End User License Agreement - Addendum 01
This End User License Agreement - Addendum 01 (“Addendum”) serves as an
addendum to all existing ITHENA product licenses and related agreements. It
supplements, and shall be read in conjunction with, the applicable End User License
Agreement (EULA) available at https://eula.ithena.io/ and the Privacy Policy available
at https://privacy.ithena.io/.
This Addendum forms an integral part of the ITHENA EULA. In the event of any conflict
between this Addendum and the EULA, the provisions of this Addendum shall prevail
solely with respect to payment processing matters.
This Addendum may be executed electronically and in counterparts, each of which shall
be deemed an original and all of which together shall constitute one and the same
instrument.
1. Definitions
For the purposes of this Addendum, and in addition to the definitions contained in the
EULA, the following terms shall have the meanings set forth below. Capitalized terms
not otherwise defined herein shall have the meanings ascribed to them in the EULA.
1.1 “Cardholder Data” means the Primary Account Number (PAN), Card Verification
Value (CVV), expiration date, or any other data elements enabling payment card
transactions, including any data defined as “cardholder data” under the Payment Card
Industry Data Security Standard (PCI-DSS).
1.2 “Payment Token” means a surrogate value returned by a Payment Processor in
lieu of raw Cardholder Data, which permits charges to be processed but does not
reveal the underlying PAN or CVV.
1.3 “Payment Processor” means the third-party payment services provider integrated
with the Platform for processing payment card transactions.
1.4 “Chargeback” means a reversal, retrieval, or dispute of a payment card transaction
initiated by a cardholder, issuing bank, or Payment Processor.
1.5 “Invoice” means a transaction instruction generated by or on behalf of a
Merchant/Client reflecting the sale of parts, goods, or services to an End Customer,
which is intended for payment processing through the Platform.
1.6 “PCI-DSS” means the Payment Card Industry Data Security Standard, as
updated from time to time.
1.7 “Company Indemnitees” or “Company” means ITHENA, its affiliates, and their
respective directors, officers, employees, contractors, representatives, and agents.
1.8 “OEM” means the original equipment manufacturer that licenses or purchases the
Platform from the Company for use by itself and by its End Customers.
1.9 “End Customer” means any customer of the OEM that accesses or uses the
Platform to purchase parts or submit orders.
1.10 “Merchant/Client” means the OEM and, where applicable, its End Customers.
1.11 “Platform” means the hosted aftermarket e-commerce service platform provided
by the Company pursuant to this Agreement.
2. Indemnification
2.1 Indemnification by OEM and End Customers.
OEM and each End Customer (each, an “Indemnifying Party”) shall defend, indemnify,
and hold harmless the Company Indemnitees from and against any and all losses,
damages, liabilities, penalties, fines, costs, expenses, settlements, interest, judgments,
and reasonable attorneys’ fees (collectively, “Losses”) arising out of:
(a) any third-party claim, action, demand, investigation, regulatory proceeding, or
chargeback arising from or relating to the OEM’s or End Customer’s (i) collection,
storage, or use of Cardholder Data, Payment Tokens, or Invoices, (ii) payment disputes,
chargebacks, or refund obligations, or (iii) failure to comply with PCI-DSS or other
applicable law;
(b) any misuse of Payment Tokens or other payment credentials by OEM or any End
Customer;
(c) any breach by OEM or End Customer of its obligations under this Agreement or of
its agreements with End Customers.
The foregoing indemnification obligations shall not apply to the extent that any Losses
arise solely from the Company’s willful misconduct, gross negligence, or intentional
fraud.
3. Limitation of Liability
3.1 Limitation on Damages.
None of the Company Indemnitees shall be liable to OEM, End Customers, or any third
party for any direct, indirect, consequential, incidental, special, exemplary, or punitive
damages, or for any lost profits, revenues, savings, business, goodwill, or data, even if
advised of the possibility of such damages.
3.2 Aggregate Cap.
Notwithstanding anything to the contrary in this Agreement, the Company’s total liability
for any and all claims arising out of or in connection with this Agreement shall not
exceed an amount equal to the total fees paid by the OEM to the Company under this
Agreement during the twelve (12) months immediately preceding the event giving rise to
the claim.
3.3 Application.
The limitations in this Section apply regardless of the theory of liability, and whether
arising from breach of contract, warranty, tort, strict liability, or otherwise.
4. Data Security and Non-Use
4.1 Non-Handling of Cardholder Data.
With the exception of providing information from the End Customer to the payment
gateway, the Company does not request, collect, or transmit raw Cardholder Data. The
Company never stores raw Cardholder Data.
Any and all data requested for payment processing like card entry, pre-authorization,
and authorization is performed solely by the Payment Processor. Company only
receives and stores Payment Tokens returned by the Payment Processor.
4.2 Storage of Tokens.
Payment Tokens and any other payment credentials are stored exclusively in a secure,
industry-recognized key management or secrets storage service (for example, cloud
key vaults such as Microsoft Azure Key Vault, AWS Key Management Service, or
Google Cloud KMS) and are used solely for processing Invoices in accordance with the
OEM’s or End Customer’s instructions. The Company shall not use Payment Tokens for
any other purpose.
4.3 Reliance on Third-Party Providers.
OEM acknowledges that:
(a) the Payment Processor or Payment Gateway (for example, Stripe, PayPal, Moneris,
and others) is solely responsible for its own infrastructure, security, and PCI-DSS
compliance with respect to the handling of Cardholder Data;
(b) the provider of the key management or cloud storage service (for example,
Microsoft, Amazon Web Services, or Google Cloud) is solely responsible for the
security, availability, and compliance of its infrastructure; and
(c) the Company does not control or guarantee the acts or omissions of the Payment
Processor, Payment Gateway, or any third-party infrastructure provider, and shall not be
liable for their failures or non-compliance, except to the extent caused by the
Company’s willful misconduct or gross negligence.
4.4 OEM and End Customer Responsibilities.
OEM and End Customers shall:
(a) comply with all applicable laws, card-network rules, and PCI-DSS requirements to
the extent applicable to them;
(b) ensure that only Payment Tokens (and not raw Cardholder Data) are transmitted to
or through the Platform;
(c) not misuse Payment Tokens or other payment credentials; and
(d) be solely responsible for resolving disputes with End Customers, issuing refunds,
handling chargebacks, and maintaining compliance with Payment Processor
requirements, including but not limited to any data security or refund policies imposed
by such Payment Processor.
4.5 No Access to Cardholder Data.
OEM and End Customers acknowledge and agree that Company has no role in, and
shall not be provided with, raw Cardholder Data. OEM and End Customers shall not
attempt to cause the Platform to receive, access, or store raw Cardholder Data.
4.6 Notification.
If OEM or any End Customer becomes aware of any unauthorized access to Cardholder
Data, Payment Tokens, or credentials used in connection with the Platform, the OEM or
any End Customer shall immediately notify Company and cooperate in good faith to
contain and remediate the incident.