SOC2 - NON-DISCLOSURE AGREEMENT

This NON-DISCLOSURE AGREEMENT (“NDA”) governs the disclosure of information BY SUMMIT TECHNOLOGY CONSULTING GROUP, LLC (“STG” or “the Company”), a Pennsylvania LLC with offices at 5050 Ritter Road, Mechanicsburg, PA 17055 to a Recipient as that term is described in this agreement and is effective immediately upon signature of the individual named herein who is requesting the report as an individual or on behalf of a user entity as that term is described in this agreement

Whereas McKonly & Asbury LLP (“M&A”) has conducted an examination in accordance with attestation standards established by the American Institute of Certified Public Accountants that require they obtain reasonable assurance about whether, in all material respects, STG has presented a description of its control environment in accordance with the description criteria and the controls stated therein were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.

Whereas McKonly & Asbury LLP (“M&A”) has prepared a written report of their results (the “Report”) for the sole benefit and use of STG, and for user entities of STG’s products and/or services during some or all of the period from January 1, 2023 to September 30, 2023, certain business partners of STG subject to risks arising from interactions with the STG in the provision of these services, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators (all parties listed and referenced collectively hereafter as “Recipient);

Whereas the Recipient has requested a copy of the Report:

LC agrees to allow Recipient access to the Report subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement on behalf of your company, then “Recipient” or “you” also means your company. Your acceptance of these terms will bind your company to this agreement, and you attest that you have sufficient authority to bind your company in this manner. You also attest that you are not requesting this Report or behalf of another individual or company.

You, individually, and the Recipient agree to be bound by these terms and conditions. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than LC is prohibited, except as provided below.

LC agrees to allow Recipient to access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:

1. Content and limitations: The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. McKonly & Asbury LLP (“M&A”) has prepared a written report of their results (the “Report”) for the sole benefit and use of LC, for user entities of LC’s products and/or services during some or all of the period from January 1, 2023 to September 30, 2023, certain business partners of LC subject to risks arising from interactions with the LC in the provision of these services, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators (all parties listed and referenced collectively hereafter as “Recipient) who have sufficient knowledge and understanding of the following:

This report is not intended to be, and should not be, used by anyone other than these specified recipients.

2. Degree of Care and Limitation of Use: Except where compelled by legal process (of which the Recipient shall promptly inform LC so that they may seek appropriate protection), the Recipient agrees it will not disclose, orally or in writing, this Report or any portion thereof; any other Confidential Information received in connection therewith; or make any reference to LC or this Report in connection therewith in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. Recipient agrees it will hold and store this information in keeping with storage of its own confidential information and in no case handle or store this information with less than reasonable care. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by LC in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential either at the time of or within thirty (30) business days of disclosure, or (iii) reasonably regarded as being of a confidential nature.

3. Term of Use: Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security or and other business policies, and related practices as may be referenced therein. This agreement does not create or imply an agreement to complete any transaction or an assignment by LC of any rights in its intellectual property.

4. Release of Claim: The Recipient (for itself and its successors) hereby releases each of LC, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or McKonly & Asbury LLP’s performance of the Services.

5. Indemnity: The Recipient shall indemnify, defend and hold harmless these Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.

6. Actions Required at Termination: Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.

7. Legal Action Requiring Disclosure: The Recipient may disclose Confidential Information pursuant to legal, judicial, or administrative proceeding or otherwise as required by law; provided that the Recipient shall give reasonable prior notice, if not prohibited by applicable law, to the Discloser and shall assist the Discloser, at Discloser’s expense, to obtain protective or other appropriate confidentiality orders, and further provided that a required disclosure of Confidential Information to an agency or Court does not relieve the Recipient of its confidentiality obligations with respect to any other party.

8. Governing Law: This NDA shall be governed by and construed in accordance with the laws of the Commonwealth of Pennsylvania, in the courts of Pennsylvania, without reference to conflict of laws principles. This NDA may not be amended except by in writing signed by authorized representatives of each party.

9. Injunctive Relief: Either party may, without waiving any remedy under this NDA, seek from any court of competent jurisdiction any interim or provisional relief that such party deems necessary to protect its Confidential Information and property rights

10. Validity: If any term or provision of this NDA is unenforceable, then the remainder of this NDA will not be affected, impaired, or invalidated, and the other terms and provisions of this NDA will be valid and enforceable to the fullest extent permitted by law.

11. Third Party Rights: Neither party shall communicate any information to the other in violation of the proprietary rights of any third party.

13 Notices: All notices or reports permitted or required under this NDA shall be in writing and shall be delivered by personal delivery, electronic mail, or by certified or registered mail, return receipt requested, and shall be deemed given upon personal delivery, five (5) days after deposit in the mail, or upon acknowledgment of receipt of electronic transmission. Notices shall be sent to the addresses set forth at the end of this NDA or such other address as either party may specify in writing.