Agreement for Purchase of On Premise Software and Related Services

The following is applicable to You, with respect to the purchase of on-premise software and related services:

These Terms of Sale (“Terms”) represent the agreement (“Agreement”) that governs the purchase of on-premise software and related services (together, the “EntIT Goods”) from EntIT Software LLC (“EntIT” or “Our” or “We”) by the customer who completes the purchase order (“You” and “Customer”). Unless You have another valid agreement applicable to Your purchase and/or EntIT specifies different or additional terms applicable to Your purchase, these Terms will govern Your purchase in its entirety.

READ THESE TERMS CAREFULLY.

BY INDICATING YOUR CONSENT TO AGREE TO THESE TERMS, YOU ARE BOUND TO THESE TERMS WITH RESPECT TO YOUR PURCHASE. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS, AND WE DELIVER THE EntIT GOODS, DO NOT USE, DOWNLOAD, INSTALL, COPY, OR ACCESS THE EntIT GOODS, AND PROMPTLY RETURN THE PRODUCT WITH PROOF OF PURCHASE AND OBTAIN A REFUND OF THE AMOUNT YOU PAID, IF ANY. IF YOU DOWNLOADED ANY SOFTWARE, CONTACT THE PARTY FROM WHOM YOU ACQUIRED IT.

1. Orders. “Order” means the accepted order including any supporting material which the parties identify as incorporated either by attachment or reference (“Supporting Material”). Available to Customer in hard copy or by accessing a designated EntIT website, examples of Supporting Material include: product lists, hardware or software specifications, standard or negotiated service descriptions, data sheets and their supplements, and statements of work (SOWs), published warranties and service level agreements.
2. Order Arrangements. Customer may place orders with EntIT through our website. Where appropriate, orders must specify a delivery date. If Customer extends the delivery date of an existing Order beyond ninety (90) days, then it will be considered a new order.
3. Prices and Taxes. Prices will be as quoted as set out on our website at the time an order is submitted to EntIT. Prices are exclusive of taxes, duties, and fees (including installation, shipping, and handling) unless otherwise quoted.
4. Invoices and Payment. Customer agrees to pay all invoiced amounts upon time of purchase. EntIT may suspend or cancel performance of open Orders for services if Customer fails to make payments when due.
5. Delivery. EntIT will use all commercially reasonable efforts to deliver products in a timely manner. EntIT may elect to deliver software and related product/license information by electronic transmission or via download.
6. Support Services. EntIT’s support services will be described in the applicable Supporting Material, which will cover the description of EntIT’s offering, eligibility requirements, service limitations and Customer responsibilities, as well as the Customer systems supported.
7. Eligibility. EntIT’s service, support and warranty commitments do not cover claims resulting from:

   a) Improper use, site preparation, or site or environmental conditions or other non-compliance with applicable Supporting Material;

   b) Modifications or improper system maintenance or calibration not performed by EntIT or authorized by EntIT;

   c) Failure or functional limitations of any non-EntIT software or product impacting systems receiving EntIT support or service;

   d) Malware (e.g. virus, worm, etc.) not introduced by EntIT; or

   e) Abuse, negligence, accident, fire or water damage, electrical disturbances, transportation by Customer, or other causes beyond EntIT’s control.

