This product schedule (“Product Schedule”) is governed by and incorporated into the Platform and Support Agreement between ReliaQuest and Customer (“Agreement”). Subject to the Agreement, the terms and conditions in this Product Schedule apply to the ReliaQuest Products identified in the applicable Order between ReliaQuest and Customer. Capitalized terms used in this Product Schedule and not otherwise defined herein will have the meaning given to such terms in the Agreement or the Ongoing Enablement description.

1. GreyMatter.

The Specifications for GreyMatter are set forth in this Product Schedule as follows:

1.1. GreyMatter Respond (formerly GreyMatter Automate) is the component of GreyMatter that integrates with Customer’s in-scope GreyMatter Integration to enrich, contain or remediate threats using configured plays and playbooks. GreyMatter Respond may allow for automated remediation of threats or other actions involving GreyMatter Integrations. There is an inherent risk in activating automated features of GreyMatter that such features may take actions not initially intended or foreseen. As a result, Customer should not use GreyMatter Respond in a hazardous environment or in connection with other technologies or applications in which unintended or unforeseen automated action could cause personal injury or property damage.

1.2. GreyMatter Detect is the component of GreyMatter that supports the Security Tool Content methodology and lifecycle to accelerate or enhance Customer’s threat detection capabilities with Customer’s in-scope and eligible GreyMatter Integration.

1.3. GreyMatter Health is the component of GreyMatter that supports real-time monitoring of Customer’s in-scope GreyMatter Integration.

1.4. GreyMatter Intel is the component of GreyMatter that supports threat intelligence automation, aggregation, normalization, and dissemination of machine-readable threat intelligence. GreyMatter Intel may support accessing or using third-party websites or content (including external hyperlinks, web forums, dark-web search results, defined files, file hashes, commands, digital artifacts, and other threat intelligence information and materials).  The websites and content are obtained from a variety of sources, which may include known threat actors, and ReliaQuest does not produce or control such websites or content.  The websites or content may be subject to third-party intellectual property, privacy, publicity, or other proprietary rights and may contain or consist of defamatory, obscene, abusive, malicious (such as viruses, malware, ransomware, or other Malicious Code), potentially harmful, or otherwise objectionable content.  The websites and content are provided “AS-IS,” “AS AVAILABLE,” with “ALL FAULTS,” and otherwise subject to the disclaimer of warranties in the Agreement.  ReliaQuest has no support obligations with respect to the websites or content and does not commit to the ongoing availability of such websites or content.  Any access or use of the websites or content may be subject to additional terms of use, privacy notices, and other licenses or restrictions.  If Customer accesses or uses the websites or content, or their sources, Customer does so at its own risk and assumes all risk associated with such access and use.  ReliaQuest does not endorse, is not responsible for, and shall not be liable for the behavior or features of the websites or content, any harm or damages caused by such websites or content, or any reliance placed on the completeness, accuracy, or veracity of such websites or content.

1.5. GreyMatter Investigate is the component of GreyMatter that supports the triage and analysis of Security Tool Content.

1.6. Reporting is any tangible and intangible reports provided by ReliaQuest to Customer with respect to GreyMatter or the Ongoing Enablement provided by ReliaQuest, including any reports provided by ReliaQuest utilizing ReliaQuest’s proprietary model index reporting capabilities.

2. Add-On Products.

To the extent that one or more of the following Add-On Products are specifically identified in an Order, the Specifications for the applicable Add-On Products are set forth in this Product Schedule as follows:

2.1. GreyMatter Digital Risk Protection is a sub-component of GreyMatter Intel that supports the detection or identification of data loss or brand impersonation and the monitoring of Customer’s web and digital attack surface. GreyMatter Digital Risk Protection may reveal to you information obtained from third parties or publicly-available sources, including dark-web search results, possible data leaks (and their contents) and other disreputable information. GreyMatter Digital Risk Protection is subject to the same warning and disclaimer applicable to GreyMatter Intel.

2.2. GreyMatter Hunt is the component of GreyMatter that supports threat hunting potentially leveraging data from Customer’s in-scope GreyMatter Integration.

