Master Subscription Agreement

This Master Subscription Agreement (“MSA”) is executed by the parties to the Services Order. By executing a Services Order, the parties agree to be bound by the applicable Service Orders, this MSA, and any other attachments that are incorporated by reference (collectively, the “Agreement”). Capitalized terms will have the meanings defined throughout and in Section 13. In consideration of the mutual promises and obligations in the Agreement, the sufficiency of which is hereby acknowledged, the parties agree as follows.

1 SERVICES

1.1 License Grant. Subject to the terms of the Agreement, Genesys grants Customer a non-transferable, non-exclusive Subscription to access and use the Genesys Cloud Service during the Subscription Term.

1.2 Professional Services. Customer may retain Genesys to perform Professional Services as set forth in a mutually acceptable Statement of Work (“SOW”).

1.3 Training. Customer may retain Genesys to provide training as set forth in a Services Order.

1.4 Equipment. Genesys may offer Equipment for resale or renting on a pass-through basis under limited circumstances. All Equipment is provided “AS-IS” without warranty of any kind and is excluded from the scope of any Genesys warranty or indemnification obligations. In the event Customer rents Equipment, Customer must pay such Fees as reflected in the Services Order. Customer must secure and protect rented Equipment at Customer’s location(s). In the event rented Equipment is lost, stolen or damaged, Customer agrees to reimburse Genesys for reasonable replacement costs. Upon termination of the Services Order, Customer will promptly return rented Equipment to Genesys in good condition, reasonable wear and tear excepted. Shipping terms are F.O.B. In the event Customer purchases Equipment from Genesys, Customer must pay such Fees as reflected in the Services Order and title to such Equipment transfers to Customer upon full payment. Customer will retain purchased Equipment upon termination or expiration of the Agreement. Any other equipment or facilities required by Customer to access the Genesys Cloud Services will be provided by and paid for by Customer.

1.5 Support. Genesys will provide uptime and support and described in the Genesys PureConnect Cloud Services Support Policy, attached as Exhibit A.

1.6 Data Security. Genesys security and privacy policies for the Genesys PureConnect Cloud Service, which are incorporated by reference, are attached hereto as Exhibit B. Customer must comply with all applicable Genesys security guidelines, which will be in accordance with industry standards. Customer is solely responsible for the content its Customer Data.

2 TERM, INVOICING, AND PAYMENT

2.1 Ramp Period. Upon the Effective Date, the parties will implement the system (as described in the applicable SOW). Once implementation is complete, the Customer enters a Ramp Period. The purpose of the Ramp Period is to allow a phased-in implementation and allow the Customer to roll out the service internally. During the Ramp Period, Customer will be billed monthly in arrears based on actual usage. Any Infrastructure Provisioning Fees will be invoiced upon the Effective Date, as such Fees are needed to provide Genesys Cloud Service during the Ramp Period.

2.2 Invoicing During the Subscription Term. At the end of the Ramp Period, the Customer will begin the Initial Subscription Term of the applicable Services Order (defined therein). During the Term, the Customer will be invoiced the applicable Fees based on actual usage, subject to monthly minimum commitments (as set forth in the Services Order). Upon the expiration of the Term, the Agreement shall auto-renew on a monthly basis at then-current list price. Either party may notify the other of its intent to not renew the Agreement in writing, at least thirty (30) days prior to the renewal date. Upon such notification, the Agreement will cease to auto-renew and expire at the end of the then-current term.

2.3 Due Date. Payments will be due within thirty (30) days from and after the date of the applicable invoice.

2.4 Fees. Unless otherwise stated in a Services Order or this MSA: (i) all Fees are quoted and payable in the currency set forth in the applicable Services Order, (ii) initial payments, and deposits may be invoiced in advance, (iii) recurring Fees, overage and other Fees will be invoiced in arrears, and (iv) Customer will be invoiced for the Professional Services Fees as set forth in the SOW.

2.5 Travel and Other Expenses. Customer will reimburse all pre-approved travel and other expenses incurred in connection with the Services.

2.6 Taxes and Regulatory Fees. Fees are exclusive of applicable Taxes and Regulatory Fees. Customer will reimburse Genesys for Taxes and Regulatory Fees arising in connection with the Services.

2.7 Late Fees. Without prejudice to any other rights of Genesys under the Agreement, Fees, expenses and other amounts not received by Genesys by the date due may be subject to a charge on the outstanding balance from the date due until the date of actual payment of the lesser of one and a half percent (1½%) per month or the maximum charge permitted by Law.

3 TERMINATION

3.1 Termination for Cause. Either party will have the right to terminate the Agreement by written notice to the other party if: (i) the other party has breached a material obligation under the Agreement and such breach remains uncured for a period of thirty (30) days after written notice of such breach is sent to the other party; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Upon any termination of the Agreement by Customer for breach by Genesys, Genesys will refund any prepaid Fees covering the remainder of the Subscription Term after the effective date of termination. Upon any termination of the Agreement by Genesys for breach by Customer, Customer must pay any unpaid Fees covering the remainder of the Subscription Term after the effective date of termination, and prepaid fees will not be refunded. Termination of the Agreement by a party will be without prejudice to any right or remedy of such party under the Agreement or applicable Law. If this MSA is used to support more than one Services Order or Statement of Work (i.e., forming multiple Agreements), this MSA will survive with respect to each separate Agreement until each is terminated or expires.

3.2 Suspension of Use. Notwithstanding any term in the Agreement to the contrary, Genesys reserves the right to suspend the Genesys Cloud Services, or portion thereof, or reject or cancel the transmission of any information through the Genesys Cloud Service based upon (i) reasonable belief that the use of the Services is in violation of applicable Laws, (ii) Customer’s failure to pay amounts when due, or (iii) an imminent compromise to the security or integrity of the network. As practicable depending on the circumstances, Genesys will provide written notice of the suspension and keep Customer reasonably informed of Genesys’ efforts to restore the Services. Service level credits issued under a Service Level Agreement may apply depending on the circumstances of the suspension. Genesys reserves the right to impose a re-start fee in the event of any suspension under the Agreement due to Customer’s breach.

3.3 Service Order Conditions. Except as otherwise stated in a Services Order, upon execution by both parties, each Services Order will be a non-cancelable, non-refundable order by Customer. The Fees and Subscription Term for stated on each Services Order will be applicable only for that Services Order. Fees will apply during periods of suspension and as incurred for unauthorized use of the Genesys Cloud Service. Customer’s purchase of the Genesys Cloud Service is not conditioned on the availability of any future service or enhancement.

3.4 Transition Services. Transition services to facilitate migration of the services to a replacement provider, to archive or migrate Customer Data, or to otherwise wind-down the services (“Transition Services”) are excluded from the scope of this Agreement. Genesys will make Transition Services available to Customer subject to the parties’ execution of a separate SOW, at Genesys’ then-current time and material rates. If Customer is in breach of the Agreement as of the termination date, Genesys may condition its performance of Transition Services upon Customer’s pre-payment in full for Transition Services and other outstanding amounts.