8. Dependencies. EntIT’s ability to deliver services will depend on Customer’s reasonable and timely cooperation and the accuracy and completeness of any information from Customer needed to deliver the services.
9. Product Performance. All EntIT-branded hardware products are covered by EntIT’s limited warranty statements that are provided with the products or otherwise made available. Non-EntIT branded products receive warranty coverage as provided by the relevant third party supplier.
10. Software Performance. EntIT warrants that its branded software products will conform materially to their specifications and be free of malware at the time of delivery. EntIT warranties for software products will begin on the date of delivery and unless otherwise specified in Supporting Material, will last for ninety (90) days. EntIT does not warrant that the operation of software products will be uninterrupted or error-free or that software products will operate in hardware and software combinations other than as authorized by EntIT in Supporting Material.
11. Services Performance. Services are performed using generally recognized commercial practices and standards. Customer agrees to provide prompt notice of any such service concerns and EntIT will re-perform any service that fails to meet this standard.
12. Product Warranty Claims. When We receive a valid warranty claim for an EntIT software product, EntIT will either repair the relevant defect or replace the product. If EntIT is unable to complete the repair or replace the product within a reasonable time, Customer will be entitled to a full refund upon the prompt written confirmation by Customer that the relevant software product has been destroyed or permanently disabled.
13. Remedies. This Agreement states all remedies for warranty claims. To the extent permitted by law, EntIT disclaims all other warranties.
14. Intellectual Property Rights. No transfer of ownership of any intellectual property will occur under this Agreement. Customer grants EntIT a non-exclusive, worldwide, royalty-free right and license to any intellectual property that is necessary for EntIT and its designees to perform the ordered services.
15. Intellectual Property Rights Infringement. EntIT will defend and/or settle any claims against Customer that allege that an EntIT-branded product or service as supplied under this Agreement infringes the intellectual property rights of a third party. EntIT will rely on Customer’s prompt notification of the claim and cooperation with our defense. EntIT may modify the product or service so as to be non-infringing and materially equivalent, or We may procure a license. If these options are not available, We will refund to Customer the amount paid for the affected product in the first year or the depreciated value thereafter or, for support services, the balance of any pre-paid amount. EntIT is not responsible for claims resulting from any unauthorized use of the products or services.
16. License Grant. EntIT grants Customer a non-exclusive license to use the version or release of the EntIT-branded software listed in the Order. Permitted use is for internal purposes only (and not for further commercialization), and is subject to any specific software licensing information that is in the software product or its Supporting Material. For non-EntIT branded software, the third party’s license terms will govern its use.
17. Updates. Customer may order new software versions, releases or maintenance updates (“Updates”), if available, separately or through an EntIT software support agreement. Additional licenses or fees may apply for these Updates or for the use of the software in an upgraded environment. Updates are subject to the license terms in effect at the time that EntIT makes them available to Customer.
18. License Restrictions. EntIT may monitor use/license restrictions remotely and, if EntIT makes a license management program available, Customer agrees to install and use it within a reasonable period of time. Customer may make a copy or adaptation of a licensed software product only for archival purposes or when it is an essential step in the authorized use of the software. Customer may use this archival copy without paying an additional license only when the primary system is inoperable. Customer may not copy licensed software onto or otherwise use or make it available on any public external distributed network. Licenses that allow use over Customer’s intranet require restricted access by authorized users only. Customer will also not modify, reverse engineer, disassemble decrypt, decompile or make derivative works of any software licensed to Customer under this Agreement unless permitted by statute, in which case Customer will provide EntIT with reasonably detailed information about those activities.
19. License Term and Termination. Unless otherwise specified, any license granted is perpetual, provided however that if Customer fails to comply with the terms of this Agreement, EntIT may terminate the license upon written notice. Immediately upon termination, or in the case of a limited-term license, upon expiration, Customer will either destroy all copies of the software or return them to EntIT, except that Customer may retain one copy for archival purposes only.
20. License Transfer. Customer may not sublicense, assign, transfer, rent or lease the software or software license except as permitted by EntIT. EntIT-branded software licenses are generally transferable subject to EntIT’s prior written authorization and payment to EntIT of any applicable fees. Upon such transfer, Customer’s rights shall terminate and Customer shall transfer all copies of the software to the transferee. Transferee must agree in writing to be bound by the applicable software license terms. Customer may transfer firmware only upon transfer of associated hardware.
21. License Compliance. EntIT may audit Customer compliance with the software license terms. Upon reasonable notice, EntIT may conduct an audit during normal business hours (with the auditor’s costs being at EntIT’s expense). If an audit reveals underpayments then Customer will pay to EntIT such underpayments. If underpayments discovered exceed five (5) percent of the contract price, Customer will reimburse EntIT for the auditor costs.
22. Personal Information. Each party shall comply with their respective obligations under applicable data protection legislation. EntIT does not intend to have access to personally identifiable information (“PII”) of Customer in providing services. To the extent EntIT has access to Customer PII stored on a system or device of Customer, such access will likely be incidental and Customer will remain the data controller of Customer PII at all times. EntIT will use any PII to which it has access strictly for purposes of delivering the services ordered.
23. US Federal Government Use. If software is licensed to Customer for use in the performance of a US Government prime contract or subcontract, Customer agrees that consistent with FAR 12.211 and 12.212, commercial computer software, documentation and technical data for commercial items are licensed under EntIT’s standard commercial license.
24. Global Trade compliance. Products and services provided under these terms are for Customer’s internal use and not for further commercialization. If Customer exports, imports or otherwise transfers products and/or deliverables provided under these terms, Customer will be responsible for complying with applicable laws and regulations and for obtaining any required export or import authorizations. EntIT may suspend its performance under this Agreement to the extent required by laws applicable to either party.
25. Limitation of Liability. EntIT’s liability to Customer under this Agreement is limited to the greater of $1,000,000 or the amount payable by Customer to EntIT for the relevant Order. Neither Customer nor EntIT will be liable for lost revenues or profits, downtime costs, loss or damage to data or indirect, special or consequential costs or damages. This provision does not limit either party’s liability for: unauthorized use of intellectual property, death or bodily injury caused by their negligence; acts of fraud; willful repudiation of the Agreement; nor any liability which may not be excluded or limited by applicable law.
26. Force Majeure. Neither party will be liable for performance delays nor for non-performance due to causes beyond its reasonable control, except for payment obligations.
27. Termination. Either party may terminate this Agreement on written notice if the other fails to meet any material obligation and fails to remedy the breach within a reasonable period after being notified in writing of the details. If either party becomes insolvent, unable to pay debts when due, files for or is subject to bankruptcy or receivership or asset assignment, the other party may terminate this Agreement and cancel any unfulfilled obligations. Any terms in the Agreement which by their nature extend beyond termination or expiration of the Agreement will remain in effect until fulfilled and will apply to both parties' respective successors and permitted assigns.
28. General. This Agreement represents our entire understanding with respect to its subject matter and supersedes any previous communication or agreements that may exist. Modifications to the Agreement will be made only through a written amendment signed by both parties. The Agreement will be governed by the State of California, excluding rules as to choice and conflict of law, however, EntIT or its Affiliate may, bring suit for payment in the country where the Customer Affiliate that placed the Order is located. Customer and EntIT agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply.
29. Australian Consumers. If you acquired the software as a consumer within the meaning of the 'Australian Consumer Law' under the Australian Competition and Consumer Act 2010 (Cth) then despite any other provision of this Agreement, the terms at this URL apply: https://software.microfocus.com/about/software-licensing

