Master Subscription Agreement

Last revised: May 15, 2025

This Epicz Lab Master Subscription Agreement (“MSA”) is entered into by and between Epicz Lab AB, a Swedish corporation with a place of business at Vasagatan 12, 111 20 Stockholm, Sweden (“Epicz Lab”), and the entity or person (i) executing an order form for the Services that expressly references this MSA (“Order Form”), (ii) accepting an Order Form via private offer on a cloud service provider marketplace or (iii) signing up for and accessing the Services on a free trial basis (“Trial Services”) who, in each case, agrees to be bound by this MSA to the exclusion of all other terms (as applicable, “Customer”) (each of Customer and Vanta, a “Party”, and together, the “Parties”). The MSA consists of the terms and conditions set forth below and incorporates by reference any ancillary documents (e.g., attachments, addenda, exhibits) expressly referenced herein.

The “Effective Date” of this MSA is (a) the effective date of the first Order Form executed by the Parties, (b) the date Customer first accepts a private offer containing an Order Form or (c) in the case of Pilot Services, the date Customer receives its credentials to access the Services accepting this MSA through Epicz Lab’s pilot sign-up, as applicable.

SECTION 1. SERVICES, LICENSES & USAGES

1.1 Services. “Services” means the Epicz Lab products and services that are made available to Customer by Epicz Lab hereunder. Subject to the terms and conditions of this MSA, Epicz Lab will make the Services available to Customer for the service period of Customer’s subscription specified on the applicable Order Form (“Service Period”). Epicz Lab will provide the Services in accordance with the Service Level Agreement available at https://epiczlab.com/service-level-agreement/.

1.2 Support. Epicz Lab will provide commercially reasonable support during the Service Period in accordance with Epicz Lab’s Support Policy, available at https://epiczlab.com/support-policy.

1.3. Licenses. Subject to Customer’s compliance with the terms and conditions of this MSA (including any limitations and restrictions set forth on an applicable Order Form), Epicz Lab hereby grants Customer a non-exclusive, non-transferable, non-sublicensable limited right and license to access and use the Services, as applicable, solely during the applicable Service Period or Trial Service Period for Customer’s internal business purposes. Customer hereby grants Epicz Lab a non-exclusive, non-transferable, non-sublicensable right and license to use Customer Information solely to provide the Services to Customer. Notwithstanding anything to the contrary, Epicz Lab may generate, collect, use, and analyze usage data generated or derived from Customer’s use of the Services, including log data and metadata, to develop, improve, promote, support, and operate its products and services; provided that such Usage Data may only be shared with third parties in a manner that is aggregated and/or anonymized and does not identify Customer or any Authorized Users.

1.4 Customer Responsibilities. Customer may provide access to the Services to its authorized employees, agents or contractors by ensuring authorized use of credentials. Customer is responsible for compliance with all terms of this MSA and for ensuring the accuracy of data input, and Customer agrees to promptly notify Epicz Lab of any unauthorized access or use of which Customer becomes aware. Authorized Users are strictly prohibited from sharing their accounts or account passwords, and their doing so is a material breach of this MSA by Customer.

1.5 AI Features and Disclaimer. Customer acknowledges that certain aspects of the Services may incorporate capabilities powered by artificial intelligence, machine learning, or related technologies developed by Epicz Lab and/or its technology partners (“AI Features”). These features are designed to enhance productivity and deliver intelligent insights but are offered as an optional component of the Services. Customer understands and agrees that any content, suggestions, or outputs generated through AI Features (“AI Outputs”) are provided on an “as-is” basis. Epicz Lab does not guarantee the accuracy, completeness, reliability, or appropriateness of AI Outputs and disclaims all representations, warranties, or liability related thereto. It is the Customer’s sole responsibility to evaluate and verify AI Outputs before relying on them in any business or operational context. Use of AI Features is at Customer’s own discretion and risk.

1.6 Third Party Products. Customer may integrate Epicz Lab solutions and services with various third party products, applications and solutions. Customer’s use of these will be subject to the privacy policies and terms and conditions of such third party providers. Customer agrees that Epicz Lab makes no warranties regarding such Third Party integrations. Customer hereby waives any claim against Epicz Lab with respect to Customer’s handling of such Third Party solutions / integrations.

1.7 Publicity and Marketing. Epicz Lab may use Customer’s name, logo and trademarks to identify Customer as a client of Epicz Lab, on Epicz Lab website or other marketing materials.

