KPMG Risk Hub - SaaS Terms and Conditions (UAE)

These Terms and Conditions (“Terms”) govern the use of the KPMG Risk Hub software-as-a-service platform (the “Service”) offered by KPMG Lower Gulf Limited (“KPMG”) via the Microsoft Azure Marketplace. By purchasing, accessing, or using the Service, you (the “Customer”) acknowledge that you have read and agree to be bound by these Terms. These Terms focus on licensing of the Service, support commitments, and usage rights and limitations, and are governed by the laws of the United Arab Emirates as described below.

Important Eligibility Note: This Service is not available to any KPMG audit clients (including audit clients of any KPMG member firm). If a Customer becomes an audit client of KPMG or any KPMG member firm during the term, KPMG may terminate the Service as described in Section 5 below to comply with professional independence requirements.

1. License Grant and Authorized Use

KPMG grants the Customer a limited, non-exclusive, non-transferable, and non-sublicensable right during the agreed subscription term to access and use the Risk Hub Service solely for the Customer’s own internal business purposes. This license permits use of the Service only in accordance with these Terms and any applicable Azure Marketplace transaction documents. All rights not expressly granted to the Customer are reserved by KPMG and its licensors.

• Authorized Users: The Service may be used only by the Customer’s employees or contractors who are bound by these Terms (collectively, “Authorized Users”). The Customer is responsible for all use of the Service by its Authorized Users and shall ensure such users maintain the confidentiality of any access credentials.
• Scope of Use: The Service is provided as a hosted SaaS solution. The Customer may access and use the Service online for its internal operations and processing of its own data.
The Service and any accompanying user documentation are to be used only for the Customer’s legitimate business needs and in accordance with all applicable laws and regulations.

2. Usage Restrictions

The Customer shall not, and shall not permit any affiliate, third party, or Authorized User to, do any of the following with respect to the Service (including any underlying software or content):

• No Resale or Transfer: Sell, rent, lease, sublicense, distribute, or otherwise deal in or make the Service (or any part of it) available to any third party (except Authorized Users within Customer’s organization). The license is for the Customer’s internal use only and any attempted transfer or distribution of the Service or software is prohibited.
• No Reverse Engineering: Copy, modify, decompile, disassemble, reverse engineer, or otherwise attempt to derive source code or trade secrets from any software component of the Service, except to the limited extent (if any) such actions are expressly permitted by applicable law notwithstanding this restriction.
• No Derivative Works: Create any derivative works based on the Service or on any KPMG confidential information or proprietary content embedded in the Service. The Customer shall not use the Service or KPMG’s confidential information to develop or improve a competing product or service.
• No Service Bureau Use: Use the Service to provide services to third parties as a service bureau, or otherwise use the Service on behalf of or for the benefit of any entity besides the Customer’s own organization (for example, no timesharing or outsourcing use).
• Authorized Users Only: Allow any person or entity other than Authorized Users to access or use the Service without KPMG’s prior written consent. The Customer may not share access credentials with third parties or unlicensed users. If the Customer is allowed to extend use to any affiliate or third party by separate agreement, the Customer remains liable for any such use.
• No Unlawful or Prohibited Use: Use the Service in any manner that violates applicable laws or regulations, including (without limitation) all applicable UAE laws, or in any manner that infringes the rights of any third party. The Customer is solely responsible for ensuring that its use of the Service (including all data input into the Service) is in compliance with all applicable laws.

KPMG may implement technical restrictions in the Service to enforce the permitted scope of use (for example, user count limits or access constraints). The Customer agrees not to circumvent or attempt to disable any such technical measures. If the Customer’s use of the Service exceeds the contracted scope or otherwise breaches these Terms, KPMG reserves the right to suspend or limit the Customer’s access until the issue is resolved.