European Union. The offerings of this website are not available to consumers in the EU. With respect to EU customers, the terms and conditions within this European Union section apply:

Germany.

Personal Information. Customer and EntIT shall comply with their respective obligations under applicable data protection legislation as a controller and processor, respectively. Customer shall remain the controller of Customer Personal Data (as defined in the Exhibit) at all times. Exhibit “Data Protection Regulations” forms part of this Agreement and takes precedence over any conflicting terms herein or in any Supporting Material.

Security. Information about security controls are provided at the microfocus.com website or can be otherwise provided at Customer’s request.

EXHIBIT - DATA PROTECTION REGULATIONS GERMANY (Version January 1, 2013)

To the extent EntIT has access to Customer´s personal data for performing Software-as-a-Service (“SaaS”) or Software Support (either hereinafter referenced as “Services”) the Parties agree to apply the terms described in subsection 1.1. EntIT shall apply those technical and organizational measures required by the exhibit to § 9 BDSG as set out in subsection 1.2 below.

1.1. Provisions pursuant to Sections 9, 11 of the German Federal Data Protection Act (BDSG):

Underlying Contract. The terms of the agreement on commissioned data processing are based upon the Services contract concluded between the Parties, including the appendixes describing the services (data sheets) (the “Contract”). On the basis of the aforementioned Contract, EntIT will process the Customer's personal data. The Contract defines the scope, nature, and purpose of the collection, processing and/or use of personal data by EntIT, the type of personal data to be processed and the persons affected by the handling of personal data. The Customer may also provide additional written instructions. The duration of the commissioned data processing will be governed by the Contract.

