Master Subscription Agreement

Last revised: March 6, 2026

This Vistaly Master Subscription Agreement ("MSA") is effective as of the effective date of an applicable signed order form (such form an "Order Form" and such date the "Effective Date") and is by and between Vistaly Inc., a Delaware incorporated corporation with a place of business at 225A E Main Street Charlottesville, VA 22902 ("Vistaly"), and the customer set forth on the Order Form ("Customer") (each a "Party" and together the "Parties"). "Affiliate" means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, where "control" means ownership of more than fifty percent (50%) of the outstanding voting securities or equivalent ownership interest of the entity. In the event of any inconsistency or conflict between the terms of the MSA and the terms of any Order Form, the terms of the Order Form control.

Section 1. Services. "Services" means the product(s) and service(s) that are ordered by Customer from Vistaly online or through an Order Form referencing this MSA, whether on a trial or paid basis, and to which Vistaly thereby provides access to Customer. Services exclude any products or services provided by third parties, even if Customer has connected those products or services to the Services. Subject to the terms and conditions of this MSA, Vistaly will make the Services available during the Term as set forth in an Order Form.

Section 2. Fees and Payment.

2.1. Fees. Customer will pay the fees specified in the Order Form (the "Fees").

2.2. Payment; Taxes. Vistaly will invoice Customer for Fees, either within the Services or directly, within thirty (30) days of the Effective Date. Customer will pay all invoiced Fees net thirty (30) days from the date of the invoice. In the event of non-payment of Fees by Customer for thirty (30) days after the due date of an invoice, Customer's access to the Services may be immediately suspended and Customer must pay all past-due amounts, including any applicable late fees, to regain access to the Services. Late payments will accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law. Fees do not include local, state, or federal taxes or duties of any kind and any such taxes will be assumed and paid by Customer, except for taxes on Vistaly based on Vistaly's income or receipts.

2.3. Price Changes. Vistaly may change prices for the Services from time to time. Any price changes will be effective upon the commencement of Customer's next Renewal Term; provided, that Vistaly shall provide Customer with at least sixty (60) days' prior written notice of any such fee increase before the expiration of the then-current Term or Renewal Term. In no event will any price increase exceed the greater of (a) eight percent (8%) of the then-current Fees or (b) the percentage increase in the U.S. Consumer Price Index for All Urban Consumers (CPI-U) over the preceding twelve (12) months.

2.4. Discounts and Promotional Pricing. Prices specified in the Order Form may include discounts or promotional pricing. These discounts or promotional pricing amounts may be temporary and may expire upon the commencement of a Renewal Term, without additional notice. Vistaly reserves the right to discontinue or modify any promotion, sale or special offer at its sole and reasonable discretion.

Section 3. Term and Termination.

3.1. Term. This MSA commences on the Effective Date and will remain in effect through the Initial Term and all Renewal Terms, as specified in the Order Form, unless otherwise terminated in accordance with this Section (the Initial Term and all Renewal Terms collectively the "Term").

3.2. Termination for Cause. A Party may terminate this MSA for cause (a) upon notice to the other Party of a material breach if such breach remains uncured after thirty (30) days from the date of the breaching Party's receipt of such notice; (b) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors; or (c) immediately by Vistaly if Customer makes one of the Prohibited Uses below. Non-payment of Fees by Customer for sixty (60) days after issuance of an invoice, and any violation of the Prohibited Uses clause below will be considered material breaches of this MSA.

3.3. Non-Renewal. Either Party may elect not to renew this MSA or an applicable Order Form by providing written notice to the other Party in accordance with Section 12.5 at least thirty (30) days prior to the expiration of the then-current Term or Renewal Term.

3.4. Effect of Termination and Survival. Upon termination of an Order Form or this MSA (a) with respect to termination of the entire MSA, all Order Forms will concurrently terminate, (b) Customer will have no further right to use the Services under the terminated or canceled Order Forms and Vistaly will remove Customer's access to same, and (c) unless otherwise specified in writing, Customer will not be entitled to any refund of fees paid; provided, however, that in the event Customer terminates this MSA for Vistaly's uncured material breach pursuant to Section 3.2(a), Vistaly will refund to Customer a pro-rata portion of any prepaid Fees for the unused remainder of the then-current Term. The following Sections will survive termination: Section 2 (Fees and Payment), Section 4 (License and Use of the Services), Section 5 (Confidentiality), Section 6 (Data Practices), Section 7 (Privacy Practices), Section 8 (Intellectual Property Rights), Section 9.3 (Disclaimers), Section 10 (Indemnification), Section 11 (Limitation of Liability), Section 12 (Miscellaneous), and Exhibit D (Data Processing Addendum). Termination of this MSA will not limit a Party's liability for obligations accrued as of or prior to such termination or for any breach of this MSA.

3.5. Data Export. Upon termination or expiration of this MSA for any reason, Vistaly will make Customer's Service Data available for export via the platform's existing export functionality or in CSV or JSON format for a period of thirty (30) days following the effective date of termination or expiration. After such period, Vistaly will delete Customer's Service Data in accordance with its standard data retention practices, unless retention is required by applicable law.

Section 4. License and Use of the Services.

4.1. License. Vistaly hereby grants Customer a non-exclusive, non-transferable, and non-sublicensable right and license to access and use the Services as set forth in the Order Form.

