Project Terms. Customer Dependencies In addition to any other responsibilities or assumptions described in this Agreement, the Customer Dependencies are as follows and the Customer recognises that if it fails to comply with the following dependencies, Vodafone is relieved from performing or delivering the Service and may choose to suspend or terminate this Agreement: • Customer shall perform and complete the responsibilities and assumptions set out in the Customer Prerequisites section prior to the Service Commencement Date; • the Customer will consent to and authorize Vodafone to access the Customer Property and perform the Service; • Customer is solely responsible for: o defining the verified Target IP Addresses; o any legal consequences that can occur from providing Target IP Addresses that the Customer is not authorized to perform the Service on; o determining what third-party property, information, data or other assets is included within the Customer Property; o determining whether any third-party consent, notices, permissions or licenses are required for Vodafone to perform the Service; o obtaining any such consents, permissions or licenses or providing such notices (including from third-parties and Customer employees) necessary for Vodafone to perform its obligations under this Agreement; o ensuring the availability of the Customer personnel and resources for the duration of the Service as necessary for the performance of the Service, or as otherwise agreed upon by Vodafone and Customer. Customer will commit the necessary resources and management involvement to support the Service. 
Customer acknowledges that material impacts to the Service including the schedule, scope and estimated or agreed upon costs may result from Customer resources being unavailable; and o implementing a process to ensure that if Customer’s information security team detects Vodafone’s activities under the Service, such detection will be escalated to Customer’s senior management, or such other knowledgeable Customer personnel, who can intervene prior to such activity being reported outside of Customer’s organisation (e.g. to law enforcement) or, if such activity is reported outside of Customer’s organisation, Customer will promptly clarify that Vodafone was acting with Customer’s full knowledge and consent; • decisions to be made by the Customer will be made promptly and without delay; • Customer must provide necessary support for Vodafone obtaining any required visas and/or travel authorisations; • Customer will perform any remediation activities required to reinstate its systems and data after completion of the Service. Vodafone will have no liability for any losses arising out of Customer’s failure to do so; • any other Customer responsibility that Vodafone and Customer mutually agree upon in writing; • Customer shall be responsible for delivering all communications internal to Customer regarding the Service, including communications intended to inform Customer staff about the Service, any impact it may have on Customer employees and personnel, and any training necessary to impacted Customer employees and personnel; • Customer must be aware of the risks associated with the Service and must have taken the necessary pre-testing steps (e.g. data backup, internal communications etc.) to help minimize these risks. 
These can include: o careful selection of in-scope targets, for example, avoiding business critical systems in production environment, old/unstable systems, Operational Technology (OT) systems; o communicate timelines and scope of activities with involved staff/departments, such as, a Security Operation Centre, network administrators, system owners; and o ensure disaster recovery procedures are in place; • Customer shall use its commercially reasonable efforts to provide accurate and complete information, data and documentation in a timely manner, as required by Vodafone, and shall promptly notify Vodafone if it learns that any information, data or documentation previously provided to Vodafone is materially inaccurate or incomplete. • In the event of penetration testing that includes Customer cloud Infrastructure, the Customer will be responsible for getting the necessary approvals from the Cloud Service Provider and clarify the rules of engagement with Vodafone before the execution of the tests; • Customer acknowledges that Vodafone uses, among others, the following techniques, and that Customer does not object to this: o Technical operations, false signals, keys or identity to gain access to Customer’s automated systems; o Techniques that may copy and store data encountered on Customer’s automated systems; o A public telecommunication infrastructure or system to use computing capacity of Customer’s automated systems; and o Techniques that may process or transfer the data encountered on Customer’s automated systems, or append data to it; • Customer shall notify Vodafone directly if the Customer requires Vodafone to cease accessing the Customer’s Environment. 