Correcting, blocking, and deleting data. EntIT may only correct, delete or block data processed within the scope of the Contract in accordance with the instructions provided by the Customer. If a person asks EntIT for information about his/her data or requests that EntIT correct or delete his/her data, EntIT shall immediately forward the request to the Customer.

Obligations of EntIT. To ensure proper processing of personal data, EntIT will only use personnel who have entered into confidentiality agreements pursuant to Section 5 of the BDSG. If the security measures implemented by EntIT do not satisfy the requirements of the Customer, the Customer will notify EntIT immediately. Any errors or irregularities that are identified by the Customer when checking the results, and brought to EntIT's attention, will be immediately rectified by EntIT. EntIT will process personal data and other operating data belonging to the customer only in accordance with the instructions provided by the Customer. EntIT will not use the data transmitted for data processing for any other purpose, nor will EntIT retain this data for any longer than required by the Customer, save to the extent required by legal retention periods. Copies or duplicates must not be created without informing the Customer. If EntIT believes that an instruction from the Customer violates data protection legislation, EntIT must notify the Customer. This duty to notify will not include a comprehensive legal review. Subcontracts may only be awarded to subcontractors following written consent by the Customer. A Customer's consent may only be withheld if the Customer has a material reason for doing so. The Customer's consent will be deemed to have been given with respect to subcontractors named by EntIT prior to the conclusion of the Contract or which are regularly used by EntIT to provide standardized services. If a subcontractor is a company within EntIT's corporate group and is based in the European Union (EU) or the European Economic Area (EEA) or a safe third country, a subcontract may be awarded to the subcontractor without the prior written consent of the Customer. Irrespective of this, EntIT will always be obliged to exercise due caution when choosing subcontractors and to inform the Customer accordingly. Furthermore, EntIT must ensure that the data processing provisions agreed with the Customer also apply to all subcontracts awarded to subcontractors. If a subcontractor is operating outside the European Union (EU) or European Economic Area (EEA), an adequate level of data protection must be established pursuant to Sections 4b and 4c of the BDSG. To this end, the Customer hereby authorizes EntIT to execute a controller to processor EU Model Contract (C (2010) 593) on its behalf to cover the transfer of any Customer personal data which originates from the EEA to any EntIT Affiliate supporting the Services and being located in a country which does not have a finding of adequacy pursuant to Article 25(6) of Directive 95.46/EC (the “Model Contract”).

EntIT will immediately inform the Customer of any incidents that must be reported pursuant to Section 42a of the BDSG, any serious operational malfunctions, and any suspected privacy violations or other irregularities that arise while processing the Customer's data. EntIT has appointed a competent and reliable data protection officer pursuant to Section 4f of the BDSG.

Control rights of the Customer. The Customer or a representative appointed by the Customer has a right of control with regard to proper processing of personal data and other operational data processed on behalf of the Customer. The rights of control will be exercised in consultation with EntIT. EntIT is obliged to assist the Customer in such controls and any controls of the competent authorities. These controls must be carried out in consideration of the business processes and EntIT's need for security and confidentiality. The control of standardized services will be performed by controlling the test documents professionally created and submitted by EntIT. EntIT is also obliged to apply the control rights of the Customer to the subcontractors of EntIT tasked with processing the Customer's data.

Deletion of data and return of data carriers. After completion of the contractual work or earlier if requested by the Customer - at the latest upon termination of the Contract - EntIT must return to the Customer all documents, processing results, usage results, and data sets that relate to the contractual relationship, or to destroy them in a manner compatible with data protection legislation following prior approval by the Customer. The same will apply to test material and rejected material. The manner in which data is deleted must be demonstrated upon request. EntIT must retain any documentation serving as proof of commissioned data processing and proper data processing beyond the end of the Contract in accordance with the respective retention periods. To ease the burden on EntIT, EntIT can choose to hand over such documentation when the Contract terminates.

