END USER LICENSE AGREEMENT

THIS AGREEMENT IS THE COMPLETE AND EXCLUSIVE AGREEMENT BETWEEN YOU AS THE END USER ("YOU" OR "END USER") AND CSR PROFESSIONAL SERVICES, INC. ("CSR") REGARDING ITS SUBJECT MATTER AND SUPERSEDES AND REPLACES ANY AGREEMENT, UNDERSTANDING, OR COMMUNICATION, WHETHER WRITTEN OR ORAL, PRIOR OR CONTEMPORANEOUS REGARDING SUCH SUBJECT MATTER. PLEASE READ CAREFULLY THIS END USER AGREEMENT. BY ADDING YOUR ELECTRONIC SIGNATURE BELOW, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT.

1. DEFINITIONS. The following words used in this End User Agreement have the following meanings:

"Affiliated Entity" means an entity that is a subsidiary of or a mother company of CSR.

"Confidential Information" means information, technology or services disclosed or made available by CSR to End User that End User should reasonably understand to be confidential, including: (i) unpublished or otherwise not publicly available or accessible prices and other terms of service, audit and security reports, product development plans, data center designs, server configuration designs, services, and other proprietary information or technology; and (ii) information that is marked or otherwise designated as confidential.

"Content" means any software, online service, feature or technology, data or other content that End User may provide to CSR pursuant to this Agreement. Content includes, but is not limited to, any of the foregoing that service users: (i) upload to the Services, and/or (ii) create and/or modify using the Services.

"Documentation" means any documentation which CSR makes available to End User and is associated with the Services, including URLs, i.e., addresses, for websites, technical information, policies or terms contained in or linked to by webpages or applications associated with the Services.

"Feedback" means any and all suggestions, comments, improvements, or other feedback about the Services that End User provides to CSR either directly or indirectly.

"Order" means any written order (either in electronic or paper form) that CSR provides to End User that describes the End User is receiving and that is signed by End User, either manually or electronically.

"Personally Identifiable Information" or "PII" means any data, either alone or in combination with other information, by which a natural person can be identified or located, or that can be used to identify or locate a natural person.

"Services" means the online service provided by CSR to assist End User to perform internal self-assessments concerning End User compliance with rules and best practices associated with Data Life Cycle Management relating to PII. Use of the Service does not guarantee compliance. End User is solely responsible for taking all actions necessary to ensure compliance.

2. ACCESS SERVICES.

2.1 Use and Access. Subject to the terms and conditions of this Agreement, for the duration of the term of this Agreement, CSR hereby grants to End User a non-exclusive, non-transferable, non-sublicenseable, revocable license in the Services solely for internal business purposes. During the term of this Agreement, End User may access the Services via the online interface that CSR provides to End User. This Agreement shall supersede any license terms included with the code in the file named "COPYING" or "LICENSE" or like caption in the Programmatic Interfaces, except where such code is governed by an open source license.

3. CSR'S OBLIGATIONS & WARRANTIES.

3.1 Provision of Services. Subject to End User's acceptance of this Agreement, CSR agrees to provide the Services. CSR, in its sole discretion, may change, discontinue, add, modify, re-price or remove features or functionality from the Services from time to time.

3.2 Warranties. CSR represents and warrants it has the full power and authority to enter into this Agreement and to grant End User the rights granted herein. CSR does not promise that the Services will be uninterrupted, error-free, or completely secure. End User acknowledges that there are risks inherent in Internet connectivity that could result in the loss of End User's privacy, confidential information, Content, and/or property. CSR has no obligation to provide security other than as stated in this Agreement. To the extent permitted by law, CSR disclaims any and all warranties, statutory or otherwise, not expressly stated in this Agreement, including the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, and noninfringement. End User is solely responsible for the suitability of the services chosen. The Services are provided "AS IS". Any voluntary activities CSR may perform for End User at End User's request and without any additional charge are provided "AS IS".

4. END USER OBLIGATIONS & WARRANTIES.

4.1 Obligations. End User agrees to do each of the following: (i) comply with all applicable laws, rules and regulations, including those regarding data privacy, copyright, and export control, the Digital Millennium Copyright Act, and the terms of this Agreement; (ii) pay the fees for the Services when due, if any; (iii) use reasonable security precautions for providing access to the Services by its employees or other individuals to whom End User provides access including private keys and other security options; (iv) cooperate with CSR's reasonable investigation of outages, security problems, and any suspected breach of this Agreement; (v) comply with all license terms or terms of use for any software, content, service or website (including Content), which End User uses or accesses when using the Services; (vi) give CSR true, accurate, current, and complete information ("Account Information") when establishing End User's account associated with the Services; (vii) keep End User's billing contact and other Account Information up to date; and (viii) use commercially reasonable efforts to prevent unauthorized access to or use of the Services and immediately notify CSR of any known or suspected unauthorized use of End User's account, the Services, or any other breach of security.

