Terms & Conditions UK

CONNECT FLEET - GENERAL TERMS AND CONDITIONS OF SALE AND SERVICE Version dated December 2nd, 2025

1. BACKGROUND

These General Terms and Conditions of Sale and Services (hereinafter the "T&Cs" or the "Agreement") govern the sales and/or provision of services Connect Fleet (the “Services”) concluded between the company Mobilisights S.p.A., whose head office is located at TORINO (TO) VIA PLAVA 86, CAP 10135 Italy registered under number 10342750014 (hereinafter, "Mobilisights" or the "Service Provider") and its clients (hereinafter, the "Customer") defined as being the recipients of the services provided by Mobilisights (the "Services"), unless otherwise agreed in a specific agreement or contract signed between the Parties (the "Parties").

The T&Cs form an indivisible whole. They are applicable in the Netherlands and in the countries in which the equipped vehicles are used. Any tolerance on the part of Mobilisights in the event of non compliance with one or more provisions of these T&Cs shall not be construed as a waiver of their application. Any general conditions of purchase of the Customer shall not apply.

The T&Cs define the terms and conditions under which Mobilisights provides the Customer with all or any of the following services:

- Provision of Embedded Devices;

- Installation of Embedded Devices on the Customer's vehicles;

- Provision of a connected platform and data processing services, including reports; - Training services;

- Customer support;

- such other services as the Parties may agree as set out in an Order, and as may otherwise be agreed in writing.

The various services selected by the Customer are listed in the Order Form. By signing each Order Form and/or quotation, the Customer declares that he accepts these General Terms and Conditions without reservation. Any other terms and conditions shall only be binding on Mobilisights if confirmed in writing by Mobilisights.

The information contained in this document may be changed by Mobilisights without prior notice. In this case, the new conditions will only apply to orders placed after they come into force.

2. DEFINITIONS

The terms used in this document, whether in the singular or plural, have the meanings given below. “Business Day” means any day that is not a Saturday, Sunday or a public holiday in the Netherlands;

“Embedded Device”: means the hardware device (GSM and GPS telematics box) embedded in the Customer’s vehicle as described in the Order, together with its ancillary equipment: cable sets, readers and transceivers, probes, etc. The embedded unit can be original ('original equipment') or installed after the vehicle has been manufactured ('aftermarket'). The aftermarket unit supplied by Mobilisights is called the GP8000 or GP8500.“Data”: means the telematics data gathered by Mobilisights via the Embedded Device and stored on the Software Platform for the Customer’s needs;

“Confidential Information” means this Agreement and all information in any form or medium that is secret or otherwise not publicly available (either in its entirety or in part, including the configuration or assembly of its components) including accounts, business plans, business methods, strategies and financial forecasts, tax records, correspondence, designs, drawings, manuals, specifications, customer sales or supplier information, technical or commercial expertise, software, formulae, processes, methods, knowledge, know-how, trade secrets and other information in any form or medium whether disclosed orally or in writing before or after the Commencement Date together with any copies, summaries, reproductions or extracts of such information clearly designated by a party as being confidential or which can reasonably be considered confidential;

“Order” means the Customer's order for Services as set out in a form and/or a quote;

“Software Platform”: A mobility and fleet management solution that collects and aggregates data from the devices in the customer's vehicles (geolocation, speed, mileage, dashboard alerts, driver identification) and potentially sends commands (lock, unlock, enable or disable engine start). It enables the customer to provide mobility services such as fleet management, remote tracking of stolen vehicles, remote immobilisation, car sharing and digital rental.

A reference to a statute or statutory provision is a reference to it as amended or re-enacted. A reference to a statute or statutory provision includes all subordinate legislation made under that statute or statutory provision.

Any words following the terms including, include, in particular, for example or any similar expression, shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

Words expressed in the singular shall include the plural and vice versa.

References to a person include an individual, company, body corporate, corporation, unincorporated association, firm, partnership, joint venture, government, state or agency of state.

A reference to writing or written includes email.

3. ORDERS

The Customer orders the Services from Mobilisights by signing an Order Form or a quotation.

Orders are firm and final and cannot be cancelled or amended without the prior written consent of Mobilisights. Unless it can be shown that the cancellation is the fault of Mobilisights, any deposits paid will be retained by Mobilisights as compensation for early termination.

Delivery, installation and activation times of the Embedded Devices are given for guidance only and may vary according to region, availability of supplies or availability of technicians. Any delays may

not give rise to compensation, refusal of goods or cancellation of the order, unless the Customer demonstrates that the Service Provider is at fault.

Mobilisights undertakes to inform the Customer of any temporary or permanent unavailability of the Embedded Devices, such unavailability rendering any delivery deadline null and void.

Mobilisights reserves the right to suspend its deliveries in the event of any event likely to reduce the Customer's apparent solvency.

4. PROVISION OF EMBEDDED DEVICES

For the purpose of using the Software Platform, Mobilisights may supply the Customer with Embedded Devices under the financial conditions defined in the Order Form and/or the quote.