4.2. Authorized Users. Customer may designate and provide access to its (or its corporate affiliates') employees, independent contractors, or other agents to an account on the Services as authorized users (each an "Authorized User") up to the number of "seats" set forth in the Order Form (unlimited if not specified in the Order Form). Each account may be used only by a single, individual Authorized User, and Customer may be charged for additional seats (if applicable), or Vistaly may terminate the MSA for cause, if this requirement is circumvented. Customer is responsible for all use and misuse of the Services by Authorized User accounts and for adherence to this MSA by any Authorized Users, and references to Customer herein will be deemed to apply to Authorized Users as necessary and applicable. Customer agrees to promptly notify Vistaly of any unauthorized access or use of which Customer becomes aware.

4.3. Prohibited Uses. Customer and Authorized Users will not: (a) "frame," distribute, resell, or permit access to the Services by any third party other than for its intended purposes; (b) use the Services other than in compliance with applicable federal, state, and local laws; (c) interfere with the Services or disrupt any other user's access to the Subscription Service; (d) reverse engineer, attempt to gain unauthorized access to the Service, attempt to discover the underlying source code or structure of, or otherwise copy or attempt to copy the Services; (e) knowingly transfer to the Services any content or data that is defamatory, harassing, discriminatory, infringing of third party intellectual property rights, or unlawful; (f) transfer to the Services or otherwise use on the Services any routine, device, code, exploit, or other undisclosed feature that is designed to delete, disable, deactivate, interfere with or otherwise harm any software, program, data, device, system or service, or which is intended to provide unauthorized access or to produce unauthorized modifications; or (g) use any robot, spider, data scraping, or extraction tool or similar mechanism with respect to the Services.

Section 5. Confidentiality. As used herein, the "Confidential Information" of a Party (the "Disclosing Party") means all financial, technical, or business information of the Disclosing Party that the Disclosing Party designates as confidential at the time of disclosure to the other Party (the "Receiving Party") or that the Receiving Party reasonably should understand to be confidential based on the nature of the information or the circumstances surrounding its disclosure. For the sake of clarity, the Parties acknowledge that Confidential Information includes the terms and conditions of this MSA. Except as expressly permitted in this MSA, the Receiving Party will not disclose, duplicate, publish, transfer or otherwise make available Confidential Information of the Disclosing Party in any form to any person or entity without the Disclosing Party's prior written consent. The Receiving Party will not use the Disclosing Party's Confidential Information except to perform its obligations under this MSA, such obligations including, in the case of Vistaly, to provide the Services. Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information to the extent required by law, provided that the Receiving Party: (a) gives the Disclosing Party prior written notice of such disclosure so as to afford the Disclosing Party a reasonable opportunity to appear, object, and obtain a protective order or other appropriate relief regarding such disclosure (if such notice is not prohibited by applicable law); (b) uses diligent efforts to limit disclosure and to obtain confidential treatment or a protective order; and (c) allows the Disclosing Party to participate in the proceeding. 
Further, Confidential Information does not include any information that: (i) is or becomes generally known to the public without the Receiving Party's breach of any obligation owed to the Disclosing Party; (ii) was independently developed by the Receiving Party without the Receiving Party's breach of any obligation owed to the Disclosing Party; or (iii) is received from a third party who obtained such Confidential Information without any third party's breach of any obligation owed to the Disclosing Party.

Upon termination or expiration of this MSA, each Party will, at the Disclosing Party's election, promptly return or destroy (and certify in writing such destruction of) all Confidential Information of the Disclosing Party in its possession or control, except to the extent that retention of such Confidential Information is required by applicable law or regulation, or is contained in standard backup media created in the ordinary course of business, provided such retained Confidential Information remains subject to the confidentiality obligations of this Section. The obligations of confidentiality set forth in this Section shall survive termination or expiration of this MSA for a period of three (3) years, except with respect to trade secrets, which shall be protected for so long as they remain trade secrets under applicable law.

Section 6. Data Practices.

6.1. Definitions. "Service Data" means a subset of Confidential Information comprised of electronic data, text, messages, communications, or other materials submitted to and stored within the Services by Customer in connection with use of the Services. Service Data may include, without limitation, any information relating to an identified or identifiable natural person ('data subject') where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person (such information, "Personal Data"). Service Data does not include metrics and information regarding Customer's use of the Services, including information about how Authorized Users use the Services (such information, "Usage Data").

6.2. Ownership. Customer will continue to retain its ownership rights to all Service Data processed under the terms of this MSA and Vistaly will own all Usage Data.

6.3. Vistaly's Use of Data. Vistaly may use Service Data and Usage Data for the following purposes in accordance with this MSA:

6.3.1. Operating the Services. Vistaly may receive, collect, store and/or process Service Data based on Vistaly's legitimate interest in operating the Services. For example, Vistaly may collect Personal Data (such as name, phone number, or credit card information) through the account activation process. Vistaly will not use Customer's Service Data for the training of machine learning models unless Customer provides prior written consent to such use.

6.3.2. Communications. Vistaly may communicate with Customer or Authorized Users (i) to send product information and promotional offers or (ii) about the Services generally. If Customer or an Authorized User does not want to receive such communications, Customer may email support@vistaly.com. Customer and necessary Authorized Users will always receive transactional messages that are required for Vistaly to provide the Services (such as billing notices and product usage notifications).