4.2 Warranties. End User represents and warrants it has the full power and authority to enter into this Agreement and to grant CSR the rights granted herein. End User represents and warrants that the Content does not and shall not violate or infringe any intellectual property right of any third party. End User represents and warrants that he is at least 18 years of age. If End User is entering into this Agreement on behalf of an employer, company, or other legal entity, End User must have the legal right and authority to enter into this Agreement and bind that entity to this Agreement.

5. CONFIDENTIALITY & PII.

5.1 Confidential Information. End User agrees not to use CSR's Confidential Information except in connection with End User's authorized use of the Services. End User agrees not to disclose CSR's Confidential Information to any third person or party for a period of five (5) years following the termination or expiration of this Agreement except where the Confidential Information: (i) was in End User's possession prior to receipt from CSR; (ii) is publicly known or readily ascertainable by proper means; (iii) is rightfully received by End User from a third party without a duty of confidentiality; (iv) is disclosed by CSR to a third party without a duty of confidentiality on the third party; (v) is independently developed or learned by End User; or (vi) is disclosed by End User with CSR's prior written approval. End User will provide reasonable prior notice to CSR and will request a protective order if End User is required to reveal the Confidential Information under a subpoena, court order or other operation of law.

5.2 Collection of PII. End User's access to the Services is via a CSR-controlled website. CSR collects PII through End User's access and use of the Services. CSR reserves the right to sell, rent or lease End User's PII to affiliated service providers and suppliers to manage or support its business operations, provide professional services, deliver complete products, services and customer solutions and to assist CSR with marketing and communication initiatives. Suppliers and service providers are required by contract to keep confidential and secure the information received from CSR. From time to time, CSR may participate in marketing initiatives with other companies, including websites "powered by" another company on behalf of CSR. As part of these initiatives, certain CSR Services and marketing communications may be delivered at the same time as those from other companies. CSR may also transfer End User's PII to other affiliated business entities in the US and worldwide. By accessing CSR Services, registering for an account, or otherwise providing CSR with End User's PII, the End User consents to the transfer of End User's PII to entities affiliated with CSR.

5.3 CSR Access to Content. CSR reserves the right to access Content as required to provide the Services and as otherwise provided in this Agreement. CSR will not use or disclose Content to non-CSR affiliated entities except: (i) with consent or as otherwise directed or instructed by End User; (ii) in furtherance of or in connection with performing Services pursuant to this Agreement; (iii) to respond to duly authorized information requests of police, law enforcement, or other governmental authorities; (iv) to comply with any applicable law, regulation, subpoena, discovery request or court order; (v) to investigate and help prevent security threats, fraud, or other illegal, malicious, or inappropriate activity; (vi) to enforce/protect the rights and properties of CSR or its affiliates or subsidiaries; or (vii) with the prior informed consent of the data subject about whom the PII pertains.

5.4 Data Controller. End User shall retain the role of the data controller of the Content it uploads or provides as part of the Services. CSR is a service provider to End User and has the role of data processor. CSR does not own or otherwise act as data controller of the Content. End User has the sole responsibility to verify that the security and privacy protections offered by the Services are adequate and in compliance with all applicable laws governing the type of data included in the Content, which is uploaded for or provided to the Services.

5.5 Data Centers. The data centers in which the infrastructure for the Services and Content are housed are located in the United States of America and any obligations of CSR pursuant to this Agreement may be performed by any CSR company, subsidiary, affiliate or authorized third party.

5.6 Unauthorized Access. CSR is not responsible to End Users or any third party for unauthorized access to Service User's Content or the unauthorized use of the Services by a third party.

5.7 Communications. CSR communicates with our End Users through emails and notices posted on our website. Examples of these notifications include, but are not limited to: (1) welcome and engagement communications - providing you information about our service and reminders on status and how to best utilize our systems' features; and (2) service communications - this will cover availability, security and other issues in regards to our services. These messages can be initiated from our systems or from your partner providing you access to our systems. You may change your email and contact preferences at any time by signing into your account and changing your privacy and notification settings.

Please be aware that you cannot opt out of receiving service-based emails and notifications due to the nature of the communication.

