Legal

Licenseware Technology Services S.R.L.
B2B Agreement — Governed by the Laws of Romania (EU Member State)

PLEASE READ THIS LICENCE CAREFULLY. BY PURCHASING, COPYING, INSTALLING, OR USING ALL OR ANY PORTION OF THIS SOFTWARE, YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS LICENCE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, YOU MAY NOT USE THE SOFTWARE.

This Licence Agreement (Licence) is a legal agreement between you (Licensee) and Licenseware Technology Services S.R.L., incorporated and registered in Romania with company number J21/238/2021, VAT no RO42866470, whose registered office is at Independentei 1, Slobozia, Ialomita, 920095, Romania (Licensor) for the Apps described in the applicable Order Form and associated Documentation.

We, or an authorised Reseller, licence use of the Apps and Documentation to you on the terms set out herein. This Licence is a B2B agreement entered into between entities acting in the course of their business. This is not a consumer contract.

You acknowledge that we may update the terms and conditions of this Licence from time to time and that it is your responsibility to check any updates.

---

Agreed Terms

1. Provision of the Services

1.1 Licensor will provide the Apps materially in accordance with this Licence and the Documentation.

2. Grant and Scope of Licence

2.1 Subject to Licensee's continuous compliance with this Licence and payment of the applicable Licence Fee, Licensor grants Licensee a non-exclusive, non-transferable, revocable and limited licence to install (where applicable) and use the Apps in the Territory during the Licence Term for its own internal business purposes.

2.2 Licensor reserves the right at any time to make any improvement, substitution or modification in the design or configuration of the Apps provided that such change shall not result in any material change in the functionality or performance of the Apps.

2.3 The Licensee may, subject to prior written consent, perform any of its obligations or exercise any of its rights under this Licence through any affiliate, provided that: (a) any act or omission of such person shall be deemed to be the act or omission of the Licensee; (b) performance shall be solely for the business purposes of the Licensee and its Declared Affiliates; and (c) any claim from an affiliate shall be brought through the Licensee and liability caps shall apply in aggregate.

2.4 Where third party suppliers are required to interface with the Apps, Licensor shall at the Licensee's request and expense co-operate with such suppliers.

2.5 The Licensee shall: (a) provide to Licensor the details of the Licensee authorised contact and notify Licensor in writing of any change; (b) take all necessary steps to ensure that its employees, agents and subcontractors abide by the terms of this Licence; (c) comply with the Documentation; and (d) inform Licensor as soon as possible about any change of location.

3. Apps Restrictions

3.1 Except as expressly set out in this Licence or as permitted by any local law, you undertake not to: (a) make copies of the Apps or Documentation except as reasonably necessary for back-up or disaster recovery; (b) rent, lease, sell, sublicense, assign or transfer your rights in the Apps; (c) disassemble, decompile, reverse-engineer or create derivative works based on the Apps except to the extent essential for inter-operability; (d) modify, port, adapt, or translate the Apps; (e) allow any Designated User login to be used by more than one individual; or (f) fail to comply with all applicable technology control or export laws and regulations.

3.2 You may: (a) use the Apps for your internal business purposes only; (b) receive and use free Updates as provided by us from time to time; and (c) use Documentation in support of the permitted use.

4. Intellectual Property Rights

4.1 All Intellectual Property Rights in the Apps and Documentation throughout the world belong to us. Rights in the Apps are licensed (not sold) to you. You have no Intellectual Property Rights in the Apps other than the right to use them in accordance with this Licence.

4.2 You acknowledge that you have no right to access the Apps in source code form.

4.3 The Licensor shall defend and indemnify the Licensee against all damages finally awarded against the Licensee in connection with any third-party IPR Claim. The maximum aggregated liability for such indemnification shall not exceed €1,000,000 (one million euros) and shall count towards the overall cap in Clause 8.3.

4.4 If an IPR Claim is brought or is likely to be made, the Licensor may at its own expense ensure the Licensee is still able to use the Licence by either: (a) modifying the provisions of the Licence so as to avoid the infringement without reducing performance and functionality; or (b) procuring a licence or permission to use the Licence on acceptable terms.

4.5 The Licensee shall promptly notify the Licensor if any IPR Claim or demand is made against the Licensee.

4.6 The Licensee shall fully indemnify the Licensor from any claims arising because the Licensee or its end users modify, alter, or combine the Apps with other software or data in a way that infringes third-party intellectual property rights. This indemnity survives termination.

