...

Service Level Agreement
for WEM ZoomBIM
Solutions B.V.

  1. Parties

    Customer subsequently to be called User.

    ZoomBIM Solutions B.V. located in Hogehilweg 24, 1101 CD Amsterdam, registered under number 55022669 at the chamber of commerce in Amsterdam and known to the Dutch tax authorities under sales tax number NL8515.33.279.B01, represented by Harrie Huisman, Chief Executive Officer, to be called Supplier.

    Considering:

    The User has licenses for use of the online development platform WEM for which the license costs have been paid on time and in full.

    Supplier acts as developer and supplier of WEM, and is able to carry out maintenance and development.

    1. Terminology

    WEM

    The Web Expert Module of ZoomBIM Solutions B.V.

    WEM

    All software, documentation and systems for the WEM modeler and WEM runtime environments delivered in a Platform as a Service (PaaS) solution.

    WEM Software

    See WEM

    WEM Platform

    See WEM

    WEM Runtime

    The server environment on which software which was developed using WEM (WEM Projects) is made available via an URL.

    WEM Modeler

    The environment in which the functionalities of WEM Projects are modeled, designed and published to the WEM Runtime.

    WEM Project(s)

    A solution built with the WEM Platform.

    Disruption(s)

    A disruption in the services provided by WEM.

    License agreement

    Agreement for the use of WEM.

    WEM Test application

    Availability of WEM

    Supply-Chain

    A network between Supplier and its suppliers that deliver specific services and/or systems and/or software and distribute this as specific product(s) to the User. This network includes different activities, entities, information, and resources, including cloud storage.

    Host Partner

    Supplier to ZoomBIM Solutions B.V. that provides the secured cloud storage environment.

    Subject

    Person about whom data are stored in any WEM Project.

    Supplier

    The company that provides a service to a client or User

    User

    Client that buys the service from Supplier

    2. General

    This Service Level Agreement (SLA) describes the package of agreements made between Supplier and User of WEM, as made available by the Supplier in a Platform as a Service (PaaS) model and service levels that apply as such.

    2.1  Intention of the SLA

    By means of this SLA, it is intended to clarify the agreements set between Supplier and User regarding WEM. This excludes all solutions made in WEM (the WEM Projects).

    2.2  Term and Termination

    The duration of this SLA is inextricably linked to the term of the signed license agreement of which this SLA is part. This SLA is valid and applicable only if User has a VALID WEM License. This SLA agreement will be extended or terminated in accordance with the User’s WEM License agreement.

    2.3  Penalty clause

    This agreement does not include a penalty clause.

    2.4  Costs

    This SLA is offered free of charge by the Supplier as part of the WEM License which the User is contracted to. In case of special requirements by the User, additional charges may apply, all based on separate price quotes or agreements to be signed by the Parties.

    2.5  Communication

    All communication regarding WEM and the Service Levels in this document can be found in the online WEM application via the URL http://my.wem.io

    3. Release management

    Release management includes the (further) development of new functionalities in the software; corrective application maintenance (bug fixing) and availability of the latest optimally working version of the software.

    Supplier follows ISO 27001 clause 14 with the goal to ensure that information security is an integral part of information systems across the entire lifecycle, including during the developmental life cycle. This also includes the requirements for information systems which provide services over public networks.

    3.1  New releases

    The Supplier aims for constant product improvement and innovations and strives to release a new version regularly. The provision of new functionalities and bug fixes are the responsibility of the Supplier. New versions will be made available at times chosen by the Supplier. If User impact is expected, a notification about a new release will be provided by Supplier to User, in a timely manner, so that the User can have some time to prepare for such release.

    In case WEM requires so, User is obliged to update to a new version within a reasonable time frame.

    3.2  Impact of new releases

    The Supplier has the right to add new WEM functionalities, and to implement existing WEM functionalities differently in future versions, while continuously supporting the functionality of existing WEM Projects.

    The Supplier is obligated to inform the User if a significant impact on existing WEM Projects is expected as a result of changes in WEM functionalities. If necessary, the Supplier will, on a best-effort basis, actively support maintenance of existing features within WEM Projects.

    In cases like this, the Supplier will actively communicate with the User to seek a solution. However, the Supplier retains the right to take the lead in the implementation of the solution.

