
Cloud Policies

ACCEPTABLE USE POLICY ("AUP")


1. Objective


The purpose of the AUP is to ensure responsible use by all Users of Cloud Services within the Forterro Cloud 
Environment and its resources and to avoid practices that damage the use of Cloud Services or the Forterro Cloud 
Environment. The AUP is designed to protect the image and reputation of the Customer, its subsidiaries, the Cloud 
Services and Forterro as a responsible service provider, by maintaining the security, reliability and confidentiality 
of the Cloud Services and Forterro's Cloud Environment. 


2. Overview


2.1. The Customer ensures that it and the Named Users of Forterro's Cloud Services or cloud-based services 
comply with the AUP at all times. Forterro, without limiting its other rights, reserves the right, without 
liability or duty of prior notice to the Customer to:
2.1.1. delete all or part of the Customer Data downloaded or processed by a Named User (insofar 
as they do not comply with this AUP); or 
2.1.2. disable any Named User's access to its Cloud Services or cloud-based services;
if Forterro believes, in its sole discretion, that the Named User is in breach of this AUP.
2.2. The purpose of the AUP is to ensure responsible use by the Customer and its Named Users of Forterro's 
Cloud Services or cloud-based services, its resources and to avoid practices or actions that damage the 
usability of the Cloud Services or impact other customers of Forterro's Cloud Services or cloud-based 
services. 
2.3. This AUP is designed to protect the image and reputation of all customers, Forterro's cloud-based 
services or cloud-based services and Forterro as a responsible service provider, by seeking to ensure 
the confidentiality, integrity and availability of Forterro's Cloud Services or cloud-based services. 
2.4. The rules set forth in this AUP govern acceptable use of Forterro Cloud Services or cloud-based 
services. Failure to comply with this AUP may result in suspension of Forterro's Cloud Services or 
cloud-based services, or termination of the applicable agreement with the Customer.


3. Obligations


3.1. Each Named User MUST understand and comply with his or her obligations as a Named User.
3.2. Named Users MUST NOT share Identification Data, including IDs or passwords. It is the responsibility 
of each Named User to maintain the confidentiality of this information. If a Named User believes that 
his or her account has been compromised, he/she should change his/her password and report the 
problem immediately to the Customer's appointed administrator.
3.3. Each Named User MUST NOT access, or attempt to access, or assist or allow others to access, anything that the 
Named User or any other Named User has not been explicitly authorised to access.
3.4. The use of Cloud Services by each Named User MUST be decent, honest and in compliance with 
legislative and regulatory requirements.
3.5. Each Named User MUST NOT attempt to analyse, probe, test or perform any activity that could be 
considered to compromise or risk compromising the confidentiality, integrity or availability of the 
Cloud Services or cloud-based services, unless explicitly authorised to do so by a Forterro 
representative.
3.6. Each Named User MUST NOT disable, reconfigure or attempt to circumvent security measures, such as 
anti-virus (unless explicitly authorised by a Forterro representative).
3.7. Each Named User MUST scan ALL files for viruses and malware using a commercial anti-virus/malware 
solution BEFORE uploading to Forterro Cloud Services or cloud-based services. Under no circumstances 
should files corrupted by viruses or malware be uploaded to Forterro Cloud Services or cloud-based 
services.
3.8. Each Named User MUST NOT use Forterro's Cloud Services or cloud-based services to harass, defame, 
slander, intimidate, impersonate or otherwise abuse any other person, including other customers of 
Forterro, Forterro, a Forterro Group Company, its or their suppliers or other third parties.
3.9. Each Named User MUST NOT use Forterro's Cloud Services or cloud-based services for the creation, 
collection, storage, uploading or posting of offensive, obscene, indecent or threatening images, data 
or material that may be resolved as such.
3.10. Each Named User MUST NOT use Forterro Cloud Services or cloud-based services for the creation or 
transmission of material that infringes the copyright or intellectual property of another person or 
organisation.
3.11. Each Named User MUST NOT send or store in Forterro's Cloud Services or cloud-based services any 
personal health data, credit card data, personal financial data or other sensitive data that may be, for 
example, subject to the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley 
Act, the Payment Card Industry Data Security Standards, the EU General Data Protection Regulation or 
any other similar legislation applicable in the specified jurisdiction outside of the Agreement without 
Forterro's written consent.


