WIXLIB

third party services and any data loss or other losses it may sufferas a result of using any such services. If Customer uses any thirdparty service in connection with Medallia Products or usesMedallia Products to link or direct online traffic to third-partywebsites, Customer shall ensure that such use complies with theterms of use of those third party services.5. OWNERSHIP AND USE RIGHTSa.Customer DataCustomer owns all data delivered to Medallia by Customer orcollected by Medallia on behalf of Customer (the “CustomerData”), including any personal data as defined by applicable dataprivacy laws (“Personal Data"). Customer grants Medallia a nonexclusive, worldwide, limited license to the Customer Data for thepurposes of: (i) providing and improving Medallia Products andProfessional Services, as long as such improvements are notderived from the use of Personal Data; and (ii) developing andpublishing broadly applicable experience management insights(such as industry experience management benchmarks, ifapplicable, provided that only aggregated or de-identifiedCustomer Data is used).b.Medallia ProductsMedallia owns Medallia Products, including all features,functionalities, configurations, designs, templates, and otherproprietary elements contained therein and all modifications,improvements, and derivative works thereof. Medallia will provideCustomer with access to Medallia Products as described in theOrder during the term of an Order for its internal businesspurposes. If Customer uses a Medallia API or software developerkit (“SDK”), Medallia grants Customer a non-exclusive, worldwide,limited license for use of such API or SDK for the purpose ofenabling Customer to use Medallia Products. Customer will notremove, obscure, or alter Medallia’s copyright notice, or otherproprietary rights notices affixed to or contained within MedalliaProducts or any related documentation. Customer grants Medalliaa worldwide, perpetual, irrevocable, royalty-free license to usefeedback provided by Customer to Medallia related to the MedalliaProducts.c.DocumentationMedallia owns the Documentation and all derivative works thereof.Medallia grants Customer a non-exclusive, worldwide limitedlicense to use, copy, and make derivative works of theDocumentation for internal business purposes during the term ofan Order.d.TrademarksCustomer grants Medallia a limited, non-exclusive license to markCustomer surveys and reports and Customer’s instance ofMedallia Products with Customer’s trademarks, when requestedby Customer and subject to Customer approval for consistencywith its branding guidelines.e.Reserved RightsCustomer and Medallia each reserve all intellectual property rightsnot explicitly granted herein.6. PAYMENTSa.InvoicingFees due for Medallia Products and Professional Services will bestated on the Order. Fees are non-cancelable and non-refundableother than as explicitly stated in this Agreement.b.TaxesInvoiced amounts are payable in full, without reduction fortransaction taxes (e.g., value added taxes, consumption taxes,goods and services taxes, GST/HST, excise, sales, use or similartaxes, and withholding taxes). Customer is required to pay all suchtransaction taxes, either directly or by increasing payments toMedallia to offset taxes that Customer is required to deduct frompayments. If Medallia has a legal obligation to pay or collect suchtransaction taxes, the appropriate amount will be invoiced to andpaid by Customer, unless Customer provides Medallia with a validtax exemption certificate.7. TERM AND TERMINATIONa.TermThe term of this Agreement is from the Effective Date through thelast to expire Order.b.Termination for CauseEither party may terminate this Agreement or Order within thirtydays upon the occurrence of either of the following: (a) in the eventthe other party fails to cure any material breach of this Agreementor the relevant Order within thirty (30) days after receipt of writtennotice; or (b) if the other party files or has filed against it anybankruptcy or similar proceeding or enters into any form ofarrangement with its creditors that is not removed within 60 daysof filing.c.Transfer ofTerminationCustomerDataUponUpon termination of this Agreement or an Order, Medallia willmake customer feedback collected through and, at the time oftermination, stored within Medallia Products available for securedownload by Customer in a standard flat file format for at leastthirty (30) days (the “Data Transfer Period”). Within sixty (60)days of the end of the Data Transfer Period, Medallia will removeall Customer Data from Medallia Products.8. INSURANCEMedallia will maintain insurance policies providing at least thefollowing coverage and will provide a certificate of