    4. Specification Service Levels

    4.1  Services

    The Supplier’s support desk can be contacted for all incidents related to the functioning of WEM.

    Supplier’s Support desk is reached via the https://my.wem.io portal. A ticket can be submitted on a 24/7 basis; however, a representative will respond to the ticket according to clause 5.2.1.

    WEM does depend on the supply chain of third parties who provide services supporting the WEM Platform (for example Microsoft Azure, CloudVPS, etc.). Accordingly, tickets which involve the responsibility of the WEM supply-chain or WEM Partners will be handled by the supply chain and in accordance with their SLAs.

    As determined jointly, Support provided by the Supplier for incidents caused by intent or negligence of the User or a third party acting on behalf of the User, may be charged to the User based on normal commercial rates used by Supplier.

    4.2  Version support

    Support is guaranteed by the Supplier on all versions of WEM that are in production from Version 3.4.0 onwards, and for which the User has a valid License Agreement. Custom coded elements such as Scripts, widgets, (Custom) Master Templates, as well as other custom made additions, etc. are excluded from this SLA.

    4.3  Further developments

    At all times, further development is performed on the last published WEM version. No further development will be committed on previous versions.

    4.4  Support desk

    The User is entitled to support from a support desk within the frameworks set out in this document.

    The support desk provides support for corrective, adaptive and preventive maintenance to ensure proper functioning of the latest version of WEM. The support desk can be reached via the https://my.wem.io portal.

    4.5  Operational management

    The Supplier is responsible for operational management of WEM and its supporting infrastructure. This operational management includes:

    • active monitoring of the operational status of WEM;
    • supply and installation of upgrades and patches of (system) software to the extent necessary to guarantee the availability and safety of WEM;
    • optimization and (having to) carry out necessary maintenance on and, if necessary, replacing (parts of) the infrastructure;
    • solving infrastructural problems;
    • monitoring storage and processing capacity of the infrastructure and identifying potential capacity problems;
    • signaling trends, common problems, their interconnections and causes;
    • providing security;
    • periodically carrying out backups on the WEM Runtime environments and restoring these backups in the event of an irreparable incident with a technical cause;
    • scheduled and Emergency maintenance.

    Supplier adheres to ISO 27001 measure A.12.1 for Operational procedures and responsibilities with the objective to ensure correct and secure operations of information processing facilities.

    4.6  Availability of WEM

    The Supplier strives for a minimum availability of WEM as tested via the “WEM Performance Baseline Application” in accordance with the following scheme:

    Timeframe   | Hours | Availability
    ------------|-------|-------------
    7 days/week | 24/7  | 99,5%

    Availability of WEM Software is based on the correct functioning of the WEM Runtime in the production environment. Correct functioning will be confirmed by periodically carrying out a test application and comparing its output with expected results.

    The availability will be calculated over a period of one calendar year. It is based on the number of minutes that the test application functions correctly, plus the minutes of planned downtime, divided by the total number of minutes during this period. See the formula below:

    (Correctly functioning minutes + Planned downtime minutes) / Total minutes * 100% = Availability percentage

     

    4.6.1  Planned downtime

    WEM intends to carry out maintenance work on the WEM Platform, which can affect the availability of the WEM Platform during the maintenance activities. Planned downtime can be for WEM maintenance or for supply-chain maintenance as needed. WEM will inform User of Planned maintenance in writing and in a timely manner, to allow User to take any necessary actions to be ready for such downtime. Notification of a Planned downtime will include a date, start and expected end time, the Services/Functionalities which are maintained and whether there is a possible impact.

    The Supplier will make its best effort to ensure that WEM will not be unavailable for more than a maximum of 4 hours per situation in case of planned maintenance. If the Supplier expects WEM will not be available for longer than this maximum time, the User will be informed accordingly and the Supplier will initiate actions to offer the availability of WEM in an alternative manner. The User will be informed on the progress of such actions. Planned downtime always takes place in the Maintenance window hours, which are between 22.00 and 06.00 CET.

    User is aware that during a Planned downtime the WEM services may be completely or partially unavailable.

    4.7  Periodic backups of Runtime Data

    The Supplier periodically conducts backups of the WEM Runtime Data at minimum at the following frequency:

    Nr. | Timeframe    | Description
    ----|--------------|---------------------
    1   | Hourly basis | Transactional backup
    2   | Daily basis  | Differential backup
    3   | Weekly basis | Full Backup

    Backups are kept available for a period of 28 days.

