Master Service Agreement

PLEASE READ THIS AGREEMENT BEFORE USING CHECKTIV’S SERVICES. BY ACCESSING OR USING THE CHECKTIV IDENTITY-VERIFICATION PLATFORM, YOU (“Customer”) SIGNIFY ACCEPTANCE OF AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT AS OF THE DATE YOU FIRST ACCESS THE SAAS SERVICES. IF YOU DO NOT AGREE, DO NOT ACCESS OR USE THE SERVICES.

This Master Service Agreement (“SaaS Agreement” or “Agreement”) is entered into between Customer and Autohost, Inc., operating as Checktiv (“Provider” or “Checktiv”), a corporation incorporated under the laws of Canada with its principal place of business at 280 Howland Ave, Suite PH18, Toronto, ON, M5R 0C3, Canada. Provider and Customer agree that the following terms and conditions apply to the Services.

Article I. Definitions

“Authorized User” means each Customer employee or contractor designated by Customer to access and administer the SaaS Services on Customer’s behalf.

“Customer Content” means all data and materials provided by Customer, or by Applicants through Customer’s verification workflows, to Provider for use in connection with the SaaS Services.

“Applicant” means an individual whose identity Customer verifies or screens using the SaaS Services.

“Data Controller” or “Controller” has the meaning given in the GDPR.

“Data Processing Agreement” or “DPA” means the data processing agreement between the parties governing Provider’s processing of Personal Data on Customer’s behalf, incorporated into this Agreement by reference.

“Documentation” means the user guides, online help, release notes, and other documentation Provider makes available regarding the use or operation of the SaaS Services.

“Force Majeure Event” means any delay, loss, damage, cost, or claim caused by or resulting from: (a) any prohibition, enactment, embargo, or other limitation imposed by any government or authority; (b) war, terrorism, industrial action, or civil commotion; (c) fire, storm, flood, or other casualty; (d) the failure or withdrawal of a public or utility service; (e) acts of God; or (f) any other cause beyond Provider’s reasonable control.

“GDPR” means the European General Data Protection Regulation 2016/679.

“Personal Data” means any information about an identified or identifiable individual that Provider processes on Customer’s behalf under this Agreement.

“SaaS Services” means the Checktiv identity-verification platform, hosted by Provider or its service providers and made available to Customer over a network on a term-use basis, as identified in a Schedule.

“Schedule” means a written document attached to or executed under this Agreement for the purpose of purchasing SaaS Services.

“Software” means the object-code version of any software to which Customer is provided access as part of the Services, including updates and new versions.

“Services” means, collectively, the SaaS Services, the Support Services, and the Maintenance Services.

“Service Level Failure” means a material failure of the SaaS Services to meet the Availability Requirement.

“Subscription Term” means the period during which Customer has access to the SaaS Services. Unless a Schedule states otherwise, the Subscription Term renews for successive 12-month periods unless either party delivers written notice of non-renewal at least 60 days before expiration of the then-current term.

“Support and Maintenance Services” means Provider’s standard customer support and maintenance services as described in Exhibit A.

Article II. SaaS Services

2.01 License. During the Subscription Term, Customer receives a non-exclusive, non-assignable, royalty-free, worldwide right to access and use the SaaS Services solely for its internal business operations, subject to this Agreement.

2.02 No Delivery. This Agreement is a services agreement. Provider will not deliver copies of Software to Customer.

Article III. Restrictions

Customer will not, and will not permit anyone to: (a) copy or republish the Services, Software, or Documentation; (b) make the Services available to any person other than Authorized Users; (c) use or access the Services, Software, or Documentation to provide service-bureau, time-sharing, or similar services to third parties; (d) modify or create derivative works based on the Services, Software, or Documentation; (e) remove, modify, or obscure any proprietary notices; (f) reverse engineer, decompile, or disassemble the Services, Software, or Documentation, except to the extent applicable law expressly permits; or (g) access the Services, Software, or Documentation to build a similar or competitive product.

