For the purposes of this Services Agreement, the following expressions shall have the meanings assigned below:

This Services Agreement establishes the overarching legal and commercial framework within which the Supplier and the Customer shall engage. Under this framework:

1. The Customer may formally request the Supplier to perform and deliver the Services described in the Order Form, subject to the terms and conditions of this Agreement; and
2. The Supplier agrees to perform, deliver, and make available such Services in accordance with this Agreement and any accompanying documents.

Every Service that the Customer wishes to procure shall be individually described in the relevant Order Form and, where applicable, any supporting Annex or Service Addendum. The Order Form shall specify all operational, commercial, technical, and delivery-related details relevant to that particular engagement.

If any conflict, inconsistency, or ambiguity arises between different components of the Services Agreement, and unless expressly stated otherwise, the documents shall take precedence in the following order:

1. The applicable Order Form, which always governs the specific engagement;
2. Any applicable Annex or Order Form Services Addendum, which may specify additional or service-specific terms; and
3. These Services Agreement Standard Terms, including any service-specific terms incorporated herein.

This ensures clarity in the interpretation of conflicting provisions and provides the Parties with a clear hierarchy of documents.

The Supplier and the Customer may mutually agree to execute one or more Order Forms over time. Each executed Order Form constitutes a separate and independent contractual engagement under this Services Agreement.

Although governed by the same overarching terms, each Order Form applies only to the specific Services described therein.

For this Services Agreement to be legally binding and enforceable:

• The applicable Order Form must be confirmed in writing; and
• The Order Form must be signed by authorised representatives of both Parties.

Once signed by both Parties, the Services Agreement becomes fully binding and cannot be cancelled except through the termination provisions detailed in Clause 13.

From the point of execution:

• All Fees, charges, and amounts specified in the Order Form become payable in accordance with this Agreement.
• The Supplier is authorised to begin performance of the Services on the Commencement Date or any other mutually agreed date.

Each Party represents and warrants to the other that:

1. It has full legal capacity and authority to enter into and perform its obligations under this Services Agreement.
2. This Agreement has been executed by an authorised representative who has the proper corporate or legal authority to bind the Party.
3. It is the lawful owner, or has obtained all required consents, authorisations, and permissions from the owner, for all systems, networks, premises, applications, and other assets identified in the Order Form.
4. It will comply with all Applicable Laws, including those related to data protection, cybersecurity, and industry-specific regulatory requirements.

This Services Agreement shall commence on the Commencement Date and shall continue in full force during the Initial Term, unless earlier terminated in accordance with Clause 13 (Termination).

Where the type of Service permits continued delivery beyond the Initial Term and unless the Order Form states otherwise the Agreement shall automatically renew for successive terms of the same duration as the Initial Term (each an "Extension Term"), unless:

• Either Party provides at least 60 days' prior written notice of non-renewal; or
• An alternative renewal period is expressly specified in the Order Form.

If a Party issues a notice of termination under clause 3.1:

• And no Services remain incomplete, the Agreement terminates automatically at the end of the notice period, but not before the expiry of the Initial Term or any Extension Term, as applicable.
• If any Services remain incomplete, then (unless agreed otherwise):
  • The Supplier must complete those Services; and
  • The Customer must pay for all completed or unavoidably incurred work.

If the Customer's own failure prevents completion, the Customer shall still be liable to pay for all Services performed or committed under the Order Form.

The Customer may request any Services covered under this Agreement by executing an Order Form. No Service becomes binding until the mutually agreed Order Form is signed by both Parties.

The Supplier shall commence delivery of the Services either on the Commencement Date or on any other date expressly stated in the Order Form. This may include staging, onboarding, platform access, or initial assessments where relevant.

The Supplier shall provide the Services, and any associated Deliverables, to the Customer for the duration of the Initial Term or any Extension Term. Where relevant, platform-based Deliverables will be made available via a valid bugtrack.xparth.com Licence.

Specifically:

1. Conformity with Order Form and Annex

Each Service and Deliverable shall be performed strictly in accordance with:

• The description provided in the Order Form
• Any applicable Annex or Addendum
• The service-specific procedures or methodologies referenced in this Agreement
2. Standard of Performance

The Supplier shall:

• Use Good Industry Practice,
• Apply reasonable care, skill, expertise, and diligence,
• Deliver the Services within the timelines set out in the Order Form or Annex, and
• Follow all applicable provisions contained in this Services Agreement.

This ensures a professional and competent standard of delivery.

3. Appointment of a Contact Person

Where the Supplier deems it necessary or beneficial, it may appoint a dedicated contact person, manager, or coordinator responsible for overseeing and facilitating the delivery of the Services. This individual will be assigned prior to commencement of the relevant Service.