Mobilisights assumes the risks associated with the delivery of the Embedded Devices up to the point of delivery to the Customer's designated location for a territory as defined in the Order Form. The Embedded Devices shall be transported at the expense and under the responsibility of Mobilisights. Mobilisights shall be responsible for selecting the carrier and taking out the necessary insurance. The Parties expressly agree that the transfer of risk in respect of the Embedded Devices shall take place upon delivery of the Embedded Devices to the aforementioned location and upon complete unloading.

For territories outside the European Union, an amendment to these terms and conditions will be drawn up.

Upon delivery, the Embedded Devices must be accepted by the Customer within 5 working days. Failure to do so shall constitute acceptance of the Embedded Devices by the Customer. Acceptance by the Customer implies full payment of the Embedded Devices to the Service Provider.

It is agreed that ownership to each Embedded Device shall be individualised and that transfer of title shall take place upon payment of the full price. Notwithstanding the foregoing, the Parties agree that upon delivery of the Embedded Device, Mobilisights shall grant the Customer a licence to use the Embedded Device for the purposes of the Customer's project. In the event of payment by instalments, the Customer shall acquire ownership of the Embedded Device in question by instalments with each payment until full payment of the Price, which shall trigger the full and final transfer of ownership of the Embedded Device to the Customer.

Mobilisights undertakes to guarantee the Embedded Devices for a period of thirty-six months (36 months) from the date of delivery and, in this respect, undertakes to diagnose any malfunction reported by the Customer to the Service Provider and to implement the necessary means to correct or circumvent any malfunction so diagnosed, including:

- Replacement of non-functioning onboard equipment (or spare parts, if required); - Correcting and/or remotely providing patches and new versions of on-board software.

This warranty is strictly limited to the repair or replacement of defective or non-conforming Embedded Device, to the exclusion of any compensation.

All returns of Embedded Devices must be formally agreed between Mobilisights and the Customer. Any return accepted by Mobilisights will result in a credit note being issued in favour of the Customer, which credit note shall in no way constitute acceptance by Mobilisights of any penalty or damages.

5. INSTALLATION OF EMBEDDED DEVICES

The installation and removal of Embedded Devices on the Customer's vehicles may be carried out by Mobilisights or its subcontractor, or directly by the Customer or its subcontractor.

In all cases, Mobilisights will provide the Customer with the documentation necessary for the proper installation and/or removal of the Embedded Devices (the "Documentation") and may provide the necessary training to the Customer's personnel under the financial conditions agreed in the Order Forms. The list of supported vehicles will be made available to the Customer upon request.

For each installation or removal ordered from the Service Provider, the Parties will agree on the dates, places and times of the installations. The Customer must provide the Service Provider with the following information at least ten (10) working days prior to the installation or removal of the equipment: number of vehicles, vehicle identification numbers (VIN), registration numbers, location, on-site contact and availability dates.

The Customer must place the vehicles to be installed or uninstalled at the disposal of the Service Provider in a working area suitable for electrical installation work on vehicles and covered by the mobile phone network. In all cases, Mobilisights will be accompanied by a member of the Customer's staff during each intervention.

Mobilisights will make all the necessary settings and connections to get the Embedded Devices up and running and connected to the Software Platform. Once these operations have been completed, the Parties will sign an installation report.

Installation and uninstallation procedures and related information are considered confidential information and are the property of Mobilisights.

The in-car devices provided by Mobilisights may collect:

- Operational data enabling the Service Provider to improve the quality of its products and services;

- Technical data enabling the Service Provider to maintain the embedded device in working order.

This technical information may be shared with a Mobilisights subcontractor or partner. It does not contain any personal information.

In the event that the Customer or one of its subcontractors installs or uninstalls the Embedded Devices, Mobilisights shall under no circumstances be held liable, in particular in the event of damage to the Embedded Devices or in the event of installation or uninstallation not in accordance with the instructions and/or documentation.

6. PROVISION OF THE SOFTWARE PLATFORM

Mobilisights undertakes to provide the Customer with the Software Platform enabling the Customer to access via the Internet the telematics data of the Customer's vehicles supplied by the Embedded Devices and received and processed by the Service Provider's servers, or to interact remotely with the Customer's vehicles.

The Customer is clearly informed that the quality and speed of the transmission of information on the server is directly dependent on the choice of Internet transmission mode (for example, ADSL mode).

The Customer shall not hold the Service Provider responsible for any failure to locate and/or communicate with the Vehicle(s), in particular in the following cases:

- When the Customer's vehicle is located in a geographical area not covered by the networks of the Service Provider's telecommunications operator partners;

- When the Vehicle is located in a place that does not allow the reception of the satellite signal, GSM and/or GPS waves, in particular an underground car park, a closed environment made of metal or materials that are impervious to radio waves, etc. ;

- When the telephone and/or GPS networks are interrupted or down, or when it is difficult to connect to a satellite;

- In the presence of a strong electric field or wave jamming system near the vehicle; - If the equipment is destroyed following an accident to the vehicle;

- Abnormal deterioration of the equipment due to abnormal use by the customer's staff or employees;

- In the event of the system being neutralised by acts of vandalism.

Mobilisights shall not be held liable in the event of interruption of the Services due to decisions by public authorities, or directly or indirectly due to malfunctions relating to communication networks independent of the Service Provider on which the performance of the Services essentially depends, or due to an act of God or force majeure.