Subject to the limited licenses granted in this Agreement, Provider owns all right, title, and interest in and to the Software, Services, Documentation, and other deliverables, including all modifications, improvements, upgrades, derivative works, and feedback, and all intellectual property rights in them. Customer assigns to Provider all right, title, and interest it may have in the foregoing.

Article IV. Customer Responsibilities

4.01 Assistance. Customer will provide commercially reasonable information and assistance to enable Provider to deliver the SaaS Services. Provider’s ability to deliver the SaaS Services may depend on the accuracy and timeliness of that information.

4.02 Compliance with Laws. Customer will comply with all applicable laws in connection with its use of the Services, including laws related to data protection and privacy, biometric information, consumer protection, anti-discrimination, background screening, and international communications. Customer acknowledges that Provider exercises no control over the content of information transmitted by Customer or its Applicants through the SaaS Services. Customer is responsible for establishing a lawful basis for each verification, for providing all required notices to and obtaining all required consents from Applicants (including any consent required for biometric processing and for sanctions, watchlist, or background-check screening), and for using verification results lawfully. Before enabling any sanctions, watchlist, or background-check screening, Customer certifies that it has a permissible purpose for the screening under the FCRA and similar laws, that where the screening is used for employment purposes it has made the disclosures and obtained the authorizations required by 15 U.S.C. 1681b(b)(2), that it will provide any required pre-adverse-action and adverse-action notices, and that it complies with applicable fair-chance and ban-the-box laws.

4.03 Unauthorized Use; False Information. Customer will: (a) notify Provider immediately of any unauthorized account use or known or suspected security breach; (b) use reasonable efforts to stop any known or suspected unauthorized use of the SaaS Services; and (c) not provide false identity information to access or use the SaaS Services.

4.04 Authorized Users. Customer is solely responsible for the acts and omissions of its Authorized Users. Provider is not liable for any loss of data, including unauthorized access to Personal Data, caused by an Authorized User.

4.05 Customer Input. Customer is solely responsible for collecting, inputting, and updating Customer Content and for ensuring that Customer Content does not: (a) infringe or misappropriate any third party’s intellectual property right; or (b) contain anything obscene, defamatory, harassing, or malicious.

4.06 License from Customer. Subject to this Agreement, Customer grants Provider a limited, non-exclusive, non-transferable license to copy, store, configure, perform, display, and transmit Customer Content solely as necessary to provide the SaaS Services and as permitted by the DPA.

4.07 Third-Party API Access. Customer is responsible for obtaining and paying for any third-party software or APIs required for its integration with the SaaS Services.

4.08 Ownership and Restrictions. Customer retains ownership of and intellectual property rights in Customer Content. Provider and its licensors retain all ownership and intellectual property rights in the Services, Software, and Documentation. Third-party technology used with the platform is governed by the applicable third-party license.

4.09 Suggestions. Customer grants Provider a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate any suggestions, enhancement requests, or other feedback relating to the SaaS Services.

4.10 Non-Solicitation. During the Subscription Term and for one year after, Customer will not directly or indirectly solicit for employment any person employed or engaged by Provider and involved with the Services, except that a general advertisement not specifically directed at such persons, and the hiring of anyone who responds to it, is not a breach of this Section.

Article V. Orders and Payments

5.01 Orders. Customer orders SaaS Services under a Schedule. All Services are governed by this Agreement and the applicable Schedule. If a Schedule conflicts with this Agreement, the Schedule controls.

5.02 Invoicing and Payment. Unless a Schedule states otherwise, Provider invoices Customer monthly. The default payment method is credit card, due on the invoice date; if Customer is approved to pay by invoice, payment is due within thirty (30) days. All fees are stated and payable in U.S. dollars.