Vodafone shall cease accessing the Customer’s Environment as soon as practicable upon receipt of such request; and • If Customer decides to remediate an exploited vulnerability that allowed Vodafone to gain an elevated level of access prior to the end of the engagement with Vodafone, Customer agrees to provide Vodafone with the same level of access obtained in a controlled secured manner so that Vodafone’s testing can continue. General Assumptions & Dependencies The general assumptions & dependencies applicable for this Service are: • All work is carried out on a fixed fee basis. • There will be no changes to the scope of the Service, as set out in this Agreement. • The Service is not warranted to: • detect or identify all security or network threats to, or vulnerabilities of Customer’s networks or other facilities, assets, or operations; • prevent intrusions into or any damage to Customer’s networks or other facilities, assets, or operations; • return control of a Customer or third party system where unauthorized access or control has occurred; or • meet or help Customer meet any Applicable Law, industry standard or any other requirements including the Payment Card Industry Data Security Standard. It is Customer’s sole responsibility to provide appropriate and adequate security for its company, its assets, systems and employees. • Customer must promptly notify Vodafone of any changes to information provided in either the External Infrastructure Penetration Test Questionnaire or the Internal Infrastructure Penetration Test Questionnaire (as relevant). 
• Vodafone may provide reasonable recommendations, advice or instructions on a particular course of action in the course of performing or as a result of the Service or in the Deliverables to be provided to Customer and if Customer chooses not to follow such reasonable recommendations, advice or instructions, Customer acknowledges that Vodafone shall not be responsible for any losses or claims made by the Customer that arise from Customer’s failure to follow such recommendations, advice or instructions. • While Vodafone will use reasonable care to carry out the Service in line with Good Industry Practice and in a manner designed to mitigate and reduce the risk of damage to Customer Property, Customer acknowledges that there is inherent risk in the provision of the security Service in accordance with this Agreement which may lead to operational degradation, performance impact, breach of Customer policies or industry standards, or otherwise impair Customer Property (each a “Customer Damage” and together the “Customer Damages”) and, Vodafone will not be liable to the Customer or its respective employees or any third parties of the Customer for Customer Damages arising from the foregoing. To the extent possible, prior to commencing any provisioning of the Service, Vodafone shall identify and inform the Customer of any Customer Damage associated with the Service. • Customer agrees that Vodafone has the right to anonymise and aggregate Customer Data that will not in any way reveal the Customer Data as being attributable to the Customer with other data and leverage anonymous learnings and insights regarding use of the Service (the anonymised data, “Vodafone Insights Data”), and that Vodafone owns Vodafone Insights Data and may use Vodafone Insights Data during and after the term of this Agreement solely to develop, provide, and improve Vodafone products and services. 
• Customer agrees that Vodafone is not liable to Customer for Customer Damages provided that Vodafone will use reasonable care to carry out the Service in line with Good Industry Practice and in accordance with the terms of this Agreement. • The Customer agrees that, to the extent permitted by Applicable Law, it shall not bring any claim against Vodafone or any Group Company, whether in tort or otherwise, in connection with the Service or otherwise in relation to the subject matter of this Agreement. • Customer acknowledges that, in providing the Service, Vodafone will access Customer Systems and data. Customer agrees that, in advance of the Agreement Start Date, it shall provide and maintain all necessary consents, permissions, notices and authorisations as that are necessary for Vodafone to perform the Service, including any of the foregoing from employees or third parties; valid consents from or notices to applicable data subjects; and authorisations from regulatory authorities, employee representative bodies or other applicable third parties (“Customer Consent”) in a timely manner as necessary for Vodafone to access and use such System and data to perform the Service under this Agreement, and/or to use any third-party System(s) or data that Vodafone may use or require access to in performing the Service. For purposes of this Clause, “System” means, as applicable, Customer’s or a third party’s computer environment, network, equipment, software and related services. • Customer agrees to provide and maintain the Customer Consents. • Vodafone shall perform the Service in line with the scope of the Service as set out in this Agreement, in accordance with Good Industry Practice, and in reliance on, and in line with, the Customer Consent. • Customer agrees to indemnify Vodafone on an unlimited basis to the extent the Customer fails to provide and maintain the Customer Consents. 