1.2 Technical and Organizational Measures pursuant to Section 9 of the German Federal Data Protection Act (BDSG) and the Annex to this Act:

Overview of EntIT Technical and Organizational Measures

EntIT has defined its information security policy in order to make sure the appropriate controls are in place.

I. PHYSICAL ACCESS CONTROLS

The EntIT Physical Security Policy includes the following controls for working areas and data centers:

The perimeter physical security including, but not limited to, access control, health and safety regulations, protection against the damage of external and environmental threats (fire, flood, etc).

The physical access control is handled through the use of digital IDs, CCTV, finger prints, and more.

Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises are controlled.

Appropriate controls are taken to avoid theft or loss of company or personal equipment.

Equipment is protected from power failures and other disruptions caused by failures in supporting utilities using different method like generators, UPSs, and alternate power supplies in a way that minimize the effect of power failures.

Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.

Classified information relies on paper or media is disposed in a secure manner.

All visitors are required to provide government issued ID, their visits are logged and they are escorted at all times and required to wear clearly identifiable visitor credentials

Monitor all entry/exit points

Locked cabinets and cage areas

Alarm systems monitored 24x7x365

High sensitivity fire/smoke detection systems are implemented

UPS and backup power generators

At least two independent power supplies into the building.

Robust external network connectivity infrastructure

Physical locks required on portable computers within secured work areas

II. ACCESS CONTROLS / ACCESS LIMITATION CONTROLS

Users are required to request access through either automated or manual methods.

All grants to access require documentation indicating the grant of access.

Access to the Security team’s SharePoint site must be approved by an administrator on the SaaS Security team and logged.

All access requests related to EntIT tools must be documented and stored in a central repository.

Utility programs capable of overriding system, object, network, virtual machine and application controls shall be restricted based on a pre-defined credential set.

Access to systems with shared network infrastructure must be restricted to authorized personnel. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.

EntIT policies and procedures for employees are intended to ensure that:

Prior to employment, the employees’ background is appropriately obtained

The employees understand and aware of the terms of their employment

The information security guidelines are clearly briefed to the employees

An information security awareness program exists and implemented

A formal disciplinary process for handling security breaches is established

Employment termination or role change is conducted in a controlled and secured manner

III. INPUT CONTROLS

Access to log information must be restricted based on user roles and the principles of “need-to-know” and the usage of shared accounts is prohibited.The audit policies are reviewed annually to determine if there is a requirement to enhance audit information.

IV. JOB CONTROLS

Access to materials and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.

VI. AVAILABILITY CONTROLS

EntIT has developed a business continuity management process which includes:

A plan framework for improving EntIT’s resilience against the disruption of its ability to provide an expected service level to its customers

A rehearsed method of restoring the ability to supply key products and services upon a disaster

VII. DATA SEPARATION

Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Access for making changes to production environments is closed to developers except in special circumstances. In those cases, developer access is granted temporarily and for specific tasks, monitored, and closed when the access is no longer needed.

Spain.

Personal Information. Customer and EntIT shall comply with their respective obligations under applicable data protection legislation as a controller and processor, respectively. Customer shall remain the controller of Customer Personal Data (as defined in the Exhibit) at all times. Exhibit “Data Protection Regulations” forms part of this Agreement and takes precedence over any conflicting terms herein or in any Supporting Material.

Security. Information about EntIT’s security controls are provided at the microfocus.com website or can be otherwise provided at Customer’s request.

EXHIBIT - DATA PROTECTION REGULATIONS FOR SPAIN

Definitions

(i) The terms “controller”, “data subject”, “processor”, “process, “processed” or “processing” and “personal data” used in this Addendum shall be as defined in the Spanish legislation (Law 15/1999, 13th December, of Personal Data Protection and the Royal Decree 1720/2007 of 21st December).

(ii) “Customer Personal Data” means personal data of which Customer or its affiliates is the controller and which EntIT processes in the course of providing SaaS or software support (either hereinafter called “Services”).