5. Confidentiality

5.1 Each party agrees to treat all Confidential Information disclosed to it by the other party as strictly confidential and to use it solely for the purposes of this Licence. Neither party shall disclose Confidential Information to any third party without the prior consent of the disclosing party.

5.2 Each party may disclose Confidential Information to its employees, agents, sub-contractors and professional advisers who need to know such information for the purposes of this Licence, provided such persons are bound by equivalent confidentiality obligations.

5.3 Confidentiality obligations shall not apply to information which: (a) is publicly known other than through breach of this Licence; (b) was rightfully in the receiving party's possession prior to disclosure; (c) is required to be disclosed by law; or (d) was independently developed by the receiving party.

5.4 Confidentiality obligations survive termination for five (5) years, except for trade secrets which remain confidential for as long as they constitute trade secrets under applicable law.

6. Limited Warranty

6.1 Licensor warrants that: (a) it has all necessary rights and authority to grant the licences herein; and (b) the Apps, when used in accordance with their documentation and this Licence, will materially conform to the functionality described in their specifications.

6.2 Except as expressly provided in this Licence, all Apps are provided "as is". To the maximum extent permitted by applicable law, Licensor disclaims any implied warranties of non-infringement, merchantability or fitness for a particular purpose.

6.3 The Apps are not designed or intended for high-risk use scenarios where failure could reasonably lead to death, serious bodily injury, or severe damage to property or the environment.

7. Support

7.1 Support is provided as set out in Exhibit A to this Licence. Current support terms are available at https://licenseware.io/legal. Current apps are listed at https://licenseware.io/apps/.

8. Limitation of Liability

8.1 To the maximum extent permitted by applicable law, neither party shall be liable to the other for any indirect or consequential damages, including lost revenues, lost profits, business interruption, or loss of business information or data.

8.2 Neither party shall be liable for any delay or default caused by conditions beyond its reasonable control, including any Force Majeure event.

8.3 Licensor's total aggregate liability under or in connection with this Licence shall not exceed the total Licence Fees paid by the Licensee in the twelve (12) month period immediately preceding the event giving rise to the claim.

8.4 The limitations in Clauses 8.1 and 8.3 shall not apply to: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be excluded under applicable mandatory law; or (d) the IPR indemnity cap in Clause 4.3.

9. Data Processing

9.1 To the extent that Licensor processes personal data on behalf of Licensee in connection with this Licence, such processing is governed by the Licenseware Data Processing Addendum, available at https://licenseware.io/legal/#data-protection-agreement, which is incorporated into this Licence by reference.

9.2 Licensee acknowledges that Licensor processes personal data as described in the Data Processing Addendum, including the categories set out in Schedule 2, using the infrastructure sub-processors set out in Schedule 3.

9.3 In the event of a personal data breach affecting Licensee's data, Licensor shall notify Licensee without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach.

9.4 Licensor shall assist Licensee in fulfilling its obligations under applicable data protection law, including in connection with data subject rights requests, Article 32 security measures, data protection impact assessments, and prior consultation with supervisory authorities. Full details are set out in the Data Processing Addendum.

10. Miscellaneous

10.1 Force Majeure. Licensor shall not be liable for any delay or failure to perform its obligations due to any cause beyond its reasonable control, including acts of God, war, terrorism, fire, flood, epidemic, pandemic, or communication failures.

10.2 Notices. All notices shall be in writing. Email is agreed as a valid means of formal notice. Notice is deemed given: (a) on the date sent by email, provided no automated delivery failure is received within 24 hours; (b) on the date of personal delivery; (c) three (3) calendar days after deposit in certified mail; or (d) one (1) calendar day after delivery to a recognised overnight courier. Notices to Licensor: [email protected] and [email protected].

10.3 Amendments. This Licence may be amended only by a document in writing signed by both parties.

10.4 Severability. If any provision of this Licence is held invalid or unenforceable, the remainder shall continue in full force and effect to the fullest extent allowed by law.

10.5 Governing law and jurisdiction. This Licence and any dispute or claim arising out of or in connection with it shall be governed by the laws of Romania, as an EU member state. Each party irrevocably submits to the exclusive jurisdiction of the Romanian courts. The parties confirm that they are each acting in the course of their business and that this Licence is not a consumer contract.