Annual Commitment fees, if any, are prepaid according to the Schedule, with the first payment invoiced on execution. Prepaid amounts are non-refundable once the applicable billing period begins. Overages, if any, are invoiced monthly in arrears at the rates in the Schedule. The full Annual Commitment remains due over the contract term regardless of usage.

Customer must notify Provider in writing of any disputed charge within 60 days of the invoice date; disputes submitted after that period are waived.

5.03 Expenses. Customer will reimburse Provider for reasonable, pre-approved, out-of-pocket expenses incurred in performing the Services.

5.04 Taxes. Provider will bill applicable taxes as a separate line item. Customer is responsible for all sales, use, value-added, and similar taxes relating to its purchase and use of the Services, excluding taxes on Provider’s net income.

Article VI. Term and Termination

6.01 Term. This Agreement begins on the date Customer first accesses the Services and continues for the Subscription Term unless terminated earlier under its express provisions.

6.02 Renewal. This Agreement automatically renews for successive one-year terms unless either party gives written notice of non-renewal at least sixty (60) days before the end of the then-current term.

6.03 Termination. Either party may terminate immediately on a material breach by the other party that is not cured within thirty (30) days after notice.

6.04 Suspension for Non-Payment. Provider may suspend the SaaS Services if Customer fails to timely pay undisputed amounts, after notice and a continued failure of fifteen (15) days. Suspension does not release Customer’s payment obligations.

6.05 Effect of Termination. On termination or expiration: (a) Provider will cease providing the SaaS Services and all usage rights end; (b) if Provider terminates for Customer’s uncured material breach, all committed fees for the remaining Subscription Term under each affected Schedule become immediately due and payable as a debt for the capacity Customer committed to purchase (not as a penalty); and if Customer terminates for Provider’s uncured material breach, Provider will refund prepaid fees for SaaS Services not yet performed. Provider will handle Customer Content and Personal Data after termination as set out in the DPA.

Article VII. Service Levels

7.01 Required Levels. Provider will use commercially reasonable efforts to make the SaaS Services available at least 99% of the time, measured per calendar month (the “Availability Requirement”), excluding: (a) Customer failure; (b) Customer or Authorized User internet connectivity; (c) a Force Majeure Event; (d) failure of any software, hardware, system, network, or facility not supplied by Provider; (e) Scheduled Downtime; or (f) suspension or termination under Section 6.04.

7.02 Scheduled Downtime. Provider will use commercially reasonable efforts to schedule routine maintenance between 12 a.m. and 9 a.m. ET and to give at least 48 hours’ notice of scheduled outages. Scheduled Downtime will not exceed twelve (12) hours in any one-month period.

7.03 Service Support. Provider may amend the Support and Maintenance Services from time to time on notice to Customer.

Article VIII. Warranties

8.01 Mutual. Each party represents and warrants that it is duly organized and validly existing, has the power and authority to enter into and perform this Agreement, has duly authorized this Agreement, and that this Agreement is a valid and binding obligation enforceable against it.

8.02 Provider. Provider represents that it will perform the Services using personnel of suitable skill and experience and in a professional manner consistent with commercially reasonable industry standards.

8.03 Customer. Customer represents that it has and will maintain the rights and consents necessary for Provider to process Customer Content as contemplated by this Agreement and the DPA without violating any third party’s rights or any law.

8.04 Disclaimer. Except for the express warranties in Sections 8.01 through 8.03, the Services, Software, and Documentation are provided “AS IS,” and Provider disclaims all other conditions and warranties, express, implied, statutory, or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. Without limiting the foregoing, Provider does not warrant that the Services will meet Customer’s requirements, operate without interruption, achieve any intended result, be compatible with other software or systems except as expressly specified in writing, or be secure, accurate, complete, or error-free. Verification and screening results are intended to support, not replace, Customer’s own judgment. All third-party materials are provided “AS IS.”

