Managed Governance Services and Aurora Command Platform Agreement

Structure of Agreement; Scope; Contract Formation

This Managed Governance Services and Aurora Command Platform Agreement (this “Agreement”) is a binding legal agreement between Borealis Security, Inc., an Alaska corporation (“Borealis”), and the customer identified in the applicable Order Form (“Customer”).

This Agreement becomes effective only when an Order Form that references this Agreement is executed by both parties, or when Borealis otherwise issues written acceptance of Customer’s signed Order Form. No proposal, statement of work draft, invoice draft, or preliminary scoping communication obligates Borealis unless and until Borealis accepts an Order Form.

This Agreement governs Borealis’s managed-governance, implementation, operational-support, and related professional services, together with any Aurora Command platform access, reviewer-access functionality, onboarding, setup, or related deliverables included in the applicable Order Form (collectively, the “Services”).

Borealis provides governance implementation and operational support. Borealis is not a law firm, CPA firm, auditor, assessor, insurer, broker, MSP, MSSP, outsourced security operator, or certification body under this Agreement unless Borealis expressly agrees otherwise in a separate Borealis-signed writing that specifically overrides this Section.

If Customer separately purchases Aurora Command through Borealis’s designated self-service clickwrap flow, the self-service terms govern that self-service purchase. If Customer receives Aurora Command access through a signed Borealis Order Form under this Agreement, this Agreement and the applicable Order Form govern that included access to the extent of any conflict with any self-service terms.

Definitions

“Account” means the Aurora Command workspace, tenant, portal instance, or other logical environment made available for Customer.

“Account Administrator” means an Authorized User designated by Customer with administrative rights over Customer’s Account, users, settings, billing, sharing controls, or integrations.

“Advisor Access” means the scoped access rights Customer grants to Borealis personnel or contractors so Borealis can perform the Services inside Customer’s Aurora environment or through approved supporting systems.

“Authorized User” means an employee, contractor, advisor, or other individual authorized by Customer to access or use the Services on Customer’s behalf for Customer’s internal business purposes.

“Aurora Command” means Borealis’s hosted governance and evidence-management platform, reviewer-access functionality, related software, and associated hosted features made available under the applicable Order Form.

“Customer Data” means data, content, documents, records, files, text, images, configurations, prompts, evidence, policy materials, ticket references, infrastructure information, reviewer materials, and other information submitted to, uploaded to, imported into, generated within, or otherwise made available to the Services by or on behalf of Customer, excluding Service Data, Aggregated Data, and Borealis Materials.

“Deliverables” means the specific customer-facing work product, outputs, exports, governance records, packages, summaries, templates completed for Customer, or other artifacts expressly identified in an Order Form or Service Description as deliverables, excluding Borealis Materials, generic know-how, generic templates, taxonomies, workflows, software, and Service Data.

“Managed Governance Services” means the recurring operational, implementation, and governance-support services described in the applicable Order Form and Service Description, which may include cadence management, policy/evidence organization, framework mapping, questionnaire or reviewer-package support, readiness tracking, and similar implementation support.

“Order Form” means a written order form, proposal acceptance page, services schedule, or similar Borealis-issued commercial document that references this Agreement, identifies the Customer, and states the applicable Services, fees, term, and commercial details.

“Service Data” means usage information, logs, telemetry, operational metrics, technical data, activity history, billing metadata, support metadata, performance data, reviewer-access metadata, and similar data concerning Customer’s or Authorized Users’ use of the Services that does not constitute Customer Data in raw or intelligible form.

“Aggregated Data” means Service Data or other data derived from Customer’s use of the Services that has been aggregated and/or de-identified so that it does not identify Customer, any Authorized User, or any natural person, except as may be permitted by applicable law.

“Service Description” means the Borealis managed-governance service description, professional-boundaries exhibit, statement of work, or other scoped service description referenced in the applicable Order Form.

“Setup Commencement Event” means the first Borealis-recorded event showing that Borealis has begun onboarding or activation work for Customer, including scheduling or delivering kickoff, reserving onboarding capacity, provisioning a paid workspace, enabling Advisor Access, beginning document intake, instantiating templates or initial assessments, configuring supported connectors, or starting any other standard setup work.

“Subscription Services” means the Aurora Command access, hosted software, reviewer-access functionality, trust-center functionality, and related recurring hosted features included in the applicable Order Form, if any.

“Third-Party Service” means any third-party product, service, model provider, cloud platform, connector, API, repository, identity provider, ticketing system, documentation system, or other technology not owned by Borealis.

