SERVICE LEVEL AGREEMENT
SaaS, Information Systems & Cybersecurity Services
For Enterprise Organizations, Governmental Bodies & Private Clients

LANCELOT TECHNOLOGIES LTD.
www.lancelotech.com | info@lancelotech.com

This Service Level Agreement constitutes a legally binding contract between LANCELOT TECHNOLOGIES Ltd. and its Clients. This document has been drafted in accordance with internationally recognized standards including ISO/IEC 20000, ISO/IEC 27001, ITIL v4, and applicable data protection frameworks. It is intended to be enforceable by governmental bodies, enterprise organizations, and private parties.

This Service Level
Agreement (hereinafter referred to as the "Agreement" or
"SLA") is entered into by and between LANCELOT TECHNOLOGIES Ltd., a
company duly organized and operating under applicable law, with its principal
place of business accessible at www.Lancelot Technologies.com (hereinafter
referred to as "the Provider," "LANCELOT TECHNOLOGIES," or
"the Company"), and the party identified as a registered user,
subscriber, customer, or contracting entity accessing or using the Provider's
services (hereinafter referred to as "the Client,"
"Customer," or "End User").
WHEREAS, the Provider
operates a technology platform and portfolio of services encompassing
Software-as-a-Service (SaaS) solutions, information systems management, and
cybersecurity services for both enterprise organizations and private
individuals;
WHEREAS, the Client wishes
to procure and utilize such services pursuant to the terms, conditions, and
service standards set forth herein;
WHEREAS, both parties
acknowledge that this Agreement shall constitute a legally binding instrument
enforceable under applicable national and international law, including but not
limited to treaties, regulations, and directives governing commercial services,
data protection, and cybersecurity;
NOW, THEREFORE, in
consideration of the mutual covenants, representations, warranties, and
obligations set forth herein, and for other good and valuable consideration,
the receipt and sufficiency of which are hereby acknowledged, the parties agree
as follows:
For the purposes of this
Agreement, the following terms shall have the meanings ascribed to them below,
unless the context otherwise requires:
| Term | Definition |
|---|---|
| "Agreement" | This Service Level Agreement, together with all Schedules, Exhibits, Order Forms, and amendments thereto, as may be updated from time to time. |
| "Services" | All SaaS products, information systems services, cybersecurity solutions, managed services, consulting services, and ancillary digital services provided by the Provider through its platform at www.Lancelot Technologies.com or via separate written Order Forms. |
| "Platform" | The Provider's proprietary technology infrastructure, software applications, APIs, and web-based interfaces through which the Services are delivered. |
| "Client Data" | Any data, information, records, files, content, or materials submitted, uploaded, transmitted, or processed by the Client or its Authorized Users through the Platform. |
| "Uptime" | The total time, expressed as a percentage, during which the Services are operational, accessible, and performing in accordance with the documented specifications. |
| "Downtime" | Any period during which the Services are entirely unavailable or critically degraded, excluding Scheduled Maintenance Windows and Exclusions as defined herein. |
| "Service Credits" | Monetary or in-service credits issued by the Provider to the Client as compensation for failure to meet specified Service Levels. |
| "Incident" | Any unplanned interruption, degradation, or reduction in the quality of the Services. |
| "Change Request" | A formal request submitted by the Client for modifications to the scope, configuration, or operation of the Services. |
| "Authorized Users" | Individuals designated and authorized by the Client to access and use the Services on behalf of the Client. |
| "Personal Data" | Any information relating to an identified or identifiable natural person, as defined under applicable data protection legislation including GDPR, Israeli Privacy Protection Law 5741-1981 (as amended), and other applicable frameworks. |
| "Security Incident" | Any actual or reasonably suspected unauthorized access, use, disclosure, modification, or destruction of Client Data or Provider systems. |
| "Force Majeure" | Events beyond the reasonable control of a party, including but not limited to acts of God, war, terrorism, governmental actions, pandemics, or major infrastructure failures attributable to third parties outside the Provider's control. |
| "SLA Credit Period" | The billing month during which an SLA breach occurred and in respect of which Service Credits may be claimed. |
| "MTTR" | Mean Time to Recovery — the average time elapsed between the identification of a Service Incident and full restoration of normal Service operation. |
| "MTBF" | Mean Time Between Failures — the average time between consecutive Service Incidents of the same category. |
| "RTO" | Recovery Time Objective — the maximum targeted duration within which a Service must be restored following a Disruption Event. |
| "RPO" | Recovery Point Objective — the maximum targeted period in which data may be lost due to a major Incident. |
• References to "including" or "includes" shall be construed as "including without limitation" and shall not be read as limiting the generality of any preceding words.
• Headings and titles are for convenience only and shall not affect the interpretation of this Agreement.
• References to statutes, regulations, or standards shall include any amendments, re-enactments, or successors thereto.
• Unless the context otherwise requires, the singular includes the plural and vice versa.
• Any obligation not to do something includes an obligation not to permit, authorize, or enable others to do that thing.