Data Processing

To the extent EntIT has access to Customer Personal Data for performing Services, in accordance with article 12 of the Law 15/1999, 13th December, of Personal Data Protection (“Ley Orgánica de Protección de Datos de Carácter Personal”), and the Royal Decree 1720/2007 of 21st December (“Real Decreto 1720/2007 de 21 de Diciembre por el que se aprueba el Reglamento de Desarrollo de la Ley Orgánica 15/1999”):

EntIT shall process such data only in accordance with the instructions of the Customer and solely for the purposes set forth in this Agreement.

EntIT shall not communicate the above referred data to any third party even for their preservation and shall destroy or return to the Customer, at customer choice, any personal data in his possession upon termination of this agreement.

EntIT shall maintain the secret and confidentiality of the personal data.

Customer hereby appoints EntIT as a processor of Customer Personal Data. Customer and EntIT shall comply with all data protection laws to which they are subject, as a controller and processor respectively, and which are applicable to their information security, privacy and data protection obligations in connection with Customer Personal Data.

EntIT shall only process Customer Personal Data as required to provide Services and in accordance with the Customer’s written instructions (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Customer to EntIT under this Agreement) and to the extent that such instructions are not compatible with EntIT’s obligations under this Agreement they shall be implemented as agreed by the parties. Unless otherwise agreed, EntIT shall implement the security measures required in the section 1ª, Chapter III, Title VIII of the above mentioned Royal Decree.

EntIT has implemented the EntIT technical and organisational measures to protect Customer Personal Data against accidental, unauthorised or unlawful processing, destruction, loss, damage or disclosure, details of which are provided at the microfocus.com website or can otherwise be provided on Customer’s request. These include:

Physical access controls

Access Controls

Access Limitation Controls

Input Controls

Job Controls

Availability Controls

Data Separation

EntIT will ensure that all employees involved in the processing of Customer Personal Data are authorized personnel with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection of personal data.

Where the Supporting Material identifies categories of Customer Personal Data or other Customer-provided data that are to be returned to Customer upon termination, EntIT will supply such data to Customer in the agreed format and will delete from EntIT’s own systems any remaining copies of such Customer Personal Data or other data, unless legislation applicable to it prevents it from doing so.

EntIT will within five (5) business days of receipt, refer to Customer any queries from data subjects in connection with Customer Personal Data, for Customer to deal with.

EntIT will on written request of Customer promptly amend or delete any Customer Personal Data to the extent that Customer is not able to amend or delete the data itself.

Customer Personal Data will be transferred to EntIT’s parent company, Hewlett Packard Company in the United States of America, and onward to other affiliate and third party subcontractors located outside the EEA and Switzerland who support the Services, a list of which is available upon request.

If and to the extent EntIT is acting as a data processor or sub-processor with respect to Customer Personal Data pertaining to residents of the European Economic Area or Switzerland ("EEA+ Data Subjects"), the EU Standard Contractual Clauses (Processors) (short: “Model Contract”) shall apply and supersede any conflicting terms of this Exhibit to the extent EEA+ Data Subjects are concerned. Between EntIT and the Customer, this Exhibit shall prevail in case of any conflicts or inconsistencies with the Model Contract. Any losses suffered by data exporter or data importer (both as defined in the Model Contract) shall be treated as if they had been suffered by Customer or EntIT respectively and shall in all cases be recovered by Customer or EntIT subject to any limits on that party’s liability contained in this Agreement in section “limitation of liability”. Nothing in that section “limitation of liability “ shall limit the liability of either party in relation to a claim by a data subject under a Model Contract.

When EntIT obtains formal approval for binding corporate rules for processors (BCR-P), the parties may agree to rely on the BCR-P for transfers of Customer Personal Data. The relevant information and additional contract terms will be provided to Customer on request.

EntIT will ensure that any affiliate or third party subcontractor involved in processing Customer Personal Data enters into a written agreement with EntIT (which may be an inter-company agreement in the case of affiliates), which includes obligations substantially similar to those contained in this Addendum and appropriate to the nature of the processing involved.