---

Definitions and Interpretation

Term	Definition
Applicable Data Protection Legislation	(a) To the extent the UK GDPR applies, the law of the United Kingdom. (b) To the extent the EU GDPR applies, the law of the European Union or any member state to which Licensor or Licensee is subject.
Business Day	A day other than a Saturday, Sunday or public holiday in Romania when banks in Bucharest are open for business.
Declared Affiliates	The affiliates of the Licensee set out in the Order Form.
Designated User	Any user of the Apps named to the Licensor as a user by the Licensee.
EU GDPR	The General Data Protection Regulation ((EU) 2016/679) as it has effect in EU law.
Force Majeure	Any cause beyond the reasonable control of the affected party including acts of God, war, terrorism, fire, flood, epidemic, pandemic, and communication failures.
Intellectual Property Rights	All patents, rights to inventions, copyright, moral rights, trade-marks, business names, domain names, rights in designs, rights in computer software, database rights, and all other intellectual property rights, whether registered or unregistered, throughout the world.
Licence Fee	The fee for the Apps as set out in the Order Form.
Licence Term	The First Year, automatically renewing for successive 12-month periods (each a Renewal Term) unless terminated in accordance with this Licence.
Order Form	The order form, statement of work or set-up form setting out the number of licences, the Licence Fee, commencement date, and other relevant details.
Reseller	An authorised reseller of the Licensor.
Territory	As set out in the Order Form.
UK GDPR	Has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Updates	All updates, upgrades, bug fixes, error corrections, enhancements and other modifications to the Apps.

Schedule 2: Particulars of Data Processing

Category	Details
Types of personal data	Identity and directory data (names, usernames, email addresses, job titles, organisational roles, account identifiers); device and endpoint data (device names, hardware identifiers, OS, compliance/ownership attributes); software installation and usage data; licence and entitlement data; SaaS and cloud application usage data; authentication and access data; business contact information.
Special categories	None.
Purpose	To provide the Apps in accordance with this Licence.
Nature	Storage and processing of Personal Data as necessary to provide the Apps.
Duration	For the duration of the Licence.
Further details	https://licenseware.io/legal/#data-protection-agreement

Schedule 3: Sub-Processor Register

Sub-Processor	Parent	Purpose	Processing Locations	Legal Basis
Google Cloud Platform	Google LLC	Cloud infrastructure: compute, storage, networking, encryption, AI services	EU: Netherlands · US: Iowa · AU: Sydney	Google Cloud DPA incl. SCCs

All other platform components are self-hosted within Licenseware's own GKE clusters on GCP and do not constitute independent sub-processors. The authoritative register is maintained at https://licenseware.io/legal/#data-protection-agreement.

Exhibit A: Support Agreement

1. Severity Definitions

P1 — Critical. Complete service outage or severe functionality loss impacting all users.

P2 — High. Major functionality issue with significant business impact.

P3 — Medium. Partial, non-critical loss of functionality; manageable impact.

P4 — Low. Cosmetic issue, minor inconvenience, or feature request.

P5 — Informational. General questions, guidance requests, or clarifications with no direct service impact.

2. Scope

Included: The production Licenseware SaaS platform, Licenseware apps, and documented features. Current apps: https://licenseware.io/apps/.

Excluded: Non-production environments, undocumented or custom features, customer infrastructure, unsupported third-party tools, and preview/beta features.

3. Channels and Hours

Email: [email protected]  |  Ticketing: https://help.licenseware.io/raise-a-ticket  |  Hours: 09:00–18:00 UK time, Monday–Friday.

4. Severity Targets

Severity	Response Target	Resolution Target
P1 — Critical	Within 1 hour	Best effort within 4 hours
P2 — High	Within 1 business day	Within 5 business days
P3 — Medium	Within 1 business day	Up to 2 weeks
P4 — Low	Within 1 business day	Addressed in upcoming releases
P5 — Informational	As soon as reasonably possible	Not applicable

Exhibit B: Service Level Agreement

Uptime Commitment: Licenseware targets 99.9% monthly uptime for the production service.

Measurement: Availability is measured per hour in the production environment at the service boundary; compiled monthly.

Scheduled Maintenance: Excluded from uptime where Licenseware provides a minimum of 48 hours' notice.

QBRs: SLA performance may be reviewed during Quarterly Business Reviews and adjusted by mutual agreement.