6.3.3. Improving the Services. Vistaly may collect, and may engage third-party analytics providers to collect, Usage Data to develop new features, improve existing features, or inform sales and marketing strategies based on Vistaly's legitimate interest in improving the Services. When Vistaly uses Usage Data, any Personal Data that was included in Service Data shall be anonymized and/or aggregated in such a manner that it no longer constitutes Service Data or Personal Data under applicable data protection laws. Any such third-party analytics providers will not share or otherwise disclose Usage Data, although Vistaly may make Usage Data publicly available from time to time, provided that such Usage Data is aggregated across multiple customers and cannot reasonably be used to identify Customer or any Authorized User.

6.3.4. Connecting to Third-Party Services. Customer may wish to connect third-party services to the Services (e.g., connecting Vistaly to Customer's single-sign-on service to verify 2FA status of Customer's employees). When Customer uses a third-party service to connect with Vistaly, logs into the Services through a third-party authentication service, or otherwise provides Vistaly with access to information from a third-party service, Vistaly may obtain other information, including Personal Data, from those third parties and combine that Service or Usage Data based on Vistaly's legitimate interest in providing Customer with functionality that supports the Services. Any access that Vistaly may receive to such information from a third-party service is always in accordance with the features and functionality, particularly as to authorization, of that service. By authorizing Vistaly to connect with a third-party service, Customer authorizes Vistaly to access and store any information provided to Vistaly by that third-party service, and to use and disclose that information in accordance with this MSA.

6.3.5. Third-Party Service Providers. Customer agrees that Vistaly may provide Service Data and Personal Data to authorized third-party service providers, only to the extent necessary to provide or secure the Services. Any such third-party service providers will only be given access to Service Data and Personal Data as is reasonably necessary to provide the Services and will be subject to (a) confidentiality obligations which are commercially reasonable and substantially consistent with the standards described in this MSA; and (b) their agreement to comply with the data transfer restrictions applicable to Personal Data as set forth below.

6.4. Service Data Safeguards. (i) Vistaly will not sell, rent, or lease Service Data to any third party, and will not share Service Data with third parties, except as permitted by this MSA and to provide or secure the Services. (ii) Vistaly will maintain commercially reasonable appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Service Data.

6.5. Data Breach Notification. In the event Vistaly becomes aware of any unauthorized access to, or acquisition, disclosure, or use of, Service Data (a "Data Breach"), Vistaly will: (a) notify Customer in writing without unreasonable delay, and in no event later than seventy-two (72) hours after becoming aware of the Data Breach; (b) promptly investigate the Data Breach, take commercially reasonable steps to mitigate its effects, and keep Customer reasonably informed of the status of the investigation; (c) provide Customer with such information as Customer may reasonably request regarding the nature and scope of the Data Breach, including the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the Data Breach; and (d) reasonably cooperate with Customer in Customer's efforts to comply with applicable breach notification laws and regulations.

Section 7. Privacy Practices.

7.1. Privacy Policy. Vistaly operates the Services and, as applicable, handles Personal Data, pursuant to the privacy policy available at vistaly.com/v2/privacy-policy.

7.1.1. Customer as Controller. To the extent Service Data constitutes Personal Data, the Parties agree that Customer determines the purpose and means of processing such Personal Data, and Vistaly processes such information on behalf of Customer.

7.2. Hosting and Processing. Service Data will be hosted primarily in the United States. Vistaly may replicate or process Service Data in other regions as necessary to provide or secure the Services, provided that appropriate data transfer safeguards are maintained in compliance with applicable law.

7.3. Sub-Processors. Customer acknowledges and agrees that Vistaly may use third-party data processors engaged by Vistaly who receive Service Data from Vistaly for processing on behalf of Customer and in accordance with Customer's instructions (as communicated by Vistaly) and the terms of its written subcontract (the "Sub-Processors"). Such Sub-Processors may access Service Data to provide or secure the Services. Vistaly will be responsible for the acts and omissions of Sub-Processors to the same extent that Vistaly would be responsible if Vistaly was performing the services directly under the terms of this MSA. The names and locations of all current Sub-Processors used for the processing of Personal Data under this MSA, if any, are set forth in the Privacy Policy. Vistaly will provide Customer with at least fourteen (14) calendar days' prior written notice of any new Sub-Processor, including the name, location, and nature of processing. If Customer reasonably objects to a new Sub-Processor on data protection grounds, the Parties will work in good faith to resolve the objection within seven (7) working days. If no resolution is reached, Customer may terminate the affected Order Form upon written notice.

7.4. Data Processing Addendum. To the extent that Vistaly processes Personal Data on behalf of Customer, the terms of the Data Processing Addendum attached hereto as Exhibit D will apply and are incorporated into and form part of this MSA.

Section 8. Intellectual Property Rights. Each Party will retain all rights, title and interest in any patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights ("Intellectual Property Rights"), and Vistaly and its licensors in particular will exclusively retain such rights in the Services and all components of or used to provide the Services. No rights are granted to Customer except as expressly set forth in this MSA. If Customer or any Authorized User provides suggestions, enhancement requests, recommendations, or other feedback regarding the Services ("Feedback"), Customer hereby grants Vistaly a non-exclusive, royalty-free, worldwide, and perpetual license to use, modify, and incorporate such Feedback into the Services or Vistaly's other products and services. Feedback will not be considered Customer's Confidential Information. Nothing in this Section obligates Customer to provide any Feedback.

Section 9. Representations, Warranties, and Disclaimers.

