Effective Date: Feb 17th, 2025
This Agreement is entered into between MetaCell and Customer, and governs Customer’s access to and use of NeuroGlass offerings provided under Organization and Enterprise plans. If you are purchasing a Starter or Professional plan please refer to the Terms of Service. Capitalized terms used but not defined herein are defined in Exhibit A.
By accepting this Agreement as part of an Order, you agree to this Agreement on behalf of the entity for which you are acting (such as an employer) (“Customer”). You represent and warrant that you have full legal authority to bind Customer to this Agreement, and confirm Customer’s agreement to be party to this binding contract. If you do not have the authority to bind Customer or do not agree with the terms of this Agreement, you (and Customer) are not authorized to access or use the NeuroGlass Platform.
1.1. Access to the NeuroGlass Platform. Subject to the terms and conditions of this Agreement, MetaCell hereby grants Customer a limited, non-exclusive, non-transferable (subject to Section 9.6), non-sublicensable right in the Territory, during the Order Term, for Authorized Users to access and use the NeuroGlass Platform in connection with Customer’s own business purposes.
1.2. Protection of Customer Data. MetaCell will implement and maintain the security requirements set forth in Exhibit B.
2.1. Use Restrictions. Except as otherwise expressly authorized in this Agreement, Customer will not, and will not encourage or assist third parties to: (i) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, know-how, or algorithms relevant to the NeuroGlass Platform (except to the extent such a restriction is impermissible under applicable law); (ii) provide, sell, resell, transfer, sublicense, lend, distribute, rent, or otherwise allow others to access or use the NeuroGlass Platform; (iii) copy, modify, create derivative works of, or remove proprietary notices from the NeuroGlass Platform; or (iv) use the NeuroGlass Platform for personal or other non-commercial purposes.
2.2. Acceptable Use Policy. Customer will comply with NeuroGlass’s Acceptable Use Policy available at www.neuroglass.com/legal/aup/.
2.3. Account Management.
(a) As part of the registration process, Customer will appoint one or more administrative users for Customer’s NeuroGlass account. Each administrative user has the authority to manage Customer’s NeuroGlass account, add or remove Authorized Users, approve purchases, and otherwise act on behalf of Customer for purposes relating to the NeuroGlass Platform and this Agreement.
(b) Customer may enable Authorized Users to access and use the NeuroGlass Platform in accordance with the Documentation and any limitations in Customer’s Order Form. Each Authorized User’s account is personal to the Authorized User to which it is issued. Account credentials may not be shared or used by anyone other than the individual to whom they were provisioned. Customer is responsible for its Authorized Users’ compliance with this Agreement, and all activities of its Authorized Users.
(c) Customer is responsible for providing accurate and complete account information (including the list of domains and/or NeuroGlass accounts owned or controlled by Customer for purposes of domain capture or migrations) and maintaining the accuracy and completeness of such information. Customer is responsible for maintaining control over its Authorized Users’ accounts, including the confidentiality of usernames and passwords. MetaCell will not be responsible for any damages, losses, or liability to Customer, Authorized Users, or anyone else if any event leading to such damages, losses, or liability is caused by lack of such control.
2.4. Customer Content. Customer authorizes MetaCell and its service providers to use Customer Content for the sole purpose of providing the NeuroGlass Platform and performing the activities contemplated by this Agreement (such as maintaining, securing, debugging, and otherwise performing quality control for the NeuroGlass Platform).
2.5. Feedback. Customer may voluntarily provide MetaCell feedback, comments, or suggestions concerning the NeuroGlass Platform or other services provided by NeuroGlass (collectively, “Feedback”). To the extent Customer provides Feedback, Customer hereby grants MetaCell the right to use such Feedback to maintain, improve, and enhance MetaCell’s products and services.
