CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 1 of 11 SAAS TERMS OF SERVICE CYBERARK SOFTWARE LTD. AND/OR ITS AFFILIATES (“CYBERARK”) IS WILLING TO GRANT ACCESS TO THE SAAS PRODUCTS TO YOU AS THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SAAS PRODUCTS (REFERENCED BELOW AS “CUSTOMER”) ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS AGREEMENT (AS DEFINED BELOW). BY ENTERING INTO THIS AGREEMENT ON BEHALF OF THE CUSTOMER, YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THE CUSTOMER TO THIS AGREEMENT. CUSTOMER AND CYBERARK MAY EACH ALSO BE REFERRED TO AS A “PARTY” AND TOGETHER, THE “PARTIES”. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SAAS PRODUCTS. THIS SAAS TERMS OF SERVICE (“AGREEMENT”) CONSTITUTES A LEGAL AND ENFORCEABLE CONTRACT BETWEEN CUSTOMER AND CYBERARK. BY INDICATING CONSENT ELECTRONICALLY, OR ACCESSING OR OTHERWISE USING THE SAAS PRODUCTS, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF CUSTOMER DOES NOT AGREE TO THIS AGREEMENT, DO NOT INDICATE CONSENT ELECTRONICALLY AND MAKE NO FURTHER USE OF THE SAAS PRODUCTS. 1. Access and Use 1.1. Access and Use. CyberArk grants Customer, during the Subscription Term, a non-exclusive, non- transferable right to access and use (and permit Authorized Users of Customer and its Affiliates’ to access and use) the SaaS Products and applicable Documentation solely for Customer’s and its Affiliates’ internal business purposes in accordance with the Documentation and in the quantity specified in the applicable Order. Such license grant is subject to payment of all applicable fees set forth in the Order or payment in accordance with an Indirect Order through a Channel Partner (as appropriate) and the terms and conditions of this Agreement. CyberArk may update or upgrade the SaaS Products from time-to-time. 1.2. Access and Use Restrictions. Customer shall not (directly or indirectly): (a) copy or reproduce the SaaS Products or the Documentation except as permitted under this Agreement; (b) exceed the subscribed quantities, Authorized users or other entitlement measures of the SaaS Products as set forth in the applicable Order; (c) remove or destroy any copyright, trademark or other proprietary marking or legends placed on or contained in the SaaS Products, Documentation or CyberArk Intellectual Property; (d) assign, sell, sublicense, distribute or otherwise transfer or make available the rights granted to Customer under this Agreement to any third party except as expressly set forth herein; (e) modify, reverse engineer or disassemble the SaaS Products; (f) except to the limited extent applicable laws specifically prohibit such restriction, decompile, attempt to derive the source code or underlying ideas or algorithms of any part of the SaaS Products, attempt to recreate the SaaS Products or use the SaaS Products for any competitive or benchmark purposes; (g) create, translate or otherwise prepare derivative works based upon the SaaS Products, Documentation or CyberArk Intellectual Property; (h) interfere with or disrupt the integrity or performance of the SaaS Products; (i) attempt to gain unauthorized access to the SaaS Products or its related systems or networks, or perform unauthorized penetrating testing on the SaaS Products; (j) use the SaaS Products in a manner that infringes on the Intellectual Property rights, publicity rights, or privacy rights of any third party, or to store or transfer defamatory, trade libelous or otherwise unlawful data; or (k) except as otherwise agreed by the Parties in the applicable BAA, store in or process with the SaaS Products any personal health data, credit card data, personal financial data or other such sensitive regulated data not required by the Documentation, or any Customer Data that is subject to the International Traffic in Arms Regulations maintained by the United States Department of State. Fees for the SaaS Products are based on use of the SaaS Products in a manner consistent with the Documentation. If Customer uses, or is reasonably suspected of using, the SaaS Products in violation of the Documentation or exceeding the licensed quantities or other entitlement measures as set forth in an applicable Order, Customer shall cooperate with CyberArk to resolve any non-compliance, which may include payment for any such overages at then-current applicable rates. 1.3. Login Access to the SaaS Products. Customer is solely responsible for ensuring: (i) that only appropriate Authorized Users have access to the SaaS Products, (ii) that such Authorized Users have been trained in proper use of the SaaS Products, and (iii) proper usage of passwords, tokens and access procedures with respect to logging into the SaaS Products. CyberArk may refuse registration of or suspend Customer's or a specific user’s access and use of the SaaS Products if CyberArk knows or reasonably suspects that Customer’s access or use is CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 2 of 11 malicious or otherwise harmful to the Customer itself, the SaaS Products or CyberArk’s other customers. CyberArk will provide notice prior to such suspension if permitted by applicable law and unless CyberArk reasonably believes that providing such notice poses a risk to the security of the SaaS Products. CyberArk will promptly reinstate Customer’s access and use once the issue has been resolved. 