9.1. Authority. Each Party represents that it has validly entered into this MSA and has the legal power to do so.

9.1.1. Customer Warranties. Customer represents and warrants that: (a) all information provided to Vistaly in connection with Customer's registration for and use of the Services is accurate and complete, and Customer will promptly update such information to maintain its accuracy; (b) Customer's use of the Services and all Service Data will comply with applicable laws and regulations; and (c) Customer has all necessary rights, licenses, and consents to provide Service Data to Vistaly for processing as contemplated by this MSA, and such Service Data does not infringe or misappropriate any third party's intellectual property rights or violate any third party's rights of privacy or publicity.

9.2. Warranties. Vistaly warrants that during an applicable Term: (i) the services will be performed in a professional and workmanlike manner, in accordance with industry standards; (ii) the services will conform to the specifications set forth in the applicable service level agreement (if any); (iii) Vistaly has all necessary rights to provide the Services; (iv) Vistaly will perform the Services in material compliance with applicable data protection and privacy laws; and (v) Vistaly will maintain commercially reasonable administrative, physical, and technical security safeguards designed to protect the confidentiality, integrity, and availability of Service Data. The Services will conform to the service levels set forth in Exhibit C (Service Level Agreement), if applicable. If Vistaly breaches a warranty in this Section, Customer will notify Vistaly in writing, and Vistaly will use commercially reasonable efforts to cure such breach within thirty (30) days. If Vistaly fails to cure within such period, Customer may terminate this MSA pursuant to Section 3.2.

9.2.1. AI-Powered Features. Certain features of the Services utilize artificial intelligence and machine learning technologies. AI-generated outputs, including but not limited to interview summaries, opportunity solution trees, and synthesized insights, are provided for informational purposes and are not guaranteed to be accurate, complete, or suitable for any particular purpose. Customer acknowledges that AI-generated content should be reviewed by qualified personnel before reliance or use in decision-making. Vistaly does not warrant that AI-generated outputs will be error-free or meet Customer's specific requirements.

9.3. Disclaimers. EXCEPT AS SPECIFICALLY SET FORTH IN THIS SECTION AND ANY APPLICABLE SERVICE LEVEL AGREEMENT, THE SERVICES, INCLUDING ALL SERVER AND NETWORK COMPONENTS, ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, WITHOUT ANY WARRANTIES OF ANY KIND TO THE FULLEST EXTENT PERMITTED BY LAW, AND VISTALY EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THAT VISTALY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR FREE, OR FREE FROM VIRUSES OR OTHER MALICIOUS SOFTWARE, AND NO INFORMATION OR ADVICE OBTAINED BY CUSTOMER FROM VISTALY OR THROUGH THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS MSA. THE PARTIES ADDITIONALLY AGREE THAT VISTALY WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR CUSTOMER'S VARIOUS COMPLIANCE PROGRAMS, AND THAT THE SERVICES, TO THE EXTENT APPLICABLE, ARE ONLY TOOLS FOR ASSISTING CUSTOMER IN MEETING THE VARIOUS COMPLIANCE OBLIGATIONS FOR WHICH IT SOLELY IS RESPONSIBLE. FOR THE AVOIDANCE OF DOUBT, THE DISCLAIMERS IN THIS SECTION 9.3 DO NOT LIMIT OR MODIFY VISTALY'S EXPRESS WARRANTIES IN SECTION 9.2 OR ITS DATA PROTECTION OBLIGATIONS IN SECTIONS 6 AND 7.

Section 10. Indemnification.

10.1. Indemnification by Vistaly. Vistaly will indemnify and hold Customer harmless from and against any third party claim against Customer alleging that Customer's use of a Service as permitted by this MSA infringes or misappropriates a third party's valid patent, copyright, trademark, or trade secret (an "IP Claim"). Vistaly will, at its expense, defend such IP Claim and pay damages finally awarded against Customer in connection therewith, including the reasonable fees and expenses of the attorneys engaged by Vistaly for such defense, provided that (a) Customer promptly notifies Vistaly of the threat or notice of such IP Claim; (b) Vistaly will have the sole and exclusive control and authority to select defense attorneys, and defend and/or settle any such IP Claim (however, Vistaly will not settle or compromise any claim that results in liability or admission of any liability by Customer without prior written consent); and (c) Customer fully cooperates with Vistaly in connection therewith. If use of a Service by Customer has become, or, in Vistaly's opinion, is likely to become, the subject of any such IP Claim, Vistaly may, at its option and expense, (i) procure for Customer the right to continue using the Service(s) as set forth hereunder; (ii) replace or modify a Service to make it non-infringing; or (iii) if options (i) or (ii) are not commercially reasonable or practicable as determined by Vistaly, terminate Customer's subscription to the Service(s) and repay, on a pro-rata basis, any Fees previously paid to Vistaly for the corresponding unused portion of the Term for such Service(s). 
Vistaly will have no liability or obligation under this Section with respect to any IP Claim if such claim is caused in whole or in part by (x) Vistaly's compliance with designs, data, instructions, or specifications provided by Customer; (y) modification of the Service(s) by anyone other than Vistaly or use of the Service(s) in violation of (i) this MSA, (ii) written instructions provided by Vistaly, or (iii) the product features of the Service(s); or (z) the combination, operation or use of the Service(s) with other hardware or software where a Service would not by itself be infringing. The provisions of this Section state the sole, exclusive, and entire liability of Vistaly to Customer and constitute Customer's sole remedy with respect to an IP Claim brought by reason of access to or use of a Service by Customer, Customer's agents, or Authorized Users.