insurance uponrequest:(i)Technology Errors & Omissions / Professional liabilitywith a limit of at least 5 Million;(ii)Cyber/Network and Information Security liability with alimit of at least 5 Million;(iii)Commercial General liability with a limit of at least 1Million;(iv)Automobile liability with a limit of at least 1 Million;(v)Workers Compensation and Employer’s liability with alimit of at least 1 Million;(vi)Umbrella liability with a limit of at least 10 million.9. PRIVACY, SECURITY, AND AUDITSa.Compliance with Data Protection LawsIn processing Personal Data in the Medallia Products and throughthe Professional Services to Customer, Medallia shall comply withapplicable legal requirements for privacy, data protection andconfidentiality of communications. Such applicable legalrequirements include the Standards for the Protection of PersonalInformation of Residents of the Commonwealth of Massachusetts(201 CMR 17.00), the California Consumer Privacy Act of 2018(the “CCPA”), and other applicable United States data protectionlaws at the state level, and implementing national legislation, andRegulation 2016/679 (also known as GDPR), if applicable.Medallia shall not (i) sell Personal Data as defined under the

CCPA, or (ii) retain, use, or disclose Personal Data for anypurpose other than for the specific purpose of providing theMedallia Products and performing the Services. Medallia iscertified under the Privacy Shield to cover the transfer of datacollected in the European Economic Area and Switzerland to theUnited States.b.Data Protection AgreementMedallia offers a data processing agreement that definesMedallia’s and Customer's obligations under GDPR, and includesthe EU’s approved Standard Contractual Clauses for the handlingof data collected in the European Economic Area and Switzerlandoutside of those areas. If Customer has a need for this agreement,Customer should please request it from Customer's Medalliaaccount representative.c.Security ObligationsMedallia shall implement and maintain appropriate technical andorganizational security measures to protect Customer Data fromSecurity Incidents and to preserve the security and confidentialityof Customer Data, in accordance with Medallia's securitystandards described in the Security Measures addendumd.Security Incident ResponseMedallia shall respond to Security Incidents as described in theSecurity Measures addendume.General Performance AuditsCustomer may, no more than once per year, audit Medallia’sperformance under this Agreement and each Order, and Medalliawill maintain records sufficient for such audits, including servicehours provided, uptime, and the results of security and disasterrecovery tests.f.Security AuditsCertain Medallia Products are regularly audited by independentthird parties and/or internal auditors. Upon request, Medallia shallsupply (on a confidential basis) a summary copy of its auditreport(s), if applicable, as well as written responses (on aconfidential basis), not more than once per year, to all reasonablesecurity and audit questionnaires that are necessary to confirmMedallia's compliance with this Agreement. Medallia shall permitCustomer (or its appointed third party auditors) to carry out anaudit of Medallia's processing of Customer Data under thisAgreement following: (i) a Security Incident or (ii) upon theinstruction of a data protection authority.g.Audit ProcedureEach audit requires at least thirty days’ prior notice, except in theevent of a Security Incident or upon instruction of a data protectionauthority. Audits will take place on a mutually agreed date duringMedallia’s normal business hours, and Customer will cause itsrepresentative or agent to employ such reasonable proceduresand methods as are necessary and appropriate in thecircumstances to minimize interference with Medallia’s normalbusiness operations. Onsite audits are limited to two businessdays.h.Data CollectionMedallia Products enable Customer to import and collect a widerange of information about Customer's customers or end users.The types of data that are imported and collected in MedalliaProducts will be within Customer's control, and will be specifiedduring implementation and use of each product. Unless approvedby Medallia’s data protection attorneys, Customer shall notconfigure the Medallia Products to collect bank account numbers,payment card or credit card information, bank transactioninformation, government identification numbers including (but notlimited to) social security numbers, state identification numbers,and passport numbers, and sensitive personal informationincluding (but not limited to) religious beliefs, health, sexualorientation, race, and union membership and Medallia will not beliable