This Data Processing Addendum (DPA) forms part of the agreement between Licenseware Technology Services S.R.L. ("Licenseware", "Processor") and the Customer or Partner named in the applicable Order Form or agreement ("Controller"). It applies wherever Licenseware processes personal data on behalf of the Controller in connection with the provision of Licenseware Products and services. For MSP Partners, additional provisions in Section 12 apply to reflect the controller → processor → sub-processor chain.

Capitalised terms not defined herein have the meanings given in the applicable Licenseware agreement (EULA, Reseller Agreement, Appendix 1G, or other).

1. Definitions

Term	Definition
Applicable Data Protection Law	(a) The EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR"); (b) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018; (c) Romanian Law no. 190/2018 on measures for the implementation of the EU GDPR; and (d) any other applicable data protection legislation in force from time to time.
Personal Data	Has the meaning given in Applicable Data Protection Law.
Processing	Has the meaning given in Applicable Data Protection Law.
Data Subject	Has the meaning given in Applicable Data Protection Law.
Personal Data Breach	Has the meaning given in Applicable Data Protection Law.
Sub-Processor	Any third party engaged by Licenseware to process Personal Data on behalf of the Controller.
Standard Contractual Clauses (SCCs)	The standard contractual clauses for the transfer of personal data to third countries as adopted by the European Commission from time to time.
Regional Instance	A geographically isolated deployment of the Licenseware platform, currently: EU Instance (Eemshaven, Netherlands); US Instance (Iowa, United States); AU Instance (Sydney, Australia).

2. Scope and Nature of Processing

2.1 Licenseware processes Personal Data on behalf of the Controller solely to the extent necessary to provide the Licenseware Products and services in accordance with the applicable agreement and this DPA.

2.2 Licenseware acts as a data processor with respect to Personal Data processed on behalf of the Controller. The Controller is the data controller and is responsible for the lawfulness of the processing, including obtaining any necessary consents or establishing any other valid legal basis for processing.

2.3 The subject matter, nature, purpose and duration of processing, the types of Personal Data processed, and the categories of Data Subjects are set out in Schedule 1 to this DPA.

2.4 Licenseware shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. Licenseware shall inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law, before carrying out the instruction.

3. Controller Obligations

3.1 The Controller warrants that it has a valid legal basis for processing Personal Data and for instructing Licenseware to process Personal Data on its behalf.

3.2 The Controller is responsible for ensuring that Data Subjects have been informed of the processing of their Personal Data by Licenseware as sub-processor, to the extent required by Applicable Data Protection Law.

3.3 The Controller shall not instruct Licenseware to process Personal Data in a manner that would cause Licenseware to breach Applicable Data Protection Law.

4. Licenseware's Processing Obligations

4.1 Licenseware shall:

• (a) process Personal Data only on the Controller's documented instructions and for no other purpose;
• (b) ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
• (c) implement and maintain appropriate technical and organisational security measures in accordance with Section 5;
• (d) not engage Sub-Processors without the Controller's prior written authorisation, except as provided in Section 6;
• (e) assist the Controller in fulfilling its obligations under Applicable Data Protection Law as set out in Section 8;
• (f) delete or return all Personal Data to the Controller on termination of the applicable agreement, in accordance with Section 10;
• (g) make available to the Controller all information necessary to demonstrate compliance with this DPA and cooperate with audits and inspections in accordance with Section 11.

5. Technical and Organisational Security Measures

5.1 Licenseware shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to: (a) the state of the art; (b) the costs of implementation; (c) the nature, scope, context and purposes of processing; and (d) the risks to Data Subjects.

5.2 Such measures include, at minimum:

• (a) encryption of Personal Data in transit and at rest;
• (b) access controls and authentication mechanisms limiting access to Personal Data to authorised personnel only;
• (c) ongoing confidentiality, integrity, availability and resilience of processing systems;
• (d) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• (e) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

5.3 Licenseware is SOC 2 Type 2 certified. Certification details are available from Licenseware on request.

5.4 Licenseware shall ensure that any Sub-Processor engaged under Section 6 implements equivalent technical and organisational measures.

6. Sub-Processors

6.1 The Controller hereby grants Licenseware general written authorisation to engage the Sub-Processors listed in Schedule 2 of this DPA.