4. Compliance with On-site Requirements

If the Supplier's personnel are required to access the Customer's premises:

• The Supplier shall comply with any communicated security, safety, and access requirements by Customer.
• However, the Supplier shall not be held liable for any failure to meet a contractual obligation if compliance with such requirements results in an unavoidable delay or interference with Service delivery.
5. Use of Subcontractors

The Supplier may, if necessary, engage subcontractors to assist in delivering the Services, provided that:

• Such subcontractors are engaged under terms consistent with this Agreement, and
• The Supplier has conducted adequate due diligence to confirm their skills, qualifications, and capability to perform the Services to required standards.

The Supplier remains responsible for the acts, omissions, and performance of appointed subcontractors.

The Customer acknowledges that its active cooperation is essential for the Supplier to successfully deliver the Services. Accordingly, the Customer shall:

1. Provide the Supplier with all necessary assistance, cooperation, and support relating to this Services Agreement, including any Order Form or Annex, as may be required for effective Service delivery. This includes timely access to relevant Customer personnel, systems, applications, and authorised representatives.
2. Provide the Supplier with complete, accurate, and timely access to all information, documentation, security configurations, credentials, environments, and technical data required to deliver the Services. This may include access to Customer staff, agents, systems, and data repositories.
3. Ensure that all Customer Equipment, including systems, networks, servers, software, and related infrastructure, complies with any specifications, restrictions, security requirements, or usage limitations issued by the Supplier from time to time, and conforms to all applicable security, technical, and information protection procedures required for the Services.

The Customer is solely responsible for maintaining a suitable and functional environment for the receipt and use of the Services, including:

• Stable and uninterrupted internet connectivity
• Properly functioning Customer Equipment
• Internal configurations required to interface with Supplier Deliverables

The Supplier shall not be liable for any failure, inefficiency, disruption, or misuse of the Services caused by deficiencies, incompatibilities, or failures within the Customer's own environment.

The Customer confirms it owns or is authorised to test all in-scope assets and provides safe harbour for actions performed within scope.

The Customer agrees that it shall not engage in any of the following activities:

1. Infringement of Intellectual Property Rights: The Customer shall not infringe, violate, or misuse any intellectual property rights owned or licensed by the Supplier.
2. Uploading or Distributing Malicious Content: The Customer shall not create, upload, store, transmit, or otherwise introduce into the Services or Deliverables:
   • malicious code
   • viruses, worms, Trojan horses
   • malware or harmful links
   • unlawful or confidential information
   • prohibited advertising or solicitations
   • or any material that disrupts, degrades, or harms the Services or encourages others to do so.
3. Reverse Engineering and Technical Manipulation: The Customer shall not attempt to:
   • copy, modify, or create derivative works
   • reverse engineer, decompile, disassemble
   • replicate or imitate user interfaces
   • use automated scripts, bots, or software to interact with the Services
   • extract data outside permitted methods or otherwise convert the Services or Deliverables into human-perceivable form in any unauthorised manner.

The Customer agrees to fully indemnify, defend, and hold the Supplier harmless against any loss, liability, damage, claim, cost, or expense arising out of or in connection with the Customer's breach of clause 5.3.

This indemnity applies regardless of whether the breach was intentional, negligent, or accidental.

The Customer further agrees it shall not:

1. Withhold information that may reasonably affect the Supplier's ability to deliver the Services, ensure security, or maintain platform integrity.
2. Use the Services to impersonate any person or misrepresent identity of any user or Customer representative.
3. Engage in unsolicited messaging, spam, or unauthorised mass communication using any Service or Deliverable.
4. Use the Services in a manner that, in the Supplier's reasonable judgment, falls outside the intended or authorised usage.
5. Engage in abusive, excessive, or unreasonable usage that significantly exceeds standard usage patterns and negatively impacts system performance or availability for other users.
6. Provide access to or use the Services or Deliverables for the benefit of any third party, except where explicitly stated in the Order Form.
7. Sell, resell, lease, rent, licence, sublicence, distribute, outsource, or otherwise commercially exploit the Services or Deliverables unless explicitly permitted in writing.
8. Use the Services or Deliverables for competitive analysis, benchmarking against non-Supplier offerings, or to build competing solutions.
9. Integrate the Services or Deliverables into Customer-developed products or use them for commercial gain or redistribution without Supplier's express written consent.

The Customer shall:

1. Cooperate with the Supplier in all matters reasonably required for the delivery of the Services.
2. Assign a contact person for the Services (as identified in the Order Form) who will coordinate with the Supplier.
3. Provide timely and cost-free access to Customer premises, infrastructure, data, staff, and facilities required for the Supplier to perform the Services.
4. Ensure that all documents, information, materials, credentials, and data provided to the Supplier are complete, accurate, up-to-date, and delivered promptly.
5. Inform the Supplier of all health, safety, and security policies applicable on Customer premises.
6. Ensure that all Customer Equipment is properly maintained, fit for purpose, and compliant with applicable laws and standards.
7. Obtain and maintain all necessary licences, permissions, and consents required for the Supplier to legally deliver the Services.
8. Participate in a periodic service review, if requested by the Supplier, once every six months or at another reasonable interval.
9. For Services involving bugtrack.xparth.com, appoint Users in accordance with the number of licences purchased, and ensure only authorised Users access the platform.