for non-compliance under laws and regulations that appliesto the processing of the foregoing categories of data. Thisprovision shall not apply to Protected Health Information asdefined by HIPAA, as long as Customer has signed a BusinessAssociate Agreement with Medallia.10. CONFIDENTIALITYa.Controlling Statement of ObligationsThe terms of this Confidentiality provision supersede any nondisclosure or confidentiality agreement entered into by the partiesprior to the Effective Date of this Agreement.b.Confidential InformationConfidential Information means all information provided by adisclosing party to a receiving party that a reasonable industryparticipant would deem to be confidential, including for example:(i) all information that is marked confidential; (ii) the terms of eachOrder; (iii) features and functionality of Medallia Products andrelated documentation; and (iv) Customer Data. ConfidentialInformation does not include information that is independentlydeveloped, that becomes public knowledge through no fault of thereceiving party, or that is received from a third party undercircumstances that do not create a reasonable suspicion that ithas been misappropriated or improperly disclosed.c.Use and Disclosure RestrictionsA receiving party will use commercially reasonable efforts toprotect Confidential Information it receives and will useConfidential Information only as necessary to perform itsobligations and exercise its rights under this Agreement and eachOrder. A receiving party will not disclose Confidential Informationto third parties other than as permitted under this Agreement or ascompelled by a court or regulator of competent authority (and thenwhile taking all reasonable steps to inform the disclosing partyprior to disclosure and to limit the scope of the disclosure).11. INDEMNIFICATIONa.Intellectual Property Indemnification byMedalliaMedallia will defend Customer against claims, causes of action,and investigations by third parties or government agencies andwill pay the resulting judgments, fines, settlements, court costs,and attorneys fees (to “Indemnify”) for third party claims allegingthat Medallia Products infringe a third-party patent, copyright, ortrademark or misappropriate a third-party trade secret, subject tothe following limitations: (i) if the alleged infringement arises froma modification by Customer or the unauthorized use of MedalliaProducts; (ii) if the alleged infringement arises from a violation ofCustomer’s obligations under Section 4 (“Use of MedalliaProducts”); or (iii) if the alleged infringement arises from thecombination of Medallia Products with any product or process notprovided by Medallia, and if Medallia would not be liable forinducement or contribution for such infringement, then Medalliawill have no obligation to Indemnify. If Customer establishes areasonable belief that use of Medallia Products will be enjoined,then Medallia will use commercially reasonable efforts tosubstitute the affected functionality with a non-infringingalternative or to procure a license to allow for the continued use ofthe affected functionality. If use of Medallia Products is enjoinedand if Medallia has not provided a non-infringing alternative, thenCustomer may, within 30 days of the date of the injunction,terminate the affected Order immediately upon written notice andreceive a refund of the unused portion of prepaid fees.

b.Data Breach Indemnification by MedalliaMedallia will Indemnify Customer for third party claims arising fromthe improper access, use, or disclosure of personally identifiableCustomer Data caused by: (i) Medallia’s breach of its obligationsunder this Agreement; or (ii) the willful misconduct or grossnegligence of Medallia personnel or any third party underMedallia’s control.c.Indemnification by CustomerIndemnificationProcedureRequirementsandThe party seeking indemnification (the “Indemnified Party”) willprovide timely notice to the party from which it seeksindemnification (the “Indemnifying Party”) (although untimelynotice will relieve the Indemnifying Party of its indemnificationobligations only commensurate with actual prejudice suffered asa result) and will provide reasonable assistance to IndemnifyingParty at the Indemnifying Party’s expense. The IndemnifyingParty will have sole control over the defense, but the IndemnifiedParty will have the right to participate at its own cost.12. LIMITATION OF DAMAGES AND LIABILITYa.Limitation of DamagesNEITHER PARTY WILL BE LIABLE TO THE OTHER FOR CONSEQUENTIAL,SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGESOR FOR LOST PROFITS, LOST REVENUES, HARM TO GOODWILL, OR THECOSTS OF PROCURING REPLACEMENT SERVICES, REGARDLESS OFWHETHER SUCH DAMAGE WAS