TERMS OF SERVICE

These Terms of Service are effective as of May 22, 2020 (the “Effective Date”).

PLEASE READ THESE TERMS OF SERVICE (THESE “TERMS”) CAREFULLY, AS THEY GOVERN THE USE OF THE WEBSITE LOCATED AT HTTPS://VENDORPORTAL.TTPN.ORG (THE “VENDOR PORTAL”), AND ANY OTHER WEBSITES, SOFTWARE, SECURITY INFORMATION (INCLUDING, WITHOUT LIMITATION ANY ASSESSMENT MATERIAL), PRODUCTS, OR SERVICES (EACH OF THE FOREGOING ITEMS, COLLECTIVELY, THE “SERVICES”) OFFERED BY TRUSTED PARTNER NETWORK, LLC, A CALIFORNIA LIMITED LIABILITY COMPANY (HEREINAFTER, “TPN”). TPN PROVIDES THE SERVICES SOLELY ON THE TERMS AND CONDITIONS SET FORTH HEREIN AND ON THE CONDITION THAT YOU ACCEPT AND COMPLY WITH THEM.

BY CLICKING THE “ACCEPT” BUTTON AT HTTPS://VENDORPORTAL.TTPN.ORG AND/OR USING OR ACCESSING THE SERVICES, YOU (A) ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THESE TERMS, AND AGREE TO BE LEGALLY BOUND BY THEM; AND (B) REPRESENT AND WARRANT THAT: (I) YOU ARE OF LEGAL AGE TO ENTER INTO A BINDING AGREEMENT; (II) YOU ARE A VENDOR (OR ARE AN AUTHORIZED EMPLOYEE OF A VENDOR, ACTING ON ITS BEHALF); AND (III) IF YOU ARE ACTING ON BEHALF OF A CORPORATION, GOVERNMENTAL ORGANIZATION, OR OTHER LEGAL ENTITY, YOU HAVE THE RIGHT, POWER AND AUTHORITY TO AGREE TO THESE TERMS ON BEHALF OF SUCH ENTITY AND BIND SUCH ENTITY TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS, TPN WILL NOT AND DOES NOT GIVE YOU THE RIGHT TO USE THE SERVICES, AND YOU MUST NOT USE THE SERVICES.

You may have another written agreement with TPN that amends, supplements or supersedes all or portions of this document.

1. Definitions.

(a) “Accreditation Program” means a security auditor accreditation and training program, under which individual auditors may be accredited by TPN if they meet certain criteria and pass an examination designed to test their knowledge, skills and awareness of established best practices.

(b) “Assessment” means any security assessment of a Vendor’s content security procedures conducted within the TPN Program.

(c) “Assessment Company” means any organization that employs Qualified Assessors for the purpose of undertaking Assessments under the TPN Program.

(d) “Assessment Material” means, collectively, Reports and Remediation Evidence.

(e) “Assessor” means the Qualified Assessor or Assessment Company engaged to perform a particular Assessment.

(f) “Content Providers” means, collectively, (i) the Motion Picture Association, Inc. and each of its member studios, (ii) the Content Delivery and Security Association, Inc. and each of its content-owner members, (iii) each governing board member of the Alliance for Creativity and Entertainment, and (iv) certain other members of the Alliance for Creativity and Entertainment, as determined by TPN’s board of directors. Each of these parties, individually, shall be a “Content Provider”.

(g) “Documentation” means any written materials or documentation (including training materials, user guides, Content Security Standards, and release notes) provided by TPN that: are related to the TPN Software; and may be accessed through this web portal.

(h) “Hard Remediation Evidence” means documentary evidence (e.g., photographs, pen test results, etc.) of actions taken to remediate a Vendor’s security posture, uploaded to the TPN Software by the Vendor.

(i) “Industry” means the motion picture industry.

(j) “IP Author” means the third party that owns the Third-Party IP and licensed it to TPN, pursuant to the Underlying License Agreement.

(k) “Parties” means you and TPN collectively. Each of you and TPN may sometimes be referred to as a “Party” hereunder.

(l) “Primary User” means any individual member of your organization that receives the “primary user” designation within the TPN Software.

(m) “Purpose” means reducing duplicative security assessment costs and establishing uniform standards for content security assessments in the motion picture industry.

(n) “Qualified Assessor” mean any individual that is currently accredited by TPN to perform security assessments.

(o) “Questionnaires” means any completed responses to the “Assessment Request Form” and other questionnaires inside the Vendor Portal that request information regarding the Vendor’s operations, content security processes, and contact addresses.

(p) “Remediation” means any arrangement or course of action: (1) that is intended to remediate deficiencies in a Vendor’s content security procedures; and (2) for which Remediation Evidence is submitted to the TPN Program (via the TPN Software).

(q) “Remediation Evidence” means, either Hard Remediation Evidence or Soft Remediation Evidence, or both.

(r) “Report(s)” means a draft or final security assessment report produced in respect of an Assessment.

(s) “Security Assessment Agreement” means an agreement by and among TPN, a Vendor and an Assessor, pursuant to which the applicable Vendor engages the Assessor to undertake an Assessment.

(t) “Soft Remediation Evidence” means a written description of actions taken to remediate a Vendor’s security posture, uploaded to the TPN Software by the Vendor.

(u) “Third-Party IP” means, collectively, the TPN Software, Documentation, and Training Materials.

(v) “TPN Program” means, collectively: the Accreditation Program; a program under which, in exchange for a fee, TPN facilitates assessments by Qualified Assessors, and ensures that all such assessments are uploaded into the TPN Software, and made available for review by Content Providers; and any other Services provided by TPN in order to promote, or in connection with promoting, effective content security practices within the Industry.

(w) “TPN Software” means the software which may be accessed through this web portal (including a proprietary vendor-management software program which keeps track of and stores such things as Questionnaires, agreements, employee access lists, Reports, assessment status and remediation tasks) and any applications (including mobile applications) made available to you by TPN.

(x) “Training Materials” means any video, audio or mixed-media training materials provided by TPN, including, but not limited to, the video and examination located at https://ttpn.org/training/.

(y) “Underlying License Agreement” means that certain Software License Agreement, effective as of March 5, 2018, by and between TPN and the IP Author.

(z) “Vendor” means any service provider in the Industry (i) whose business involves handling, modifying, producing, or otherwise having access to, Industry proprietary information and/or entertainment supply chain content, and (ii) who has completed TPN’s vendor intake form, and created a profile within the TPN Software.

2. Use Rights. Subject to your continuous compliance with these Terms, TPN agrees to provide you with a nonexclusive, nontransferable, personal, revocable right to: (i) use and access the Vendor Portal for the duration of the Term solely to (x) communicate with Qualified Assessors and TPN, (y) input, upload and/or store information, Questionnaires and other data related to Assessments, and (z) access Assessment Material produced in respect of your facilities; (ii) use and access the Documentation and Training Materials solely in connection with your participation in the TPN Program; and (iii) use and access other Services offered to you on the terms and conditions set forth in these Terms. In certain circumstances, additional terms or product requirements may apply to certain of the Services offered by TPN. Such additional terms will be available with the relevant Services, and those additional terms will become part of your agreement with TPN if you access or use those Services.

3. Acknowledgements; License Restrictions; Data Security Policies.

(a) Acknowledgements. You hereby acknowledge and agree that TPN retains all right, title, and interest in and to the Services, including without limitation all software (other than the Third-Party IP) used to provide the Services and all logos and trademarks reproduced through the Services (other than the Third-Party IP), and these Terms do not grant you any intellectual property rights in the Services or any of their components.

(b) Restrictions. You hereby agree that you will not, and you will not permit any third party to: (i) provide access to the Services (including the Third-Party IP) – or any part of the Services – to a third party; (ii) sell, trade or resell any of the Services (including the Third-Party IP); (iii) modify, copy, or create derivative works based on any of the Services (including the Third-Party IP); (iv) reverse engineer or disassemble the Services (including the Third-Party IP); (v) access or use the Services (including the Third-Party IP) in order to build a competitive product or service, or copy any ideas, features, functions or graphics of the Services in a manner that infringes or misappropriates any trade secrets, trademarks, copyrights, patent rights or other proprietary rights (“Intellectual Property Rights”) of TPN, IP Author, or their affiliates; (vi) access or use the source code of any of the Services (including the TPN Software); (vii) access or use any of the Services in any manner to which you are not granted express use rights; (viii) access or use any Services (including the Third-Party IP) in a manner that violates applicable Law; or (ix) misrepresent your identity, or your affiliation with another person or entity.