    Supplier will periodically, at least once a quarter, perform a restore of a backup to test the correctness of the back-up and restore process.

    The storage of backups takes place at a different location with at least equal quality and security conditions as the data centers in which WEM is hosted.

    4.8  User System requirements

    For an optimal accessibility and usability of WEM, the User must ensure that User’s workstation meets the following requirements:

    • A stable internet connection with sufficient bandwidth for a pleasant user experience; required bandwidth is dependent on the WEM project the User has in place.
    • A modern internet browser with HTML-5. For example: the latest versions and/or the previous version of Microsoft Edge, Apple Safari, Google Chrome or Mozilla Firefox.

    4.9  Disaster Recovery

    The Supplier offers a Disaster Management and Recovery solution to all WEM Users with a valid WEM License. This is based on an alternate WEM environment with comparable functionality and warranted by the foundation “Stichting Waarborgfonds WEM-platform”, a specially established foundation for this purpose.

    The Disaster Management solution is tested by the Supplier and can be put in place in case of disruptions with priority 1 that can’t be resolved within 4 hours or in other disastrous situations.

    The Supplier will decide in its sole discretion whether or not to activate the Disaster Recovery solution.

    5. Incident Management

    5.1  Service times and availability

    The Supplier can be reached for support requests through the https://my.wem.io portal 24 hours per day, 7 days per week.

    Processing of support requests is available on workdays between 09:00h – 17:00h CET local time. All timeframes mentioned are based on these working hours in the Dutch Headquarters. Additional service level contracts are available in case additional contact methods and support are required.

    5.2  Incident Registrations

    1. One can register incidents via:
      1. An online ticket system https://my.wem.io (only available after login)
    2. The description of a finding is required to contain at least the following information:
      1. A description of the finding;
      2. The type of finding, for example: downtime, dysfunction or security breach findings, etc.;
      3. Urgency of the matter reported;
      4. The way in which the finding can be reproduced;
      5. Node ID (if applicable and/or available);
      6. Screenshot (if applicable);
      7. Recovery actions that already have been taken and the result thereof;
      8. Other, relevant
    3. All communication has to occur through the support system as part of the https://my.wem.io

    5.2.1  Impact & Response times

    When dealing with Malfunctions with a technical cause, the following times and service levels are maintained.

    Priority | Impact  | Description | Response time
    ---------|---------|-------------|--------------
    1        | High    | • WEM is not available at all (modeler, preview, staging and live); • WEM Live is not available; • There is a risk that company critical information will be lost; • In case of a data breach, the GDPR regulations apply. | 1 hour
    2        | Regular | • WEM is partially unavailable (Modeler, Preview or Staging); • Functionality is not available or does not work (as expected). | 8 hours
    3        | Low     | • Change requests | 16 hours

    Impact severity determines the time window within which the Supplier will respond to the reporting of an incident. Resolution times agreed with the User will always apply as a guideline.

    Response times start the moment a report is received in the Supplier’s system based on the WEM standard business hours. For example, a change request which has been reported on Friday at 22.00 CET will be handled within 16 hours from the closest business day afterwards.

    The Supplier aims to offer a solution as soon as possible. However, timeframe-guarantees cannot be given in advance. Incidents may be related to WEM and/or to the Supply-chain.

    5.2.2  Resolution times

    In the event that a failure of priority 1 occurs and circumstances require it, Emergency maintenance shall apply. In such a situation Supplier will do all in its reasonable power to provide a solution in a minimum time; however, Supplier cannot guarantee a minimum time of unavailability of the WEM Platform. Events of failure can occur due to WEM and/or due to Supply-chain.

    In case of such a situation, Supplier shall immediately inform User of the Emergency maintenance and the possible impacts and shall keep in contact with User.

    If Solution time is over 4 hours, WEM will assign a dedicated professional employee who will be in close direct contact with User in order to track the situation, update User upon the progress, etc. Solution time is calculated from the moment the Supplier receives the fault message. If the Supplier expects WEM will not be available for longer than this maximum time, the User will be informed of this and the Supplier will initiate actions to offer the availability of WEM in an alternative manner.

