DORA Schedule

Please review Flexera's DORA Schedule. If you require a signed version, you may electronically sign it by clicking here, and Flexera will countersign it and return it to you.

Flexera is a technology company that offers a range of Commercial Off-The-Shelf Software (“Software”) and multi-tenant Software as a Service (“SaaS”) products, as further detailed in the Flexera Subscription Agreement available at https://www.flexera.com/legal (or such other agreement as may have been executed in writing between Flexera and Customer, which shall prevail) together with any applicable attachments, exhibits and appendices thereto and any orders entered into, or to be entered into, between Flexera and Customer (collectively the “Agreement”). The provision of Software and SaaS products together with supplementary Services (as defined in the Agreement) shall be deemed ICT Services (as defined in DORA) when provided to a regulated customer within the scope of DORA. This EU Digital Operational Resilience Act Schedule (“DORA Schedule”) applies where Flexera is considered an ICT third party service provider under DORA when providing Products to Customer and supplements the terms and conditions of the Agreement. To the extent that there is any conflict between the terms of the Agreement and this DORA Schedule, this DORA Schedule shall prevail. Capitalized terms used herein but not otherwise defined shall have the meaning given to them in the Agreement. This DORA Schedule is entered into by and between Flexera and Customer (as each is defined in the Agreement) and is effective as of the date last executed (the “Effective Date”).

Article reference | DORA Schedule provisions
-

1. DEFINITIONS & INTERPRETATION. In this DORA Schedule, the words "include" or "including" shall be construed without limitation to the words following.

1.1 “Affiliate(s)” means any entity that, directly or indirectly, controls, is controlled by, or is under common control with a party; and “control” means the direct or indirect possession of the power to direct or cause the direction of the management and policies of another entity, whether through the ownership of voting securities, by contract or otherwise.

1.2 “Applicable Law” means all federal, state, provincial, local and international laws, rules, regulations, directives, judgments and/or orders binding on or applicable to a party hereto or a party’s performance hereunder, whether in force before or after the Addendum Effective Date.

1.3 “Digital Operational Resilience Act” or “DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

1.4 "DPA" means the Flexera Data Processing Agreement available at https://www.flexera.com/legal/data-processing-agreement unless the parties have a separately executed Data Processing Agreement which shall prevail.

1.5 “Customer Data” means any data loaded by Customer into Flexera’s SaaS Products.

1.6 “Personal Data” has the meaning given to it in the DPA.

1.7 “Regulatory Authority” means all competent authorities and the resolution authorities of Customer or any of its Affiliates.

1.8 “Service Levels” means the service levels specified in the Agreement.

1.9 “competent authority”, “critical or important function”, “ICT Services”, “ICT third-party service Flexera” and “Lead Overseer” have the meaning given to them in the Digital Operational Resilience Act.

Article 30(2)(a)

2. SUBCONTRACTING.

2.1 Except as expressly approved in writing by Customer in advance (such approval to be given or withheld in Customer's sole discretion), Flexera shall not use subcontractors to provide any ICT Services supporting a critical or important function, or material parts thereof.

2.2 To the extent Flexera is permitted to use subcontractors to provide any ICT Services supporting a critical or important function, or material parts thereof, in accordance with clause 2.1 above, Flexera shall comply with all conditions Customer may impose in order to comply with all then-current regulatory standards.

2.3 Without prejudice to clauses 2.1 and 2.2 above, no written consent shall be required for the use of subcontractors engaged in the provision of any ICT Services which are not supporting critical or important functions (or material parts thereof), provided always that the process for the notice and objection set forth in the DPA shall continue to apply.

2.4 Without prejudice to the requirements of this DORA Schedule, Customer shall notify Flexera promptly upon becoming aware of any factor that means the ICT Services provided by Flexera support a critical or important function, or material parts thereof.

Article 30(2)(b)

3. PERMITTED REGIONS.

3.1 The regions from which (i) the contracted or subcontracted functions and ICT Services will be provided; and (ii) the Customer Data is to be processed and stored, are further set out in the DPA and the attachments thereto.

3.2 If Flexera envisages changing such regions, Flexera will inform Customer in advance in accordance with the terms expressly prescribed in the DPA.

3.3 Without prejudice to Flexera's other obligations herein, upon Customer request Flexera shall confirm in writing the specific regions where the contracted or subcontracted functions and ICT Services relevant to Customer are provided, and the specific regions where the Customer Data is processed, including the storage regions.

Article 30(2)(c)

4. CUSTOMER DATA.

4.1 Promptly upon written request from Customer, Flexera shall make Customer Data available to Customer in the form and format reasonably requested by Customer.

4.2 Flexera shall establish, maintain and comply with a written information security program that contains administrative, technical, and physical safeguards (including logical and physical controls) to ensure the security, availability, authenticity, integrity and confidentiality of Customer Data and to protect against threats or hazards to the integrity and security of, the unauthorized or accidental destruction, loss, alteration or use of, and the unauthorized access to, Customer Data.