2.6. Usage Data. MetaCell will have the right to collect and analyze data and other information relating to the access, use, and performance of the NeuroGlass Platform (“Usage Data”) and MetaCell will be free (during and after the Order Term) to use Usage Data in de-identified and aggregated form to maintain, improve, and enhance MetaCell’s products or services. Examples of Usage Data include technical logs, metadata, telemetry data, and usage information about Customer Content, such as how many times it is accessed. For clarity, Usage Data excludes Customer Content itself.
2.7. Reservation of Rights. As between the parties, MetaCell owns all right, title, and interest in the NeuroGlass Platform, and Customer owns all right, title, and interest in the Customer Content. Except as expressly set forth in this Agreement, each party retains all right, title, and interest in and to its intellectual property rights. All rights not expressly granted are reserved, and no license, covenant, immunity, transfer, authorization, or other right will be implied, by reason of statute, estoppel, or otherwise, under this Agreement.
3.1. Fees. Customer will pay MetaCell all fees described in an Order in accordance with the terms therein. Unless otherwise specified herein or in an Order, (a) all fees are stated and solely payable in U.S. Dollars, (b) payment obligations are non-cancelable and not subject to setoff, (c) fees paid are non-refundable, and (d) quantities purchased cannot be decreased during the relevant Order Term. Customer is solely responsible for any bank fees, interest charges, finance charges, overdraft charges, and any other fees Customer incurs as a result of the charges billed by MetaCell. If the Order automatically renews, MetaCell may change the fees applicable to a renewal by providing Customer at least 45 days’ written notice of the new fees before the end of the then-current Order Term. For clarity, any change in fees will not apply to the then-current Order Term.
3.2. Payment. Unless otherwise specified in an Order or this Section, Customer will be invoiced annually in advance, with full payment due 30 days from the date of the applicable invoice. If Customer purchases its subscription online, fees are due at the time of purchase. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower. In the event that Customer fails to pay the full amount owed under an Order, MetaCell may limit Customer’s access to the NeuroGlass Platform, in addition to any other rights or remedies MetaCell may have.
3.3. Taxes. Fees do not include taxes. Each party is responsible for the payment of all taxes (including any interest and penalties) in connection with this Agreement that are imposed on that party by law. For Customer, such taxes may include sales/use, gross receipts, value-added, GST, personal property, excise, consumption, and other similar taxes or duties. Each party will be responsible for its own income taxes, employment taxes, and real property taxes.
3.4. Withholding. All payments made by Customer to MetaCell under this Agreement will exclude any deduction or withholding. If any such deduction or withholding (including cross-border withholding taxes) is required by law, Customer will pay such additional amounts as are necessary so that the net amount received by MetaCell after such deduction or withholding will be equal to the full amount that MetaCell would have received if no deduction or withholding had been required. Each party will use commercially reasonable efforts to work with the other party to help obtain, reduce, or eliminate any necessary withholding, deduction, or royalty tax exemptions where applicable.
4.1. Confidential Information. Each party (the “Discloser”) has disclosed or may disclose proprietary or non-public business, technical, financial, or other information in anticipation of this Agreement or during the term of this Agreement (“Confidential Information”) to the other party (the “Recipient”). Confidential Information of MetaCell expressly includes non-public information regarding features, functionality, and performance of the NeuroGlass Platform, and Confidential Information of the Customer expressly includes Customer Content. However, Confidential Information excludes any information that: (a) is or becomes generally available to the public without action or omission by Recipient; (b) was in the Recipient’s possession or known by it prior to receipt from the Discloser; (c) was rightfully disclosed to the Recipient without restriction by a third party; or (d) was independently developed by Recipient without use of or reference to any Confidential Information of the Discloser.