Order Forms; Term Options; Document Hierarchy

Each Order Form forms part of this Agreement and governs only the Services, fees, term, billing cadence, setup fee, included usage, and other specific commercial details expressly stated in that Order Form.

An Order Form may provide for either (a) a fixed initial term, including a 12-month term billed annually or otherwise as stated in the Order Form, or (b) a month-to-month term. If an Order Form is silent, the default commercial interpretation is the one expressly accepted by Borealis in writing, and Borealis has no obligation to provide Services until that ambiguity is resolved.

Unless a separate Borealis-signed writing states otherwise, the order of precedence is: (a) the applicable Order Form, but only for the specific commercial details and expressly scoped Services stated there; (b) the applicable Service Description; (c) any accepted data processing addendum, but only for the processing of personal data to the extent it applies; (d) this Agreement; and (e) any incorporated acceptable-use, Trust Center, reviewer-access, or AI-feature terms to the extent the affected functionality is used.

No purchase order, procurement-portal term, vendor-registration term, invoice instruction, or other unilateral Customer term has any force or effect, even if referenced in payment, onboarding, support, or administrative communications and even if Borealis does not expressly reject it.

Borealis may reject any Order Form or proposed engagement before acceptance for fraud, sanctions, security, fit, staffing, data-posture, or operational reasons. If Borealis rejects an Order Form before any Setup Commencement Event, Borealis’s sole obligation is to return any unearned amounts actually received for that rejected order.

Services; Platform Access; Deliverable Acceptance

Subject to Customer’s timely payment and compliance with this Agreement, Borealis will provide the Services described in the applicable Order Form and Service Description during the applicable term.

If Aurora Command access is included, Borealis grants Customer, during the applicable term, a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the included Subscription Services solely for Customer’s internal business purposes and solely in accordance with this Agreement, the applicable Order Form, the Documentation, and any incorporated use rules.

Unless Borealis expressly states otherwise in a Borealis-signed writing, the Services do not include any uptime SLA, service credits, dedicated infrastructure, data-residency commitment, custom development, bespoke integration engineering, managed detection and response, managed IT administration, legal analysis, audit opinion, assessment attestation, or certification commitment.

Borealis may use affiliates, contractors, subprocessors, and other service providers in performing the Services. Borealis remains responsible for their performance to the extent required by law, subject to the limitations in this Agreement.

Borealis may improve, modify, replace, or remove portions of Aurora Command or related workflows from time to time. During a current paid term, Borealis will not intentionally eliminate the core generally available functionality specifically committed for the paid service tier in a manner that is materially adverse to Customer, except as reasonably necessary for security, law, fraud prevention, abuse prevention, system integrity, Beta Features, or Third-Party Service changes. If Borealis materially reduces such core paid functionality in breach of this Section and does not cure within a reasonable period after notice, Customer’s sole and exclusive remedy is to terminate the affected Order Form and receive a pro rata refund of the unused prepaid recurring fees allocable to the affected remainder of the then-current paid term.

Deliverables, if any, are deemed accepted on the earliest of: (a) Customer’s use, reliance on, distribution of, filing of, publication of, or submission of the Deliverable to any third party; (b) Customer’s approval in writing or through Aurora Command; or (c) five (5) business days after delivery unless Customer provides Borealis with a written notice that specifically identifies a material and objective nonconformity to the applicable Order Form or Service Description. Borealis’s sole obligation for a timely and valid rejection is to reperform or correct the affected portion, if reasonably possible, and Sections 13 and 14 apply to any residual claim.

Customer Responsibilities; Dependencies; Access

Customer will designate a knowledgeable primary contact and any required Account Administrators, reviewers, or workstream owners, and will ensure that Borealis can reach decision-makers in time to keep the agreed cadence moving.

Customer will provide Borealis with timely, accurate, and complete information, documentation, access, approvals, and cooperation reasonably required to perform the Services, including access to Customer’s existing policies, evidence, prior deliverables, ticketing or documentation systems, infrastructure information, vendor information, and reviewer requests where applicable.

Customer is solely responsible for the substance, accuracy, completeness, legality, and suitability of Customer Data and for maintaining independent copies of records Customer must retain.

Customer is solely responsible for implementing, operating, monitoring, and testing Customer’s actual technical, administrative, and physical controls unless the applicable Order Form expressly states that Borealis itself will operate a specifically identified control. Borealis’s managed-governance engagement is not a substitute for Customer’s MSP, MSSP, internal IT, security engineering, legal team, auditor, or assessor.