• Vodafone is not responsible for remedying any security issues, vulnerabilities or other problems discovered in the course of performing or as a result of the Service (where such Service is provided in accordance with the terms of this Agreement). • In providing the Service, Vodafone has no intention of committing any civil or criminal offences. • Customer acknowledges and agrees that, no act or omission of Vodafone arising out of or related to Vodafone’s provision of the Services will be deemed to exceed the authorisation as set out in this Agreement, provided that Vodafone has provided the Services in accordance with this Agreement and in line with the relevant agreed scope of services with the Customer and/or the applicable Order. • Customer must promptly notify Vodafone of any changes to Validation Information. • Customer agrees and authorises Vodafone, to retain any indicators of compromise, malware, anomalies, or other metadata found as part of, or related to the performance of the Service (“Metadata”) only for the purposes of gathering and compiling security event log data to look at trends, and real or potential security threats and improving Vodafone’s security services. Vodafone may analyse, copy, store, and use such Metadata provided that such Metadata is compiled or combined in an aggregated, anonymised or pseudonymised, de-identified manner that will not in any way reveal the Metadata as being attributable to the Customer. • To the extent permitted by Applicable Law, the Customer agrees that it shall not bring any claim against Accenture or any Accenture Group Company (or any other third party acting on behalf of Vodafone in providing the Service), whether in tort or otherwise, in connection with the Service or otherwise in relation to the subject matter of this Agreement. 
• The Customer is responsible for: (i) ensuring that the Customers’ use of the Service and associated Deliverables is in accordance with the terms of this Agreement; (ii) ensuring that the scope of the Service to be provided to the Customer meets the Customer’s requirements; and (iii) Customer’s compliance with all Applicable Laws and regulations applicable to Customer in connection with the use of the Service and/or Deliverables. • The Customer agrees to and authorises that Vodafone may, as necessary in performance of the Service: (i) access Customer Property and physically connect, disconnect, install, update, upgrade, manage and operate equipment, tools and software on Customer Property; and (ii) to the extent required to comply with Applicable Laws, take such actions with respect to Customer Property required by law enforcement authorities or regulatory authorities. Materials and Software • Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third-Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. 
• With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Out of scope statement The following are not in scope for the Service: • any Penetration Testing of applications; • any assessment of any systems outside of Customer’s networks (with the exception of any such system that is: (i) within Customer facilities; and (ii) managed directly by Customer; and (iii) communicated with by Customer-owned assets; is considered in-scope for the purposes of the Penetration Testing Services). 
Vodafone and Customer further agree that any interaction with Customer’s third-party cloud services providers will be done in a manner consistent with the Customer’s normal interaction with those third-parties; • any remediation of identified vulnerabilities or other security issues; • any review and analysis of any data or equipment: (i) belonging to an individual outside of their employment with the Customer, without appropriate consent; or (ii) belonging to a third-party where Customer does not have control,
Sources: Professional Services
Project Terms. Customer Dependencies In addition to any other responsibilities or assumptions described in this Agreement, the Customer Dependencies are as follows and the Customer recognises that if it fails to comply with the following dependencies, Vodafone is relieved from performing or delivering the Service and may choose to suspend or terminate this Agreement: • Customer shall perform and complete the responsibilities and assumptions set out in the Customer Prerequisites section prior to the Service Commencement Date; • the Customer will consent to and authorise Vodafone to access the Customer Property and perform the Service as described in this Agreement; • Customer is solely responsible for: o defining the verified Target IP Addresses; o any legal consequences that can occur from providing Target IP Addresses that the Customer is not authorized to perform the Service on; o determining what third-party property, information, data or other assets are included within the Customer Property; o determining whether any third-party consents, notices, permissions or licenses are required for Vodafone to perform the Service; o obtaining any such consents, permissions or licenses or providing such notices (including from third-parties and Customer employees) necessary for Vodafone to perform its obligations under this Agreement; o ensuring the availability of the Customer personnel and resources for the duration of the Service as necessary for the performance of the Service, or as otherwise agreed upon by Vodafone and Customer; o committing the necessary resources and management involvement to support the Service, in each case as reasonably necessary for the performance of the Service; and o implementing a process to ensure that if Customer’s information security team detects Vodafone’s activities under the Service, such activity is not reported outside of Customer’s organisation (e.g. to law enforcement) or, if such activity is inadvertently reported outside of Customer’s organisation, Customer will promptly clarify that Vodafone was acting with Customer’s full knowledge and consent; • Customer acknowledges that material impacts to the Service may result from Customer resources being unavailable; • decisions to be made by the Customer must be made promptly and without delay; • Customer agrees that the findings of the External Vulnerability Scan and the Internal Vulnerability Scan are only accurate and correct as of the point in time the scans are carried out; • Customer will perform any remediation activities required to reinstate its systems and data after completion of the Service. 