4.2. Obligations. The Recipient will use the Discloser’s Confidential Information only to exercise its rights and fulfill its obligations under this Agreement, including, in MetaCell’s case, to provide the NeuroGlass Platform to Customer. The Recipient will use reasonable care to protect against disclosure of the Discloser’s Confidential Information to parties other than the Recipient’s employees, contractors, Affiliates, agents, or professional advisors (“Representatives”) who need to know it and who have a legal obligation to keep it confidential. The Recipient will ensure that its Representatives are subject to confidentiality obligations that are no less restrictive than those herein. Notwithstanding the foregoing, the Recipient may disclose the Discloser’s Confidential Information: (a) if directed by Discloser; or (b) to the extent required by applicable legal process, provided that the Recipient uses commercially reasonable efforts to (i) promptly notify the Discloser in advance, to the extent permitted by law and (ii) comply with the Discloser’s reasonable requests regarding its efforts to oppose the disclosure. With respect to each Order, the obligations set forth herein will survive for the duration of the Order Term and five years following the expiration or termination of such Order.
5.1. Mutual Warranties. Each party represents and warrants to the other that: (a) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against the executing party in accordance with its terms; (b) the execution, delivery, and performance of this Agreement by the executing party does not violate the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound or require authorization or approval from any third party; and (c) it will perform its rights and obligations under this Agreement in accordance with applicable law.
5.2. MetaCell Warranties. MetaCell represents and warrants to Customer during the applicable Order Term that: (a) MetaCell will provide access to the NeuroGlass Platform and any applicable support services in substantive conformity with the Documentation; and (b) MetaCell will employ applicable industry standard measures to protect the NeuroGlass Platform, in the form provided to Customer by MetaCell, against software viruses, Trojan horses, worms, or other similar malicious programs or code.
5.3. DISCLAIMER. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THIS SECTION 5, THE PARTIES MAKE NO REPRESENTATION OR WARRANTY OF ANY KIND WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER RELATING TO THIS AGREEMENT. METACELL EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT. NON-NEUROGLASS RESOURCES ARE PROVIDED BY THIRD PARTIES, NOT METACELL, AND ANY USE OF NON-NEUROGLASS RESOURCES IS SOLELY BETWEEN CUSTOMER AND THE APPLICABLE THIRD PARTY PROVIDER. METACELL DOES NOT WARRANT OR SUPPORT, AND WILL NOT HAVE ANY RESPONSIBILITY OR LIABILITY OF ANY KIND FOR, NON-NEUROGLASS RESOURCES.
6.1. Limitation on Indirect Liability. EXCEPT FOR EXCLUDED CLAIMS, UNDER NO CIRCUMSTANCES, AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, WARRANTY, OR ANY OTHER THEORY OF LIABILITY), WILL EITHER PARTY, ITS AFFILIATES AND ITS OR THEIR CONTRACTORS, EMPLOYEES, AGENTS, OR THIRD-PARTY PARTNERS, LICENSORS, OR SUPPLIERS (COLLECTIVELY, ITS “PARTY REPRESENTATIVES”), BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING LOSS OF PROFITS, DATA, OR USE OR COST OF COVER) ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE USE OF OR THE INABILITY TO USE THE NEUROGLASS PLATFORM, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
6.2. Limitation on Amount of Liability. EXCEPT FOR EXCLUDED CLAIMS, UNDER NO CIRCUMSTANCES, AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, WARRANTY, OR ANY OTHER THEORY OF LIABILITY), WILL THE TOTAL LIABILITY OF EITHER PARTY, ITS AFFILIATES, AND ITS OR THEIR PARTY REPRESENTATIVES FOR ANY AND ALL DAMAGES AND CAUSES OF ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE USE OF OR THE INABILITY TO USE THE NEUROGLASS PLATFORM, EXCEED, IN THE MAXIMUM AGGREGATE, THE FEES PAID AND PAYABLE TO METACELL UNDER THE CUSTOMER’S APPLICABLE ORDER IN THE TWELVE-MONTH PERIOD PRIOR TO THE DATE ON WHICH THE DAMAGE OCCURRED.