    The User will be continuously informed of the progress of these actions. For Users with a valid WEM License, Disaster Recovery operates as described in section 4.10. In case the incident refers to Supply-chain (such as Microsoft Azure), Resolution times will be according to Supply chain SLAs and commitments as well as the actual resolution of the issue by the supplier.

    5.2.3 Resolution

    The Supplier will make every effort to repair all defects that have an impact on the User and were reported by the User or identified by the Supplier, as long as the issue is related to Supplier. In case the incidents relate to Supply-chain, such as if the User is running on a private cloud (ex. Azure, AWS etc.), Supplier will be in contact with Supply-chain to make sure it makes every effort to repair all defects that have an impact on the User and were reported by the User or identified by the Supplier. The Supplier reserves the right to set priorities regarding the repair of the incident. The Supplier is permitted to resolve the reported incident by offering the User a work-around, if applicable.

    5.2.4  Access to privacy-sensitive information during recovery

    The Supplier refers to a possible ‘Processor Agreement’ in case an incident has occurred that requires access to privacy sensitive information from the User for this incident to be resolved. If such an agreement does not exist, the Supplier rightfully assumes this access is self-evident. In this manner, in case a Supply-chain needs to access the sensitive information, User will be informed and will decide if a User permission will be provided in writing.

    The User is responsible to enter into a specific Processor Agreement with the Supplier where required by law.

    5.2.5  Availability of resources

    The Supplier assumes that the Supply-chain partner (ex. Azure, AWS) and User will exert every effort to make all necessary resources available for solving reported malfunctions.

    5.3  Refusal of incident responsibility

    The Supplier reserves the right to refuse to carry responsibility for a malfunction if the nature of this malfunction is beyond the scope of this document or if the User License for the use of WEM and/or Supply-chain is not valid.

    5.4  Return of an incident

    If the provision of information of a finding reported by the User is insufficient for the Supplier to make a diagnosis, the Supplier reserves the right to return the notification with the request for more information. In case User does not provide sufficient information or does not respond within up to 3 approaches, the incident will be closed and a notification will be sent to User.

    5.5  Signing off an incident

    As soon as WEM Support has solved the issue, Support sets status of a ticket to Resolved. In that state Customers can Accept and Close the issue or Decline and Re-assign ticket to continue support.

    In case an incident is resolved, the following information is reported to the User by the Supplier:

    1. The ticket number under which the incident is registered by the Supplier;
    2. The date and time of resolving the incident;
    3. The way the incident has been dealt with;
    4. The reason of resolving the incident;
    5. The person responsible for closure of the

    5.6  Paid and unpaid support

    Support efforts will be invoiced to the User at current commercial rates if it appears that the incident is:

    1. caused by circumstances beyond the scope of this document;
    2. beyond the scope of influence of the Supplier;
    3. caused by the User;
    4. implies additional functionalities in WEM requiring a project;
    5. caused by third parties on behalf of the

    If there is any uncertainty regarding the aforementioned, distribution of costs will be determined in good consultation between the User and the Supplier.

    5.7  Escalation procedures

    In the event of disagreement about whether the service level has been successfully fulfilled, representatives of the User and the Supplier as mentioned in this agreement will be informed. These representatives, or persons appointed by them, will consult about structural solutions to improve the service level within a reasonable time period.

    If these actions do not lead to structural improvements within 3 months, both parties can, at their own expense, name an independent third party as a mediator.

    6. Risks

    6.1  Security

    According to NEN 7510 / ISO 27001 part A.12.2, Supplier takes adequate measures for protection from malware, in particular computer viruses and hackers. In addition, for processing of personal health information (if applicable), appropriate prevention, detection and response controls are implemented to protect against malicious software and appropriate user awareness training will be provided.

    6.2  Host partner

    The Supplier selects and makes use of hosting partners, through which the WEM service is hosted and storage of data is accommodated. The Supplier guarantees the server farm(s) under its management will at all times be hosted by an ISO 27001 certified hosting partner. The Supplier also ensures protection of the organization’s assets that are accessible by hosting partners. Subjects’ rights will be protected, even if an external party that has access to personal (health) information resides in another jurisdiction than the client or the (health) organization.