FORESEEABLE. THIS LIMITATION WILLAPPLY TO ALL CLAIMS UNDER ALL THEORIES OF LAW AND EQUITY,EXCEPT WHERE PROHIBITED BY LAW.b.Limitation of LiabilityEXCEPT IN THE EVENT OF GROSS NEGLIGENCE; WILLFUL MISCONDUCT;FOR FEES OWED IN EXCESS OF THE BELOW LIMIT; AND WHEREPROHIBITED BY LAW, THE CUMULATIVE LIABILITY OF EITHER PARTY TOTHE OTHER WILL BE LIMITED TO THE FEES PAID OR PAYABLE UNDER THISAGREEMENT FOR THE 12 MONTHS PRECEDING THE FILING OF THECLAIM, FOR ALL OTHER CLAIMS.13. MARKETINGMedallia may include Customer’s name and logo on Medallia’spublic customer list. Customer agrees to partner with Medallia onco-marketing and public relations activities to demonstrate thelaunch and success of Customer’s program (e.g., press release,case study, testimonial, video). Customer grants Medallia alimited, non-exclusive, worldwide license to use its trademark forthese purposes.14. GENERAL TERMSa.AuthorityEach party warrants that it has the authority to enter into thisAgreement and each Order.b.c.AssignmentNeither this Agreement nor any Order may be assigned withoutwritten consent (such consent not to be unreasonably withheld)SurvivalAll terms that must survive termination in order to have theircustomary effect, including terms related to confidentiality,indemnification, limitation of damages and liability, and posttermination data transfer will survive termination or expiration ofthis Agreement.d.Customer shall Indemnify Medallia from third-party claims arisingout of: (i) Customer’s or any of its employees and agents use ofMedallia Products in violation of Section 4 of this Agreement; and(ii) alleged infringement of a third-party patent, copyright, ortrademark or misappropriation of a third-party trade secret arisingout of (A) an unauthorized modification by Customer of MedalliaProducts; or (B) an unauthorized combination of MedalliaProducts with any product or process not provided or authorizedby Medallia.d.and any such attempted assignment will be void.Force MajeureNo party will be deemed to have breached this Agreement or anyOrder if its failure to perform was caused by events beyond thatparty’s reasonable control, such as mass failure of internetinfrastructure, civil unrest, and natural disasters.e.Independent ContractorsThe parties are independent contractors. Neither party has theright to bind the other, and neither party will make any contraryrepresentation to a third party.f.Export ComplianceCustomer will comply with the export control and economicsanctions laws and regulations of the United States and otherapplicable jurisdictions. Consistent with that obligation, Customerwill not make Medallia Products available to any person or entitythat is: (i) located in a country that is subject to a U.S. governmentembargo, (ii) on a U.S. government list of prohibited or restrictedparties, or (iii) engaged in activities directly or indirectly related tothe proliferation of weapons of mass destruction.g.Arbitration, Governing Law and ForumDisputes arising from this Agreement will be settled by arbitrationadministered in San Mateo, California by the American ArbitrationAssociation under its procedural Commercial Arbitration Rulesand the substantive law of the United States of America and theState of California, and judgment on the award rendered by thearbitrator may be entered in any court with jurisdiction. Thisprovision will not impair either party’s ability to receive injunctiveor other equitable relief from any court with jurisdiction. The UnitedNations Convention on Contracts for the International Sale ofGoods does not apply to this Agreement.h.No WaiverThe failure of a party to timely enforce an obligation under thisAgreement or Order will only be construed as a waiver if given inwriting and will not act to waive any other obligation, including anyfuture occurrence of the waived obligation.i.Complete AgreementThis Agreement and each Order including relevantDocumentation contains the full agreement of the parties(superseding all prior or contemporaneous agreements) and mayonly be amended by a writing signed by both parties. Terms andconditions stated in Customer order documentation (e.g., aCustomer purchase order) will be null and void. Neither partyenters into this Agreement or Orders based on representationsnot stated in these documents, and there will be no presumptionagainst either party as the drafter thereof.j.SubcontractorsMedallia may utilize the subcontractors provided that: (i) Medalliahas bound the subcontractor to agreements requiring it to conformto law, regulation, industry standards, and the quality,confidentiality, and privacy standards reflected in this Agreement;and (ii) Medallia remains responsible for delivery of the scopeestablished in the Order.

