Service Agreement
This Anomity Service Agreement (the “Agreement”), made pursuant to an Order Form (as defined below), constitutes a binding contract between Deskfirst, Inc. and its subsidiaries (operating under the brand name “Anomity.ai”) (“Anomity”, “Deskfirst”, “we”, “us” or “our”) and the entity identified in the Order Form (“Customer”).
This Agreement applies solely to customers that have purchased the Anomity services pursuant to an Anomity-issued Order Form that has been accepted and executed by both parties, thereby qualifying such customer as an Enterprise Customer as defined in the Anomity Terms of Service. This Agreement does not apply to, and does not govern, any access to, or use of, the Anomity services that is not made pursuant to an executed Order Form, including evaluation, pilot, or proof-of-concept access made available without an executed Order Form. Such access is governed exclusively by Anomity’s Terms of Service or other applicable click-through or written terms (such as a separately executed proof-of-concept agreement).
(Anomity and Customer will each be referred to as a “Party” and both collectively, the “Parties”).
WHEREAS Anomity offers a software-as-a-service (SaaS) platform that gives the Customer’s security team a single dashboard showing AI agents, MCP servers, IDE extensions, plugins, skills, hooks, CLIs, and secrets running on the Customer’s managed employee endpoints, with the policy controls to govern them, delivered as a multi-tenant cloud application together with a lightweight endpoint daemon (the “Service”); and
WHEREAS Customer wishes to use the Service within its organization to inventory, classify, govern, and audit AI tooling on its managed endpoints.
NOW THEREFORE, in consideration of the mutual covenants hereinafter, by Customer agreeing to an Order Form which references this Agreement, the Parties agree as follows:
1. Definitions
Unless otherwise expressly stated herein, the terms defined in this Section, or parenthetically defined elsewhere, shall have the same meaning throughout this Agreement, and any and all Order Forms, attachments and amendments hereto.
1.1. “Anomity Technology” means Anomity’s products, technology tools, product designs, algorithms, software (in source and object forms, including the Endpoint Daemon and the Anomity Cloud), user interface designs, architecture, class libraries, objects and documentation (both printed and electronic), network designs, trade secrets, know-how, methodology, platforms, apps, application programming interfaces (“APIs”), the global agent registry, capability taxonomy, secret pattern library, classification rules, and any other tools or programs used by or for Anomity on its behalf with regard to its Service, and any related IP Rights related thereto throughout the world, and also including any derivatives, improvements, translations, enhancements or extensions of or to the foregoing. Anomity Technology excludes Customer Data.
1.2. “Anomity Cloud” means the multi-tenant SaaS application that ingests, classifies, stores, and presents Telemetry Data, evaluates Customer policies, generates Findings, and exposes the Dashboard and APIs.
1.3. “Authorized User” means a Customer User who has been granted credentials to access the Dashboard or related Service interfaces.
1.4. “Customer Data” means all data or information transmitted to, uploaded to, or generated through Customer’s use of the Service, including Telemetry Data collected by the Endpoint Daemon, configuration uploaded directly by Customer (such as policies, approvals, allow-lists), Authorized User account information, and Findings derived from any of the foregoing.
1.5. “Dashboard” means the web-based interface and APIs through which Authorized Users access the Service.
1.6. “Effective Date” has the meaning set forth in the applicable Order Form.
1.7. “Endpoint Daemon” means the lightweight background software process distributed by Anomity to Customer for installation on Managed Devices that discovers AI tool configuration files, redacts secrets locally, and transmits Telemetry Data to Anomity Cloud.
1.8. “Feedback” means information or content concerning enhancements, changes, or additions to the Service or other Anomity offerings, that are requested, desired or suggested by Customer or its Users.
1.9. “Findings” means policy evaluation outputs, alerts, classifications, capability inferences, dangerous-combination detections, and other analytical outputs generated by the Service from Customer Data. Findings are part of Customer Data.
1.10. “IP Rights” or “Intellectual Property Rights” means all intellectual property rights comprising or relating to patents, trademarks, tradenames, internet domain names (whether or not trademarks), registered by any authorized private registrar or governmental authority, web addresses, web pages, websites and URLs; works of authorship, expressions, designs and design registrations, whether or not copyrightable, including copyrights and copyrightable works, software and firmware, data, data files, and databases and other specifications and documentation; trade secrets; and all industrial and other intellectual property rights, and all rights, interests and protections that are associated with, equivalent or similar to, or required for the exercise of, any of the foregoing, however arising, in each case whether registered or unregistered and including all registrations and applications for, and renewals or extensions of, such rights or forms of protection pursuant to the laws of any jurisdiction throughout any part of the world.
1.11. “Managed Device” means an endpoint device (Windows, macOS, or Linux) on which Customer or its IT administrators have installed the Endpoint Daemon, including devices issued to or used by Customer’s employees, agents, contractors, and other personnel that Customer has lawful authority to monitor.
1.12. “Order Form” means the order form that Customer has accepted or signed (including, but not limited to, by way of Customer issuing a purchase order pursuant to a quote or proposal provided by Anomity), specifying, among others, Customer’s details, the duration of the provision of the Service to Customer, the fees and payment terms applicable to this Agreement, the usage metrics, the licensed number of Managed Devices and Authorized Users, and any in-scope integrations and rollout plan. The Order Form is incorporated into and forms an integral part of this Agreement, as further detailed in Section 4.1 hereto.