(c) Data Security Policies. You agree to comply at all times with TPN’s data security policies and practices as set forth on Schedule I attached hereto and incorporated herein or as otherwise communicated to you in writing.

(d) U.S. Government User Rights. Certain of the Services (including the TPN Software) consist of commercial computer software, as such term is defined in 48 C.F.R. §2.101. Accordingly, if you are the US Government (or are acting on its behalf), you shall receive only those rights with respect to such software as are granted to all other end users under license, in accordance with (a) 48 C.F.R. §227.7201 through 48 C.F.R. §227.7204, with respect to the Department of Defense and their contractors, or (b) 48 C.F.R. §12.212, with respect to all other US Government licensees and their contractors.

4. Confidentiality.

(a) In connection with the Parties’ commercial relationship, each Party may receive Confidential Information (as hereinafter defined) from the other Party. “Confidential Information” means any information (whether written or oral and whether or not marked “confidential”) provided to a Party in (direct or indirect) connection with the TPN Program or other Services, concerning the other Party’s business or operations, that is identified as “confidential”, or which a reasonable person would consider to be confidential. For avoidance of doubt, as applied to TPN, Confidential Information shall include, without limitation, information regarding: TPN’s business affairs or customers; the Services; TPN’s business plans; TPN’s finances; any agreements or negotiations between you and TPN; TPN’s personnel; the source code, design elements or other specifications of the TPN Software, Third-Party IP, or any other intellectual property furnished by TPN. For purposes hereof, the party receiving the Confidential Information is the “Receiving Party”, and the party that the Confidential Information concerns is the “Disclosing Party”.

(b) Receiving Party shall hold all Confidential Information in confidence and shall not distribute, disseminate or otherwise disclose any Confidential Information to any person except: (a) its authorized employees, agents, representatives and service providers who reasonably require the same in connection with fulfilling the purposes of these Terms (the “Authorized Parties”); (b) as expressly permitted by these Terms or a Security Assessment Agreement between the Parties; (c) as reasonably required by TPN in order to administer the TPN Program; and (d) as otherwise required by applicable Law or legal process, provided that before making any disclosure required by law, the Receiving Party shall, to the extent legally permissible, notify the Disclosing Party of such requirement in order to give them a reasonable opportunity to seek a protective order or other appropriate remedy, and, provided further, that the Receiving Party shall limit any such disclosure to information that is specifically required to be disclosed. Except as expressly permitted in these Terms, Receiving Party shall not use Confidential Information for the benefit of it self or any third party; provided, however, that you shall not be in breach of these Terms because you used TPN’s Confidential Information to improve your security posture or participate in the TPN Program. No Receiving Party shall reverse engineer, decompile or disassemble any Confidential Information of the Disclosing Party or make any attempt to do so without the written consent of the Disclosing Party. Receiving Party shall be deemed responsible for any action by its Authorized Parties, including, but not limited to, any action which, if taken by Receiving Party, would constitute a breach of this Section 4.

(c) Notwithstanding the foregoing, Receiving Party shall not have an obligation with respect to any Confidential Information which: (i) is known or generally available to the public other than as a result of an act or omission by Receiving Party or itsAuthorized Parties; (ii) is received from a third party having a bona fide right to provide such information without an obligation of confidentiality; (iii) was in Receiving Party’s possession, as established by documentary evidence, before Disclosing Party’s disclosure hereunder; (iv) is independently developed by Receiving Party without reference to DisclosingParty’s Confidential Information; or (v) is approved for release, in writing, by Disclosing Party.

(d) On the expiration or earlier termination of these Terms and/or upon TPN’s request, you shall promptly: destroy any of TPN’s Confidential Information that is in your possession; and ensure the destruction of any of TPN’s Confidential Information that is in the possession of your Authorized Parties.

(e) You hereby acknowledge and agree that any breach of these Terms will cause injury to each Disclosing Party for which money damages would bean inadequate remedy and that, in addition to remedies at law, each Disclosing Party shall be entitled to equitable relief as a remedy for any such breach.

5. Questionnaires, Assessments & Remediations.

(a) Questionnaires. You hereby grant TPN a perpetual, irrevocable, royalty-free, worldwide license to make your Questionnaires available to: Content Providers; and any Assessor that is currently engaged to perform an Assessment of your facility.

(b) Distribution of Assessment Material to Content Providers. You hereby grant TPN a perpetual, irrevocable, royalty-free, worldwide license to: (i) make all Soft Remediation Evidence and each final Report available to the Content Providers; and (ii) provide the preceding final Report for a given facility to the Assessor engaged to Assess that facility.

(c) Ownership of Assessment Materials. You hereby acknowledge and agree that:

i. All Reports shall be owned solely by the entity that paid for the applicable Assessment (such entity, the “Sponsor”). The Sponsor shall have the right to circulate, quote, disclose or otherwise distribute these materials as it sees fit upon the earlier of: (x) the completion of the applicable Assessment (as evidenced by the“publication” of the final Report within the TPN Software); and (y) the termination of the applicable Security Assessment Agreement. Any Remediation Evidence shall be owned solely by the applicable Vendor. Such Vendor shall have the right to circulate, quote, disclose or otherwise distribute this Remediation Evidence as it sees fit at any time.For avoidance of doubt, the applicable Assessor shall have no rights (including any copyright, moral rights or other intellectual property rights) in the Assessment Material, except as set forth in Section 5(c)v hereof.

ii. The Sponsor of each Assessment shall grant TPN a perpetual, irrevocable, royalty-free, worldwide license to: (x) use or distribute any data or information (including any Reports) uploaded to the TPN Software in the manner set forth in the applicable SecurityAssessment Agreement (including by making the Assessment’s Report available to each ContentProvider); (y) compile and distribute basic information regarding the Assessment (e.g. Vendor’s name, type of Assessment, date of Assessment, date of Remediation, etc.) to the Content Providers as TPN deems necessary or desirable in administering the TPN Program; and (z) provide copies of the Assessment to third-parties at the request and direction of the Sponsor. Where the Sponsor of an Assessment is not a Vendor, the applicable Vendor shall be allowed to retain its copy of the final Report but shall be prohibited from circulating, quoting, disclosing or otherwise distributing the Reports or any portion thereof, to any person or entity whatsoever (with the exception of theContent Providers). If such aVendor desires that a third-party be given a copy (in whole or in part)of the final Report, Vendor shall ask the Sponsor to provide such third-party with a copy, and theSponsor may, in its sole discretion, fulfill Vendor’s request.

iii. Each Vendor shall grant TPN a perpetual, irrevocable, royalty-free, worldwide license to: (x) use or distribute any Remediation-related data or information (including any Remediation Evidence) uploaded to the TPN Software in the manner set forth in the applicable Security Assessment Agreement (including by making Soft Remediation Evidence available to each Content Provider); and (y) compile and distribute basic information regarding any Remediation (e.g. Vendor’s name, type of underlying Assessment, date of underlying Assessment, date of remediation, etc.) to the Content Providers as TPN deems necessary or desirable in administering the TPN Program.

iv. The Sponsor of each Assessment shall grant each Content Provider a perpetual, irrevocable, royalty-free, worldwide license to view, use, copy and store the Assessment’s final Report solely for such Content Provider’s (and its subsidiaries’ and affiliates’) internal use for security evaluation purposes. Each Vendor shall grant each Content Provider a perpetual, irrevocable, royalty-free, worldwide license to view, use, copy and store its Questionnaires and any Soft Remediation Evidence solely for such Content Provider’s (and its subsidiaries’ and affiliates’) internal use for security evaluation purposes.

v. The Sponsor of each Assessment shall grant the applicable Assessor: (x) a perpetual, irrevocable, royalty-free, worldwide license to(1) view, edit or otherwise use any Reports that Assessor or their employees have produced in respect of an Assessment solely to the extent necessary to perform the applicable Assessment, and (2) share such Reports with their employer or authorized employees (as applicable) solely to the extent necessary to perform the applicable Assessment; and (y) a revocable, royalty-free, worldwide license to retain and view any work product that they produced in respect of the Assessment for three months following its completion solely in order to respond to inquiries from, and address issues raised by, TPN or theSponsor of such Assessment.Each Vendor shall grant the applicable Assessor a perpetual, irrevocable, royalty-free, worldwide license to view the most recent prior Report produced in respect of the facility undergoing an Assessment solely for the purpose of performing the applicable Assessment.

vi. For the avoidance of doubt, the Parties shall have no right to use, disseminate, distribute or otherwise disclose any Assessment Material (including the Reports) except as set forth in this Section 5(c).