1.4. Trial Services. If Customer is using a free trial, a proof of concept version of the SaaS Products, a beta version of the SaaS Products, or using the SaaS Products on any other free-of-charge basis as specified in an Order including any related support services to the extent provided by CyberArk in its sole discretion (collectively, “Trial Services”), CyberArk makes such Trial Services available to Customer until the earlier of: (i) the end of the free trial or proof of concept period or beta testing period as communicated by CyberArk or specified in an Order; (ii) the start date of any purchased version of such SaaS Products; or (iii) written notice of termination from CyberArk (“Trial Services Period”). CyberArk grants Customer, during the Trial Services Period, a non-exclusive, non- transferable right to access and use the Trial Services for Customer’s internal evaluation purposes in accordance with the Documentation and subject to the access and use restrictions set forth in this Agreement. Customer is authorized to use Trial Services only for evaluation and not for any business or productive purposes, unless otherwise authorized by CyberArk in writing. Any data Customer enters into the Trial Services and any configurations made to the Trial Services by or for Customer during the term of such Trial Services will be permanently lost unless Customer: (a) has purchased a subscription to the same SaaS Products as covered by the Trial Services; or (b) exports such data or configurations before the end of such free period. There is no guarantee that features or functions of the Trial Services will be available, or if available will be the same, in the general release version of the SaaS Products, and Customer should review the SaaS Products features and functions before making a purchase. CyberArk will be under no obligation to provide Customer any support services with respect to the Trial Services. Notwithstanding anything to the contrary, CyberArk provides the Trial Services “as is” and “as available” without any warranties or representations of any kind. To the extent permitted by law, CyberArk disclaims all implied warranties and representations, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose and non-infringement. Customer assumes all risks and all costs associated with its use of the Trial Services. Customer’s sole and exclusive remedy in case of any dissatisfaction or CyberArk’s breach of the Agreement with respect to such Trial Services is termination of the Trial Services. Any obligations on behalf of CyberArk to indemnify, defend, or hold harmless under this Agreement are not applicable to Customers using Trial Services. 1.5. Third Party Materials. The SaaS Products include Third-Party Materials, use of which is subject to their respective OSS Licenses as indicated in the Documentation. CyberArk warrants that the inclusion of such Third- Party Materials in the SaaS Products will not prevent Customer from exercising the license rights provided to Customer herein in respect of the SaaS Products or limit Customer’s ability to use the SaaS Products in accordance with the Documentation. Nothing herein shall derogate from mandatory rights Customer may have under any OSS Licenses, if any. Customer may obtain a copy of the source code for certain Third-Party Materials by following the instructions set forth in the Documentation. 1.6. Support. As part of its provision of the SaaS Products, CyberArk shall make available technical support to Customer in accordance with the Support Services terms applicable to the SaaS Products. Upon notification from CyberArk, Customer shall promptly; update any Agents on Customer systems that interact with the SaaS Products; and/or as applicable ensure that all Authorized Users download and install all available updates for locally installed components without undue delay. Customer acknowledges and agrees that its failure to timely install such updates may result in disruptions to or failures of the SaaS Products, security risks or suspension of Customer’s access to the SaaS Products, without any liability on the part of CyberArk to Customer. 1.7. SaaS Product Usage Analytics. CyberArk and its Affiliates shall be permitted to collect and use Usage Analytics for its reasonable business purposes and for Customer’s benefit (including research and development statistical analyses, monitoring and management of CyberArk’s Products). Other than for the purpose of providing the SaaS Products to Customer, in the event CyberArk discloses Usage Analytics or any part thereof to third parties (either during the Subscription Term of thereafter), such data shall be deidentified so that it will not identify Customer CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 3 of 11 or its Authorized Users. The foregoing shall not limit in any way CyberArk’s confidentiality obligations pursuant to Section 4 below. 2. Payment and Taxes 2.1. Payment Terms. Without prejudice to Customer’s rights set out elsewhere in this Agreement, all SaaS Products fees are non-refundable and payable in advance. CyberArk may invoice for purchases of SaaS Products upon delivery. Where: (A) Customer is paying CyberArk directly, Customer shall pay all invoices within thirty (30) days of date of invoice, without any deduction or set-off (except for any amount disputed promptly and in writing by Customer in good faith), and payment will be sent to the address specified by CyberArk. Any amounts arising in relation to this Agreement not paid when due will be subject to a late charge of one and one-half percent (1 ½ %) per month on the unpaid balance or the maximum rate allowed by law, whichever is less; or (B) Customer places an Indirect Order, CyberArk grants the rights described in this Agreement in consideration for and subject to: (a) Customer’s agreement to comply with the pricing and payment terms of the Indirect Order, to be separately agreed between Customer and the applicable Channel Partner; and (b) Customer’s agreement to comply with its obligations set forth in this Agreement (including the restrictions on use of the SaaS Products). Notwithstanding the foregoing, the final sales price or rate shall be freely and independently determined between the applicable Channel Partner and Customer. For the avoidance of doubt, in the case of such an Indirect Order, any indication in this Agreement of an agreement between Customer and CyberArk for the price payable by Customer for such Indirect Order shall be null and void and not form a binding part of this Agreement and the provisions of this Agreement related to payment terms, pricing and/or order procedures shall not apply. 