Specific conditions for access to telematics data for vehicles equipped with native devices:

Access to telematics data for vehicles equipped with native devices is subject to the manufacturer of each vehicle and any associated software updates performed by the manufacturer or to be performed by the Customer. However, Mobilisights will take all necessary steps to ensure that the manufacturer allows access to the Telematics Data and will inform the Customer of any difficulties encountered with the Manufacturer and of any recommendations made by the manufacturer. The Customer also undertakes to contact the manufacturer directly in the event of any difficulties.

In the event that the manufacturer does not provide the data for a vehicle, Mobilisights will postpone the start of the invoicing of the services for the vehicle in question until the data is provided, for a maximum of 3 (three) months beyond the invoicing conditions stipulated in the order form.

The Customer is informed that the quality of the data processed by the Software Platform depends on the availability and content of the data transmitted by the vehicle manufacturer. Consequently, Mobilisights cannot be held responsible for any lack of quality or temporary unavailability of the data transmitted by the vehicle manufacturer.

Mobilisights will inform the Customer of any difficulties and send the necessary information to the vehicle manufacturer. Mobilisights will keep the Customer regularly informed of the resolution of any difficulties by the manufacturer. Mobilisights can in no way be held responsible for the quality of the data or the temporary absence of data transmitted by the manufacturer, which does not entitle the Customer to any reimbursement.

7. TRAINING

Mobilisights undertakes to provide the Customer with training in the use of the Services selected by the Customer. Training dates will be proposed to the Customer, who undertakes to confirm one of these dates in writing on the same day. The Customer may order additional training sessions for a fee.

8. CUSTOMER SUPPORT

Mobilisights shall provide to the Customer a technical assistant service available via email or by phone, between the hours of 9am to 5pm on Business Days.

In the event that the Customer is unable to access the Services, the Customer shall promptly notify Mobilisights in accordance with paragraph above. The Customer shall provide Mobilisights details of the issue and all the information necessary to the resolution of the problem.

The Customer shall provide Mobilisights with access to all materials and all documents reasonably required by Mobilisights to resolve the Customer’s issue, such as the circumstances that triggered the problem, whether it recurs, its consequences, etc.

This support is limited to the Customer's administrators. Mobilisights will not provide any support to the Customer's end users or end customers.

The Customer will designate one or more key persons or representatives, duly identified, who have the necessary competence, power and authority to use the Platform. These persons will be the only ones authorised to contact the Service Provider's technical team for any questions, requests for assistance or reports of faults relating to the Service.

9. TERM

Orders are placed for a fixed and irrevocable period of time as specified in the order form and/or offer. The commitment period is specific to each of the vehicles covered by the order and begins when they are activated.

Mobilisights may accept early termination of the Service provided that a new Order is placed for an equivalent number of vehicles to replace the previous Order (particularly in the case of vehicle replacement). If this is not the case, the Customer must pay the outstanding balance of the cancelled order before the end of the agreed commitment period.

At the end of the initial commitment period chosen by the Customer, as defined in the Order Form and/or the quote, and if the Customer has not opted for renewal by subscribing to a new Order for the same purpose or has not terminated the Agreement by giving three months' notice, the Customer's commitment shall be tacitly renewed for a further period of 24 (twenty-four) months.

In all cases, either party may terminate the Agreement at the end of any period (initial or renewal) by giving three months' notice by registered letter with acknowledgement of receipt. In the event of premature termination, the Customer will be required to pay the amounts that would have been due at the end of the commitment period.

10. PRICE AND PAYMENT

The Services are provided at the rates indicated in the price list on the order form and, where applicable, in the commercial proposal sent to the Customer. Prices are non-refundable and are quoted exclusively of VAT.

The fees payable by the Customer to Mobilisights for the Service shall be payable in Euros (as specified in the relevant Order) and is exclusive of all value added tax which shall be added to the Customer’s invoice at the applicable rate.

Embedded equipment and installation services are invoiced at the rate in force on the day the order is placed. Services are invoiced at the rate in force at the end of the month.

Invoices are payable in arrears within 30 (thirty) days of receipt by bank transfer.

In the event of late payment, Mobilisights will be liable to the Customer for a lump sum of €40.00 for collection costs and interest on arrears at a rate equal to three times the legal interest rate in force from the due date of the invoice, without any formalities or prior notice, without prejudice to any other action that Mobilisights may take against the Customer.

In the event that the Customer fails to pay the sums due, Mobilisights reserves the right to assign all or part of its claims to a third party, following formal notification with acknowledgement of receipt. The assignment shall take effect upon notification to the Customer, who may not object to the assignment. From the date of receipt of the notification by the Customer, the latter shall make all payments directly to the assignee. The Customer will be released from all obligations to Mobilisights as of that date.

Mobilisights shall not be obliged to provide the Services if the Customer fails to pay the Price in accordance with the terms and conditions set out in the Agreement and/or the Order Form. In the event that the Customer fails to comply with the payment terms and deadlines, Mobilisights also reserves the right to suspend the performance of all of its Services for current Agreements and Orders.

The prices agreed in the Order and/or the Offer may be changed at any time subject to thirty (30) days' notice. During this period of notice, the Customer shall have the option of terminating the Agreement in the event of disagreement.

