third- Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. • With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Out of scope statement The following are not in scope for the Service: • any provision of any information that could identify specific Customer employees as having failed to identify any phishing activities; • any provision of services involving the collection of physical evidence, collection of evidence for admission in court including for criminal or civil litigation purposes, provision of evidence lockers, or ‘chain of custody’ collection of evidence; • any provision of expert testimony or litigation assistance or support services; • any provision of services involving retaliatory actions, hacking back or attribution that would breach Applicable Laws; • any implementation of suggested remediation activities unless agreed to by Vodafone and addressed under separate terms and conditions; • any installation of software, unless agreed by Vodafone and expressly consented to and authorized by Customer in writing, and which may require additional terms and conditions to be agreed; • any intentional interception of communications between Customer and a third-party, or between two or more third-parties, which is not authorized or directed by Customer as part of the Service. For the purposes of this paragraph, interception means intentionally modifying or interfering with Customer’s systems or the operation of such systems, or intentionally monitoring transmissions made by means of Customer’s system, such that some or all of the contents of the communications are made available to Vodafone while such contents are being transmitted. If unintentional interception does occur, Vodafone shall promptly after becoming aware inform Customer; • any provision of a regulated service. Vodafone is not licensed or certified in any country, state, or province as a public accountant, auditor, legal advisor, or private investigator, and is not being retained to provide any accounting services, accounting guidance, audit or internal control advisory services, tax or legal advice or investigatory services that would require a license; • any targeted investigation of any individuals. For the avoidance of doubt, Vodafone may in the course of providing the Service, identify the internet profile (IP address, geographic location, potential aliases/usernames) of potential threat actor(s) or individual(s) involved in a perceived security threat, but the Service does not include any targeted investigation into such individual(s); and any incident response services/activities. The services detailed in this SOW shall be provided remotely and constitute Vodafone’s complete scope of work and all other services (and the provision of services onsite) are out of scope.

Materials and Software. Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third- Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. • With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Out of scope statement The following are not in scope for the Service: • Review and analysis of data that is not Repository Data and data outside of the Environment. Vodafone will not make any provision of enquiries in relation to, and is not responsible for reporting on, any information that could identify specific Customer employees as having failed to identify any phishing activities; documents or matters other than the Repository Data. • any provision of services involving the collection of physical evidence, collection of evidence for admission in court including for criminal or civil litigation purposes, provision of evidence lockers, or ‘chain of custody’ collection of evidence; • any provision of expert Expert testimony or litigation assistance or support services; services • Provision of any provision of services involving retaliatory actions, hacking back or attribution that would breach Applicable Laws; • any implementation of suggested remediation activities unless agreed to by Vodafone and addressed under separate terms and conditions; • any installation of software, unless agreed by Vodafone and expressly consented to and authorized by Customer in writing, and which may require additional terms and conditions to be agreed; • any intentional interception of communications between Customer and a third-party, or between two or more third-parties, which is not authorized or directed by Customer as part of the Service. For the purposes of this paragraph, interception means intentionally modifying or interfering with Customer’s systems or the operation of such systems, or intentionally monitoring transmissions made by means of Customer’s system, such that some or all of the contents of the communications are made available to Vodafone while such contents are being transmitted. If unintentional interception does occur, Vodafone shall promptly after becoming aware inform Customer; • any provision of a regulated service. Vodafone is not licensed or certified in any country, state, or province as a public accountant, auditor, auditor or legal advisor, or private investigator, investigator and is not being retained to provide any accounting services, accounting guidance, audit or internal control advisory services, tax or legal advice or investigatory services that would require a license; . • any targeted investigation Data collection for Endpoints or networks not addressed by the deployed Scripts or Network Sensors. • Remediation activities and/or mitigation efforts resulting from the identification of a cyber risk or hygiene issue unless agreed under a separate contract with Vodafone. • Quality assurance or review of any individuals. For the avoidance implementation of doubt, mitigations or recommendations made by Vodafone may in the course of providing the Service. • Any intentional interception of communications between Customer and a third party or between two or more third parties that is not authorized or directed by Customer in the Service Order as part of Vodafone’s delivery of the Service. For the purposes of this paragraph, identify interception means modifying or interfering with the internet profile (IP addressEnvironment or its operation, geographic locationor monitoring transmissions made by means of the Environment, potential aliases/usernames) such that some or all of the contents of the communication are made available to Vodafone while being transmitted and as a direct result of Vodafone’s performance of the Service in line with the scope agreed in the Service Order. • Incident response and digital forensics services, including any response related to cyber risks or hygiene issues identified in the course of providing the Service. • Threat hunting services, including proactive search for the presence of potential threat actor(s) active breach or individual(s) involved in a perceived security threatcompromise(s), but malware infection(s), or general adversary activity inside the Service does not include any targeted investigation into such individual(s); and any incident response services/activities. Customer network or resident on Endpoints The services detailed in this SOW shall be provided remotely and constitute Vodafone’s complete scope of work and all work. All other services (and the provision of services onsite) are out of scopescope for the Service.