2.2. Taxes. The fees and charges covered by this Agreement are exclusive of any Indirect Taxes imposed or levied, currently or in the future based on applicable legislation, on the SaaS Products. Unless otherwise agreed between the Parties, Customer will be liable for compliance with reporting and payment of such Indirect Taxes in its tax jurisdiction. CyberArk shall include the Indirect Taxes on its invoice to Customer and remit such Indirect Taxes collected to the relevant authority if required by applicable law. CyberArk will be responsible for direct taxes imposed on CyberArk’s net income or gross receipts in its tax jurisdiction. Notwithstanding the forgoing, all payments made under this Agreement shall be in cleared funds, without any deduction or set-off, and free and clear of and without deduction from any Indirect Taxes or other withholdings of any nature. 3. Rights in Intellectual Property 3.1. Intellectual Property. Except for the rights granted in this Agreement, all rights, title, and interest in and to the SaaS Products, Documentation, and CyberArk Intellectual Property are hereby reserved by CyberArk, its Affiliates or licensors. Except as provided for herein, all rights, title, and interest in and to Customer Intellectual Property are hereby reserved by Customer, its Affiliates or licensors. Nothing in this Agreement shall transfer ownership of any Intellectual Property rights from one Party to the other. 3.2. Customer Data. Customer owns all right, title and interest in all Customer Data. Nothing in this Agreement shall be construed to grant CyberArk any rights in Customer Data beyond those expressly provided herein. Customer grants CyberArk and its Affiliates the limited, non-exclusive, worldwide license to view and use the Customer Data solely for the purpose of providing and improving the SaaS Products. 3.3. Suggestions. To the extent that Customer provides CyberArk with Suggestions, such Suggestions shall be free from any confidentiality restrictions that might otherwise be imposed upon CyberArk pursuant to this Agreement, and may be implemented by CyberArk in its sole discretion. Customer acknowledges that any CyberArk products or materials incorporating any such Suggestions shall be the sole and exclusive property of CyberArk. 3.4. AI Features. Certain features within the SaaS products use algorithmic analysis, artificial intelligence and/or machine learning technologies (“AI Features”). Use of the AI Features is subject to the Documentation and CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 4 of 11 CyberArk’s Responsible AI Policy found at https://www.cyberark.com/trust/responsible-ai/ Information regarding opting-out of AI Features is located in the Documentation. 4. Confidentiality 4.1. Confidential Information. The Parties acknowledge that each may disclose certain valuable confidential and proprietary information to the other Party. The receiving Party may only use the disclosing Party’s Confidential Information to fulfil the purposes of this Agreement and in accordance with the terms of this Agreement. The receiving Party will protect the disclosing Party’s Confidential Information by using at least the same degree of care as the receiving Party uses to protect its own Confidential Information of a like nature (but no less than a reasonable degree of care) to prevent the unauthorized use, dissemination, disclosure or publication of such Confidential Information. Notwithstanding the foregoing, the receiving Party may disclose Confidential Information to its (and its Affiliates) employees, advisors, consultants, and agents on a need-to-know basis and provided that such party is bound by obligations of confidentiality substantially similar to those contained herein. This section 4 supersedes any and all prior or contemporaneous understandings and agreements, whether written or oral, between the Parties with respect to Confidential Information and is a complete and exclusive statement thereof. Additionally, the obligations set forth in section 5.4 and not this section 4 herein apply to Customer Data. 4.2. Exceptions. Information will not be deemed Confidential Information if it: (i) is known to the receiving Party prior to receipt from the disclosing Party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing Party; (ii) becomes known (independently of disclosure by the disclosing Party) to the receiving Party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing Party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving Party; or (iv) is independently developed by the receiving Party without use of or reliance upon the disclosing Party’s Confidential Information, and the receiving Party can provide evidence to that effect. The receiving Party may disclose Confidential Information pursuant to the requirements of a court, governmental agency or by operation of law but shall (to the extent permissible by law) limit such disclosure to only the information requested and give the disclosing Party prior written notice sufficient to permit the disclosing Party to contest such disclosure. 4.3. Advertising and Publicity. Neither Party shall make or permit to be made any public announcement concerning the existence, subject matter or terms of this Agreement or relationship between the Parties without the prior written consent of the other Party except as expressly permitted in this section. Customer grants CyberArk and its Affiliates during the term of the Agreement the right to use Customer's trade names, logos, and symbols (“Customer Marks”) in its public promotional materials and communications for the sole purpose of identifying Customer as a CyberArk customer. CyberArk shall not modify the Customer Marks, or display the Customer Marks any larger or more prominent on its promotional materials than the names, logos, or symbols of other CyberArk customers. The foregoing promotional materials and communications may be created, displayed, and reproduced without Customer’s review, provided that they are in compliance with this section and any Customer Marks usage guidelines provided by Customer to CyberArk in writing. 