6.2 Licenseware shall: (a) ensure that each Sub-Processor is subject to data processing obligations no less protective than those in this DPA; (b) remain responsible for the acts and omissions of each Sub-Processor as if they were Licenseware's own acts and omissions; (c) notify the Controller of any intended addition or replacement of Sub-Processors by updating Schedule 2 and providing notice to the Controller's registered contact. Licenseware will provide no less than thirty (30) days' prior notice of any material change to the Sub-Processor list.

6.3 The Controller may object to a new Sub-Processor within fifteen (15) Business Days of receiving notice of the proposed change by providing written notice to Licenseware specifying reasonable grounds for objection. If the Controller objects and the Parties cannot resolve the issue, the Controller may terminate the applicable agreement on written notice.

7. International Data Transfers

7.1 Regional instance isolation. Customer data is processed exclusively within the Regional Instance selected by the Controller. No Customer data is transferred between Regional Instances. Each Regional Instance is fully isolated at VPC, cluster, and storage level.

7.2 EU Regional Instance. Where the Controller accesses the EU Regional Instance (Eemshaven, Netherlands), Personal Data is processed within the European Union and is not subject to cross-border transfer for the purposes of Chapter V of the EU GDPR.

7.3 US and AU Regional Instances. Where the Controller accesses the US Regional Instance (Iowa, United States) or AU Regional Instance (Sydney, Australia), Personal Data is processed within the United States or Australia respectively. Such processing is governed by Google Cloud Platform's Data Processing Addendum, which incorporates Standard Contractual Clauses or equivalent transfer mechanisms as applicable.

7.4 Multi-instance. Where a Controller simultaneously accesses more than one Regional Instance, the data residency and transfer position for each instance is as set out in Clauses 7.2 and 7.3 above.

7.5 Licenseware's sole infrastructure Sub-Processor is Google Cloud Platform, as set out in Schedule 2. Google Cloud Platform's Data Processing Addendum governs processing within each Regional Instance.

8. Assistance to the Controller

8.1 Data Subject rights. Licenseware shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability and objection). Licenseware shall forward any Data Subject requests it receives directly to the Controller without undue delay.

8.2 Security, breach notification, DPIA and prior consultation. Taking into account the nature of processing and the information available to Licenseware, Licenseware shall assist the Controller in ensuring compliance with the Controller's obligations under Articles 32–36 of the EU GDPR, including: (a) implementing and maintaining appropriate security measures (Section 5); (b) notifying the Controller of Personal Data Breaches in accordance with Section 9; (c) assisting with Data Protection Impact Assessments where required.

8.3 DPIA support. Licenseware's processing of data via the Microsoft Graph API integration and the broader SAM platform (processing user-level identity, device, licence, usage and authentication data) is likely to trigger a DPIA obligation for Controllers under GDPR Article 35. A customer-facing DPIA Support Document (Processor Information) prepared by Licenseware is available at https://licenseware.io/legal/. Licenseware will assist Controllers with DPIA requirements upon written request.

9. Personal Data Breach Notification

9.1 Licenseware shall notify the Controller without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

9.2 Notification shall include, to the extent available at the time: (a) a description of the nature of the breach, including categories and approximate numbers of Data Subjects and Personal Data records concerned; (b) the name and contact details of Licenseware's Data Protection contact; (c) a description of the likely consequences of the breach; (d) a description of the measures taken or proposed to address the breach.

9.3 Where complete information is not available at the time of initial notification, Licenseware shall provide the information in phases without undue further delay.

9.4 Licenseware shall cooperate with the Controller in investigating the breach and in fulfilling any notification obligations the Controller may have to supervisory authorities or Data Subjects.

10. Deletion and Return of Personal Data

10.1 On termination of the applicable agreement or on the Controller's written request, Licenseware shall, at the Controller's election: (a) return all Personal Data to the Controller in a standard machine-readable format (CSV, JSON or via API); or (b) securely delete all Personal Data, and certify in writing that it has done so.

10.2 Licenseware shall complete deletion or return within thirty (30) days of the termination date or written request, unless applicable law requires Licenseware to retain certain data for a longer period, in which case Licenseware shall notify the Controller and limit processing to what is required by that obligation.

10.3 Licenseware shall procure that Sub-Processors delete or return Personal Data on equivalent terms.

11. Audit Rights

11.1 Licenseware shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.

11.2 Audits shall take place no more than once per twelve (12) month period, upon a minimum of four (4) weeks' prior written notice, during normal business hours, and subject to confidentiality obligations and reasonable data minimisation measures. The Controller shall bear the cost of the audit unless the audit reveals material non-compliance by Licenseware, in which case Licenseware shall bear its own reasonable costs.