In the event of renewal of an Order, Mobilisights may increase the price of the Service and/or access to the Software Platform by giving thirty (30) days' notice to the Customer, such increase taking effect at the end of the initial or renewal term.

11. OBLIGATIONS AND LIABILITY OF MOBILISIGHTS

Mobilisights undertakes to take all reasonable care in the performance of the Services, subject to a duty of care.

Mobilisights is liable to the Customer for the performance of its obligations under these T&Cs and consequently undertakes to compensate the Customer for any direct damage caused by the non performance of its obligations up to the amount of the sums actually paid by the Customer during the last 3 (three) months prior to the occurrence of the event giving rise to its liability.

Mobilisights cannot be held liable for indirect damage, such as loss of profits, business, revenue, turnover, customers, business opportunities, savings, costs of replacing software, services or technologies other than those provided under this agreement, loss of data or loss of use, even if the Customer has been duly informed of the possibility of such damage. The Service Provider is not responsible or liable for the accidental destruction of data by the Customer or any third party accessing the Service and/or the Software Platform. The Service Provider is not responsible for the implementation of IT security measures (antivirus, firewall, etc.) necessary to protect the Customer's media or its users and the consequences thereof.

Furthermore, the Customer is solely and entirely responsible for the use of the Service, to the exclusion of any liability on the part of the Service Provider. The Service Provider shall not be liable for any damage resulting from the data transmitted or integrated into the functionalities of the Software Platform. In this respect, the Customer acknowledges that he is aware that the use of data accessible on the Internet may be regulated in terms of use or protected by intellectual property rights.

The Service Provider may not be held liable by a Customer who, at the time of the event giving rise to his claim or action, is not up to date with the regular payment of his fees or monthly instalments.

Any action for damages must be brought within twelve (12) months of becoming aware of the harmful event.

12. CUSTOMER OBLIGATIONS

The Customer is expressly informed that the correct operation of the Embedded Device presupposes full compliance with the obligations incumbent on the Customer, without which the correct operation of the Device cannot be guaranteed, nor the transmission of information to the Software Platform prior to processing.

In addition to its obligation to comply with all the general and specific clauses of the Agreement, the Customer undertakes, in particular, to comply with the following obligations:

- Use the Embedded Devices and the Software Platform in accordance with their intended purpose and with the documentation, any other use, whether illegal or not, remaining the sole and entire responsibility of the Customer,

- Carry out maintenance or inspection operations as provided for in the Agreement or as requested by Mobilisights and/or the manufacturer.

- Maintain the equipment installed in the vehicles as installed by the manufacturer or its authorised installers, without altering its location or environment;

- Ensure the protection of the unique and personal password(s) provided to the Customer, which must be kept secret;

- Not to distribute the access codes to anyone without the express prior written authorisation of the Service Provider;

- Immediately notify Mobilisights of any loss or theft of the access codes and confirm this by registered letter with acknowledgement of receipt;

- Ensure that its information systems are protected against any malicious act or computer virus; - Not to attempt to access, directly or indirectly, the source code of the Software Platform;

- Refrain from attempting to access, directly or indirectly, the maintenance or repair of the Embedded Devices without the prior consent of the Service Provider.

- Failure by the Customer to comply with its obligations may give rise to liability under the Agreement.

The Customer is solely responsible for any damage caused by the equipped vehicles in relation to its customers and third Parties in the course of its business. Consequently, the Customer expressly indemnifies Mobilisights against all claims by third Parties.

The provision of Services by Mobilisights to the Customer requires active and regular cooperation between the Parties. Consequently, the Customer undertakes to:

- Provide Mobilisights with all information it deems necessary and useful for the provision of the Services;

- Provide Mobilisights with full access to all information it deems necessary and useful for the provision of the Services;

- To put Mobilisights in contact with all the people in the company that it deems useful and to designate from among them a person in charge capable of answering the questions asked and accepting the solutions proposed by Mobilisights. This person, identified as the contact person for Mobilisights, will be authorised to provide the Service Provider, on behalf of the Customer, with all the information and assistance necessary for the performance of the Agreement. In the event of the failure of the designated contact person, the Customer must provide a replacement as soon as possible;

- Bear in mind that Mobilisights does not have detailed knowledge of the Customer's professional activities. In this respect, any ambiguity or inaccuracy must be explained by the Customer as soon as it becomes aware of it. In particular, the Customer must provide Mobilisights with all useful explanations and information about the Services and their environment. The Customer shall instruct its staff to cooperate with Mobilisights;

- To comply strictly with the instructions for the use of the Software Platform and hardware (Embedded Devices);

- to ensure that its employees and collaborators who use the Software Platform have a sufficient level of knowledge and skills to use it in accordance with the documentation; if necessary, to provide, at its own expense, specific training corresponding to the Software Platform.

Mobilisights shall be released from its obligation to perform the Agreement for as long as the Customer fails to comply with its obligations to cooperate. Mobilisights may not be held liable, for any reason whatsoever, for any disruption caused by the failure to comply with these obligations.

The Customer waives the right to hold the Service Provider liable for any damage to the database, computer memory or other documents, materials or programs that the Customer may have entrusted to the Service Provider in connection with the work to be performed by the Service Provider. The same shall apply to the resumption of activities following an intervention by the Service Provider.

