Master Services Agreement

MASTER SERVICES AGREEMENT — The framework on which we deliver AriaPLT™ to enterprise Customers.

This Master Services Agreement ("MSA"), together with all exhibits and references incorporated herein — including without limitation the Terms of Service ("ToS"), the Data Processing Agreement ("DPA"), the Service Level Agreement ("SLA"), the Privacy Policy, the Acceptable Use Policy (the "AUP", integrated in Art. 05 of the ToS), the EU Data Act Addendum, the DORA Addendum where applicable, the AI Act Annex, the Sub-Processors List, and the Order Form executed by the Parties (collectively, the "Agreement") — forms a legally binding and enforceable agreement by and between SINAURA S.R.L. ("SINAURA") and the legal entity identified as the customer in the Order Form (the "Customer"). SINAURA and the Customer may be referred to herein collectively as the "Parties" and individually as a "Party". This Agreement is effective as of the date on which the Customer accepts and signs the Order Form (the "Effective Date").

Version 1.2 · Last updated: 16 May 2026 · References: Italian Civil Code · D.Lgs. 70/2003 · GDPR · EU AI Act (Reg. 2024/1689) · EU Data Act (Reg. 2023/2854) · NIS2 (Dir. 2022/2555) as transposed by D.Lgs. 138/2024 · DORA (Reg. 2022/2554) where applicable · Directive 96/9/EC · eIDAS · D.Lgs. 30/2005 · D.Lgs. 231/2001 · D.Lgs. 231/2002.

RECITALS

WHEREAS, SINAURA provides AriaPLT™, an industrial AgenticAI Software-as-a-Service platform that enables the deployment, configuration, orchestration, monitoring and operation of vertical AI agents on Customer industrial processes (work orders, P&IDs, technical manuals, telemetry, ERP/CMMS/SCADA integrations), inclusive of related interfaces, APIs, knowledge bases, vertical RAG pipelines, dashboards and support resources (the "Platform", and together with the Account, the Agents and all features made available, the "Services"); and

WHEREAS, the Customer desires to access and use the Services in accordance with the terms and conditions set forth in this Agreement and the applicable Order Form.

NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows.

Capitalised terms not defined in-line are defined in the Definitions section at the end of this MSA.

01 · ACCESS AND USE OF THE SERVICES, THIRD-PARTY SYSTEMS

1.1 — Licence grant. During the Term, and for the Customer's internal industrial business purposes, SINAURA hereby grants the Customer a non-exclusive, non-transferable, non-sub-licensable and limited licence (the "Licence") to: (i) access and use the Platform and the Account and to configure, design, build, deploy and monitor the Agents; (ii) operate the Agents within the limits of the Subscription; (iii) add or remove Authorised Users; (iv) view usage reports and audit trails, monitor Agent actions, configure notification preferences; and (v) access support resources and Documentation. The Licence is granted exclusively for the duration of the Subscription set out in the Order Form and is subject to the terms of this Agreement, the ToS and the AUP.

1.2 — Account responsibility. The Customer is responsible for all activities conducted under its Account and shall ensure that the Account information is accurate, updated and complete. The Customer shall maintain the confidentiality of all login credentials, Account information and API keys, and shall ensure that named credentials are not shared, sold, leased or otherwise transferred. The Customer must promptly notify SINAURA of any unauthorised use or suspected security breach at info@sinauragroup.com. SINAURA may suspend access to the Services where it reasonably suspects or detects unauthorised use, security threat or breach of these terms, and shall cooperate with the Customer to mitigate the risks and resolve the matter. The detailed prohibitions on credentials, accounts and API keys are set out in Art. 03 of the ToS.

1.3 — Compliance with laws and policies. The Customer agrees to use the Services solely in accordance with this Agreement, the Documentation, the ToS, the AUP and all applicable laws. Without limiting the foregoing, the Customer shall not: (i) copy, modify or create derivative works of the Services beyond what is expressly permitted; (ii) reverse engineer the Platform or the Services, save for the mandatory interoperability rights set out in Art. 06 of the ToS; (iii) use the Services in a manner that infringes, misappropriates or otherwise violates any third-party rights, applicable laws or regulations governing data protection, AI (including Arts. 5 and 50 EU AI Act), consumer rights, recording or communications; (iv) use the Services to transmit any unlawful, fraudulent, defamatory or harmful content; (v) use or access the Services from an embargoed country or in violation of export-control or sanctions regimes; (vi) interfere with, disrupt or compromise the integrity, performance or security of the Services or their underlying infrastructure; or (vii) use the Agents or the Third-Party Systems made available through the Services for the purpose of extracting, scraping, copying or reverse-engineering proprietary components of the Platform in order to develop a directly competing product. For the avoidance of doubt, this Section shall not prevent the Customer from developing its own AI systems or models for its own legitimate internal industrial use, provided that no SINAURA IP or Confidential Information is incorporated therein. The Customer is responsible for ensuring that its use of the Services complies with the AUP and the additional prohibitions set out in Art. 19 (Anti-Plagiarism) and Art. 20 (NDA and Lockout) of the ToS.

1.4 — Beta / Labs features. SINAURA may offer the Customer access to certain features that are not generally available or that are identified as alpha, beta, pilot, preview, labs or by similar designation (collectively, "Beta Services"). Use of Beta Services is governed by Art. 09 of the ToS (Beta / Labs features) and requires explicit opt-in by an administrative Authorised User of the Customer. Beta Services are provided "as is", without any SLA, warranty or commitment of continued availability. Beta Services shall not be deployed by the Customer in safety-critical, life-supporting, life-sustaining or otherwise mission-critical industrial environments (including DCS, SIS, fire & gas, plant emergency shutdown systems) without SINAURA's prior express written authorisation.