4 INTELLECTUAL PROPERTY

4.1 Existing IP Ownership. Each party retains all rights, title and interest in and to its Existing Intellectual Property.

4.2 Restricted Use. Customer is granted no rights in or to Genesys Cloud Services except as expressly set forth under a Services Order. Customer must not: (i) create Derivative Works based on the Genesys Cloud Services, (ii) reverse engineer the Genesys Cloud Services, or (iii) access the Genesys Cloud Services to build a competitive product or service. Genesys Cloud Services include tools that can be used to create content related to Customer Data. The algorithms, compilations, collation methods and anonymized analyses created through the use of Genesys Cloud Services are considered Derivative Works and therefore are retained by Genesys. Customer retains, however, non-anonymized analyses of Customer Data obtained from its use of such tools.

4.3 Customer Data. As between Genesys and Customer, the Customer Data are the proprietary material of Customer and will be considered Customer’s Confidential Information. Customer grants Genesys a non-exclusive, non-sublicenseable (except to parties working on Genesys’ behalf), non-transferable, royalty-free license to access, process, store, transmit, and otherwise make use of the Customer Data as directed by Customer or as necessary to provide the Services and to otherwise fulfill its obligations under and in accordance with the Agreement.

4.4 Feedback. To the extent not already owned by Genesys and subject in each case to Section 12.1 to the extent Customer is identified by name or logo, Customer, on behalf of itself and its Related Parties, hereby grants Genesys a perpetual, exclusive, royalty-free, worldwide license to use or disclose (or choose not to use or disclose), and create derivative works of Feedback for any purpose, in any way, in any media worldwide.

5 WARRANTY DISCLAIMERS

5.1 EXCEPT AS EXPRESSLY PROVIDED IN THE AGREEMENT, THE SERVICES ARE PROVIDED TO CUSTOMER ON AN “AS IS” “WHERE IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. GENESYS MAKES NO REPRESENTATIONS OR WARRANTIES THAT USE OF THE GENESYS CLOUD SERVICE WILL BE UNINTERRUPTED, TIMELY, COMPLETE, OR ERROR-FREE.

6 LIMITATION OF LIABILITY

6.1 LIMITATION. THE CUMULATIVE AGGREGATE LIABILITY OF A PARTY AND ALL OF ITS RELATED ENTITIES UNDER THE AGREEMENT WILL NOT EXCEED THE FEES PAID TO GENESYS DURING THE TWELVE MONTHS IMMEDIATELY PRIOR TO THE COMMENCEMENT OF THE DISPUTE FOR THE SERVICES THAT ARE THE SUBJECT OF THE DISPUTE.

6.2 INDIRECT DAMAGES. IN NO EVENT WILL EITHER PARTY OR ANY OF ITS RELATED ENTITIES BE LIABLE TO THE OTHER PARTY OR ANY OF ITS RELATED ENTITIES FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING LOST PROFITS, REVENUE, DATA OR USE), WHETHER IN CONTRACT, TORT, OR OTHERWISE, EVEN IF SUCH PARTY OR ANY OF ITS RELATED ENTITIES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF AN AGREED REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS HELD UNENFORCEABLE FOR ANY OTHER REASON.

6.3 CARVE-OUTS. THIS LIMITATION OF LIABILITY WILL NOT OPERATE TO: (I) REDUCE ANY AMOUNTS DUE AS FEES; (II) LIMIT LIABILITY ARISING IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS; OR (III) LIMIT LIABILITY FINALLY DETERMINED TO HAVE RESULTED FROM A PARTY’S GROSS NEGLIGENCE OR WILFULL MISCONDUCT.

7 CONFIDENTIALITY

7.1 Recipient Obligations. During the Confidentiality Period, recipient must: (i) protect the confidentiality of all Confidential Information using the same degree of care that it uses to protect the confidentiality of its own Confidential Information of like kind (but in no event less than reasonable care) to prevent unauthorized use or disclosure; (ii) not use any Confidential Information except as expressly authorized in the Agreement; and (iii) not disclose, orally or in writing, any Confidential Information to any person, other than an employee, consultant or agent of recipient bound by terms at least as restrictive as those set forth in this Agreement with a need to know such Confidential Information.

7.2 Exceptions. The obligations in Section 7.1, however, will not apply to any information which:

(A) is already in the public domain or becomes available to the public through no breach of the Agreement by recipient

(B) was in the recipient’s possession without obligation of confidence prior to receipt from discloser, as proven by recipient’s written records;

(C) is received by the recipient without obligation of confidence from a third party free to disclose such information to recipient; or

(D) is independently developed by recipient without use of the Confidential Information.

7.3 Compelled Disclosure. Nothing in this Agreement will prevent a party from disclosing Confidential Information to the extent required by applicable Law, judicial or administrative process. But the recipient must: (i) notify discloser of any duty to disclose, affording opportunity for discloser to take protective actions (except to the extent notice is prohibited by Law), and (ii) disclose only as much of the Confidential Information as required, maintaining all proprietary notices applicable to such Confidential Information.

7.4 Effect of Termination. Upon written request in connection with termination of the Agreement, each party must deliver to the other party or destroy all copies of such other party’s Confidential Information. Genesys will retain Customer Data for thirty (30) days, during which time Customer may request a copy. Genesys may retain Customer Data in backup media for an additional period of up to twelve (12) months, or longer if required by Law. Notwithstanding the foregoing, recipient may retain an archival record of Confidential Information to the extent required under applicable Law subject to recipient’s compliance with the remaining terms of this section.

8 COMPLIANCE WITH LAWS

8.1 Each party must comply with all applicable Laws in connection with the performance of its obligations under this Agreement.

9 USE OF THE SERVICE

9.1 Restrictions on Use. Customer will not use the Genesys Cloud Service for any of the following:

(A) to store, process, or transmit material (including Customer Data) that is tortious or in violation of Law;

(B) to transmit Malicious Code;

(C) to transmit 911 or any emergency services (or reconfigure to support or provide such use);

(D) to interfere with, unreasonably burden, or disrupt the integrity or performance of the Services or third-party data contained in the Genesys Cloud Service;

(E) to attempt to gain unauthorized access to systems or networks;

(F) to provide the Services to non-User third parties, including, by resale, license, lend or lease; or

(G) Customer will use commercially reasonable efforts to prevent and block any prohibited use by Customer personnel or Customer’s Users.

9.2 Security. Customer will maintain any reasonable, appropriate administrative, physical, and technical level of security regarding its account ID, password, antivirus and firewall protections, and connectivity with the Services.

9.3 Phone Lines. Customer must maintain strict security over all VoIP Services lines. Customer acknowledges that Genesys does not provide Customer the ability to reach 911 or other emergency services and Customer agrees to inform any individuals who may be present where the Services are used, or who use the Services, of the non-availability of 911 or other emergency dialing.