Customer is solely responsible for deciding what controls to implement, what statements to make, what reviewers to answer, what risks to accept, what exceptions to approve, and what deliverables to file, publish, certify, or submit to any auditor, insurer, customer, prospect, partner, or regulator.

Customer will promptly notify Borealis of material changes to Customer’s business, environment, legal posture, review scope, frameworks, reviewer requests, or supporting systems that could affect the Services or previously delivered materials.

Borealis may rely on instructions given through the Account or by Customer’s designated contacts and has no duty to verify internal authority allocations within Customer’s organization.

Professional Boundaries; No Legal Advice; Required Validation

Borealis is a cybersecurity and governance implementation firm. Borealis is not Customer’s law firm, attorney, CPA firm, accountant, auditor, assessor, certification body, insurer, broker, fiduciary, outsourced security team, outsourced compliance team of record, or virtual CISO of record unless Borealis expressly agrees otherwise in a separate Borealis-signed writing that specifically overrides this Section.

Any governance package, WISP, policy set, evidence map, risk register, vendor-review list, incident-readiness plan, questionnaire draft, reviewer package, framework mapping, AI output, state-law summary, checklist, template, or similar material prepared, surfaced, or maintained through the Services is an operational aid only. It may reflect customer-supplied information, public information, and Borealis’s generalized implementation experience as of a point in time. It is not legal advice, tax advice, accounting advice, audit advice, an attestation, a certification, or an opinion that Customer is compliant, secure, or review-ready.

Borealis does not guarantee the legal sufficiency, completeness, accuracy, currency, or reviewer acceptability of any Deliverable, mapping, recommendation, policy text, evidence package, AI output, state-law summary, or reviewer response. Standards, laws, customer environments, reviewer expectations, insurer positions, and framework interpretations can change; customer-provided information can be incomplete or inaccurate; and platform, human, or AI mistakes can occur.

Customer must independently review, validate, approve, and where appropriate obtain legal, privacy, compliance, accounting, insurance, audit, security, and business review of all materials before using them for any consequential purpose, including filings, certifications, board or management decisions, contractual representations, insurance renewals, customer diligence responses, procurement responses, audit responses, or regulatory communications.

Borealis does not promise that Customer will achieve or maintain legal compliance, audit readiness, certification, procurement approval, underwriting acceptance, customer approval, favorable reviewer outcomes, or any specific business result. Customer remains solely responsible for its program, controls, personnel, environment, decisions, and outcomes.

The fact that Borealis helps run a governance cadence, maintain evidence, draft responses, map frameworks, or prepare reviewer-ready packages does not create a professional-advisory duty of care to detect every issue, interpret law for Customer, identify every required control, maintain every deadline, or prevent Customer from making an inaccurate statement, incomplete submission, or mistaken decision.

Fees; Invoicing; Setup Fee; Payment; Taxes

Customer will pay all fees stated in each applicable Order Form, including recurring services fees, Subscription Services fees, setup or onboarding fees, approved out-of-scope fees, pass-through expenses if expressly allowed in the Order Form, taxes, and any other amounts properly chargeable under this Agreement.

Unless an Order Form expressly states otherwise, fixed-term fees are invoiced in advance, month-to-month fees are invoiced monthly in advance, and setup fees are invoiced on or before kickoff. Customer must pay each undisputed invoice within fifteen (15) days after the invoice date unless the Order Form states a shorter period and Borealis accepts it in writing.

A setup fee, if any, is charged for onboarding capacity, workspace activation, kickoff, document intake, initial assessment setup, supported connector or configuration work, and other standard activation activities. Unless the applicable Order Form expressly states otherwise, Borealis may begin setup immediately after acceptance of the Order Form. The setup fee becomes fully earned and non-refundable upon the first Setup Commencement Event reflected in Borealis’s records.

All fees are non-cancelable and non-refundable except as expressly stated in this Agreement or required by non-waivable law. Customer may not withhold, set off, recoup, or net any amount against fees owed to Borealis.

If Customer disputes an invoice, Customer must notify Borealis in writing with reasonable supporting detail within fifteen (15) days after the invoice date or the dispute is waived to the fullest extent permitted by law. Customer will timely pay all undisputed amounts while the parties work in good faith to resolve any timely and properly raised dispute.

Late amounts may accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by law, plus reasonable collection costs and attorneys’ fees to the extent permitted by law.