The Provider agrees to
deliver the following categories of services to the Client, subject to the
terms and conditions of this Agreement and any applicable Order Form:
• Provision of cloud-hosted software applications accessible via the Platform;
• User account management, access control, and multi-tenant environment administration;
• Regular software updates, patches, and feature releases at no additional charge unless otherwise specified;
• API access and integration capabilities as documented in the Provider's technical documentation;
• Mobile application access where applicable and as specified in the relevant Order Form.
• Systems design, architecture consulting, and implementation support;
• Infrastructure management and optimization services;
• Database administration, backup, and recovery services;
• IT governance advisory and enterprise architecture consulting;
• Digital transformation strategy and execution support;
• Business continuity planning and disaster recovery solution design.
• Vulnerability assessment and penetration testing (VAPT);
• Security Operations Center (SOC) monitoring and managed detection & response (MDR);
• Threat intelligence and risk assessment services;
• Compliance consulting (ISO 27001, NIST CSF, SOC 2, PCI-DSS, and applicable national frameworks);
• Incident response and digital forensics;
• Security awareness training and simulated phishing campaigns;
• Data Loss Prevention (DLP) implementation and management;
• Identity and Access Management (IAM) consulting and implementation;
• Zero-Trust architecture design and implementation support.
The Provider offers the
following service tiers, the specifications of which are set out in Schedule A
(Service Tier Specifications) attached hereto:
| Tier | Uptime SLA | Support Response | Intended For |
|---|---|---|---|
| Essential | 99.5% monthly | 8 business hours | Individuals / SME |
| Professional | 99.9% monthly | 4 business hours | Mid-size Organizations |
| Enterprise | 99.95% monthly | 2 business hours | Large Enterprises |
| Sovereign / Gov | 99.99% monthly | 1 hour / 24x7x365 | Governments / Defense |
The Provider commits to
maintaining Service Availability in accordance with the applicable service tier
as set forth in Article 2.2. Uptime percentage shall be calculated on a
calendar month basis using the following formula:
Uptime Calculation Formula
Uptime % = [(Total Minutes in Month − Downtime Minutes) ÷ Total Minutes in Month] × 100
Example (Enterprise Tier): 43,200 total minutes/month. Permitted Downtime = 0.05% × 43,200 = 21.6 minutes/month
Example (Sovereign/Gov Tier): 43,200 total minutes/month. Permitted Downtime = 0.01% × 43,200 = 4.32 minutes/month
Uptime measurements shall
be conducted by the Provider's internal monitoring systems, supplemented by
independent third-party monitoring tools where applicable. Measurement data
shall be made available to the Client upon written request and shall be the primary
reference for SLA credit calculations.
The Provider reserves the
right to conduct scheduled maintenance windows during which Services may be
temporarily unavailable or degraded. The following conditions apply to
Scheduled Maintenance:
• The Provider shall provide no less than seventy-two (72) hours' advance written notice for routine scheduled maintenance;
• For emergency maintenance required to address critical security vulnerabilities or imminent service-threatening issues, the Provider shall provide reasonable advance notice and shall endeavor to minimize disruption;
• Scheduled Maintenance shall, where possible, be conducted during low-traffic periods (typically between 02:00 and 06:00 local time of the primary service region);
• Sovereign and Government tier clients shall receive no less than five (5) business days' advance notice for non-emergency scheduled maintenance;
• Downtime attributable to properly notified Scheduled Maintenance shall be excluded from Uptime calculations.
In addition to Uptime
commitments, the Provider undertakes to maintain the following performance
standards for the Services:
| Performance Metric | Standard Target | Critical Threshold |
|---|---|---|
| API Response Time (P95) | ≤ 500 milliseconds | ≤ 1,000 milliseconds |
| Web Application Load Time | ≤ 3 seconds (P95) | ≤ 5 seconds |
| Data Processing Throughput | Per contracted capacity | Not below 80% of contracted |
| Security Event Detection (SOC) | ≤ 15 minutes | ≤ 30 minutes |
| Backup Completion | Daily, within maintenance window | Weekly minimum |
| Patch Deployment (Critical CVE) | ≤ 24 hours of disclosure | ≤ 72 hours |
| Incident Response Initiation | Per tier response SLA | Per tier × 1.5 |
All Service Incidents
shall be classified according to the following severity framework, which
governs response times, escalation procedures, and remediation priorities:
| Priority | Description | Initial Response | Resolution Target | Escalation |
|---|---|---|---|---|
| P1 — Critical | Complete service outage or major security breach affecting production | 30 min (24×7) | 4 hours | C-level + 1 hr |
| P2 — High | Significant degradation; major functionality unavailable | 2 hours (24×7) | 8 hours | Senior Mgr + 2 hr |
| P3 — Medium | Partial functionality impaired; workaround available | 4 business hours | 3 business days | Team Lead |
| P4 — Low | Minor issues, feature requests, general inquiries | 1 business day | 10 business days | Support Agent |
Clients shall report
Service Incidents through the following designated channels. The timestamp of
the first report received through an official channel shall constitute the
"Incident Start Time" for SLA measurement purposes:
• Primary: Provider's online support portal at support.Lancelot Technologies.com;
• Emergency (P1/P2): Dedicated emergency telephone line as communicated to the Client upon subscription;
• Secondary: Email to info@lancelotech.com (for P3/P4 incidents only);
• For Sovereign/Government tier clients: Dedicated account management contact as specified in the relevant Order Form.