11.3 Any auditor engaged by the Controller must be bound by confidentiality obligations at least as protective as this DPA and must not be a competitor of Licenseware.

12. MSP-Specific Provisions

This Section 12 applies only to MSP Partners under Appendix 1G.

12.1 Controller → Processor → Sub-Processor chain. Where the Controller is an MSP Partner: (a) each End User Customer of the MSP Partner is the data controller of Personal Data relating to its own staff, devices and systems; (b) the MSP Partner is a data processor, processing Personal Data on behalf of each End User Customer; (c) Licenseware is a sub-processor, processing Personal Data on behalf of the MSP Partner in the course of providing the platform.

12.2 MSP Partner's DPA obligations. The MSP Partner must have a compliant Data Processing Agreement in place with each End User Customer prior to onboarding that customer. That DPA must accurately reflect the processing chain in Clause 12.1, incorporate this DPA's obligations (including Schedule 2), and not make commitments to End User Customers that conflict with this DPA.

12.3 Breach notification chain. Licenseware shall notify the MSP Partner within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting End User Customer data. The MSP Partner shall notify affected End User Customers in accordance with the MSP Partner's own DPA obligations and applicable law.

12.4 Sub-processor notification. Where the MSP Partner must notify its End User Customers of changes to sub-processors, the MSP Partner shall pass through Licenseware's sub-processor change notifications under Clause 6.2 to its End User Customers in a timely manner.

13. General

13.1 Governing law. This DPA is governed by and construed in accordance with the laws of Romania, as an EU member state. Each party irrevocably submits to the exclusive jurisdiction of the Romanian courts for any dispute arising out of or in connection with this DPA.

13.2 Order of precedence. In the event of any conflict between this DPA and the applicable Licenseware agreement, this DPA shall prevail to the extent of the conflict in relation to data processing matters only.

13.3 Updates. Licenseware may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Licenseware's technical architecture, or its Sub-Processor arrangements. Licenseware will notify Controllers of material changes with no less than thirty (30) days' prior notice by updating the published version at https://licenseware.io/legal/#data-protection-agreement and notifying registered contacts. Continued use of the Licenseware Products following the effective date of an update constitutes acceptance of the updated DPA.

13.4 Entire agreement on data processing. This DPA constitutes the entire agreement between the Parties with respect to the processing of Personal Data by Licenseware on behalf of the Controller and supersedes any prior data processing provisions embedded in earlier versions of Licenseware's agreements.

Schedule 1: Subject Matter, Nature, Purpose and Duration of Processing

Category	Details
Subject matter	Processing of personal data in the course of providing the Licenseware SAM/ITAM platform and associated services.
Nature of processing	Collection, storage, organisation, structuring, retrieval, use, disclosure by transmission, and erasure of personal data as necessary to provide the platform.
Purpose of processing	To provide the Licenseware Products and services in accordance with the applicable agreement and this DPA.
Duration	For the duration of the applicable agreement, and for such further period as may be required by applicable law.
Types of personal data	Identity and directory data (names, usernames, email addresses, job titles, organisational roles, account identifiers); device and endpoint data (device names, hardware identifiers, OS, compliance/ownership attributes); software installation and usage data; licence and entitlement data; SaaS and cloud application usage data; authentication and access data (SSO, directory service, identity provider records); business contact information.
Special categories	None.
Categories of Data Subjects	Employees, contractors, agents and authorised users of the Controller whose personal data is processed in the course of managing the Controller's software estate.
Additional instructions	As provided by the Controller in writing from time to time, provided such instructions are consistent with this DPA and Applicable Data Protection Law.

Schedule 2: Sub-Processor Register

As at April 2026. Licenseware will update this Schedule and notify Controllers of material changes in accordance with Clause 6.2.

Sub-Processor	Parent Company	Processing Role	Processing Locations	Legal Basis for Sub-Processing
Google Cloud Platform	Google LLC	Cloud infrastructure: compute, storage, networking, encryption key management, AI services	EU: Eemshaven, Netherlands · US: Iowa, United States · AU: Sydney, Australia	Google Cloud Terms of Service incorporating Google's Data Processing Addendum, including Standard Contractual Clauses for non-EU/EEA processing

All other platform components (databases, identity layer, observability stack, task queuing) are self-hosted within Licenseware's own GKE clusters on GCP infrastructure and do not constitute independent sub-processors.