4. Guidelines


4.1. In the event of security problems, incidents or near misses, each Named User MUST promptly take all 
possible steps to inform the Customer's authorized administrator, retaining all supporting 
information/evidence.
4.2. For the sole purpose of providing the relevant services or enforcing applicable policies, Forterro 
reserves the right to view any material, including Customer Data, that a Named User stores within 
Forterro's cloud-based or SaaS services.
4.3. If a Named User is unsure or concerned about any matter relating to this AUP or has a question about 
it, the Named User should seek advice from the Customer's authorised administrator.

 

BACKUP POLICY


1. Objective


The purpose of this document is to define data access mechanisms, data backup management and 
data retention policies with respect to ProConcept Cloud Services.


2. Overview


2.1. Data storage
The data present in the database files is stored in Switzerland. 
2.2. Data backup
Backup management is divided into three services:
2.2.1. Guaranteed document storage, provided by the Amazon S3 service in Switzerland.
2.2.2. Hot backups:
2.2.2.1. A hot backup of the environment is a snapshot of the data on disk and the 
software configuration, taken every hour. 
2.2.2.2. The hot backup is stored locally in the Swiss zone and is not copied outside the 
production infrastructure or to an off-site location. 
2.2.2.3. In the event of data corruption or loss of Customer Data, this hot backup enables 
the Cloud Services used by the Customer to be restored to a previous state as 
close as possible in time to the event that caused the corruption or loss of 
Customer Data.
2.2.3. Daily backups:
2.2.3.1. Cloud backup is a daily backup performed every night for Customer 
environments located in Switzerland. 
2.2.3.2. Enterprise backup is a backup of the database, documents and software 
configuration. 
The main requirement of the backup strategy is to enable complete protection of Cloud Services for 
the end user. This makes it possible to achieve a rapid recovery point objective ("RPO") and/or 
recovery time objective ("RTO") for disaster recovery. 


3. Data retention


Data backups are stored as follows:
3.1. The last five (5) hourly backups are retained.
3.2. The last seven (7) daily backups are retained.
3.3. The last five (5) weekly backups are retained.
3.4. The last two (2) monthly backups are retained.
Once the periods defined above have been reached, the concerned backup is deleted and the data 
cannot be recovered. Upon termination, the Customer will receive a copy of the last available backup 
in a format to be determined by Forterro. 
If the Customer requires a data backup at a time other than termination, this can be provided under 
a professional services agreement.


4. Data restoration


If the Customer needs to restore data at a time other than a technical incident, this can be provided 
under a professional services agreement.


5. Disaster recovery


In the event that it is decided to recover the Cloud Environment, the following deadlines apply from 
the moment the decision to recover the Cloud Environment is made: 
 

Recovery objective: Target
RPO (Recovery Point Objective): 1 hour
RTO (Recovery Time Objective): 4 hours

MAINTENANCE AND SUPPORT POLICY


1. Objective


The purpose of this document is to define the support included in the Cloud Services, including any applicable 
service levels.


2. Maintenance Services


2.1. Planned Maintenance
2.1.1. ProConcept communicates in advance the monthly Planned Maintenance windows to be 
undertaken. The monthly windows provided by ProConcept for the execution of Planned 
Maintenance may not be used to perform Software Updates or Upgrades for the Customer. 
2.1.2. Separate Planned Maintenance windows are scheduled in advance with the Customer prior to 
Software Updates or Upgrades, but are considered as Planned Maintenance for the purposes of 
Critical Service Level calculations.
2.2. Emergency maintenance
2.2.1. ProConcept will perform emergency maintenance as required by ProConcept. In the event of 
Emergency Maintenance, ProConcept must give as much advance notice as possible. However, 
if the requirement to give such notice affects or delays ProConcept's ability to perform such 
Emergency Maintenance, such notice need not be given.