5. Security and Processing of Personal Data 5.1. Customer Data Content. As between CyberArk and Customer, Customer is solely responsible for: (i) the content, quality and accuracy of Customer Data as made available by Customer and by Authorized Users; (ii) providing notice to Authorized Users with regards to how Customer Data will be collected and used for the purpose of the SaaS Products; (iii) ensuring Customer has a valid legal basis for processing Customer Data and for sharing Customer Data with CyberArk (to the extent applicable); and (iv) ensuring that the Customer Data as made available by Customer complies with applicable laws and regulations including Applicable Data Protection Laws. 5.2. Data Protection Laws. The Parties shall comply with their respective obligations under the Applicable Data Protection Laws. In particular, if Customer is established in the European Economic Area (“EEA”), in Switzerland, in the United Kingdom (“UK”) or in California, or will, in connection with the SaaS Products, provide CyberArk with personal data relating to an individual located within the EEA, Switzerland, the UK or California, the Parties shall comply with the Data Processing Addendum found at https://www.cyberark.com/CyberArk-Data-Processing- Addendum.pdf (“DPA”) which in such case is hereby incorporated into this Agreement. CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 5 of 11 5.3. HIPAA. (Health Insurance Portability and Accountability Act) To the extent that (a) Customer is established in the United States; and (b) is a “covered entity” or a “business associate” and includes "Protected Health Information" (as these terms are defined in the Business Associate Agreement (“BAA”)) in Customer Data, the Parties shall comply with the BAA found at https://www.cyberark.com/lgl/CyberArk-BAA.pdf. In such case, the terms of the BAA are hereby incorporated into this Agreement by reference. 5.4. Security of Customer Data. CyberArk shall: (i) ensure that is has in place appropriate administrative, physical and technical measures designed to protect the security and confidentiality of Customer Data against any accidental or illicit destruction, alteration or unauthorized access or disclosure to third parties; and (ii) access and use the Customer Data solely to perform its obligations in accordance with the terms of this Agreement, and as otherwise expressly permitted in this Agreement. CyberArk shall not materially diminish its security controls with respect to Customer Data during a particular SaaS Products term. The obligations set forth in this Section 5.4 are in addition to any confidentiality, privacy, security or other requirements contained in the BAA or DPA, as applicable. 5.5. Bring Your Own Key. If Customer chooses to enable the “Bring Your Own Key” functionality for data encryption made available by CyberArk for certain SaaS Products (“BYOK”), Customer acknowledges that (i) Customer shall bear sole responsibility for the hosting, use, protection, rotation and management of such encryption key and any loss, damage, unavailability or non-performance resulting therefrom; (ii) Customer shall provide CyberArk with access to the encryption key at all times in order to encrypt Customer Data and proper performance of the SaaS Products; and (iii) CyberArk has no control over the encryption key and specifically is unable to de- encrypt, restore, recover or otherwise retrieve Customer Data in the event the encryption key is lost, damaged or otherwise not made available to CyberArk. If BYOK functionality is enabled by Customer, CyberArk disclaims any and all responsibility and liability for unavailability or non-performance of the SaaS Products caused by loss, damage or any unavailability of the encryption key. 6. Warranties 6.1. Limited SaaS Products Warranty. During the applicable Subscription Term, CyberArk warrants that: (a) the SaaS Products will perform in substantial conformity with the Documentation; and (b) CyberArk will use industry standard measures designed to detect viruses, worms, Trojan horses or other unintended malicious or destructive code in the SaaS Products. The foregoing warranties are void if the failure of the SaaS Products has resulted from negligence, error, or misuse of the SaaS Products (including use not in accordance with the Documentation) by Customer, the Authorized User or by anyone other than CyberArk. Customer shall be required to report any breach of warranty to CyberArk within a period of thirty (30) days of the date on which the incident giving rise to the claim occurred. CyberArk’s sole and exclusive liability, and Customer’s sole and exclusive remedy, for breach of these warranties will be for CyberArk, at its expense, to use reasonable commercial efforts to correct such nonconformity within thirty (30) days of the date that notice of the breach was provided; and, if CyberArk fails to correct the breach within such cure period, Customer may terminate the affected Order and, in such event, CyberArk shall provide Customer with a pro-rata refund of any unused pre-paid fees paid for the period following termination as calculated on a monthly basis for the affected SaaS Products. Without derogating from CyberArk’s obligations under this Agreement, Customer warrants that it shall take and maintain appropriate steps within its control to protect the confidentiality, integrity, and security of its Confidential Information and Customer Data, including: (i) operating the SaaS Products in accordance with the Documentation and applicable law and; and (ii) dedicating reasonably adequate personnel and resources to implement and maintain the security controls set forth in the Documentation. Customer will be responsible for the acts and omissions of its Authorized Users. 6.2. Compliance with Law. Each Party shall comply with all applicable, laws and regulations in connection with the performance of its obligations and the exercise of its rights under this Agreement. 6.3. Disclaimer. Any and all warranties, expressed, incorporated or implied, are limited to the extent and period mentioned in this Agreement. To the maximum extent allowed by applicable law, CyberArk disclaims (and disclaims on behalf of its licensors and/or contributors to any Third-Party Materials) all other warranties, conditions and other terms, whether express or implied or incorporated into this Agreement by statute, common law or otherwise, including the implied conditions and warranties of merchantability and fitness for a particular purpose. CyberArk will have no responsibility or liability for delays, failures or losses (i) attributable or related in any way to the use or CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 6 of 11 implementation of third-party hardware, software or services not provided by CyberArk; or (ii) use of the SaaS Products not in accordance with the Documentation. 