To this end, the Customer shall protect itself against such risks by making a duplicate of all documents, files and data carriers and by taking the necessary steps when the work is resumed.

13. THEFT, LOSS OR DAMAGE TO THE EMBEDDED DEVICES OR THE VEHICLE

Under no circumstances, even in the event of an accident or claim, may the Customer terminate the Agreement as a result of the theft, loss or damage of the Embedded Device necessary for the provision of the Services.

In the event of the theft of the vehicle equipped with the Embedded Device, Mobilisights is only obliged to provide the Customer with information on the location of the vehicle, without this obligation extending to the physical recovery of the said vehicle or to ensuring that it is protected against acts of vandalism or deterioration, whatever the cause.

14. INTELLECTUAL PROPERTY

The Customer acknowledges and agrees that Mobilisights and/or its licensors own all intellectual property rights in the Services and all related Documentation. Except as expressly stated herein, this Agreement does not grant the Customer any rights to, under or in, any patents, copyright, database right, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Services, the Software Platform or the related documentation.

Unless otherwise specified in these TCS, Mobilisights does not grant the Customer any rights with respect to the aforementioned elements. Any use of the Software Platform not in accordance with the terms of the Agreement constitutes an infringement of the Service Provider's intellectual property rights.

For the duration of the Agreement and subject to proper payment by the Customer, Mobilisights grants the Customer a non-exclusive and non-transferable right to access and use the Software Platform and any extracts or reports provided by the Service Provider as part of the Service or generated by the Service solely for the purposes set out above, without the right to sub-license. The Customer may authorise (the Customer's) fleet managers to use the Software Platform for the same purpose, provided that the Customer shall be responsible for their compliance with the terms of these T&C.

This right is exclusive of the granting of any other right and in no way implies the right to perform any act not expressly authorised, in particular the right to copy, translate, adapt, arrange or otherwise modify the Software Platform and/or its components. Consequently, under no circumstances does it

confer the right to sublicense, assign, transfer or make available the Software Platform to third Parties, whether free of charge or in return for payment, notwithstanding any legal provisions to the contrary.

The Customer shall acquire no title, interest, copyright or other proprietary right in or to the Software Platform and the Services, including the materials, content and information on the Service Provider's websites, whether or not they form part of the Software Platform and the Services, including but not limited to graphics, user and visual interfaces, images, software, applications and text, as well as the design, structure, selection, coordination, expression, appearance and organisation of the Software Platform and its content, its exclusive domain names, trademarks, service marks, logos and other distinctive signs.

The Customer undertakes not to:

- Decompile, disassemble, divide or otherwise reduce any part of the Service Provider's Proprietary Information to a form that can be understood by anyone;

- introduce computer viruses, worms, logic bombs or similar elements into the Service Provider's Proprietary Information, in particular by using the Service in any way, intentionally, recklessly or maliciously;

- access and/or use the Software Platform and the Service or the Service Provider's Proprietary Information for purposes other than those set out in the Agreement;

- Correct, or cause a third party to correct, any errors in the Software Platform without the prior written consent of the Service Provider;

- allow third Parties to use the Software Platform and the Service through distribution channels other than the Customer's own;

- adapt, modify, transform or arrange the Software Platform and the Service and the related documentation, except for additional configurations and/or specific developments that may be carried out in accordance with the related documentation.

- Any breach of any provision of the Agreement attributable to the Customer's customers shall be deemed a breach of the Agreement by the Customer.

Each party acknowledges that it is the owner of all rights and entitlements in respect of the hardware, equipment and software provided by it to the other party under the Agreement.

Each party indemnifies the other party against any disturbance, claim, loss of use and, in general, any action that may be brought against it by a third party on the basis of an intellectual property claim relating to the said hardware and software.

15. PERSONAL DATA PROTECTION

With regard to the processing of the Customer's personal data, the Parties acknowledge that the Customer is the data controller and that Mobilisights is the data processor and agree to comply with all the obligations of the European Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data (RGPD), Legislative Decree 101/2018,

Privacy Code (Legislative decree 196/2003) and all the other applicable regulations on data protection.

As data controller for processing the data of the users of the Software Platform and its customers, the Customer is responsible for informing the users or drivers of the vehicles of the presence of Embedded Devices inside the said vehicles and of its functionalities, including the collection of personal data, including geolocation data.

The Customer undertakes not to use the personal data to which it may have access through the Services for purposes other than those for which they were communicated.

The terms and conditions governing the processing of personal data by the Parties are set out in Appendix 1.

16. CONFIDENTIALITY

Each Party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party's Confidential Information shall not be deemed to include information that:

- is or becomes publicly known other than through any act or omission of the receiving party; - was in the other party's lawful possession before the disclosure;

- is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or

- is independently developed by the receiving party, which independent development can be shown by written evidence.

Subject to the paragraph below, each party shall hold the other's Confidential Information in confidence and not make the other's Confidential Information available to any third party or use the other's Confidential Information for any purpose other than the implementation of this Agreement.

Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.

A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 11.4, it takes into account the reasonable requests of the other party in relation to the content of such disclosure.

The Customer acknowledges that details of the Services, and the results of any performance tests of the Services, constitute the Confidential Information of Mobilisights.