1.8 Feedback. Epicz Lab welcomes input from its Customers to help continuously improve its Services. If Customer elects to share any comments, ideas, proposals, suggestions, or other forms of feedback regarding the functionality, usability, or performance of the Services (“Feedback”), such Feedback is entirely voluntary. Customer hereby grants Epicz Lab a non-exclusive, royalty-free, worldwide, irrevocable, transferable, and perpetual license to use, adapt, incorporate, and commercialize the Feedback in any manner Epicz Lab deems appropriate, including within future versions of its products or related offerings. This license includes the right to sublicense through multiple tiers and to seek intellectual property protection for any enhancements that originate from or are inspired by such Feedback. Epicz Lab will, however, ensure that no use of Feedback compromises its confidentiality obligations under Section 3. As between the Parties, Epicz Lab shall retain sole ownership of any resulting innovations or derivative works.

SECTION 2. FEES & PAYMENT

2.1.1. Fees. “Fees” means the fees payable by Customer to Epicz Lab for the applicable Services, as set forth on the Order Form. Customer is responsible for all Fees set forth in the Order Form. Epicz Lab will invoice Customer for such Fees using the billing information set forth therein.
Except as expressly set forth in this MSA, all payment obligations are non-cancelable and Fees are non-refundable and not subject to set off. In the event of non-payment of Fees by Customer for fifteen (15) days after the due date of an invoice, Epicz Lab reserves the right to (i) immediately suspend Customer’s access to the Services until Customer pays the entire remaining balance of Fees and/or (ii) charge interest on past due amounts at the lesser of one and a half percent (1.5%) or the highest interest rate allowed by law. Epicz Lab will promptly restore Customer’s access to the Services once such non-payment is cured.

2.1.2. Fee Disputes. If Customer has a bona fide belief that an invoice is incorrect, Customer must contact Epicz Lab within thirty (30) days of the date of the applicable invoice ("Dispute Period"). Upon receipt of such notice, Epicz Lab and Customer will work together in good faith to resolve the dispute and, if such disputed amount(s) are deemed legitimate, Customer agrees to pay such amounts promptly upon resolution of the dispute (and in any event, within 30 days thereafter). If Customer does not notify Epicz Lab of a dispute within the Dispute Period, all invoiced Fees will be deemed legitimate and owing in accordance with this MSA.

2.1.3. Taxes. Fees do not include taxes, levies, duties or similar governmental assessments of any nature, including, for example, any sales, use, GST, value-added, withholding, or similar taxes, whether domestic or foreign, or assessed by any jurisdiction (“Taxes”). Customer is responsible for paying all Taxes associated with its purchase of the Services, excluding Taxes based on Epicz Lab’s net income or receipts, property or employees.

2.2. Price Changes; Discounts and Promotions. Prices specified in the Order Form may include discounts or promotional pricing. Epicz Lab may change prices for the Services and/or discontinue or change any promotion, sale, or special offer in its sole discretion; provided that any such changes or discontinuations will only be effective upon the commencement of Customer’s next Service Period and will not impact the Fees payable for the then-current Service Period. Epicz Lab will provide Customer with reasonable notice of any Fee increases prior to the expiration of the then-current Service Period.

SECTION 3. CONFIDENTIALITY & SECURITY

3.1 Confidentiality. Each Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but no less than reasonable care) to keep confidential all material and information, regardless of whether technical, financial or commercial, received in whatever form from the other Party or its Affiliates and marked as confidential, or that should be understood to be confidential ("Confidential Information"). For the avoidance of doubt, any Autoliv Data shall be considered Confidential Information.
A Party shall have the right to:
1. use Confidential Information only for the purposes of the Agreement;
2. copy Confidential Information only to the extent necessary for the purposes of the Agreement; and
3. disclose Confidential Information to its employees, advisors and contractors and its Affiliates (including, for clarity, their employees, advisors and contractors) that need to know Confidential Information for the purposes of the Agreement.

The confidentiality obligations set out in this Section shall not, however, be applied to any material or information: i) that is generally available or otherwise public, other than if it is public through a breach of this Agreement on the part of the receiving Party or its Affiliates; or ii) that a Party or its Affiliate has received from a third party without any obligation of confidentiality; or iii) that was in the possession of the receiving Party or any of its Affiliates prior to receipt of the same from the other Party or its Affiliate without any obligation of confidentiality related thereto; or iv) that a Party or its Affiliate has independently developed without using material or information received from the other Party or its Affiliates. The Party receiving Confidential Information agrees to keep in a safe, secure and confidential place all materials forming part of the Confidential Information. Each Party shall cease using Confidential Information received from the other Party or its Affiliate promptly upon termination of the Agreement or when the respective Party or its Affiliates no longer needs the Confidential Information in question for the purposes of the Agreement.

3.2 Privacy and Security Practices. Epicz Lab will implement and maintain appropriate administrative, physical and technical safeguards during the Service Period to protect the security, confidentiality and integrity of Customer Information.