The Provider shall
maintain transparent communication throughout the Incident lifecycle,
including:
• Acknowledgment of receipt within the applicable response SLA timeframe;
• Status updates at intervals no less frequent than every two (2) hours for P1 incidents;
• Root Cause Analysis (RCA) report delivered within five (5) business days of P1/P2 Incident resolution;
• Maintenance of a publicly accessible status page reflecting real-time Service status.
Should the Client
determine that an Incident is not being addressed with appropriate urgency or
is not progressing toward resolution within the specified timeframes, the
Client may invoke the escalation procedure:
1. Level 1 — Support Team Lead: Escalation to the Provider's designated Support Team Lead, available within the initial response window.
2. Level 2 — Service Delivery Manager: Escalation to the Provider's Service Delivery Manager if the Incident remains unresolved beyond 150% of the stated resolution target.
3. Level 3 — Executive Management: Escalation to the Provider's C-suite or designated executive contact for P1 incidents unresolved beyond four (4) hours.
4. Level 4 — Formal Dispute: Initiation of the formal dispute resolution procedure as set forth in Article 14 of this Agreement.
In the event that the
Provider fails to meet the Uptime commitments specified in this Agreement
during any calendar month, the Client shall be entitled to Service Credits in
accordance with the following schedule:
| Actual Monthly Uptime | SLA Breach Level | Service Credit |
|---|---|---|
| 99.0% – < Committed % | Minor Breach | 10% of monthly fee |
| 98.0% – < 99.0% | Moderate Breach | 20% of monthly fee |
| 95.0% – < 98.0% | Significant Breach | 30% of monthly fee |
| < 95.0% | Severe Breach | 50% of monthly fee |
| < 90.0% | Critical Breach | 100% of monthly fee |
To receive Service
Credits, the Client must submit a valid credit claim in writing within thirty
(30) calendar days following the end of the calendar month in which the SLA
breach occurred. The claim must include the Incident ticket reference numbers,
timestamps, and description of the impact experienced. Failure to submit within
this period shall constitute a waiver of the Client's right to Service Credits
for that period.
Service Credits shall not
apply, and the Provider shall not be held in breach of its Uptime commitments,
in the following circumstances:
• Downtime caused by Force Majeure events as defined herein;
• Downtime caused by the Client's own actions, configurations, or failures, including incorrect API usage or unauthorized modifications;
• Downtime during properly notified Scheduled Maintenance Windows;
• Downtime attributable to third-party services, providers, or infrastructure outside the Provider's direct control (including Internet backbone failures, DNS providers, or cloud infrastructure subcontractors), provided the Provider has exercised due diligence in selecting and monitoring such third parties;
• Suspension of Services for breach of payment obligations or violation of Acceptable Use provisions;
• Beta or preview features explicitly designated as such and not covered by production SLAs.
EXCEPT WHERE PROHIBITED BY
APPLICABLE LAW, SERVICE CREDITS SHALL CONSTITUTE THE CLIENT'S SOLE AND
EXCLUSIVE REMEDY, AND THE PROVIDER'S ENTIRE LIABILITY, FOR ANY FAILURE TO MEET
THE UPTIME OR PERFORMANCE COMMITMENTS SET FORTH IN THIS AGREEMENT. SERVICE CREDITS
SHALL NOT LIMIT THE CLIENT'S RIGHTS WITH RESPECT TO DATA PROTECTION BREACHES,
FRAUD, OR GROSS NEGLIGENCE, WHICH SHALL BE GOVERNED BY ARTICLE 12 OF THIS
AGREEMENT.
The Provider and Client
acknowledge that the processing of Personal Data under this Agreement is
subject to applicable data protection legislation, including but not limited
to:
• Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR) and any implementing legislation;
• Israeli Privacy Protection Law 5741-1981 and Amendment No. 13 thereto (as applicable);
• The Israeli Privacy Protection Regulations (Data Security) 5777-2017;
• The Network and Information Security (NIS2) Directive (EU) 2022/2555 where applicable;
• Any other applicable national or international data protection, privacy, or cybersecurity legislation.
With respect to Client
Data containing Personal Data, the Provider shall act as a Data Processor and
the Client shall act as the Data Controller, unless otherwise agreed in a
separate Data Processing Agreement (DPA). The Provider undertakes to:
• Process Personal Data solely on documented instructions from the Client and for no other purpose;
• Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
• Implement and maintain appropriate technical and organizational security measures in accordance with Article 6.3;
• Not engage sub-processors without prior specific or general written authorization from the Client, and impose equivalent data protection obligations on any authorized sub-processors;
• Assist the Client in fulfilling its obligations to respond to data subject rights requests within legally required timeframes;
• Delete or return all Personal Data upon termination of the Agreement, as instructed by the Client;
• Provide all information reasonably necessary to demonstrate compliance and cooperate with audits.
The Provider shall
maintain a comprehensive information security management system and implement
the following minimum technical and organizational measures:
• AES-256 encryption for all Client Data stored on Provider infrastructure;
• TLS 1.2 or higher for all data transmitted between Client systems and the Platform;
• End-to-end encryption for sensitive communications involving classified or highly sensitive data.