9.4 Sensitive Information. If the Genesys Cloud Service will be used to transmit or process Sensitive Information, Customer will ensure that all Sensitive Information is captured and used solely via the use of available Security Features.

9.5 Recordings. As between Genesys and Customer, Customer acknowledges that Recordings are solely within Customer’s discretion and control. Customer accepts sole responsibility for determining the method and manner of performing recording such that it is compliant with all applicable Laws and for instructing the services accordingly. Customer must ensure that Recordings will be made only for diagnostic, quality assurance, archival, or Support purposes, and in any event only for purposes required or in compliance with all applicable Laws. Customer will ensure that either: (i) Recordings will not knowingly include any bank account number, payment card number, authentication code, Social Security number, or other personal or Sensitive Information, except as allowed or required by all applicable Laws; or (ii) Recordings are encrypted. Customer must not modify, disable, or circumvent the Recording encryption feature within the Services and must otherwise ensure that it will use the Services in compliance with the encryption feature.

10 CUSTOMER DATA

10.1 Geographic Boundaries. Customer acknowledges and agrees that the Customer Data may be transferred or stored outside the country where Customer and its customers are located in order to carry out the Services and Genesys’ other obligations under the Agreement.

10.2 Customer Data Consents. Customer represents and warrants that it has obtained all consents necessary for Genesys to collect, access, process, store, transmit, and otherwise use Customer Data in accordance with the Agreement.

10.3 Responsibility for Customer Data. Customer must comply with all requirements of Law in respect of Customer Data and Messages. Genesys may, but is not obligated to, review or monitor any Customer Data. Genesys expressly disclaims any duty to review or determine the legality, accuracy or completeness of Customer Data used through the Services.

10.4 PCI. If Customer, End Users or Persons provide payment card information to the Services, Customer retains responsibility for its compliance with all applicable standards, including the Payment Card Industry Data Security Standards (“PCI-DSS”). The Genesys PureConnect Cloud Service is PCI compliant, provided that Customer purchases the Premium Services described in Exhibit B, Section 10. Customer agrees to not send PCI data without purchasing the applicable Premium Services.

10.5 EU Data Security. Each party will comply with the European Union Directive 95/46/EC (the “EU Directive”) or similar Laws within or outside of the EU (“Similar Data Security Laws”), as each applies to the performance of such party’s obligations under the Agreement. To the extent that either party is a Data Processor such party must only process Personal Data in accordance with the instructions of the Data Controller. (The terms “Data Processor”, “Data Controller” and “Personal Data” are as defined in the EU Directive, and denote analogous terms under Similar Data Security Laws.) The Data Processor must promptly notify Data Controller if it receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data under the Agreement, and provide full co-operation and assistance in relation to any such complaint, notice or communication.

10.6 Restriction on Modification. Genesys will not modify, disclose, or access Customer Data except to provide the Services and perform Support to prevent or address service issues or technical problems, at Customer’s request in connection with Support, or to the extent otherwise permitted in the Agreement.

11 INDEMNIFICATION

11.1 Genesys Indemnification. Genesys will Indemnify Customer for a finding that the Genesys Cloud Service has or continues to infringe(d) such third party’s intellectual property rights, identified in a patent or copyright that is enforceable in the United States.

(A) Notwithstanding the foregoing, Genesys will not be liable and will have no obligation for any claim arising from or based upon:

(1) the use of the Genesys Cloud Service outside the scope or terms, or upon or after the termination of the Agreement;

(2) if the claim would not have arisen without: (i) any modification of the Genesys Cloud Service by Customer or a party acting under Customer’s direction or control; (ii) the combination of the Service with any technology (including software), equipment or other device, product or service that causes any modification, intentional or inadvertent, to the Services; or (iii) use of the Genesys Cloud Services after receipt of notice from Genesys to discontinue such use; or

(3) Customer’s actions against the third-party intellectual property holder.

(B) In the event that it is determined or Genesys believes that the Genesys Cloud Service has violated the third party’s intellectual property rights, Genesys will:

(1) obtain for Customer the right to continue using the Genesys Cloud Service,

(2) replace or modify the Genesys Cloud Service so that it becomes non-infringing while retaining substantially similar functionality; or

(3) if neither of the foregoing remedies can be reasonably effected by Genesys, terminate Customer’s right to use the Genesys Cloud Service and refund to Customer the Fees paid for the Genesys Cloud Service in the amount of the lesser of the: (i) prepaid, unused Fees; or (ii) Fees paid during the immediately prior twelve (12) month period.

(C) The provisions of this Section 11 state the sole, exclusive, and entire liability of Genesys and are Customer’s sole remedy with respect to the infringement of third party intellectual property rights.

11.2 Customer Indemnification. Customer will Indemnify Genesys from any claim, loss, or damage arising in connection with Customer’s use of the Genesys Cloud Services (including any activities undertaken by Customer’s Related Parties).

11.3 Indemnification Procedures. The Indemnified party must take all reasonable steps to mitigate any potential expenses and will provide the Indemnifying party with: (i) prompt written notice of any such claim or actions, or possibility thereof upon becoming aware of it; and (ii) relevant information (subject to confidentiality restrictions the Indemnified party owes to third parties), authority and reasonable assistance to settle or defend and such claim or action. The Indemnified party must tender sole control and authority over, and reasonably assist with the defense or settlement of such claim or action. Notwithstanding the foregoing, the Indemnified party will have the right to retain counsel of its own choice, at its own expense, in respect of the subject of the Indemnification, for purposes including services as co-counsel, or to monitor the defense provided by the Indemnifying party’s appointed counsel. The Indemnified party will have the right to approve counsel selected by the Indemnifying party, which approval will not be unreasonably withheld or delayed.

12 MISCELLANEOUS

12.1 Marketing. Customer grants Genesys the right to use Customer’s name and logo to identify Customer as a Genesys customer. Subject to prior written approval of content, Customer grants Genesys the right to issue a media release after execution of the Agreement announcing that Customer has become a Genesys customer, and to make other announcements and place promotion in various publications and media. Except as set forth in a mutually agreed written public statement, Customer will not imply or state that Customer is affiliated with or endorsed by Genesys, publicize the existence of the Agreement, or disclose any of its terms.

12.2 Assignment. Genesys may assign this Agreement, in whole or in part, to companies owned by, or under common control with, Genesys. Otherwise, neither party may assign its rights or obligations under the Agreement, either in whole or in part, except: (i) with respect to a sale of substantially all of the assets of its business, merger, or change in the party’s ownership, or (ii) with the prior written consent of the other party. Without limiting the preceding sentence, the rights and liabilities of the parties hereto will bind and inure to the benefit of their respective successors and assigns.

12.3 Government Usage. This is a commercial item agreement. If the Services are acquired by or on behalf of the U.S. Government, a state or local government, or a prime contractor or subcontractor (of any tier) of the foregoing, such government customers and users must obtain only those commercial license rights set forth in the Agreement.