1.13. “Professional Services” means services provided by Anomity to Customer such as deployment, consulting, implementation, training, integration, or other professional services regarding the Service, that are provided to Customer pursuant to an Order Form or statement of work.
1.14. “Service Data” means meta-data and analytics about how Customer uses the Service, the performance of the Service when used by Customer, and the Service’s compatibility and interoperability. Service Data explicitly excludes Customer Data.
1.15. “Subscription Term” means the time period during which Anomity agrees to provide to Customer, and Customer is permitted to use, the Service as specified in an Order Form.
1.16. “Telemetry Data” means configuration metadata about AI tools, MCP servers, extensions, plugins, skills, hooks, CLIs, permission grants, and related artifacts collected by the Endpoint Daemon from Managed Devices, together with device identifiers (such as hostname, OS, machine UUID), the username under which the AI tool is configured, redacted secret fingerprints (hashes), and change events. Telemetry Data does not include source code, prompts, model outputs, or the plaintext values of secrets, all of which are excluded by design.
1.17. “Users” means Customer’s employees, agents, contractors and others, who have been authorized or enabled, directly or indirectly, by Customer to use or be reflected by the Service, including Authorized Users.
2. Usage Rights
2.1. Subject to this Agreement and each applicable Order Form, including without limitation Customer’s payment of the subscription fees, Customer may, during the applicable Subscription Term, access and use the Service made available by Anomity to Customer within Customer’s organization solely for Customer’s internal security, governance, audit and compliance purposes.
2.2. Customer’s right to use the Service is expressly limited to the number of Managed Devices, Authorized Users, and other usage limitations as indicated by the Order Form.
2.3. Customer covenants that Customer and its Users will use the Service only in compliance with all applicable laws and regulations (including employment, privacy, and surveillance laws applicable to monitoring of employee endpoints), this Agreement, and any reasonable use policies or instructions issued by Anomity in writing.
2.4. Customer shall designate the Authorized Users of the Service, provided that such usage is in accordance with this Agreement. Customer must ensure that Users fully comply with this Agreement. Customer shall be liable to Anomity for all acts or omissions of its Users that use and deal with the Service on its behalf, as though Customer had performed those acts or omissions. Customer shall not authorize access to or permit use of the Service by persons other than its Users. Anomity may suspend and/or terminate any User’s access to the Service in the event Anomity reasonably believes that such User has violated any provision of this Agreement or the Anomity Terms of Service, which shall apply to such Users’ use of the Service.
2.5. Customer is solely responsible for installing the Endpoint Daemon only on devices it has lawful authority to monitor, for providing any notices and obtaining any consents that may be required under applicable law (including in respect of employee monitoring), and for keeping Authorized User access lists current.
2.6. During the Subscription Term, Customer may change the usage parameters, capacity limits, and other metrics applicable to its use of the Service by mutual written agreement (email being sufficient) with Anomity. Where such changes are agreed, they are incorporated by reference into the Order Form and apply pursuant to the conditions mutually agreed to, including with respect to any new fees agreed to in light of the change.
2.7. The Customer and Anomity shall adhere to any other terms and conditions agreed to under the Order Form.
2.8. Customer and its Authorized Users are responsible for maintaining the confidentiality of their Service login credentials, of any API tokens issued for the Dashboard, and of the per-device daemon credentials issued to Managed Devices.
2.9. Customer acknowledges that classification of MCP servers, capability inference, dangerous-combination detection, secret-pattern matching, AI-assisted remediation suggestions, and other analytical outputs of the Service are produced through a combination of curated registries, deterministic rules, statistical heuristics, and machine learning models. Due to the probabilistic nature of these methods, there may be instances where Findings or other Service outputs do not accurately represent real conditions on a Managed Device. Customer acknowledges and agrees as follows:
2.9.1. Findings and other Service outputs may be inaccurate, incomplete, false-positive, or false-negative, and they are not the sole source of truth or factual information about the security posture of any Managed Device or organization.
2.9.2. The Service is not a substitute for professional security advice, regulatory compliance review, or legal counsel.
2.9.3. It is Customer’s responsibility to assess the accuracy and suitability of Findings and other Service outputs for its specific use case, including conducting human review when necessary. Customer’s use of Findings and other Service outputs is solely at its own risk.
2.9.4. Customer must not use Findings or other Service outputs to take decisions about an individual that could have legal or material consequences for that individual (such as those related to hiring, termination, discipline, credit, education, employment, housing, insurance, legal matters, or medical issues) without independent human review and an appropriate lawful basis. Customer may not use Findings to categorize individuals based on biometric data or to deduce or infer sensitive attributes such as race, political opinions, religious beliefs, or sexual orientation.
2.9.5. The Service may generate incomplete, incorrect, or otherwise imperfect Findings or AI-assisted remediation suggestions that do not reflect Anomity’s views. References to third-party products or services within the Service do not imply endorsement of or affiliation with Anomity.
2.9.6. Due to the nature of the underlying analytics, Findings produced for one Customer may be similar or identical to Findings produced for other Customers in respect of comparable AI tooling, and similarity does not constitute disclosure of any other Customer’s Customer Data.