3. Support Services


Software support will be provided to the Customer during ProConcept's business hours as defined on 
ProConcept's website (https://www.proconcept.ch/fr/societe/contact), excluding bank holidays applicable to 
ProConcept. Software support will include and be limited to operations and tools used by ProConcept (24/7 
access to the knowledge base and the Support Platform). 


4. Assistance classification


4.1. Severity level classification applies to all anomalies and is mandatory. The Customer identifies the 
classification of the anomaly according to the clause below. ProConcept may modify the classification 
made by the Customer during the assistance process after having better understood the Customer's 
situation and/or if an unjustified high classification is requested by the Customer. Any change in 
classification is notified to the Customer.


5. Reaction types, response times and resolution


5.1. ProConcept endeavours to provide an initial reaction time and a timeframe for defining an action plan 
to deal with the anomaly according to its severity and criticality after classification. All response and 
intervention times are calculated only in working hours/days during service opening hours. Any time 
during which ProConcept is waiting for a response or information from the Customer will be considered 
as "Customer Waiting" and will be deducted from the calculation of reaction and resolution times.
5.2. In cases where the ProConcept support team cannot provide a solution for a Blocking or Major anomaly, 
and cannot provide a resolution or workaround to the problem, the ProConcept support team will: (1) 
escalate the anomaly; (2) provide a regular status report to the Customer; and (3) add additional specialist 
skills to the resolution team if deemed necessary by ProConcept.
5.3. ProConcept will use reasonable efforts to respond within the following reaction and response times, 
depending on the classification assigned to the Service Request:


6. Assistance Classification Matrix 
 

Service Request Priority: 1 - Critical/Blocking
Definition: An anomaly which, individually or cumulatively, has repercussions on the operation of Cloud Services, by blocking the use or operation of the features, with no possible workaround. The anomaly has an immediate material and substantial impact on the use of Cloud Services [and on the Customer's business].
Target Initial Reaction time frame: 8 working hours
Target Response time frame: 4 working days
Resolution: Repair or workaround

Service Request Priority: 2 - Major
Definition: An anomaly which, individually or cumulatively, has a significant impact on the normal operation of the Cloud Services, by blocking the use or operation of their features, [but there is a workaround]. The anomaly has a substantial impact on the use of the Cloud Services and on the Customer's business, even if access to the feature(s) is not completely interrupted.
Target Initial Reaction time frame: 12 working hours
Target Response time frame: 10 working days
Resolution: Repair or workaround

Service Request Priority: 3 - Average
Definition: An anomaly which, individually or cumulatively, has a significant impact on the normal operation of the Cloud Services, by blocking the use or operation of their features, [but there is a workaround]. The anomaly has an impact on the use of Cloud Services and on the Customer's business, but the affected feature remains mainly operational.
Target Initial Reaction time frame: Two working days
Target Response time frame: 30 working days
Resolution: Any resolution of the defect will be dealt with on a case-by-case basis.

Service Request Priority: 4 - Minor
Definition: An anomaly that does not affect the use or operation of the features [while not conforming to the documentation or specifications]. The minor anomaly has no impact on the use of Cloud Services [and on the Customer's business]. A problem affecting a single User or a question or clarification in a Customer Environment.
Target Initial Reaction time frame: 5 working days
Target Response time frame: On request
Resolution: Minor defects will be dealt with on a case-by-case basis and on request.

The aforementioned times are target times for initial reaction and/or response depending on the 
classification of the Service Request and should not be interpreted as a commitment to resolve any 
anomaly within that timeframe.


7. Service Requests 


7.1. A Service Request may also include a request for services to be performed for the Customer in connection 
with the Cloud Services. However, these services may not be included in this Maintenance and Support 
Policy and may then be provided as professional services under a separate agreement.