1.5 — Third-Party Systems and international transfers. The Customer acknowledges that the Services include components or integrations from third-party providers ("Third-Party Systems"), including without limitation cloud infrastructure (AWS EMEA SARL, region eu-central-1, Frankfurt), email delivery, payment processing and large-language-model providers (currently Anthropic, OpenAI, Mistral AI, as listed at sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors). SINAURA represents that, in respect of the data plane used for inference, the LLM providers listed above are accessed through their EU-resident endpoints, where available. The Customer acknowledges that the data plane residency does not, by itself, exclude that administrative, security telemetry or support access to the Third-Party System may be performed from outside the European Economic Area. Where any processing of personal data is performed outside the EEA, SINAURA shall ensure that such processing is covered by an appropriate safeguard under Art. 46 GDPR (including the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 — Modules 2 or 3 as applicable — or the EU-US Data Privacy Framework where the recipient is certified). SINAURA shall conduct and maintain a documented Transfer Impact Assessment ("TIA") for each material Sub-processor located outside the EEA, including supplementary technical and organisational measures (encryption in transit and at rest, pseudonymisation where feasible, strict access controls, BYOK where supported). SINAURA represents that the inclusion of Third-Party Systems will not reduce the rights granted to the Customer under this Agreement or restrict the Customer's ability to use the Services in accordance with the Documentation. The use or integration of Third-Party Systems within the Services shall not obligate the Customer to license its own software or products under any open-source or similar licence. SINAURA shall not be liable for failure or unavailability of Third-Party Systems not within its reasonable control, save where such failure is attributable to SINAURA's own negligent selection, supervision or risk management of such Third-Party System (NIS2 / DORA risk management).

1.6 — Changes to Third-Party Systems. SINAURA reserves the right to add, modify, replace or discontinue any Third-Party System integrated with or used in connection with the Services, provided that such changes do not materially decrease the overall functionality of the Services. Changes to sub-processors are notified to the Customer at least thirty (30) days in advance under DPA §5(1), with right of reasoned objection. SINAURA shall use commercially reasonable efforts to minimise any disruption to the Services resulting from such changes.

1.7 — Updates to the Services. SINAURA may, from time to time, update, enhance, modify or discontinue features of the Services to comply with law or regulatory requirements, improve quality, performance, security, efficiency or for any other legitimate business purpose. Material changes are governed by Art. 15 of the ToS (Updates to the Platform). With respect to API changes, SINAURA shall provide at least thirty (30) days' prior written notice for any breaking changes or deprecation of API versions, and shall maintain backward compatibility for deprecated API versions for a minimum of ninety (90) days following such notice, unless the changes are required for security or legal compliance. Material adverse changes shall not become effective without the Customer's consent, save where the change is required by law, regulation or to address an imminent security risk; in such cases the Customer shall be entitled to terminate the affected Order Form without penalty within thirty (30) days from the effective date of the change. The Customer is responsible for making any necessary changes to its systems, applications or integrations to maintain compatibility with the current version of the Services and supported API versions.

02 · RESPONSIBILITIES

2.1 — Customer responsibilities. The Customer is responsible for: (i) ensuring the accuracy, quality, integrity and lawfulness of Customer Data and Inputs and that Customer Data does not infringe third-party rights (including intellectual property and data protection rights); (ii) acknowledging that the Agents generate Outputs based on Customer Data, with the consequence that SINAURA shall not be liable for harmful, unlawful, misrepresenting or infringing Outputs directly and exclusively resulting from Customer Data, prompts or configurations (without prejudice to SINAURA's provider obligations under the AI Act and §9.1-bis below); (iii) providing all technical data and information reasonably required by SINAURA to deliver the Services, and granting SINAURA the licence set out in Art. 06 of the ToS to host, store, transmit, process and display Input and Customer Data solely as strictly necessary to provide the Services; (iv) ensuring that the use of the Agents and Inputs complies with applicable regulations, including content-moderation regulations, AI labelling under Art. 50 EU AI Act, recording or telecommunications laws and data protection regulations, and obtaining all necessary consents or providing required disclosures to End Users; (v) procuring and maintaining all equipment and ancillary services necessary to access and use the Services (servers, network connectivity, end-user devices, MDM, security tooling — collectively the "Equipment"). Except as expressly set forth in the Agreement, SINAURA is not responsible for supplying Equipment to the Customer nor for any malfunction or error caused by the Equipment.

2.2 — High-risk AI systems and roles under the AI Act. The Parties acknowledge that SINAURA is the provider of the AI system underlying the Platform (within the meaning of Art. 3(3) Reg. (EU) 2024/1689), and that the Customer is the deployer in respect of its own deployment, configuration and operation of the Agents (Art. 3(4)). Where the Customer's use case falls within Annex III of Reg. (EU) 2024/1689 — in particular §2 (critical infrastructure) or §4 (safety components of products subject to harmonised EU legislation) — or otherwise within a safety-critical industrial environment expressly identified in the Order Form, the system shall be deemed high-risk. In such case, SINAURA shall comply with its provider obligations under Arts. 9 to 17 and 50 AI Act (subject to the transitional regime set forth in the AI Act and any applicable extension), including by providing the Customer with the instructions for use and technical documentation required under Art. 13, and shall cooperate with the Customer in the Customer's fulfilment of deployer obligations under Art. 26 AI Act, including human oversight, monitoring, logging retention and Fundamental Rights Impact Assessment (FRIA) where applicable. The Customer shall promptly inform SINAURA of any required specifications or configurations to ensure regulatory compliance where processing involves sensitive information (health, financial or minors' data), high-risk AI use cases, or where the Customer is a financial entity subject to Regulation (EU) 2022/2554 (DORA), in which case the DORA Addendum applies as an integral part of this Agreement.

2.2-bis — Substantial modification. If the Customer or any third party acting on the Customer's behalf performs fine-tuning, retraining, modification of the intended purpose or any other change to the AI system that qualifies as a "substantial modification" under Art. 25 AI Act, the Customer shall be deemed to be the provider of the resulting modified system and shall assume the corresponding obligations under the AI Act. SINAURA's Per-Customer agent specialization as set out in §4.5 is, by design, configured to remain within the original intended purpose of the system and does not, in itself, constitute a substantial modification.

2.2-ter — GPAI. To the extent the underlying foundation models used in the Platform qualify as general-purpose AI models, SINAURA shall comply with applicable provider obligations under Arts. 53 and 55 AI Act, including by maintaining technical documentation, a copyright policy (Art. 53(1)(c) and Art. 4 Directive (EU) 2019/790), and a summary of training data (Art. 53(1)(d)), and by adhering to the relevant Codes of Practice published by the AI Office.