Please read these Terms and Conditions carefully before using the https://licenseware.io/ website operated by Licenseware ("us", "we", or "our"). Your access to and use of the Service is conditioned on your acceptance of and compliance with these Terms.

License

Unless otherwise stated, Licenseware and/or its licensors own the intellectual property rights for all material on Licenseware. You must not: republish, sell, rent, sub-license, reproduce, duplicate, copy, or redistribute content from Licenseware, or attempt to reverse engineer any software contained on Licenseware's Website.

Links To Other Websites

Our Service may contain links to third-party websites or services that are not owned or controlled by Licenseware. Licenseware has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party websites or services.

Governing Law

These Terms shall be governed and construed in accordance with the laws of Romania, without regard to its conflict of law provisions.

Dispute Resolution

In the event of any dispute, the parties shall first attempt to resolve through good faith negotiation. If a resolution is not reached within sixty (60) days, the parties agree to enter into mandatory mediation in Bucharest, Romania, before escalating to litigation. Any unresolved dispute shall be submitted to the exclusive jurisdiction of the competent courts in Bucharest, Romania.

Changes

We reserve the right, at our sole discretion, to modify or replace these Terms at any time. By continuing to access or use our Service after those revisions become effective, you agree to be bound by the revised terms.

Contact Us

If you have any questions about these Terms, please contact us at [email protected]

1. Introduction

Licenseware Technology Services S.R.L. is incorporated at Independentei 1, Slobozia, Ialomita, 920095, Romania, VAT no RO42866470, company no J21/238/2021. This Privacy Policy applies to our website, social media, marketing campaigns, and use of our products and services.

2. Personal Information We Collect

We collect information you provide directly (name, business email, phone, company name), information collected automatically via cookies (access times, pages viewed, device and IP data), and information from third-party sources (name, email, job title, company, telephone).

3. How We Use Personal Information

We use your personal information to deliver contracted products and services, communicate with you, process payments, send product and marketing communications, carry out market research, and prevent fraud. We do not sell your information to any third party.

4. How We Share Personal Information

We share information with service providers bound by contractual confidentiality obligations, and may disclose it when required by law or as part of a corporate transaction. For more information, visit: https://help.licenseware.io/licenseware-security

5. How We Secure Personal Information

We use physical, administrative, and technical safeguards including encryption at rest and in transit, and have implemented best-practice standards aligned with internationally recognized security frameworks.

6. Your Rights

You may access, correct, delete, object to processing, restrict processing, or export your personal data. Contact us at [email protected] to exercise any of these rights.

7. Data Retention

We retain information as long as necessary to provide products and services, subject to legal obligations. Information no longer necessary may be de-identified or aggregated.

8. Data Processing Locations

We process data in Eemshaven, Netherlands (EU), Ashburn, Virginia (US), and Sydney, Australia (APAC), relying on legally-provided mechanisms for cross-border transfers including Standard Contractual Clauses.

9. Contact Information

Email: [email protected]

Licenseware Technology Services S.R.L. has a zero-tolerance approach to modern slavery and is committed to acting ethically and with integrity in all our business dealings. We are committed to ensuring transparency in our own business and in our approach to tackling modern slavery throughout our supply chains, consistent with our disclosure obligations under the Modern Slavery Act 2015.

This policy applies to all persons working for us or on our behalf in any capacity, including employees, directors, agency workers, volunteers, agents, contractors, and business partners.

Responsibility for the Policy

Licenseware has overall responsibility for ensuring this policy complies with our legal and ethical obligations. Management at all levels is responsible for ensuring those reporting to them understand and comply with this policy.

Compliance with the Policy

You must ensure that you read, understand, and comply with this policy. You must notify your line manager or a company Director as soon as possible if you believe or suspect that a conflict with this policy has occurred or may occur in the future.

Communication and Awareness

Training on this policy forms part of the induction process for all individuals who work for us. Our zero-tolerance approach must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship.

Breaches of this Policy

Any employee who breaches this policy will face disciplinary action, which could result in dismissal. We may terminate our relationship with other individuals and organizations working on our behalf if they breach this policy.

Purpose

Licenseware is committed to embedding sustainability and ESG (Environmental, Social, and Governance) principles into its operations as a fully remote, globally distributed SaaS company.