3. Service Restrictions
3.1. Customer and its Users shall not:
3.1.1. distribute, rent, lease, sublicense, transfer or assign the Service or any part thereof to any third party, including the Endpoint Daemon, other than installing the Endpoint Daemon on Managed Devices in accordance with this Agreement;
3.1.2. allow any third party to use the Service, other than its own personnel, agents, and contractors acting on its behalf in compliance with this Agreement;
3.1.3. remove, or in any manner alter, any product identification, proprietary, trademark, copyright or other notices contained in the Service or in the Endpoint Daemon;
3.1.4. knowingly interfere with, burden or disrupt the Service’s functionality;
3.1.5. work around any technical limitations of the Service or use any tool to enable features or functionalities that are otherwise disabled, inaccessible, or undocumented in the Service;
3.1.6. breach the security of the Service, or identify, probe, or scan any security vulnerabilities in the Service, other than such activities performed in mutual agreement with Anomity;
3.1.7. knowingly transmit any virus, worm, Trojan horse, or other malicious or harmful code or attachment;
3.1.8. use robots, crawlers, or similar applications to scrape, harvest, collect or compile content from or through the Service;
3.1.9. decompile, disassemble, reverse engineer, or otherwise attempt to identify the source code, trade secrets, or know-how in or underlying the Service or Anomity Technology, including the Endpoint Daemon and any client-side components;
3.1.10. access and use the Service in order to develop, or create, or permit others to develop or create, a product or service competing with the Service, or to build, train, or fine-tune any model;
3.1.11. install, deploy, or operate the Endpoint Daemon on any device that Customer does not have lawful authority to monitor, or operate the Endpoint Daemon for the purpose of unauthorized surveillance of any individual; or
3.1.12. submit to the Service intentionally fabricated or misleading Telemetry Data designed to evade or distort policy evaluation.
3.2. Anomity has no obligation to monitor that Customer’s use of the Service complies with this Agreement but may elect to do so. Anomity may suspend the provision of the Service to the Customer upon notice and good-faith discussion with the Customer if Anomity reasonably believes that the Customer is in violation of the foregoing in a manner detrimental to Anomity or to the proper operation of the Service.
3.3. CUSTOMER MAY NOT USE THE SERVICE FOR ANY ACTIVITY THAT CONSTITUTES, OR ENCOURAGES CONDUCT THAT WOULD CONSTITUTE, A CRIMINAL OFFENSE, GIVE RISE TO CIVIL LIABILITY, OR OTHERWISE VIOLATE ANY APPLICABLE LAW.
4. Subscription Plans, Fees
4.1. The Service is offered via paid subscription plans (each a “Subscription Plan” or “Subscription”). Subscription Plans are purchased pursuant to a separately negotiated and mutually agreed Order Form, offered by Anomity at its sole discretion. Each Order Form will include the name of the Subscription Plan, the number of Managed Devices and/or Authorized Users licensed, the term of the Subscription (the “Subscription Term”), the in-scope integrations, and any agreed Professional Services.
4.2. The minimum number of Managed Devices in an Order Form is one (or such other minimum as set out in the Order Form).
4.3. Customer agrees to pay Anomity all applicable fees and taxes for the Subscription in accordance with the Order Form (the “Subscription Fees”). Subscription Fees are stated in US dollars, unless stated otherwise. Anomity may change the Subscription Fees from time to time. Any changes made to the Subscription Fees will apply to Customer’s next Subscription Term upon renewal of the subscription, and Anomity will notify the Customer about such changes prior to the Subscription renewal.
4.4. Unless stated differently in the Order Form, Anomity will invoice Subscription Fees in advance for each Subscription Term, with payment due net thirty (30) days from the date of invoice, and Customer shall add to all fees due hereunder any applicable taxes.
4.5. Failure to pay Subscription Fees may result in the suspension or cancellation of the Subscription Plan. Anomity may, at its sole discretion, attempt to collect unpaid Subscription Fees at a later time, either directly or through a third-party collection agency, to the extent permitted by applicable law.
4.6. Customer agrees to pay the Subscription Fees through the payment method selected from one of the payment methods offered for the use of the Subscription Plan (which may include credit card, ACH, wire transfer, or invoice). By providing Anomity with payment information for a payment method and by signing the applicable Order Form, Customer confirms that its payment method will be charged for the applicable Subscription Fees, either directly by us or through a Third-Party Payment Processor (as described below) or our affiliates. Customer is responsible for any commission or surcharges introduced by Customer’s selected payment method.
4.7. Anomity may use third-party services that are integrated into the Service for the purpose of processing credit card, debit card, or other payment transactions, such as Stripe (“Third-Party Payment Processor”). Any payments processed through a Third-Party Payment Processor are subject to the applicable terms and conditions of the Third-Party Payment Processor. By using the Third-Party Payment Processor, Customer agrees to be bound by the applicable terms and conditions of such Third-Party Payment Processor. Where Anomity invoices Customer directly, no Third-Party Payment Processor terms apply to such invoices.
4.8. Customer is responsible for all transactions (one-time, recurring, and refunds) processed through the Service by the Third-Party Payment Processor. Anomity shall not be liable for any loss or damage resulting from any wrong or invalid transactions processed for Customer by the Third-Party Payment Processor.
4.9. Sales tax, VAT, and other taxes may apply to the Subscription Plan. Customer is responsible for all applicable taxes other than taxes on Anomity’s net income. Where taxes apply, we will charge the tax when required by applicable law.
4.10. Subscription Updates. During a Subscription Term, Customer may update its Subscription Plan by either (i) increasing the number of Managed Devices, Authorized Users, or other licensed metric; (ii) reducing the number of Managed Devices, Authorized Users, or other licensed metric (subject to any minimums set out in the Order Form); or (iii) changing (but not cancelling) the Subscription Term (for example, from a monthly to a yearly Subscription Term). Upon such Subscription update, the Subscription Term may restart and Customer will be charged the pro-rated applicable amount of Subscription Fees based on the remaining time left in the previous Subscription Term, at our then-current rates (unless indicated otherwise in an Order Form).
