SUPISTA SOFTWARE-AS-A-SERVICE AGREEMENT
Version 2.0
This Software-as-a-Service Agreement (“Agreement”) governs the access to and use of the Supista platform (“Supista” or “Platform”) provided by Apicon Solutions Private Limited (“Company”).
By executing a proposal, subscription agreement, Statement of Work, or by accessing or using the Platform, the Client agrees to be legally bound by this Agreement.
1. NATURE OF SERVICE
Supista is an AI-enabled, cloud-hosted, composable enterprise workflow, business intelligence, and ERP automation platform provided under a subscription-based Software-as-a-Service (SaaS) model.
The Platform enables business process automation, data management, analytics, reporting, and AI-assisted operational workflows. Supista is delivered as a hosted service and does not constitute a sale, transfer, or license of underlying software ownership to the Client.
Access to and use of the Platform is subject to the terms of this Agreement and the applicable subscription plan.
2. SECURITY FRAMEWORK
2.1 Security Standards Positioning
The Company maintains administrative, technical, and physical safeguards designed to protect Client Data against unauthorized access, disclosure, alteration, or destruction.
The Company’s security program is aligned with industry-recognized standards and practices, including principles consistent with:
- SOC 2 Trust Services Criteria (Security, Availability, Confidentiality)
- ISO/IEC 27001-aligned information security controls
- OWASP secure software development practices
- Cloud infrastructure security best practices
Where applicable, the Company’s data protection framework is designed to align with:
- The General Data Protection Regulation (GDPR) for EU/EEA Clients
- The California Consumer Privacy Act (CCPA), as amended by CPRA, and other applicable U.S. state privacy laws
- The Digital Personal Data Protection Act (DPDP Act) for Indian Clients
Where the Company processes personal data on behalf of the Client, it shall act as a data processor and implement appropriate technical and organizational measures consistent with applicable law.
2.2 Infrastructure Security
The Platform is cloud-hosted on enterprise-grade infrastructure and incorporates:
- Role-based access control (RBAC)
- Encryption of data in transit (TLS 1.2 or higher)
- Encryption of data at rest using industry-standard encryption mechanisms
- Multi-layer authentication for administrative access
- Access logging and audit trails
- Secure development lifecycle practices
2.3 Access Control and Personnel Governance
The Company enforces the principle of least privilege across internal systems.
Administrative and production access is restricted to authorized personnel, employees, contractors, and approved sub-processors strictly on a need-to-know basis.
All such personnel are:
- Bound by written confidentiality and data protection obligations
- Subject to internal security policies and access controls
The Company remains responsible for its Authorized Personnel in connection with the Services. Activity logs are maintained and may be reviewed where applicable.
2.4 Vulnerability Management and Incident Response
The Company maintains ongoing security maintenance practices including:
- Regular dependency and infrastructure updates
- Security patch management protocols
- Monitoring for known vulnerabilities
- Documented incident response procedures
In the event of a confirmed security incident affecting Client Data under the Company’s control, the Company shall notify the Client without undue delay and take commercially reasonable steps to mitigate and remediate the impact.
2.5 Sub-Processors and Client-Engaged Third Parties
The Company may engage approved sub-processors to support service delivery. Such sub-processors shall be contractually bound by confidentiality and security obligations consistent with this Agreement.
Where the Client independently engages third-party service providers, consultants, integration partners, or external systems and elects to transmit or grant access to Client Data outside the Platform, the Company shall not be responsible for the security, processing, or protection of such data once under the control of such third parties. Data protection obligations relating to such third parties shall be governed by the Client’s contractual arrangements with them.
2.6 Third-Party Communication and AI Integrations
The Platform may integrate with third-party service providers, including but not limited to SMS gateways, messaging platforms (including WhatsApp), telephony or AI calling services, email providers, and AI/ML service providers.
Where Client Data is transmitted to or processed through such third-party systems:
- Such data shall be subject to the terms, privacy policies, and security practices of the respective third-party providers
- The Company does not control the infrastructure or security practices of such third parties
- The Company shall not be liable for any data breach, service outage, transmission failure, regulatory non-compliance, or unauthorized access arising from systems owned or operated by such third-party providers
- The Company’s responsibility is limited to the proper configuration and transmission of data from the Platform to the designated third-party integration endpoint
3. DATA PROTECTION, PROCESSING & INTELLECTUAL PROPERTY
3.1 Data Ownership and Platform IP
The Client retains full ownership of its business data uploaded, generated, or processed through the Platform (“Client Data”).