10.2. Indemnification by Customer. Customer will indemnify and hold Vistaly harmless against any third party claim (a) arising from or related to use of a Service by Customer, Customer's agents, or Authorized Users in breach of this MSA; or (b) alleging that Customer's Service Data infringes or misappropriates a third party's valid patent, copyright, trademark, or trade secret; provided (i) Vistaly promptly notifies Customer of the threat or notice of such claim; (ii) Customer will have the sole and exclusive control and authority to select defense attorneys, and defend and/or settle any such claim (however, Customer will not settle or compromise any claim that results in liability or admission of any liability by Vistaly without prior written consent); and (iii) Vistaly fully cooperates in connection therewith.

SECTION 11. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS MSA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY AFFILIATE FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA CUSTOMER'S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF VISTALY), BUSINESS INTERRUPTION, LOSS OF GOODWILL, COSTS OF COVER OR REPLACEMENT, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL, OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER INDIRECT LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY AFFILIATE IN CONNECTION WITH THIS MSA OR THE SERVICES REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS MSA, AND EXCLUDING (I) THE PARTIES' INDEMNIFICATION OBLIGATIONS UNDER SECTION 10 AND (II) THE ENHANCED LIABILITY OBLIGATIONS SET FORTH BELOW, EITHER PARTY'S AGGREGATE LIABILITY TO THE OTHER ARISING OUT OF THIS MSA OR THE SERVICES WILL IN NO EVENT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO VISTALY UNDER THIS MSA DURING THE TWELVE (12) MONTHS PRECEDING THE CLAIM (THE "GENERAL CAP").

NOTWITHSTANDING THE FOREGOING GENERAL CAP, WITH RESPECT TO (A) A PARTY'S BREACH OF ITS OBLIGATIONS UNDER SECTION 5 (CONFIDENTIALITY) OR (B) A PARTY'S BREACH OF ITS DATA PROTECTION OBLIGATIONS UNDER SECTIONS 6 AND 7, SUCH PARTY'S AGGREGATE LIABILITY WILL NOT EXCEED TWO (2) TIMES THE GENERAL CAP (THE "ENHANCED CAP").

NOTWITHSTANDING THE FOREGOING, THE GENERAL CAP AND ENHANCED CAP SHALL NOT APPLY TO: (A) EITHER PARTY'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 10; (B) EITHER PARTY'S LIABILITY ARISING FROM FRAUD, WILLFUL MISCONDUCT, OR GROSS NEGLIGENCE; (C) CUSTOMER'S PAYMENT OBLIGATIONS FOR FEES DUE UNDER THIS MSA; OR (D) LIABILITY THAT CANNOT BE LIMITED UNDER APPLICABLE LAW.

CUSTOMER ACKNOWLEDGES AND AGREES THAT THE ESSENTIAL PURPOSE OF THIS SECTION AND THE PARTIES' INDEMNIFICATION OBLIGATIONS IS TO ALLOCATE THE RISKS UNDER THIS MSA BETWEEN THE PARTIES AND LIMIT POTENTIAL LIABILITY GIVEN THE FEES, WHICH WOULD HAVE BEEN SUBSTANTIALLY HIGHER IF VISTALY WERE TO ASSUME ANY FURTHER LIABILITY OTHER THAN AS SET FORTH HEREIN. VISTALY HAS RELIED ON THESE LIMITATIONS IN DETERMINING WHETHER TO PROVIDE CUSTOMER WITH THE RIGHTS TO ACCESS AND USE THE SERVICES PROVIDED FOR IN THIS MSA.

Section 12. Miscellaneous.

12.1. Entire Agreement. This MSA and the applicable Order Form(s) constitute the entire agreement, and supersede all prior agreements, between Vistaly and Customer regarding the subject matter hereof.

12.2. Assignment. Either Party may, without the consent of the other Party, assign this MSA to any affiliate or in connection with any merger, change of control, or the sale of all or substantially all of such Party's assets provided that (1) the other Party is provided prior notice of such assignment and (2) any such successor agrees to fulfill its obligations pursuant to this MSA. Subject to the foregoing restrictions, this MSA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.

12.3. Severability. If any provision in this MSA is held by a court of competent jurisdiction to be unenforceable, such provision will be modified by the court and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this MSA will remain in effect.

12.4. Relationship of the Parties. The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.

12.5. Notices. All notices provided by Vistaly to Customer under this MSA may be delivered in writing (a) by nationally recognized overnight delivery service ("Courier") or U.S. mail to the contact mailing address provided by Customer on the Order Form; or (b) by electronic mail to the electronic mail address provided for Customer's account owner. Customer must give notice to Vistaly in writing by Courier, U.S. mail, or electronic mail to legal@vistaly.com, or by Courier or U.S. mail to 225A E Main Street Charlottesville, VA 22902. All notices shall be deemed to have been given immediately upon delivery by electronic mail or, if otherwise delivered, upon the earlier of receipt or two (2) business days after being deposited in the mail or with a Courier as permitted above.