2.3 — SINAURA responsibilities. SINAURA shall: (i) use Customer Data solely under the documented instructions of the Customer acting as data controller, pursuant to Art. 28(3)(a) GDPR, and only for the purpose of providing the Services, including Per-Customer agent specialization as set out in §4.5 below and in the Privacy Policy; (ii) implement and maintain commercially reasonable technical and organisational measures to protect the security and integrity of the Services and Customer Data against accidental, unlawful or unauthorised access, use, destruction, transfer, disclosure or alteration, as further detailed in Annex 1 of the DPA (TOMs); (iii) implement and maintain technical and organisational measures consistent with the risk management requirements of Art. 21 of Directive (EU) 2022/2555 (NIS2), as transposed in Italy by Legislative Decree 138/2024, to the extent applicable to SINAURA, and shall in any event support the Customer's own compliance where the Customer qualifies as an essential or important entity under NIS2; (iv) where the Customer is a financial entity subject to DORA, comply with the obligations of an ICT third-party service provider under Arts. 28-30 DORA as further specified in the DORA Addendum; (v) in the event of a significant incident affecting the Services and likely to impact the Customer's NIS2 obligations, notify the Customer without undue delay and in any event within twenty-four (24) hours from awareness, with subsequent information consistent with the Customer's notification timeline under Art. 23 NIS2.

2.4 — Independent controllership over Analytics Information. Where Analytics Information includes personal data of Authorised Users, SINAURA acts as an independent data controller for the purposes of (a) ensuring service availability, security and abuse detection, and (b) improving the quality and performance of the Services. Such processing is grounded on SINAURA's legitimate interest under Art. 6(1)(f) GDPR, as documented in the Legitimate Interest Assessment available upon Customer request. SINAURA shall make available a notice compliant with Arts. 13-14 GDPR which the Customer agrees to make accessible to its Authorised Users. SINAURA shall not use Analytics Information for direct marketing toward End Users nor for the training of generalist AI models intended for or shared with other customers.

03 · REPRESENTATIONS, WARRANTIES AND DISCLAIMERS

3.1 — Mutual representations. Each Party represents and warrants that: (i) it has the full legal power and authority to enter into and perform its obligations under this Agreement; and (ii) the execution and performance of this Agreement does not and will not conflict with or violate any other agreement, law or obligation by which it is bound.

3.2 — SINAURA Service Warranties. SINAURA further represents and warrants that: (i) the Services will materially conform to the specifications and service-level commitments set forth in the applicable Order Form and SLA; (ii) it shall perform the Services, including Professional Services where applicable, in a professional manner in accordance with industry standards for similar services; (iii) it has implemented and will maintain appropriate monitoring, validation and quality-assurance procedures to ensure the safe, reliable and professional operation of the Services, and will promptly notify the Customer of any material issues, failures or incidents that could affect the reliability, accuracy or security of the Services (collectively, the "Service Warranties"); and (iv) it shall comply with its provider obligations under the AI Act as set forth in §§2.2 to 2.2-ter to the extent applicable.

3.3 — Notification and remedy. The Customer must notify SINAURA in writing of any alleged breach of the Service Warranties within thirty (30) business days of becoming aware of such breach. If SINAURA determines that a breach of warranty has occurred, SINAURA will promptly correct or re-perform the affected Professional Services at its own expense, or correct the error within the Services subject to the SLA. The foregoing shall be the Customer's sole and exclusive remedy with respect to Services that fail to comply with the Service Warranties, save for the mandatory remedies under applicable law and the indemnification obligations under Art. 09.

3.4 — "As is" disclaimer. Except for the express warranties set forth in this Agreement, for mandatory obligations of SINAURA as provider of an AI system under the AI Act (Arts. 9-17, 50, 53), and save for mandatory provisions of law, all Services — including the Platform, the Account, the Agents, the APIs, the Outputs, any free-tier services, Evaluation Accounts or Beta Services — are provided on an "as is" and "as available" basis. To the maximum extent permitted by applicable law, SINAURA disclaims all implied warranties of merchantability, fitness for a particular purpose, accuracy, non-infringement or arising from course of performance, dealing, usage or trade. SINAURA makes no warranty that the Services will be uninterrupted, error-free or bug-free. The cyber-security warranty set out in Art. 09 of the ToS (NIS2 alignment) applies to the extent stated therein.

3.5 — Disclaimers regarding integrations and equipment. SINAURA expressly disclaims all warranties and liability arising from or related to: (i) integrations with Customer Systems or Third-Party Systems chosen by the Customer; (ii) materials or content uploaded by the Customer; and (iii) the Equipment, whether provided by SINAURA or any third party, except as expressly stated otherwise in this Agreement and without prejudice to §9.1, §9.1-bis and SINAURA's mandatory obligations under the AI Act.

04 · INTELLECTUAL PROPERTY RIGHTS

4.1 — SINAURA IP. As between the Parties, SINAURA owns and retains all right, title and interest in and to the Platform, the Agents, the Documentation, the Analytics Information (without prejudice to §2.4 above on controllership), the System Generic Materials, the SINAURA Technology and any derivative works thereof, and all related Intellectual Property Rights (collectively, the "SINAURA IP"). SINAURA holds sui generis database rights pursuant to Directive 96/9/EC on all proprietary databases, ontologies and knowledge bases embedded in the Platform. Except for the limited rights expressly granted to the Customer under this Agreement, no rights in or to the SINAURA IP are granted, assigned or transferred to the Customer.

4.2 — Customer IP. As between the Parties, the Customer owns and retains all right, title and interest in and to Customer Data, Inputs and the Outputs generated for the Customer, to the extent that such Outputs do not include or incorporate SINAURA IP or SINAURA Confidential Information (collectively, the "Customer IP"). Subject to payment of the applicable Fees and to compliance with this Agreement, SINAURA assigns to the Customer, to the maximum extent permitted by law, all right, title and interest that SINAURA may have in and to the Outputs generated from Inputs and Customer Data. The Parties acknowledge that, under EU and Italian copyright law, content generated entirely by AI systems without sufficient human creative contribution may not qualify for copyright protection; the assignment operates to the maximum extent of any right that may subsist. For the avoidance of doubt, "Outputs" do not include any synthetic voice rendering of pre-existing recordings (deepfake voice cloning), which is not a feature offered through the Services; SINAURA expressly does not engage in voice cloning of identifiable natural persons. Output similarity between independent Customer Outputs that may arise as a statistical consequence of foundation-model behaviour shall not in itself constitute a breach of this Agreement. Transparency obligations under Art. 50 AI Act and the deployer obligations under Art. 26 and Annex III AI Act are governed by Art. 06 of the ToS and §§2.2 to 2.2-ter above.