12.4 Professional Services. Genesys will perform Professional Services on a time and materials basis unless otherwise stated in an SOW. Genesys will control how the Professional Services are performed and may use subcontractors in the performance of the Services. Genesys reserves the right to make all staffing decisions in its sole and reasonable discretion. Genesys warrants that it will perform the Professional Services in a professional and workman-like manner. Customer will make available at no charge all technical data, computer facilities, programs, files, documentation, test data, sample output, office space, equipment and other assistance as reasonably requested by Genesys in the performance of Professional Services. Genesys retains sole and exclusive ownership of all materials created in connection with its performance of the Professional Services, including but not limited to: methodologies, know-how, source and object code; specifications, configurations, designs, architecture, processes, techniques, concepts, discoveries, and, inventions made or developed (collectively, “PS Creations”), in addition to all Derivative Works of the foregoing. To the extent, and for any reason the foregoing statement of ownership is not effective, Genesys will have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use, including the incorporation into the Genesys Cloud Service, all PS Creations. Unless otherwise set forth in the Statement of Work, Customer is hereby granted a license to use the PS Creations solely in connection with, and under the same provisions as, its use of the Genesys Cloud Services.

12.5 Survival. The provisions of the Agreement regarding payment, confidentiality, assignment, licenses, definitions, limitation of liability, intellectual property and any provision which by its nature should survive, will survive the termination of the Agreement. If any provision of the Agreement is held to be invalid or unenforceable, the remaining provisions of the Agreement will remain in full force.

12.6 Force Majeure. Neither party will be responsible for acts of Force Majeure.

12.7 Governing Law. This Agreement will be governed by the laws set forth in Table 1 below, based on the Customer’s domicile, without reference to conflicts of law provisions. The parties agree to submit to the personal and exclusive jurisdiction of such courts and that venue therein is proper and convenient as set forth in Table 1. In the event more than one Genesys entity is or becomes a party the Agreement, the governing law will be California and United States federal law; and, the California state courts in and for San Mateo County, California (or, if there is federal jurisdiction), the United States District Court for the Northern District of California, each of which will have the personal and exclusive jurisdiction, which such jurisdiction is acknowledged to be proper and convenient. The UN Convention for the International Sale of Goods will not apply to the Agreement in whole or in part. In any dispute under the Agreement, the prevailing party will be entitled to recover its cost of enforcing its claim, including but not limited to attorney fees.

12.8 Authority to Execute. The party executing the Agreement on behalf of the parties represents and warrants that he or she has been duly authorized under the party’s charter documents and applicable law to do so.

12.9 Independent Contractors. The parties are acting as independent contractors. Nothing in the Agreement will be construed to create a partnership, joint venture or agency relationship between the parties.

12.10 Third party beneficiaries. No third-party beneficiary relationships are created by this Agreement.

12.11 Notices. All notices under the Agreement must be in writing and will be deemed to have been given when:

(A) personally delivered;

(B) sent by electronic facsimile transmission;

(C) sent by registered mail, postage prepaid (which notice will be deemed to have been received on the third (3rd) business day following the date on which it is mailed); or

(D) sent overnight by a commercial overnight courier that provides a receipt (which notice will be deemed to be received on the next business day after mailing), both to the address set forth on the title page hereto (or such other designee/address a party may provide by giving notice to the other party in compliance with the Agreement), and in the case of a notice to Genesys, with a mandatory copy to the attention of Vice President, Commercial Licensing, at the same address.

12.12 Waiver. No provision of the Agreement may be waived unless such waiver is in writing and signed by the party against which the waiver is to be effective.

12.13 Headings. Headings are for convenience only and do not affect the interpretation of this Agreement.

12.14 Complete Agreement; Amendment. The Agreement constitutes the complete agreement between the parties and supersedes all prior agreements and representations, written or oral, concerning the subject matter of the Agreement. In the event of a conflict between the terms of a Services Order and the other provisions of the Agreement, the terms of the Services Order will take precedence; however, MSA Sections 6, 8, 9, 10 and this section 12.13 may only be modified in the Services Order by a direct reference to such MSA sections. The Agreement may not otherwise be modified or amended except in a writing signed by a duly authorized representative of each party. The terms of the Agreement will supersede the terms in any Customer purchase order or other ordering document.

12.15 Execution; Digitized Copies. The parties agree that this MSA may be executed by any means of signature, including electronic commerce or transmission, including facsimile, email, or acknowledgement through a webpage. The Agreement may be executed in two (2) or more counterparts, each of which is deemed an original, but which together constitute one contract or document. Signed digitized copies of the Agreement and other associated documents, including attachments and amendments will legally bind the parties to the same extent as original documents.

13 DEFINITIONS

13.1 Confidential Information: Any information disclosed by one party to the other party, or otherwise learned by the recipient from the discloser, marked “confidential” or disclosed or learned under circumstances that would lead a reasonable person to conclude that the information was confidential. Notwithstanding the foregoing, Genesys Confidential Information includes but is not limited to Covered Products and the terms of this Agreement and Customer Confidential Information includes but is not limited to Customer Data. In addition, whether or not marked “confidential” or otherwise identifiable as confidential, the following information will be deemed Confidential Information of the discloser: inventions, product development plans, education materials, pricing, marketing plans, and customer lists.

13.2 Confidentiality Period: The longer of: (i) three (3) years after termination of the Agreement; or (ii) indefinitely with respect to trade secrets, Customer Data, and the Covered Products.

13.3 Customer: The non-Genesys (or non-Genesys Related Party) party to the Agreement identified on the cover page of this Agreement or in a Services Order.

13.4 Customer Data: (i) all data submitted through the Genesys Cloud Service by Customer or Users; and (ii) the non-anonymized content of any reports generated by the Genesys Cloud Service regarding Customer’s use of the Genesys Cloud Service.

13.5 Derivative Work: A new or modified work that is based on or derived from all or any part of the Genesys Cloud Service, including without limitation, a revision, modification, translation, localization, adaptation, abridgment, port, condensation or expansion, in any form, of the Genesys Cloud Service, or any work that would infringe any copyright if created without the authorization of the copyright holder or any other intellectual property right in the Genesys Cloud Service or that uses trade secrets or other Confidential Information embodied in or used by the Genesys Cloud Service.

13.6 Effective Date: The effective date of the Agreement, or portion thereof (e. g. a Services Order or SOW executed after the original Services Order) which is the date of the last signature of, or as otherwise stated in, the linking Services Order or SOW.

13.7 Equipment: Third party product provided on a pass-through basis without warranty from Genesys

13.8 Existing Intellectual Property: All technology, know-how, software, data, ideas, formulae, processes, charts, Confidential Information, and any other materials or information and all worldwide intellectual property rights therein and thereto: (i) owned or controlled by either party on the Effective Date; or (ii) developed by either party outside the scope of the Agreement and which does not use the other party’s Existing Intellectual Property or Confidential Information.

13.9 Fees: The various charges for the Genesys Cloud Service, Professional Services, Support, and other related services, as set forth in the applicable Services Order.