Fees are exclusive of all sales, use, value-added, goods and services, withholding, excise, and similar taxes, duties, or governmental assessments of any nature, except taxes based on Borealis’s net income. Customer is responsible for all such taxes associated with the Services, excluding taxes Borealis is prohibited by law from charging or collecting.

Borealis may change renewal pricing for future renewal terms by giving advance notice before the renewal on which the change will apply. For fixed-term renewals, Borealis’s default business practice is at least thirty (30) days’ prior notice unless a different timing is required or permitted for legal, security, tax, staffing, or third-party pass-through reasons.

Change Orders; Out-of-Scope Work; Customer Delays

Any material change to scope, cadence, deliverable assumptions, included frameworks, included review types, included customer cohorts, or included systems may require a written change order, a revised Order Form, or a new Order Form.

Unless the applicable Order Form expressly states otherwise, Borealis has no obligation to perform out-of-scope work. Borealis may, in its discretion, perform out-of-scope work at the rate or pricing method stated in the Order Form or, if none is stated, at Borealis’s then-current standard services rates.

Customer-caused delays, missing approvals, missing access, incomplete data, or materially changed assumptions may require schedule adjustments, reprioritization, additional fees, or a revised scope. Borealis is not responsible for missed deadlines, degraded outcomes, or additional effort caused by Customer’s delay, inaction, or inaccurate or incomplete inputs.

Customer Data; DPA; Privacy; Trust Center; Sharing

As between the parties, Customer retains all right, title, and interest in and to Customer Data. Subject to this Agreement, Customer grants Borealis a worldwide, non-exclusive, royalty-free right and license to host, copy, process, transmit, transform, display, store, analyze, and otherwise use Customer Data solely as reasonably necessary to provide, operate, secure, support, bill for, monitor, improve, and enforce the Services, to prevent fraud or abuse, to comply with law, and as otherwise directed by Customer.

Borealis may collect, generate, and use Service Data and Aggregated Data for lawful business purposes, including analytics, service administration, billing, support, security, fraud prevention, abuse prevention, benchmarking, performance optimization, feature development, and product improvement, provided Borealis does not disclose Customer Data in raw or intelligible form or identify Customer or any natural person through Aggregated Data except as permitted by law.

Unless Customer expressly opts in through a Borealis-approved written or in-product mechanism, Borealis will not use Customer Data or Customer-specific prompts, attachments, or responses derived from Customer Data to train generalized or shared machine-learning or generative-AI models made available to other customers or the public. Borealis may use Service Data, Aggregated Data, Feedback, and de-identified or synthetic materials that do not identify Customer or any natural person to improve the Services and related technologies.

If Customer directs Borealis to share materials, evidence, questionnaires, exports, links, or Trust Center materials with reviewers, insurers, auditors, prospects, partners, or other third parties, Customer is solely responsible for that direction and the consequences of the disclosure. Borealis may rely on instructions given through the Account or by Customer’s designated contacts.

If and to the extent Borealis processes personal data on Customer’s behalf in a manner that makes Borealis a processor, service provider, or contractor under applicable privacy law, Borealis will process that data only for the limited and specified purposes described in this Agreement and any applicable DPA. If Customer requires additional processor terms, Customer must accept Borealis’s then-current standard DPA or enter into a separate Borealis-signed writing. Borealis is not required to negotiate Customer paper for this managed-governance offering unless Borealis expressly agrees otherwise in writing.

Borealis may maintain security documentation, retention summaries, subprocessor information, audit-support materials, reviewer packages, and similar trust materials through an authenticated Trust Center, reviewer portal, or designated URL. Unless a specific trust document is expressly identified in this Agreement, an Order Form, or a Borealis-signed writing as contractually incorporated, Trust Center content is informational only and does not create a warranty, service-level commitment, certification, or professional-services promise.

Security; Confidentiality

Borealis will implement and maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Customer Data in Borealis-controlled systems against unauthorized access, acquisition, use, or disclosure.

If Borealis confirms a Security Incident involving unauthorized access to or acquisition of Customer Data in Borealis-controlled systems used to provide the Services, Borealis will notify Customer without undue delay, taking into account the time reasonably necessary to determine the scope of the incident, prevent additional harm, and restore service. Borealis may provide information in phases as it becomes reasonably available.

Each party will protect the other party’s Confidential Information using at least reasonable care and no less than the care it uses to protect its own similar confidential information. Each party may use the other party’s Confidential Information only as necessary to exercise its rights or perform its obligations under this Agreement.