7. Indemnification 7.1. Infringement Indemnity. CyberArk shall defend and indemnify Customer and/or its Affiliates and their officers, directors and employees against all third-party claims, suits and proceedings and all directly related losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) resulting from the violation, misappropriation, or infringement of such third party’s patent, copyright, trademark or trade secret caused by Customer’s use of the SaaS Products in accordance with this Agreement and the Documentation. 7.2. Customer Data and Use Indemnity. Customer shall defend and indemnify CyberArk and/or its Affiliates and their officers, directors and employees against any third-party claims, suits and proceedings (including those brought by a government entity), and all directly related losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) resulting from: (i) an alleged infringement or violation by the Customer Data of such third-party’s patent, copyright, trademark, trade secret; or (ii) CyberArk’s use of the Customer Data violating applicable law, provided that such use is in accordance with the terms of this Agreement and (where applicable) with the terms of the DPA and/ or the BAA. 7.3. Process. Each Party’s defense and indemnification obligations herein will become effective upon, and are subject to: (a) the indemnified Party’s prompt notification to the indemnifying Party of any claims in writing; and (b) the indemnified Party providing the indemnifying Party with full and complete control, authority and information for the defense of the claim, provided that the indemnifying Party will have no authority to enter into any settlement or admission of the indemnified Party’s wrongdoing on behalf of the indemnified Party without the indemnified Party’s prior written consent (not to be unreasonably withheld). At the indemnifying Party’s request, the indemnified Party shall reasonably cooperate with the indemnifying Party in defending or settling any claim. 7.4. Exclusions. The above CyberArk obligations to defend and indemnify will not apply in the event that a claim arises from or relates to: (a) use of the SaaS Products not in accordance with the Documentation and this Agreement; (b) Customer’s use of the SaaS Products in violation of applicable laws; (c) any modification, alteration or conversion of the SaaS Products not created or approved in writing by CyberArk; (d) any combination of the SaaS Products with any computer, hardware, software, data or service not provided by CyberArk; (e) CyberArk’s compliance with specifications, requirements or requests of Customer; or (f) Customer’s gross negligence or willful misconduct. 7.5. Remedies. If a SaaS Product becomes, or CyberArk reasonably determines that a SaaS Product is likely to become, subject to a claim of infringement for which CyberArk must indemnify Customer as described above, CyberArk may at its option and expense: (a) procure for Customer the right to continue to access and use that SaaS Product, (b) replace or modify that SaaS Product so that it becomes non-infringing without causing a material adverse effect on the functionality provided by that SaaS Product, or (c) if neither of the foregoing options are available in a timely manner on commercially reasonable terms, terminate the affected Order and provide Customer with a pro-rata refund of any unused pre-paid fees paid for the period following termination as calculated on a monthly basis for that SaaS Product. This section titled “Indemnification” states the sole liability of CyberArk and the exclusive remedy of Customer with respect to any indemnification claims arising out of or related to this Agreement. 8. Limitation of Liability 8.1. Maximum Liability. Except for liability caused by CyberArk’s intellectual property infringement indemnification obligations in section 7.1, Customer’s data infringement indemnity in section 7.2, or Customer’s payment obligations herein, in no event will either Party’s maximum aggregate liability arising out of or related to this Agreement, regardless of the cause of action and whether in contract, tort (including negligence), warranty, indemnity or any other legal theory, exceed the total amount paid or payable to CyberArk under this Agreement during the twelve (12) month period preceding the date of initial claim. 8.2. No Consequential Damages. Neither Party will have any liability to the other Party for any loss of profits or revenues, loss of goodwill, or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with this Agreement, however caused, whether in contract, tort (including negligence), warranty, CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 7 of 11 indemnity or any other legal theory, and whether or not the Party has been advised of the possibility of such damages. 8.3. Construction. This Agreement is not intended to and will not be construed as excluding or limiting any liability which cannot be limited or excluded by applicable law, including liability for (a) death or bodily injury caused by a Party’s negligence; or (b) gross negligence, willful misconduct, or fraud. 9. Assignment. Neither Party may assign any of its rights or obligations under this Agreement without the other Party’s prior written consent, which will not be unreasonably withheld. Notwithstanding the foregoing, either Party may assign any and all of its rights and obligations under this Agreement to a successor in interest in the event of a merger or acquisition or to an Affiliate, upon written notice to the other Party. 