13.10 Feedback: any suggestions, enhancement requests, recommendations, report, feedback, proposals, anonymized statistical data or other information concerning the Genesys Cloud Service provided by Customer to Genesys hereunder. Notwithstanding anything to the contrary contained in this Agreement, in no event will Feedback be deemed Customer Existing Intellectual Property unless such Feedback existed on or before the Effective Date.

13.11 Force Majeure: Delays or failures on performance resulting from acts beyond the control of a party. Such acts include acts of God, provider blockades, denial of service, attacks, strikes, lockouts, riots, acts of war, terrorism, epidemics, Laws effective after the Effective Date, fire, communication line failures, power failures, earthquakes or other disasters natural or man-made.

13.12 Full Production: The day upon which the earlier of the following occurs: (i) Customer reaches the agreed Minimum Monthly User/agent commitment counts as shown in the Services Order; (ii) Customer notifies Genesys of its intent to end the Ramp Period; or (iii) the Ramp Period expires.

13.13 Genesys: The applicable entity listed in Table 1. Such party is the entity executing this Agreement.

13.14 Genesys Cloud Service(s): The individual services and use of features and functionality of Genesys proprietary software and supporting facilities, all as further described a Services Order. The term “Genesys Cloud Service” excludes Professional Services, Support and the use of Third-Party Applications.

13.15 Genesys PureConnect Cloud Service(s): The specific cloud service platform provided under this Agreement.

13.16 Indemnify (and all forms of the word (e. g. Indemnification): Agreement to indemnify and defend the other party and its Related Parties from and against any and all third-party claims, demands, sums of money, actions, rights, causes of action, obligations, allegations and liabilities of any kind or nature whatsoever, and from any resulting liabilities, damages, losses, and costs (including, but not limited to, attorney fees and disbursements) arising from or relating, directly or indirectly, to the use, act, omission, or manner set forth as the subject of and giving rise to the claim.

13.17 Infrastructure Provisions Fee: The Fee set forth in a Services Order due to be paid to Genesys by Customer for the provisioning of the applicable Genesys infrastructure environment.

13.18 Initial Subscription Term: The minimum term for the initial Subscription under each Services Order.

13.19 Laws: Laws, statutes, regulations, directives, rules, standards and the like of any territorial division (e. g. federal, national, state, province, etc.).

13.20 Live: The earlier of: (i) the day in which there is at least one (1) User of the Genesys PureConnect Cloud Services in an environment capable of supporting the agreed Minimum Monthly User/agent commitment counts as shown in the Services Order; or (ii) upon implementation completion (as described in the applicable SOW).

13.21 Malicious Code: Viruses, worms, time bombs, corrupted files, Trojan horses and other harmful or malicious code, files, scripts, agents, programs, or any other similar code that may interrupt, limit, damage the operation of Genesys’ or another’s computer or property.

13.22 Minimum Monthly User: The minimum commitment that Customer has committed to, as set forth in the Services Order.

13.23 Professional Services (or PS): The professional services described in a Statement of Work executed by the parties.

13.24 Provision Date: The date of the notice from Genesys to Customer that the applicable Genesys Cloud Service under a Services Order has been made available to Customer or was scheduled to be available to Customer but for delays caused by Customer and Customer’s representatives.

13.25 Ramp Period: The period (shown in the Services Order) not to exceed ninety (90) days, during which Customer will transition to Full Production. The default Ramp Period is zero (0) days if not specified. The Ramp Period will begin on the Live date.

13.26 Recordings: Recorded inbound or outbound Genesys VoIP Service transmission, performed by Customer, via the Genesys Cloud Service as set forth in the applicable User Guide.

13.27 Related Entities: A party’s past, present and future officers, directors, employees, and other personnel, agents, insurers, reinsurers, servants, attorneys, parent company, subsidiaries and affiliates.

13.28 Renewal Subscription Term(s): Each subsequent term after the Initial Subscription Term.

13.29 Security Features: The features and functionality associated with the Genesys Cloud Service used to help secure transmitted data. Security Features may include secure SIP/RTP, voice connection encryption, Private Variables, log masking, or other similar features.

13.30 Sensitive Information: All sensitive or Confidential Information used in connection or transmitted by the Services including but not limited to personal health information (PHI), personally-identifiable information (PII) and payment card information.

13.31 Services: The Genesys Cloud Service, Professional Services, and all related services or deliverables provided under the Agreement.

13.32 Service Level Agreement: An agreement to perform services in accordance with specific metrics, subject to a defined set of remedies. The Service Level Agreement, if applicable, is set forth in the Supplemental Terms for the Genesys Cloud Service as identified in the Services Order.

13.33 Services Order(s): The document by which Customer orders Genesys Cloud Service, or other goods and services that Customer may purchase from Genesys. Services Order will include: (i) a description of items being ordered, including Subscription Term, and the quantity, (ii) Supplemental Terms, (iii) Fees, method of determining Fees, and pricing terms, (iv) billing address; and (v) other addresses for the parties, if applicable. Genesys reserves the right to waive any or all the aforementioned requirements either in writing or by fulfilment of the Order.

13.34 Subscription: Term-based grant, for a specified time to use a specific quantity and type of Genesys Cloud Service, all as described in the applicable a Services Order, and applicable Supplemental Terms (one or more sets of Supplemental Terms, each an exhibit to the Services Order). Subscriptions exclude services and expenses associated with decommissioning Customer’s use of the Genesys Cloud Service, migration of Customer Data, and storage and retrieval of records associated with Customer’s use of the Services.

13.35 Subscription Term: The Phase-In Services (if applicable), Initial Subscription Term, and all Renewal Subscription Terms.

13.36 Support: the maintenance and support of the Genesys Cloud Service, subject to the terms and policies set forth in the applicable Support Guide.

13.37 Support Level: The applicable level of Support as selected by Customer and elected under the Services Order.

13.38 Taxes and Regulatory Fees: Any direct or indirect local, state, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including regulatory fees (such as USF), fines, penalties, value-added, use or withholding taxes. Taxes and Regulatory Fees will not include charges based upon Genesys’ income or employees.

13.39 Term: Any term (time period) under the Agreement (e. g. Subscription Term, License Term).

13.40 Third-Party Applications: Third party or Customer-developed online, Web-based applications and offline software products that are provided by Customer or third parties, that may or may not interoperate with the Genesys Cloud Service.

13.41 User: An individual who: (i) is authorized by Customer; and, (ii) has been supplied a user identification and password(s) by Customer to access the Genesys Cloud Services on Customer’s behalf.

Table 1. Governing Law, Jurisdiction, Notices.