• Multi-factor authentication (MFA) enforced for all administrative and privileged access;
• Role-based access control (RBAC) with principle of least privilege;
• Regular access reviews and immediate de-provisioning upon personnel changes;
• Privileged Access Management (PAM) for all critical infrastructure access.
• 24×7 Security Operations Center (SOC) monitoring;
• Security Information and Event Management (SIEM) system with automated alerting;
• Intrusion Detection and Prevention Systems (IDS/IPS);
• Continuous vulnerability scanning and management.
In the event of a Security
Incident involving Personal Data, the Provider shall:
• Notify the Client without undue delay, and no later than seventy-two (72) hours after becoming aware of the breach, where feasible;
• Provide the Client with sufficient information to enable the Client to fulfill its own notification obligations to supervisory authorities and data subjects;
• Cooperate fully with the Client and relevant regulatory authorities in the investigation and remediation of the breach;
• Implement immediate containment measures and document all actions taken in a formal Incident Report.
The Provider shall
maintain Client Data within the geographic regions specified in the applicable
Order Form or as agreed in writing. Where Sovereign or Government tier services
are procured, the Provider shall provide written certification of data residency
compliance upon request. Cross-border data transfers shall only be undertaken
in compliance with applicable legal transfer mechanisms, including Standard
Contractual Clauses or equivalent approved transfer mechanisms.
The Provider shall
maintain and operate its Services in accordance with internationally recognized
cybersecurity standards and shall at all times:
• Hold and maintain certification to ISO/IEC 27001 (Information Security Management) or demonstrate equivalent security posture;
• Conduct annual independent penetration testing of its production environment by qualified third-party security professionals;
• Maintain a documented and tested vulnerability disclosure and patch management program;
• Apply critical security patches within twenty-four (24) hours and high-severity patches within seventy-two (72) hours of official disclosure;
• Conduct annual security awareness training for all personnel with access to Client Data;
• Maintain written information security policies and procedures, reviewed annually;
• Maintain appropriate cyber insurance coverage and provide evidence thereof upon request.
The Client acknowledges
shared responsibility for security outcomes and undertakes to:
• Maintain the confidentiality of all account credentials and promptly notify the Provider of any suspected unauthorized access;
• Ensure all Authorized Users employ strong authentication practices, including MFA where supported;
• Maintain its own systems, endpoints, and networks in a secure and patched state;
• Not conduct unauthorized security testing, scanning, or probing of the Provider's infrastructure;
• Comply with the Provider's Acceptable Use Policy as set out in Schedule B;
• Promptly report any suspicious activity or potential security incident observed in connection with the Services.
In the event of a Security
Incident affecting the Services, the parties agree to cooperate in accordance
with the following framework:
5. Identification: Either party identifying a Security Incident shall notify the other within the timeframes specified in Article 4.2.
6. Containment: The Provider shall implement immediate containment measures and provide the Client with a preliminary impact assessment within four (4) hours of P1 Security Incidents.
7. Eradication and Recovery: The Provider shall document and execute a remediation plan, with the Client's cooperation as required.
8. Post-Incident Review: A formal Root Cause Analysis shall be provided within five (5) business days, including recommendations for preventing recurrence.
9. Evidence Preservation: Both parties shall preserve all relevant logs, records, and evidence in accordance with applicable legal and regulatory requirements.
Access to and use of the
Services shall be subject to the payment of applicable subscription fees as set
out in the Client's Order Form or as published on the Provider's website.
Subscription terms may be monthly or annual and shall auto-renew unless either
party provides written notice of non-renewal no less than thirty (30) days
prior to the end of the then-current subscription term.
The Provider reserves the
right to adjust subscription fees upon no less than sixty (60) days' advance
written notice to the Client. Fee adjustments shall take effect at the
commencement of the next renewal period. The Client's continued use of the
Services following the effective date of a fee adjustment shall constitute
acceptance thereof. In the event the Client does not accept an adjustment, the
Client may terminate the subscription in accordance with Article 9.
• All fees are due upon the commencement of the applicable subscription term or renewal, unless otherwise specified in the Order Form;
• Payment may be made via credit card, bank transfer, or such other methods as the Provider may designate;
• Late payments shall accrue interest at the rate of 1.5% per month, or the maximum rate permitted by applicable law, whichever is lower;
• The Provider reserves the right to suspend Services upon thirty (30) days' written notice where fees remain overdue, subject to dispute resolution provisions;
• All fees are exclusive of applicable taxes, duties, and levies, which shall be borne by the Client.
Subscription fees are
generally non-refundable, except where:
• The Client exercises a statutory right of cancellation within any cooling-off period mandated by applicable consumer protection law;
• The Provider materially fails to deliver the contracted Services and fails to remedy such failure within a reasonable cure period;
• The Agreement is terminated by the Client for cause in accordance with Article 9.3;
• A prepaid annual subscription is terminated by the Provider without cause prior to the subscription period end, in which case a pro-rated refund shall be provided for the unused portion.
This Agreement shall
commence on the Effective Date and shall remain in full force and effect for
the duration of the active subscription term, and shall continue for successive
renewal periods unless terminated in accordance with this Article.