4.11. The Subscription Fees are non-cancellable and non-refundable. Anomity will not refund or provide credits for any unused period within the Subscription Term, except where this Agreement is terminated by Customer for Anomity’s uncured material breach pursuant to Section 8.2(i), in which case Anomity will refund any prepaid, unused Subscription Fees attributable to the period after the effective date of termination. Customer is solely responsible for paying all Subscription Fees for the Subscription Plan that Customer subscribed for.
4.12. If Customer, acting in good faith, disputes any portion of a fee that Anomity invoiced, Customer shall remit to Anomity full payment of the undisputed portion in accordance with the provisions of this Section 4, and provide Anomity, on or before the original due date of the disputed fee, a written and reasoned notification of the disputed portion of the fee (laying down, in reasonably sufficient detail, the grounds for the dispute), to the extent such information is available at that time as soon as reasonably practicable.
4.13. Failure to settle any overdue fee (not disputed in good faith pursuant to the foregoing) within twenty-one (21) calendar days of its original due date will constitute a material breach of this Agreement and, without limiting any remedies available to Anomity, Anomity may, following written notice to Customer: (i) terminate this Agreement; or (ii) suspend performance of or access to the Service, until payment is made current. Late payments shall bear interest at the rate of six percent (6%) per annum or the maximum rate permitted by applicable law, whichever is lower. Customer will reimburse Anomity for legal costs and attorneys’ fees Anomity incurs in the course of collecting Customer’s overdue fees.
5. Intellectual Property
5.1. All right, title and interest in the Service and all Anomity Technology, including any and all IP Rights related thereto, are the sole property of Anomity. All rights in and to the Service or Anomity Technology not expressly granted to Customer in this Agreement are hereby reserved by Anomity. Customer owns all right, title and interest in and to Customer Data.
5.2. Customer acknowledges and agrees that, solely in connection with Anomity’s provision of the Service, Anomity is hereby granted a limited, revocable, non-exclusive, internal, royalty-free license, solely during the Subscription Term, to access, host, classify, evaluate against Customer’s policies, and maintain Customer Data for the limited purposes of delivering the Service to Customer, generating Findings for Customer, and supporting Customer’s use of the Service as described herein.
5.3. The Service is offered to Customer for use and access only in accordance with the terms of this Agreement and is not sold or licensed in any other way.
5.4. Except for Customer’s limited access to use the Service during the Subscription Term, this Agreement does not grant or assign to Customer any other license, right, title, or interest in or to the Service or Anomity Technology, or the Intellectual Property rights associated with them. All rights, title and interest, including copyrights, patents, trademarks, trade names, trade secrets, and other intellectual property rights, and any goodwill associated therewith, in and to the Service and Service Data (but not Customer Data), including the Endpoint Daemon, the Anomity Cloud, the global agent registry, the capability taxonomy, the secret pattern library, the classification rules, computer code, graphic design, layout, and the user interfaces of the Service, whether or not based on or resulting from Feedback, are and will remain at all times owned by, or licensed to, Anomity.
5.5. Customer may provide Anomity with Feedback, including information pertaining to bugs, errors and malfunctions of the Service, performance of the Service, content and accuracy of the Service, the Service’s compatibility and interoperability, and information or content concerning enhancements, changes or additions to the Service that Customer requests, desires or suggests. Customer hereby assigns, without charge, all right, title and interest in and to the Feedback to Anomity, including the right to make commercial use thereof, for any purpose Anomity deems appropriate.
5.6. Anonymized and aggregated data. Anomity may compile statistical, usage, and threat-intelligence information derived from Customer Data, provided that such information is aggregated and de-identified such that it does not identify Customer or any individual (“Aggregated Data”). Aggregated Data may be used by Anomity for any lawful business purpose, including improving and operating the Service, building and maintaining its global agent registry, capability taxonomy and secret pattern library, and producing security research. Anomity will not include Customer-identifying information in any Aggregated Data shared externally without Customer’s prior written consent.
6. Confidentiality and Data Protection
6.1. “Confidential Information” shall mean any and all information disclosed by one party (“Disclosing Party”) to the other (“Receiving Party”) regarding past, present, or future marketing and business plans, customer lists, lists of prospective customers, technical, financial or other proprietary or confidential information of the Disclosing Party, formulae, concepts, discoveries, data, designs, ideas, inventions, methods, models, research plans, procedures, designs, formulations, processes, specifications and techniques, prototypes, samples, analyses, computer programs, trade secrets, methodologies, techniques, non-published patent applications and any other data or information, as well as improvements and know-how related thereto. Customer Data is Customer’s Confidential Information. The Anomity Technology, the global agent registry, capability taxonomy, secret pattern library, classification rules, and the source code of the Endpoint Daemon and the Anomity Cloud are Anomity’s Confidential Information.
6.2. Each party will, and will cause each of its personnel and agents to: (a) not disclose the other party’s Confidential Information to any third party; (b) not use the other party’s Confidential Information for any purpose other than to perform its obligations or exercise its rights under this Agreement; and (c) protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event shall either party exercise less than reasonable care in protecting such Confidential Information. Notwithstanding this Section, each party shall be able to disclose Confidential Information of the other party to its personnel and agents (including, without limitation, Authorized Users) who have a need to know for the Receiving Party to perform its obligations or exercise its rights under this Agreement, provided such personnel or agents have been previously advised of the confidential nature of the information and have written obligations of confidentiality to the Receiving Party.