Exhibit A

Genesys PureConnect Cloud Support Policy

1 SUPPORT INCIDENT PRIORITY LEVELS

1.1 Incidents. Incidents will be categorized and handled according to an assigned severity level. The assigned severity level for a problem may be mutually determined by both parties during the problem resolution process, but Genesys Technical Support will have final authority as to the actual designation. Genesys Technical Support uses commercially reasonable efforts to respond to each support incident within the applicable response time and reach resolution of Code Red and high impact issues within the timeframes described in the table below:

1.2 MACs. Upon Customer request and with Customer cooperation, Genesys will make administrative moves, additions and/or changes (MACs). The MAC will be scheduled during posted business hours and will be completed within one business day after receipt of the request. All requests must be made using https://isupportweb.inin.com. Customer will pay the amounts stated in the Services Order for MACs.

2 PURECONNECT CLOUD UPTIME COMMITMENTS

2.1 Uptime Commitments. Genesys will endeavor to provide the Genesys PureConnect Cloud Service with an Uptime Percentage of at least 99.99%. If Genesys is unable to provide the PureConnect Cloud Service at that Uptime Percentage, Customer is entitled to request a credit in accordance with the table below (“Uptime Credit(s)”):

2.2 Uptime Credit Calculation. The Uptime Credit provided to Customer will be calculated as the applicable Credit Percentage multiplied by the monthly Fees for the Minimum Monthly Commitment for the affected PureConnect Service.

2.3 Uptime Credit Request. To receive any Uptime Credit, Customer must request the Uptime Credit no later than thirty (30) days after the end of the month during which the Uptime Credit was earned and must not be past due on any invoices. Customer will not be entitled to the Uptime Credit if the failure was not caused by Genesys, including without limitation, failures caused by: (i) interruption in data or voice service (local or long distance); (ii) Customer’s internet connection, network, equipment, software (other than the Genesys PureConnect Cloud Service), facility, databases or operator error; and (iii) alterations, modifications, configurations, or customizations of the Genesys PureConnect Cloud Service, other than those undertaken and performed by Genesys. The Uptime Credit is the Customer’s sole remedy for any failure to meet the Uptime Percentage.

2.4 Reports. Genesys will provide an automated report to Customer within five (5) days of the end of each month. The report will show all support incidents opened during that month including: (a) the incident number; (b) the date and time the incident was opened; (c) the Customer site impacted; (d) close date/time for the fix or work-around; (e) the total Hard Outage time.

2.5 Termination for Repeated Uptime Failure. Customer may terminate this Agreement for cause and without penalty if Customer experiences Uptime Percentages of less than 98.000% in three (3) months during a rolling six (6) month period. To exercise this termination right, Customer must notify Genesys of its intent to terminate per this section within thirty (30) days of a triggering event. Such termination will be effective thirty (30) days following such notification.

3 SUPPORT POLICIES

3.1 Support Policies. Additional support policies, procedures, and services will be provided in a Customer Handbook. Genesys will have no obligation to take any action to correct a problem reported by Customer if Genesys determines that the problem arises from: (i) use of the Genesys PureConnect Cloud Services contrary to this Agreement or documentation to Customer by Genesys; (ii) Customer’s use of the Genesys PureConnect Cloud Services in combination with equipment or third party software not certified by Genesys; or (iii) an issue not included in standard support services as defined in the Customer Handbook. Support will be provided by telephone, web ticketing and remote access and does not include support at any Customer site.

3.2 After-Hours Support. After Hours support is subject to an additional charge of $250 per incident. A support request will be considered After Hours if the support request is non-Critical and made on a holiday or outside the hours identified in Customer Handbook. Unless otherwise identified on the Order Form, Customer Time Zone will be the time zone of the primary PureConnect data center serving the Customer.

3.3 Excused Outages.

(A) Planned Maintenance. Planned maintenance will not involve any activity that is anticipated to have a material or adverse effect on the live, operational functioning of the Genesys PureConnect Cloud Services. Genesys will provide forty-eight (48) hours advanced notice prior to any planned maintenance event. Genesys will perform planned maintenance between the hours of 12:00 A.M. and 5:00 A.M. within the time zone of the Customer’s primary PureConnect data center.

(B) Planned Outages. Planned outages involve any activities which are anticipated to cause interruption to the operational functioning of the PureConnect Services (operating system patches, service updates, equipment reboot, etc.). Genesys will provide Customer with at least two (2) weeks advanced e-mail notice prior to conducting any planned outage. Additional email notification will be provided forty-eight (48) hours prior to any planned outage event. Genesys will perform planned outages between the hours of 12:00 A.M. and 5:00 A.M. within the time zone of the Customer’s primary PureConnect data center.

(C) Emergency Maintenance. Emergency maintenance involves any activity where Genesys may or may not be to anticipate an interruption to the operational functioning of the Genesys PureConnect Cloud Services (operating system patches, service updates, equipment reboot, etc.).

3.4 Network Assessment. For any VoIP implementation, Customer’s network must meet the following standards:

(A) Quality of Services (“QoS”) must be enabled on all VoIP-related network devices and endpoints and configured in accordance with the QoS for the xIC Platform whitepaper.

(B) Full Duplex must be enabled on all network devices.

(C) RTP latency in one direction must be less than 150 ms for voice traffic.

(D) RTP jitter must be less than 30 ms.

(E) RTP packets must include highest markings for service priority queuing (ex. DSCP for Cisco devices).

(F) Network segments must not exceed a packet loss rate of one percent (1%).

(G) Network bandwidth must accommodate approximately 88kb/s for calls using audio codec G711 and 32kb/s for calls using audio codec G729 (not including overhead for VPN encryption/decryption, if applicable).

(H) VLAN settings must be set in accordance with the QoS for the xIC Platform whitepaper.

3.5 Customer Network Deficiencies. If Genesys determines that Customer’s network does not meet the standards listed above, Customer must rectify the failures. Customer will not be entitled to receive Hard Outage credits unless and until Customer’s network meets the standards. If the Customer chooses to engage Genesys to assist in rectifying the failures, Customer will pay Genesys at its current rates in accordance with a Statement or Work to perform a full network assessment. At any time if it is reasonably determined by Genesys that Customer’s network does not meet these standards, then any support provided as a result of the network inadequacy will be provided at the rates stated in the Service Order.

4 DEFINITIONS

4.1 Code Red: The Genesys PureConnect Cloud Service’s operational ability to receive, route and deliver Customer purchased interaction services is not operational and cannot reasonably function for greater than 10% of Minimum Monthly User commitment as identified in the Service Order.

4.2 Hard Outage: The Genesys PureConnect Cloud Services cannot receive, route, or place calls with the primary server, switchover server or via remote survivability. Hard Outage does not include: (i) excused outages as described in Section 3(c) of this Exhibit; or (ii) incidents due to customer managed equipment and/or applications (email server, web chat server, etc.).

4.3 High: Non-business critical features of the Genesys PureConnect Cloud Services are impaired or non-functional (for example: Interaction Supervisor, Interaction Recorder).

4.4 Initial Response: The difference between the time an automated alert or Customer support request (phone or web ticket) is received by the Genesys service management system and the time it is assigned to a PureConnect Support representative within the service management system.