Confidential Information does not include information the receiving party can demonstrate is or becomes public without breach of this Agreement, was already lawfully known without confidentiality obligation, is lawfully received from a third party without confidentiality obligation, or is independently developed without use of the disclosing party’s Confidential Information.

A party may disclose Confidential Information to its employees, affiliates, contractors, advisors, insurers, financing sources, and prospective acquirers who have a need to know and are bound by confidentiality obligations at least as protective as those in this Agreement. A party may also disclose Confidential Information to the extent required by law, subpoena, court order, or regulatory demand, provided that, unless legally prohibited, the receiving party uses commercially reasonable efforts to give prompt notice and a reasonable opportunity to seek confidential treatment or protective relief.

Intellectual Property; Deliverables; Feedback

As between the parties, Borealis and its licensors retain all right, title, and interest in and to the Services, Aurora Command, Borealis Materials, software, workflows, templates, taxonomies, methodologies, prompts, system instructions, generic controls content, generic policy language, and all related intellectual-property rights. Except for the limited rights expressly granted to Customer, no license is granted by implication, estoppel, or otherwise.

Subject to Customer’s compliance with this Agreement, Borealis grants Customer a perpetual, worldwide, non-exclusive, royalty-free license to use, reproduce, modify, distribute internally, and otherwise exploit Deliverables prepared specifically for Customer for Customer’s internal business purposes. Customer does not acquire ownership of Borealis’s preexisting materials, software, generic templates, generic frameworks content, taxonomies, workflows, or know-how incorporated into or used to create any Deliverable.

Borealis may retain and use residual know-how, ideas, techniques, concepts, methods, and improvements of a general nature developed or learned in the course of performing the Services, so long as Borealis does not disclose Customer Confidential Information in violation of this Agreement.

If Customer provides suggestions, requests, corrections, or other feedback regarding the Services (“Feedback”), Borealis may use, disclose, reproduce, modify, distribute, and otherwise exploit that Feedback for any purpose without restriction or compensation, and Customer assigns to Borealis any rights Customer may have in that Feedback.

Third-Party Services; Customer Systems; Customer-Supplied Tools

The Services may interoperate with, depend on, or use Third-Party Services, including customer-selected repositories, ticketing systems, model providers, identity providers, scheduling systems, and document or evidence stores. Customer’s use of any Third-Party Service is governed solely by that third party’s terms and policies.

Borealis is not liable for any unavailability, inaccuracy, outage, API change, suspension, termination, fee, retention practice, security event, data corruption, or other act or omission of any Third-Party Service or Customer system. Borealis may disable or stop supporting an affected integration or workflow without liability if the third party changes its technology, economics, terms, legal status, or security posture, or if Borealis reasonably determines continued support is inadvisable.

Limited Warranty; Exclusive Remedy

Each party represents and warrants that it has the full right, power, and authority to enter into this Agreement and perform its obligations under it.

Borealis warrants that it will perform the Managed Governance Services in all material respects in accordance with the applicable Order Form and Service Description when Customer timely provides the required cooperation, access, and information.

Customer’s sole and exclusive remedy, and Borealis’s sole obligation, for breach of Section 13.2 is for Customer to notify Borealis in writing during the affected term or within thirty (30) days after the breach is discovered, provide reasonable supporting detail, and allow Borealis a reasonable opportunity to cure through re-performance or correction. If Borealis does not cure the verified material nonconformity within a reasonable period, Customer may terminate the affected Order Form, and Borealis will refund the unused prepaid recurring fees allocable to the directly affected portion of the term after the effective date of termination. This Section states Borealis’s entire liability and Customer’s exclusive remedy for any breach of warranty or Services nonconformity.

Disclaimers

EXCEPT FOR THE EXPRESS WARRANTY IN SECTION 13.2, THE SERVICES, SUBSCRIPTION SERVICES, SETUP SERVICES, AI FEATURES, OUTPUTS, DELIVERABLES, DOCUMENTATION, TRUST CENTER MATERIALS, THIRD-PARTY SERVICES, AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY LAW, BOREALIS AND ITS LICENSORS DISCLAIM ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, ACCURACY, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE, OR TRADE.