6.3. IN GENERAL. EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY NEUROGLASS TO CUSTOMER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT. THE LIMITATIONS IN THIS SECTION 7 WILL APPLY TO THE MAXIMUM EXTENT NOT PROHIBITED BY LAW AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THIS AGREEMENT.
7.1. Term. The term of this Agreement will commence on the Subscription Start Date of the first Order entered into between the parties and will continue until all Orders hereunder expire or until terminated in accordance with this Section 8, whichever happens first.
7.2. Termination. Either party may terminate an individual Order or this Agreement upon written notice to the other party, if the other party materially breaches this Agreement and such breach is incapable of cure, or with respect to a breach capable of cure, the breaching party does not cure such breach within 30 days of receiving notice of it. Either party may terminate or suspend an individual Order or this Agreement upon written notice to the other party without a cure period if (a) the other party breaches any of the terms relating to such party’s intellectual property rights or Confidential Information, or (b) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.
7.3. Effect of Termination. Termination of this Agreement will result in termination of all ongoing Orders; however, termination of a single Order will not result in termination of this Agreement or any other ongoing Orders. If Customer terminates under Section 8.2, MetaCell will provide Customer a pro rata refund of prepaid unused fees applicable to the remainder of the Order Term for any terminated Order. If this Agreement or any Order is terminated for any other reason, Customer will not receive a refund and will pay all fees as if the Order had not been terminated. Upon any termination, to the extent permitted by applicable law, MetaCell will make all Customer Content then held by MetaCell pursuant to the applicable Order available to Customer for electronic retrieval for a period of 30 days, but thereafter MetaCell will delete or retain any stored Customer Content as directed by Customer. The following sections of this Agreement will survive any expiration or termination of this Agreement: 2, 4, 5.3, and 7-9.
8.1. Affiliates. A Customer Affiliate may enter into an Order under this Agreement and, in such case, by entering into the Order, the Affiliate agrees to be bound by the terms and conditions of this Agreement with respect to such Order and such Affiliate will be considered to be Customer, as such term is used herein, with respect to such Order. This Agreement is intended for the benefit of the parties who have entered into an Order under this Agreement and their respective permitted successors and assigns, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
8.2. Product-Specific Terms. Certain MetaCell offerings are subject to Product-Specific Terms (such as optional beta features, free trials, and NeuroGlass APIs). If Customer elects to use such offerings, the applicable Product-Specific Terms apply.
8.3. Force Majeure. Neither party will have any liability for failures or delays resulting from that party experiencing a Force Majeure Event. If a party experiences a Force Majeure Event, such party will: (a) promptly notify the other party of occurrence of the Force Majeure Event; and (b) use reasonable efforts to limit damages to the other party and to resume its performance under this Agreement. If a Force Majeure Event causes a party to fail to comply with its obligations under this Agreement for 30 or more consecutive days, either party may terminate this Agreement upon written notice, without liability. “Force Majeure Event” means any event or circumstance (other than a party’s inability to satisfy payment obligations) that is outside a party’s reasonable control, whether or not foreseeable.
8.4. Notices. All notices, requests, consents, claims, demands, waivers, and other communications under this Agreement (each, a “Notice”) must be in writing (electronic mail sufficient) and sent to:
MetaCell: Contact identified in the Order
With a copy to: info@metacell.us
Customer: Contact identified in the Order
8.5. Severability; No Waiver. The invalidity or unenforceability of any provision of this Agreement will not affect the validity or enforceability of any other provision hereof and it is the intent and agreement of the parties that this Agreement will be deemed amended by modifying such provision to the extent necessary to render it valid, legal, and enforceable while preserving its intent or, if such modification is not possible, by substituting another provision that is legal and enforceable and achieves the same objective. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.
8.6. Assignment. This Agreement is not assignable or transferable by either party without the other party’s prior written consent, except that either party may (without the other party’s prior written consent) assign this Agreement, in whole, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of such party’s assets. Any purported assignment in violation of this section is null and void.