4.3 — Licence to SINAURA. The Customer hereby grants SINAURA a non-exclusive, royalty-free licence — sub-licensable solely to the authorised sub-processors listed in Annex 3 of the DPA, and limited geographically to the regions necessary for the provision of the Services, with international transfers governed by §1.5 above — to host, store, transmit, process and display Customer Data and Inputs solely as strictly necessary to provide the Services, fulfil its obligations under this Agreement and as otherwise expressly permitted herein. This licence terminates upon termination of the Subscription, save for the retention and deletion obligations set out in Annex 4 of the DPA and for statutory retention obligations.

4.4 — Feedback. If the Customer provides SINAURA with any suggestions, ideas, enhancement requests, feedback, recommendations or other input regarding the Services (the "Feedback"), the Customer agrees that such Feedback is provided voluntarily and on a non-confidential, non-proprietary basis. SINAURA shall be free to use, disclose, reproduce, license, distribute and otherwise exploit such Feedback without restriction and without any obligation or compensation to the Customer. For the avoidance of doubt, Feedback shall not include Customer Data or Customer Confidential Information.

4.5 — Per-Customer agent specialization (the only training SINAURA performs on Customer Data). The Platform's Agents can be specialized to the Customer's own context through fine-tuning, instruction-tuning, retrieval-augmented configuration and reinforcement on the Customer's Data and Feedback. This is the only form of training that SINAURA performs on Customer Data. Its purpose is to make the Agents progressively more accurate, specialized and autonomous in the Customer's specific operational domain (work orders, P&IDs, technical manuals, telemetry patterns, vocabulary and workflows of that Customer). For the avoidance of doubt, Per-Customer agent specialization is performed exclusively on the documented instructions of the Customer acting as data controller, pursuant to Art. 28(3)(a) GDPR, and constitutes processing by SINAURA as data processor for the benefit of the Customer alone.

Per-Customer specialization is performed exclusively: (i) on a per-tenant basis, within the Customer's isolated workspace, never cross-tenant; (ii) using only the Customer's own Inputs, Outputs, Customer Data and Feedback as training signal; (iii) for the sole benefit of the Customer's own Agents, with no carry-over of trained weights, prompts or specialization artefacts to Agents serving any other customer; (iv) with the same encryption, segregation and access-control safeguards applicable to Customer Data (AES-256 at-rest, tenant isolation, RBAC, immutable audit trail); (v) disabled by default for new tenants and activated only upon explicit opt-in by an administrative Authorised User of the Customer, with the right of the Customer to disable it at any time via the workspace administration settings, in which case the Agents operate in pre-trained baseline mode; (vi) with complete deletion of the specialized Agent configurations and any derived training artefacts upon termination of the Subscription, under the T0–T15–T30 procedure of DPA Annex 4. Per-Customer specialization does not constitute training of generalist AI models intended for or shared with other customers.

4.6 — Anti-Plagiarism and Anti-Cloning. The Customer's obligations regarding plagiarism, cloning, replication, imitation or reverse-design of the Platform or any of its proprietary or distinctive components — and the related enforcement remedies under Italian, EU and international intellectual-property regimes — are set out in Art. 19 of the ToS. The user-level confidentiality and lockout undertakings collected via click-through at registration are set out in Art. 20 of the ToS (NDA and Lockout Agreement).

05 · PAYMENTS

5.1 — Subscription model. The Services operate on a subscription basis, with annual or multi-annual fixed commitments, monthly billing cycles or hybrid models, as agreed in the applicable Order Form. Fees, billing frequency, payment method, currency, applicable Modules, seats and rate limits are set out in the Order Form. Where the Order Form specifies a usage-based component (e.g., per-Agent action, per-token, per-document), the corresponding metering rules and overage rates are defined therein. SINAURA may update non-subscription usage rates by giving the Customer at least thirty (30) days' prior written notice; the change applies only to usage purchased after the effective date and does not affect already-purchased capacity.

5.2 — Invoicing. Invoices are issued in compliance with Italian tax law, through the Italian electronic invoicing system (Sistema di Interscambio – SDI), where applicable. Payments are processed via bank transfer or through authorised third-party payment sub-processors listed at sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors. Except as otherwise set forth in the Order Form, all Fees are payable within thirty (30) days from the date of the invoice. All amounts paid by the Customer are non-refundable, non-cancellable and non-creditable, save where otherwise required by mandatory law or as expressly set forth in this Agreement (including §6.2 termination for cause refunds).

5.3 — Suspension for non-payment. If the Customer's payment is overdue and not subject to a good-faith dispute under §5.6, SINAURA may, after sending written notice and a reasonable cure period of at least fifteen (15) business days, suspend access to the Services. SINAURA shall not be liable for any interruption resulting from suspension under this clause, save where the Customer's non-payment is itself attributable to a documented prior breach of SINAURA.

5.4 — Scope overage. If the Customer exceeds the permitted scope of use, seats, rate limits or usage allowance set out in the Order Form, SINAURA reserves the right to charge the Customer additional Fees at the then-current rates, after written notice and a reasonable opportunity to true-up.

5.5 — Taxes. Fees are exclusive of all Taxes. The Customer is responsible for settling any applicable Taxes that may be levied on top of the Fees and must pay SINAURA under this Agreement without any deductions related to Taxes. If SINAURA is required to collect or pay any Taxes, they will be invoiced to the Customer unless the Customer promptly provides a valid tax-exemption certificate. If the Customer is obligated by law to withhold Taxes from any payment, the Customer agrees to gross up the payment so that SINAURA receives the full agreed-upon Fees. VAT is applied according to place-of-supply rules: reverse charge for intra-EU B2B Customers (Art. 7-ter D.P.R. 633/1972 / Art. 196 Dir. 2006/112/EC); not subject to VAT for extra-EU Customers under the relevant exemption.