If the Supplier's performance is delayed, hindered, or prevented due to any act or omission of the Customer or any third-party acting on its behalf, then:

• The Supplier shall be entitled to an extension of time equal to the duration of the delay;
• The Supplier may, at its discretion, extend the timeline further if reasonably required; and
• The Supplier shall not be liable for any failure or delay caused by Customer's non-performance.

Both Parties shall maintain appropriate business continuity and disaster recovery measures to minimise disruptions to the Services.

In the event of an unforeseen interruption, the Customer must take all reasonable steps and cooperate fully with the Supplier to ensure continuity of the Services.

Neither Party shall, without the prior written consent of the other Party, at any time during the provision of the Services and for a period of 12 months following the completion of such Services:

• Solicit, induce, encourage, or attempt to entice away any employee, consultant, subcontractor, or personnel engaged by the other Party;
• Offer employment, contract, consultancy, or engagement to any such individual;
• Interfere with the employment or contractual relationship between the other Party and its personnel.

This restriction applies whether the approach is direct or indirect, intentional or unintentional, and whether carried out personally or through an intermediary.

Either Party may, from time to time, propose modifications to the scope, specification, or execution details of the Services. However, no such proposed change shall take effect unless a formal Order Form Services Addendum is mutually agreed in writing by both Parties.

The Order Form Services Addendum shall:

• Reference the relevant Order Form;
• Clearly detail the requested changes;
• Specify the impact of such changes on:
  • the Services,
  • the Fees,
  • the delivery timelines,
  • resource requirements, and
  • any other term of the Order Form or this Agreement.

The Addendum may be executed as a document or, where the Supplier expressly permits, via written email confirmation.

If the Supplier determines that a material change to any Service is necessary whether due to technical requirements, regulatory obligations, operational factors, or other reasons, the Supplier shall prepare and submit a draft Order Form Services Addendum for the Customer's review and approval.

Should the Customer require modifications to the Services, it shall:

• Notify the Supplier in writing,
• Provide all details reasonably needed by the Supplier to assess the change, including timing and scope, and
• Cooperate with the Supplier during the evaluation process.

The Supplier shall, within a reasonable time after receiving complete information, prepare and deliver a draft Order Form Services Addendum to the Customer.

Once both Parties mutually approve the changes, the Order Form Services Addendum must be signed.

Upon execution:

• The Addendum immediately becomes part of, and amends, the applicable Order Form.

If the Parties are unable to reach agreement on the proposed changes:

• Either Party may request termination of the specific affected Service;
• Such termination shall take effect on a mutually agreed date;
• Termination of one Service shall not affect the Customer's obligation to pay outstanding Fees already due or accrued up to the termination date.

In consideration of the Supplier allocating the necessary personnel, infrastructure, and resources for the delivery of the Services, the Customer shall pay all applicable Fees specified in the Order Form.

This applies even if Services cannot be delivered due to the Customer's failure to comply with its obligations under this Agreement.

Unless otherwise specified in the Order Form:

• The Supplier will raise an invoice either in accordance with the schedule defined in the Order Form, or
• Immediately upon the Commencement Date of the Order Form, with payment due within 30 days of the invoice date.

All Services ordered are payable in full.

Except where expressly agreed in writing:

• Any Services not utilised by the Customer during the Initial Term or any Extension Term will expire, and
• The Customer shall not be entitled to any refund, credit, or carryover.

The Fees do not include reimbursable expenses. The Customer shall pay, monthly in arrears, the following items (provided the Supplier has obtained prior written approval, not to be unreasonably withheld):

1. Actual costs incurred for travel, lodging, local conveyance, subsistence, and similar expenses incurred by Supplier personnel during the provision of Services.
2. Costs of any third-party products, materials, or services procured by the Supplier specifically for the Customer's benefit, where such items and costs have been pre-approved in writing.
3. Costs reasonably deemed necessary by the Supplier in emergencies or critical scenarios, provided prior cost notification has been given to the Customer.

The Fees do not include charges arising from cancellations or delays attributable to the Customer. Where the Customer cancels or reschedules scheduled Services:

1. Between 7 and 14 days prior to the scheduled start date → 50% of the applicable Service Fees become payable;
2. Within 7 days of the scheduled start date → 100% of the applicable Service Fees become payable.

These charges compensate for committed personnel, infrastructure, and scheduling resources.

The Supplier may revise the Fees annually, effective on each anniversary of this Agreement. The increase will be:

1. The higher of 5% or
2. The percentage increase in the Consumer Price Index (CPI) during the preceding 12-month period.

The Supplier may elect to apply the first increase on the first anniversary of this Agreement.