6. INTELLECTUAL PROPERTY.

6.1 Content. End User hereby grants and agrees to grant to CSR, under all Intellectual Property Rights (defined below) embodied in the Content, a non-exclusive, perpetual, irrevocable, worldwide, royalty-free, fully paid-up license to use, import, distribute, modify and distribute modifications of, perform, create and distribute derivative works of, copy, and display Content, solely in connection with CSR's provision of Services (including support of Services) to End User. As used herein, Intellectual Property Rights includes, but is not limited to patents, whether issued or pending, registered and common law trademarks, copyrights, know-how, and trade secrets. The license granted in this Section 6.1 includes the right of CSR to sublicense the Content to its subsidiaries, affiliates, business associates and any third parties providing all or part of the Services on behalf of CSR to achieve the foregoing.

6.2 Feedback. CSR shall own all right, title and interest in and to the Feedback from End Users relating to the Services. End User hereby irrevocably assigns to CSR all right, title, and interest in and to the Feedback and agrees to provide CSR with any assistance CSR may request to document, perfect, and maintain CSR's rights in the Feedback. CSR hereby grants End User a non-exclusive, non-revocable license to exploit such Feedback in any way it in its discretion may choose.

6.3 ID Stay Safe Certification. Upon End User's self-certification pursuant to the [CSR Readiness Program], CSR will provide to End User code containing the ID Stay Safe Seal that End User may post on its website (the "ID Stay Safe Code") and a certificate that End User may display at its place of business (the "ID Stay Safe Certificate"). CSR is the owner of all right, title and interest in and to the trademarks ID Stay Safe and the ID Stay Safe Seal (the "ID Stay Safe Marks") and all goodwill associated therewith. End User acknowledges and agrees that (i) it shall only use the ID Stay Safe Marks with CSR's approval and upon End User's self-certification pursuant to the [CSR Readiness Program]; (ii) it shall only use the ID Stay Safe Marks in the form and manner approved by CSR and only while its certification pursuant to the [CSR Readiness Program] is current; (iii) it shall immediately cease all display of the ID Stay Safe Certificate and all use of the ID Stay Safe Marks on its website and in other marketing and promotional materials upon expiration of its certification pursuant to the [CSR Readiness Program]; (iv) it shall stop all use of the ID Stay Safe Marks in the event of receipt of written request by CSR; (v) it shall in no way modify, alter or permit others to modify or alter the ID Stay Safe Marks, the ID Stay Safe Code or the ID Stay Safe Certificate, including but not limited to by modifying the expiration date associated therewith.

7. TERM, SUSPENSION AND TERMINATION.

7.1 Term. The term of this Agreement shall commence on the date that End User commences use of the Services.

7.2 Suspension. CSR, in its sole discretion, may suspend provision of Services to End User without liability if: (i) CSR reasonably believes that the Services are being used (or have been or will be used) by End User in violation of this Agreement; (ii) End User does not cooperate with CSR's investigation of any suspected violation of this Agreement; (iii) CSR believes that Services provided to End User have been accessed or manipulated by a third party without End User's consent or in violation of this Agreement; (iv) CSR reasonably believes that suspension of the Services is necessary to protect CSR's network, CSR's other End Users, or others in general; (v) the continued use of the Services by the End User may adversely impact the Services or the systems or content of CSR or any other CSR End User; (vi) CSR reasonably believes that the use of the Services by End User may expose CSR, its affiliates, or any third party to liability; or (vii) suspension is required by law. CSR will give End User reasonable advance notice of a suspension and an opportunity to cure the grounds on which the suspension is based, unless CSR determines, in CSR's reasonable commercial judgment, that either suspension on shorter or contemporaneous notice or immediate suspension without notice is necessary to protect CSR, its other End Users, or any third party from operational, security, or other risk or the suspension is ordered by a court or other judicial body. If the suspension was based on End User's breach of End User's obligations under this Agreement, then CSR may continue to charge End User fees (if applicable) for the Services during the suspension, and may charge End User a reasonable reinstatement fee upon reinstatement of the Services, which shall be at CSR's sole discretion.

7.3 Access to Data. At CSR's sole discretion, End User may not have access to Content stored in the Services during a suspension, and CSR shall not be liable to End User for any damages or losses End User may incur as a result of such suspension. Unless CSR determines otherwise, or End User requests deletion of Content, End User will have access to Content following termination or expiration of this Agreement for at least five (5) days after the effective date of termination or expiration, and CSR shall not be liable to End User for any damages or losses End User may incur as a result of not having access to Content.