5.6 — Payment disputes. In the event of a good-faith dispute as to an invoice, the Customer must (a) pay all undisputed Fees on time and (b) notify SINAURA in writing at info@sinauragroup.com within fifteen (15) days from issuance of the invoice, with sufficient detail to explain the basis of the dispute. The Parties shall use reasonable efforts to resolve the dispute within thirty (30) days from such notice.

5.7 — Late payment interest. In case of late payment, statutory interest under Italian D.Lgs. 231/2002 applies automatically from the day following the due date, without need of formal notice, in addition to the recovery costs provided therein. In case of non-payment after due notice and expiry of the cure period under §5.3, SINAURA may terminate the Agreement pursuant to Art. 1456 of the Italian Civil Code.

5.8 — Price changes at renewal. Save where otherwise agreed in the Order Form, SINAURA may revise Subscription Fees applicable to subsequent renewal periods by giving the Customer at least sixty (60) days' prior written notice before the renewal date. Where the cumulative increase since the last revision exceeds the European HICP variation observed over the same period by more than five (5) percentage points, the Customer is entitled to terminate the Subscription with effect from the renewal date by written notice given within thirty (30) days of receipt of SINAURA's notice. Until termination takes effect, the existing Fees continue to apply.

06 · TERM AND TERMINATION

6.1 — Term. This Agreement shall commence on the Effective Date and remain in full force and effect until terminated in accordance with this Section (the "Term"). The Term shall automatically continue for as long as there is at least one active Order Form in effect, with tacit renewal of each Order Form unless either Party gives written notice of termination at least sixty (60) days before the expiration date of the relevant Subscription period. The tacit renewal mechanism in this §6.1 constitutes a vexatious clause expressly approved pursuant to Art. 1341 of the Italian Civil Code.

6.2 — Termination for cause. Either Party may terminate this Agreement or any affected Order Form for cause if the other Party materially breaches any provision of this Agreement or any Order Form (including failure to pay undisputed Fees when due) and fails to cure such breach within thirty (30) days after receiving written notice from the non-breaching Party. Termination for cause shall not limit either Party's right to pursue any other remedies available at law or in equity, including injunctive relief. In the event of termination for cause by the Customer due to material breach by SINAURA, SINAURA shall refund the Customer a pro-rata portion of any prepaid Fees applicable to the remaining period after the effective date of termination.

6.3 — Effects of termination. Upon expiration or termination of this Agreement for any reason: (i) the Licence granted to the Customer shall immediately terminate and the Customer shall cease all use of and access to the Services, except for the limited access expressly permitted during the Transition Period described below; (ii) each Party shall promptly return, or if instructed in writing, securely destroy all Confidential Information of the other Party in its possession or control, except as otherwise agreed in writing or as required by applicable law; (iii) termination or expiration shall not affect any rights or obligations accrued prior to the effective date, including the Customer's obligation to pay any outstanding Fees; (iv) SINAURA shall return or delete Customer Data in accordance with the Customer's written instructions under the T0–T15–T30 procedure documented in Annex 4 of the DPA, save for statutory retention obligations.

6.4 — Transition Period. SINAURA shall provide the Customer with continued read-only access to the Services and Customer Data for an initial period of sixty (60) days following termination, extendable up to a maximum of seven (7) months upon the Customer's reasoned written request (the "Transition Period"), solely to enable the Customer to retrieve Customer Data and facilitate an orderly transition. During the Transition Period, SINAURA shall: (a) export Customer Data in a structured, commonly used and machine-readable format (CSV, JSON, Parquet or as otherwise agreed) free of charge; (b) provide reasonable migration assistance — beyond standard export tools, at the Customer's reasonable expense — including necessary data, documentation and technical support required for migration, with the objective of achieving "functional equivalence" within the meaning of Art. 30 of Reg. (EU) 2023/2854 (Data Act); (c) progressively reduce and ultimately waive switching charges, in line with the timeline set forth in Arts. 25 and 29 Data Act, with full waiver no later than 12 January 2027. At the end of the Transition Period, SINAURA shall, at the Customer's written direction, delete or return all Customer Data as set forth herein, completing the T0–T15–T30 deletion cycle.

6.5 — Switching, portability and B2B data sharing. The Customer's rights to switch to another provider under the Data Act, including the progressive withdrawal of switching charges by 12 January 2027, are set out in Art. 12 of the ToS and apply additionally and cumulatively with the Transition Period. Where the Platform processes data generated by connected products of the Customer (within the meaning of Art. 2(5) Data Act) or by related services, the Customer remains free to exercise the access and sharing rights under Arts. 3-6 Data Act vis-à-vis the relevant data holders, and SINAURA shall provide reasonable technical cooperation. Beginning 12 September 2026, all new connected products and related services made available through the Services shall be designed in accordance with the access-by-design principle of Art. 3 Data Act.

6.6 — Survival. The following provisions survive the termination or expiration of this Agreement, for the duration necessary to give them effect: Art. 02 (in the parts dealing with controllership and AI Act roles necessary to address residual obligations), Art. 04 (Intellectual Property), Art. 07 (Confidentiality), Art. 08 (Limitation of Liability), Art. 09 (Indemnification), Art. 10 (Governing Law), Art. 11 (Miscellaneous, including §§11.8, 11.9, 11.10, 11.13), and the corresponding survival provisions of the ToS (Art. 06, 07, 10, 11, 14, 17, 20, 21), as well as §3.8 of the DPA (return and deletion). Trade-secret obligations under Italian D.Lgs. 30/2005 survive indefinitely.

07 · CONFIDENTIALITY

7.1 — Mutual obligations. The Receiving Party shall hold in strict confidence all Confidential Information of the Disclosing Party and shall not disclose or use any such Confidential Information for any purpose outside the scope of this Agreement, except with the Disclosing Party's prior written consent. Each Party may disclose Confidential Information only to its employees, contractors, advisors and auditors who have a legitimate need to know and are bound by confidentiality obligations at least as protective as those set forth herein. The Receiving Party shall use at least the same degree of care to protect the Confidential Information as it uses to protect its own confidential and proprietary information of a similar nature, and in no event less than a reasonable standard of care.

7.2 — Compelled disclosure. If the Receiving Party is compelled by law, regulation, court order or other legal process to disclose Confidential Information of the Disclosing Party, it shall, to the extent legally permitted, provide the Disclosing Party with prompt written notice of such requirement prior to disclosure, and reasonable assistance, at the Disclosing Party's expense, if the Disclosing Party wishes to contest or limit the disclosure.