10. Restricted Rights and Export Control 10.1. Export Control. The exportation of the SaaS Products and Documentation, and all related technology and information thereof are subject to U.S. laws and regulations pertaining to export controls and trade and economic sanctions, including the U.S. Export Administration Act, Export Administration Regulations, the Export Control Reform Act, and the Office of Foreign Assets Control’s sanctions programs, the laws of the State of Israel, and the laws of any country or organization of nations within whose jurisdiction Customer (or its Authorized Users who may use or otherwise receive the SaaS Products as expressly authorized by this Agreement) operates or does business, as amended, and the rules and regulations promulgated from time to time thereunder. Specifically, Customer hereby undertakes not to export, re-export, access or grant access to the SaaS Products and all related technology, information, materials and any upgrades thereto to: (a) any Prohibited Persons; (b) any country to which such export, re-export or access from is restricted or prohibited per the foregoing applicable laws; or (c) otherwise in violation of any applicable export or import restrictions, laws or regulations. Customer also certifies that it is not a Prohibited Person nor owned, controlled by, or acting on behalf of a Prohibited Person. 10.2. Commercial Computer Software and FedRAMP Products. If Customer is an agency or contractor of the United States Government, Customer acknowledges and agrees that: (i) the SaaS Products (including any software forming a part thereof) were developed entirely at private expense; (ii) the SaaS Products (including any software forming a part thereof) in all respects constitute proprietary data belonging solely to CyberArk; (iii) the SaaS Products (including any software forming a part thereof) are not in the public domain; and (iv) the software forming a part of the SaaS Products is “Commercial Computer Software” as defined in sub-paragraph (a)(1) of DFARS section 252.227-7014 or FAR Part 12.212. Customer shall provide no rights in the Software (including any software forming a part thereof) to any U.S. Government agency or any other party except as expressly provided in this Agreement. If Customer places an Order for SaaS Products which are designated as “FedRAMP Authorized,” the CyberArk Rider to SaaS Terms of Service for FedRAMP Products found at https://www.cyberark.com/contract- terms/ is incorporated herein and will apply to CyberArk’s provision of such SaaS Products. 11. Professional Services. Customer may separately purchase from CyberArk professional services in relation to the SaaS Products as may be generally available by CyberArk to its customers, pursuant to CyberArk’s then applicable professional services terms. 12. Term and Termination 12.1. Term. This Agreement will be effective upon Customer’s first access of a SaaS Product and shall remain in force during the applicable Subscription Term of the SaaS Product or throughout Customer’s continued use of the SaaS Product, as applicable. 12.2. Termination. Either Party may terminate this Agreement immediately upon notice to the other Party if the other Party: (i) materially breaches this Agreement and fails to remedy such breach within thirty (30) days after receiving written notice of the breach from the other Party; or (ii) commences bankruptcy or dissolution proceedings, has a receiver appointed for a substantial part of its assets or ceases to operate in the ordinary course of business. In addition, a Party may terminate this Agreement, a SOW, or an Order , in whole or in part, or cease provision of the SaaS Products if required to comply with applicable law or regulation, and such termination will not constitute a CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 8 of 11 breach of this Agreement by the terminating Party. CyberArk reserves the right to suspend Customer’s access to the applicable SaaS Products upon written notice to Customer if: (a) an invoice is more than thirty (30) days past due; or (b) a material breach of this Agreement fails to be cured within thirty (30) days. CyberArk will promptly reinstate Customer’s access and use of the SaaS Products/provision of the Professional Services once the issue has been resolved. Upon termination or expiration of the Agreement or an Order, (x) any accrued rights and obligations will survive; (y) all outstanding fees and other charges under the Agreement or Order (as applicable) will become immediately due and payable, and (z) Customer will have no further right to access or use the applicable SaaS Products or professional services. If Customer is converting its perpetual self-hosted software licenses to a SaaS Product, the applicable previously licensed perpetual self-hosted software licenses will be terminated, along with any associated support services, in accordance with the terms of the applicable Order. 12.3. Effects of Termination/Expiration. Upon termination or expiration of an applicable Subscription Term, CyberArk may immediately deactivate Customer’s account, and: (i) Customer will have no further right to access or use the SaaS Products, except for the limited right to access or use the SaaS Products for purposes of exporting Customer Data in accordance with the applicable Documentation; and (ii) each Party shall return or destroy any tangible Confidential Information of the other Party within its possession or control that is not contained on the SaaS Products promptly upon receiving written request from the other Party. Customer acknowledges that it is responsible for exporting any Customer Data to which Customer desires continued access after termination/expiration, and CyberArk shall have no liability for any failure of Customer to retrieve such Customer Data and no obligation to store or retain any such Customer Data beyond 40 days following termination or expiration of the Customer’s Subscription Term. Any Customer Data contained on the SaaS Products will be deleted within 60 days of termination or expiration of Customer’s Subscription Term. 13. Miscellaneous 13.1. Independent Contractors. Nothing in this Agreement will be construed to imply a joint venture, partnership or principal-agent relationship between CyberArk and Customer, and neither Party will have the right, power or authority to obligate or bind the other in any manner whatsoever. 