4.3 Without prejudice to any existing provisions in relation to confidentiality or data protection in the Agreement, Flexera shall protect Customer Data and comply with all relevant legal requirements regarding the protection of Customer Data.

Article 30(2)(d)

5. ACCESS, RECOVERY AND RETURN OF CUSTOMER DATA. In the event of (i) the insolvency, resolution or discontinuation of the business operations of Flexera, or (ii) the termination of the Agreement (or any part thereof), Flexera shall promptly return to Customer, or enable Customer to access and retrieve, all Customer Data in an easily accessible format reasonably requested by Customer.

Article 30(2)(e) & Article 30(3)(a)

6. SERVICE LEVELS.

6.1 Flexera shall perform the services in accordance with the Service Levels together with any RTO and RPO obligations detailed in Flexera’s security documentation relating to the services.

6.2 Flexera shall enable Customer to monitor Flexera’s performance against the Service Levels.

6.3 In the event that any Service Level(s) is not met, Flexera will take appropriate corrective actions so that the affected Service Level(s) is, and continues to be, met, without undue delay and, without prejudice to the foregoing, in accordance with the remedial obligations set forth in the applicable Service Levels.

Article 30(2)(f)

7. ICT INCIDENT. Without prejudice to any existing provisions in relation to security incidents in the Agreement, in the event of an ICT incident that is related to ICT Services provided by Flexera to Customer, Flexera shall, at no additional cost, (i) notify the customer promptly and without undue delay if the ICT incident; (ii) provide such assistance to Customer as reasonably required to resolve such ICT incident including, without limitation, appropriate classification of the incident; and (iii) reasonably cooperate with Customer in performing an incident postmortem and coordination of an incident response.

Article 30(2)(g)

8. COMPLIANCE WITH REGULATORY AUTHORITIES.

8.1 Flexera shall co-operate fully with Regulatory Authorities and their appointees.

8.2 Unless prohibited by Applicable Law or requested or directed not to do so by a Regulatory Authority, Flexera shall (i) notify Customer in writing promptly upon receipt of a request by a Regulatory Authority to provide any such co-operation and provide Customer with a copy of such request and (ii) provide Customer with such information as Customer may from time to time reasonably request in relation to such co-operation.

Article 30(2)(h)

9. TERMINATION.

9.1 Customer may, without prejudice to its other rights and remedies (including its termination rights), terminate the Agreement in whole or in part immediately by written notice if:

9.1.1 Flexera commits a material breach of Applicable Laws;

9.1.2 circumstances are identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of service(s) rendered under the Agreement, including material changes adversely affecting the provision of any of the services and/or Flexera’s situation;

9.1.3 there are evidenced weaknesses regarding the risk management and security of Customer Data (including its availability, authenticity, integrity and confidentiality) and Flexera and Customer are unable to agree a mutually acceptable action plan to remediate or mitigate such risks, such agreement not to be unreasonably conditioned or delayed. The requirement to agree an action plan does not apply where this would put Customer in breach of Applicable Law;

9.1.4 a Regulatory Authority can no longer effectively supervise Customer as a result of the conditions of, or circumstances related to, the Agreement; or

9.1.5 termination is required by a Regulatory Authority for any other reason.

9.2 Where Flexera serves notice of termination of the Agreement in accordance with its terms, then notwithstanding any termination notice periods set out in the Agreement, termination shall only take effect on the later of (i) the termination period set out in the Agreement and (ii) the end of the transition period referred to in clause 14.

Article 30(2)(i)

10. TRAINING. If required by Customer in its sole discretion, Flexera personnel involved in the provision of services to Customer must complete ICT security awareness training programmes and digital operational resilience training provided directly by or on behalf of Customer. Where feasible and to the extent it meets the requirements of Applicable Law, the relevant training will be provided remotely by or on behalf of Customer. Where Customer requires the Flexera personnel to attend the training in-person at a particular location, Customer shall reimburse Flexera for the reasonable expenses incurred by the Flexera personnel to attend such training, provided the expenses are approved in writing by Customer in advance.

Article 30(3)(b)

11. REPORTING OBLIGATIONS. Flexera shall (i) notify Customer promptly and without undue delay in writing of any development that might have a material impact on Flexera’s ability to effectively provide the ICT Services supporting critical or important functions in accordance with the Agreement (including the Service Levels) and (ii) comply with all other reporting obligations in the Agreement.

Article 30(3)(c)

12. BUSINESS CONTINGENCY AND SECURITY.

12.1 Flexera shall have, be able to immediately implement, and regularly test, business contingency plans.

12.2 Flexera shall have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services to Customer in accordance with the requirements of the Regulatory Authorities.

12.3 Flexera conducts annual penetration testing on Flexera systems no less frequently than once every twelve (12) months as further documented in the security terms set forth in the Agreement. In the event that the Lead Overseer or Regulatory Authority determines the services provided by Flexera to support a critical or important function and (i) the customer is in scope of the threat-led penetration testing obligations set forth in Art. 26-27 of DORA; and (ii) the Lead Overseer includes Flexera in scope of the test, then Flexera shall support a threat-led penetration test through provision of relevant documentation and penetration test summaries, in line with industry practices and Flexera’s internal security protocols.