3. Support and Maintenance

KPMG will provide technical support and maintenance services for the Service as part of these Terms:

• Support Availability: KPMG will use commercially reasonable efforts to respond to Customer support requests and resolve incidents in a timely manner. Support is generally provided during normal business hours (Monday to Friday during KPMG’s standard support hours) or as otherwise specified in the Azure Marketplace offering or related documentation. All requests for support or assistance should be directed to KPMG’s support channels (and not to any third-party cloud or software providers). KPMG will keep the Customer informed of issue resolution progress and may provide a support manual or knowledge base for self-help.
• Service Levels and Uptime: KPMG will use reasonable endeavors to ensure that the Service is available to the Customer with minimal downtime. The Service is intended to be available 24x7, except for scheduled maintenance windows or required emergency maintenance.
KPMG will schedule routine maintenance during off-peak hours when possible and will provide advance notice to the Customer for any planned significant downtime. The Customer acknowledges that occasional maintenance or updates may temporarily render the Service unavailable, and KPMG will work to minimize any disruption.
• Updates and Upgrades: The Customer agrees that KPMG may apply updates, upgrades, patches, or other modifications to the Service from time to time to improve functionality, security, or performance. KPMG will maintain the Risk Hub platform by implementing software updates and enhancements (at least two updates per calendar year are planned) and will notify Users of scheduled system upgrades. Such updates may change the functionality or user interface of the Service; however, they will not materially reduce the core features of the Service during the subscription term.
• Data Backups: As part of maintenance, KPMG will take appropriate measures, including regular backups, to protect Customer data stored in the Service against loss or damage. In the event of any system issue, KPMG will work to restore availability and recover data from backups as needed. (The Customer is also encouraged to maintain its own backups or exports of critical data as a best practice.)
• Support Scope: Support services are limited to addressing issues or errors in the Service and providing general guidance on use of the Service. Support does not include dedicated consulting, on-site assistance, or support for third-party systems outside the Service’s control, unless otherwise agreed. If the Customer requires assistance that exceeds standard support (for example, extensive training beyond provided materials or help with custom integrations), KPMG may require a separate agreement or charge for such additional services.

4. Customer Responsibilities

The Customer bears the following responsibilities in connection with its use of the Service:

• Customer Data and Content: The Customer is solely responsible for the accuracy, quality, and legality of the data and content it inputs into the Service. The Customer must obtain all necessary rights and consents to use such data with the Service. Prohibited Data: The Customer will not upload or transmit any data that is illegal under applicable law (e.g. data that is defamatory or violates privacy laws) or that contains viruses or malicious code. KPMG is not responsible for any Customer data that does not comply with these requirements, and the Customer shall indemnify KPMG for any third-party claims arising from such data.
• Compliance with Laws: The Customer must use the Service in compliance with all laws and regulations applicable to its business and the jurisdiction in which it operates, including all applicable laws of the United Arab Emirates. Any guidance, templates, or content provided within the Risk Hub Service are for informational purposes only and do not constitute legal, accounting, or other professional advice. The Customer is solely responsible for obtaining its own legal or professional advice to ensure compliance with its regulatory obligations. Use of the Service does not guarantee compliance with any law or regulation, and the Customer remains responsible for its own compliance requirements.
• Security and Access: The Customer must safeguard its account credentials and ensure that only Authorized Users access the Service. If the Customer becomes aware of any unauthorized access or misuse of its account, it shall promptly notify KPMG. The Customer shall use reasonable security measures to protect its systems and network when accessing the Service.
KPMG reserves the right to suspend access to the Service if unauthorized or fraudulent activity is detected and will cooperate with the Customer to restore normal use once security is assured.
• Cooperation: The Customer will reasonably cooperate with KPMG in connection with support or maintenance activities. This includes providing necessary information about issues, assisting with troubleshooting steps, and making available knowledgeable personnel to communicate with KPMG’s support team. The Customer shall also ensure its systems meet any minimum requirements (e.g. supported web browser versions, connectivity) for using the Service as documented by KPMG.

5. Independence and Audit Client Exclusion

KPMG provides the Service subject to strict professional independence rules. This offering is not available to any entity that is an audit client of KPMG or of any member firm of the KPMG global network. By entering into these Terms, the Customer affirms that it is not a KPMG audit client and is not acting on behalf of a KPMG audit client. If during the term of the subscription the Customer becomes an audit client of KPMG (or if the Customer is acquired by or merges with an entity that is a KPMG audit client), KPMG may immediately terminate the Service and this Agreement to comply with auditor independence regulations. Such termination for independence reasons shall be deemed a termination for cause by KPMG. In the event of termination due to auditor independence requirements, Section 9 below (Effect of Termination) will apply, and the Customer will be provided a pro-rata refund of any pre-paid fees covering the remaining term (if applicable), except to the extent prohibited by Azure Marketplace rules.