13.2. Notices. All Notices will be in writing and will be deemed to have been duly given: (a) when delivered by hand; (b) three (3) days after being sent by registered or certified mail, return receipt requested and postage prepaid; (c) one (1) day after deposit with a nationally recognized overnight delivery or express courier service; or (d) when provided via email when the sender has received a delivery/read receipt. Notices for CyberArk should be sent to the following addresses: (i) for physical Notices the address specified for CyberArk in section 13.4 “Governing Law and Jurisdiction” and; (ii) for electronic Notices to: contract-notices@cyberark.com. In the event that Customer has any technical support-related queries, the contact information for support can be found at: https://www.cyberark.com/customer-support/. 13.3. Force Majeure. With the exception of Customer’s payment obligations herein, neither Party will be liable to the other Party for any delay or failure to perform which is due to fire, pandemic, virus, epidemic, travel advisories as to health, security and/or terrorism, flood, lockout, transportation delay, war, acts of God, governmental rule or order, strikes or other labor difficulties, or other causes beyond its reasonable control. However, in such event, both Parties will resume performance promptly after the cause of such delay or failure has been removed. 13.4. Governing Law and Jurisdiction. Each Party agrees to the applicable governing law below without regard to choice or conflicts of law rules, and to the exclusive jurisdiction of the applicable courts below with respect to any dispute, claim, action, suit or proceeding (including non-contractual disputes or claims) arising out of or in connection with this Agreement, or its subject matter or formation. To the extent not prohibited by applicable law, each of the Parties hereby irrevocably waives any and all right to trial by jury in any legal proceeding arising out of or related to this Agreement. CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 9 of 11 CyberArk entity entering into Agreement: With Principal Office at: Choice of Law: Exclusive Jurisdiction: CyberArk Software, Inc. 60 Wells Avenue, Newton, MA 02459, U.S.A. Laws of Commonwealth of Massachusetts, U.S.A. Courts of Boston, Massachusetts, U.S.A. Cyber-Ark Software (UK) Ltd. One Pear Place, 152-158 Waterloo Road, London, SE1 8BT, U.K. Laws of England and Wales Courts of London, England CyberArk Software Ltd. 9 Hapsagot St. Park Ofer 2, P.O. Box 3143, Petach-Tikva 4951040, Israel Laws of Israel Courts of Tel Aviv Jaffa, Israel CyberArk Software Canada Inc. TD Canada Trust Tower, 161 Bay Street, 27th Floor, PO Box 508 Toronto, Ontario, M5J 2S1, Canada Laws of Ontario and the federal laws of Canada applicable therein Courts of Toronto, Ontario, Canada CyberArk Software (Singapore) Pte. Ltd. 250 North Bridge Road, #14-01, Raffles City Tower, Singapore 179101 Laws of Singapore Courts of Singapore CyberArk Software (Japan) K.K. Otemachi One Tower 6F, 1-2-1, Otemachi, Chiyoda-ku, Tokyo Laws of Japan Courts of Japan CyberArk Software (India) Private Limited My Home Twitza, 4th Floor, Plot Nos.30/A, Survey No.83/1, Beside Skyview, APIIC - Hyderabad Knowledge City, Hyderabad Telangana 500081 Laws of India Courts of Hyderabad, India CyberArk Software (Australia) Pty Ltd Level 26, Suite 1, 259 George Street, Sydney NSW 2000 Laws of Victoria, Australia Courts of Melbourne, Australia CyberArk Turkey Siber Güvenlik Yazılımı A.Ş. Plaza Cubes, Barbaros Mahallesi, Kardelen Sokak Palladium Tower 2/1 34746 Atasehir, Istanbul Laws of Israel Courts of Tel Aviv Jaffa, Israel 13.5. Entire Agreement, Execution, and Modification. This Agreement supersedes all prior agreements and representations between the Parties regarding the subject matter of this Agreement. The terms and conditions contained in any Order issued by Customer will be of no force or effect, even if the Order is accepted by CyberArk. CyberArk may make changes to these Terms of Service from time to time. If CyberArk makes a material change to any of the foregoing, CyberArk will inform Customer by e-mail to the e-mail address(es) noted on the Order (or subsequently designated by Customer in writing as a contact for notifications from CyberArk), or through a banner or other prominent notice within the SaaS Products, or through the CyberArk support platform. If Customer does not agree to the change, Customer must so notify CyberArk by e-mail to contract-notices@cyberark.com within thirty (30) days after CyberArk’s notice. If Customer so notifies CyberArk, then Customer will remain governed by the most recent terms of service applicable to Customer until the end of the then-current year of the Subscription Term and the updated terms shall apply upon the commencement of the subsequent Subscription Term. 13.6. Severability and Waiver. This Agreement shall be deemed severable, and the invalidity or unenforceability of any term or provision hereof shall not affect the validity or enforceability of this Agreement or of any other term or provision hereof. Should any term or provision of this Agreement be declared void or unenforceable by any court of competent jurisdiction, the Parties intend that a substitute provision will be added to this Agreement that, to the greatest extent possible, achieves the intended commercial result of the original provision. The failure of either Party CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 10 of 11 to enforce any rights granted to it hereunder or to take action against the other Party in the event of any breach hereunder will not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. 