12.6. Governing Law, Jurisdiction, Venue. This MSA will be governed by the laws of the Commonwealth of Virginia, without reference to conflict of laws principles. Any disputes under this MSA shall be resolved in a court of general jurisdiction in the Commonwealth of Virginia. Customer hereby expressly agrees to submit to the exclusive personal jurisdiction and venue of such courts for the purpose of resolving any dispute relating to this MSA or access to or use of the Services by Customer, its agents, or Authorized Users.

12.7. Export Compliance. The Services and other software or components of the Services that Vistaly may provide or make available to Customer are subject to U.S. export control and economic sanctions laws as administered and enforced by the Office of Foreign Assets and Control of the United States Department of Treasury. Customer agrees to comply with all such laws and regulations as they relate to access to and use of the Services. Customer will not access or use the Services if Customer or any Authorized Users are located in any jurisdiction in which the provision of the Services, software, or other components is prohibited under U.S. or other applicable laws or regulations (a "Prohibited Jurisdiction") and Customer will not provide access to the Services to any government, entity, or individual located in any Prohibited Jurisdiction. Customer represents and warrants that (a) it is not named on any U.S. government list of persons or entities prohibited from receiving U.S. exports, or transacting with any U.S. person; (b) it is not a national of, or a company registered in, any Prohibited Jurisdiction; (c) it will not permit any individuals under its control to access or use the Services in violation of any U.S. or other applicable export embargoes, prohibitions or restrictions; and (d) it will comply with all applicable laws regarding the transmission of technical data exported from the United States and the countries in which it and Authorized Users are located.

12.8. Anti-Corruption. Customer agrees that it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Vistaly's employees or agents in connection with this MSA. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly give notice to Vistaly.

12.9. Publicity and Marketing. Vistaly may use Customer's name, logo, and trademarks solely to identify Customer as a client of Vistaly on Vistaly's website and other marketing materials, subject to Customer's prior written consent, which may be withheld in Customer's sole discretion, and in accordance with Customer's trademark usage guidelines. Vistaly may share aggregated and/or anonymized information regarding use of the Services with third parties for marketing purposes to develop and promote Services. Vistaly never will disclose aggregated and/or anonymized information to a third party in a manner that would identify Customer as the source of the information or Authorized Users or others personally.

12.10. Amendments. This MSA may only be amended by a written instrument signed by authorized representatives of both Parties. Vistaly's failure to enforce at any time any provision of this MSA does not constitute a waiver of that provision or of any other provision of this MSA.

12.11. Force Majeure. Neither Party will be liable for any delay or failure to perform its obligations under this MSA (other than payment obligations) to the extent such delay or failure results from causes beyond such Party's reasonable control, including but not limited to acts of God, natural disasters, pandemics or epidemics, government actions or orders, terrorism, war, civil unrest, failures of third-party telecommunications or power supply, or denial-of-service attacks. The affected Party will promptly notify the other Party of the force majeure event and use commercially reasonable efforts to mitigate its effects. If a force majeure event continues for more than sixty (60) days, either Party may terminate this MSA upon written notice to the other Party.

12.12. Insurance. Vistaly will maintain insurance coverages as set forth in Exhibit B (Insurance Coverage), or substantially equivalent coverage, during the Term. Certificates of insurance will be provided upon Customer's written request.

12.13. Exhibits. The following Exhibits, to the extent applicable, are incorporated into and form part of this MSA: Exhibit A (Order Form), Exhibit B (Insurance Coverage), Exhibit C (Service Level Agreement), and Exhibit D (Data Processing Addendum). In the event of any conflict between the provisions of the MSA body and any Exhibit, the following order of precedence will apply: (1) Order Form, (2) Data Processing Addendum, (3) this MSA, (4) Service Level Agreement, (5) other Exhibits.


Exhibit B — Insurance Coverage

Vistaly will maintain, at its own expense, the following minimum insurance coverages with carriers rated A- VII or better by A.M. Best (or equivalent) during the Term and for a period of two (2) years thereafter:

| Coverage | Minimum Limit |
| --- | --- |
| Commercial General Liability | $1,000,000 per occurrence / $2,000,000 aggregate |
| Technology Errors & Omissions | $2,000,000 per claim / $2,000,000 aggregate |
| Cyber Liability / Network Security & Privacy | $2,000,000 per claim / $2,000,000 aggregate |
| Workers' Compensation | Statutory limits |
| Employer's Liability | $1,000,000 per occurrence |

Exhibit C — Service Level Agreement

1. Uptime Commitment. Vistaly will use commercially reasonable efforts to make the Services available with a Monthly Uptime Percentage of at least 99.9%. "Monthly Uptime Percentage" means the total number of minutes in a calendar month minus the number of minutes of Unavailability, divided by the total number of minutes in that calendar month.

2. Unavailability. "Unavailability" means a period during which the Services are materially inaccessible or inoperable for Customer, excluding: (a) scheduled maintenance, provided Vistaly gives at least forty-eight (48) hours' advance notice via email; (b) force majeure events as described in Section 12.11 of the MSA; (c) issues caused by Customer's equipment, network connections, or misuse of the Services; and (d) outages of third-party services outside Vistaly's reasonable control.

3. Service Credits. If Vistaly fails to meet the Monthly Uptime Percentage in any calendar month, Customer may request a service credit as follows:

| Monthly Uptime Percentage | Service Credit (% of monthly Fees) |
| --- | --- |
| 99.0% – < 99.9% | 5% |
| 95.0% – < 99.0% | 10% |
| < 95.0% | 15% |

4. Credit Cap. The total service credits issued to Customer in any single calendar month will not exceed twenty percent (20%) of the monthly Fees applicable to the affected Services for that month.