During the Initial Term or any Extension Term, the Supplier may increase the Fees with 30 days' prior written notice if new taxes, levies, duties, regulatory costs, or government-imposed expenses are introduced or increased and impact the cost of providing the Services.

The Supplier shall raise invoices:

1. As set out in the Order Form; or
2. As specified in this Agreement; or
3. As mutually agreed in writing between the Parties.

The Customer shall pay all invoices as follows:

1. Within 30 days of the invoice date, unless the Order Form specifies otherwise;
2. Immediately upon receipt if paid via credit card;
3. Via direct debit, where approved, with payments taken 14 days from the invoice date;
4. In advance, where the Customer's creditworthiness does not meet the threshold required for the total contract value.

If the Customer fails to pay any amount by the due date:

1. All outstanding and future sums due under this Agreement immediately become payable.
2. If payment remains outstanding for more than 10 days, the Supplier may suspend or cancel some or all Services until full payment is received, without prejudice to any other rights or remedies.

All amounts payable under this Agreement:

1. Are exclusive of GST.
   The Customer shall additionally pay GST at the applicable rate upon receipt of a GST-compliant invoice.
2. Must be paid in full without any set-off, deduction, counterclaim, or withholding, except where tax withholding is expressly required by Indian law.

Amounts under this clause are expressly excluded from the Force Majeure provisions clause 15.

1. Ownership:

The Supplier and its licensors shall retain full and exclusive ownership of all Intellectual Property Rights ("IPRs") in the Services, the Deliverables, all related materials, and all proprietary methods, tools, scripts, processes, or techniques used in providing the Services. This excludes Customer Materials, which remain the property of the Customer.

2. Licence to Customer:

The Supplier grants the Customer a fully paid-up, non-exclusive, worldwide, royalty-free, revocable licence for the duration of this Services Agreement to reproduce, store, and modify the Deliverables solely for the Customer's internal use and only for the purpose of receiving and using the Services in its business.

3. Restrictions:

The Customer shall not sublicence, transfer, assign, or otherwise grant rights in the Deliverables to any third party unless expressly authorised in advance in writing by the Supplier.

1. Ownership

The Customer and its licensors shall retain full ownership of all IPRs in the Customer Materials provided to the Supplier.

2. Licence to Supplier

The Customer grants the Supplier a fully paid, non-exclusive, royalty-free, non-transferable licence to copy, use, modify, and process the Customer Materials:

• for the duration of this Agreement; and
• thereafter, only to the extent required by law; solely for the purpose of performing the Services.

1. Non-infringement Warranty

The Supplier warrants that the Customer's lawful receipt and permitted use of the Services and Deliverables shall not infringe any third-party IPR.

2. Indemnity

Subject to Clause 12 (Limitation of Liability), the Supplier shall indemnify the Customer against all direct losses, damages, expenses, and liabilities arising out of any claim that the Customer's authorised use of the Services or Deliverables infringes a third party's IPR.

3. Exceptions to Warranty and Indemnity

The Supplier shall not be in breach of the warranty under clause 9.3(a), and the Customer shall have no claim under the indemnity at clause 9.3(b), to the extent that any alleged infringement arises from any of the following. Accordingly, the Supplier shall not be responsible, and the Customer shall not be entitled to make any claim under this clause, where the alleged infringement results from:

1. Customer specifications or instructions: When the Deliverables or Services are created or configured in accordance with Customer instructions and such infringement could not have been avoided while following those instructions. The Supplier will notify the Customer if it believes such instructions may lead to an infringement.
2. Customer Materials: Any infringement arising from the use, inclusion, or integration of Customer Materials.
3. Unauthorised modifications: Any modification, alteration, or combination of the Deliverables or Services by the Customer or by any third party not authorised by the Supplier.

1. Customer Warranty

The Customer warrants that all Customer Materials provided for use in connection with the Services do not breach or infringe any third-party rights, including but not limited to IPR.

2. Customer Indemnity

The Customer shall indemnify and hold the Supplier (and its employees, agents, subcontractors, and consultants) harmless against all liabilities, damages, losses, and expenses resulting from any claim relating to the actual or alleged infringement of third-party IPR caused by the Supplier's use of Customer Materials.

Where an indemnity under clause 9 applies:

1. Notification: The Indemnified Party shall promptly notify the Indemnifying Party in writing of any IPR claim it intends to rely upon.
2. Conduct of Defence: The Indemnifying Party may, at its own cost, assume control of the defence and settlement negotiations, provided that any settlement receives the prior written approval of the Indemnified Party (not to be unreasonably withheld or delayed).
3. Assistance: The Indemnified Party shall provide reasonable cooperation and assistance in defending the claim, with the Indemnifying Party reimbursing reasonable related costs.
4. No Admissions: The Indemnified Party shall not admit liability or settle any IPR claim without prior consultation with the Indemnifying Party.