The Company retains all rights, title, and interest in and to Supista, including but not limited to:
- Platform architecture
- Source code and object code
- AI models and algorithms
- Workflow engines
- Schema frameworks
- Configurations and system designs
- Enhancements, upgrades, and derivative works
Nothing in this Agreement transfers ownership of the Platform or its intellectual property to the Client.
3.2 Data Processing
The Client grants the Company the limited right to process Client Data solely for:
- Providing the Services
- Support and maintenance
- Performance optimization
- Security monitoring
- Service improvement and enhancement
Processing may involve approved sub-processors subject to contractual confidentiality and data protection obligations.
3.3 Data Residency and Geographic Processing
Client Data shall be stored and processed in secure data centers aligned with the Client’s principal area of operations:
- India – Data centers located in India, in compliance with applicable Indian laws
- United States – Data centers located in the United States or other permitted jurisdictions consistent with applicable U.S. laws
- European Union (EU/EEA) – Data centers located within the EU/EEA in compliance with GDPR and applicable EU data protection laws
Cross-border transfers, where required for service delivery or disaster recovery, shall be subject to appropriate safeguards consistent with applicable law.
3.4 Data Deletion and Retention
Upon written request or termination, Client Data shall be deleted within ninety (90) days, subject to:
- Backup retention cycles
- Legal or regulatory retention requirements
The Company may retain anonymized and aggregated usage data for security, analytics, and platform improvement purposes, provided such data does not identify the Client or contain Confidential Information.
4. SERVICE LEVEL AGREEMENT (SLA)
4.1 Availability Commitment
The Company targets 99.5% Monthly Uptime Availability, excluding:
- Scheduled maintenance
- Force majeure events
- Third-party infrastructure outages
- Client-caused disruptions
4.2 Scheduled Maintenance
- Advance notice provided where feasible
- Maintenance windows typically scheduled during non-business hours
4.3 Incident Response Targets
Severity Levels:
- Critical (System Down): Response within 4 business hours, target restoration in 24 hours
- High (Major Feature Impacted): Response within 8 business hours, resolution in 2–3 business days
- Medium: Response in 1 business day, resolution in next release cycle
- Low / Enhancement: Considered for roadmap prioritization
5. BUSINESS CONTINUITY & DISASTER RECOVERY
5.1 Disaster Recovery
The Company maintains disaster recovery procedures including:
- Automated backups
- Infrastructure redundancy
- Recovery processes
5.2 Recovery Objectives
- Target Recovery Time Objective (RTO): 48 hours
- Target Recovery Point Objective (RPO): 24 hours
These are commercially reasonable targets, not guarantees.
6. ACCEPTABLE USE
The Client shall use the Services solely for lawful business purposes and in compliance with all applicable laws and regulations. The Client shall ensure that all authorized users comply with the obligations set forth in this Section.
The Client shall not, and shall ensure that its authorized users do not:
- Use the Services in violation of any applicable law, regulation, or third-party rights
- Infringe intellectual property, confidentiality, privacy, or proprietary rights of any person
- Upload, transmit, or distribute unlawful, fraudulent, abusive, deceptive, or harmful content
- Introduce viruses, malware, trojans, or other malicious code into the Platform
- Attempt to gain unauthorized access to any system, account, network, or data
- Interfere with or disrupt the integrity, availability, or security of the Services
- Circumvent authentication, access controls, or security mechanisms
- Use the Services to send unsolicited communications or messages in violation of applicable anti-spam, telecommunications, or data protection laws
- Share login credentials with unauthorized individuals
- Use the Services for criminal, fraudulent, or abusive activities
- Use AI-generated outputs, communication modules, or automation tools in a manner that violates applicable laws or regulatory requirements
The Client is solely responsible for:
- The legality, accuracy, and integrity of all data and content uploaded to the Platform
- Obtaining all necessary consents for communications initiated through the Services
- Compliance with applicable data protection, messaging, and telecommunications laws
The Company reserves the right to suspend or restrict access to the Services in the event of a violation of this Section, without prejudice to any other remedies available under this Agreement.