The Customer acknowledges that KPMG’s obligation to adhere to professional ethical standards is paramount.
KPMG shall not be obligated to perform (and shall be entitled to suspend or cease) any Service that, in KPMG’s reasonable judgment, would risk impairing its independence or violating any professional standards or laws applicable to KPMG’s auditing services. This Section 5 prevails over any contrary provision of these Terms.

6. No Advisory or Other Professional Services

The Service provided under these Terms is limited strictly to the provision of the software platform and standard support as described herein. No consulting, advisory, auditing, or other professional services are provided or included under this Agreement. The parties agree that:

• No Advisory Services: KPMG’s offering of the Risk Hub Service does not constitute or include any form of advisory or consulting service (such as management consulting, financial advice, auditing, or regulatory consulting). Any guidance, analyses, alerts or reports generated by or through the Service are intended to assist the Customer’s internal workflows but do not constitute professional advice from KPMG. The Customer should consult its own advisors for any advice in areas such as legal, accounting, tax, or compliance, and remains responsible for decisions taken based on results or outputs from the Service.
• Separate Engagement for Additional Services: If the Customer desires any professional services outside the scope of these Terms – for example, customization of the Service beyond standard configuration, implementation consulting, training beyond the included standard training, or any form of advice – a separate written agreement with KPMG would be required. KPMG’s standard Risk Hub subscription does not include special customizations or additional consulting services beyond the hosted software and support. Any such additional services, if agreed, would be subject to separate fees and terms.
• Independence and Purpose: Providing this Service to the Customer does not create a client relationship in the sense of audit, tax, or advisory engagement. The Service is a technology tool provided on a subscription basis. The Customer agrees that it is not relying on KPMG for any advisory outcomes, and KPMG disclaims any duties beyond those expressly set forth in these Terms.

By keeping the scope of this Agreement limited to the licensing of the SaaS platform and associated support, both parties acknowledge that no other commitments or services (such as implementation consulting or regulatory advice) are being provided under these Terms.

7. Intellectual Property and Ownership

All intellectual property rights in and to the Service, including the underlying software, technology, templates, documentation, and content provided by KPMG, are and shall remain the exclusive property of KPMG or its licensors. The Service is KPMG’s proprietary software offering, and no rights are granted to the Customer to use KPMG’s name, logos, or other trademarks, except as necessary for use of the Service in accordance with these Terms.

• License, Not Sale: The Customer is granted a subscription license to use the Service; no purchase or sale of software or intellectual property is occurring. No title or ownership of the software or any part of the Service is transferred to the Customer. KPMG and its licensors retain all right, title, and interest in the Service and all copies, modifications, and derivative works of the software (including any that may be created by or for the Customer in violation of these Terms).
• Restrictions on IP Use: The Customer shall not remove, obscure, or alter any copyright, trademark, or proprietary notices affixed to or contained within the Service or related documentation.
Any feedback or suggestions provided by the Customer to KPMG regarding the Service may be used by KPMG without obligation, and any improvements or modifications to the Service made by KPMG remain KPMG’s property.
• Third-Party Components: To the extent the Service incorporates any third-party software or open-source components, such components are owned by their respective owners and are licensed to Customer under the applicable license terms. KPMG represents that it has the necessary rights to provide all functionality of the Service to the Customer under these Terms.

8. Term and Termination

Term: The term of this Agreement corresponds to the subscription period for the Service as set out in the Azure Marketplace transaction or private offer accepted by the Customer. The subscription will begin on the date the Customer’s access to the Service is activated and continue for the agreed term (e.g. an annual or monthly period), unless terminated earlier in accordance with these Terms. Subscription renewals, if any, will be handled via Azure Marketplace or as otherwise agreed in writing.

Termination by Customer: The Customer may terminate the subscription by providing notice of non-renewal through Azure Marketplace (effective at the end of the then-current term) or by terminating for cause if KPMG materially breaches these Terms and fails to cure such breach within a reasonable period after written notice. No refund of fees is due for termination by Customer for convenience during a term (Azure Marketplace terms may apply additional rules for cancellation).
Termination/Suspension by KPMG: KPMG may suspend or terminate the Customer’s access to the Service (in whole or in part) upon written notice to the Customer if: (a) the Customer materially breaches these Terms (including non-compliance with the usage restrictions or failure to pay any applicable fees) and does not cure the breach within 30 days of notice; or (b) continued provision of the Service to the Customer would violate applicable law or professional regulations, or would compromise KPMG’s independence (see Section 5 above). In addition, KPMG reserves the right to suspend the Service immediately in the event the Customer’s use poses a security risk or could adversely impact the Service or other customers (in which case KPMG will work with the Customer in good faith to resolve the issue and resume Service).