The Customer grants the Supplier a non-exclusive, revocable, royalty-free licence to use the Customer's name and logo for marketing purposes, including testimonials, case studies, and client listings, provided that any usage is accurate, not misleading, and the Customer may withdraw such consent at any time with written notice.

Terms such as "personal data," "data fiduciary," "data processor," "processing," "data principal," and "personal data breach" carry the meanings assigned to them under the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and any rules issued thereunder.

Both Parties shall comply at all times with all Applicable Data Protection Laws. This clause applies in addition to (and does not replace or reduce) either Party's statutory obligations under the DPDPA 2023 or any other applicable Indian legislation.

The Customer expressly consents to the Supplier's processing of Customer Personal Data in accordance with:

• This Agreement, and
• The Supplier's current Privacy Policy, available at: https://www.xparth.com/privacy-policy

In the event of a conflict between the Privacy Policy and this Agreement, the Privacy Policy shall prevail with respect to data protection matters.

The Customer is responsible for securing all necessary consents from its personnel, agents, users, and representatives for the lawful transfer and processing of their personal data by the Supplier.

The Customer shall ensure that:

• All necessary notices, permissions, and authorisations for lawful transfer of Customer Personal Data to the Supplier are in place; and
• Personal data shared with the Supplier is processed lawfully in accordance with Indian data protection laws.

The Supplier shall:

1. Process Data Only on Customer Instructions: Process Customer Personal Data only on documented instructions from the Customer, except where required by Applicable Law. If such law prohibits notification to the Customer, the Supplier may process the data accordingly.
2. Security Measures: Implement and maintain appropriate technical and organisational safeguards to protect Customer Personal Data from unauthorised access, breach, destruction, or alteration.
3. Confidentiality: Ensure that only authorised personnel bound by confidentiality obligations process Customer Personal Data.
4. Assistance with Regulatory Compliance: Assist the Customer (where reasonably possible and at Customer's cost) in meeting obligations relating to security incidents, data subject requests, impact assessments, and consultations with regulators.
5. Breach Notification: Notify the Customer without undue delay upon discovering a personal data breach affecting Customer Personal Data.
6. Deletion or Return of Data: Upon termination of the Services Agreement, delete or return Customer Personal Data unless retention is required by law. Data will be deemed deleted when irreversibly rendered inaccessible.
7. Data Minimisation: Process personal data only for as long as necessary for the lawful purpose of processing and follow applicable industry rules (including PCI DSS) regarding data retention restrictions.
8. Audit Rights: Maintain records demonstrating compliance with this clause 10 and permit reasonable audits by the Customer once per year upon written notice.

Customer provides its prior, general authorisation for Supplier to:

1. Appointment of Processors

The Customer provides general prior authorisation for the Supplier to appoint sub-processors, provided the Supplier:

• Ensures such processors are subject to obligations similar to those of the Supplier;
• Remains fully liable for their acts and omissions.
2. Transfers Outside India

The Customer authorizes the Supplier to transfer Customer Personal Data outside India where necessary for the provision of Services, provided such transfers comply with the DPDPA 2023 and any governmental restrictions or notifications.

The Customer shall promptly provide all necessary cooperation, information, or documentation required to lawfully effect such transfers.

Either Party may, with at least 30 days' written notice, require that this clause be replaced with any mandatory standard contractual clauses or government-issued templates applicable under the DPDPA 2023.

The Supplier's liability for all losses arising under this clause shall be subject to, and limited by, the provisions of Clause 12 (Limitation of Liability).

Each Party undertakes that it shall not, at any time during the term of the Services Agreement or thereafter, use or disclose to any third party any Confidential Information belonging to the other Party or any member of its corporate group, except as expressly permitted under clause 11.2.

Confidential Information shall be used solely for the performance of obligations and exercise of rights under this Services Agreement.

Each Party may disclose Confidential Information:

1. To Authorised Personnel

To its employees, officers, directors, advisers, representatives, contractors, or subcontractors who have a strict need to know the information for fulfilling the Party's obligations or exercising its rights under the Services Agreement, provided that:

• such persons are bound by confidentiality obligations no less strict than those set out in this clause 11; and
• the disclosing Party remains responsible for compliance with this clause 11 by such persons.
2. As Required by Law

Where disclosure is required by:

• applicable law,
• a government authority,
• any regulatory authority, or
• an order of a court of competent jurisdiction.

Where legally permissible, the disclosing Party shall notify the other Party before such disclosure.

No Party shall use the other Party's Confidential Information for any purpose other than:

• exercising its rights, or
• performing its obligations under the Services Agreement.

Confidential Information shall not be used to gain commercial advantage, create competing services, or harm the other Party.

References to "liability" in this clause 12 include all forms of liability arising under or in connection with the Services Agreement including, without limitation:

• contractual liability,
• tortious liability (including negligence),
• misrepresentation (whether negligent or otherwise),
• indemnity liability,
• statutory liability, and
• restitution-based claims

This is subject always to clause 12.3 (liabilities that cannot be legally limited).