Vodafone will have no liability for any losses arising out of Customer’s failure to do so; • any other Customer responsibility that Vodafone and Customer mutually agree upon in writing; • Customer shall be responsible for delivering all communications internal to Customer regarding the Service, including communications intended to inform Customer staff about the Service, any impact it may have on Customer employees and personnel, and any training necessary to impacted Customer employees and personnel; • Customer must be aware of the risks associated with the Service and must have taken the necessary pre-testing steps (e.g. data backup, internal communications etc.) to help minimize these risks. These can include: o careful selection of in-scope targets, for example, avoiding business critical systems in production environment, old/unstable systems, Operational Technology (OT) systems; o communicate timelines and scope of activities with involved staff/departments, such as, a Security Operation Centre, network administrators, system owners; and o ensure disaster recovery procedures are in place; • Customer shall use its commercially reasonable efforts to provide accurate and complete information, data and documentation in a timely manner, as required by Vodafone, and shall promptly notify Vodafone if it learns that any information, data or documentation previously provided to Vodafone is materially inaccurate or incomplete. 
• In the event of an External Vulnerability Assessment that includes Customer cloud Infrastructure, the Customer will be responsible for getting the necessary approvals from the Cloud Service Provider and clarify the rules of engagement with Vodafone before the execution of the tests; • Customer agrees that, in order to identify vulnerabilities in the Customer’s Environment through the Service, Vodafone will consider to be in-scope all Customer Property, including any third-party property, data or other assets within Customer’s networks. Vodafone shall procure that Customer expressly consents and authorises Vodafone to access and evaluate such Customer Property and assets in the provision of the Service. General Assumptions & Dependencies The general assumptions & dependencies applicable for this Service are: • All work is carried out on a fixed fee basis. 
• There will be no changes to the scope of the Service, as set out in this Agreement. • The Service is not warranted to: • detect or identify all security or network threats to, or vulnerabilities of Customer’s networks or other facilities, assets, or operations; • prevent intrusions into or any damage to Customer’s networks or other facilities, assets, or operations; • return control of a Customer or third party system where unauthorized access or control has occurred; or • meet or help Customer meet any Applicable Law, industry standard or any other requirements including the Payment Card Industry Data Security Standard. It is Customer’s sole responsibility to provide appropriate and adequate security for its company, its assets, systems and employees. • Customer must promptly notify Vodafone of any changes to the information provided by Customer in the Vulnerability Assessment Request Form. • Vodafone may provide reasonable recommendations, advice or instructions on a particular course of action in the course of performing or as a result of the Service or in the Deliverables to be provided to Customer and if Customer chooses not to follow such reasonable recommendations, advice or instructions, Customer acknowledges that Vodafone shall not be responsible for any losses or claims made by the Customer that arise from Customer’s failure to follow such recommendations, advice or instructions. 
• While Vodafone will use reasonable care to carry out the Service in line with Good Industry Practice and in a manner designed to mitigate and reduce the risk of damage to Customer Property, Customer acknowledges that there is inherent risk in the provision of the security Service in accordance with this Agreement which may lead to operational degradation, performance impact, breach of Customer policies or industry standards, or otherwise impair Customer Property (each a “Customer Damage” and together the “Customer Damages”) and, Vodafone will not be liable to the Customer or its respective employees or any third parties of the Customer for Customer Damages arising from the foregoing. To the extent possible, prior to commencing any provisioning of the Service, Vodafone shall identify and inform the Customer of any Customer Damage associated with the Service. • Customer agrees that Vodafone has the right to anonymise and aggregate Customer Data that will not in any way reveal the Customer Data as being attributable to the Customer with other data and leverage anonymous learnings and insights regarding use of the Service (the anonymised data, “Vodafone Insights Data”), and that Vodafone owns Vodafone Insights Data and may use Vodafone Insights Data during and after the term of this Agreement solely to develop, provide, and improve Vodafone products and services. • Customer agrees that Vodafone is not liable to Customer for Customer Damages provided that Vodafone will use reasonable care to carry out the Service in line with Good Industry Practice and in accordance with the terms of this Agreement. • The Customer agrees that, to the extent permitted by Applicable Law, it shall not bring any claim against Vodafone or any Group Company, whether in tort or otherwise, in connection with the Service or otherwise in relation to the subject matter of this Agreement. • Customer acknowledges that, in providing the Service, Vodafone will access Customer Systems and data. 