Effect of Termination: Upon any expiration or termination of the Agreement or subscription term for any reason:

• The Customer’s rights to access and use the Service will immediately cease. The Customer shall promptly discontinue all use of the Service and delete or destroy any locally stored KPMG software or confidential materials related to the Service (if any).
• KPMG will, upon the Customer’s written request made at or before termination, provide the Customer with a copy of its data stored in the Service (for example, by providing an export of Customer data in a commonly used format such as Excel). KPMG may charge a reasonable fee if extraordinary efforts are required to extract or deliver such data. Any request for data export must be made no later than 30 days after termination effective date.
• Following termination, KPMG will delete the Customer’s data from the active Service environment in line with KPMG’s data retention and deletion policies. KPMG is not obligated to retain Customer data after the termination effective date, except to the extent required by law or expressly agreed in writing.
It is the Customer’s responsibility to ensure it has obtained the needed data exports prior to data deletion.
• Any provisions of these Terms which by their nature should survive termination (such as confidentiality, limitations of liability, accrued rights to payment, and governing law) shall survive. Termination shall not relieve the Customer from liability for breaches occurring prior to termination. If termination is due to a breach by the Customer, KPMG reserves any legal rights and remedies, including the right to pursue fees due (for the full term, in case of an unpermitted early termination by Customer) and compensation for misuse of the Service. If termination is for KPMG’s convenience or due to an independence conflict, the Customer will be entitled to a pro-rata refund of any pre-paid unused fees (if applicable, and handled according to Azure Marketplace refund policies).

9. Disclaimer of Warranties

As-Is Service: The Service is provided on an “as is” and “as available” basis. To the maximum extent permitted by applicable law, KPMG makes no warranties or conditions, express or implied, concerning the Service, its availability, accuracy, or performance. KPMG expressly disclaims all implied warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, title, non-infringement, and any warranties arising from course of dealing or usage of trade.

• KPMG does not warrant that the Service will be error-free or uninterrupted, or that all defects will be corrected. While KPMG will use reasonable efforts as described in these Terms to maintain and support the Service, the Customer acknowledges that complex software is never wholly free from errors or vulnerabilities, and downtime may occur.
• No information or advice (written or oral) given by KPMG, its employees, or agents shall create any warranty. The Customer has independently evaluated the Service and is relying on its own judgment in using the Service.
The Customer assumes all responsibility for results obtained from the use of the Service and for conclusions drawn from such use.
• Third-Party Services: KPMG makes no warranty regarding any third-party services or integrations that the Customer may use in conjunction with the Service. Any such third-party services are subject to their own terms and are outside the scope of KPMG’s responsibility.

Some jurisdictions do not allow the exclusion of certain warranties. If UAE law or other applicable law prohibits the disclaimer of any warranty in this Section 9, then such warranty is not disclaimed but is limited in duration to 30 days from the start of the Service or the minimum period permitted by law.

10. Customer agrees to defend, indemnify, and hold Service Provider and its officers, directors, employees, consultants, and agents harmless from and against any and all damages, costs, liabilities, expenses (including, without limitation, reasonable attorneys’ fees), and settlement amounts incurred in connection with any claim arising from or relating to Customer’s: (i) breach of any of its obligations/responsibilities set forth in Section 4 (Customer Obligations); (ii) Customer’s gross negligence or willful misconduct; (iii) actual or alleged use of the Application in violation of these SaaS Terms or applicable law by Customer or any Authorized Users; (iv) any actual or alleged infringement or misappropriation of third party intellectual property rights arising from data provided to Service Provider by the Customer or otherwise inputted into the Application, whether by the Customer, an Authorized User or otherwise including Customer Work Product (as defined below); and/or (v) any violation by Customer or its Authorized Users, of any terms, conditions, agreements or policies of any third party service provider.
“Customer Work Product” means that data and those forms developed or acquired by Customer for internal business purposes independent from Service Provider or the Application.