Either party may terminate
this Agreement for convenience by providing no less than thirty (30) calendar
days' written notice to the other party. Such termination shall take effect at
the end of the then-current billing cycle. Annual subscribers terminating for
convenience shall not be entitled to a refund of prepaid fees except as
expressly provided in Article 8.4.
Either party may terminate
this Agreement immediately upon written notice if the other party:
• Materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) days of written notice specifying the breach;
• Becomes insolvent, makes an assignment for the benefit of creditors, or is subject to bankruptcy or liquidation proceedings;
• Commits fraud, misrepresentation, or willful misconduct in connection with the Services;
• In the case of Client: uses the Services in violation of applicable law or in a manner that poses a direct threat to the Provider's infrastructure or other clients.
Upon termination of this
Agreement for any reason:
• All licenses and rights granted to the Client shall immediately cease;
• The Provider shall provide the Client with a thirty (30) day data export window during which the Client may retrieve all Client Data in a standard machine-readable format;
• Following the data export window, the Provider shall securely delete all Client Data, unless retention is required by applicable law;
• Any accrued but unpaid fees shall remain due and payable;
• Provisions of this Agreement that by their nature survive termination shall remain in full force and effect.
The Provider may suspend
access to the Services immediately and without prior notice in the following
circumstances:
• Where the Client's use of the Services poses an imminent threat to the security, integrity, or availability of the Provider's systems or other clients' data;
• Where legally required to do so by a competent governmental or judicial authority;
• Where the Client is in material breach of the Acceptable Use Policy.
In all other cases of
suspension (including non-payment), the Provider shall provide no less than
forty-eight (48) hours' advance written notice. The Provider shall lift any
suspension promptly upon resolution of the underlying cause.
The Client acknowledges
that the Provider retains all right, title, and interest in and to the
Platform, Services, software, documentation, methodologies, know-how, and all
related intellectual property rights (collectively, "Provider IP").
Nothing in this Agreement shall be construed as a transfer of any Provider IP
to the Client. The Client is granted a limited, non-exclusive,
non-transferable, revocable license to access and use the Services solely for
its internal business purposes during the term of this Agreement.
The Client retains all
right, title, and interest in and to Client Data. The Client grants the
Provider a limited, non-exclusive license to access, process, store, and use
Client Data solely to the extent necessary to provide the Services and fulfill
obligations under this Agreement. The Provider shall not use Client Data for
any other purpose, including product development, marketing, or sale to third
parties.
Where the Client provides
feedback, suggestions, or recommendations regarding the Services, the Provider
may use such input to improve its products and services. The Client hereby
grants the Provider a non-exclusive, royalty-free, perpetual license to incorporate
such feedback into its products, without obligation to compensate the Client
therefor.
The Client shall not, and
shall not permit any third party to:
• Reverse engineer, decompile, disassemble, or attempt to derive the source code of any software component of the Services;
• Copy, modify, distribute, sell, or resell the Services or any portion thereof without the Provider's express written consent;
• Remove or obscure any proprietary notices, labels, or marks on the Services;
• Use the Provider's trademarks, logos, or branding without prior written authorization;
• Create derivative works based upon the Services or the Provider's documentation.
Each party (as
"Disclosing Party") may disclose to the other party (as
"Receiving Party") information that is confidential in nature.
"Confidential Information" means any non-public information disclosed
by either party in connection with this Agreement, including but not limited
to: technical information, business plans, pricing, client data, security
architectures, and proprietary methodologies, whether disclosed in written,
oral, electronic, or any other form.
Each Receiving Party
undertakes to:
• Hold all Confidential Information in strict confidence using no less than the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care;
• Use Confidential Information solely for the purposes of performing its obligations or exercising its rights under this Agreement;
• Not disclose Confidential Information to any third party without the Disclosing Party's prior written consent, except as permitted herein;
• Limit access to Confidential Information to those personnel and authorized sub-processors who have a legitimate need-to-know and are bound by equivalent confidentiality obligations.
Confidentiality
obligations shall not apply to information that: (a) is or becomes publicly
available through no act or omission of the Receiving Party; (b) was rightfully
known to the Receiving Party prior to disclosure; (c) is received from a third
party without restriction; or (d) is independently developed by the Receiving
Party without use of Confidential Information.
Where a Receiving Party is
compelled to disclose Confidential Information pursuant to applicable law,
court order, or governmental authority, the Receiving Party shall: (i) provide
prompt written notice to the Disclosing Party to the extent legally permissible;
(ii) cooperate with the Disclosing Party in seeking a protective order or
similar relief; and (iii) disclose only the minimum information required to
comply with the legal obligation.
The obligations of
confidentiality set forth in this Article shall survive the termination or
expiration of this Agreement for a period of five (5) years, except with
respect to trade secrets, for which such obligations shall survive
indefinitely.
The Provider represents
and warrants that:
• It has full power and authority to enter into this Agreement and to perform its obligations hereunder;
• The Services shall be provided with reasonable skill and care, in a professional and workmanlike manner consistent with recognized industry standards;
• The Services shall operate in material conformity with the applicable documentation and specifications;
• It has obtained and shall maintain all necessary licenses, permits, and authorizations required to provide the Services;
• The Platform does not, to the Provider's knowledge, infringe upon the intellectual property rights of any third party;
• It shall comply with all applicable laws and regulations in the provision of the Services.