Customer agrees that, in advance of the Agreement Start Date, it shall provide and maintain all necessary consents, permissions, notices and authorisations as that are necessary for Vodafone to perform the Service, including any of the foregoing from employees or third parties; valid consents from or notices to applicable data subjects; and authorisations from regulatory authorities, employee representative bodies or other applicable third parties (“Customer Consent”) in a timely manner as necessary for Vodafone to access and use such System and data to perform the Service under this Agreement, and/or to use any third-party System(s) or data that Vodafone may use or require access to in performing the Service. For purposes of this Clause, “System” means, as applicable, Customer’s or a third party’s computer environment, network, equipment, software and related services. • Vodafone shall perform the Service in line with the scope of the Service as set out in this Agreement, in accordance with Good Industry Practice, and in reliance on, and in line with, the Customer Consent. • Customer agrees to provide and maintain the Customer Consents. • Customer agrees to indemnify Vodafone on an unlimited basis to the extent the Customer fails to provide and maintain the Customer Consents. • Vodafone is not responsible for remedying any security issues, vulnerabilities or other problems discovered in the course of performing or as a result of the Service (where such Service is provided in accordance with the terms of this Agreement). • In providing the Service, Vodafone has no intention of committing any civil or criminal offences. 
• Customer acknowledges and agrees that, no act or omission of Vodafone arising out of or related to Vodafone’s provision of the Services will be deemed to exceed the authorisation as set out in this Agreement, provided that Vodafone has provided the Services in accordance with this Agreement and in line with the relevant agreed scope of services with the Customer and/or the applicable Order. • Customer must promptly notify Vodafone of any changes to Validation Information. • Customer agrees and authorises Vodafone, to retain any indicators of compromise, malware, anomalies, or other metadata found as part of, or related to the performance of the Service (“Metadata”) only for the purposes of gathering and compiling security event log data to look at trends, and real or potential security threats and improving Vodafone’s security services. Vodafone may analyse, copy, store, and use such Metadata provided that such Metadata is compiled or combined in an aggregated, anonymised or pseudonymised, de-identified manner that will not in any way reveal the Metadata as being attributable to the Customer. • To the extent permitted by Applicable Law, the Customer agrees that it shall not bring any claim against Accenture or any Accenture Group Company (or any other third party acting on behalf of Vodafone in providing the Service), whether in tort or otherwise, in connection with the Service or otherwise in relation to the subject matter of this Agreement. • The Customer is responsible for: (i) ensuring that the Customers’ use of the Service and associated Deliverables is in accordance with the terms of this Agreement; (ii) ensuring that the scope of the Service to be provided to the Customer meets the Customer’s requirements; and (iii) Customer’s compliance with all Applicable Laws and regulations applicable to Customer in connection with the use of the Service and/or Deliverables. 
• The Customer agrees to and authorises that Vodafone may, as necessary in performance of the Service: (i) access Customer Property and physically connect, disconnect, install, update, upgrade, manage and operate equipment, tools and software on Customer Property; and (ii) to the extent required to comply with Applicable Laws, take such actions with respect to Customer Property required by law enforcement authorities or regulatory authorities. Materials and Software • Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third-Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. 
• With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Out of scope statement The following are not in scope for the Service: • any Penetration Testing of applications; • any assessment of any systems outside of the Customer’s networks (with the exception of any such system that is: (i) within Customer facilities; and (ii) managed directly by Customer; and (iii) communicated with by Customer-owned assets; is considered in-scope for the purposes of the Penetration Testing Service). 