7. CONFIDENTIALITY
7.1 Definition of Confidential Information
“Confidential Information” means all non-public information disclosed by one Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether in written, electronic, oral, or other form, including but not limited to business, technical, financial, operational, commercial, or strategic information, trade secrets, source code, data, and documentation.
Confidential Information does not include information that:
- is or becomes publicly available without breach of this Agreement
- was lawfully known to the Receiving Party prior to disclosure
- is independently developed without use of the Disclosing Party’s Confidential Information
- is lawfully obtained from a third party without confidentiality restrictions
7.2 Confidentiality Obligations
The Receiving Party shall:
- Use Confidential Information solely for purposes of this Agreement
- Protect such information using at least the same degree of care it uses to protect its own confidential information, and in no event less than reasonable care
- Restrict access to employees, contractors, affiliates, and advisors strictly on a need-to-know basis
- Ensure such personnel are bound by confidentiality obligations
7.3 Compelled Disclosure
If the Receiving Party is required by law, regulation, or court order to disclose Confidential Information, it shall, where legally permitted, provide prompt notice to the Disclosing Party and cooperate in seeking protective measures.
7.4 Survival
The obligations under this Section shall survive termination or expiration of this Agreement for a period of three (3) years, and indefinitely with respect to trade secrets.
8. AUDIT RIGHTS
Upon reasonable prior written notice, the Client may request:
- Summary of security practices
- Compliance documentation
- Security questionnaire responses
On-site audits require mutual agreement and confidentiality protections.
9. LIMITATION OF LIABILITY
9.1 Limitation of Aggregate Liability
To the maximum extent permitted by applicable law, the total aggregate liability of the Company arising out of or in connection with this Agreement, whether in contract, tort (including negligence), strict liability, or otherwise, shall not exceed the total fees actually paid by the Client to the Company under this Agreement during the twelve (12) months immediately preceding the event giving rise to the claim.
9.2 Exclusion of Indirect and Consequential Damages
In no event shall the Company be liable for any:
- Indirect, incidental, special, exemplary, or consequential damages
- Loss of profits, revenue, business opportunity, or goodwill
- Loss of production or operational downtime
- Supply chain disruptions
- Data loss not caused by the Company’s gross negligence
- Regulatory penalties or compliance failures arising from Client misuse or misconfiguration of the Platform
- Reliance on AI-generated outputs, automated workflows, or system-generated recommendations
This exclusion applies regardless of the theory of liability and even if the Company has been advised of the possibility of such damages.
9.3 Exceptions
The limitations set forth in this Section shall not apply to:
- The Company’s willful misconduct or fraud
- Breach of confidentiality obligations
- Infringement of intellectual property rights
- Liability that cannot be limited under applicable law
9.4 Exclusive Remedy
The remedies expressly set forth in this Agreement shall constitute the Client’s sole and exclusive remedies for any claims arising out of or relating to the Services.
10. INDEMNIFICATION
10.1 Mutual Indemnification
Each Party (“Indemnifying Party”) shall defend, indemnify, and hold harmless the other Party, its affiliates, directors, officers, employees, and agents (“Indemnified Party”) from and against any third-party claims, losses, damages, liabilities, costs, and reasonable legal expenses arising out of or relating to:
- Breach of its representations, warranties, or obligations under this Agreement
- Violation of applicable law
- In the case of the Company, any claim that the Platform infringes a third party’s intellectual property rights
- In the case of the Client, misuse of the Platform, unlawful data processing, or content uploaded by the Client
10.2 Indemnification Procedure
The Indemnified Party shall:
- Promptly notify the Indemnifying Party of any claim
- Provide reasonable cooperation in the defense of the claim
- Allow the Indemnifying Party to control the defense and settlement, provided no settlement imposes liability or admission of fault on the Indemnified Party without its prior written consent
10.3 Exclusions
The Company shall have no indemnification obligation for claims arising from:
- Modifications not made by the Company
- Combination of the Platform with third-party systems not authorized by the Company
- Use of the Platform in violation of this Agreement
11. SUSPENSION, TERMINATION AND INSOLVENCY
11.1 Suspension
The Company may suspend access to the Platform, in whole or in part, upon written notice, if:
- The Client fails to make payment when due
- The Client commits a material breach of this Agreement and fails to cure such breach within thirty (30) days of notice
- Continued access poses a security risk to the Platform or other users
- The Client engages in illegal, fraudulent, or unauthorized use of the Platform
Suspension shall not relieve the Client of its payment obligations.