Switzerland or other EEA countries not listed above.

Personal Information. Customer and EntIT shall comply with their respective obligations under applicable data protection legislation as a controller and processor, respectively. Customer shall remain the controller of Customer Personal Data (as defined in the Exhibit) at all times. Exhibit “SaaS Data Protection Regulations” forms part of this Agreement and takes precedence over any conflicting terms herein or in any Supporting Material.

Security. Information about SaaS’ security controls are provided at the microfocus.com website or can be otherwise provided at Customer’s request.

EXHIBIT - DATA PROTECTION REGULATIONS

Definitions

(i) The terms “controller”, “data subject”, “processor”, “process, “processed” or “processing” and “personal data” used in this Addendum shall be as defined in European Directive 95/46/EC.

(ii) “Customer Personal Data” means personal data of which Customer or its affiliates is the controller and which EntIT processes in the course of providing SaaS or software support (each hereinafter called “Services”).

Data Processing

Customer hereby appoints EntIT as a processor of Customer Personal Data. Customer and EntIT shall comply with all data protection laws to which they are subject, as a controller and processor respectively, and which are applicable to their information security, privacy and data protection obligations in connection with Customer Personal Data.

EntIT shall only process Customer Personal Data as required to provide Services and in accordance with the Customer’s written instructions (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Customer to EntIT under this Agreement) and to the extent that such instructions are not compatible with EntIT’s obligations under this Agreement they shall be implemented as agreed by the parties.

EntIT has implemented the EntIT technical and organisational measures to protect Customer Personal Data against accidental, unauthorised or unlawful processing, destruction, loss, damage or disclosure, details of which are provided at the microfocus.com website or can otherwise be provided on Customer’s request. These include:

Physical access controls

Access Controls

Access Limitation Controls

Input Controls

Job Controls

Availability Controls

Data Separation

EntIT will ensure that all employees involved in the processing of Customer Personal Data are authorized personnel with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection of personal data.

Where the Supporting Material identifies categories of Customer Personal Data or other Customer-provided data that are to be returned to Customer upon termination, EntIT will supply such data to Customer in the agreed format and will delete from EntIT’s own systems any remaining copies of such Customer Personal Data or other data, unless legislation applicable to it prevents it from doing so.

EntIT will within five (5) business days of receipt, refer to Customer any queries from data subjects in connection with Customer Personal Data, for Customer to deal with.

EntIT will on written request of Customer promptly amend or delete any Customer Personal Data to the extent that Customer is not able to amend or delete the data itself.

Customer Personal Data will be transferred to EntIT’s parent company, Hewlett Packard Company in the United States of America, and onward to other affiliate and third party subcontractors located outside the EEA and Switzerland who support SaaS, a list of which is available upon request.

If and to the extent EntIT is acting as a data processor or sub-processor with respect to Customer Personal Data pertaining to residents of the European Economic Area or Switzerland ("EEA+ Data Subjects"), the EU Standard Contractual Clauses (Processors) (short: “Model Contract”) shall apply and supersede any conflicting terms of this Exhibit to the extent EEA+ Data Subjects are concerned. Between EntIT and the Customer, this Exhibit shall prevail in case of any conflicts or inconsistencies with the Model Contract. Any losses suffered by data exporter or data importer (both as defined in the Model Contract) shall be treated as if they had been suffered by Customer or EntIT respectively and shall in all cases be recovered by Customer or EntIT subject to any limits on that party’s liability contained in this Agreement in section “limitation of liability”. Nothing in that section “limitation of liability “ shall limit the liability of either party in relation to a claim by a data subject under a Model Contract.

When EntIT obtains formal approval for binding corporate rules for processors (BCR-P), the parties may agree to rely on the BCR-P for transfers of Customer Personal Data. The relevant information and additional contract terms will be provided to Customer on request.

EntIT will ensure that any affiliate or third party subcontractor involved in processing Customer Personal Data enters into a written agreement with EntIT (which may be an inter-company agreement in the case of affiliates), which includes obligations substantially similar to those contained in this Addendum and appropriate to the nature of the processing involved.