17. FORCE MAJEURE

Mobilisights shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts,

events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of Mobilisights or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-Agreementors, provided that the Customer is notified of such an event and its expected duration.

The party who is aware of the event must immediately inform the other party of its inability to fulfil its obligations and must justify this to the other party. The suspension of obligations shall not, under any circumstances, give rise to any liability for non-performance of the obligation in question, nor shall it give rise to the payment of damages or penalties for delay.

However, as soon as the cause of the suspension of their mutual obligations has ceased to exist, the Parties shall make every effort to resume the normal performance of their contractual obligations as soon as possible. To this end, the party prevented from doing so shall notify the other party of the resumption of its obligation by any written means (e-mail, letter, registered letter).

It is expressly agreed that the Parties may terminate the Agreement automatically if the event defined as a suspension of obligations continues for more than 30 (thirty) days. However, this automatic termination can only take place 30 (thirty) days after formal notice has been sent by registered letter with acknowledgement of receipt or by any extrajudicial act stating the intention to apply this clause. The Agreement will then be terminated without the Parties having to pay any compensation.

18. TRADE REFERENCE

Subject to the Customer's prior written consent, the Customer may authorise the Service Provider to disclose, by way of commercial reference and to the Service Provider's prospects or customers, the Customer's name and logo and the fact that the Service Provider has provided the Customer with the Services.

Subject to the Service Provider's prior written consent, the Customer may disclose, as a trade reference, the Service Provider's name and logo and the fact that the Service Provider has provided the Customer with the Services.

19. ASSIGNMENT AND SUB-CONTRACTING

Mobilisights reserves the right to subcontract the provision of the Services. The Agreement and the Services may be transferred or assigned by Mobilisights to a third party, in particular to a company within its group or within the Stellantis group, subject to notification to the Customer.

The Customer shall not, without the prior written consent of Mobilisights, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.

20. SEVERANCE

If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

If any invalid, unenforceable or illegal provision would be valid, enforceable or legal or if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the Parties.

21. WAIVER

No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

22. APPLICABLE LAW AND JURISDICTION

This Agreement is governed by Italian law. Each party irrevocably agrees that the courts of Netherlands shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

23. TERMINATION

Any breach by the Customer of its contractual obligations shall entitle the Service Provider to terminate the Agreement ipso jure fifteen days after formal notice has been given by registered letter with acknowledgement of receipt and has remained without effect, in particular in the following cases:

- if the Customer fails to pay any amount due under the Agreement by the due date specified in the Agreement

- if the customer fails to fulfil any of his obligations.

Termination may also be declared in the event of the Customer's bankruptcy or liquidation.

In all cases, the Customer undertakes to pay the Service Provider, in addition to any sums due in respect of the Services provided under the Agreement, a termination indemnity equal to the balance, including tax, of the monthly instalments due on the date of termination, plus 10%.

24. DISMISSAL - TERMINATION OF THE SERVICE

In the event that one of the Parties ceases to operate or the Service Provider ceases to provide the Service, the Agreement shall be terminated ipso jure, without legal formalities and without prior notice, on the effective date of cessation of operation or provision of the Service.

The Party which ceases to operate or to provide the Service undertakes to notify the other Party in writing of its decision to cease to operate or to provide the Service, giving 14 (fourteen) days' notice. This notification must specify the effective date of the cessation of the activity.

In the event of cessation of Activity or provision of the Service, all Services provided by the Service Provider up to the effective date of cessation shall be invoiced and paid for in accordance with the terms and conditions set out in the Agreement.

Each of the Parties shall return to the other Party all goods, documents, information and data belonging to it within 30 (thirty) days of the effective date of the cessation of the activity or the provision of the Services.

The party ceasing its activities shall not be liable for any damage resulting from such cessation, except in the case of gross negligence or fraud.

Appendix 1 - data processing agreement (“DPA”)

1. DEFINITIONS

“Data Protection Laws” or “Applicable Laws”

all data protection laws and regulations, including the data protection laws and regulations of the European Union, the European Economic Area and their member states (the “GDPR”) applicable to the Processing under the Agreement as amended from time to time.

GDPR General Data Potection Regulation, European Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Data Controller the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

“Data Subject” the identified or identifiable person to whom Personal Data relates.

“Personal Data” the information relating to an identified or identifiable natural person under art. 4, c. 1, lett. 1.

“Physical,

Technical and Organizational Security

Measures”

those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

“Data Processing” any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal data breach”

the accidental or unlawfuldestruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, the Personal Data transmitted, stored, or otherwise processed as part of the Services.

“Services” the services supplied to or carried out by (or on behalf of) Mobilisights, pursuant to the Agreement;

“Sub-processor” a third party selected by the Data Processor and authorized by the Data Controller to process Personal Data in connection with provision of the Service.

2. DESCRIPTION OF PERSONAL DATA PROCESSING

The subject matter of the Personal Data processing is described below:

Description Details

Subject-matter and purpose

Use of Mobilisights platforms and Services (offered via our websites and applications), including for the provision of Fleet management activities (including, but not limited to “ConnectFleet” services).