Materials and Software. Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third- Third-Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. • With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Expenses Where a physical presence at a Customer site is required for an Incident Response (“Onsite Response”) as agreed between Vodafone and the Customer as part of the triage call set out in the Service Methodology section above, Vodafone will seek to use local resources (resource already based in the Customer’s country) but where this is not possible then resource from another country will be deployed. An Onsite Response is subject to the Customer Authorised Personnel agreeing, in writing to Vodafone, to pay all travel and expenses incurred by Vodafone to support the Onsite Response (“Onsite Response Expenses”). Vodafone will maintain and provide evidence of all Onsite Response Expenses incurred and provide to Customer where requested. Should the total amount of the Onsite Response Expenses for any one Onsite Response exceed, or are likely to exceed, the equivalent of five thousand Euros (€5,000), Vodafone will seek pre-approval in writing from the Customer. Vodafone will invoice the Customer the total value of the Onsite Response Expenses in the month following the completion of the Onsite Response. Out of scope statement The following are not in scope for the Service: • any provision of any information that could identify specific Customer employees as having failed to identify any phishing activities; • any provision of services involving the collection of physical evidence, collection of evidence for admission in court including for criminal or civil litigation purposes, provision of evidence lockers, or ‘chain of custody’ collection of evidence; • any provision of expert testimony or litigation assistance or support services; • any provision of services involving retaliatory actions, hacking back or attribution that would breach Applicable Laws; • any implementation of suggested remediation activities unless agreed to by Vodafone and addressed under separate terms and conditions; • any installation of software, unless agreed by Vodafone and expressly consented to and authorized by Customer in writing, and which may require additional terms and conditions to be agreed; • any intentional interception of communications between Customer and a third-party, or between two or more third-parties, which is not authorized or directed by Customer as part of the Service. For the purposes of this paragraph, interception means intentionally modifying or interfering with Customer’s systems or the operation of such systems, or intentionally monitoring transmissions made by means of Customer’s system, such that some or all of the contents of the communications are made available to Vodafone while such contents are being transmitted. If unintentional interception does occur, Vodafone shall promptly after becoming aware inform Customer; • any provision of a regulated service. Vodafone is not licensed or certified in any country, state, or province as a public accountant, auditor, legal advisor, or private investigator, and is not being retained to provide any accounting services, accounting guidance, audit or internal control advisory services, tax or legal advice or investigatory services that would require a license; • any targeted investigation of any individualsforensic data collection from Customer employee-owned personal mobile phones, tablets or e- readers. For the avoidance of doubt, Vodafone may in the course of providing Customer-owned business mobile phones, tablets or e-readers will be included within the Service, identify the internet profile (IP address, geographic location, potential aliases/usernames) ; • any implementation of potential threat actor(s) or individual(s) involved a Remediation Plan and any post-implementation monitoring of Customer systems and networks. Any such services will be subject to a separate contract to be agreed in a perceived security threat, but the Service does not include any targeted investigation into such individual(s)writing between Vodafone and Customer; and • any incident response services/activitiesimprovement of any Customer tool. The Except for any required Onsite Responses, the services detailed in this SOW shall be provided remotely and constitute Vodafone’s complete scope of work and all work. All other services (and the provision of services onsite) are out of scope.