7.3 — Injunctive relief. The Receiving Party acknowledges that any breach or threatened breach of this Section may cause irreparable harm to the Disclosing Party for which monetary damages would be an inadequate remedy. Accordingly, in addition to any other remedies available at law or in equity, the Disclosing Party shall be entitled to seek injunctive or other equitable relief to prevent or restrain any such breach or threatened breach, without the requirement to post a bond or prove actual damages.

7.4 — Duration. The confidentiality obligations set forth in this Section shall survive for a period of five (5) years following the termination or expiration of this Agreement; provided, however, that obligations with respect to information constituting trade secrets under applicable law shall continue for as long as such information remains a trade secret.

This Section applies at the contractual level between SINAURA and the Customer. User-level confidentiality and lockout obligations collected by click-through at registration are governed by Art. 20 of the ToS (NDA and Lockout Agreement) and apply cumulatively.

08 · LIMITATION OF LIABILITY

8.1 — No indirect damages. Except as expressly stated in this Agreement, neither Party shall be liable to the other for any indirect, incidental, consequential, special, punitive or exemplary damages, including without limitation any loss of profits, revenue, business, data, goodwill or anticipated savings, arising out of or in connection with this Agreement, any Order Form or the use or inability to use the Services, regardless of the cause of action or theory of liability (whether in contract, tort, including negligence, or otherwise), even if such Party has been advised of the possibility of such damages.

8.2 — Liability cap. Subject to §§8.3 and 8.4, each Party's total aggregate liability for all claims arising out of or relating to this Agreement, any Order Form or the Services in any twelve (12)-month period shall not exceed the greater of: (a) the total Fees actually paid by the Customer to SINAURA under the applicable Order Form during the twelve (12) months immediately preceding the event giving rise to such claim; or (b) where the use case falls within Annex III of the AI Act or is otherwise expressly identified in the Order Form as a safety-critical industrial deployment (DCS, SCADA, SIS, fire & gas, plant emergency shutdown systems), an enhanced cap specifically agreed in the Order Form, which shall not be less than two (2) times the annual Subscription Fees.

8.3 — Carve-outs. The limitations set forth in §§8.1 and 8.2 shall not apply to: (i) liability arising from dolo, colpa grave (gross negligence), fraud or wilful misconduct (Art. 1229 of the Italian Civil Code); (ii) death or personal injury caused by negligence; (iii) either Party's breach of its confidentiality obligations or wilful infringement of intellectual property rights; (iv) the Customer's payment obligations under this Agreement; (v) liability that cannot be limited or excluded under applicable law, including joint and several liability under Art. 82 GDPR and analogous provisions under Reg. (EU) 2024/1689 (AI Act) and Reg. (EU) 2022/2554 (DORA); (vi) administrative fines lawfully imposed on the Customer by a competent supervisory authority directly resulting from SINAURA's documented breach of its obligations under this Agreement (in which case the carve-out is capped at three (3) times the annual Subscription Fees for the affected Order Form); (vii) SINAURA's indemnification obligations under §§9.1 and 9.1-bis.

8.4 — Mandatory law. The limitations and exclusions set forth in this Section shall apply to the maximum extent permitted by applicable law. Nothing in this Agreement shall limit or exclude any liability that cannot be limited or excluded under applicable law.

09 · INDEMNIFICATION

9.1 — SINAURA IP indemnity. SINAURA shall defend, indemnify and hold harmless the Customer from and against any third-party proceeding, action or claim alleging that the Platform, when used in accordance with this Agreement and the Documentation, infringes or misappropriates such third party's valid patent, copyright, trademark or trade secret right protected: (a) within the European Union; (b) where the applicable Order Form is governed by the Americas regional regime, also within the United States; or (c) where the applicable Order Form is governed by the APAC regional regime, also in Japan, Singapore, South Korea and Australia (each, an "IP Claim"). SINAURA shall, at its expense, defend such IP Claim and pay damages, costs and reasonable attorneys' fees finally awarded against the Customer by a court of competent jurisdiction or agreed in a settlement approved by SINAURA. If the Platform becomes, or in SINAURA's reasonable opinion is likely to become, the subject of an IP Claim, SINAURA may, at its option and expense: (i) procure for the Customer the right to continue using the Platform as set forth herein; (ii) replace or modify the Platform to make it non-infringing while providing substantially equivalent functionality; or (iii) if options (i) or (ii) are not commercially reasonable, terminate the affected Order Form and refund a pro-rata portion of prepaid Fees for the unused period. This §9.1, together with §9.1-bis, sets out SINAURA's entire liability and the Customer's sole and exclusive remedy with respect to any infringement or misappropriation of intellectual property rights, subject to mandatory provisions of law.

9.1-bis — AI Output indemnity. Subject to the same conditions and limitations as §9.1, SINAURA shall defend and indemnify the Customer against any third-party claim alleging that an Output generated by an Agent through normal operation of the Platform (and without modification or use by the Customer beyond ordinary, intended use as described in the Documentation) infringes a valid copyright, trademark, patent or trade secret right within the territorial scope of §9.1(a)-(c), provided that: (i) the Customer has implemented the safety, filtering and human-review settings recommended by SINAURA in the Documentation and the AI Act Annex; (ii) the alleged infringement does not derive from Customer Data or Inputs supplied by the Customer; (iii) the Output has not been further modified by the Customer in a way that introduces the infringement; and (iv) the Customer has not disregarded a clear warning or labelling issued by the Platform under Art. 50 AI Act.

9.2 — Exclusions. SINAURA shall have no obligation under §9.1 or §9.1-bis with respect to any IP Claim to the extent arising from or related to: (i) modifications made to the Platform by anyone other than SINAURA or its authorised representatives; (ii) the Customer's use of the Platform in violation of this Agreement or the Documentation; (iii) the Customer's Equipment, Customer Data, Customer Systems or any Inputs that caused the claim to arise; (iv) continued use of the Platform after SINAURA has provided the Customer with a non-infringing alternative or modification; or (v) combination of the Platform with products, services or content not supplied or authorised by SINAURA.