(d) Disclaimer. You hereby acknowledge and agree that: (i) the final scope of any Assessment for which you are the Sponsor (each a “User Sponsored Assessment”) shall be a product of the information that you input in the Questionnaires, and discussions between you and the Assessor; (ii) TPN will not be a party to any discussions regarding the scope of any User Sponsored Assessment; (iii) although TPN’s policies prescribe the form and structure of the Reports, TPN does not review or control any Report’s substance (with the exception of seven (7) pieces of basic, introductory information on each Report’s “Summary Page”); and (iv) all User Sponsored Assessments will be performed by the relevant Assessor alone, without any input or assistance from TPN. You further acknowledge that: (x) TPN’s accreditation of any Qualified Assessor is solely an indication that such Qualified Assessor’s baseline knowledge and formal qualifications meet TPN Program standards; and (y) TPN’s accreditation of a Qualified Assessor does not provide any guarantee as to the quality of such Qualified Assessor’s work. AS A RESULT OF THE FOREGOING ACKNOWLEDGEMENTS IN THIS SECTION 5(d), THE PARTIES HEREBY AGREE THAT TPN SHALL BEAR NO RESPONSIBILITY OR LIABILITY FOR ANY INADEQUACIES, INACCURACIES OR OTHER DEFICIENCIES IN THE PERFORMANCE OF ANY ASSESSMENT.

(e) No Financial Audit. You hereby acknowledge and agree that no Assessment will constitute an audit, a review, or a compilation of your financial statements or any part thereof, nor an examination of your management’s assertions concerning the effectiveness of your internal-control systems or an examination of compliance with Law. Each Assessment is a point-in-time analysis of the security posture at your facility sites. Accordingly, performance of an Assessment will not result in the expression of an opinion, or the issuance of any approval or any other form of assurance thereon.

(f) Remediation Acknowledgments. You hereby acknowledge that the TPN Software may provide Content Providers with information regarding the status of identified deficiencies in your security controls (“Deficiencies”) using self-reported information, and Remediation Evidence provided to TPN. You further acknowledge that: (i) TPN will not be independently verifying any information that you submit regarding acts you claim to have taken to rectify Deficiencies; and (ii) both TPN and Content Providers rely on the accuracy of information you provide regarding Remediation activity to understand your security posture and the risks associated therewith. You represent, warrant and covenant that all information you submit to the TPN Software (including any Remediation Evidence) will, in all material respects, accurately represent the actions you have taken to address the applicable Deficiencies.

(g) Consideration. The Parties hereby agree that the following is sufficient consideration for TPN’s grant of rights hereunder: (i) progress towards the Purpose; and (ii) the potential for revenue derived from TPN’s facilitation of Assessments.

6. Suggestions; Communications.

(a) Suggestions. If you provide TPN with any ideas, suggestions, documents or proposals in respect of the TPN Program and/or Services (including the TPN Software) (“Suggestions”), TPN shall be entitled to use the Suggestions without restriction. You hereby irrevocably assign to TPN all right, title and interest in and to any Suggestions, and agree to provide TPN with any assistance it requires to document, perfect and maintain its rights in the Suggestions. You further acknowledge and agree that: (i) any Suggestions provided to TPN will not contain the confidential or proprietary information of third parties; (ii) TPN is under no obligation of confidentiality, express or implied, with respect to the Suggestions; and (iii) TPN may have something similar to the Suggestions under consideration or development.

(b) Communications. You hereby authorize TPN to share your professional contact information with Content Providers and Qualified Assessors for the purpose of facilitating Assessments. You also hereby consent to receive electronic communications from TPN, including notifications of changes to these Terms.

7. Responsibility for Your Security. You hereby acknowledge the following:

(a) From time to time, TPN provides Vendors, Assessors and Content Providers with information and training regarding: site security; the basics of content protection; and emerging security threats within the entertainment industry. This information is not intended to be comprehensive, and does not identify all relevant security practices, considerations, or risks; nor does it necessarily address the most significant security considerations for your particular situation. You hereby acknowledge that: (i) these services should be used as one threat-identification-and-prevention measure among many; and (ii) you are solely responsible for conducting independent due diligence and obtaining the information necessary to address the particular security issues that you face.

(b) The Motion Picture Association, Inc. Content Security Best Practices (the “Best Practices”) are intended to serve as a baseline for reasonable content security practices in ordinary circumstances. However, they do not address all conceivable security threats; nor will they be sufficient in all situations. You need to decide whether you need more or less demanding security controls based on the particulars of your situation and your risk appetite. TPN MAKES NO WARRANTY, GUARANTEE, OR REPRESENTATION, EXPRESS OR IMPLIED, THAT MEETING THE BEST PRACTICES WILL ADDRESS ALL SECURITY THREATS AND VULNERABILITIES, OR RENDER YOUR SYSTEMS INVULNERABLE TO SECURITY BREACHES.

8. Term; Termination. These Terms shall be effective on the Effective Date and shall continue in force unless earlier terminated as set forth below (the “Term”):

(a) Termination for Breach of IP Provisions. In the event that you breach Section 3 of these Terms, TPN shall have the right to: (i) suspend the rights granted under Section 2 hereof; and/or (ii) terminate these Terms immediately upon providing written notice to you.

(b) Termination for Other Breach. Either Party may terminate these Terms if the other Party commits a material breach of these Terms, and such material breach continues for thirty (30) days after written notice thereof is provided to such Party; provided that if such material breach cannot reasonably be cured within thirty (30) days, the breaching Party shall be given a reasonable period of time to cure such breach; provided further, that if such material breach is incapable of cure, then the non-breaching Party may terminate these Terms effective after the expiration of such thirty (30) day period.

(c) Termination for Convenience.

i. You may terminate these Terms at any time, by providing TPN notice and requesting that TPN deactivates your user account(s); provided, however, that if you are party to a Security Assessment Agreement for an Assessment that has not yet been performed, the Assessment must be performed, or the agreement rescinded, before you may exercise the termination right set forth in this Section 8(c)i.

ii. TPN may terminate these Terms at any time, for any reason, by providing you with at least thirty (30) days’ advance notice.

iii. TPN may terminate these Terms immediately upon giving notice if its license rights to the Third-Party IP are terminated. TPN hereby agrees to notify you within thirty (30) days after receiving notice that the Underlying License will be terminated.

(d) Termination in Advance of Modification(s). In the event that TPN proposes to modify these Terms pursuant to Section 9 hereof, you may terminate these Terms before the modification becomes effective. This right may be exercised by providing notice of termination to TPN prior to the effective date of the proposed modification.

(e) Termination for Loss of Vendor Status. If you cease to be a Vendor at any time during the Term, TPN may terminate these Terms immediately by providing notice to you.

Upon termination of these Terms, you shall immediately cease to use any and all Services; provided, however, that you may continue to use the Assessment Material as set forth in Section 5(c) hereof.

9. Modifications to these Terms. TPN reserves the right, in its sole discretion, to modify these Terms from time to time. Subject to Section 8(d) hereof, you agree that any modifications TPN makes pursuant to this Section 9 will be effective thirty (30) days after notice of the modifications is received (in accordance with Section 17 hereof), or on such later date as is specified in the modified Terms. Once the modified Terms become effective, you agree that they will govern your use of the Services. You further agree (i) that it is your responsibility to check all notice addresses (including the spam filter of any email address) regularly for modifications to these Terms, and (ii) that declining to terminate these Terms prior to the effective date of the modifications constitutes your agreement to the modifications. The current version of these Terms will govern any disputes arising before the effective date of the modified Terms.

10. Compliance with Law; Code of Ethics.

(a) You hereby represent, warrant and agree that in performing your obligations under these Terms you will comply with any and all applicable domestic and international laws, regulations, statutes, ordinances, orders and other governmental directives, including, without limiting the generality of this Section 10, antitrust and competition laws, anti-bribery laws such as the U.S. Foreign Corrupt Practices Act and all applicable intellectual property and/or privacy laws and regulations (together, “Law”).