7.4 Termination Prohibitions. (i) If End User is registered on the system for greater than or equal to sixty (60) days then they may not cancel service. (ii) If End User downloads two (2) or more offerings, which include but are not limited to, best practices, privacy practices and policy templates, then the End User may not cancel service. (iii) If End User activates the "score me" function then the End User may not cancel service.

8. INDEMNIFICATION. End User will defend, indemnify and hold CSR, CSR employees, CSR agents, affiliates, subsidiaries, or suppliers (the "CSR Indemnitees") harmless from and against any and all losses arising out of or in connection with any allegation, action, suit or proceeding brought by a third party arising out of the Service User's actual or alleged (i) gross negligence, (ii) willful misconduct, (iii) violation of law, (iv) failure to meet the security obligations required by this Agreement, (v) misappropriation or infringement of a third party's intellectual property right, or violation of this Agreement, or (vi) any claim arising from a customer of End User ("Third Party Claim"), including paying the cost of defending the Third Party Claim (including reasonable attorney fees) and any damages, award, fine, settlement, or other amount and all other losses, which are incurred by the CSR Indemnitees as a result of the Third Party Claim ("Losses"). End User's obligations under this Section include Third Party Claims arising out of the acts or omissions of End User employees, any other person to whom End User has given access to the Services, End User offering and/or Content, and any person who gains access to the Services, End User offering and/or Content as a result of End User's failure to use reasonable security precautions, even if the acts or omissions of such persons were not authorized by End User. In connection with any Third Party Claims pursuant to this Section, CSR will (i) give End User prompt written notice of such claim; and (ii) cooperate reasonably with End User (at End User's expense) in providing information in connection with End User's defense of such claim and Losses arising out of such claim.

9. LIMITATION ON DAMAGES. IN NO EVENT WILL CSR'S AGGREGATE LIABILITY FOR DIRECT DAMAGES UNDER THIS AGREEMENT EXCEED THE SUM OF U.S. $2,000.00. TO THE FULLEST EXTENT PERMITTED UNDER LAW, CSR WILL HAVE NO OBLIGATION OR LIABILITY (WHETHER ARISING IN CONTRACT, WARRANTY, TORT, NEGLIGENCE, PRODUCT LIABILITY, OR OTHERWISE) FOR ANY INCIDENTAL, INDIRECT, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LIABILITIES (INCLUDING LOST PROFITS, LOSS OF INCOME, REVENUE, GOODWILL, REPUTATION OR SAVINGS, LOSS OR UNAVAILABILITY OF OR DAMAGE TO DATA OR SOFTWARE RESTORATION), EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LIABILITIES, ARISING WITH RESPECT TO: (i) USE OR INABILITY TO USE THE SERVICES OR END USER OFFERING; (ii) COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES; (iii) UNAUTHORIZED ACCESS TO, ALTERATION OF, OR DELETION, DAMAGE, DESTRUCTION OR LOSS OF SERVICE USERS' CONTENT, DATA, OR TRANSMISSIONS BY THIRD PARTIES; AND/OR (iv) ANY OTHER MATTER RELATING TO THE SERVICE, THE END USER OFFERING, OR ARISING UNDER THIS AGREEMENT.

10. GENERAL.

10.1 Changes to this Agreement. CSR may modify this Agreement at CSR's sole discretion. Any such modified Agreement shall be posted on www.csrreadiness.com. Any such changes made during the term of this Agreement will become effective thirty (30) days after the date CSR posts, links to, or provides notice of such modified Agreement. End User's continued use of the Services after such thirty (30) day period shall constitute acceptance of such modified Agreement.

10.2 Survival. All provisions that by their nature are intended to survive expiration or termination of this Agreement shall survive expiration or termination of this Agreement.

10.3 Notices. All notices, requests, demands and other communications hereunder shall be in writing and shall be deemed to have been duly given when delivered in person or two (2) business days after it is sent prepaid, via a recognized world-wide overnight courier or two (2) business days after it is sent by facsimile with an acknowledgment of receipt to the notice address set forth beneath the signatures on this Agreement. Any party hereto may, from time to time, by written notice to the other party, designate a different address, which shall be substituted for the one specified for such party.