6.3. The obligations set forth in this Section shall not apply to information that: (i) is now or subsequently becomes generally available in the public domain through no fault or breach on Receiving Party’s part; (ii) Receiving Party can demonstrate in its prior established records to have had rightfully in Receiving Party’s possession prior to disclosure of the same by the Disclosing Party; (iii) Receiving Party can demonstrate by written records that it had rightfully obtained the same from a third party who has the right to transfer or disclose it, without default or breach of confidentiality obligations; (iv) Disclosing Party has provided its prior written approval for disclosure; or (v) Receiving Party is required to disclose pursuant to a binding order or request by court or other governmental authority, or a binding provision of applicable law, provided that, to the extent permissible, Receiving Party provides the Disclosing Party notice of the requested disclosure as soon as practicable, to allow the Disclosing Party, if it so chooses, to seek an appropriate protective or preventive order.
6.4. Data Protection. Under the scope of this Agreement, the Service involves the processing of personal data of individuals reflected in Telemetry Data (including, in particular, Customer’s personnel associated with Managed Devices). Such processing shall be governed by applicable data protection laws and the Anomity Data Processing Addendum, available at: https://anomity.ai/legal/data-processing-addendum.
6.5. Security Measures. Anomity maintains an information security program designed to protect Customer Data, including the controls described in the Anomity Trust Center and as further described in Exhibit B (Security Overview). Without limitation, the Endpoint Daemon performs on-device redaction of secrets such that plaintext secret values never leave the Managed Device; only metadata and a hashed fingerprint reach Anomity Cloud.
7. Professional Services
7.1. To the extent mutually agreed upon in the applicable Order Form or a separate statement of work, during the Subscription Term, Anomity, either directly or with the assistance of third parties, may provide Customer with Professional Services such as deployment assistance, MDM packaging guidance, integration with Customer’s ticketing, alerting, identity and SIEM systems, policy authoring workshops, and training.
8. Term and Termination
8.1. Term. Unless otherwise specified in the applicable Order Form, this Agreement commences upon the Effective Date and will continue for a period of twelve (12) months thereafter. The Agreement automatically renews at the end of each Subscription Term, unless either party notifies the other party of non-renewal at least thirty (30) days prior to the end of the then-current Subscription Term. The Subscription shall be renewed for a Subscription Term equal in length and price to the original Subscription Term, unless Anomity provides Customer with a prior written notice of any changes Anomity makes to the Subscription, subject to applicable tax changes and excluding any discount or other promotional offers Anomity may offer.
8.2. Termination for Cause. Either party may terminate this Agreement for cause: (i) upon thirty (30) days written notice of a material breach to the other party, provided such breach remains uncured thirty (30) days following receipt of the notice thereof; if a breach is of a nature that cannot be cured, then the non-breaching party may terminate the Agreement immediately upon notice to the other party; or (ii) if the other party becomes the subject of a petition in bankruptcy or any proceeding relating to insolvency, receivership, or liquidation, which proceedings are not dismissed within sixty (60) days of their commencement, or assignment for the benefit of creditors.
8.3. Effect of Termination. Upon the effective date of termination or expiration of this Agreement: (i) Anomity will cease providing the Service to Customer, and the Endpoint Daemon shall cease to be authorized to transmit Telemetry Data to Anomity Cloud; and (ii) any and all undisputed payment obligations of Customer for Service provided through the date of termination will immediately become due. Within thirty (30) calendar days of termination or expiration of this Agreement, or at the Disclosing Party’s request, each Party will return or securely destroy all Confidential Information of the other Party (as the other Party may elect) in its possession or control (including all copies thereof, in any media). In addition, each Party shall purge its computer systems and database of the other Party’s Confidential Information. Notwithstanding the foregoing return-and-destroy obligations, a Party (a) may retain copies of the other Party’s Confidential Information in order to comply with any applicable legal or accounting record-keeping requirements; and (b) shall not be required to return or destroy any electronic backups of the other Party’s Confidential Information made in the normal course of business, provided that such Party continues to comply with all of the confidentiality and security obligations in this Agreement with respect to such information.
8.4. Customer Data on Termination. Upon expiration or termination of this Agreement, Customer access and permissions to the Dashboard and APIs will be restricted and then permanently deleted. Anomity may give Customer, at its sole discretion, restricted access for a period of time (usually up to thirty (30) days) after the termination time (the “Grace Period”), during which Customer may export historical Findings, audit trails, and other Customer Data, as long as Customer did not breach the Agreement. Following the Grace Period, all Customer Data will be permanently deleted in accordance with the Anomity Data Processing Addendum, save for backups retained in accordance with our standard retention practices.
8.5. Subscription Cancellation. Customer may cancel its Subscription Plan as set forth in the Order Form or by providing written non-renewal notice in accordance with Section 8.1. Upon cancellation, the Subscription auto-renewal will be cancelled, and Customer’s Subscription Plan will remain available to it until the end of the then-current Subscription Term.
8.6. Anomity shall not have any liability either to Customer or to any User in connection with the termination of the Subscription Plan in accordance with this Agreement. Unless expressly indicated herein otherwise, the termination shall not relieve Customer from its obligation to pay due Subscription Fees.