Vodafone and Customer further agree that any interaction with Customer’s third-party cloud services providers will be done in a manner consistent with the Customer’s normal interaction with those third-parties; • any vulnerability assessment of applications; • any manual vulnerability identification or exploitation outside of the capabilities of the defined vulnerability scanning tool; • any remediation of identified vulnerabilities or other security issues; • any review and analysis of any data or equipment: (i) belonging to an individual outside of their employment with the Customer, without appropriate consent; or (ii) belonging to a third-party where Customer does not have control, custody and/or authorisation to possess such data or equipment, or all necessary consents/authorisation for Vodafone to access such data or equipment in order to perform the Service set out in this Agreement; • any provision of services involving the collection of physical evidence, collection of evidence for admission in court including for criminal or civil litigation purposes, provision of evidence lockers, or ‘chain of custody’ collection of evidence; • any provision of expert testimony or litigation assistance or support services; • any provision of services involving retaliatory actions, hacking back or attribution that would breach Applicable Laws; • any installation of software, unless agreed by Vodafone and expressly consented to and authorised by Customer in writing, and which may require additional terms and conditions to be agreed; • any intentional interception of communications between Customer and a third-party, or between two or more third-parties, which is not authorised or directed by Customer as part of the Service. For the purposes of this Paragraph, interception means intentionally modifying or interfering with Customer’s systems or the operation of such systems, or intentionally monitoring transmissions made by means of Customer’s system,
Appears in 1 contract
Sources: Professional Services
Project Terms. Customer Dependencies In addition to any other responsibilities or assumptions described in this Agreement, the Customer Dependencies are as follows and the Customer recognises that if it fails to comply with the following dependencies, Vodafone is relieved from performing or delivering the Service and may choose to suspend or terminate this Agreement: • Customer shall perform and complete the responsibilities and assumptions set out in the Customer Prerequisites section prior to the Service Commencement Date; • the Customer will consent to and authorize Vodafone to access the Customer Property and perform the Service; • Customer is solely responsible for: o defining the verified Target IP Addresses; o any legal consequences that can occur from providing Target IP Addresses that the Customer is not authorized to perform the Service on; o determining what third-party property, information, data or other assets is included within the Customer Property; o determining whether any third-party consent, notices, permissions or licenses are required for Vodafone to perform the Service; o obtaining any such consents, permissions or licenses or providing such notices (including from third-parties and Customer employees) necessary for Vodafone to perform its obligations under this Agreement; o ensuring the availability of the Customer personnel and resources for the duration of the Service as necessary for the performance of the Service, or as otherwise agreed upon by Vodafone and Customer. Customer will commit the necessary resources and management involvement to support the Service. 
Customer acknowledges that material impacts to the Service including the schedule, scope and estimated or agreed upon costs may result from Customer resources being unavailable; and o implementing a process to ensure that if Customer’s information security team detects Vodafone’s activities under the Service, such detection will be escalated to Customer’s senior management, or such other knowledgeable Customer personnel, who can intervene prior to such activity being reported outside of Customer’s organisation (e.g. to law enforcement) or, if such activity is reported outside of Customer’s organisation, Customer will promptly clarify that Vodafone was acting with Customer’s full knowledge and consent; • decisions to be made by the Customer will be made promptly and without delay; • Customer must provide necessary support for Vodafone obtaining any required visas and/or travel authorisations; • Customer will perform any remediation activities required to reinstate its systems and data after completion of the Service. Vodafone will have no liability for any losses arising out of Customer’s failure to do so; • any other Customer responsibility that Vodafone and Customer mutually agree upon in writing; • Customer shall be responsible for delivering all communications internal to Customer regarding the Service, including communications intended to inform Customer staff about the Service, any impact it may have on Customer employees and personnel, and any training necessary to impacted Customer employees and personnel; • Customer must be aware of the risks associated with the Service and must have taken the necessary pre-testing steps (e.g. data backup, internal communications etc.) to help minimize these risks. 
These can include: o careful selection of in-scope targets, for example, avoiding business critical systems in production environment, old/unstable systems, Operational Technology (OT) systems; o communicate timelines and scope of activities with involved staff/departments, such as, a Security Operation Centre, network administrators, system owners; and o ensure disaster recovery procedures are in place; • Customer shall use its commercially reasonable efforts to provide accurate and complete information, data and documentation in a timely manner, as required by Vodafone, and shall promptly notify Vodafone if it learns that any information, data or documentation previously provided to Vodafone is materially inaccurate or incomplete. • In the event of penetration testing that includes Customer cloud Infrastructure, the Customer will be responsible for getting the necessary approvals from the Cloud Service Provider and clarify the rules of engagement with Vodafone before the execution of the tests; • Customer acknowledges that Vodafone uses, among others, the following techniques, and that Customer does not object to this: o Technical operations, false signals, keys or identity to gain access to Customer’s automated systems; o Techniques that may copy and store data encountered on Customer’s automated systems; o A public telecommunication infrastructure or system to use computing capacity of Customer’s automated systems; and o Techniques that may process or transfer the data encountered on Customer’s automated systems, or append data to it; • Customer shall notify Vodafone directly if the Customer requires Vodafone to cease accessing the Customer’s Environment. 