    To enforce this, Supplier has set up an information security policy with respect to all Supplier relationships in the supply chain, according to NEN 7510 / ISO 27001 section A.15.1 “Information security in supplier relationships”. The implementation of this policy is handled in the form of guidelines, processes, and physical controls. In addition, to maintain an agreed level of information security and service delivery in line with supplier agreements, and according to NEN 7510 / ISO 27001 A.15.2.1, a regular monitoring and review of supplier services is carried out.

    6.3  Measures in case of security procedure breaches

    In the unexpected event security breaches are detected, the concerned parties must inform each other as soon as possible. Supplier has set up an incident management process according to NEN 7510 / ISO 27001 clause A.16, Information security incident management. The purpose of this incident management process is to restore an unplanned service interruption to the pre-agreed level as quickly as possible. Supplier adds to this the monitoring of incidents and the reporting to Users and stakeholders on the handling of incidents. The management of incidents is essential for incidents that hinder the operation of the WEM Platform to meet the requirements set with regard to the quality aspects of confidentiality, integrity, availability and verifiability.

    This process description to handle incident management is fully compliant with the provisions in NEN 7510 / ISO 27001 clause A.16, Management of information security incidents. This specifically includes clause A.12.6.1, Management of Technical Vulnerabilities.

    In addition, with regard to confidentiality, the desired handling of privacy incidents in accordance with the General Data Protection Regulation (GDPR), or in Dutch, ‘De Algemene Verordening Gegevensbescherming’ (AVG), is specifically examined. The following principle is included according to NEN 7510 / ISO 27001 clause A.18.1.4, Privacy and protection of personally identifiable information. Supplier will follow Art. 33 GDPR, Notification of a personal data breach to the supervisory authority: https://gdpr-info.eu/art-33-gdpr/.

    7. Preconditions WEM Software Application maintenance

    The Supplier is not obliged to provide maintenance services regarding errors and/or incidents arising due to:

    1. using WEM, or by connecting WEM with other software or equipment, in a manner not described in the accompanying documentation or a manner not permitted under this agreement and/or the license agreement;
    2. intentional incorrect usage of WEM, whether or not by the User;
    3. input errors or errors related to the data used by

    If one of the cases as described under (a) to (c) occurs, the Supplier is free to identify faults, make diagnoses and/or solve them. In such cases a charge might apply according to the specific occasion.

    7.1  Exclusions

    Maintenance services under this agreement do not include:

    • services related to system configurations, hardware and networks of third parties not hired by the Supplier;
    • network connections, internet supply defaults, Customer Data, servers, burglaries or attempted burglaries by third parties;
    • structural work such as defining layouts, overviews, import definitions and links with third-party software;
    • support on location;
    • WEM releases for versions prior to 4.0;
    • converting files;
    • services regarding external databases of producers other than those of the Supplier;
    • installation, configuration, training or other services not explicitly described in this agreement;
    • maintenance or support for (operating) software from producers other than the Supplier;
    • file repairs, for which the cause for issues cannot be attributed to the software of the Supplier;
    • services with respect to errors and/or shortcomings caused by the use of system settings that do not correspond with the system requirements as described in Article 4.8 User System Requirements;
    • support outside the times specified in article 1 (unless an additional SLA has been concluded);
    • Errors and/or imperfections caused by how the User, or a third party engaged by the User, has modeled (a) WEM Project(s) in WEM.
    • No support is offered on WEM Projects based on this If desired, support can be provided with a separate SLA to be concluded on the WEM Projects.

    8. Reporting

    Incident reports are available to the User at the https://my.wem.io portal at any time 24/7, depending on the chosen license:

    • Malfunction reporting
    • Performance
    • Availability
    • Security Breaches

    9. Other conditions

    This agreement is also subject to the most recent version of the “General, Service and Licensing Terms” and “Terms of use and Privacy Policy” of the Supplier.

    These documents can be found on the website of the Supplier http://wem.io or can be sent to the User on request.

    The Supplier may, in its sole discretion submit changes to this SLA and shall inform the User in writing. Any changes will then come into effect within 60 days.

    10. Dutch law

    All parties subject to this SLA declare that Dutch law applies to this agreement.

    11. Agreement statement

    By signing this document, all parties indicate that they are in accordance with this agreement and all previous versions of the WEM SLA are invalid.