The Client represents and
warrants that:
• It has full legal authority to enter into this Agreement and to submit Client Data to the Services;
• Client Data and the Client's use of the Services do not violate any applicable law, regulation, or third-party rights;
• All information provided to the Provider during the registration and subscription process is accurate, complete, and current;
• It shall use the Services solely in accordance with this Agreement and applicable law.
EXCEPT AS EXPRESSLY SET
FORTH IN ARTICLE 12.1, THE SERVICES ARE PROVIDED ON AN "AS IS" AND
"AS AVAILABLE" BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, THE PROVIDER EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
NON-INFRINGEMENT, AND ACCURACY. THE PROVIDER DOES NOT WARRANT THAT THE SERVICES
WILL BE ENTIRELY ERROR-FREE OR THAT ALL DEFECTS WILL BE CORRECTED, BUT
UNDERTAKES TO ADDRESS DEFECTS IN ACCORDANCE WITH THE INCIDENT MANAGEMENT
PROCEDURES SET FORTH HEREIN.
TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE
OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL, OR
PUNITIVE DAMAGES (INCLUDING LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF BUSINESS
OPPORTUNITY, OR LOSS OF DATA) ARISING OUT OF OR IN CONNECTION WITH THIS
AGREEMENT OR THE USE OR INABILITY TO USE THE SERVICES, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
THE PROVIDER'S TOTAL
CUMULATIVE LIABILITY TO THE CLIENT FOR ANY AND ALL CLAIMS ARISING OUT OF OR IN
CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING
NEGLIGENCE), OR OTHERWISE, SHALL NOT EXCEED THE TOTAL FEES PAID BY THE CLIENT
TO THE PROVIDER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT
GIVING RISE TO THE CLAIM.
The limitations of liability set forth in Article 13.1 shall not apply to:
• Liability for death or personal injury caused by either party's negligence;
• Liability for fraud or willful misconduct;
• The Provider's indemnification obligations under Article 13.4;
• Breaches of confidentiality obligations under Article 11;
• Liability for data protection breaches arising from the Provider's non-compliance with applicable law, up to the maximum extent permitted by data protection legislation.
The Client shall defend,
indemnify, and hold harmless the Provider and its officers, directors,
employees, agents, and subcontractors from and against any claims, liabilities,
damages, losses, costs, and expenses (including reasonable legal fees) arising
out of or in connection with: (a) the Client's breach of this Agreement; (b)
the Client's use of the Services in violation of applicable law; (c) Client
Data infringing the rights of any third party; or (d) the Client's gross
negligence or willful misconduct.
The Provider shall defend,
indemnify, and hold harmless the Client from and against any claims that the
Services, as delivered by the Provider and used by the Client in accordance
with this Agreement, infringe the intellectual property rights of any third
party, provided that the Client: (a) promptly notifies the Provider of any such
claim; (b) grants the Provider sole control of the defense; and (c) cooperates
reasonably with the Provider's defense efforts.
The parties shall attempt
in good faith to resolve any dispute, controversy, or claim arising out of or
relating to this Agreement (a "Dispute") through informal
negotiation. Either party may initiate such negotiations by providing written
notice specifying the nature of the Dispute. The parties shall endeavor to
resolve the Dispute within thirty (30) calendar days of such notice.
If the Dispute is not
resolved through informal negotiation within thirty (30) days, either party may
refer the matter to non-binding mediation before a mutually agreed mediator.
The costs of mediation shall be shared equally between the parties.
If the Dispute remains
unresolved following mediation, or if either party declines mediation, the
Dispute shall be finally resolved by binding arbitration in accordance with the
rules of a mutually agreed international arbitration institution (including,
without limitation, the International Chamber of Commerce (ICC) or the United
Nations Commission on International Trade Law (UNCITRAL) Arbitration Rules).
The arbitral award shall be final and binding and may be enforced in any court
of competent jurisdiction.
This Agreement shall be
governed by and construed in accordance with applicable law as specified in the
Client's Order Form or, absent such specification, the laws of the State of
Israel. For Clients domiciled within the European Union, matters relating to
GDPR compliance shall be subject to the laws of the applicable EU member state.
The parties consent to the exclusive jurisdiction of the courts specified in
the relevant Order Form for any matter not subject to arbitration under this
Article.
Notwithstanding the
foregoing, either party may seek emergency injunctive or other equitable relief
from a court of competent jurisdiction where necessary to prevent irreparable
harm, including in cases of imminent data breach, intellectual property infringement,
or violation of confidentiality obligations.
The Provider shall
maintain and regularly test a comprehensive Business Continuity Plan (BCP) that
ensures the continued delivery of critical Services in the event of a major
disruption. The BCP shall be reviewed and updated at least annually and following
any significant Incident.