11. Limitation of Liability

To the extent permitted by law, in no event will KPMG (including its officers, directors, employees, and affiliates) be liable to the Customer for any: (a) indirect, special, incidental, punitive, or consequential damages; (b) loss of profits, loss of business opportunity, revenue, or anticipated savings; (c) loss of or damage to data, business interruption, or loss of use of the Service; or (d) claims by third parties (except as explicitly provided for). The foregoing exclusion of liability applies even if KPMG has been advised of the possibility of such damages or losses, and regardless of the theory of liability (contract, tort, or otherwise).

KPMG’s total aggregate liability for all claims arising under or in connection with these Terms or the Service (whether in contract, tort (including negligence) or otherwise) shall be limited to the amount of fees paid or payable by the Customer for the Service in the twelve (12) months immediately preceding the event giving rise to the claim, or if the duration of use has been shorter, then the total amount paid for the Service. If the Service is provided free of charge or as a trial, KPMG’s total liability shall be limited to USD $100.

• Exceptions: Nothing in these Terms excludes or limits liability for death or personal injury caused by KPMG’s gross negligence or willful misconduct, or for KPMG’s fraud or fraudulent misrepresentation, or any liability which cannot be excluded under applicable law.
• The Customer acknowledges that the fees (if any) paid for the Service reflect the allocation of risk set forth in these Terms and that KPMG would not be able to offer the Service economically without these limitations of liability.
This Section 10 will survive and remain in effect for a period of two (2) years following any termination or expiration of the Agreement.

11. Compliance with UAE Laws

Each party shall comply with all laws and regulations that are applicable to its performance under these Terms. In particular, KPMG and the Customer will comply with all applicable United Arab Emirates federal and local laws in connection with the Service. This includes (without limitation) laws relating to data protection and privacy, export control, anti-bribery and sanctions, and any other regulatory requirements relevant to the provision or use of the Service in the UAE. The Customer represents that it has obtained any licenses or approvals required by UAE law to use the Service (if applicable to the Customer’s industry or data). The Customer shall not use, export, or re-export the Service or any software or data in violation of any export laws or sanctions regulations, including UAE export control laws. KPMG may terminate or suspend the Service immediately if it is determined that providing the Service to the Customer or allowing certain data in the Service would violate UAE law or any other applicable law.

If the nature of the Service or the data processed requires compliance with specific UAE regulations (for example, financial free zone regulations, UAE Central Bank guidelines, etc.), the Customer is responsible for informing KPMG and ensuring that its use of the Service is permitted under those regulations. KPMG will reasonably assist the Customer in providing information about the Service needed for the Customer’s regulatory compliance (e.g. information about security certifications or data hosting location), upon request.

12. Governing Law and Dispute Resolution

This Agreement and any disputes or claims arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by the laws of the United Arab Emirates, without regard to its conflict of laws principles. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.

In the event of any controversy or claim arising between the parties out of or relating to the Service or these Terms, the parties shall first attempt in good faith to resolve the matter informally. If a dispute cannot be resolved amicably, it shall be submitted to the exclusive jurisdiction of the courts of Dubai, UAE, or if so elected by KPMG, to binding arbitration under a reputable arbitration center in the UAE. Each party irrevocably submits to the jurisdiction of such courts (or arbitral tribunal) and waives any objections to venue on the grounds of inconvenient forum or similar. Notwithstanding the foregoing, KPMG may seek injunctive or other equitable relief in any jurisdiction to protect its intellectual property or confidential information.

By agreeing to these Terms, both parties confirm that they have the authority to bind their respective organizations and that they intend for these Terms to create legal, valid, and binding obligations enforceable in accordance with its terms. These Terms (together with any Azure Marketplace transaction details and any referenced schedules or documents) constitute the entire agreement between KPMG and the Customer regarding the Service and supersede any prior agreements or understandings related to the subject matter. Any modifications to these Terms must be in writing and agreed by both parties (except that KPMG may update these Terms as required for compliance with UAE law or Azure policies, in which case notice will be provided to the Customer in accordance with Azure Marketplace procedures).
________________________________________

Last Updated: May 15, 2025.

These Terms and Conditions are published for the KPMG Risk Hub offering on Azure Marketplace. By clicking “Get it now” or otherwise accepting a Marketplace offer for the Service, you acknowledge that you have read and agreed to these Terms. Please ensure you read them carefully before using the Service. All use of the Service must remain in compliance with these Terms and with applicable laws.