8.7. Surviving Provisions. Sections 4–6, 8.3, 8.4, and 9–12 of this Agreement will survive termination or expiration of this Agreement.
9. Warranties, Disclaimers & Limitation of Liability
9.1. Mutual Representations and Warranties. Each party represents and warrants that it has full right, power, and authority to agree to this Agreement and to perform its obligations and duties under the Agreement, and that the performance of such obligations and duties does not and will not conflict with or result in a breach of any other agreement of such party or any judgment, order, or decree by which such party is bound. Each party shall use the Service only for lawful purposes and in accordance with this Agreement. Each party will comply with all applicable laws and regulations in its performance and use under this Agreement and, in the event of a failure to comply by a party, the other party will have the right to suspend performance hereunder or terminate this Agreement.
9.2. Customer Representations and Warranties. Customer represents and warrants that: (a) its use of the Service, including any Customer Data provided by Customer for use with the Service or handling by Anomity, will: (i) comply with any applicable law or regulation, including employment, privacy and surveillance laws applicable to monitoring of employee endpoints, (ii) not cause a breach of any agreement with or rights of any third party, and (iii) not unreasonably interfere with use of services offered by Anomity to third parties; (b) it shall use the Service strictly in accordance with this Agreement and other written instructions (e.g., product documentation, release notes, mutually agreed SOWs) provided by Anomity; (c) it has the legal authority to install the Endpoint Daemon on each Managed Device on which it deploys the daemon; and (d) it has provided any notices and obtained any consents that may be required under applicable law in respect of individuals reflected in Telemetry Data. In the event of any breach of any of the foregoing warranties, in addition to any other remedies available at law or in equity, Anomity will have the right to suspend any of the Service to prevent harm to Anomity or its business. If practicable, Anomity will provide notice and opportunity to cure. Once cured, at Anomity’s reasonable discretion, Anomity will use reasonable efforts to promptly restore the Service.
9.3. Anomity Representations and Warranties. Anomity represents and warrants that its provision of the Service, excluding any Customer Data provided by Customer, will: (i) comply with any applicable law or regulation; (ii) not cause a breach of any agreement with or rights of any third party; and (iii) operate properly and securely during the Term, in accordance with industry-leading practices, including SOC 2 Type II attested controls and the SLA attached hereto as Exhibit A, as further described in the Anomity Trust Center — https://trust.anomity.ai. However, as a service that relies on software, infrastructure, servers, third-party networks, and continuous internet connectivity outside the control of Anomity, Anomity cannot guarantee that the Service will operate in an uninterrupted or error-free manner, or that it will always be available, free from errors, omissions, or malfunctions. If Anomity becomes aware of any failure or malfunction, it shall attempt to regain the Service’s availability as soon as practicable. In addition, Customer acknowledges that the Service may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Anomity or by third-party providers, or because of other causes beyond Anomity’s reasonable control. Anomity shall provide an advance notice by email of any scheduled Service disruption.
9.4. Anomity warrants that during the Subscription Term, the Service will substantially conform to the features, abilities and functions specified in the Service’s documentation provided to Customer by Anomity. Customer’s remedy for the breach of this warranty is that Anomity, once notified of the breach by Customer, will use reasonable endeavors to repair or replace the impacted Service so that it substantially conforms to the features, abilities and functions specified in the Service’s documentation provided to Customer by Anomity. The foregoing warranty does not apply to the extent that any error or interruption in the Service results from: incorrect operation or use of the Service by Customer or its Users, including any failure to follow the policies or instructions issued by Anomity; use of any of the Service other than for the purposes for which it is intended; use of any Service with other software or services or on equipment with which it is incompatible per Anomity-provided documentation; any act by any third party (excluding service or technology providers of Anomity unless they experience general issues of reduced performance or availability across their customer base), such as unavailability of services, hacking, or the introduction of any virus or malicious code, which could not have been prevented by Anomity using reasonable and customary safeguards and precautions; modification of Service (other than that undertaken by Anomity or at its direction); or any breach of this Agreement by Customer or its Users.
9.5. Anomity shall have no liability for the accuracy or suitability of the underlying configuration of any AI tooling on a Managed Device or for the actions Customer takes in response to Findings, all of which shall be deemed under Customer’s exclusive control.
9.6. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OF A PARTY’S INTENTIONAL MISCONDUCT, GROSS NEGLIGENCE, BREACH OF INTELLECTUAL PROPERTY RIGHTS, DATA SECURITY BREACH, OR CONFIDENTIALITY BREACH, EACH PARTY, INCLUDING ITS EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON ITS BEHALF, WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, STATUTORY, OR PUNITIVE DAMAGES, LOSSES (INCLUDING LOSS OF PROFIT, LOSS OF BUSINESS OR BUSINESS OPPORTUNITIES, AND LOSS OF DATA), COSTS, EXPENSES, AND PAYMENTS, EITHER IN TORT, CONTRACT, OR IN ANY OTHER FORM OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE), ARISING FROM OR IN CONNECTION WITH THE AGREEMENT, ANY USE OF, OR THE INABILITY TO USE, THE SERVICE OR THE FINDINGS, ANY RELIANCE UPON THE FINDINGS, OR ANY ERROR, INCOMPLETENESS, INCORRECTNESS, OR INACCURACY OF THE SERVICE OR THE FINDINGS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OF A PARTY’S INTENTIONAL MISCONDUCT, GROSS NEGLIGENCE, BREACH OF INTELLECTUAL PROPERTY RIGHTS, DATA SECURITY BREACH, OR CONFIDENTIALITY BREACH, THE TOTAL AND AGGREGATE LIABILITY OF ANOMITY AND ITS EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON ITS BEHALF, FOR DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, THE SERVICE, OR THE FINDINGS, SHALL BE LIMITED TO THE FEES ACTUALLY PAID IN THE TWELVE MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. IN THE EVENT OF AN ANOMITY BREACH OF INTELLECTUAL PROPERTY RIGHTS, DATA SECURITY BREACH, OR CONFIDENTIALITY BREACH, THE TOTAL AND AGGREGATE LIABILITY OF ANOMITY FOR ALL DAMAGES ARISING OUT OF OR RELATED TO ITS BREACH OF INTELLECTUAL PROPERTY RIGHTS, DATA SECURITY BREACH, OR CONFIDENTIALITY BREACH, SHALL BE LIMITED UP TO THE ACTUAL PAID ANOMITY INSURANCE COVERAGE.