The Provider commits to
the following recovery objectives for production services, subject to
tier-specific variations as set out in Schedule A:
| Service Tier | RTO (Max) | RPO (Max) | Backup Frequency |
|---|---|---|---|
| Essential | 24 hours | 24 hours | Daily |
| Professional | 8 hours | 8 hours | Every 6 hours |
| Enterprise | 4 hours | 4 hours | Hourly |
| Sovereign / Gov | 1 hour | 15 minutes | Continuous / PITR |
The Provider shall at all
times operate its Services in compliance with applicable laws, regulations, and
internationally recognized standards, including but not limited to ISO/IEC
27001, ISO/IEC 22301, SOC 2 Type II, GDPR, and applicable Israeli privacy and
cybersecurity legislation. The Provider shall maintain documentary evidence of
such compliance and shall make it available to the Client or its designated
auditors upon reasonable request.
Enterprise and
Sovereign/Government tier Clients shall have the right to conduct, or
commission an independent third party to conduct, an audit of the Provider's
security and compliance posture no more than once per calendar year, upon
thirty (30) days' advance written notice. Audits shall be conducted during
normal business hours, shall not unreasonably interfere with the Provider's
operations, and shall be subject to appropriate confidentiality protections.
The Client shall bear the cost of such audits unless the audit reveals a
material non-compliance, in which case the Provider shall bear reasonable audit
costs.
The Provider shall, upon request, provide the Client with:
• Copies of current ISO 27001 certificates or equivalent;
• SOC 2 Type II audit reports (subject to appropriate NDA);
• Penetration testing summary reports (redacted as appropriate);
• GDPR Data Processing Impact Assessments where relevant;
• Business Continuity and Disaster Recovery test results.
The Services are provided
for lawful business and personal use in accordance with this Agreement and
applicable law. Clients and Authorized Users may use the Services to access the
features and functionalities described in the Provider's documentation for
legitimate operational purposes.
The following activities are strictly prohibited in connection with the Services:
• Transmitting, storing, or processing any content that is unlawful, harmful, threatening, abusive, defamatory, obscene, or otherwise objectionable;
• Engaging in any activity that violates applicable export control laws, sanctions, or embargoes;
• Attempting to gain unauthorized access to other clients' data or to restricted portions of the Provider's infrastructure;
• Conducting or facilitating any form of distributed denial-of-service (DDoS) attack, malware distribution, phishing, or other malicious cyber activity;
• Mining cryptocurrency or conducting any unauthorized resource-intensive computation on Provider infrastructure;
• Circumventing or attempting to circumvent any security controls, access restrictions, or license enforcement mechanisms;
• Using the Services to develop or test offensive cyber capabilities without the Provider's express written authorization;
• Violating any applicable privacy law or processing Personal Data in a manner inconsistent with this Agreement.
The Provider reserves the
right to investigate any suspected violation of this Acceptable Use Policy and
to take appropriate action, including suspension or termination of Services,
reporting to law enforcement authorities, and pursuing legal remedies.
The Provider reserves the
right to amend this Agreement from time to time to reflect changes in law,
regulatory requirements, industry standards, or Provider operational practices.
Amendments shall be communicated to the Client via email to the registered
account address and/or via notice on the Provider's website no less than thirty
(30) calendar days prior to the effective date of the amendment. The Client's
continued use of the Services following the effective date of an amendment
shall constitute acceptance of the amended terms. Clients who do not accept an
amendment may terminate the Agreement in accordance with Article 9.2.
Official communications under this Agreement shall be made in writing via:
• Email to the registered account address (for operational notices, SLA reports, and incident communications);
• Registered post or courier to the registered business address (for formal legal notices, including termination);
• In-platform notifications (for minor updates, maintenance schedules, and feature announcements).
Notices shall be deemed
received: upon confirmation of email delivery or, absent such confirmation,
twenty-four (24) hours after dispatch; or upon actual delivery in the case of
posted notices.
The Services may integrate
with or provide access to third-party software, APIs, and services. Such
third-party services are subject to their own terms and conditions, and the
Provider assumes no liability for the availability, accuracy, security, or functionality
of third-party services. The Client's use of third-party integrations is at its
own risk.
The Provider may engage
sub-processors to assist in the delivery of the Services. The Provider shall
maintain and make available to the Client an up-to-date list of sub-processors
upon request. The Provider shall ensure that all sub-processors are bound by
data protection obligations at least equivalent to those set forth in this
Agreement. The Provider shall remain liable to the Client for the acts and
omissions of its sub-processors as if they were the Provider's own acts and
omissions.
This Agreement, together
with all Schedules, Order Forms, and any Data Processing Agreement executed
between the parties, constitutes the entire agreement between the parties with
respect to its subject matter and supersedes all prior agreements, understandings,
negotiations, and representations, whether written or oral, relating to the
same subject matter.
If any provision of this
Agreement is found by a court or arbitral tribunal of competent jurisdiction to
be invalid, illegal, or unenforceable, such provision shall be modified to the
minimum extent necessary to make it valid and enforceable, and the remaining
provisions shall continue in full force and effect.
No failure or delay by
either party in exercising any right or remedy under this Agreement shall
constitute a waiver of that right or remedy. No waiver shall be effective
unless made in writing and signed by an authorized representative of the
waiving party.
The Client may not assign
or transfer any of its rights or obligations under this Agreement without the
prior written consent of the Provider, which shall not be unreasonably
withheld. The Provider may assign this Agreement in connection with a merger, acquisition,
corporate reorganization, or sale of substantially all of its assets, provided
the assignee assumes all obligations hereunder. Any attempted assignment in
violation of this Article shall be void.