2.3. GreyMatter Verify is the component of GreyMatter that allows Customer to test the effectiveness of Customer’s cybersecurity tools and content by simulating malicious and/or anomalous activity within Customer’s digital environment. GreyMatter Verify may cause Customer’s cybersecurity tools and content to interpret simulated activity as a legitimate threat or malicious activity, which may cause such tools or content to respond with automated actions with respect to Customer’s systems and network. As a result, ReliaQuest shall have no liability to Customer with respect to any simulated attacks or other actions taken through GreyMatter Verify, except to the extent any damages caused result from ReliaQuest’s gross negligence or intentional misconduct. ReliaQuest specifically disclaims any and all liability caused by a simulated attack (including, but not limited to, any damages, losses, or expenses of

any kind related to system downtime, damage, data corruption, or data loss), except to the extent resulting from ReliaQuest’s gross negligence or intentional misconduct.

2.4. GreyMatter Phishing Analyzer is a Service Tool that ReliaQuest may leverage to investigate user reported emails to identify malicious email threats and campaigns attempting to infiltrate an organization.

2.5. Managed Takedown Services are end-to-end management of takedown requests across the available risk categories including identification of targets, preparation and filing of takedown request forms, status monitoring and management of the removal or blocking action, and confirmation of takedown. Examples may include cease and desist requests, including DMCAISP/host level content suspension; registrar level domain suspension; registry level domain suspension; and/or domain takedown.

2.5.1. Customer shall promptly provide to ReliaQuest the following information required for Managed Takedown Services: (a) reasonably required letter of authorization to ReliaQuest, its agents or its third-party supplier to pursue enforcement (a sample of which will be provided upon request); and (b) registration details for user accounts of websites/platforms and any other information or documents reasonably requested by ReliaQuest.

2.5.2. ReliaQuest reserves the right to suspend or not perform the Managed Takedown Services if it believes: (i) Customer has not provided sufficient, accurate or complete information to initiate or continue with the Managed Takedown Services; or (ii) any Managed Takedown Services may result in any adverse action from a third party; or (iii) that the desired result of the Managed Takedown Services is unlikely to be achieved through reasonable efforts; or (iv) ReliaQuest or its suppliers are or may be legally restricted or prevented from providing the Managed Takedown Services.

2.5.3. Customer agrees that (a) infringing websites specified by Customer that are to be the subject of Managed Takedown Services are under third-party control and those third parties may resist any part of the Managed Takedown Services. Further, due to the international nature of the internet and the political, legal and/or language issues, ReliaQuest may be prevented from successfully performing in whole or in part the Managed Takedown Services; and/or (b) the Managed Takedown Services may not achieve the desired result.

2.5.4. ReliaQuest will commence specified actions for a Takedown Request after the Managed Takedown Services have been provisioned, activated and a takedown candidate has been identified. In each instance, upon receipt from Customer of one of the following: (i) an authorization action taken by Customer’s authorized web portal user to initiate the takedown process (“Takedown Request”); or (ii) confirmation from Customer authorizing ReliaQuest or its suppliers to commence action against a takedown candidate; or (iii) written confirmation authorizing ReliaQuest or its suppliers to proceed with the Managed Takedown Services using a commercially reasonable form approved by ReliaQuest.

2.5.5. Customer shall indemnify ReliaQuest and keep it indemnified for all costs, expenses, liabilities, losses, damages, claims, demands, proceedings, judgments and reasonable legal costs which ReliaQuest incurs or suffers in respect of any claim brought or threatened against ReliaQuest or its suppliers or sub- contractors by any third party, during or after the end of the term of the Agreement and arising out of or in connection with Customer’s actions in fulfilling the Managed Takedown Services in accordance with this Agreement.

2.5.6. Notwithstanding anything to the contrary in the Agreement, ReliaQuest shall be entitled to subcontract the performance of the Managed Takedown Services to any reasonable third-party subcontractor selected by ReliaQuest that performs such managed takedown services. FraudWatch International PTY Ltd. is the current vendor used by ReliaQuest to perform such managed takedown services, but this may change from time to time.