(b) The Services (including the Third-Party IP) may be subject to US export control laws, including the US Export Administration Act and its associated regulations. You shall not, directly or indirectly, export, re-export, or release the Services to, or make the Services accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Without limiting the generality of Section 10(a) hereof, you shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Services available outside the US.

(c) Privacy Shield Agreement. You hereby agree to the terms of the Privacy, Confidentiality and Information Security Addendum attached hereto as Exhibit A.

(d) Code of Ethics. You hereby agree to the terms of the Code of Ethics attached hereto as Exhibit B. Any action taken against you pursuant to this Code of Ethics shall be effective upon thirty (30) days’ written notice to you, with you being given the opportunity during that time to undertake an appeal of the action, pursuant to the Appeal Procedures attached hereto as Exhibit C.

11. Indemnification. You hereby agree to indemnify, defend, release and hold harmless TPN, its member companies, their affiliates, and each of their respective officers, directors and employees, and IP Author from and against any and all claims, proceedings, damages, injuries, liabilities, losses costs and expenses (“Claims”; and each a “Claim”), including reasonable attorneys’ fees and litigation expenses, relating to or arising from:

(a) your breach or alleged breach of any condition, covenant, representation, warranty or restriction herein;

(b) your access or use of the Services (including the Third-Party IP), provided, that such indemnity in this subsection (b) shall not extend to any Claim that the Services (including the Third-Party IP) infringe the Intellectual Property Rights of a third party unless you have modified the Services (including the Third-Party IP) in a manner that caused the alleged infringement; and/or

(c) your negligence or willful misconduct.

In any legal action to enforce compliance with any condition or covenant in this section, the prevailing party shall be entitled to recover from the other party all of its out-of-pocket costs, including reasonable attorneys’ fees.

12. Disclaimers.

(a) ALL SERVICES (INCLUDING THE THIRD-PARTY IP AND ASSESSMENT MATERIAL) PROVIDED BY TPN HEREUNDER ARE PROVIDED “AS IS.” TPN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EXPRESSLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, QUIET ENJOYMENT, FITNESS FOR A PARTICULAR PURPOSE, AND ANY EQUIVALENTS UNDER THE LAW OF ANY JURISDICTION THAT MIGHT ARISE FROM THE SERVICES (INCLUDING THE THIRD-PARTY IP), AS WELL AS YOUR USE OR ATTEMPTED USE OF THE SERVICES (INCLUDING THE THIRD-PARTY IP). YOU EXPRESSLY AGREE THAT YOUR PARTICIPATION IN THE TPN PROGRAM, AND YOUR USE OF THE SERVICES (INCLUDING THE THIRD-PARTY IP), ARE AT YOUR SOLE RISK. TPN FURTHER DISCLAIMS ANY WARRANTY THAT THE SERVICES (INCLUDING THE THIRD-PARTY IP), IN WHOLE OR IN PART, WILL BE FREE FROM INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AND/OR THAT THEY WILL BE AVAILABLE ON AN UNINTERRUPTED BASIS, ERROR FREE, OR FREE OF HARMFUL COMPONENTS.

(b) You hereby agree that particular Services may be modified, updated, interrupted or stopped at any time without notice or liability.

13. Limitation of Liability.

(a) TPN, ANY MANAGER, OFFICER, OR EMPLOYEE OF TPN ACTING IN HIS OR HER CAPACITY AS A MANAGER, OFFICER, OR EMPLOYEE OF TPN, ANY OF TPN’S MEMBERS, ANY DIRECTOR, OFFICER OR EMPLOYEE OF TPN’S MEMBERS ACTING IN HIS OR HER CAPACITY AS A DIRECTOR, OFFICER OR EMPLOYEE OF TPN’S MEMBERS, IP AUTHOR, ANY OF IP AUTHOR’S AFFILIATES, ANY DIRECTOR, OFFICER OR EMPLOYEE OF IP AUTHOR OR ANY OF ITS AFFILIATES ACTING IN HIS OR HER CAPACITY AS A DIRECTOR, OFFICER OR EMPLOYEE OF IP AUTHOR OR ITS AFFILIATES, AND ALL INDIVIDUALS DIRECTLY INVOLVED IN THE DEVELOPMENT OR ADMINISTRATION OF THE TPN PROGRAM(COLLECTIVELY, THE “AFFECTED PARTIES”) SHALL NOT HAVE LIABILITY TO ANY PARTY FOR ANY ACTUAL, COMPENSATORY, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE OR OTHER DAMAGES ARISING OUT OF ANY CAUSE OF ACTION RELATING TO THESE TERMS, OR BASED ON ANY PARTY’S USE OR ATTEMPTED USE OF THE SERVICES (INCLUDING THE THIRD-PARTY IP AND ASSESSMENT MATERIAL), WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE), INDEMNITY, PRODUCT LIABILITY OR OTHERWISE. TO THE EXTENT THAT ANY COURT OF COMPETENT JURISDICTION RENDERS JUDGMENT AGAINST THE AFFECTED PARTIES NOTWITHSTANDING THE ABOVE LIMITATION, THE AFFECTED PARTIES’ TOTAL LIABILITY TO ANY PARTY IN CONNECTION WITH THESE TERMS, OR THE SERVICES (INCLUDING THE THIRD-PARTY IP), SHALL IN NO EVENT EXCEED THE AMOUNTS OF MONEY RECEIVED BY THE AFFECTED PARTIES FROM SUCH PARTY UNDER THESE TERMS DURING THE MOST RECENT FIVE (5) YEAR PERIOD IMMEDIATELY PRIOR TO THE DATE OF SUCH JUDGMENT.

(b) THE LIMITATION OF LIABILITY PROVISIONS SET FORTH IN THIS SECTION 13 SHALL APPLY EVEN IF A PARTY’S WARRANTIES OR REMEDIES UNDER THESE TERMS FAIL OF THEIR ESSENTIAL PURPOSE.

(c) Each Party acknowledges and agrees that the Parties entered into these Terms in reliance upon the limitations of liability set forth in this Section 13, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

14. Limitation on Actions. Except for any Claim arising from the Preamble, Sections 2, 3, 5(c) and 10, no action, regardless of form, relating to these Terms, may be brought by any Party more than one year after the occurrence of the event giving rise to the cause of action.

15. Non-Exclusivity. You hereby acknowledge and agree that your participation in the TPN Program: (a) is entirely voluntary; and (b) is non-exclusive and does not, in any manner, restrict you from obtaining security assessment or consulting services outside of the TPN Program, or from third-parties unaffiliated with the TPN Program.

16. Application of these Terms; Conflict with Other Agreements. You agree that these Terms shall apply to all Services provided by TPN, and every Security Assessment Agreement to which you are a party. In the event of any conflict between these Terms (or any portion thereof) and any other agreement now existing or hereafter entered into between you and TPN, these Terms shall prevail. In particular, in the event of a conflict between these Terms and any Security Assessment Agreement, the inconsistency shall be resolved by giving precedence in the following order: (i) these Terms; (ii) the Security Assessment Agreement.

17. Notices. All notices, demands, requests, consents, approvals, and other communications required or permitted hereunder must be in writing and delivered by hand-delivery, facsimile or electronic mail, recognized overnight courier service with tracking capabilities, or first-class prepaid certified or registered mail (with acknowledgment of receipt requested), addressed as set forth below or to such other address as a party may designate. All notices, demands, requests, consents, approvals and other communications required or permitted hereunder will be conclusively deemed to have been received by a Party hereto (i) in the case of personal delivery, when delivered, (ii) in the case of facsimile or electronic mail, three (3) business days after the message is sent, (iii) in the case of overnight delivery using a recognized overnight courier service with tracking capabilities, two (2) business days after deposit with the courier service and (iv) in the case of mailing by certified or registered U.S. mail, three (3) business days after deposit in the mail. All notices made or given pursuant to these Terms must be in the English language.

if to TPN:

Trusted Partner Network, LLC

c/o Motion Picture Association

15301 Ventura Blvd., Bldg. E

Sherman Oaks, CA 91403

United States of America

Attention: Kurt Fischer

Telephone: (818) 935-5796

Email: [email protected]

with a copy to:

Trusted Partner Network, LLC

c/o Motion Picture Association

15301 Ventura Blvd., Bldg. E

Sherman Oaks, CA 91403

United States of America

Attention: Ian Brown

Telephone: (818) 935-5839

Email: [email protected]

if to you:

Notices will be provided to one (or more) of your Primary Users using the contact information associated with their user accounts in the TPN Software.