 

DESCRIPTION OF CLOUD SERVICES


1. Objective


The purpose of this document is to present the standard services that are provided as part of the Cloud 
Services and those that are available subject to the selection of a different Cloud Services Level and payment 
of the applicable fees.


2. Cloud services


2.1. Payment of the Cloud Services Fee gives all customers access to the following standard Cloud Services:
2.1.1. Link to the Cloud Platform
2.1.2. Single tenant environment
2.1.3. Software access
2.1.4. Provision of a production database
2.1.5. Data storage and redundancy 
2.1.6. 100GB document storage, expandable in 100GB increments
2.1.6.1. Maximum document size is 500MB
2.1.7. Backup management in accordance with the Backup Policy
2.1.8. Software Upgrades and Updates


3. Support Services


3. The following tables show what is included in the Cloud Services, depending on the Cloud Services Level 
selected by the customer. No professional services are provided as part of the Cloud Services, but such 
a service is available from ProConcept under a separate agreement.

SERVICES: Finance & Payroll Cloud / Cloud ERP

24/7 service access (SLA 99.5%)
Assistance/Support platform
Direct telephone line for trained users
Monthly software upgrades
Access to the support portal
Upgrade of version* in production (minor/major)
Test environment for major version upgrades
New features in early access: -
Contacts with access to the support service: (1 contact person) / (3 contact persons)
Knowledge base
Suggestions for improvement

100GB data storage
Backup management
Disaster Recovery Plan

*Upgrade version: corresponds exclusively to the technical part of the version upgrade.

 

4. Customer responsibility


4. The Customer is responsible for managing the Named Users and for configuring the ERP. Named Users 
are not authorised to access or manage databases or any other component of the underlying 
infrastructure other than through the user interfaces provided by the Software.

 

SECURITY INCIDENT POLICY


1. Objective


The purpose of this Security Incident Policy is to communicate the measures taken by Forterro in the 
event of a Security Incident.


2. Overview


2.1. Forterro implements and maintains a written plan and process for the prevention, detection, 
identification, reporting, follow-up and response to Security Incidents. Security Incidents include:
2.1.1. security breaches of Forterro's network or internal applications resulting in the compromise 
of Customer Data;
2.1.2. serious damage to Forterro's security controls, methods, processes or procedures resulting 
in a compromise of the security, availability, confidentiality or integrity of Customer Data;
2.1.3. unauthorised access to or disclosure of Customer Data.
2.2. Forterro's plan includes procedures for handling, responding to and reporting Security Incidents, 
specific Security Incident contacts, and the roles and responsibilities of each Security Incident 
contact. 
2.3. The following provisions apply in the event of a Security Incident:
2.3.1. Forterro will submit a Security Incident report to the Customer. This report will be provided 
as soon as possible after the discovery of a Security Incident and in accordance with 
governing laws.
2.3.2. At the Customer's request, Forterro will meet with the Customer to discuss the cause of the 
Security Incident and Forterro's response.


3. Obligations


3.1. In the event of a Security Incident in which Personal Data is compromised by an unauthorised 
person, or reasonably believed to have been compromised, Forterro shall, where applicable and 
subject to governing data protection laws, notify the competent data protection authority within 
the time and in the manner prescribed by governing data protection laws. 
3.2. Forterro retains all documentation relating to Security Incidents, in written or electronic form, 
including their identification, handling and resolution, for two (2) years (unless a shorter period is 
imposed or permitted by the governing law) after their final resolution, including the final resolution 
of any claim arising from a Security Incident.

 

SERVICE LEVEL POLICY


1. Objective


The purpose of this document is to define the legal rights of the Customer in the event that the 
Customer is unable to use the Cloud Services.