Vodafone shall cease accessing the Customer’s Environment as soon as practicable upon receipt of such request; and • If Customer decides to remediate an exploited vulnerability that allowed Vodafone to gain an elevated level of access prior to the end of the engagement with Vodafone, Customer agrees to provide Vodafone with the same level of access obtained in a controlled secured manner so that Vodafone’s testing can continue. General Assumptions & Dependencies The general assumptions & dependencies applicable for this Service are: • All work is carried out on a fixed fee basis. • There will be no changes to the scope of the Service, as set out in this Agreement. • The Service is not warranted to: • detect or identify all security or network threats to, or vulnerabilities of Customer’s networks or other facilities, assets, or operations; • prevent intrusions into or any damage to Customer’s networks or other facilities, assets, or operations; • return control of a Customer or third party system where unauthorized access or control has occurred; or • meet or help Customer meet any Applicable Law, industry standard or any other requirements including the Payment Card Industry Data Security Standard. It is Customer’s sole responsibility to provide appropriate and adequate security for its company, its assets, systems and employees. • Customer must promptly notify Vodafone of any changes to information provided in either the External Infrastructure Penetration Test Questionnaire or the Internal Infrastructure Penetration Test Questionnaire (as relevant). 
• Vodafone may provide reasonable recommendations, advice or instructions on a particular course of action in the course of performing or as a result of the Service or in the Deliverables to be provided to Customer and if Customer chooses not to follow such reasonable recommendations, advice or instructions, Customer acknowledges that Vodafone shall not be responsible for any losses or claims made by the Customer that arise from Customer’s failure to follow such recommendations, advice or instructions. • While Vodafone will use reasonable care to carry out the Service in line with Good Industry Practice and in a manner designed to mitigate and reduce the risk of damage to Customer Property, Customer acknowledges that there is inherent risk in the provision of the security Service in accordance with this Agreement which may lead to operational degradation, performance impact, breach of Customer policies or industry standards, or otherwise impair Customer Property (each a “Customer Damage” and together the “Customer Damages”) and, Vodafone will not be liable to the Customer or its respective employees or any third parties of the Customer for Customer Damages arising from the foregoing. To the extent possible, prior to commencing any provisioning of the Service, Vodafone shall identify and inform the Customer of any Customer Damage associated with the Service. • Customer agrees that Vodafone has the right to anonymise and aggregate Customer Data that will not in any way reveal the Customer Data as being attributable to the Customer with other data and leverage anonymous learnings and insights regarding use of the Service (the anonymised data, “Vodafone Insights Data”), and that Vodafone owns Vodafone Insights Data and may use Vodafone Insights Data during and after the term of this Agreement solely to develop, provide, and improve Vodafone products and services. 
• Customer agrees that Vodafone is not liable to Customer for Customer Damages provided that Vodafone will use reasonable care to carry out the Service in line with Good Industry Practice and in accordance with the terms of this Agreement. • The Customer agrees that, to the extent permitted by Applicable Law, it shall not bring any claim against Vodafone or any Group Company, whether in tort or otherwise, in connection with the Service or otherwise in relation to the subject matter of this Agreement. • Customer acknowledges that, in providing the Service, Vodafone will access Customer Systems and data. Customer agrees that, in advance of the Agreement Start Date, it shall provide and maintain all necessary consents, permissions, notices and authorisations that are necessary for Vodafone to perform the Service, including any of the foregoing from employees or third parties; valid consents from or notices to applicable data subjects; and authorisations from regulatory authorities, employee representative bodies or other applicable third parties (“Customer Consent”) in a timely manner as necessary for Vodafone to access and use such System and data to perform the Service under this Agreement, and/or to use any third-party System(s) or data that Vodafone may use or require access to in performing the Service. For purposes of this Clause, “System” means, as applicable, Customer’s or a third party’s computer environment, network, equipment, software and related services. • Customer agrees to provide and maintain the Customer Consents. • Vodafone shall perform the Service in line with the scope of the Service as set out in this Agreement, in accordance with Good Industry Practice, and in reliance on, and in line with, the Customer Consent. • Customer agrees to indemnify Vodafone on an unlimited basis to the extent the Customer fails to provide and maintain the Customer Consents. 