Processing

activities

Duration of the processing

Categories of personal data

Categories of data subjects

● Provision of the Mobilisights Group Platforms (including enabling the connection to our services, securing our platforms and delivering our services to you). See point 4.and 5.1. of the present Data Processing Agreement for more information

● Processing activities linked to the management, use and use optimisation of Fleets via the Mobilisights Platforms. See point 4. and 5.2. of the present Data Processing Agreement for more information

The duration of the Agreement and 2 months after in order to provide the Company the possibility to retrieve Personal Data

● Contact data (name, last name, email address) of the fleet manager, ● Log-In information (to access our platforms),

● VIN (Vehicle Identification Number),

● Date of the sale of the car and/or Date of the activation of the insurance of the car,

● Geolocation data,

● Technical data related to the car (including Speed cap, CAN BUS, sensors and accessory detectors, temperature, fuel level, status),

● Eco-Driving score,

● Statistical data related to the use of the fleet for optimisation purpose (including related to fuel consumption, refuelings, length of the trips and frequency),

● personal data collected via the cars (while using our Fleets) and via the use of the Mobilisights Platforms and Applications,

For more information on the personal data processed in the context of our Fleet management services, please refer to Annex 1 below.

Company’s employees, End-users, Drivers and any relevant Users as determined by the Controller

List of sub processor(s) and their location(s)

● Servers / Cloud data centers: Amazon Web Services Inc. Amazon Web Services EMEA SARL 38 avenue John F. Kennedy, L-1855 Luxembourg (IRL/ GER)

● Data base: MongoDB MongoDB Limited Building Two, Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland (IRL)

In addition and in the context of the Services, the Data Processor may have the need to engage with additional third Parties. More information can be found in Annex 2 below.

3. ROLES OF THE PARTIES

3.1. Provision of the Fleet management Services and related activities: For processing activities linked to the performance of fleet management Services (including White label platforms) provided by the Mobilisights Group, Mobilisights acts as a Data Processor as per Art. 28 GDPR, and the Customer acts as the Controller.

3.2. In addition to 3.1., the Parties agree to the following role attribution:

Processing activities Mobilisights Customer

Data Collection: via Mobilisights hardware (including via Telematik boxes) built in the cars/fleet

Data Storage: data collected via Mobilisights Hardware (incl. Metadata) or via other means

Data recording and matching: of the data collected via the Mobilisights Hardware to match the list of Individuals / Users as determined by the customer

Processor

(operational execution)

Processor

(operational execution)

Processor

(operational execution)

Controller

(Supervision)

Controller

(Supervision)

Controller

(Supervision)

Data Organisation: within the Mobilisights Fleet Management Platforms, including:

- Data modification or the modification of the organisation thereof within the Mobilisights fleet management Platforms

- Data retrieval within the Mobilisights fleet management Platforms

Data Retention: within the Mobilisights platforms and systems to comply with (i) contractual obligations and (ii) the relevant legal retention periods

Data Security: implementation of technical and organisational measures in relation to Mobilisights Hardware, systems, platforms and offices to safeguard personal data.

4. OBLIGATIONS OF THE PARTIES

Processor

(operational execution)

Controller

(operational execution)

Controller

(operational execution)

Controller

(Supervision)

(operational

execution)

Controller

(operational

execution)

Controller

(Supervision)

4.1. Obligations of Mobilisights: For processing activities related to the provision of Fleet management services (where Mobilisights acts as Processor as per Art. 28 GDPR), Mobilisights shall:

1) only process personal data in line with written and documented instructions from the Controller, including with regards to the transfer of personal data to a third country or to an international organisation and unless this is required by Applicable Laws. In such cases, Mobilisights shall inform the Controller of the relevant legal requirements, unless this is prohibited by law;

2) ensure that the Individuals authorised to process personal data on its behalf have committed themselves to confidentiality, or are bound by appropriate confidentiality obligations;

3) take all measures required (as per Art. 32 GDPR) to safeguard data. Notwithstanding with Art. 32 GDPR, Mobilisights may implement additional measures, provided that such modifications or updates do not result in lowering the level of protection offered;

4) respect the conditions found in this Agreement and related to the engagement of sub processors;

5) taking into account the nature of the processing, assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;

6) assists the Controller in ensuring compliance with its obligations taking into account the nature of processing and the information available to Mobilisights;

7) at the choice of the Controller, deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to fleet management, and deletes existing copies unless required to retain certain information for a specific period of time, as per any relevant retention obligations found in Applicable Laws;

8) makes available to the Controller all information necessary to demonstrate compliance with the obligations pertained in Applicable Laws, including Privacy Laws, and allow for and contribute to audits, including inspections, conducted by the Controller. Mobilisights shall immediately inform the Controller if, in its opinion, an instruction infringes any Applicable Laws.

9) Mobilisights shall immediately inform the Data Controller if it becomes aware of or suffers a Personal Data Breach in order to ensure that the Data Controller has the opportunity to notify the Supervisory Authority within the timeframes required by Applicable Laws.