9.3 — Customer indemnity. The Customer shall defend, indemnify and hold harmless SINAURA and its Affiliates, officers, directors, employees and agents from and against any third-party claim, action or proceeding arising from or related to: (i) the Customer's use of the Services not in compliance with this Agreement, the Documentation or applicable laws; (ii) any allegation that Customer Data or Inputs (or Outputs to the extent integrated by the Customer into its own products or services in a manner that introduces the infringement) infringe or misappropriate any third party's intellectual property rights or violate any applicable law; (iii) the Customer's failure to comply with transparency obligations under Art. 50 AI Act in respect of Outputs integrated into its products or services; (iv) the Customer's failure to comply with the obligations of deployer under Art. 26 and Annex III AI Act, or with the obligations of provider where the Customer has triggered Art. 25 AI Act (substantial modification) as set forth in §2.2-bis.

9.4 — Conditions to indemnification. The indemnification obligations are conditioned upon the indemnified Party: (i) promptly notifying the indemnifying Party in writing of any claim for which indemnification is sought, in any case within fifteen (15) business days from receipt of formal notification (provided that any delay in notification shall not relieve the indemnifying Party of its obligations except to the extent materially prejudiced by such delay); (ii) granting the indemnifying Party sole control over the defence and settlement of such claim, provided that the indemnifying Party may not settle any claim without the indemnified Party's prior written consent if such settlement imposes any obligation on, or includes any admission of liability by, the indemnified Party; (iii) providing reasonable cooperation and assistance to the indemnifying Party in the defence of such claim, at the indemnifying Party's expense. The indemnified Party shall have the right to participate in the defence with counsel of its own choosing at its own expense.

10 · JURISDICTION, DISPUTE RESOLUTION AND GOVERNING LAW

10.1 — Default rule. The governing law and venue applicable to this Agreement are those set out in Art. 17 of the ToS (Governing Law, Mediation and Jurisdiction), which is incorporated by reference and depends on the region in which the Customer is headquartered at the time of acceptance of these Terms.

10.2 — Regional regimes. In summary:

• Americas Region (North, Central and South America) — laws of the State of New York, USA; exclusive jurisdiction of the federal and state courts located in the Borough of Manhattan, New York County, NY, USA. The Parties acknowledge that the validity and enforceability of any jury-trial waiver shall be determined under applicable U.S. state law; where such waiver is not enforceable in the relevant jurisdiction, the Parties shall instead resolve disputes through arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, with a single arbitrator and seat in New York, NY.
• APAC Region (East Asia, South-East Asia, South Asia, Oceania) — laws of the Republic of Singapore; arbitration administered by the Singapore International Arbitration Centre (SIAC) under the SIAC Rules, with proceedings in English and seat in Singapore. The tribunal shall consist of a sole arbitrator for disputes with an aggregate amount in controversy below EUR 1,000,000 and of three (3) arbitrators (one nominated by each Party and the presiding arbitrator nominated by the two co-arbitrators or, failing agreement, by SIAC) for disputes above that threshold.
• EMEA Region and Rest of World — laws of the Italian Republic, supplemented by relevant European Union law; pre-judicial mediation under D.Lgs. 28/2010 before the Mediation Body of the Milan Chamber of Commerce; exclusive jurisdiction of the Court of Milan over disputes not settled through mediation.

10.3 — General. The Order Form may specify the applicable region. The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to this Agreement. Nothing in this Section limits the right of either Party to enforce a judgment or arbitral award rendered under the applicable regional regime before any court of competent jurisdiction worldwide, nor the right of either Party to seek interim or injunctive relief before any court of competent jurisdiction.

11 · MISCELLANEOUS

11.1 — Amendments. SINAURA may update this Agreement from time to time. Non-material editorial or administrative updates may be made unilaterally and become effective upon publication. SINAURA will provide the Customer with prior written notice of any material change at least thirty (30) days in advance, and any such material change will become effective on the date stated in the notice only if the Customer continues to use the Services after such date. Material changes that adversely affect the Customer's rights or obligations require the Parties' mutual written agreement, save where the change is required by law, regulation or to address an imminent security risk. Where SINAURA invokes the legal/security exception, the Customer shall be entitled to terminate the affected Order Form without penalty within thirty (30) days from the effective date of the change and to obtain a pro-rata refund of prepaid Fees.

11.2 — Independent contractors. Each Party is acting as an independent contractor under this Agreement. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, fiduciary, franchise or employment relationship between the Parties, and neither Party has authority to bind or commit the other in any respect.

11.3 — Entire agreement. This Agreement, including the documents referenced in §11.10, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, representations or communications, whether written or oral, relating to such subject matter. Statements or comments made between the Customer and any SINAURA employee or representative are expressly excluded from this Agreement absent a separate written agreement.

11.4 — Assignment. Neither Party may assign or transfer this Agreement, in whole or in part, without providing prior written notice to the other Party; provided, however, that either Party may assign this Agreement without the other Party's consent to (i) an Affiliate, or (ii) a successor in connection with a merger, acquisition, corporate reorganisation or sale of all or substantially all of its stock or assets, in each case provided that the assignee assumes the same obligations and that the assignment does not result in a material adverse change in the financial or operational capacity of the assignee to perform. Where SINAURA subcontracts any of its obligations to a third party, SINAURA remains responsible for the acts and omissions of such third party. Sub-processing of personal data is governed by §5 of the DPA. Sub-outsourcing of ICT services to financial-entity Customers is additionally governed by Art. 30 DORA and the DORA Addendum.

11.5 — Force majeure. Neither Party shall be deemed to be in default of any provision of this Agreement, nor liable for failure or delay in performance of its obligations (excluding payment obligations), resulting from acts or events beyond the reasonable control of such Party, including acts of God, natural disasters, civil or military authority, acts or threats of terrorism, civil disturbance, war, riot, fires, floods, infectious disease and acts of government (each a "Force Majeure Event"). For the avoidance of doubt, the following events shall not constitute Force Majeure: (a) cyber-attacks, ransomware, denial-of-service or other security incidents affecting SINAURA, its Sub-processors or its ICT supply chain, except where the event qualifies as an act of war or state-sponsored attack expressly recognised as such by EU or competent national authorities and the affected Party has implemented and maintained the risk management, business continuity and incident response measures required under NIS2 and DORA where applicable; (b) ordinary unavailability of cloud infrastructure providers chosen by SINAURA, the management of which falls within SINAURA's risk-management duties under NIS2 and, where applicable, DORA; (c) strike or labour disputes related to the affected Party's own workforce; (d) failures of Equipment or Customer Systems chosen by the Customer. The affected Party shall use reasonable efforts to mitigate the impact and resume performance as soon as the Force Majeure Event ceases. A Force Majeure Event lasting more than thirty (30) days entitles either Party to terminate the affected Order Form upon written notice, with pro-rata refund of prepaid Fees attributable to the period of unavailability.