WITHOUT LIMITING THE FOREGOING, BOREALIS DOES NOT WARRANT OR REPRESENT THAT THE SERVICES OR ANY DELIVERABLE, OUTPUT, PACKAGE, MAPPING, OR RECOMMENDATION WILL BE ERROR-FREE, COMPLETE, CURRENT, LEGALLY SUFFICIENT, REVIEWER-ACCEPTABLE, SECURE FROM ALL THREATS, OR FIT FOR CUSTOMER’S PARTICULAR PURPOSE, OR THAT THEY WILL SATISFY ANY LEGAL, REGULATORY, CONTRACTUAL, AUDIT, PROCUREMENT, INSURANCE, OR CERTIFICATION REQUIREMENT OR RESULT IN ANY PARTICULAR OUTCOME.

CUSTOMER IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE PROGRAM, SECURITY PROGRAM, LEGAL AND REGULATORY OBLIGATIONS, HUMAN REVIEW, DISCLOSURES, FILINGS, IMPLEMENTATION OF CONTROLS, OPERATION OF CONTROLS, TESTING OF CONTROLS, CERTIFICATIONS, AND DECISIONS TO SHARE, SUBMIT, RELY ON, OR ACT ON ANY OUTPUT, DELIVERABLE, OR OTHER SERVICE RESULT.

Borealis is not responsible for stale or inaccurate Customer Data, omitted information, changed laws, changed standards, changed reviewer expectations, internal or third-party control failures, auditor or assessor judgments, insurer or customer decisions, technical implementation gaps left with Customer or its IT providers, or platform, workflow, or AI mistakes, outages, or delays.

Indemnification

Customer will defend, indemnify, and hold harmless Borealis, its affiliates, and their respective officers, directors, employees, contractors, successors, and assigns from and against any and all third-party claims, demands, actions, suits, investigations, damages, liabilities, losses, judgments, settlements, penalties, fines, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Customer Data, Deliverables or Output used by Customer, or Customer’s use, disclosure, or processing thereof; (b) Customer’s or any Authorized User’s use of the Services, a Customer-Supplied API Key, or any Third-Party Service in violation of this Agreement or applicable law; (c) Customer’s breach of Sections 5, 6, 7, 9, 10, or 11; (d) allegations that Customer Data, Customer’s instructions, or Customer’s use of the Services infringes, misappropriates, or violates any third-party right or applicable law; or (e) Customer’s decisions, filings, statements, certifications, reviewer communications, procurement responses, or compliance actions.

Borealis will promptly notify Customer of any claim for which Borealis seeks indemnification, permit Customer to control the defense and settlement with counsel reasonably acceptable to Borealis, and provide reasonable cooperation at Customer’s expense. Customer may not settle any claim in a manner that admits fault of Borealis, imposes obligations on Borealis, or fails to fully release Borealis without Borealis’s prior written consent.

Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL BOREALIS OR ITS AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, GOODWILL, BUSINESS, USE, OR DATA, OR FOR THE COST OF SUBSTITUTE GOODS OR SERVICES, OR FOR FINES, PENALTIES, REMEDIATION COSTS, AUDIT COSTS, CERTIFICATION COSTS, RE-PERFORMANCE COSTS, PROCUREMENT DELAYS, LOST BUSINESS OPPORTUNITIES, INCREASED INSURANCE PREMIUMS, OR THIRD-PARTY CLAIMS AGAINST CUSTOMER ARISING FROM CUSTOMER’S REPRESENTATIONS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF BOREALIS AND ITS AFFILIATES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES WILL NOT EXCEED THE TOTAL AMOUNT OF FEES ACTUALLY PAID BY CUSTOMER TO BOREALIS UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

The exclusions and limitations in this Section apply regardless of the form of action, whether in contract, tort (including negligence), strict liability, statute, or otherwise. Nothing in this Section limits Customer’s payment obligations, Customer’s indemnification obligations, Customer’s liability for breach of Sections 5, 6, 7, 10, or 11, or either party’s liability to the extent such limitation is prohibited by non-waivable law.

Customer acknowledges that the pricing of the Services reflects this allocation of risk and that Borealis would not enter into this Agreement without the disclaimers and limitations in this Agreement.

Term; Renewal; Suspension; Termination; Effect

This Agreement begins on the effective date of the first accepted Order Form and continues until all Order Forms have expired or been terminated and all payment obligations are satisfied.

Each Order Form will have the term stated in that Order Form. Unless the Order Form states otherwise, a fixed initial term automatically renews for successive renewal terms of the same length, and a month-to-month term automatically renews monthly, unless either party gives at least thirty (30) days’ prior written notice of non-renewal before the next renewal date.