10.4 Export laws. CSR reserves the right to locate the infrastructure for providing the Services in any country or location permitted under applicable laws and regulations. End User, or any third party authorized by End User, sends to or through the Services may be subject to US and other national export and import laws and regulations. If End User, or any third party authorized by End User, chooses to use these Services, End User and any third party authorized by End User do so on their own initiative and are responsible for compliance with all applicable laws and regulations, and for obtaining required export and import authorizations, where applicable. End User, and any third party authorized by End User, may not, in violation of applicable laws and regulations, transfer, or authorize the transfer, of any Services (a) into U.S. embargoed countries or (b) to anyone on the U.S. Treasury Department's List of Specially Designated Nationals or the U.S. Commerce Department's Table of Denial Orders or Entity List of proliferation concern, or the U.S. State Department's Debarred Parties List. By using these Services, End User represents and warrants that End User or any third party authorized by End User is not located in, under the control of, or a national or resident of any such country, or is included on any such government list. In addition, End User, and any third party authorized by End User, may not use the Services for the development, design, manufacture, production, stockpiling, or use of nuclear, chemical or biological weapons, weapons of mass destruction, or missiles, in a country listed in Country Groups D: 4 and D: 3, as set forth in Supplement No. 1 to the Part 740 of the United States Export Administration Regulations. 
End User, and any third party authorized by End User, will not transfer to or through the Services any data, materials or other items controlled for export under the International Traffic in Arms Regulations ("ITAR"), US Export Administration Regulations ("EAR"), or other applicable regulations (such data, materials or other items, the "Controlled Data") unless prior written authorization has been received from CSR, and (i) End User, and any third party authorized by End User, has provided CSR not less than 10 days' prior written notice that Controlled Data will be transferred to or through the Services and (ii) where necessary, End User, and any third party authorized by End User, have received prior written authorization from the U.S. Government and/or other national authorities to transfer the Controlled Data to CSR. End User is responsible, and will reimburse CSR, for all costs, expenses or damages incurred by CSR in connection with End User, and any third party authorized by End User, transfer of Controlled Data. If End User has questions concerning these requirements or requires special solutions to comply with applicable export/import laws and regulations, End User should contact End User's CSR account manager.

10.5 Assignment. Either party may assign this Agreement to an entity that acquires, directly or indirectly, substantially all of its assets or merges with it. Except as described in this section, neither this Agreement nor any rights under this Agreement, in whole or in part, will be assignable or otherwise transferable by End User without the express written consent of CSR. Any attempt by End User to assign any of its rights or delegate any of its duties under this Agreement without the prior written consent of CSR will be null and void.

10.6 Force Majeure. Neither CSR nor End User will be in violation of this Agreement if the failure to perform the obligation is due to an event beyond either party's control, such as significant failure of a part of the power grid, significant failure of the Internet, natural disaster, war, riot, insurrection, epidemic, strikes or other organized labor action, terrorism, or other events of a magnitude or type for which precautions are not generally taken in the industry.

10.7 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of New York excluding the application of its conflicts of laws provisions. The parties hereto hereby consent to the jurisdiction of the courts of the State of New York and the applicable appellate jurisdictions and waive any contention that any such court is an improper venue for enforcement of this Agreement. Application of the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded.

10.8 Relationship of the Parties. The parties' relationship is that of independent contractors and not business partners. Neither of the parties is the agent for the other, and neither party has the right to bind the other on any agreement with a third party.

10.9 No Waiver. CSR's failure to exercise or delay in exercising any of its rights under this Agreement will not constitute a waiver, forfeiture, or modification of such rights. CSR's waiver of any right under this Agreement will not constitute a waiver of any other right under this Agreement or of the same right on another occasion. CSR's waiver of any right under this Agreement must be in writing.

10.10 Severability. If any provision in this Agreement is held invalid or unenforceable by a body of competent jurisdiction, such provision will be construed, limited or, if necessary, severed to the extent necessary to eliminate such invalidity or unenforceability. The remaining provisions of this Agreement will remain in full force and effect.

10.11 Binding Effect. This Agreement shall be binding upon the legal representatives, heirs, employees, agents, affiliates, successors and assigns of the respective parties hereto.

10.12 Waiver. Any waiver by any party of any act, failure to act or breach on the part of the other party shall not constitute a waiver by such waiving party of any prior or subsequent act, failure to act or breach by such other party.

10.13 Headings. The subject headings of the various sections of this Agreement are included for purposes of convenience only and shall not affect the construction or interpretation of any of its provisions.

10.14 Third Parties. Except as expressly provided herein, nothing herein expressed or implied is intended or shall be construed to confer upon or give any person other than the parties hereto, and their permitted successors and assigns, any rights or remedies under or by reason of this Agreement.

Electronic Signature

The End User Agreement will not be "signed" in the sense of a traditional paper document. To accept, the user must enter any alpha/numeric character(s) or combination thereof of his or her choosing, preceded and followed by the forward slash (/) symbol: An acceptable signature for a user named John Doe would be /John Doe/.

End User Agreement form effective as of September 18, 2017



Last Updated: 9/18/2017