Neither party shall be in
breach of this Agreement nor liable for any delay in performing, or failure to
perform, any of its obligations under this Agreement if such delay or failure
results from Force Majeure events. The affected party shall promptly notify the
other party in writing of the Force Majeure event and its expected duration,
and shall use reasonable endeavors to mitigate its effects. If a Force Majeure
event continues for more than sixty (60) days, either party may terminate the
Agreement upon written notice without liability, other than for fees in respect
of Services already rendered.
The parties are
independent contractors and this Agreement does not create any partnership,
joint venture, employment, agency, or franchise relationship between the
parties. Neither party has the authority to bind the other party or to incur
any obligation on behalf of the other party.
This Agreement is executed
in the English language. In the event of any conflict between an English
version and any translation, the English version shall prevail. For
Sovereign/Government clients in jurisdictions where local law mandates a
specific language for contracts, a certified translation shall be appended as a
Schedule, with the English version remaining authoritative.
This Agreement may be
executed in one or more counterparts, each of which shall be deemed an original
and all of which together shall constitute one and the same instrument.
Electronic signatures shall be deemed equivalent to original signatures for all
purposes of this Agreement, in accordance with applicable electronic signature
legislation.
By accessing the Services,
accepting this Agreement electronically, or executing an Order Form that
references this SLA, the parties acknowledge that they have read, understood,
and agree to be bound by all terms and conditions set forth herein. This Agreement
shall become legally binding upon the Client's acceptance or upon the
commencement of Services, whichever occurs first.
SCHEDULE A — SERVICE TIER SPECIFICATIONS
This Schedule forms an
integral part of the Service Level Agreement and sets forth the detailed
specifications for each service tier. Tier specifications are subject to review
and update on an annual basis, with thirty (30) days' advance written notice to
Clients.
Essential Tier — Specification Summary
• Uptime SLA: 99.5% monthly | Permitted Downtime: ~3.6 hours/month
• Support: Email and portal, 8 business hours response
• Backup: Daily, 7-day retention
• Security: Standard encryption, MFA, quarterly vulnerability scans
• Data Residency: Shared cloud infrastructure, region selectable
• Suitable For: Individual professionals, startups, small businesses
Professional Tier — Specification Summary
• Uptime SLA: 99.9% monthly | Permitted Downtime: ~43 minutes/month
• Support: Email, portal, and phone, 4 business hours response
• Backup: Every 6 hours, 30-day retention
• Security: Enhanced encryption, WAF, monthly vulnerability scans, DLP
• Data Residency: Dedicated region, geographic selection
• Suitable For: Mid-size organizations, regulated industries
Enterprise Tier — Specification Summary
• Uptime SLA: 99.95% monthly | Permitted Downtime: ~21 minutes/month
• Support: Dedicated Account Manager, 24x7 priority support, 2-hour response
• Backup: Hourly, 90-day retention, cross-region replication
• Security: Zero-trust architecture, 24x7 SOC, MDR, monthly pen-test
• Data Residency: Dedicated cloud environment, compliance-verified
• Suitable For: Large enterprises, financial institutions, healthcare
Sovereign / Government Tier — Specification Summary
• Uptime SLA: 99.99% monthly | Permitted Downtime: ~4.3 minutes/month
• Support: 24x7x365 dedicated team, 1-hour response, C-level escalation path
• Backup: Continuous / Point-in-Time Recovery (PITR), 1-year retention
• Security: Air-gapped options available, classified data handling, TEMPEST-rated facilities (where applicable), bi-annual pen-test
• Data Residency: In-country or dedicated sovereign cloud, certified compliance
• Suitable For: Government agencies, defense, critical national infrastructure
SCHEDULE B — ACCEPTABLE USE POLICY (SUMMARY)
This Schedule provides a
summary of acceptable use obligations. Clients must ensure all Authorized Users
are informed of and comply with these requirements. The full Acceptable Use
Policy is published at www.Lancelot Technologies.com/acceptable-use and is
incorporated herein by reference.
• Services may only be used for lawful purposes and in compliance with applicable legislation.
• Transmission or storage of malicious code, exploits, or content facilitating illegal activity is strictly prohibited.
• Unauthorized access attempts, security probing, or exploitation of vulnerabilities are prohibited.
• Clients bear full responsibility for the actions of their Authorized Users.
• Resource usage must remain within contracted limits; excessive usage affecting other clients may result in throttling or suspension.
• The Provider's support channels must not be used abusively or in bad faith.
SCHEDULE C — CONTACT DIRECTORY AND ESCALATION MATRIX
Contact details for
operational purposes are maintained in the Client's secure account portal. For
legal and formal notices, the following address shall apply:
Provider Contact Information
• Company: LANCELOT TECHNOLOGIES Ltd.
• Website: www.Lancelot Technologies.com
• Support Portal: support.Lancelot Technologies.com
• General Enquiries: info@lancelotech.com
• Support: info@lancelotech.com
• Legal / Formal Notices: info@lancelotech.com
• Data Protection Officer: info@lancelotech.com
• Emergency (P1/P2): As communicated to Client upon subscription activation