5. Claim Process. To receive a service credit, Customer must submit a written request to support@vistaly.com within thirty (30) days of the Unavailability incident, including the dates, times, and a description of the Unavailability. Service credits will be applied against future invoices and are not redeemable for cash.

6. Sole Remedy. Service credits are Customer's sole and exclusive remedy for Vistaly's failure to meet the Monthly Uptime Percentage.

7. Chronic Failure. If the Monthly Uptime Percentage falls below 95.0% for three (3) consecutive calendar months, Customer may terminate the affected Order Form upon written notice to Vistaly.


Exhibit D — Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement ("Principal Agreement") between the Customer (the "Company") and Vistaly, Inc. (the "Processor") (together the "Parties").

WHEREAS

(A) The Company acts as a Data Controller with respect to Company Personal Data.

(B) The Company wishes to engage the Processor to process Company Personal Data in connection with the Services.

(C) The Parties seek to implement a data processing addendum that complies with the requirements of applicable Data Protection Laws, including the GDPR and UK GDPR.

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1 "DPA" means this Data Processing Addendum and all Annexes;

1.1.2 "Company Personal Data" means any Personal Data processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;

1.1.3 "Contracted Processor" means the Processor or a Subprocessor;

1.1.4 "Data Protection Laws" means: (a) the GDPR; (b) the UK GDPR and the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection ("FADP"); and (d) to the extent applicable, the data protection or privacy laws of any other country, in each case as amended, replaced, or superseded from time to time;

1.1.5 "EEA" means the European Economic Area;

1.1.6 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation);

1.1.7 "UK GDPR" means the GDPR as retained in United Kingdom domestic law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;

1.1.8 "Data Transfer" means a transfer of Company Personal Data to a country outside of the EEA (or, in respect of the UK GDPR, outside of the United Kingdom) which does not benefit from an adequacy decision by the relevant authority;

1.1.9 "Services" has the meaning given in the Principal Agreement;

1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with this DPA;

1.1.11 "Standard Contractual Clauses" or "SCCs" means (a) for transfers subject to the GDPR, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914, Module Two (Controller to Processor); (b) for transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office ("UK Addendum"); and (c) for transfers subject to the Swiss FADP, the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner, in each case as amended or replaced from time to time;

1.2 The terms "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" shall have the same meaning as in the GDPR (or, where applicable, the UK GDPR), and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall: (a) comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and (b) not Process Company Personal Data other than on the Company's documented instructions, unless required by applicable law, in which case the Processor shall (to the extent permitted by law) inform the Company of that legal requirement before Processing.

2.2 The Company instructs Processor to process Company Personal Data as described in Annex I (Description of Processing).

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Company Personal Data, ensuring that access is strictly limited to those individuals who need access as strictly necessary for the purposes of the Principal Agreement, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Processor shall implement and maintain technical and organizational security measures as described in Annex II (Technical and Organizational Measures) to protect Company Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the risk and shall include, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take into account the risks presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 Processor is authorized to use the sub-processors listed at vistaly.com/v2/sub-processors (the "Sub-Processor List").

5.2 Processor shall provide the Company with at least fourteen (14) calendar days' prior written notice before engaging any new sub-processor not on the Sub-Processor List, including the name, location, and nature of processing. If the Company objects on legitimate data protection grounds within that period, the Parties shall negotiate in good faith for seven (7) working days. If no resolution is reached, the Company may terminate the affected Order Form upon written notice, and Vistaly shall refund a pro-rata portion of prepaid Fees for the unused remainder of the Term.

5.3 Processor shall ensure that each sub-processor is bound by data protection obligations at least as protective as those in this DPA. Processor shall remain liable for the acts and omissions of its sub-processors.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures for the fulfillment of the Company's obligations to respond to Data Subject requests under applicable Data Protection Laws.

6.2 Processor shall: (a) promptly notify the Company if it receives a request from a Data Subject; and (b) not respond to that request except on the Company's documented instructions or as required by applicable law (in which case Processor shall inform the Company before responding, to the extent permitted by law).

7. Personal Data Breach

7.1 Processor shall notify the Company without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information for the Company to meet its obligations under Data Protection Laws.

7.2 Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

8. Data Protection Impact Assessment

Processor shall provide reasonable assistance to the Company with data protection impact assessments and prior consultations with Supervisory Authorities required under Articles 35 or 36 of the GDPR (or equivalent provisions of other Data Protection Laws), solely in relation to Processing of Company Personal Data.

9. Deletion or Return of Company Personal Data

9.1 Upon termination or expiration of the Principal Agreement, Processor shall, at the Company's election, return or delete all Company Personal Data within thirty (30) days, unless retention is required by applicable law. The Company may export its data during the 30-day period described in Section 3.5 of the Principal Agreement.

10. Audit Rights

10.1 Upon request and no more than once per year, Processor shall provide the Company with a copy of its most recent SOC 2 Type II report (or equivalent third-party audit report) covering the Services. If such report does not reasonably address the Company's data protection concerns, or in the event of a Personal Data Breach or reasonable evidence of non-compliance, the Company (or its designated independent auditor, subject to reasonable confidentiality obligations) may conduct an audit of Processor's processing activities with at least thirty (30) days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Processor's operations. The Company shall bear the costs of any such audit unless the audit reveals material non-compliance by Processor.