18. Governing Law; Binding Arbitration; Waiver of Jury Trial.

(a) These Terms shall be governed in all respects by the laws of the United States of America and the State of California without regard to conflicts of law principles.

(b) If any dispute arising out of or relating to these Terms, including any dispute as to the enforceability of these Terms, cannot be settled through direct discussions, the Parties agree to endeavor first to settle the dispute in an amicable manner by mediation administered by the American Arbitration Association (“AAA”) under its Commercial Mediation Rules before resorting to arbitration. Thereafter, any unresolved controversy or claim arising from or relating to these Terms shall be settled by binding arbitration in Los Angeles, California, administered by the AAA in accordance with its Commercial Arbitration Rules. The Parties shall make a good faith effort to select a mutually agreeable arbitrator. If the Parties are unable to reach agreement on an arbitrator, one will be selected in accordance with the rules of the AAA. These Terms shall incorporate the provisions of section 1283.05 of the California Code of Civil Procedure. The remedy provided by this binding arbitration provision is exclusive; provided that, nothing in this provision shall bar a party from seeking injunctive relief from a court of competent jurisdiction in emergent circumstances, including but not limited to the impending misappropriation of its intellectual property. Should any Party pursue any other legal or administrative action with respect to any matter included within this binding arbitration provision, the responding Party shall be entitled to recover its costs, expenses and attorneys’ fees incurred as a result of such action. The prevailing Party in such arbitration may file an action in court to confirm and to enforce the arbitration award. Any legal action or proceeding relating to these Terms shall be instituted in a state or federal court in Los Angeles County, California, and all of the Parties hereby submit to the personal jurisdiction of the above courts. All of the Parties consent to the service of process of said courts in any matter relating to these Terms by personal delivery by overnight mail or international courier, which requires signing on receipt, postage prepaid, to the Parties at the address specified in these Terms. Except for termination rights and rights to injunctive relief set forth herein, the remedy providing by this binding arbitration provision is exclusive.

(c) THE PARTIES HEREBY IRREVOCABLY WAIVE, TO THE FULLEST EXTENT PERMITTED BY LAW, ALL RIGHTS TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM RELATING TO THESE TERMS.

19. Miscellaneous.

(a) Force Majeure. Neither Party shall be liable for any delays or nonperformance resulting from circumstances or causes beyond its reasonable control, including, without limitation, acts or omissions or the failure to cooperate by any third party beyond the ability of the applicable Party to legally require, fire, epidemic or other casualty, act of God, strike or labor dispute, war or other violence, or any Law, order, or requirement of any governmental agency or authority.

(b) Independent Contractor. It is understood and agreed that each Party hereto is an independent contractor and that neither Party is, nor shall be considered to be, the other’s agent, distributor, partner, fiduciary, joint venturer, co-owner, or representative. No Party shall act or represent itself, directly or by implication, in any such capacity or in any manner assume or create any obligation on behalf of, or in the name of, the other.

(c) Time is of the Essence. Time is of the essence with respect to every provision of these Terms, including all Schedules hereto.

(d) Survival and Interpretation. All provisions of these Terms which expressly or by their nature are intended to survive termination of these Terms, will survive termination of these Terms, including, without limitation: Sections 3-7, 10-14, and 16-19.

(e) Third Party Beneficiaries. The parties agree that IP Author and its affiliated and related entities are intended third party beneficiaries of these Terms, including, without limitation, the terms in Sections 3, 10, 11, 12, and 13, and such third party beneficiaries shall be entitled to bring a claim or action to enforce rights against You with respect to Your compliance with these Terms. Nothing in these Terms is intended to limit remedies or relief available pursuant to statutory or other claims that such third party beneficiaries may have under separate legal authority not contained in these Terms.

(f) Assignment and Subcontracting. Except as provided below, neither Party may assign, transfer, or delegate any of its rights or obligations hereunder without the prior written consent of the other Party, which shall not be unreasonably withheld; provided that in no event shall TPN be obligated to consent to an assignment which violates the Underlying License Agreement.. You hereby consent to TPN assigning or subcontracting any of its rights or obligations hereunder to (a) any affiliate or related entity, whether located within or outside of the United States, or (b) any entity that acquires all or a substantial part of the assets or business of TPN.

(g) Further Assurances. Each Party shall do and perform, or cause to be done and performed, all such further acts and things, and shall execute and deliver all such other agreements, certificates, instruments and documents, as the other party may reasonably request in order to carry out the intent and accomplish the purposes of these Terms and the consummation of the transactions contemplated hereby.

(h) Entire Agreement; Amendment and Waiver. These Terms, including the schedules and exhibits, constitute the entire agreement between the Parties with respect to the subject matter of these Terms; and they shall supersede all other oral and written representations, understandings, or agreements relating to the subject matter of Terms. Further, the Parties agree that these Terms may not be amended except by written agreement signed by the parties, subject to Section 9 hereof . No waiver of any of the provisions of these Terms shall constitute a waiver of any other provision of these Terms, nor shall such waiver constitute a continuing waiver. The failure of either Party to enforce at any time any of the provisions of these Terms, or the failure of either Party to require the performance by the other Party of any provisions of these Terms, shall not be construed as a waiver of such provisions in the future, nor will it affect the ability of a Party to enforce each and every provision thereafter. A waiver will not be deemed effective unless provided in writing.

(i) Severability. If any of these Terms is to any extent illegal, otherwise invalid, or incapable of being enforced, such term shall be excluded to the extent of such invalidity or unenforceability; all other terms hereof shall remain in full force and effect; and, to the extent permitted and possible, the invalid or unenforceable term shall be deemed replaced by a term that is valid and enforceable and that comes closest to expressing the intention of such invalid or unenforceable term. If application of this Severability provision should materially and adversely affect the economic substance of the transactions contemplated hereby, the Party adversely impacted shall be entitled to compensation for such adverse impact, provided the reason for the invalidity or unenforceability of a term is not due to serious misconduct by the Party seeking such compensation.

(j) Headings. The headings contained in these Terms are for reference purposes only and shall not affect in any way the meaning or interpretation of these Terms.


SCHEDULE I

DATA SECURITY POLICIES

Acceptable Use

• Login accounts and passwords for users of the Vendor Portal (each, a “User”) are personal and shall not be shared.
• All third parties with whom any User has a contract or agreement are expressly forbidden to attempt access to TPN information assets without (i) explicit, written approval from TPN; and (ii) agreeing to be bound to these Terms.
• TPN’s systems shall not be used to perform any illegal activities, including but not limited to accessing any systems, internal or external, without proper authorization, hacking, launching attacks, sending spam, spreading malware, performing unauthorized business activities or any other illegal activities.
• All information security related incidents/events shall be immediately communicated to TPN point of contact.
• All access to TPN’s systems should be used strictly for business purposes.
• All Users are responsible for the proper protection of the accessed information.
• No User may undertake any of the following activities, or assist, encourage or enable others to do so:

o Record, process or mine information about other Users (excepting assessment statuses, assessment data, Assessment Material and the information contained therein), including any personal data in any form that is stored, transmitted, accessed, received, collected, generated or otherwise processed on behalf of, or made available to, TPN in the course of providing Services under these Terms;
o Attempt to gain unauthorized access to TPN’s systems, the TPN Software, User accounts or TPN’s networks via hacking, password mining, or any other means;
o Use TPN’s systems or the TPN Software to transmit any computer viruses, worms, defects, Trojan horses or other items of a destructive nature;
o Use any device, software or routine that interferes with proper working of TPN’s systems or the TPN Software, or otherwise attempt to interfere with the proper working of these items; or
o Use TPN’s systems to violate the security of any computer network, crack passwords or security encryption codes; disrupt or interfere with the security of, or otherwise cause harm to, TPN’s Systems or the TPN Software

Logical and Physical Access

• All third party computers shall meet the security minimum requirements, including, without limitation, firewall and anti-virus and anti-malware tools.

Password Management for TPN’s Systems

• The selection of passwords is the User’s responsibility.
• Passwords must be unique, meaning that the password is not used for access to any other systems.
• Passwords must comply with the following requirements:

o Must contain at least 8 characters for User accounts;

o Must be strong, complex passwords and use at least 3 of the following 5 rules: at least 1 upper case character (A-Z), at least 1 lower case character (a-z), at least 1 digit (0-9), at least 1 special character (punctuation or a space), and not more than 2 identical characters in a row.