4.5 Low: Requests for information on Genesys PureConnect Cloud Services, policies, processes, or procedures members of Customer’s business, management, or technical staff teams.

4.6 Mean Time to Restoration: Average duration of the outage from the time of an automated alert or Customer reported incident.

4.7 Medium: Non-disabling or cosmetic errors with little or no impact on the Genesys PureConnect Cloud Services.

4.8 Uptime Percentage: The Uptime Percentage equals 1 – (total minutes of Hard Outage / (# days in the month * 1440)).

Exhibit B

Genesys PureConnect Cloud Security Policy

This Security Policy describes the minimum requirements for information security and data protection provided by Genesys to Customer related to the provision of Genesys PureConnect Cloud Services under the Agreement. This Security Policy is applicable to the extent that Genesys has access and control over Customer Data. For the purposes of this Exhibit, “Data Center” means a data center where Genesys houses servers and other components used to deliver the Genesys PureConnect Cloud Service.

1 SECURITY PROGRAM

1.1 Security Certifications. Genesys has implemented and will maintain an information security program that follows generally accepted system security principles embodied in the ISO 27001 standard designed to protect the Customer Data as appropriate to the nature and scope of the Genesys PureConnect Cloud Services provided. Genesys currently hold the following certifications: SSAE-16 SOC2 Type II, ISO 27001 and ISO 9001. A copy of the most current SSAE16 SOC2 attestation report and ISO certificates will be provided to Customer upon written request. Genesys has developed and will maintain an information security and awareness program that is delivered to all its employees and appropriate contractors at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically and includes a testing aspect with minimum requirements to pass.

1.2 Security Awareness and Training. Genesys has developed and will maintain an information security and awareness program that is delivered to all employees and appropriate contractors at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically and includes a testing aspect with minimum requirements to pass.

1.3 Policies and Procedures. Genesys will maintain appropriate policies and procedures to support the information security program. Policies and procedures will be reviewed annually and updated, as necessary.

1.4 Change Management. Genesys will utilize a change management process based on industry standards to ensure that all changes to Customer’s environment are appropriately reviewed, tested, and approved.

1.5 Data Storage and Backup. Genesys will create backups of critical Customer Data according to documented backup procedures. Customer Data will be stored and maintained solely on designated backup storage media within the Data Center(s). Backup data will not be stored on portable media. Customer Data stored on backup media will be protected from unauthorized access. Backup data for critical non-database production servers will be retained for approximately thirty (30) days. Backup data for critical production database servers and transactional data will be retained for a minimum of seven (7) days.

1.6 Anti-Virus and Anti-Malware Protection. Genesys will utilize industry standard anti-virus and anti-malware protection solutions to ensure that all servers in Customer’s Genesys PureConnect Cloud Service environment are appropriately protected against malicious software such as trojan horses, viruses, and worms. The solution will be centrally managed and configured to ensure updates are applied in a timely manner. Genesys will use standard industry practice to ensure that the Genesys PureConnect Cloud Services as delivered to Customer does not include any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, and Trojan Horses) that are designed to disrupt the proper operation of the Genesys PureConnect Cloud Services, or which, upon the occurrence of a certain event, the passage of time, or the taking of or failure to take any action, will cause the Genesys PureConnect Cloud Services to be destroyed, damaged, or rendered inoperable. Customer acknowledge that the use of license keys will not be a breach of this section.

1.7 Penetration Testing. On at least an annual basis, Genesys will conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement will be appropriately addressed within a reasonable time-frame commensurate with the identified risk level of the issue. A cleansed version of the executive summary of the test results will be made available to Customer upon written request and will be subject to non-disclosure and confidentiality agreements.

1.8 Vulnerability and Patch Management. Genesys will maintain a vulnerability management program based on industry standard practices that routinely assesse the Data Center environment. Routine network and server scans will be scheduled and completed on a regular basis. The scan results will be analyzed to confirm identified vulnerabilities, and remediation will be scheduled within a timeframe commensurate with the relative risk. Genesys will monitor a variety of vulnerability advisory services to ensure that newly identified vulnerabilities are appropriately evaluated for possible impact to the Genesys PureConnect Cloud Service. Critical and high risk vulnerabilities will be promptly addressed following the patch management and change management processes.

1.9 Data Destruction. Genesys will follow industry standard processes for the secure destruction of Customer Data that becomes obsolete or is no longer required under the Agreement. Retired or decommissioned equipment that formerly held Customer Data and is scheduled for destruction will be securely destroyed using a qualified vendor who will provide a certificate of secure destruction.

2 NETWORK SECURITY

2.1 Network Controls. Genesys will employ effective network security controls based on industry standards to ensure that Customer Data is segmented and isolated from other customer environments within the Data Center. Controls include, but are not limited to:

(A) Segregated Firewall Services. Customer environments are segmented using physical and contextual firewall instances

(B) Network-Based Intrusion Detection System (NIDS). Genesys has implemented industry standard network intrusion detection systems at Internet egress points across the Genesys PureConnect Cloud Service environment.

(C) No Wireless Networks. Wireless networks are not utilized within the Data Center environments.

(D) Data Connections between Customer and the Genesys PureConnect Cloud Service Environment. Genesys uses SSL/TLS and/or MPLS circuits to secure connections between browsers, client apps, and mobile apps to the Genesys PureConnect Cloud Service. Connections traversing a non-dedicated network (i.e. the Internet) will use SSL/TLS.

(E) Data Connections between Genesys PureConnect Cloud Service Environment and Third Parties. Transmission or exchange of Customer Data with Customer and any third parties authorized by Customer to receive the Customer Data will be conducted using secure methods (e.g. SSL/TLS, HTTPS, SFTP).

(F) Encrypted Recordings. Genesys encrypts call recordings and chat sessions. Customer may elect to implement a unique password, known only to Customer, to protect the encryption keys used to secure the call recordings and chat sessions.

(G) Encryption Protection. Genesys uses industry standard methods to support encryption. For asymmetric key encryption, Genesys uses RSA 2048 bit keys. For symmetric key encryption, Genesys uses AES-128 bit keys. For hashing, Genesys uses SHA1 and SHA2.

(H) Logging and Monitoring. Genesys will log security events from the operating perspective for all servers providing the Genesys PureConnect Cloud Service to Customer. Genesys will monitor and investigate events that may indicate a security incident or problem. Event records will be retained for ninety (90) days.

3 USER ACCESS CONTROL

3.1 Access Control. Genesys will implement appropriate access controls to ensure only authorized users have access to Customer Data within the Genesys PureConnect Cloud Service environment.

3.2 Customer’s User Access. Customer is responsible for managing user access controls within the application. Customer defines the usernames, roles, and password characteristics (length, complexity, and expiration timeframe) for its users. Customer is entirely responsible for any failure by itself, its agents, contractors or employees (including without limitation all its users) to maintain the security of all usernames, passwords and other account information under its control. Except in the event of a security lapse caused by Genesys’ gross negligence or willful action or inaction, Customer is entirely responsible for all use of the Genesys PureConnect Cloud Service through its usernames and passwords whether or not authorized by Customer and all charges resulting from such use. Customer will immediately notify Genesys if Customer becomes aware of any unauthorized use of the Genesys PureConnect Cloud Service.