Materials and Software. Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third- Third-Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. • With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Expenses Where a physical presence at a Customer site is required for an Incident Response (“Onsite Response”) as agreed between Vodafone and the Customer as part of the triage call set out in the Service Methodology section above, Vodafone will seek to use local resources (resource already based in the Customer’s country) but where this is not possible then resource from another country will be deployed. An Onsite Response is subject to the Customer Authorised Personnel agreeing, in writing to Vodafone, to pay all travel and expenses incurred by Vodafone to support the Onsite Response (“Onsite Response Expenses”). Vodafone will maintain and provide evidence of all Onsite Response Expenses incurred and provide to Customer where requested. Should the total amount of the Onsite Response Expenses for any one Onsite Response exceed, or are likely to exceed, the equivalent of five thousand Euros (€5,000), Vodafone will seek pre-approval in writing from the Customer. Vodafone will invoice the Customer the total value of the Onsite Response Expenses in the month following the completion of the Onsite Response. Out of scope statement The following are not in scope for the Service: • any provision of any information that could identify specific Customer employees as having failed to identify any phishing activities; • any provision of services involving the collection of physical evidence, collection of evidence for admission in court including for criminal or civil litigation purposes, provision of evidence lockers, or ‘chain of custody’ collection of evidence; • any provision of expert testimony or litigation assistance or support services; • any provision of services involving retaliatory actions, hacking back or attribution that would breach Applicable Laws; • any implementation of suggested remediation activities unless agreed to by Vodafone and addressed under separate terms and conditions; • any installation of software, unless agreed by Vodafone and expressly consented to and authorized by Customer in writing, and which may require additional terms and conditions to be agreed; • any intentional interception of communications between Customer and a third-party, or between two or more third-parties, which is not authorized or directed by Customer as part of the Service. For the purposes of this paragraph, interception means intentionally modifying or interfering with Customer’s systems or the operation of such systems, or intentionally monitoring transmissions made by means of Customer’s system, such that some or all of the contents of the communications are made available to Vodafone while such contents are being transmitted. If unintentional interception does occur, Vodafone shall promptly after becoming aware inform Customer; • any provision of a regulated service. Vodafone is not licensed or certified in any country, state, or province as a public accountant, auditor, legal advisor, or private investigator, and is not being retained to provide any accounting services, accounting guidance, audit or internal control advisory services, tax or legal advice or investigatory services that would require a license; • any targeted investigation of any individualsforensic data collection from Customer employee-owned personal mobile phones, tablets or e- readers. For the avoidance of doubt, Vodafone may in the course of providing Customer-owned business mobile phones, tablets or e-readers will be included within the Service, identify the internet profile (IP address, geographic location, potential aliases/usernames) ; • any implementation of potential threat actor(s) or individual(s) involved a Remediation Plan and any post-implementation monitoring of Customer systems and networks. Any such services will be subject to a separate contract to be agreed in a perceived security threat, but the Service does not include any targeted investigation into such individual(s)writing between Vodafone and Customer; and • any incident response services/activitiesimprovement of any Customer tool. The Except for any required Onsite Responses, the services detailed in this SOW shall be provided remotely and constitute Vodafone’s complete scope of work and all work. All other services (and the provision of services onsite) are out of scope. Data Protection 1. Where Vodafone processes Personal Data, the relevant section of the clause headed “Data” of the Professional Services General Terms shall apply. 2. Vodafone shall only act as Data Processor in respect of any Personal Data processed on behalf of Customer for the performance of the following deliverables: 1. Deliverable 1: Periodic Status Report; 2. Deliverable 2: Remediation Plan; 3. Deliverable 3: Incident Response Report; and 4. Deliverable 4: Explanatory Presentation (the “Processor Services”). Where Customer shares Personal Data with Vodafone for the Processor Services, the Customer warrants and undertakes that it has complied with all necessary obligations imposed on it under Applicable Law including ensuring that it has either (i) obtained all necessary consents to transfer the Personal Data to Vodafone; or (ii) secured another lawful basis, in accordance with Applicable Privacy Law, to share such Personal Data with Vodafone for the processing envisaged by this Agreement and has provided appropriate privacy notices to the relevant data subjects (as required by Applicable Privacy Law) to enable it to share the Personal Data with Vodafone for the purposes envisaged by this Agreement. Payment Card Industry Vodafone does not warrant that the Service will be payment card industry (“PCI”) requirements Compliant or that the Service will enable Customer to be compliant with Applicable Privacy Law.