• Passwords must be confidential and personal and shall not be written in visible places.
• Passwords shall not be shared with, used by, or disclosed to others.
• Each User is responsible for the use and protection of their password.
• Generic or group passwords shall not be used.
• Users with locked accounts must coordinate with the TPN point of contact to reset the password.
• User credentials shall not be cached or stored as plain text at any time.
• Employees must not disclose passwords by e-mail or any other electronic means, including telephones.
• Automatic login systems which bypass User authentication are prohibited.
• If a system has been compromised or inadvertently accessed, its owner shall change all the passwords used by, or within, that system and a security incident must be reported to the TPN’s Director of IT.


EXHIBIT A

Trusted Partner Network, LLC:
Privacy, Confidentiality and Information Security Addendum

This Privacy, Confidentiality and Information Security Addendum (the “Addendum”), by and between you (“Third Party Controller”) and Trusted Partner Network, LLC, a California limited liability company (“TPN”), sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Information (as defined below) associated with transfers of Personal Information between TPN and Third-Party Controller pursuant to the Terms of Service, by and between you and TPN (the “Terms”).

Whereas, TPN or its Personnel (as defined below) have provided and shall continue to provide Third-Party Controller with access to Personal Information in connection with certain activities conducted by Third-Party Controller pursuant to the Terms; and

Whereas, TPN requires that Third-Party Controller preserve and maintain the privacy, confidentiality and security of such Personal Information.

Now therefor, in consideration of the mutual covenants and agreements in this Addendum and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, TPN and Third-Party Controller agree as follows:

I. Definitions

(A) “Controller” means any person or entity that alone or jointly with others determines the purposes and means of the Processing of Personal Information.
(B) “European Union” and “EU” means the European Union, Iceland, Liechtenstein, the United Kingdom and Norway.
(C) “Personal Information” means any information relating to an identified or identifiable individual, whether such information is in individual or aggregate form and regardless of the media in which it is maintained, that may be:

(i) disclosed at any time to Third-Party Controller or its Personnel by TPN or its Personnel in anticipation of, in connection with or incidental to the activities of Third-Party Controller pursuant to the Terms;
(ii) Processed (as defined below) at any time by Third-Party Controller or its Personnel in connection with or incidental to the activities of Third-Party Controller pursuant to the Terms; or
(iii) derived by Third-Party Controller or its Personnel from the information described in (i) and (ii) above.
Personal Information includes, without limitation, information such as name, postal address, email address, telephone number, online contact information (such as an online user ID), date of birth, Social Security number (or its equivalent), driver’s license number (or other government-issued identification number), account number, payment card data, personal identification number, password, security questions and answers, medical information, health insurance information, or one or more factors specific to an individual’s physical, digital, physiological, mental, economic, cultural or social identity. For purposes of this Addendum, IP addresses and other device or persistent identifiers that are Processed by Third-Party Controller are also considered Personal Information, to the extent they are considered to be Personal Information under applicable laws and regulations.

(D) “Personnel” means any employees, agents, consultants or contractors of Third-Party Controller or TPN, as appropriate.
(E) “Privacy Shield” means the EU-U.S. Privacy Shield framework.
(F) “Process” or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, including, without limitation, creating, collecting, aggregating, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, blocking, erasing and/or destroying the information.

II. Privacy, Confidentiality and Information Security

(A) Third-Party Controller represents, warrants and covenants as follows:

(1) Disclosure of and Access to Personal Information

(a) Third-Party Controller and its Personnel shall hold in strict confidence any and all Personal Information.

(b) Third-Party Controller shall provide at least the same level of privacy protection for Personal Information received by TPN from the European Union as is required by the Privacy Shield principles and promptly notify TPN if at any time Third-Party Controller makes a determination that it can no longer meet this obligation. Upon such a determination, Third-Party Controller shall cease Processing Personal Information or take other reasonable and appropriate steps to remediate any Processing of Personal Information not in compliance with the Privacy Shield principles.

(c) Third-Party Controller shall Process Personal Information only for limited and specified purposes consistent with the consent provided by the relevant data subjects.

(2) Requirements

(a) Third-Party Controller shall comply with all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information (collectively, “Privacy Laws”).

(3) Personal Information Safeguards

(a) Third-Party Controller shall develop, maintain and implement a comprehensive written information security program that complies with applicable Privacy Laws. Third-Party Controller’s information security program shall include appropriate administrative, technical and physical safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Information; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Information; and (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any Personal Information (hereinafter “Information Security Incident”).

(b) Third-Party Controller shall immediately inform TPN in writing of any Information Security Incident of which Third-Party Controller becomes aware, but in no case later than 24 hours after it becomes aware of the Information Security Incident. Such notice shall summarize in reasonable detail the effect on TPN, if known, of the Information Security Incident and the corrective actions taken or to be taken by Third-Party Controller. Third-Party Controller shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with TPN in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. Third-Party Controller shall (i) investigate such Information Security Incident and perform a root cause analysis thereon; (ii) remediate the effects of such Information Security Incident; and (iii) provide TPN with such assurances as TPN shall request that such Information Security Incident is not likely to recur. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved in writing by TPN prior to any publication or communication thereof.

(c) Upon the occurrence of an Information Security Incident involving Personal Information in the possession, custody, or control of Third-Party Controller or for which Third-Party Controller is otherwise responsible, Third-Party Controller shall reimburse TPN on demand for all Notification Related Costs (defined below) incurred by TPN arising out of or in connection with any such Information Security Incident. “Notification Related Costs” shall include TPN’s internal and external costs associated with investigating, addressing, and responding to the Information Security Incident, including but not limited to: (i) preparation and mailing or other transmission of notifications or other communications to consumers, employees, or others as TPN deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, consulting, and accounting fees and expenses associated with TPN’s investigation of and response to such event; and (v) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications or are advisable under the circumstances.

(d) Promptly upon the expiration or earlier termination of the Master Services Addendum, or such earlier time as TPN requests, Third-Party Controller shall return to TPN or its designee, or at TPN’s request, securely destroy or render unreadable or undecipherable if the return to TPN is not reasonably feasible or desirable (which decision shall be based solely on TPN’s written statement), each and every original and copy in every media of all Personal Information in Third-Party Controller’s possession, custody or control. Promptly following any return or alternate action taken to comply with this paragraph II(A)(3)(d), Third-Party Controller shall provide to TPN a completed Officer’s Certificate certifying that such return or alternate action occurred. In the event applicable law does not permit Third-Party Controller to comply with the delivery or destruction of the Personal Information, Third-Party Controller warrants that it shall ensure the privacy, confidentiality and security of the Personal Information in accordance with this Addendum and that it shall not use or disclose any Personal Information after termination of the Terms.

(4) Right to Monitor

(a) TPN shall have the right to monitor Third-Party Controller’s compliance with the terms of Section II of this Addendum. During normal business hours, and without prior notice, TPN and/or its authorized representatives may inspect Third-Party Controller’s facilities and equipment, and any information or materials in Third-Party Controller’s possession, custody or control, relating in any way to Third-Party Controller’s obligations under Section II of this Addendum. An inspection performed pursuant to Section II of this Addendum shall not unreasonably interfere with the normal conduct of Third-Party Controller’s business. Third-Party Controller shall cooperate fully with any such inspection initiated by TPN.

(b) Third-Party Controller shall deal promptly and appropriately with any inquiries from TPN relating to the Processing of Personal Information subject to this Addendum.

III. Injunctive Relief

Third-Party Controller agrees that any Processing of Personal Information in violation of Section II of this Addendum or any applicable Privacy law may cause immediate and irreparable harm to TPN, the amount of which would be extremely difficult to estimate. Accordingly, Third-Party Controller understands and agrees that monetary damages alone would not be a sufficient remedy for any such violation or incident and that TPN may obtain specific performance and injunctive or other equitable relief. TPN shall be entitled to such equitable relief in addition to all other remedies at law or in equity.