Article IX. Limitation of Liability

9.01 Exclusions. Except as provided in Section 9.03 (Excluded Claims), neither party will be liable under any theory for: (a) loss of production, use, business, revenue, or profit, or diminution in value; (b) impairment or interruption of the Services; (c) loss, corruption, or recovery of data, including Personal Data; (d) breach of data or system security; or (e) consequential, incidental, indirect, special, aggravated, punitive, or exemplary damages, even if advised of the possibility and notwithstanding the failure of any limited remedy of its essential purpose.

9.02 Cap. Except for the Excluded Claims in Section 9.03, each party’s total aggregate liability arising out of or relating to this Agreement will not exceed the total fees paid or payable by Customer under the applicable Schedule during the twelve (12) months immediately preceding the first event giving rise to the liability (or, if the liability arises in the first 12 months, the annualized fees for that Schedule). This applies notwithstanding the failure of any limited remedy of its essential purpose.

9.03 Excluded Claims. The exclusions in Section 9.01 and the cap in Section 9.02 do not apply to: (a) Customer’s payment obligations; (b) either party’s indemnification obligations under Article X; (c) breach of Article XI (Confidentiality); (d) liability under the DPA, which is governed by the DPA’s own liability provisions; or (e) a party’s gross negligence, willful misconduct, or fraud.

Article X. Indemnification

10.01 Provider Indemnification. Provider will defend, indemnify, and hold harmless Customer and its officers, directors, employees, agents, and permitted assigns from losses arising from a third-party action to the extent it alleges that: (a) Customer’s use of the Services (excluding Customer Content and third-party materials) in compliance with this Agreement infringes an intellectual property right; or (b) Provider has been the subject of a data breach involving Customer Content caused by Provider’s breach of its obligations. This does not apply to losses arising from: (c) use of the Services in combination with materials or services not provided or authorized by Provider; (d) modification of the Services other than by or with the written approval of Provider; or (e) Customer’s failure to implement modifications made available by Provider.

10.02 Customer Indemnification. Customer will defend, indemnify, and hold harmless Provider and its affiliates and their respective officers, directors, employees, agents, and permitted assigns from losses arising from a third-party action that arises out of or relates to: (a) Customer Content, including its processing under this Agreement; (b) Customer’s verification workflows and any decision or action Customer takes based on verification results, including any failure to obtain required notices or consents or to comply with the FCRA or similar laws; (c) any allegation that, if true, would be a breach of Customer’s representations, warranties, or obligations; or (d) the negligence or willful misconduct of Customer or its Authorized Users.

10.03 Procedure. The indemnified party will promptly notify the indemnifying party of any action, the indemnifying party will control the defense (using counsel reasonably acceptable to the indemnified party), and the indemnified party will cooperate at the indemnifying party’s expense and may participate with its own counsel at its own expense. Failure to give prompt notice relieves the indemnifying party only to the extent it is prejudiced.

10.04 Mitigation. If the Services are or may be subject to an infringement claim, Provider may, at its option and expense: (a) obtain the right for Customer to continue using the Services; (b) modify or replace the Services to make them non-infringing while preserving materially equivalent functionality; or (c) terminate the affected Services on notice and refund prepaid, unused fees.

10.05 Sole Remedy. This Article states Customer’s sole remedies and Provider’s sole liability for third-party intellectual-property claims.

Article XI. Confidentiality

11.01 Definition. “Confidential Information” means information disclosed by a party that is marked or identified as confidential, is deemed confidential by this Agreement, or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure. Customer Content is Customer’s Confidential Information; the Services, Software, and Documentation are Provider’s Confidential Information.

11.02 Obligations. During the term and for five (5) years after, each party will protect the other’s Confidential Information using at least reasonable care, will use it only to exercise rights and perform obligations under this Agreement, and will not disclose it except to personnel and contractors bound by confidentiality obligations on a need-to-know basis.

11.03 Exceptions. Confidentiality obligations do not apply to information that is or becomes public through no fault of the receiving party, was known to the receiving party without restriction before disclosure, is independently developed without use of the Confidential Information, or is lawfully received from a third party without restriction.