Article 30(3)(e)

13. MONITORING.

PART I – The following provisions 13.1 through 13.4 (inclusive) apply to all DORA regulated Customers.

13.1 For the purposes of this clause 13, "Auditor" means Customer, the Lead Overseer, the Regulatory Authorities or any third-party auditor appointed by Customer, the Lead Overseer or a Regulatory Authority.

13.2 Insofar as any of the following clauses would restrict the audit or inspection rights of the Auditor in a manner that would put Customer in breach of Applicable Law that clause will be disapplied.

13.3 The Auditor shall, subject to professional secrecy obligations or to an NDA with comparable and reasonable confidentiality obligations concluded with Flexera, have a right to request copies of documentation if they are critical to the operations of Flexera (“Information Requests”).

13.4 All Information Requests shall be carried out during normal business hours and provided that the Auditor has notified Flexera at least fourteen (14) business days in advance. Flexera shall submit all relevant files, books, receipts, and other documents and provide comprehensive information specific to the request by the Auditor (and provided that any such disclosure would not result in Flexera breaching its confidentiality obligations to other customers, except where required by law).

PART II – The following provisions 13.5 through 13.11 (inclusive) apply to the extent that the services provided by Flexera under the Agreement are deemed by the Lead Overseer or the Regulatory Authorities to support critical or important functions of the Customer.

13.5 Should the information provided under clause 13.4 not satisfy the Auditor, the Auditor shall have unrestricted rights of access, inspection and audit of Flexera, Flexera Affiliates and Flexera personnel’s (including, where applicable, subcontractors’) information, systems and facilities, including the right to take copies of relevant documentation on-site if such documentation is critical to the operations of Flexera, and notwithstanding any other contractual arrangements or implementation policies, Flexera shall fully cooperate with all such access, audit or inspection.

13.6 Unless prohibited by Applicable Law or requested or directed not to do so by a Lead Overseer or a Regulatory Authority, Customer will provide Flexera with advance written notice as soon as it becomes aware of an audit request of a Regulatory Authority, or an appointed third party of a Regulatory Authority, and provide as much detail about such audit as reasonably requested by Flexera. Flexera shall then, during normal business hours and with a minimum of five (5) business days advance notice, grant the Regulatory Authority, on-site access to all persons, premises, documents, and systems associated with the Services specific to Customer only (“Audit”).

13.7 Without restricting the information and inspection rights under this DORA Schedule, it is acknowledged that such Information Request and Audit will be subject to preserving the security and confidentiality of content and intellectual property of Flexera and its customers, and Customer shall use reasonable endeavors to minimize disruption to Flexera - including performance of its obligations under the Agreement - and Flexera's arrangements with other customers.

13.8 Flexera will cooperate during the onsite inspections and audits performed by the Auditor and grant unrestricted access to information and data as well as access to business premises, as required by Applicable Law. Customer shall provide Flexera with details on the scope, procedures to be followed and frequency of the Inspections and Audits.

13.9 Where Flexera incurs costs in relation to an audit carried out by Customer pursuant to this clause 13, Customer shall reimburse Flexera for the reasonable costs of the audit incurred by Flexera, provided that the costs are approved by Customer in writing in advance. Notwithstanding the foregoing, in the event that the audit identifies a material breach of Flexera's obligation under the Agreement or Applicable Law, Flexera agrees to reimburse Customer for all costs incurred in connection with the audit.

13.10 Where the exercise of the rights in clause 13 affects the rights of other clients of Flexera, the parties will agree on alternative assurance levels.

13.11 Unless prohibited by Applicable Law or requested or directed not to do so by a Lead Overseer or a Regulatory Authority, Flexera shall (i) notify Customer in writing promptly upon becoming aware that a Lead Overseer or a Regulatory Authority intends to exercise any of its rights in clause 13 and provide Customer with such information as Customer may from time to time reasonably request in relation to the exercise of such rights and (ii) on Customer’s written request, provide details on the scope, procedures to be followed and frequency of inspections and audits by Regulatory Authorities.

Article 30(3)(f)

14. EXIT. Following service by either party of notice of termination of the Agreement, or part thereof, or in the case that the Agreement is due to expire, in whole or in part, Flexera shall at reasonable cost to be negotiated and agreed between the parties acting reasonably and in good faith:

14.1 continue to provide the impacted services for such transition period as is reasonably required by Customer to allow transition to Customer, or an alternative Flexera, to complete with minimal risk of disruption to Customer or, where appropriate, to ensure the effective resolution and restructuring of Customer; and

14.2 provide such exit support for such transition period as is reasonably required by Customer to allow Customer to migrate to another ICT third-party service Flexera or change to an in-house solution, and the Agreement (or the relevant part thereof) shall continue in force during such periods.