8.7. Service Providers. For the avoidance of doubt, MetaCell may engage third party service providers to support its performance of this Agreement. Nevertheless, MetaCell will remain responsible for compliance with this Agreement.
8.8. No Partnership. No agency, partnership, joint venture, or employment is created as a result of this Agreement, and neither party has any authority of any kind to bind the other party.
8.9. Governing Law and Dispute Resolution. The governing law that will apply in any dispute or lawsuit arising out of or in connection with this Agreement, and the venue that will have exclusive jurisdiction over any such dispute or lawsuit, will be as specified in the table below, without regard to choice or conflicts of law rules. The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.
8.10. Export Control. The NeuroGlass Platform and Customer’s use thereof is subject to export control and economic sanctions laws and regulations (collectively, “Export Controls”), including the U.S. Export Administration Regulations, the laws, statutes, regulations, rules, and executive orders administered by the Office of Foreign Assets Control of the U.S. Department of the Treasury (“OFAC”). MetaCell and Customer each represents that it is not on (or owned or controlled by any person identified on) the OFAC Specially Designated Nationals and Blocked Persons List or any other list of prohibited or restricted parties promulgated under Export Controls. Customer must comply with all applicable Export Controls in its access to and use of the NeuroGlass Platform and Customer Content. Customer will not access or use the NeuroGlass Platform, export, re-export, distribute, assign, or otherwise engage in any transaction relating to the NeuroGlass Platform or any Customer Content in violation of Export Controls. For the avoidance of doubt, MetaCell may take measures required by law or governmental authority to comply with its obligations under Export Controls and OFAC (such as suspending access to the NeuroGlass Platform, terminating this Agreement, or blocking the relevant Customer Content).
8.11. Anti-Corruption. Neither party has received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from an employee or agent of the other party in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction.
8.12. Government Use. This Section 9.12 only applies if Customer is a government or public sector entity. Customer represents and warrants to MetaCell that it is entering into this Agreement in compliance with any applicable public procurement laws and regulations. If Customer is a U.S. government or U.S. public sector entity (or use of the NeuroGlass Platform is for the U.S. government), the NeuroGlass Platform and Documentation are “commercial products” (as defined at 48 C.F.R. §2.101), consisting of “commercial computer software” and “commercial computer software documentation” (as used in 48 C.F.R. §12.212 and 48 C.F.R. §227.7202, as applicable). In accordance with 48 C.F.R. §12.212 and 48 C.F.R. §227.7202-1, as applicable, the rights of the U.S. Government to use, modify, reproduce, release, perform, display, or disclose commercial computer software and commercial computer software documentation associated with the NeuroGlass Platform will be as provided in this Agreement. If a U.S. Government agency or end user has a need for rights not conveyed under these terms, it must negotiate with MetaCell to determine if there are acceptable terms for transferring such rights, and a mutually acceptable addendum to this Agreement will be required in any applicable contract or agreement. The sections in this Agreement titled “Governing Law and Dispute Resolution,” “Indemnification by Customer,” any auto-renewal terms, and any other terms inconsistent with applicable law are hereby waived to the extent necessary to conform to applicable law.
8.13. Interpretation. Whenever the words “including,” “include,” “includes,” or “such as” are used herein, they will be deemed to be followed by the phrase “without limitation.”
8.14. Entire Agreement. This Agreement supersedes all other agreements between the parties relating to its subject matter. In the event of any conflict among any Orders, any Product-Specific Terms, and the terms of this MetaCell Software Services Agreement, the order of precedence will be: (a) the Product-Specific Terms; (b) the terms of this MetaCell Software Services Agreement; and (c) the Orders (from newest to oldest) unless such Order expressly overrides the foregoing terms. The parties agree that any terms and conditions stated in a Customer purchase order or other Customer ordering documentation (including any vendor management portal) are void.