11.2 Termination
Either Party may terminate this Agreement:
- For material breach not cured within thirty (30) days after written notice
- Immediately, if the other Party engages in unlawful conduct or violates applicable law in connection with the Services
Upon termination:
- The Client’s access rights shall cease
- Outstanding fees shall become immediately due
- Post-termination data handling shall be governed by Section 3
11.3 Effect of Termination
Termination shall not affect:
- Accrued rights and obligations
- Confidentiality obligations
- Intellectual property ownership
- Limitation of liability provisions
11.4 Insolvency and Service Discontinuation
In the event the Company:
- Becomes insolvent
- Files for bankruptcy
- Enters liquidation
- Permanently discontinues the Supista Platform
and such event materially results in the permanent cessation of Services, the Company shall use commercially reasonable efforts to facilitate business continuity for Enterprise Clients.
For the purposes of this Agreement, an “Enterprise Client” shall mean a Client whose recurring subscription fees exceed USD 2,000 (Two Thousand United States Dollars) per month under an active subscription agreement.
Subject to applicable insolvency laws and protection of the Company’s intellectual property rights, the Parties may agree to implement a source code escrow or controlled release mechanism for such Enterprise Clients.
Any release of source code shall:
- Be limited to the Client’s licensed deployment
- Be solely for internal operational continuity
- Not transfer ownership of Supista
- Not permit resale, sublicensing, or commercial exploitation
- Be subject to separate written escrow terms, if applicable
Nothing herein shall be construed as an automatic transfer of intellectual property.
12. FORCE MAJEURE
Neither Party shall be liable for any failure or delay in performing its obligations under this Agreement (other than payment obligations) to the extent such failure or delay is caused by events beyond its reasonable control (“Force Majeure Event”), including but not limited to:
- Acts of God, natural disasters, flood, fire, earthquake, or epidemic
- War, terrorism, civil unrest, governmental actions, or regulatory restrictions
- Strikes or labor disputes not limited to the affected Party’s workforce
- Widespread power failures or telecommunications disruptions
- Failures or outages of third-party hosting providers, cloud infrastructure, or internet service providers
- Cyberattacks or security incidents not caused by the affected Party’s gross negligence or willful misconduct
The affected Party shall:
- Promptly notify the other Party of the Force Majeure Event
- Use commercially reasonable efforts to mitigate its impact
- Resume performance as soon as reasonably practicable
If a Force Majeure Event continues for more than thirty (30) consecutive days and materially affects the Services, either Party may terminate the affected Services upon written notice without liability, except for payment obligations accrued prior to the Force Majeure Event.
13. GOVERNING LAW AND DISPUTE RESOLUTION
13.1 Governing Law
This Agreement shall be governed by and construed in accordance with the laws applicable to the Client’s principal place of business, as follows:
- Clients with Principal Operations in India
  - This Agreement shall be governed by the laws of India
  - The courts of New Delhi, India shall have exclusive jurisdiction
- Clients with Principal Operations Outside India
  - Where the Client’s principal place of business is outside India, this Agreement shall be governed by the laws of Singapore
  - The courts of Singapore shall have exclusive jurisdiction
13.2 Amicable Resolution
In the event of any dispute arising out of or in connection with this Agreement, the Parties shall first attempt to resolve the dispute through good-faith negotiations within thirty (30) days of written notice.
If the dispute remains unresolved after such period, either Party may initiate proceedings before the competent courts specified above.
14. AMENDMENTS
The Company may amend or update this Agreement from time to time to reflect changes in law, regulatory requirements, security standards, operational practices, or enhancements to the Services.
For material changes that adversely affect the Client’s rights or obligations, the Company shall provide prior notice through reasonable means, including email or in-platform notification. Such changes shall become effective thirty (30) days after notice unless otherwise required by law.
Non-material changes may take effect upon publication or notification.
Continued access to or use of the Services after the effective date of any amendment constitutes acceptance of the revised Agreement.
Amendments shall not apply retroactively and shall not affect rights or obligations accrued prior to the effective date of such amendment.