SECTION 4. DATA PROTECTION AND PROCESSING

4.1 Roles and Relationship. To the extent that Epicz Lab processes any Personal Data on behalf of Customer while providing the Services, the Parties acknowledge and agree that:

• Customer acts as the “Controller” and Epicz Lab acts as the “Processor,” or equivalent roles under applicable Data Protection Laws, and
• Such processing shall be subject to the terms of this Agreement and, where applicable, the Epicz Lab Data Processing Addendum (“DPA”), incorporated by reference or executed separately between the Parties.

4.2 Scope of Processing. Epicz Lab will process Personal Data solely:
• To deliver the Services and support under this Agreement,
• In accordance with Customer’s documented instructions, and
• As required by applicable law, provided Epicz Lab gives prior notice to Customer (unless legally prohibited).

4.3 Security Measures. Epicz Lab will maintain industry standard technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. These measures are further detailed in Epicz Lab’s Security Overview, as updated from time to time.

4.4 Subprocessors. Customer authorizes Epicz Lab to engage subprocessors to process Personal Data on its behalf, subject to:
• Written agreements with subprocessors imposing equivalent data protection obligations; and
• Epicz Lab remaining fully responsible for their acts and omissions.
A list of current subprocessors is available at [Insert Subprocessor URL]. Epicz Lab will notify Customer of any material changes.

4.5 International Transfers. Where Epicz Lab processes or transfers Personal Data outside of the European Economic Area (EEA) or other jurisdictions requiring cross-border safeguards, Epicz Lab shall ensure appropriate safeguards are in place, including but not limited to Standard Contractual Clauses, adequacy decisions, or other lawful mechanisms.

4.6 Assistance and Cooperation. Epicz Lab shall provide reasonable assistance to Customer for:
• Data subject rights requests (e.g., access, deletion),
• Regulatory inquiries or audits (limited to Epicz Lab’s role),
• Security incident notifications related to Personal Data,
in each case as required under applicable Data Protection Laws and to the extent such obligations apply to Epicz Lab’s processing activities.

4.7 Retention and Return. Upon termination or expiry of this Agreement, Epicz Lab will, at Customer’s written request, return or delete all Personal Data, unless retention is required by applicable law or permitted for ongoing legal or operational obligations.

4.8 Supplemental DPA. The Parties may enter into a separate Data Processing Addendum (DPA) to expand upon or further formalize the obligations under this clause. In the event of a conflict between the MSA and a signed DPA, the terms of the DPA shall prevail solely with respect to the processing of Personal Data.

SECTION 5. TERM, TERMINATION & RENEWAL

5.1 Commencement. This MSA commences on the Effective Date and will remain in effect until all Order Forms have expired or been terminated in accordance with this section 9. The Service Period for each Order Form shall be set forth therein. If the Order Form does not specify a Service Period, the Service Period shall be one (1) year from signature of the Order Form, with automatic renewal for successive one (1) year Service Periods, unless Customer provides Epicz Lab with written notice of termination at least thirty (30) days prior to the end of the then-current Service Period. A Party may terminate this Agreement or an Order Form with immediate effect upon written notice to the other Party under the following circumstances: i) if the other Party commits a material breach of its obligations under this Agreement and does not rectify such material breach by a specified date, which shall be no earlier than sixty (60) business days after the date of the initial written notice thereof; or ii) if the other Party becomes insolvent, ceases to do business, or seeks protection under any bankruptcy or comparable proceedings.

SECTION 6. LIABILITY, FORCE MAJEURE & GOVERNING LAW

6.1 Limitation of Liability. Neither party shall be liable for indirect, special, or consequential damages. Provider’s total liability shall not exceed the total fees paid by Customer in the twelve (12) months preceding the event. Neither Party will be liable towards the other Party for any indirect, punitive, special, incidental or consequential damages in connection with or arising out of this Agreement (including loss of business, revenue, profits, use, data or other economic advantage), however they arise, whether based on contract or in tort, including negligence, and even if that Party has previously been advised of, or could reasonably have foreseen, the possibility of such damages. Each Party's total, aggregated liability under or in connection with this Agreement shall in no event exceed any Subscription Fees paid by Customer to Epicz Lab during the past twelve (12) months immediately preceding the date of a claim. Nothing contained in this Agreement excludes or limits the liability of any Party for: i) death or personal injury caused by such person’s negligence; ii) fraud; iii) any matter with respect to which it would be illegal for such person to exclude or limit its liability; iv) willful or intentional misconduct; or v) breaches of the Confidentiality Section.

SECTION 7. GOVERNING LAW

7.1 Governing Law. This Agreement shall be governed by the substantive laws of Sweden excluding its rules of conflict of laws. Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English.

7.2 Entire Agreement. This Agreement, including all Order Forms and the SLA, constitutes the entire agreement between the parties and supersedes all prior agreements, proposals, or representations.