1.1. “Affiliate” means, with respect to any entity, any other entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or under common control with such entity. As used in this definition, “control” (including, with correlative meanings, “controlled by” or “under common control with”) means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through ownership of voting securities, by contract or otherwise.
1.2. “Agreement” means this Software Services Agreement (together with its exhibits and addenda), and any Product-Specific Terms.
1.3. “Authorized Users” means employees, contractors, and other persons associated with the Customer or its Affiliates who access or use the NeuroGlass Platform through the Customer’s account.
1.4. “Customer Content” means applications, data, and materials that are developed by Customer or its Authorized Users on the NeuroGlass Platform or uploaded to the NeuroGlass Platform by Customer or its Authorized Users.
1.5. “Documentation” means MetaCell-provided documentation available at https://help.neuroglass.com or such successor link identified by MetaCell.
1.6. “Excluded Claims” means damages resulting from (1) either party’s willful misconduct or gross negligence, or (2) infringement by a party of the other party’s intellectual property rights.
1.7. “MetaCell” means MetaCell, LLC.
1.8. “NeuroGlass Platform” means the NeuroGlass offering identified in an Order, including any related mobile and desktop applications, custom deployments, early access features, and Documentation.
1.9. “Non-NeuroGlass Resources” means applications and materials that are developed or otherwise provided by a party other than MetaCell, including dataset, algorithms, services, products, platforms, integrations, and code components.
1.10. “Order” means an ordering document or online order that is entered into between Customer and MetaCell and specifies, among other things, details relating to the number of Authorized Users.
1.11. “Order Term” means the subscription term length set forth in the applicable Order or, with respect to early access features, the evaluation period set forth by MetaCell.
1.12. “Product-Specific Terms” means the terms and conditions available at www.neuroglass.com/legal/product-specific-terms/, which apply to certain NeuroGlass offerings.
1.13. “Territory” means worldwide with the exception of: (1) jurisdictions that are embargoed or designated as supporting terrorist activities by the United States Government; and (2) jurisdictions whose laws do not permit engaging in business with MetaCell or use of the MetaCell Platform.
1.1. “Authorized Affiliate” means any of Customer's Affiliate(s) which: (i) (a) is subject to the Data Protection Laws; and (b) is permitted to use the NeuroGlass Platform pursuant to the Agreement between Customer and MetaCell but has not signed its own Order Form with MetaCell and is not a "Customer" as defined under the Agreement; and (ii) if and to the extent MetaCell processes Personal Data for which such Affiliate(s) qualify as the Controller (as defined under applicable Data Protection Laws).
1.2. “Customer Data” means Customer Content and Customer Personal Data.
1.3. “Customer Personal Data” means Personal Data pertaining to Customer’s logged-in Authorized Users of the NeuroGlass Platform Processed by MetaCell on behalf of Customer (or an Authorized Affiliate) under this Agreement.
1.4. “Data Protection Laws” means all data privacy, data protection, and cybersecurity laws, rules and regulations of the United States, the European Union, and the United Kingdom, and similar national laws of Switzerland, to which the Customer Personal Data are subject. “Data Protection Laws” will include the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 (“UK GDPR”), the Singapore Personal Data Protection Act of 2012 (“PDPA”) and the Swiss Federal Act on Data Protection (“Swiss FADP”), that are applicable to the Processing of Personal Data under the Agreement.
1.5. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
1.6. “Process” or “Processing” means any operation or set of operations which is performed on Customer Data or sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.7. “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to MetaCell.
1.8. “Subprocessor” means MetaCell’s vendors and third party service providers that Process Customer Data.
1.9. “Systems” means the applications, databases, infrastructure, and platforms under MetaCell’s control that are utilized to provide the NeuroGlass Platform to Customer.
2.1. MetaCell maintains an Information Security Policy and reviews it at least annually, including after any major changes occur in applicable law or regulatory guidance or are otherwise made to the Systems.