Borealis may suspend or restrict access to all or any part of the Services immediately, with or without notice, if Borealis reasonably determines that: (a) Customer has failed to pay amounts due; (b) Customer or any Authorized User has breached this Agreement or any incorporated use rule; (c) Customer’s use presents a security risk, legal risk, fraud risk, sanctions risk, abuse risk, or material risk of harm to Borealis, the Services, other customers, or third parties; (d) Borealis is required to do so by law, court order, regulator, payment processor, or third-party provider; or (e) the Services or any component thereof are being modified, maintained, or protected. Suspension does not relieve Customer of payment obligations.

Either party may terminate this Agreement or an affected Order Form upon written notice if the other party materially breaches this Agreement and fails to cure the breach within ten (10) days after notice, except that Borealis may terminate immediately for nonpayment, fraud, sanctions risk, illegal use, misuse of Borealis Materials, unauthorized access, use of prohibited data, or any breach that by its nature cannot be cured.

Customer may not terminate a fixed-term Order Form for convenience during its committed term. If Customer purports to terminate a fixed-term Order Form for convenience, suspends participation without Borealis’s uncured material breach, or otherwise causes Borealis to stop performance without contractual cause, all remaining committed recurring fees for the unexpired portion of that fixed term become immediately due and payable, together with any earned setup fee, approved out-of-scope charges, and any committed third-party pass-through amounts if the Order Form makes them chargeable. Customer acknowledges that fixed-term pricing reflects discounted committed pricing, Borealis’s allocation of reserved service capacity and implementation resources, and Borealis’s decision to forego other work in reliance on that commitment.

A month-to-month Order Form may be terminated for convenience by either party on at least thirty (30) days’ prior written notice. A fixed-term Order Form may be terminated by Borealis for convenience on at least thirty (30) days’ prior written notice. If Borealis terminates a fixed-term Order Form for convenience and not for cause or risk reasons, Borealis will refund the unused prepaid recurring fees allocable to the period after the effective termination date, but Borealis is not required to refund setup fees already earned or fees for Services already performed or irrevocably committed.

Upon expiration or termination: (a) Customer’s rights to access and use the Services cease, except to the extent Borealis expressly provides limited post-termination export access; (b) any amounts owed to Borealis become immediately due and payable; and (c) Borealis may disable the Account and delete or deprovision credentials, integrations, and configurations in the ordinary course.

Unless Borealis expressly agrees otherwise in a Borealis-signed writing, Customer’s ordinary access to Aurora Command and related workspace data ends when the applicable paid term ends or the applicable Order Form terminates. Customer is responsible for exporting any data it wants to retain before that effective end date. After the paid term ends, Borealis may immediately disable ordinary access and, in the ordinary course, will target deletion of the terminated workspace from primary production systems within fourteen (14) days after the end of the paid term, subject to legal retention, backup retention, security logging, disaster-recovery media, fraud prevention, and other protected archival systems that are deleted later in the ordinary course. Borealis is not required to keep a terminated workspace accessible, recoverable, or downloadable after the paid term ends.

Dispute Resolution; Arbitration; Class Waiver

Informal Resolution. Before either party commences arbitration or court proceedings, except for provisional relief expressly permitted below, the complaining party must provide the other party with a written notice of dispute describing the claim and the relief requested. The parties will attempt in good faith to resolve the dispute informally for at least sixty (60) days after that notice before commencing arbitration or court proceedings.

Agreement to Arbitrate. Except for disputes that qualify for small claims court and claims for provisional injunctive or other equitable relief necessary to protect a party’s Confidential Information, intellectual property, service integrity, or payment rights pending completion of arbitration, any dispute, claim, or controversy arising out of or relating to this Agreement, any Order Form, or the Services will be resolved by binding arbitration on an individual basis.

Arbitration Rules; Seat; Forum. The arbitration will be administered by the American Arbitration Association under its Commercial Arbitration Rules in effect when the arbitration is commenced, except as modified by this Agreement. The seat and legal place of arbitration is Anchorage, Alaska, although either party may request that hearings occur remotely by video, teleconference, or document submission to the fullest extent permitted by the applicable rules.