• Vodafone is not responsible for remedying any security issues, vulnerabilities or other problems discovered in the course of performing or as a result of the Service (where such Service is provided in accordance with the terms of this Agreement). • In providing the Service, Vodafone has no intention of committing any civil or criminal offences. • Customer acknowledges and agrees that, no act or omission of Vodafone arising out of or related to Vodafone’s provision of the Services will be deemed to exceed the authorisation as set out in this Agreement, provided that Vodafone has provided the Services in accordance with this Agreement and in line with the relevant agreed scope of services with the Customer and/or the applicable Order. • Customer must promptly notify Vodafone of any changes to Validation Information. • Customer agrees and authorises Vodafone, to retain any indicators of compromise, malware, anomalies, or other metadata found as part of, or related to the performance of the Service (“Metadata”) only for the purposes of gathering and compiling security event log data to look at trends, and real or potential security threats and improving Vodafone’s security services. Vodafone may analyse, copy, store, and use such Metadata provided that such Metadata is compiled or combined in an aggregated, anonymised or pseudonymised, de-identified manner that will not in any way reveal the Metadata as being attributable to the Customer. • To the extent permitted by Applicable Law, the Customer agrees that it shall not bring any claim against Accenture or any Accenture Group Company (or any other third party acting on behalf of Vodafone in providing the Service), whether in tort or otherwise, in connection with the Service or otherwise in relation to the subject matter of this Agreement. 
• The Customer is responsible for: (i) ensuring that the Customers’ use of the Service and associated Deliverables is in accordance with the terms of this Agreement; (ii) ensuring that the scope of the Service to be provided to the Customer meets the Customer’s requirements; and (iii) Customer’s compliance with all Applicable Laws and regulations applicable to Customer in connection with the use of the Service and/or Deliverables. • The Customer agrees to and authorises that Vodafone may, as necessary in performance of the Service: (i) access Customer Property and physically connect, disconnect, install, update, upgrade, manage and operate equipment, tools and software on Customer Property; and (ii) to the extent required to comply with Applicable Laws, take such actions with respect to Customer Property required by law enforcement authorities or regulatory authorities. Materials and Software • Vodafone may use certain third-party software products (“Third-Party Software”) in its provision of the Service. The Customer agrees and acknowledges that Customer will not be provided access to these products. Any output directly from the Third-Party Software that is used by Vodafone in connection with the provision of the Service to the Customer without further input from Vodafone is being provided on an “as-is” basis and is excluded from any warranties set out in this Agreement. • Vodafone reserves the right to: (i) change the hosting provider used to host any proprietary or Third-Party Software used for the provision of the Service; and (ii) change any Third-Party Software it uses to provide the Service to Customer, provided that such changes do not materially impact the Service. 
• With regard to any Third-Party Software provided as part of the Service, the Customer agrees not to, directly or indirectly do any of the following: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Third-Party Software; (ii) modify, translate, or create derivative works based on any element of the Third-Party Software or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Third-Party Software; (iv) use the Third-Party Software for any purpose other than the performance of the Service in accordance with this Agreement; (v) remove any proprietary notices from Third-Party Software or related materials furnished or made available to Customer; and/or (vi) permit any third party to access the Third-Party Software. • Vodafone may additionally utilize custom-developed software, scripts, exploits, and other technologies (“Custom Products”) in its provision of the Service. Such technologies may be deployed on Customer systems during the provision of the Service. Any such technologies remain Vodafone intellectual property, and Vodafone retains all corresponding rights to these technologies. Vodafone shall not be obligated to provide Customer with copies of, access to, or a license for such technologies. Acceptance Testing There is no acceptance testing applicable to this SOW unless specifically mentioned in the “Project and Services” section. Out of scope statement The following are not in scope for the Service: • any Penetration Testing of applications; • any assessment of any systems outside of Customer’s networks (with the exception of any such system that is: (i) within Customer facilities; and (ii) managed directly by Customer; and (iii) communicated with by Customer-owned assets; is considered in-scope for the purposes of the Penetration Testing Services). 
Vodafone and Customer further agree that any interaction with Customer’s third-party cloud services providers will be done in a manner consistent with the Customer’s normal interaction with those third-parties; • any remediation of identified vulnerabilities or other security issues; • any review and analysis of any data or equipment: (i) belonging to an individual outside of their employment with the Customer, without appropriate consent; or (ii) belonging to a third-party where Customer does not have control, .
Appears in 1 contract
Sources: Professional Services Agreement