2.2. MetaCell maintains codes of conduct and other policies covering anti-bribery and corruption, whistle-blowing, and other ethics policies (such as anti-money laundering and anti-slavery), and communicates these policies to all relevant staff. MetaCell’s codes of conduct are available upon request.
2.3. MetaCell implements processes designed to ensure the ongoing compliance with these policies and to identify and enable MetaCell to take action against any areas of non-compliance. Failures to comply with policies are addressed through appropriate disciplinary actions.
3.1. MetaCell assigns responsibility for information security management to senior personnel.
3.2. MetaCell implements technical and organizational measures designed to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, including a written information security program, which includes policies, procedures, and technical and physical controls designed to ensure the security, availability, integrity, and confidentiality of Customer Data.
4.1. MetaCell conducts pre-employment background screening on employees and contractors who will access Customer Data in the ordinary course of performing their job responsibilities, to the extent legally permissible and practicable in the applicable jurisdiction.
4.2. MetaCell requires all MetaCell employees and Subprocessors to execute a confidentiality agreement as a condition of employment or engagement and to follow policies on the protection of Customer Data.
5.1. MetaCell assigns unique User IDs to authorized individual users to access Systems. All access to Systems must be authorized and authenticated.
5.2. MetaCell access rights to Customer Data are based on the principle of least privilege and designed to ensure that persons entitled to use a System have access only to the Customer Data for which they have a business need.
5.3. MetaCell maintains an accurate and up-to-date list of all personnel who have access to Systems and has a process to promptly disable such access within one business day of transfer or termination.
5.4. MetaCell periodically reviews and revokes Systems access rights, as needed, and logs and monitors such access.
5.5. Non-privileged users are prohibited from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
5.6. MetaCell maintains a password management policy designed to ensure strong passwords consistent with industry standard practices and requires the use of multi-factor authentication to access Systems. Passwords are promptly changed if MetaCell becomes aware that an account has been compromised.
5.7. MetaCell implements controls designed to ensure that Systems access is subject to appropriate authentication and user access controls:
6.1. MetaCell creates, protects, and retains Systems audit records to maintain integrity and enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate Systems activity.
6.2. MetaCell reviews and analyzes Systems audit records on a regular basis to detect significant unauthorized activity with respect to Systems. Actions of NeuroGlass users can be uniquely traced to those users so they can be held accountable for their actions.
7.1. MetaCell establishes a configuration baseline for Systems using applicable information security standards, manufacturer recommendations, or industry standard practices. Monitoring is performed to validate that Systems are configured according to the established configuration baseline.
7.2. The introduction of new systems is controlled, documented, and enforced by the use of formal change control procedures including documentation, specifications, testing, quality control, recovery, and managed implementation.
7.3. MetaCell employs controls designed to secure source code, including version control, segregation of source code repositories, and least privilege access principles. MetaCell maintains separate and isolated environments for its development, testing, and production. MetaCell customer instances are logically separated.
7.4. MetaCell follows a structured secure development methodology, adheres to secure coding standards, and undergoes security assessment activities (e.g., dynamic and static scans) to identify and remediate security vulnerabilities before being released to production.
7.5. MetaCell employs reasonable controls designed to remove or disable unnecessary ports and services from Systems in accordance with the vendors’ recommendations and settings.
8.1. MetaCell maintains up-to-date anti-malware software, has implemented a vulnerability management program with regular scanning for vulnerabilities, subscribes to a vulnerability notification service, has a method for prioritizing vulnerability remediation based on risk, and has established remediation timeframes based on risk rating.
8.2. Once a patch is released, and the associated security vulnerability has been reviewed and assessed for its applicability and importance, the patch is applied and verified in a timeframe which is commensurate with the risk posed to Systems.
8.3. Penetration testing and vulnerability scanning are conducted on the Systems at least annually. Any remediation items identified as a result of the assessment are resolved as soon as possible on a timetable commensurate with the risk. Upon request, MetaCell will provide summary details of the penetration tests performed, findings, and whether the identified issues have been resolved.