Nothing in this Agreement shall in any way limit, restrict, or reduce the Customer's obligation to pay Fees or other sums due under this Agreement. Payment obligations are absolute and unconditional.

Nothing in this Agreement excludes or limits liability for:

1. death or personal injury caused by negligence;
2. fraud or fraudulent misrepresentation; or
3. any liability that cannot be legally excluded under applicable Indian law, including criminal liability proven under an applicable criminal statute.

Subject always to clause 12.3 and clause 12.6:

• The maximum aggregate liability of either Party to the other Party for all claims arising during the term of this Agreement shall not exceed the Fees paid in the 12-month period immediately preceding the event giving rise to the claim, or
• where less than 12 months have elapsed since the Commencement Date, the amount equivalent to 12 months of Fees, calculated pro rata.

This limit applies per claim and in aggregate for all claims.

Subject to clause 12.2 and clause 12.3, the following categories of loss are expressly excluded, whether direct, indirect, special, incidental, or consequential:

• loss of profits;
• loss of revenue or goodwill;
• loss of business opportunity, contracts, or agreements;
• loss of business or anticipated savings;
• depletion of goodwill or reputation-related losses;
• pure economic loss;
• any indirect, consequential, exemplary, special, or punitive damages, costs, expenses, or losses of any kind arising in any manner.

These exclusions apply regardless of foreseeability or whether the Supplier was advised of the possibility of such losses.

The total liability of each Party to the other for breaches of the following obligations:

• Clause 9 (Intellectual Property Rights),
• Clause 10 (Data Protection),
• Clause 5.3 and 5.4 (Customer indemnities), and
• Clause 11 (Confidentiality),

shall be strictly limited to an aggregate cap of INR 15,00,000 (Fifteen Lakhs Only).

The Customer acknowledges that certain Services specially security testing, scanning, assessments, or other technical engagements carry inherent risks, which may include:

• corruption of data,
• temporary system unavailability,
• loss of stored information, or
• operational disruption.

The Customer agrees:

• To fully back up all relevant data before the commencement of any Service; and
• That the Supplier shall not be liable for any data loss or corruption except where expressly provided otherwise in this Agreement.

To the maximum extent permitted by law, the Supplier disclaims all express, implied, or statutory warranties not expressly stated in this Agreement, including warranties relating to:

• merchantability,
• satisfactory quality,
• fitness for a particular purpose,
• non-infringement,
• error-free operation, or
• uninterrupted service.

The Customer is solely responsible for evaluating the suitability of the Services for its specific business needs.

The Customer warrants that:

• it has full authority and capacity to instruct the Supplier to perform the Services; and
• it shall not hold the Supplier responsible for any breach of the Information Technology Act, 2000, the rules and regulations issued thereunder, or any other Indian laws arising from the Customer's failure to comply with its own legal obligations.

Except as expressly provided in this Agreement:

• all Services described in the Order Form are provided on an "as is" and "as available" basis;
• the Supplier shall not be liable for any issues outside the express terms of this Agreement; and
• no implied obligations, warranties, or representations shall apply.

Either Party may terminate the Services Agreement with immediate effect, without any obligation to pay compensation or damages solely arising from such termination, by issuing a written notice to the other Party if one or more of the following events occur:

1. The other Party commits a material breach of any provision of the Services Agreement and:
   • the breach is incapable of being remedied, or
   • where capable of remedy, the defaulting Party fails to rectify such breach within 30 (thirty) days from the date it receives a written notice specifying the breach and requiring its correction.
2. The other Party:
   • suspends or threatens to suspend payment of its debts,
   • is unable to pay its debts as they become due,
   • admits inability to pay its debts,
   and in case of a company or LLP, is deemed unable to pay its debts in accordance with the provisions of the Insolvency and Bankruptcy Code, 2016 (IBC), including circumstances permitting initiation of a corporate insolvency resolution process under Sections 7, 9 or 10 of the IBC;
   or in the case of an individual or partnership, becomes subject to individual insolvency processes under the IBC, or has any partner to whom any of the circumstances listed above apply.
3. The other Party initiates negotiations with all or a class of its creditors to reschedule or restructure any of its debts, or proposes or enters into any compromise or arrangement with its creditors, other than for a solvent amalgamation or a solvent restructuring.
4. A petition, notice, resolution, or order is made for the winding-up of the other Party (if it is a company), other than for a solvent amalgamation or reconstruction.
5. An application is filed before a court/tribunal for appointment of an administrator, insolvency professional, or similar office-holder over the business of the other Party, or an administrator is appointed.
6. A holder of a qualifying floating charge over the assets of the other Party (being a company) becomes entitled to appoint, or actually appoints, an administrative receiver.
7. Any person becomes entitled to appoint a receiver over all or any part of the assets of the other Party, or such a receiver is appointed.
8. Any creditor or encumbrancer attaches, seizes, or takes possession of any part of the other Party's assets, or any distress, execution, sequestration or similar proceeding is initiated and not released within 14 (fourteen) days.
9. Any event occurs in any applicable jurisdiction that is equivalent or similar to any of the circumstances described in clauses 13.1(b) to 13.1(h).
10. The other Party suspends, ceases, or threatens to suspend or cease, the conduct of all or a substantial part of its business operations.