IV. Indemnification

Third-Party Controller agrees to indemnify and hold harmless TPN and its officers, employees, directors and agents from, and at TPN ’s option defend against, any and all claims, losses, liabilities, damages, costs and expenses, including third-party claims, demands, reasonable attorneys’ fees, consultants’ fees and court costs (collectively, “Claims”), to the extent that such Claims arise from, or may be in any way attributable to (i) any violation of Section II of this Addendum; (ii) the negligence, gross negligence, bad faith, or intentional or willful misconduct of Third-Party Controller or its Personnel in connection with obligations set forth in this Addendum; (iii) Third-Party Controller’s use of any contractor providing services in connection with or relating to Third-Party Controller’s performance under the Terms or this Addendum; or (iv) any Information Security Incident involving Personal Information in Third-Party Controller’s possession, custody or control, or for which Third-Party Controller is otherwise responsible.

V. Miscellaneous

(A) Third-Party Controller’s obligations under this Addendum shall survive the termination of the Terms and the completion of all services subject thereto

(B) Except as provided below, notices provided hereunder must be in writing, contain a clear reference to the Terms, and sent by facsimile or certified mail, return receipt requested to the recipients identified in the “Notices” (or similar) provision of the Terms. With respect to notice pursuant to paragraph II(A)(3)(b) hereof, notice shall be made telephonically to Ian Brown at (818)-995-6600, followed promptly by a written notice in the form described above. For purposes of clarity, Third-Party Controller acknowledges that leaving a voicemail message for Mr. Brown doesn’t satisfy the notice requirement and that Third-Party Controller must actually speak with him.

(C) If any dispute arising out of or relating to this Addendum, including any dispute as to the enforceability of this Addendum, cannot be settled through direct discussions, the parties agree to endeavor first to settle the dispute in an amicable manner by mediation administered by the American Arbitration Association (“AAA”) under its Commercial Mediation Rules before resorting to arbitration. Thereafter, any unresolved controversy or claim arising from or relating to this Addendum shall be settled by binding arbitration in Los Angeles, California, administered by the AAA in accordance with its Commercial Arbitration Rules. The parties shall make a good faith effort to select a mutually agreeable arbitrator. If the Parties are unable to reach agreement on an arbitrator, one will be selected in accordance with the rules of the AAA. This Addendum shall incorporate the provisions of section 1283.05 of the California Code of Civil Procedure. The remedy provided by this binding arbitration provision is exclusive. Should any party pursue any other legal or administrative action with respect to any matter included within this binding arbitration provision, the responding party shall be entitled to recover its costs, expenses and attorneys’ fees incurred as a result of such action. The prevailing party in such arbitration may file an action in court to confirm and to enforce the arbitration award. Any legal action or proceeding relating to this Addendum shall be instituted in a state or federal court in Los Angeles County, California, and all of the parties hereby submit to the personal jurisdiction of the above courts. All of the parties consent to the service of process of said courts in any matter relating to this Addendum by personal delivery by overnight mail or international courier, which requires signing on receipt, postage prepaid, to the parties at the address specified in this Addendum. Except for termination rights and rights to injunctive relief set forth herein, the remedy providing by this binding arbitration provision is exclusive.

(D) This Addendum shall be governed in all respects by the laws of the United States of America and the State of California without regard to conflicts of law principles.

(E) This Addendum is the complete agreement between the parties with respect to the subject matter contained herein, and supersedes any prior oral or written agreement between the parties concerning the Processing of Personal Information by Third-Party Controller as contemplated under this Addendum.

(F) If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in effect.

(G) This Addendum is binding upon successors and assigns of the parties.

(H) A waiver by either party of any term or condition of the Addendum in one or more instances shall not constitute a permanent waiver of the term or condition or any other term or condition of the Addendum or a general waiver.

(I) As required or upon request, Third-Party Controller agrees that TPN may provide a summary or copy of this Addendum to any government agency.


EXHIBIT B

TPN Vendor & Content Provider Code of Ethics

 

I. General Conduct Guidelines

a. Compliance with the Law

Compliance with the law and the legal system is a fundamental requirement for all vendors and content owners participating in the Trusted Partner Network (such parties, “Participants”; and the Trusted Partner Network, “TPN”). All Participants must abide by the laws and regulations of the legal system within which they operate, and failure to comply with the law must be avoided in all circumstances. If a Participant breaks the law, they could face suspension or expulsion from the TPN program, independent of the sanctions imposed by law.

b. Compliance with TPN Policies and Guidelines

From time to time, TPN will set forth, or modify, guidelines, codes, policies and procedures (collectively, “Policies”) which are to govern work performed in association with TPN. These Policies are intended to ensure the efficiency, transparency, ethical integrity and lawfulness of the TPN program and all work performed within it. As a result, it is essential that Participants comply with all applicable TPN Policies at all times. In the event that a Participant fails to abide by a TPN Policy, TPN shall have the right to limit or suspend their participation in the TPN program, or expel them from the program, in TPN’s sole discretion. Further, in the event that a Participant’s non-compliance with TPN Policies causes damage to TPN or a third-party, the Participant may be responsible for compensating such party under the terms of their contract(s) with TPN.
For avoidance of doubt, this Code of Ethics is a TPN Policy.

c. Non-Discrimination

The TPN respects the personal dignity, privacy and individual rights of all people, regardless of gender, nationality, culture, religion or skin color. The TPN does not tolerate any discrimination or any sexual or other personal harassment or offense by Participants. These principles apply both in interactions with TPN program representatives and in Participants’ conduct with vendors, Qualified Assessors or content owners.

d. Accuracy in Records and Reports

Accurate and truthful reporting is part of open and effective cooperation. All records and reports, including any invoices or payment documentation, that are produced internally or communicated externally must be accurate and truthful. In accordance with proper accounting principles, data records and other reports must always be complete, accurate, timely and system-compatible. The requirement of truthful reporting also applies in particular to expense accounts.

II. Relations with Business Partners and Third Parties

a. Fair Competition

Upholding the standards of fair competition in the free market is of ultimate importance to the TPN. As such, all Participants are duty-bound to observe the rules of fair competition. All Participants shall avoid engaging in and/or the appearance of engaging in anticompetitive practices such as price fixing, bid rigging, boycotting, creation of monopolies, exclusive dealing agreements, tying arrangements, or any other activity that would tend to discourage or reduce market competition. It can be difficult in individual cases to assess the position relating to anti-trust and competition laws. In cases of doubt, therefore, the General Counsel should be consulted to provide guidance on the individual case.

b. Offering and Granting Benefits

Participants shall engage Qualified Assessor’s on the basis of the quality and price of their services. No Participant may offer, grant or accept unjustified benefits in connection with its business activities – directly or indirectly – in the form either of cash payments or of other benefits. In particular, the provision of any unjustified benefit with the intention of influencing audit results is strictly prohibited. Violations of this section of the Ethics Policy will be treated very seriously and may lead to the Participant’s expulsion from the TPN program.

Promotional gifts should be carefully selected so as to ensure that no impression of dishonesty or impropriety is created. In cases of doubt, the recipient should be asked to obtain prior permission to accept the gift from his/her superior.

Gifts may not be offered to civil servants or other government officials in any circumstances. Participants negotiating contracts with consultants, agents and similar third parties should ensure that these contracts do not offer or grant unjustified benefits.

c. Truthfulness in the Assessment Process

Truthful and accurate disclosures by Participants are central to ensuring that the TPN program functions effectively. Participants shall not provide any false or misleading information to Qualified Assessors or TPN, in respect of any audit. Further, when asked to provide information under the TPN program, Participants shall ensure that they disclose all material facts in respect of the information requested.

d. Avoiding Conflicts of Interest

Participants must avoid both actual and potential conflicts of interest. The following rules in particular must be followed:

• A Participant should not engage any Qualified Assessor or Assessment Company (each of these entities, an “Auditing Party”) to conduct an audit if the Auditing Party has a personal, professional or financial interest in the target of the audit.

• If a Participant wishes to be audited by an Auditing Party from which, in the previous two (2) years, they have received consulting or advisory services regarding matters falling within the audit’s scope, the Participant must (i) upon submission of the applicable Security Assessment Agreement, ensure that TPN is notified of the prior consulting services; (ii) waive the Auditing Party’s conflict-of-interest by executing a standard conflict-waiver form provided by TPN; and (iii) ensure that the following disclosure is included in the first Section of the applicable assessment report:

DISCLOSURE OF CONFLICT: ON [DATE], ANOTHER ASSESSOR EMPLOYED BY [ASSESSMENT COMPANY] WAS ENGAGED BY [COMPANY] TO PROVIDE CONSULTING SERVICES INTENDED TO IMPROVE THE FOLLOWING SECURITY CONTROLS: [IDENTIFY ALL CONTROLS / ISSUES]. THUS, IN PREPARING THIS REPORT, [ASSESSOR] WAS RESPONSIBLE FOR REVIEWING THE WORK OF THEIR COLLEAGUE. THIS REPRESENTS A CONFLICT OF INTEREST. IN LIGHT OF THIS CONFLICT, EACH RECIPIENT OF THIS REPORT MUST INDIVIDUALLY DETERMINE: HOW MUCH WEIGHT THEY WISH TO PLACE IN ITS OBSERVATIONS; AND WHETHER THEIR INTERNAL SECURITY POLICIES REQUIRE ANY FURTHER ACTION.