11.04 Permitted Disclosures. A party may disclose Confidential Information to the extent required by law or court order, using reasonable efforts to give prior notice where permitted.

Article XII. General Provisions

12.01 Non-Exclusive Service. The SaaS Services are provided on a non-exclusive basis. Nothing prevents Provider from providing the SaaS Services or other technology to other parties.

12.02 Personal Data and Data Protection. Provider’s performance may require it to process, transmit, or store Personal Data on Customer’s behalf. The DPA governs all such processing and is incorporated into this Agreement by reference. As between the parties, Customer is the Controller and Provider is the processor of Applicant Personal Data, and Customer is responsible for complying with applicable data protection laws, including establishing a lawful basis, providing required notices, and obtaining required consents, before submitting Personal Data to the SaaS Services. Customer is responsible for determining the purposes and means of the processing it instructs and for informing Provider of any special categories of data and any restrictions or cross-border-transfer requirements that apply.

12.03 Assignment. Neither party may assign this Agreement without the other’s consent, not to be unreasonably withheld, except that either party may assign to an acquirer of all or substantially all of its business or assets to which this Agreement relates. This Agreement binds and benefits the parties’ successors and permitted assigns. Either party may use subcontractors but remains responsible for their performance.

12.04 Notices. Notices must be in writing and are deemed given: (a) five business days after mailing by registered or certified mail; (b) when transmitted by email, provided a copy is promptly sent by another permitted means; or (c) when delivered personally or by courier. Notices are sent to the address in this Agreement or the Schedule.

12.05 Force Majeure. Each party is excused from performance to the extent prevented by a cause beyond its reasonable control and without its fault, including acts of God, strikes, riots, terrorism or war, epidemics, and communication or power failures.

12.06 Waiver. A waiver is effective only if in writing and signed by the waiving party, and does not waive any other or subsequent breach.

12.07 Severability. If any term is invalid or unenforceable, it will be reformed to the minimum extent necessary, and the rest remains in effect.

12.08 Entire Agreement; Order of Precedence. This Agreement consists of, in descending order of precedence in case of conflict: (1) the DPA, solely as to the processing of Personal Data and data-protection liability; (2) the applicable Schedule, as to commercial terms it expressly addresses; (3) the body of this Agreement and its Exhibits; and (4) the Privacy Policy. Except as so ordered, this Agreement is the entire agreement of the parties and supersedes all prior communications on its subject matter. It may be amended only in a writing signed by both parties. Pre-printed terms in any purchase order are rejected.

12.09 Survival. Article III; the accrued-payment, dispute-bar, and post-termination payment obligations of Article V and Section 6.05; Sections 4.06, 4.08, and 4.09; and Articles VIII through XII survive expiration or termination of this Agreement.

12.10 Publicity. Provider may include Customer’s name and logo in its customer lists and on its website. Any press release requires Customer’s prior approval.

12.11 Export Regulations. The Services are subject to the economic-sanctions and export-control laws of Canada (including the Special Economic Measures Act, the United Nations Act, the Justice for Victims of Corrupt Foreign Officials Act, and the Export and Import Permits Act) and the United States (including U.S. OFAC sanctions and the Export Administration Regulations), and other applicable jurisdictions. Customer represents and warrants that it, its Authorized Users, and (to its knowledge) its Applicants are not (a) located in, ordinarily resident in, or organized under the laws of any country or region subject to comprehensive sanctions, or (b) a person identified on any applicable denied-party, sanctions, or restricted-party list, or owned 50% or more or controlled by any such person. Customer will comply with those laws and will not use, export, re-export, or make the Services available in violation of them, including to support any prohibited end-use or end-user.

12.12 No Third-Party Beneficiaries. This Agreement confers no rights on any third party.

12.13 Independent Contractors. The parties are independent contractors, and nothing creates any other relationship.

12.14 Statistical Information. Provider may compile aggregated and de-identified statistical information about the performance of the Services for the purpose of operating and improving the Services, provided it does not identify Customer or any individual.