8.4. MetaCell uses commercially reasonable efforts to regularly identify software vulnerabilities and, in the case of known software vulnerabilities, to provide relevant updates, upgrades, and bug fixes.
8.5. MetaCell deploys intrusion detection processes to monitor and respond to alerts which could indicate potential compromise of Customer Data.
8.6. MetaCell deploys a log management solution and retains logs produced by intrusion detection systems for a minimum period of one year.
9.1. MetaCell maintains a capacity management program that continuously and iteratively monitors, analyzes, and evaluates the performance and capacity of the Systems.
10.1. MetaCell maintains an information security incident management program that addresses management of Security Incidents.
10.2. MetaCell maintains an incident response plan that specifies actions to be taken in the event of a Security Incident.
10.3. Upon becoming aware of a Security Incident, MetaCell agrees to provide written notice to Customer without undue delay and within the time frame required under Data Protection Laws. A delay in giving such notice requested by law enforcement and/or in light of MetaCell’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. MetaCell’s notification of or response to a Security Incident will not be construed as an acknowledgement by MetaCell of any fault or liability with respect to the Security Incident.
10.4. MetaCell will take reasonable measures to mitigate the risks of further Security Incidents.
11.1. MetaCell will conduct a risk-based review of all Subprocessors designed to ensure that they implement appropriate technical and organizational measures.
11.2. MetaCell will enter into agreements with its Subprocessors that require such Subprocessors to secure and protect Customer Data by using at least the same degree of care outlined in this Exhibit B.
12.1. At the expiry or termination of this Agreement, MetaCell will, at Customer’s request, delete or return all Customer Data (excluding any back-up or archival copies which will be deleted in accordance with MetaCell’s data retention schedule), except where MetaCell is required to retain copies under applicable laws, in which case MetaCell will isolate and protect that Customer Data from any further Processing except to the extent required by applicable laws.
13.1. MetaCell implements controls designed to ensure the secure disposal of Customer Data in accordance with applicable law taking into account available technology so that Customer Data cannot be read or reconstructed.
13.2. Media will be securely erased electronically before disposal by overwriting or degaussing, or physically destroyed prior to disposal or reassignment to another system. Media cleansing/wipe products and processes prior to disposal comply with the NIST SP 800-88 standard, “Guidelines for Media Sanitization” (or its successor) or equivalent industry standards.
14.1. MetaCell maintains a risk assessment program that includes regular risk assessments and controls for risk identification, analysis, monitoring, reporting, and corrective action.
14.2. At least annually, MetaCell will perform risk assessments (either internally or with contracted, independent resources) to identify risks to Customer Data, risks to MetaCell’s business assets (e.g., technical infrastructure), threats against those elements (both internal and external), the likelihood of those threats occurring, and the impact upon the organization.
15.1. MetaCell will have an asset management program that classifies and controls hardware and software assets throughout their life cycle.
16.1. MetaCell will use industry standard practices for redundancy, robustness, and scalability designed to maintain the availability of the NeuroGlass Platform.
16.2. MetaCell implements and maintains contingency plans to address emergencies or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that could damage or destroy Systems or Customer Data, including a data backup plan and a disaster recovery plan with at least annual testing of such plans. MetaCell may not modify such plans to provide materially less protection to the Customer without the Customer’s prior written consent, which may not be unreasonably conditioned or withheld.
16.3. Backups are taken and recovery is tested on a regular basis.
17.1. MetaCell conducts mandatory training for MetaCell employees and relevant contingent workers, at least annually, on business ethics, privacy, and information security awareness. These trainings are reviewed for relevance and updated as needed, annually.
17.2. Teams associated with development efforts impacting Customer Data undergo specific training focused on well-defined and secured coding practices.
18.1. MetaCell assigns responsibility for data protection to senior personnel.