2. Service level


2.1. Critical service level
2.1.1. "Critical Service Level" means the percentage of time that Cloud Services are available 
during Cloud Services operating hours, as set forth below. 
2.1.2. The "Cloud Services Operating Hours" are 24 hours a day, 7 days a week, excluding:
2.1.2.1. time spent on Planned Maintenance and Emergency Maintenance;
2.1.2.2. downtime required to perform professional services; and
2.1.2.3. the inability of the Customer to connect to the Cloud Environment or Cloud 
Services due to problems with the Customer's infrastructure or the Internet.
(hereinafter the "Exceptions")
2.1.3. "Availability of Cloud Services" means the ability to access the Cloud Environment and use 
the Software. 
2.1.4. The method used to calculate the critical service level is as follows:
(Availability of Cloud Services during Cloud Services Operating Hours - unplanned downtime) 
÷ (Availability of Cloud Services during Cloud Services Operating Hours) x 100
2.1.4.1. The Cloud Services operating hours for a given month is calculated as (1) the 
total number of minutes in a month (i.e. 1,440 minutes per day multiplied by the 
number of days in a month), minus (2) the total number of minutes of Exceptions 
endured by the Customer. 
2.1.4.2. The method to calculate the critical service level is as follows: the total number 
of minutes of availability during the month in question (calculated above) 
("numerator"), divided by the Cloud Services operating hours during the month 
in question ("denominator"), the quotient of which is then expressed as a 
percentage = percentage of availability of Cloud Services.
2.1.4.3. In other words, the calculation of the critical service level is as follows: minutes 
of availability ÷ Cloud Services operating hours = percentage of availability of 
Cloud Services. 
2.1.4.4. For example: during a 30-day month, if (a) the Customer experienced downtime 
attributable to Exceptions of 30 minutes, and (b) the Customer experienced 
downtime not attributable to Exceptions of 30 minutes, then (c) the Availability 
of Cloud Services percentage would be 99.93%, because (x) the numerator would 
be 43,140 (representing the total number of minutes during which the Customer 
benefited from the availability of Cloud Services), (y) the denominator would be 
43,170 (representing the operating hours of Cloud Services, which is the total 
number of minutes during the month minus the minutes attributed to 
Exceptions), and (z) the numerator divided by the denominator is 0.9993, which, 
expressed as a percentage, gives 99.93%. 
2.1.5. The critical service level is classified as green if the percentage of availability monitored by 
Forterro for one month is between 100% and 99.5%.


3. Service credits


3.1. If, in a given month, the critical service level drops below green, the following service credits apply 
to the concerned production environment:
3.1.1. where the percentage of availability of Cloud Services is less than or equal to 99.499% but 
greater than 90.999% in any month, ten (10) percent of the Cloud Services Fee payable for 
that month for the assigned Software licenses concerned;
3.1.2. when the percentage of availability of Cloud Services is less than or equal to 90.999%, 
twenty-five (25) percent of the Cloud Services Fee payable for that month for the assigned 
Software licenses concerned.
3.2. Service credits are applied:
3.2.1. only for a specific production environment;
3.2.2. only if the Customer has submitted a Service Request to notify Forterro of the problem 
resulting in the critical service level dropping below the green level; 
3.2.3. only to a Customer whose Named Users comply with the Acceptable Use Policy; and
3.2.4. when Cloud Services are provided via a public cloud platform, only to the extent that they 
are made available to Forterro by the Third-Party Service Provider, subject to any 
notification procedures that may be required by the Third-Party Service Provider.
3.3. To the extent applicable and notified by the Customer in accordance with the above provision, 
service credits will be credited against subsequent monthly invoicing periods of the Cloud Services 
Fee until such service credits have been used. In the event of termination, service credits will expire 
and the Customer will not be entitled to cash payment as an alternative.
3.4. The service credits specified in this Service Level Policy constitute the sole and exclusive legal remedy 
for the Customer and/or a subsidiary of the Customer, and Forterro's sole obligation and liability in 
the event of Forterro's failure to comply with its Cloud Services or critical service level obligations.


Le Vélé 2, 2605 Sonceboz-Sombeval, Suisse
©Forterro. 2023. All rights reserved. | www.proconcept.ch