13.7. Definitions and Interpretation. The following definitions and rules of interpretation apply in this Agreement: “Affiliate” means a company controlling, controlled by, or under common control with a Party (an entity will be deemed to have control if it owns over 50% of another entity or the ability to direct the management of the entity by contract or otherwise). “Agents” means CyberArk’s proprietary software, systems and locally-installed software agents and connectors including mobile applications that interact with the SaaS Products as may be provided by CyberArk in connection with the SaaS Products. “Applicable Data Protection Laws” means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance and secondary legislations, each as updated or replaced from time to time, including: (a) the General Data Protection Regulation (EU 2016/679) (the “GDPR”) and any applicable national implementing laws; (b) the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018; (c) the Privacy and Electronic Communications Directive (2002/ 58/ EC) and any applicable implementing laws, including the Privacy and Electronic Communications Regulations 2003 (SI 2003/ 2426) (“EC Directive”); (d) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); (e) U.S. legislation (e.g. the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”); and (f) any other laws that may be applicable. “Authorized Users” means employees, agents, consultants, contractors, or vendors authorized by Customer to use the SaaS Products solely for the internal use of Customer and its Affiliates, subject to the terms and conditions of this Agreement. For the avoidance of doubt, licenses associated with SaaS Products purchased as a bundle (under a single product code) cannot be separated between different Authorized Users. “Channel Partner” means a third-party business entity that CyberArk has appointed as an approved partner to as applicable, distribute, re-sell and support the SaaS Products. “Confidential Information” means all information provided by the disclosing Party to the receiving Party concerning the disclosing Party or its Affiliates’ business, products or services that is not generally known to the public, including information relating to customers, vendors, trade secrets, prices, products, services, computer programs and other intellectual property and any other information which a Party should reasonably understand to be considered Confidential Information whether or not such information is marked “Confidential” or contains such similar legend by the disclosing Party at the time of disclosure. “Customer Data” means all data and/or content uploaded to the SaaS Products by Customer (including where applicable Authorized Users), and in all data derived from it (other than Usage Analytics). “CyberArk” means the CyberArk legal entity providing the SaaS Product to Customer pursuant to this Agreement, at the address specified in section 13.4 “Governing Law and Jurisdiction. “Documentation” means the user guides, installation documents, and specifications for the SaaS Products that are made available from time to time by CyberArk in electronic or tangible form and found at docs.cyberark.com, including the documentation located therein under the ‘Security’ section for the relevant SaaS Products, but excluding any sales or marketing materials. “Indirect Order” means an Order for the Software or Services from a Channel Partner of Customer’s choosing pursuant to an independent commercial agreement. CyberArk SaaS Terms of Service (Global) Rev. 17 May 2024 Page 11 of 11 “Indirect Taxes” means excise, sales, use, gross-turnover, value added, goods and services tax or other similar types of indirect taxes on turnover and/or revenues, duties, customs or tariffs (however designated, levied or based and whether foreign or domestic, federal, state or province). “Intellectual Property” means a Party’s proprietary material, technology, or processes (excluding the SaaS Products and Documentation), including services, software tools, proprietary framework and methodology, hardware designs, algorithms, objects and documentation (both printed and electronic), network designs, know- how, trade secrets and any related intellectual property rights throughout the world (whether owned or licensed by a third party) and any derivatives, improvements, enhancements or extensions of such Intellectual Property conceived, reduced to practice, or developed. “Notice” means any formal legal notice or equivalent communication required or permitted under this Agreement. “Order” means CyberArk’s quote accepted by Customer via Customer’s purchase order or other ordering document received by CyberArk (directly or indirectly through a Channel Partner) to order CyberArk’s SaaS Products, which references the SaaS Products, pricing, payment terms, quantities, expiration date and other applicable terms set forth in an applicable CyberArk quote or ordering document. “OSS Licenses” means the respective open source licenses that the Third-Party Materials are subject to. “Prohibited Persons” means anyone on the U.S. Commerce Department’s Denied Persons, Entity, or Unverified Lists or the U.S. Treasury Department’s list of Specially Designated Nationals and Consolidated Sanctions list. “SaaS Products” means the software-as-a-service products specified in the Order as further described in the Documentation (including any updates and upgrades to the SaaS Products provided by CyberArk in its sole discretion, and any software, systems and locally-installed software agents and connectors that interact with the SaaS Products as may be provided by CyberArk in connection with the SaaS Products), provided that any free trial SaaS software, proof of concept of the SaaS Products, beta version of the SaaS Products, or any other free-of- charge software product will be subject to Section 1.4 of this Agreement. “Subscription Term” means the period of time during which Customer is subscribed to the SaaS Products, as specified in an Order and which shall begin upon delivery of the SaaS Products. “Suggestions” means, any feedback, ideas or suggestions for improvements, new features, customer experience, functionalities, corrections, enhancements or changes to the SaaS Products suggested by Customer to CyberArk, excluding any Customer Data and Customer Intellectual Property. “Support Services” means the maintenance and technical support services for the SaaS Products provided by CyberArk to Customer as part of an active SaaS Products subscription, set out at https://www.cyberark.com/maintenance-support-terms.pdf. “Third-Party Materials” means open source software programs that are made available by third parties under their respective OSS Licenses. “Usage Analytics” means data generated or collected in connection with Customer’s access, use and configuration of the SaaS Products and data derived from it (e.g. metadata, types of applications or accounts utilized or interacting with the SaaS Products). Any words following the terms including or include shall be regarded as examples only and not construed as an exhaustive list.