For the purposes of clause 13.1(a) material breach means a breach (including an anticipatory breach) that significantly affects the benefit, value, or performance the non-breaching Party is entitled to receive under the Services Agreement, in respect of a substantial portion of the obligations.

Without prejudice to any other rights or remedies available, the Supplier may terminate the Services Agreement with immediate effect by issuing written notice if:

• the Customer commits a material breach of this Services Agreement or any other order form/service agreement entered with the Supplier, or
• the Customer fails to make any payment due under any agreement with the Supplier by the due date and remains in default for over 30 (thirty) days after receiving a written reminder.

All outstanding fees due under the Services Agreement shall remain payable.

If the Supplier issues a 90-day prior written notice to the Customer regarding any material modification to the Standard Terms (as referred under clause 17), and such updated terms cannot be accepted by the Customer due to applicable law or prevailing policies, the Customer may issue a written notice of termination within 30 days of receiving such intimation.

All fees due and payable for services delivered up to the termination date shall remain payable in full.

Upon termination or expiry of the Services Agreement (unless otherwise expressly stated):

• All licences, access rights, and entitlements granted to the Customer to use the Services and/or the bugtrack.xparth.com platform shall immediately cease.
• The Customer must return all Supplier-owned equipment in its possession and permanently delete/destroy all copies of Supplier Confidential Information.
• The Supplier shall likewise destroy all copies of Customer Confidential Information, except where retention is required under applicable Indian laws.
• The Customer shall immediately settle all unpaid invoices for services rendered up to the effective date of termination.
• Where the Customer has not terminated due to Supplier's material breach, the Supplier may issue a final invoice for services delivered but not yet invoiced, which shall become payable upon receipt.

Upon termination due to Supplier's material breach, or upon normal expiry:

• Any active Order Form shall continue until the completion of its respective services, unless the Customer reasonably requests otherwise.
• Any clause of the Services Agreement that is intended expressly or by implication to survive termination or expiry shall remain fully enforceable.
• Termination or expiry shall not affect any rights, remedies, obligations, or liabilities accrued up to the termination/expiry date, including the right to claim damages for breach existing prior to termination.

A Force Majeure Event refers to any event or circumstance that is beyond the reasonable control of a Party (other than the Customer's obligation to make payments), which prevents or materially delays the performance of its obligations under this Services Agreement. Such events include, without limitation:

1. natural events or "acts of God" such as flood, drought, earthquake, cyclone, or any other natural disaster;
2. epidemics, pandemics, or any government-imposed lockdowns, restrictions, or directions arising from public health emergencies;
3. acts of terrorism, cyber-attacks, civil disturbances, riots, war (whether declared or not), preparation for war, armed conflict, imposition of sanctions, embargoes, or severance of diplomatic relations;
4. nuclear, chemical, biological contamination or sonic boom;
5. any statute, order, regulation, directive, or action by any governmental or public authority including export/import restrictions, prohibitions, quotas, denial of licences, or failure to grant mandatory approvals;
6. collapse of buildings, fire, explosion, or any major accident;
7. labour unrest including strikes, lockouts, industrial disputes or trade disputes (excluding events initiated by the Party relying on this clause or its group companies);
8. default, failure, or non-performance by suppliers or subcontractors (excluding entities within the same group as the Party relying on this clause);
9. disruption, failure, or interruption of utility services such as electricity, water supply, or telecommunications.

If a Party ("Affected Party") is prevented, hindered, or delayed in fulfilling its obligations under this Services Agreement due to a Force Majeure Event, and has complied with clause 15.4, such non-performance or delay shall not be considered a breach of the Services Agreement, nor shall the Affected Party be held liable for the consequences arising from such delay.

To the extent the Affected Party's obligations are suspended or delayed due to a Force Majeure Event, the corresponding obligations of the other Party shall also be suspended and the timeline for performance shall be extended proportionately.

The Affected Party shall:

1. notify the other Party in writing as soon as reasonably practicable, and in any case within ten (10) days from the commencement of the Force Majeure Event. The notice must include details of:
   • the date on which the Force Majeure Event began,
   • its likely or potential duration, and
   • how the Force Majeure Event is affecting the Affected Party's performance of its obligations;
2. take all reasonable steps and make reasonable efforts to mitigate the impact of the Force Majeure Event and resume performance of its obligations as soon as reasonably possible.

If the Affected Party is unable to perform its obligations for a continuous period exceeding six (6) weeks due to a Force Majeure Event, the non-affected Party may terminate this Services Agreement by issuing 21 days' prior written notice to the Affected Party.