Materials and Software. Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third- Third-Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. • With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Out of scope statement The following are not in scope for the Service: • any provision Penetration Testing of applications; • any assessment of any information systems outside of Customer’s networks (with the exception of any such system that could identify specific is: (i) within Customer employees as having failed facilities; and (ii) managed directly by Customer; and (iii) communicated with by Customer-owned assets; is considered in- scope for the purposes of the Penetration Testing Services). Vodafone and Customer further agree that any interaction with Customer’s third-party cloud services providers will be done in a manner consistent with the Customer’s normal interaction with those third-parties; • any remediation of identified vulnerabilities or other security issues; • any review and analysis of any data or equipment: (i) belonging to identify any phishing activitiesan individual outside of their employment with the Customer, without appropriate consent; or (ii) belonging to a third-party where Customer does not have control, custody and/or authorization to possess such data or equipment, or all necessary consents/authorization for Vodafone to access such data or equipment in order to perform the Service set out in this SoW; • any provision of services involving the collection of physical evidence, collection of evidence for admission in court including for criminal or civil litigation purposes, provision of evidence lockers, or ‘chain of custody’ collection of evidence; • any provision of expert testimony or litigation assistance or support services; • any provision of services involving retaliatory actions, hacking back or attribution that would breach Applicable Laws; • any implementation of suggested remediation activities unless agreed to by Vodafone and addressed under separate terms and conditionsapplicable laws; • any installation of software, unless agreed by Vodafone and expressly consented to and authorized by Customer and Vodafone in writing, and which may require additional terms and conditions to be agreed; • any intentional interception of communications between Customer and a third-third- party, or between two or more third-parties, which is not authorized or directed by Customer as part of the Service. For the purposes of this paragraph, interception means intentionally modifying or interfering with Customer’s systems or the operation of such systems, or intentionally monitoring transmissions made by means of Customer’s system, such that some or all of the contents of the communications are made available to Vodafone while such contents are being transmitted. If unintentional interception does occur, Vodafone shall promptly after becoming aware inform Customer; • any provision of a regulated service. Vodafone is not licensed or certified in any country, state, or province as a public accountant, auditor, legal advisor, or private investigator, and is not being retained to provide any accounting services, accounting guidance, audit or internal control advisory services, tax or legal advice or investigatory services that would require a license; • any targeted investigation of any individuals. For the avoidance purposes of doubtclarity, Vodafone may in the course of providing the Service, identify the internet profile (IP address, geographic location, potential aliases/usernames) of potential threat actor(s) or individual(s) involved in a perceived security threat, but the Service does not include any targeted investigation into such individual(s); and • any incident response services/activities; and • at no point will Vodafone perform deliberate denial of service testing or excessive brute force attacks. The services detailed in this SOW shall be provided remotely and constitute Vodafone’s complete scope of work and all other services (and the provision of services onsite) are out of scope.