4.2. Obligations of the Controller: The Customer acts as the Controller for the processing activities linked to the provision of Services of fleet management activities (including, but not limited to ConnectFleet services). The Controller acknowledges to be fully aware of its obligations under Applicable Laws, including the following:

1) The Controller shall warrant to Mobilisights that it is entitled to, and has obtained all necessary consents required to, use and transfer such Personal Data to Mobilisights as required for the Processor and its Sub-processor to provide the Services, in full compliance with applicable Data Protection Laws, including as needed, compliance to any prior required formalities and data subject rights, such as information and/or consent when such is required under applicable Data Protection Laws;

2) The Controller shall be solely responsible for (i) the accuracy, quality and legality of the Personal Data shared to the Processor and the means by which it acquired Personal Data, and for (ii) determining the purposes and the means of the Processor processing the Personal Data;

3) The Controller shall remain responsible for the completeness, the appropriation and the accuracy of the documented instructions.

Any changes to the instructions given or the security measures that are required by the Controller shall be borne by the Costumer.

4.3. Data Subject Rights: Mobilisights will provide support to enable the Controller to respond to any request by any individual exercising his or her right under the Applicable Laws, including the right to access, correct or retrieve Personal Data, request or complaint by any person or regulatory authority in connection with the processing of Personal Data.

Mobilisights will take into account the nature of the processing, the information available to Mobilisights, its competences and the costs of implementation for the fulfillment of the Controller’s obligation to respond to a Data Subject request. If such requests, correspondence, inquiries or

complaints go directly to Mobilisights the latter will promptly inform the Controller and will advise the Data Subject to submit its request to the Controller, who is solely responsible for responding substantively to any such requests or communications.

4.3. Subprocessors: The Controller authorises Mobilisights to engage Sub-processors for the processing activities linked to this Data Processing Agreement and the provision of services included in the Agreement.

5. Miscellaneous

This DPA shall remain in force as long as the processing activities involving Personal Data are ongoing and under the Agreement.

This DPA shall be governed by the terms and conditions of the Agreement (including but not limited to terms related to confidentiality, indemnification, limitation of liability, etc).

In the event of any conflict or inconsistency between the terms and conditions of this DPA and any terms or conditions set forth in this Agreement, the terms and conditions set forth in the Agreement shall prevail.

6. Data Protection Officer

Mobilisights has appointed a Group Data Protection Officer (DPO) in line with Art. 37 GDPR, which is the primary point of contact in relation to the performance of the obligations pertained in this agreement (including in relation to the fulfillment of Data Subject Rights). They can be reached via privacy@Mobilisights.com

Annex 1 - Kinds of personal data processed (Fleet management)

Annex 2 - Sub-processors (fleet management)

Annex 3 - Technical and organizational measures (TOM’s), Art. 32 RGPD

This Appendix summarises the minimum technical and organisational measures implemented by the Parties to ensure an adequate level of data protection. Mobilisights implements the following technical and organisational measures:

I. Technical measures

1. Logical access control to IT systems

Purpose: to prevent unauthorised access to the IT systems on which the data is processed. ● Logging of access to IT systems

● Identification of users through nominative user accounts

● Limiting the number of attempts to access an account (account lockout)

● Robust password policy (users/administrators)

● Mandatory and auditable forgotten password procedure

● IT systems access policy with authorisation management procedure and regular review ● Access to IT systems only after two-factor authentication

● Secure remote access to IT systems (VPN, strong authentication, etc.) ● Dedicated secure server management console

● SIEM/SOC

● Securing the wireless network

● Mobile devices protected by encryption

● Automatic session lockout for inactivity

● Regular antivirus and firewall updates (automatic or manual)

● Instant installation of critical operating system updates

● Installation of application updates in the event of a critical vulnerability

2. Data access controls

Aim: to prevent unauthorised/illegal access and activity to data

● Log access to IT systems

● Apply standard PSA data access controls

● Pseudonymisation

● Restrict access to data to those with a legitimate business need

● Log connections and access to data

● Formalisation of access rights

3. Data exchange controls

Aims: to ensure secure data transmission and prevent unauthorised transmission ● Log access to IT systems

● Encryption of data transmitted over the Internet (email encryption, secure connection in transit using SSL encryption)

● Remote access via VPN connection

● Use of electronic signatures

4. Data integrity controls

Aim: to protect data against any alteration and to ensure the traceability of any data entry, modification or deletion ☒ Logging of system administrator activities

● Logging of access to IT systems

5. Data availability controls

Aim: to prevent any loss/destruction of data, even temporary, whether accidental or deliberate. ● Regular backup of data, with checks on the completion and verification of backups ● Backup recovery procedures with regular testing

● Storage of backup media at an off-site location

● Business continuity plan with regular testing

● Business recovery plan with regular testing

● Compliant, state-of-the-art use of system protection solutions

6. Segregation controls

● Logical/physical segmentation of data for multiple clients

● Sandboxing

7. IT development controls

● Testing of IT developments on fictitious or anonymised data

● Training developers in the principles of data protection by default and at the design stage.

II. Organisational measures

● Procedures for testing, analysing and evaluating the effectiveness of technical and organisational measures (intrusion tests, internal and external vulnerability scans, etc.)

● Security incident management procedures

● Security Policy

● IT Charter

● Security awareness training for users

● Training of employees involved in the processing of data entrusted to the Service Provider

● Regular assessment of subsequent subcontractors (prior to subcontracting and during the subcontracting period)

● In addition, we refer to the IT security standards implemented by AWS, our cloud-based server Service Provider.

- END OF THE DOCUMENT -