10. Indemnification
10.1. Indemnification. Each party shall defend, indemnify and hold harmless the other party and its directors, officers, employees, and subcontractors (collectively, the “Party’s Indemnitee”), upon the other Party’s request, from and against any damages, liabilities, loss, costs, expenses and payments, including but not limited to reasonable attorneys’ fees and legal expenses, arising out of any third-party claim, suit, action, arbitration or proceeding brought against the Party’s Indemnitee, relating to: (a) a breach of any of its representations, warranties, covenants or obligations hereunder; (b) infringement or misappropriation of any Intellectual Property rights; or (c) any gross negligence or willful misconduct. Without limiting the generality of the foregoing, Customer shall defend, indemnify, and hold harmless Anomity from and against any third-party claim brought by an individual associated with a Managed Device alleging unlawful surveillance, monitoring, or processing of personal data attributable to Customer’s installation, configuration, or operation of the Endpoint Daemon (other than to the extent such claim arises out of Anomity’s breach of this Agreement or its obligations under the Anomity Data Processing Addendum).
10.2. The indemnified party shall promptly notify the indemnifying party in writing of any claim for which it seeks indemnification hereunder, provided that the failure to provide such notice shall not relieve the indemnifying party of its indemnification obligations hereunder except to the extent of any material prejudice directly resulting from such failure. The indemnifying party shall bear full responsibility for, and shall have the right to solely control, the defense (including any settlements) of any such claim; provided, however, that (a) the indemnifying party shall keep the indemnified party informed of, and consult with the indemnified party in connection with, the progress of such litigation or settlement; and (b) the indemnifying party shall not have any right, without the indemnified party’s written consent (which consent shall not be unreasonably withheld), to settle any such claim in a manner that does not unconditionally release the indemnified party. At the indemnifying party’s request, the indemnified party will provide reasonable cooperation with respect to any defense or settlement.
11. Governing Law; Dispute Resolution & Venue
11.1. This Agreement and Customer’s use of the Service will be exclusively governed by and construed in accordance with the laws of the State of Israel, without giving effect to conflicts-of-law principles thereof.
11.2. The Parties will use reasonable efforts to resolve any dispute arising out of this Agreement through discussion between the appropriate personnel from each Party. If the Parties are unable to resolve the dispute, either Party may escalate the dispute to its executives. If an executive-level meeting fails to resolve the dispute within thirty (30) days after escalation, either Party may seek any available legal relief. This provision will not affect either Party’s right to seek injunctive or other provisional relief at any time.
11.3. Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity or termination, which the Parties cannot amicably resolve pursuant to the foregoing, shall be exclusively referred to the courts located in Tel Aviv, Israel.
12. Miscellaneous
12.1. Assignment. To the greatest extent permissible by law, either Party may assign this Agreement, including all rights, duties, liabilities, performances, and obligations herein, upon notice to the other Party, to a third party, upon a merger, acquisition, change of control, or sale of all or substantially all of its equity or assets.
12.2. Relationship of the Parties. The relationship between the Parties hereto is strictly that of independent contractors, and neither Party is an agent, partner, joint venturer, or employee of the other.
12.3. Complete Terms and Severability. This Agreement constitutes the entire and complete agreement between the Parties concerning the subject matter herein and supersedes all prior oral or written statements, understandings, negotiations, and representations with respect to the subject matter herein. If any provision of this Agreement is held invalid or unenforceable, that provision shall be construed in a manner consistent with the applicable law to reflect, as nearly as possible, the original intentions of the Parties, and the remaining provisions will remain in full force and effect. This Agreement may be modified or amended only in writing, signed by the duly authorized representatives of both Parties.
12.4. No Waiver. Neither Party will, by mere lapse of time, without giving express notice thereof, be deemed to have waived any breach by the other Party of any terms or provisions of this Agreement. The waiver by either Party of any such breach will not be construed as a waiver of subsequent breaches or as a continuing waiver of such breach.
12.5. Open Source. The Service includes certain open source code software and materials (as listed in the documentation and updated from time to time) that are subject to their respective open source licenses and not to this Agreement. Such open source licenses contain lists of conditions with respect to warranty, copyright policy, and other provisions. If, and to the extent, any of the foregoing open source code licenses require that the source code of their corresponding open source code software and materials be made available to Customer, and such source code was not delivered to Customer, then Anomity hereby extends a written offer, valid for the period prescribed in such respective open source code licenses, to obtain a copy of the source code of the corresponding open source code software, from us. To take up this offer, contact us at [email protected].