Individual Proceedings Only. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN ITS INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF, CLAIMANT, CLASS MEMBER, REPRESENTATIVE, PRIVATE ATTORNEY GENERAL, OR RELATOR IN ANY PURPORTED CLASS, COLLECTIVE, CONSOLIDATED, MASS, REPRESENTATIVE, OR OTHER PROCEEDING. THE ARBITRATOR MAY NOT CONSOLIDATE MORE THAN ONE PERSON’S CLAIMS OR OTHERWISE PRESIDE OVER ANY FORM OF REPRESENTATIVE, CLASS, OR CONSOLIDATED PROCEEDING EXCEPT TO THE LIMITED STAGED EXTENT EXPRESSLY SET FORTH IN SECTION 18.5.

Coordinated Filings; Staged Bellwether Process. If twenty-five (25) or more arbitration demands asserting substantially similar claims are filed against Borealis or related parties within a one-hundred-eighty (180)-day period by or with the assistance of the same law firm, law firms acting in coordination, or coordinated counsel, the parties agree, to the fullest extent permitted by the applicable arbitral rules, to administer those demands in a staged process rather than proceeding with all demands at once. The parties will first select ten (10) demands as bellwethers, with Borealis selecting five (5) and claimants’ counsel selecting five (5). All remaining demands will be stayed pending completion of the bellwether arbitrations and a good-faith mediation. All applicable statutes of limitation and contractual filing deadlines for the stayed demands will be tolled from the date those demands were first submitted to the administrator until the stay is lifted.

Confidentiality of Dispute Process. The parties will maintain the confidentiality of any arbitration, including the demand, pleadings, discovery, testimony, hearing, and award, except as reasonably necessary to prosecute or defend the dispute, enforce an award or court order, comply with law, or disclose to attorneys, accountants, insurers, auditors, financing sources, or prospective acquirers bound by confidentiality obligations.

Limitation Period. To the maximum extent permitted by law, any claim or cause of action arising out of or relating to this Agreement or the Services must be filed within one (1) year after the claim or cause of action arose, or it is forever barred.

Jury Trial Waiver. If for any reason a dispute proceeds in court rather than arbitration, each party knowingly and irrevocably waives any right to a jury trial to the fullest extent permitted by law.

Miscellaneous

Governing Law. This Agreement and any dispute arising out of or relating to it or the Services will be governed by the laws of the State of Alaska and applicable federal law, without regard to conflict-of-laws rules that would require the application of another jurisdiction’s laws.

Notices. Except where this Agreement expressly permits notice through the Services or email, legal notices under this Agreement must be in writing and sent by nationally recognized courier, certified mail, or email to the address or email designated by the receiving party in the applicable Order Form or by later written notice. Support or ticket communications do not constitute legal notice unless this Agreement expressly states otherwise.

Assignment. Customer may not assign, transfer, delegate, or sublicense this Agreement or any rights or obligations under it, whether by operation of law or otherwise, without Borealis’s prior written consent. Any purported assignment in violation of this Section is void. Borealis may assign or transfer this Agreement without Customer’s consent in connection with a merger, acquisition, corporate reorganization, sale of assets, financing transaction, or by operation of law.

Force Majeure. Borealis is not liable for any delay, interruption, or failure to perform resulting from causes beyond its reasonable control, including acts of God, labor disputes, internet or telecommunications failures, utility failures, cyberattacks, cloud provider failures, epidemics, pandemics, war, terrorism, riots, civil unrest, governmental action, sanctions, embargoes, or natural disasters.

Independent Contractors. The parties are independent contractors. This Agreement does not create any partnership, joint venture, agency, fiduciary, employment, or franchise relationship between the parties. Neither party has authority to bind the other.

Entire Agreement. This Agreement, together with the applicable Order Forms, Service Descriptions, and any accepted DPA or expressly incorporated policies, is the entire agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous proposals, statements, understandings, and agreements relating to that subject matter. No amendment or waiver is binding unless made in a separate Borealis-signed writing or, where this Agreement expressly permits, through a later accepted Order Form or approved online flow.

Severability; Waiver. If any provision of this Agreement is held unenforceable, that provision will be enforced to the maximum extent permitted and the remaining provisions will remain in full force and effect. A waiver of any breach or provision is effective only if in writing and signed by the waiving party. No failure or delay in exercising any right constitutes a waiver.

Survival. Sections that by their nature should survive termination survive, including Sections 6 through 19 and any accrued payment obligations.

No Third-Party Beneficiaries. This Agreement is solely for the benefit of Borealis and Customer. No affiliate, personnel member, reviewer, auditor, insurer, regulator, customer of Customer, referral recipient, or other third party is an intended beneficiary of this Agreement, any Order Form, or any Service Description, except to the extent a separate Borealis-signed writing expressly states otherwise.