3.3 Our User Access. Genesys will create individual user accounts for each of its employees or contractors that have a business need to access Customer Data or Customer systems within the Genesys PureConnect Cloud Service environment. The following guidelines will be followed with regard to Genesys user account management:

(A) User accounts are requested and authorized by Genesys management.

(B) Strong password controls are systematically enforced.

(C) Connections are required to be made via secure VPN using strong passwords that expire every ninety (90) days.

(D) Dormant or unused accounts are disabled after ninety (90) days of non-use.

(E) Session time-outs are systematically enforced.

(F) User accounts are promptly disabled upon employee termination or role transfer, eliminating a valid business need for access.

4 BUSINESS CONTINUITY AND DISASTER RECOVERY

4.1 Disruption Protection. The Genesys PureConnect Cloud Service will be deployed and configured in a high-availability design and the Genesys PureConnect Cloud Service will be deployed across geographically separate Data Centers to provide optimal availability of the Genesys PureConnect Cloud Service. The Data Center environment is physically separated from the Genesys corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the Genesys PureConnect Cloud Service.

4.2 Business Continuity. Genesys will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.

4.3 Disaster Recovery. The Genesys PureConnect Cloud Service will be deployed in a high-availability, geographically redundant design such that a disruption event at a single Data Center will trigger a system fail-over to the back-up Data Center to minimize disruption to the Genesys PureConnect Cloud Service. Customer is responsible for defining specific parameters regarding fail-over.

5 SECURITY INCIDENT RESPONSE

5.1 Security Incident Response Program. Genesys will maintain a Security Incident response program based on industry standards designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.

5.2 Notification. In the event of a confirmed breach involving the unauthorized release or disclosure of Customer Data or other security event requiring notification under applicable law, Genesys will notify Customer within seventy-two (72) hours and will reasonably cooperate so that customer can make any required notifications in connection with such event, unless Genesys is specifically requested by law enforcement or a court order not to do so.

5.3 Notification Details. Genesys will provide the following details regarding the confirmed Security Incident to Customer: (i) date that the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions already taken by Genesys; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.

5.4 Ongoing Communications. Genesys will continue providing appropriate status reports to Customer regarding the resolution of the Security Incident, continually work in good faith to correct the Security Incident and to prevent future such Security Incidents. Genesys will cooperate, as reasonably requested by Customer, to further investigate and resolve the Security Incident.

6 DATA CENTER PROTECTIONS

6.1 Data Center Co-Location. Genesys contracts with third-party providers for Data Center colocation space. Data Center providers and related services are reviewed on an annual basis to ensure that they continue to meet the needs of Genesys and its customers. Each Data Center provider maintains certification based on their independent business models. Security and compliance certifications and/or attestation reports for the Data Center(s) relevant to Customer’s Genesys PureConnect Cloud Service will be provided upon written request and may require additional non-disclosure agreements to be executed.

6.2 Physical Security. Each Data Center is housed within a secure and hardened facility with the following minimum physical security requirements: (a) secured and monitored points of entry; (b) surveillance cameras in facility; (c) on-site access validation with identity check; (d) access only to persons on an access list approved by Genesys; (e) on-site network operations center staffed 24x7x365.

6.3 Environmental Controls. Each Data Center is equipped to provide redundant external electrical power sources, redundant uninterruptible power supplies, backup generator power, and redundant temperature and humidity controls.

7 RIGHT TO AUDIT

7.1 Customer or its designated representative will have the right to audit Genesys records and systems related to the performance of the Genesys PureConnect Cloud Service under this Agreement, upon ten (10) business days’ prior written notice. Genesys agrees to cooperate in good faith with Customer to determine and implement a mutually agreeable resolution to any significant concerns identified during any such audit. Any audits performed by Customer or its designated representatives under this Agreement will be conducted a maximum of one (1) time during any twelve (12) month period during which this Agreement remains in force. Audits will be conducted during normal business operating hours and will be conducted in a manner that minimizes any disruption to Genesys normal daily operations.

8 PRIVACY

8.1 Genesys has developed and will maintain a privacy program designed to respect and protect Customer Data under our control. Genesys will not rent, sell or otherwise share any Customer Data with outside parties. Customer Data will only be used or accessed for providing the Genesys PureConnect Cloud Service.

9 INDUSTRY SPECIFIC CERTIFICATIONS

9.1 Genesys security and operational controls are based on industry standard practices and are certified to meet ISO 27001, ISO 9001, and SSAE16/ISAE3402 Service Organization Control (SOC) guidelines. Genesys will configure the solution and the Genesys PureConnect Cloud Service based on Customer’s specifications as defined in a mutually agreed upon Statement of Work (SOW); however Customer is solely responsible for achieving and maintaining any industry specific certifications required for its business (e.g. PCI DSS, HIPAA, GLBA, NIST 800-53, FedRAMP, etc.).

10 PREMIUM SERVICES

10.1 Additional Services. The standard security controls listed prior to this Section 10 meet industry standards and are sufficient for most customers. Customers requiring a higher level of assurance may need to contract for additional “Premium Services” as described in this Section 10. If an industry specific certification is required for Customer’s business relative to the Genesys PureConnect Cloud Service, Customer agrees to contract for the additional “Premium Services” required to meet the industry specific certification. For an additional fee, Genesys will implement the following controls and procedures designed to meet the certification requirements of certain industry standards (PCI DSS, HIPAA, etc.) where appropriate for Customer Genesys PureConnect Cloud Service environment within the Data Center. Additional controls may include, but may not be limited to:

(A) Remote Access. Genesys authorized employees and contractors will require two-factor authentication to access Customer’s Genesys PureConnect Cloud Service environment within the Data Center.

(B) Vulnerability and Patch Management. Genesys will conduct quarterly vulnerability scans of Customer’s Genesys PureConnect Cloud Service environment within the Data Center. Critical and high risk vulnerabilities will be addressed within thirty (30) days, following the documented change management and patch management procedures. Medium and lower risk vulnerabilities will be remediated within ninety (90) days.

(C) Logging and Monitoring. Genesys will conduct reviews of infrastructure event logs daily. Identified issues and concerns will be risk ranked and addressed according to documented vulnerability management procedures. Infrastructure logs will be maintained for one year, with ninety (90) days availability on local storage.

Certification Audits. Genesys will contract with qualified third-party assessors to conduct industry specific certification audits of the Genesys PureConnect Cloud Service within the Data Center. Certification audits will be conducted on an annual basis. The resulting certification or executive summary of the audit report will be provided to Customer upon written request. Genesys currently maintains PCI DSS 3.0 certification for a specific deployment model within the U.S. Data Centers located in Carmel, Indiana and Englewood, Colorado. PCI certification does not extend to any other Data Center.