11.6 — Waiver. No provision of this Agreement shall be deemed waived, and no breach shall be deemed excused, unless such waiver or consent is in writing and signed by the Party claimed to have waived or consented. No consent by either Party to, or waiver of, a breach by the other, whether express or implied, shall constitute consent to, waiver of, or excuse for any different or subsequent breach.

11.7 — Severability. Should any provision of this Agreement be determined to be invalid, unlawful or unenforceable, the validity, legality and enforceability of the remaining provisions shall not be affected and will remain in full force and effect. The Parties shall replace any invalid clause with a valid one that most closely reflects the original economic intent.

11.8 — Export controls and sanctions. Each Party is responsible for its compliance with applicable export controls, economic sanctions and trade compliance laws, including those of the European Union (Reg. (EU) 2021/821), the United States (including the Export Administration Regulations — 15 CFR Parts 730-774 — and OFAC sanctions programmes) and, where applicable, of any other jurisdiction. The Customer represents, covenants and warrants that it is not located in, organised under the laws of, or controlled by any country or territory subject to comprehensive sanctions or embargoes (including, as of the Effective Date: Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk and Luhansk regions of Ukraine), that such Customer is not listed on any government denied-party, restricted-party or sanctions list, and that it will comply fully with all applicable export laws and regulations and anti-corruption laws (Italian D.Lgs. 231/2001, UK Bribery Act, where applicable U.S. FCPA). The Parties acknowledge that the use of certain Third-Party Systems (in particular U.S.-origin foundation models) may trigger U.S. export control jurisdiction over the underlying technology; the Customer shall not use the Services for any prohibited end-use or by any prohibited end-user. The above warranties are deemed repeated at each Subscription renewal. SINAURA may suspend or terminate the Subscription with immediate effect if the use of the Services would place SINAURA in breach of applicable export-control or sanctions regulations.

11.9 — Notices. All notices and other communications under this Agreement must be in writing and delivered: (a) to the Customer at the email address or postal address provided at the time of entering into this Agreement, otherwise associated with the Customer Account, or via an in-product notification; and (b) to SINAURA via certified email at sinaurasrl@legalmail.it (PEC), or at the registered office in Viale Luigi Majno n. 7, 20122 Milan, Italy, with copy to info@sinauragroup.com and labelled "Attention: Legal". For Customers not established in Italy, where service via PEC is not technically available, notices to SINAURA may equally be served by internationally tracked courier (DHL, FedEx, UPS) with proof of delivery, at the registered office above, and by simultaneous email to info@sinauragroup.com. Notices sent via PEC are deemed received on the date of the delivery receipt; notices sent via registered mail or international courier are deemed received five (5) business days after dispatch; notices via ordinary email are deemed received on the next business day, provided that delivery is technically successful.

11.10 — Order of precedence. In the event of any conflict or inconsistency between the terms of the documents comprising the Agreement, the following order of precedence applies: (i) the Order Form shall prevail with respect to commercial terms and special conditions specifically negotiated; (ii) the DPA shall prevail with respect to matters subject to data-protection or personal-data processing regulations; (iii) the DORA Addendum shall prevail solely to the extent the Customer is a financial entity as defined under Art. 2(1) of Reg. (EU) 2022/2554 (DORA); (iv) the EU Data Act Addendum applies as additional contractual provisions solely when the Parties are governed by the Data Act; (v) the AI Act Annex applies as additional contractual provisions on AI-Act-specific matters; (vi) this MSA shall prevail over the ToS in case of conflict between B2B commercial provisions; (vii) the ToS shall prevail over the AUP and the SLA on substantive matters; (viii) the AUP and the SLA are additional obligations and requirements that supplement the MSA and the ToS but do not override their terms; (ix) the Privacy Policy applies to processing of personal data of website visitors and registered users in accordance with the GDPR. In the event of a conflict between the DPA and the DORA Addendum, the DORA Addendum shall prevail solely with respect to obligations specifically arising under DORA; otherwise the DPA shall prevail.

11.11 — No third-party beneficiaries. There are no third-party beneficiaries to this Agreement. No person other than the Parties (and their permitted assignees) shall have any rights under this Agreement, save for those rights which cannot be excluded by mandatory law (including data subjects' rights under the GDPR, which are addressed in the DPA).

11.12 — Insurance. SINAURA maintains professional liability and cyber insurance with reputable carriers, with minimum aggregate annual coverage of EUR 5,000,000 per policy, or such higher amount as may be specified in the Order Form for safety-critical or high-volume deployments. Certificates of insurance are made available upon reasonable Customer request, under confidentiality.

11.13 — Marketing reference. Neither Party may use the other Party's name, logos or marks in marketing materials, websites, social-media accounts or public statements without the other Party's prior written approval in each case (email sufficient), save as expressly authorised in the Order Form. Any such approval may be withdrawn at any time by written notice with thirty (30) days' prospective effect; existing materials in circulation shall be updated or removed within a reasonable time.

11.14 — Language. This MSA is drafted in English. Where a translation is provided for the Customer's convenience, the English version prevails in case of discrepancy.

11.15 — Counterparts and electronic signature. This Agreement and any Order Form may be executed in counterparts (including by electronic signature compliant with Reg. (EU) 910/2014 — eIDAS), each of which is deemed an original, and all of which together constitute one and the same instrument.

12 · DEFINITIONS

13 · APPLICABLE ADDENDA AND EXHIBITS

The following documents are incorporated by reference into this Agreement and form an integral part of it:

14 · CONTACTING SINAURA

Should the Customer have any questions, comments or feedback regarding this MSA or the Services, SINAURA may be reached at:

© 2026 SINAURA S.R.L. · AriaPLT™ and Sinaura™ are registered trademarks of SINAURA S.R.L · Version 1.2 · Last updated: 16 May 2026