Scope

This policy applies to all employees, contractors, suppliers, and business partners engaged with Licenseware.

Commitments

• Sustainable Remote Work: Encourage energy-efficient home office practices and responsible e-waste disposal.
• Energy Efficiency in Cloud & Infrastructure: Partner with providers prioritizing renewable energy. Continuously optimize infrastructure to minimize unnecessary resource consumption.
• Travel & Events: Limit non-essential travel; prioritize virtual collaboration. Opt for sustainable transport and eco-certified venues when travel is necessary.
• Procurement & Partnerships: Favor environmentally responsible suppliers. Require ESG compliance criteria as part of vendor evaluation.
• Employee Engagement: Provide resources for sustainable living and working.
• Continuous Improvement: Annual review of ESG and sustainability goals. Transparent reporting on progress and challenges.

Accountability

Licenseware's leadership is responsible for ESG strategy and reporting, while every employee shares responsibility for embedding sustainability in daily practices.

This code of conduct sets the expectations for behavior and conduct of employees and stakeholders in our organization. Violation may result in disciplinary action, up to and including termination of employment or contract.

General Principles

• Treat everyone with respect, kindness, and professionalism.
• Avoid discriminatory, harassing, or offensive behavior.
• Respect the privacy and confidentiality of others.
• Uphold high ethical standards and integrity.

Communication

• Use respectful and professional language in all communication.
• Respond to communication in a timely manner.
• Use appropriate channels for different types of communication.
• Be clear and concise.

Collaboration

• Collaborate in a constructive and respectful manner.
• Respect the opinions and contributions of others.
• Offer and be open to constructive feedback.

Remote Work

• Maintain a professional and productive work environment.
• Adhere to work schedules and deadlines.
• Be responsive and available for virtual meetings.
• Maintain a healthy work-life balance.

Security

• Follow all security policies and procedures.
• Protect company assets, including intellectual property and sensitive information.
• Report any security incidents or concerns to the appropriate personnel.
• Use secure passwords and multi-factor authentication for all accounts.

Compliance

• Adhere to all applicable laws and regulations.
• Follow company policies and procedures.
• Report any compliance concerns to the appropriate personnel.
• Participate in compliance training and education.

Purpose

This policy establishes Licenseware's position on preventing bribery and corruption in all jurisdictions where the company operates, ensuring compliance with applicable laws and protecting the integrity of Licenseware's operations, partners, and clients.

Scope

This policy applies to all employees, contractors, founders, executives, advisers, partners, resellers, and any third parties acting on behalf of Licenseware.

Policy Statement

Licenseware prohibits any form of bribery, facilitation payment, kickback, improper advantage, or corrupt practice. No one representing the company may offer, promise, give, request, or accept anything of value intended to improperly influence a decision or secure an unfair business benefit.

Prohibited Conduct

• Offering or accepting cash or cash equivalents intended to influence business outcomes.
• Providing gifts, hospitality, or entertainment that exceed reasonable, customary, and lawful business standards.
• Granting discounts, services, or favourable terms that are not commercially justified.
• Using intermediaries to channel improper payments or benefits.
• Offering anything of value to public officials to influence official actions.
• Making facilitation payments to speed up routine governmental processes.

Gifts and Hospitality

Gifts and hospitality must be reasonable, infrequent, compliant with local laws, and never tied to expected business outcomes. Any questionable or high-value offer must be declared to the compliance lead and approved before acceptance or provision.

Third Parties

Distributors, resellers, partners, consultants, and contractors must comply with this policy. Licenseware will conduct risk-based due diligence and may terminate relationships where bribery or corruption risks are identified or not remediated.

Record Keeping

All financial transactions, expenses, and approvals must be recorded accurately and transparently. No off-book accounts or unreported funds are permitted for any purpose.

Reporting Concerns

Any suspected or actual bribery, corruption, or unethical conduct must be reported immediately to the compliance lead or through internal reporting channels. Retaliation against individuals who raise concerns in good faith is strictly prohibited.

Consequences of Non Compliance

Violations may result in disciplinary action, contract termination, legal penalties, and regulatory reporting. Licenseware will cooperate fully with lawful investigations into suspected misconduct.

Review

This policy will be reviewed annually and updated as necessary to remain aligned with legal requirements, business operations, and global compliance standards.