Exhibit A – Service Level Agreement
Anomity will endeavor, using commercially reasonable efforts, to quickly respond to Service support requests and reported Service errors, technical problems, payment disputes, operational questions, or defects, bugs, or malfunctions (each, an “Inquiry”), and to provide a solution to Customer Inquiry, as set forth in this SLA.
Anomity’s handling and resolution of Inquiries is subject to the following procedure and scheme:
Inquiries shall be submitted to Anomity’s helpdesk by email at [email protected] or through Anomity’s Help Center at https://help.anomity.ai.
When Anomity receives notice of an Inquiry from Customer, along with all pertinent information at Customer’s disposal regarding the Inquiry, Anomity will record the time the notification was received during Anomity business hours (the “Opening Time”), starting 10:00 am Israel time, Monday – Friday. If an Inquiry is received by Anomity outside its business hours, the Opening Time will be recorded as 9:00 am Israel time on Anomity’s next business day.
Upon receiving an Inquiry, Anomity, using its reasonable judgment, will classify the Inquiry’s severity level as Critical, High, Medium or Low, in accordance with the following guidelines:
Critical – Complete failure of the Service where Customer indicates that its operational systems are disrupted as a result, including loss of Telemetry ingestion across the fleet, complete Dashboard outage, or unauthorized data exposure;
High – Faults in most of the primary functionalities of the Service, such as broken policy evaluation, broken alerting, or significant degradation of Telemetry ingestion;
Medium – Features of the Service are partially malfunctioning, such as a broken integration with a single Third-Party Service or a non-blocking Dashboard issue;
Low – Minor error or malfunction in the Service, such as cosmetic UI issues or documentation errors.
Within twenty-four (24) hours of the Opening Time, Anomity will respond with its written acknowledgement to Customer that the Inquiry was received, will indicate Anomity’s classification of the Inquiry’s severity level, and will confirm that Anomity has begun its work on Resolving the Inquiry.
“Resolution”, “Resolve” and “Resolving” means Anomity’s provision of a resolution for the Inquiry, and “Work Around” means Anomity’s provision of a productive workaround for the Inquiry.
This SLA is contingent upon Customer’s provision of reasonable cooperation and information necessary for Anomity to investigate and resolve the Inquiry. Any delays caused by Customer’s failure to provide the necessary information, or by any third party acting on Customer’s behalf, will not be counted towards the resolution or workaround timeframe. Once a Work Around is implemented, restoring service functionality, the severity level of the case will be adjusted accordingly.
This SLA covers only support-related services. Professional Services are not included and will be billed separately.
Anomity will endeavor, using commercially reasonable efforts, to resolve Inquiries as set forth below. Times are clocked in relation to the Opening Time, as recorded in Anomity logs.
Critical:
Work-around time after Opening Time: 24 hours
Resolution Time after Opening Time: 14 days
High:
Work-around time after Opening Time: 72 hours
Resolution Time after Opening Time: 30 days
Medium:
Work-around time after Opening Time: 72 hours
Resolution Time after Opening Time: 30 days
Low:
Work-around time after Opening Time: N/A
Resolution Time after Opening Time: in the next scheduled version release of the Service.
Service Availability. Anomity targets a monthly availability of 99.5% for the Anomity Cloud, measured at the multi-tenant edge, excluding (i) scheduled maintenance windows announced in advance; (ii) unscheduled emergency maintenance; (iii) force majeure events; (iv) Customer-caused outages; and (v) outages of third-party providers outside Anomity’s reasonable control. The Endpoint Daemon operates on Customer-controlled endpoints; its availability is therefore subject to the operating environment of those endpoints.
Exhibit B – Security Overview
The following summarizes Anomity’s information security posture. The full Trust Center, including the latest SOC 2 Type II report (under NDA), control descriptions, and subprocessor list, is available at https://trust.anomity.ai.
Architecture. Anomity is delivered as (i) Anomity Cloud, a multi-tenant SaaS application; and (ii) the Endpoint Daemon, a lightweight unprivileged background process that runs on Customer-managed endpoints (Windows, macOS, Linux). The Endpoint Daemon reads only AI-tool configuration files, redacts secrets locally, and transmits Telemetry Data over HTTPS.
Data minimization. The Endpoint Daemon transmits only configuration metadata about AI tools and devices, together with redacted secret fingerprints (hashes) and change events. It does not transmit source code, prompts, model outputs, or the plaintext values of secrets.
Tenant isolation. Strict tenant isolation is enforced at the query layer in the Anomity Cloud. Each persisted document is scoped by Customer organization and every data-access path filters by organization.
Authentication. Dashboard access is authenticated via Customer’s identity provider over SAML or OIDC. The Endpoint Daemon authenticates with per-device credentials, bcrypt-hashed at rest, transmitted over HTTPS.
Encryption. Data in transit is encrypted using TLS. Data at rest is encrypted using industry-standard mechanisms provided by Anomity’s cloud infrastructure providers.
Logging and audit. The Service maintains a 90-day audit trail of cloud admin actions and per-device configuration changes (with before/after state). Longer retention is available on request.
Subprocessors. Anomity uses a limited set of trusted subprocessors (such as cloud infrastructure, identity, database, real-time messaging, and CDN providers) to deliver the Service. The current list is maintained in the Anomity Trust Center and is incorporated into the Anomity Data Processing Addendum.