k.NoticesNotifications required under this Agreement or an Order in relationto breach, disputed payments, audit, or indemnification will beprovided in writing to the legal departments of the parties to theaddresses identified in an Order. Other notifications can besubmitted via email. Notifications will be effective as of the date ofdelivery.

ATTACHMENT ASecurity MeasuresMedallia maintains and manages a comprehensive written security program designed to protect: (a) the security and integrity of CustomerData; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data.Medallia’s security program includes the following:1.Risk Managementa.b.2.5.Conducting an annual risk assessment designed tive, physical, legal, regulatory, andtechnical safeguards used in the Medallia Products.Maintaining a documented risk remediation process toassign ownership of identified risks, establishremediation plans and timeframes, and provide forperiodic monitoring of progress.a.b.Information Security Programa.b.c.3.Asset ormation security program. This program willinclude policies and procedures aligning with industrybest practices, such as ISO 27001/27002.Such information security program shall include, asapplicable: (i) adequate physical security of allpremises in which Customer Data will be processedand/or stored; (ii) reasonable precautions taken withrespect to Medallia personnel employment; and (iii) anappropriate network security program.These policies will be reviewed and updated byMedallia management annually.d.Organization of Information Securitya.b.4.Assigning security responsibilities to appropriateMedallia individuals or groups to facilitate protectionof the Medallia Products environment and associatedassets.Establishing information security goals to be met.6.Access Controlsa.Human Resources ivescreening during the hiring process. Backgroundchecks and reference validation will be performed todetermine whether candidate qualifications areappropriate for the proposed position. Subject to anyrestrictions imposed by applicable law and based onjurisdiction, these background checks include criminalbackground checks, employment validation, andeducation verification as applicable.Ensuring all Medallia employees are subject toconfidentiality and non-disclosure commitmentsbefore access is provisioned to Medallia Productsand/or Customer Data.Ensuring applicable Medallia employees receivesecurity and privacy awareness training designed toprovide such employees with information securityknowledge to provide for the security, availability, andconfidentiality of Customer Data.Upon Medallia employee separation or change inroles, Medallia shall ensure any Medallia employeeaccess is revoked in a timely manner and all Medalliaassets, both information and physical, are returned.Maintaining asset and information managementpolicies and procedures. This includes ownership ofassets, an inventory of assets, classificationguidelines, and handling standards pertaining toMedallia assets.Maintaining media handling procedures to ensuremedia containing Customer Data is encrypted andstored in a secure location subject to strict physicalaccess controls.When a storage device has reached the end of itsuseful life, procedures include a decommissioningprocess that is designed to prevent Customer Datafrom being exposed to unauthorized individuals usingthe techniques recommended by NIST to destroy dataas part of the decommissioning process.If a hardware device is unable to be decommissionedusing these procedures, the device will be virtuallyshredded, degaussed, purged/wiped, or physicallydestroyed in accordance with industry-standardpractices. Devices used in the administration of theMedallia Products that have been decommissionedwill be subjected to these or equally effectivestandards.b.7.Maintaining a logical access policy and correspondingprocedures. The logical access procedures will definethe request, approval and access provisioningprocess for Medallia personnel. The logical accessprocess will restrict Medallia user (local and remote)access based on the principle of least privilege forapplications and databases. Medallia user accessrecertification to determine access and privileges willbe performed periodically. Procedures for onboardingand off-boarding Medallia personnel users in a timelymanner will be documented. Procedures for Medalliapersonnel user inactivity threshold leading to accountsuspension and removal threshold will bedocumented.Limiting access to Customer Data to its personnel whohave a need to access Customer Data as a conditionto Medallia’s performance of the services under thisAgreement. Medallia shall utilize the principle of “leastprivilege” and the concept of “minimum necessa

This Medallia Master Subscription Agreement (the "Agreement") is effective as of the last signature on an Order between the parties (the "Effective Date") and is between Medallia, Inc. ("Medallia") and the other signatory to an Order ("Customer"). Medallia provides experience management products (the "Medallia Products .