The Customer shall not assign, transfer, mortgage, charge, subcontract, delegate, create any trust over, or otherwise deal with any of its rights or obligations under this Services Agreement without obtaining the Supplier's prior written consent. Such consent shall not be unreasonably withheld.

The Supplier may assign, mortgage, charge, delegate, novate, or otherwise transfer any of its rights under the Services Agreement. However, the Supplier shall not transfer or novate its rights and obligations to another service provider without giving prior written notice to the Customer.

If any provision or part of a provision within this Services Agreement is determined to be invalid, illegal, or unenforceable under applicable law, that specific part shall be treated as severed and deemed deleted. Such deletion shall not affect the validity or enforceability of the remaining provisions of this Services Agreement, which shall continue in full force.

If any provision or part-provision is severed pursuant to clause 20.1, the Parties shall, in good faith, negotiate a revised provision that achieves, as closely as possible, the original commercial intent and purpose of the deleted provision.

This Services Agreement constitutes the full and final understanding between the Parties with respect to its subject matter. It supersedes and extinguishes all prior agreements, communications, negotiations, assurances, promises, warranties, and representations whether written, oral, or implied by conduct relating to the same subject matter.

Each Party acknowledges and agrees that it has not relied upon, and shall have no remedy concerning, any statement, representation, assurance, or warranty (whether made innocently or negligently) that is not expressly included in this Services Agreement.

Each Party further agrees it shall not bring any claim for negligent or innocent misrepresentation or misstatement relating to any term outside this Services Agreement.

Nothing in this Services Agreement shall be interpreted as creating or implying a partnership, joint venture, or association between the Parties. Neither Party shall be considered an agent, representative, or fiduciary of the other.

Unless expressly permitted in writing, neither Party is authorised to make commitments, enter into contracts, or create obligations on behalf of the other Party. Each Party confirms it is acting solely for its own benefit and not on behalf of any third person.

Any notice, request, consent, or other communication under this Services Agreement shall be in writing and may be delivered by:

• email,
• hand-delivery, or
• tracked courier or postal service

to the recipient's registered office address (if a company) or principal place of business (in all other cases).

Any notice shall be deemed to have been received:

1. in case of email, at the time of transmission, provided no delivery failure or bounce-back notification is received;
2. if delivered by hand, at the time the notice is left at the proper address; or
3. if sent tracked and signed-for delivery by national courier, at the time such courier confirms delivery.

This clause does not apply to the service of legal proceedings, arbitration notices, or any documents required to be served under formal dispute-resolution mechanisms.

A notice is deemed valid once it is received in accordance with this clause, irrespective of whether the recipient acknowledges it.

This Services Agreement shall be governed by and construed in accordance with the laws of India, without regard to conflicts-of-law principles.

Any dispute arising out of or relating to this Services Agreement, which cannot be resolved through good-faith discussions between the Parties, shall be submitted to binding arbitration under the Arbitration and Conciliation Act, 1996 (as amended).

• The arbitration shall be conducted by a sole arbitrator, mutually appointed by the Parties.
• If the Parties cannot agree, the arbitrator shall be appointed in accordance with the Act.
• The seat and venue of arbitration shall be Bengaluru, India.
• The arbitration proceedings shall be conducted in English.

The Supplier shall conduct penetration testing ("Penetration Testing Services") to assess the Customer's systems, applications, and infrastructure for security weaknesses. The assessment may include based on the scope agreed between the Parties, testing of:

• critical external or internal assets,
• APIs,
• web applications,
• mobile applications,
• cloud environments,
• wireless networks,
• AI & next-gen security,
• source code review,
• container & kubernetes, and/or
• CI/CD pipeline

All testing shall be performed by qualified and experienced penetration testers using industry-recognised methodologies.
Upon completion of the testing, the Supplier shall provide the Customer with a detailed report, available in both online and downloadable formats, within five (5) Business Days of the test's completion, or such later date as may be communicated to the Customer with reasonable justification.

The Supplier shall provide phishing simulation services ("Phishing Simulation Services") designed to assess and enhance the Customer's organisational resilience against social engineering and email-based cyber threats.
The Services may include, based on the configuration and options selected by the Customer:

• simulated phishing campaigns,
• spear-phishing simulations,
• attachment-based or link-based phishing templates,
• credential harvesting simulations,
• awareness assessments,
• behavioural tracking and reporting, and
• automated training assignments based on user responses.

The purpose of the Phishing Simulation Services is to evaluate employee awareness, identify vulnerabilities in human-centric security controls, and support the Customer in developing an improved security culture.

All simulations shall be delivered through the Supplier's phishing simulation platform and aligned with industry best practices in security awareness testing.

Upon completion of each simulation campaign, the Supplier shall provide the Customer with an online results dashboard and downloadable reports detailing user interactions, high-risk behaviours, and recommended remediation measures.