12.15 Governing Law. This Agreement and all matters arising out of or relating to it are governed by the laws of the Province of Ontario and the federal laws of Canada applicable there. Any action must be instituted in the courts of the Province of Ontario, and each party submits to the non-exclusive jurisdiction of those courts.

12.16 Compliance with Laws. Provider will comply with all laws applicable to its delivery of the Services.

12.17 Dispute Resolution. Except for claims relating to intellectual property rights, if a dispute arises relating to this Agreement, the parties will, within fifteen (15) days of a written request, hold a meeting of individuals with decision-making authority to attempt in good faith to resolve it before pursuing other remedies. If not resolved within fifteen (15) days after that meeting, either party may pursue any lawful remedy.

12.18 Consumer Reports and the Fair Credit Reporting Act (United States). The Services provide identity-verification technology and, where Customer enables them, facilitate third-party sanctions, watchlist, and background-check screening configured by Customer. (a) Provider’s identity-verification outputs (for example, confirming that a name matches a presented document, document authenticity, and facial match or liveness) are provided for identity-authentication and fraud-prevention purposes and are not furnished for the purpose of serving as a factor in establishing a consumer’s eligibility for credit, insurance, employment, housing, or another permissible-purpose transaction, and are not intended to be ‘consumer reports.’ (b) Where Customer enables sanctions, watchlist, or background-check screening, the results may constitute ‘consumer reports,’ and the screening provider and/or Customer may be a ‘consumer reporting agency’ or a user of consumer reports under the U.S. Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (‘FCRA’), and similar laws. Provider does not assemble or evaluate consumer information for the purpose of furnishing consumer reports on its own account, does not perform the functions of, and does not intend to act as, a ‘consumer reporting agency.’ The parties acknowledge that whether any output is a ‘consumer report’ and whether any party is a ‘consumer reporting agency,’ ‘reseller,’ or ‘user’ is determined by the FCRA based on the parties’ actual functions, and not by this Section. As between the parties, Customer is the user of any consumer report and is solely responsible for FCRA and similar-law compliance, including permissible purpose (1681b), required disclosures and authorizations (including 1681b(b)(2) for employment), pre-adverse-action and adverse-action notices (1681m, 1681b(b)(3)), applicable state mini-FCRA, ban-the-box, and fair-chance laws, and reporting-period limits (1681c); where the underlying screening is performed by a third-party consumer reporting agency, that agency retains the consumer-reporting-agency obligations (including 1681e(b) accuracy and 1681i reinvestigation) for the data it compiles. Customer will defend, indemnify, and hold harmless Provider from all obligations and claims under the FCRA and similar laws.

Exhibit A - Support and Maintenance Services

1. Support and Maintenance Services. Support and Maintenance Services are included in this Agreement and entitle Customer to:

• Telephone or electronic support to help Customer locate and correct Problems.
• Bug fixes and code corrections to bring the SaaS Services into substantial conformity with their operating specifications.
• All extensions, enhancements, and other changes that Provider, in its discretion, makes generally available to subscribers of the SaaS Services without charge.
• Up to two (2) dedicated contacts designated by Customer in writing who will have access to Support Services.

2. Response and Resolution Goals.

• “Business Hours” are 9 a.m. to 5 p.m. ET, Monday through Friday, excluding holidays.
• “Fix” means a repair of a Services component that remedies a Problem.
• “Problem” means a defect in the Services relative to normal or expected operation.
• “Respond” means acknowledgment of a Problem received.
• “Workaround” means a process that lets Customer avoid a Problem without substantially impairing use of the SaaS Services.

3. Accessing Support. Provider offers an online self-service support center, available through the platform’s “Help” option or the Checktiv help website, covering topics such as getting started, configuration and preferences, interpreting results, and best practices. The support email address is support@autohost.ai.