TRUSTED PARTNER NETWORK DISCLAIMS ALL RESPONSIBILITY AND LIABILITY FOR YOUR RELIANCE ON ANY CONFLICTED OBSERVATIONS, AND/OR YOUR RESOLUTION OF THIS CONFLICT.”

Participants acknowledge & agree that TPN may make a public “conflict disclosure” in its software platform to make reviewing-parties aware that the Auditing Party recently provided the Participant with the consulting services.

For avoidance of doubt, under no circumstances: may a Participant engage an Auditing Party to perform an audit where, in the previous two (2) years, the Auditing Party provided consulting or advisory services intended to assist the Participant in preparing for the specific audit at issue; or may a Participant engage a Qualified Assessor to perform an audit where, in the previous two (2) years, the Qualified Assessor provided consulting or advisory services addressing or improving particular security controls which fall within the audit’s scope. Also, for avoidance of doubt, no Auditing Party may provide consulting or advisory services in respect of a facility that they are currently auditing.

• Participants shall not engage an Auditing Party to provide consulting or advisory services relating to the remediation of any deficiencies identified in a TPN-audit performed by the Auditing Party (or its assessors) unless the Participant (i) waives the Auditing Party’s conflict-of-interest by executing a standard conflict-waiver form provided by TPN, and (ii) submits the executed conflict-waiver to TPN.

• Participants shall not provide Auditing Parties with any gifts or social invitations (e.g. dinners, tickets to sporting events, etc.) that would confer a material financial benefit – individually or in the aggregate – to the Auditing Party. Further, in their relations with Auditing Parties, Participants should, at all times, remain cognizant of, and take steps to curb, the appearance of impropriety.

III. Managing complaints

Any Participant can lodge a personal complaint, or report a suspected violation of any TPN Policy, with TPN’s General Counsel, or with another designated person or office. The matter will then be thoroughly investigated and the necessary measures will be taken as appropriate.


EXHIBIT C

Appeal Procedures Summary

This document sets forth: (1) the process by which vendors and content owners participating in the TPN Program (“Participants”; and each a “Participant”) may challenge decisions to limit or suspend their participation in the TPN Program, or expel them from the TPN Program, as a result of their alleged violation of TPN policies (including the Code of Ethics) (any such limitation, suspension or expulsion, a “Participation Limit”); and (2) the rules governing such challenges (these processes and rules, collectively, the “Appeal Procedures”).
These Appeal Procedures provide for two (2) levels of appellate review: a preliminary review and determination by TPN’s Chief Operations Officer (the “Director”); and if needed, an appeal to the Appeals Committee (the “Appeals Committee”).

I. APPEALABLE ACTIONS

Participants may only appeal the following adverse action by the TPN Program: the Participant is being subjected to a Participation Limit by the TPN Program.

II. CONTENT OF APPEALS

In the appeal process, Participants may challenge the application of TPN’s rules and policies (this the “Appropriate Scope”), including by: contesting the factual basis for, or reasoning underlying, particular decisions; and/or disputing the applicability of particular rules to a given circumstance. In no circumstance, however, may Participants challenge the underlying rules or policies themselves in this process.
In the event that TPN receives appeal documentation that raises issues that are outside the Appropriate Scope, Participant will be notified that these issues are outside the Appropriate Scope and these issues will be disregarded. In the event that TPN receives appeal documentation which fails to raise any issues within the Appropriate Scope, this documentation will be rejected.

III. TIMEFRAME FOR SUBMITTING APPEAL

A Participant seeking to present an appeal must submit a written appeal request (a “Request for Review”) to the Director within thirty (30) days after the decision imposing the Participation Limit was issued (the “Deadline”). This Request for Review must be signed by the Participant and conform to the specifications set forth in Section III (Informal Review by the Director) of this document. If the Request for Review does not conform to the specifications set out in these Appeal Procedures or is not filed by the Deadline, it will be rejected by the Director. TPN will consider waiving the Deadline only where the inability to comply with the Deadline is due to factors beyond the control of the Participant.

IV. INFORMAL REVIEW BY THE DIRECTOR

A Participant who is the subject of a potential Participation Limit may appeal to the Director by submitting a Request for Review. This Request for Review must contain each of the following items:

• The name, phone number and email address of the Participant;
• The action that led to the appeal (e.g. suspension from the TPN Program);
• Each reason the Participant believes the adverse action is incorrect and should be changed; and
• Copies of any supporting documentation.

The Participant should be especially careful to note every disagreement they have with the adverse action, as only one appeal may be brought forward for each decision imposing a Participation Limit.

Within fifteen (15) business days after the submission of Request for Review, the Director will conduct a preliminary review and will either uphold, modify, or take other appropriate action regarding, the adverse action. In certain circumstances, the Director may also immediately refer the appeal to the Appeals Committee for review and resolution.

Once the Director issues their decision, the Participant shall have the right to appeal that decision by providing the Director with written notice of their desire to appeal within thirty (30) days after the Director’s decision. This notice should state the reasons the Participant believes the initial Director determination is incorrect and should be reversed or modified. If the Participant requests this second-level of review, the adverse action will then be referred to the Appeals Committee.

V. APPEALS TO THE APPEALS COMMITTEE

Appeals of Director determinations will be reviewed and resolved by the Appeals Committee. This committee will include at least three (3) motion picture industry content owners who participate in the MPA’s Content Security Working Group, and are TPN-participants in good standing. In order to defray the cost of convening and hosting these individuals, the Participant must pay a non-refundable $500 fee before scheduling a hearing with the Appeals Committee.

Once a complete written appeal is received, the Appeals Committee will notify the Participant of the appeal schedule. A Participant may request a hearing in person or by telephone conference to present information to the Appeals Committee. In reviewing the adverse action, the Appeals Committee shall consider the following:

• The written Request for Review;
• Evidence and arguments presented by the Director;
• Evidence and arguments presented by the Participant, in person, by telephone or in writing; and
• Any other objective evidence which pertains to the matter at hand and which is presented to the committee.

Within one week after the close of a hearing, the Appeals Committee will review the record and issue a final decision (a “Decision”) to the Participant, which will include the relevant factual determinations and reasoning of the Appeals Committee. All Decisions of the Appeals Committee are final.
No member of the Appeals Committee may participate in the review if they are associated or affiliated with the party seeking the appeal.

VI. FINALIZING AND CLOSING APPEALS
An appeal will be closed when: (1) Participant fails to appeal an adverse action or decision of the Director within the timeframes set forth in these Appeal Procedures; (2) the appeal has been withdrawn or terminated by the Participant; or (3) a Decision is issued by the Appeals Committee.

VII. CONFIDENTIALITY
In order to protect the privacy of all Participants, all material prepared by, or submitted to, the Director and/or the Appeals Committee will be confidential. Disclosure of material prepared by, or submitted to, this Committee is permitted only when specifically authorized by the Participant.

Among other information, TPN and the Appeals Committee will not consider the following materials and documents to be confidential:

a. Published rules, or policies and procedures;
b. Records and materials, which are disclosed as the result of a legal requirement; and
c. All decisions and orders of the Director or the Appeals Committee, which are considered final and closed, consistent with these procedures.

For avoidance of doubt, material submitted to the Director and/or the Appeals Committee may be shared with TPN staff for the purpose of: (a) administering an appeal; or (b) implementing a final decision made by the Director or the Appeals Committee.

VIII. QUESTIONS CONCERNING THE APPEAL PROCEDURES

Qualified assessors/candidates with any questions concerning the Appeal Procedures should submit the question(s) by email to [email protected] or by mail to:

Trusted Partner Network, LLC
c/o Motion Picture Association
15301 Ventura Blvd., Bldg. E
Sherman Oaks, CA 91403
United States of America
Attention: Kurt Fischer