11. International Data Transfers

11.1 The Company acknowledges that Vistaly, Inc. is certified under the EU-U.S. Data Privacy Framework ("DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as administered by the U.S. Department of Commerce. Vistaly's current DPF certification can be verified at dataprivacyframework.gov. Transfers of Company Personal Data from the EEA, United Kingdom, or Switzerland to the United States shall be made in reliance on the DPF and the applicable adequacy decisions of the European Commission, UK Secretary of State, or Swiss Federal Council, as applicable.

11.2 In the event that the DPF (or any relevant adequacy decision) is invalidated, suspended, or otherwise ceases to provide a lawful basis for transfers of Company Personal Data, the Standard Contractual Clauses shall automatically apply to such transfers as follows:

(a) For transfers subject to the GDPR: Module Two (Controller to Processor) of the SCCs shall apply, with the Company as data exporter and Processor as data importer. For Clause 7, the optional docking clause shall apply. For Clause 9, Option 2 (general written authorization with 14-day notice) shall apply. For Clause 11, the optional language shall not apply. For Clause 17, the SCCs shall be governed by the laws of the EU Member State in which the Company is established. For Clause 18, disputes shall be resolved before the courts of the EU Member State in which the Company is established.

(b) For transfers subject to the UK GDPR: the UK Addendum to the EU SCCs shall apply, with the mandatory information tables completed as set forth in Annex I.

(c) For transfers subject to the Swiss FADP: the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

11.3 Processor shall maintain its DPF certification for the duration of this DPA. In the event Processor's DPF certification lapses or is withdrawn, Processor shall promptly notify the Company, and the SCCs shall apply as set forth in Section 11.2 above.

11.4 Processor shall conduct and document a transfer impact assessment where required by the SCCs (Clause 14) and shall implement supplementary measures as necessary to ensure an essentially equivalent level of protection for Company Personal Data.

12. General Terms

12.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party confidential, subject to the terms of Section 5 of the Principal Agreement.

12.2 Notices. All notices under this DPA shall be given in accordance with Section 12.5 of the Principal Agreement.

12.3 Limitation of Liability. The liability of the Processor under this DPA is subject to, and not in addition to, the limitations set forth in Section 11 of the Principal Agreement (including the Enhanced Cap applicable to data protection obligations).

13. Governing Law and Jurisdiction

13.1 This DPA is governed by the laws of the Commonwealth of Virginia, USA; provided that, to the extent required by mandatory provisions of applicable Data Protection Laws, the relevant Data Protection Law shall apply.

13.2 Disputes under this DPA shall be resolved in accordance with Section 12.6 of the Principal Agreement.

14. Amendments

14.1 This DPA may only be amended by written agreement of both Parties. Such amendments will comply with applicable Data Protection Laws. Vistaly may update this DPA to reflect changes required by applicable Data Protection Laws upon thirty (30) days' written notice to the Company.


Annex I — Description of Processing

| Element | Description |
| --- | --- |
| Subject Matter | Processing of Personal Data in connection with the provision of the Vistaly platform for organizing product strategy and customer feedback. |
| Duration | For the Term of the Principal Agreement plus the 30-day data export period. |
| Nature and Purpose | Storage, organization, retrieval, and display of Company Personal Data as necessary to provide the Services; authentication and access management; analytics (on Usage Data only, in anonymized/aggregated form); backup and disaster recovery. |
| Types of Personal Data | Name, email address, job title, profile photo, IP address, browser/device information, authentication credentials (hashed), and any Personal Data that Customer or Authorized Users input into the Services. |
| Categories of Data Subjects | Customer's employees, contractors, and agents who are Authorized Users; individuals whose Personal Data is included in Customer's Service Data (e.g., customer feedback participants, interviewees). |
| Data Exporter | The Company (Customer), acting as Controller. |
| Data Importer | Vistaly, Inc., acting as Processor. |

Annex II — Technical and Organizational Security Measures

| Measure | Description |
| --- | --- |
| Encryption | Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Database encryption at rest using AWS-managed keys. |
| Access Controls | Role-based access controls with principle of least privilege. Multi-factor authentication required for all employees with access to production systems. Access reviews conducted quarterly. |
| Network Security | Web application firewall (WAF), intrusion detection/prevention systems, network segmentation between production and non-production environments. Regular vulnerability scanning. |
| Data Backup & Recovery | Automated daily backups with 30-day retention. Backups encrypted and stored in geographically separate AWS regions. |
| Incident Management | Documented incident response plan with defined roles, escalation procedures, and post-incident review. Breach notification procedures aligned with 72-hour requirement. |
| Personnel Security | Background checks on employees with access to Personal Data. Mandatory security awareness training upon hire and annually thereafter. Confidentiality agreements for all personnel. |
| Physical Security | Cloud infrastructure hosted by Amazon Web Services (AWS) data centers that maintain ISO 27001, SOC 2 Type II, and SOC 3 certifications, among others. Vistaly does not maintain physical data center infrastructure; physical security controls — including facility access, surveillance, and environmental protections — are managed entirely by AWS in accordance with its compliance programs. |
| Business Continuity | Documented business continuity and disaster recovery plans. Redundant infrastructure to minimize single points of failure. |
| Vendor Management | Third-party risk assessments conducted before engaging sub-processors. Sub-processors required to maintain security standards at least as protective as those described herein. |