LUCIDLINK CONNECT ANNEX
This Annex forms part of the order form to which it is attached (the "Order Form"). The services described in the Order Form will be delivered in accordance with the LucidLink Terms & Conditions available at https://www.lucidlink.com/terms/ (the "Terms") and this Annex. By signing the Order Form, Customer acknowledges and agrees to the Terms and the additional provisions set forth in this Annex.
The following provisions supplement or modify the Terms:
1. LUCIDLINK CONNECT FEATURE DESCRIPTION
1.1 Feature Overview. The LucidLink Connect (“Connect”) Feature allows Customer to connect LucidLink Services to Customer's existing cloud storage buckets that contain pre-existing data, configurations, and settings not created or initialized by LucidLink.
1.2 Material Difference from Standard Services. Customer acknowledges that the Connect Feature operates differently from LucidLink's standard Services, which typically initialize and operate on clean storage substrates. When using the Connect Feature, LucidLink's filesystem layer interacts with storage environments, data structures, and configurations that are entirely controlled and maintained by Customer.
1.3 Zero-Knowledge Clarification. The Parties acknowledge that the Connect feature does not operate under LucidLink’s zero-knowledge encryption model as described in Section 5.1 of Exhibit No. 1 of the Data Processing Agreement and LucidLink’s security documentation. Unlike LucidLink’s standard Services, Connect enables Customers to connect LucidLink to Customer-provided storage environments that are not initialised or encrypted by LucidLink from inception. As a result, while LucidLink does not access Customer file contents as part of normal operations, LucidLink may have the technical capability to access Customer Data stored in Customer-controlled storage where necessary to operate the Service and where authorised internal access is used, in accordance with LucidLink’s internal security controls. Connect therefore operates under a trusted service-provider security model rather than a cryptographic zero-knowledge model.
2. CUSTOMER REPRESENTATIONS AND RESPONSIBILITIES
2.1 Bucket Authority and Rights. By enabling the Connect Feature, Customer represents, warrants, and covenants that:
a) Customer has full legal authority and all necessary rights to grant LucidLink access to the designated storage bucket(s);
b) Customer's use of the storage bucket(s) with LucidLink Services does not violate any third-party agreements, licenses, or obligations, including but not limited to data residency requirements, intellectual property restrictions, regulatory compliance obligations, or contractual limitations;
c) Customer has obtained all necessary consents, authorizations, and permissions required to allow LucidLink to access and process the contents of the storage bucket(s);
d) All pre-existing data, objects, metadata, and configurations in the storage bucket(s) are owned by Customer or Customer has the right to use such data with the Services; and
e) Customer understands and accepts that LucidLink does not and will not validate, sanitize, audit, or verify the contents, structure, compliance status, or suitability of pre-existing bucket contents.
2.2 Backup Requirement. Customer is solely responsible for maintaining complete and current backups of all data existing in the storage bucket(s) prior to and after enabling the Connect Feature. Customer acknowledges that LucidLink's log-structured filesystem model may interact with, modify, or reorganize storage bucket contents in ways that differ from the original object semantics.
2.3 Bucket Configuration Responsibility. Customer retains full and exclusive responsibility for all aspects of the storage bucket environment, including but not limited to:
a) Identity and Access Management (IAM) policies and permissions;
b) Bucket policies, lifecycle rules, and retention policies;
c) Replication rules, versioning settings, and cross-region replication;
d) Encryption settings and key management;
e) Third-party integrations and external access configurations;
f) Compliance with all applicable legal, regulatory, and contractual obligations related to the storage and processing of data in the bucket(s); and
g) Backup, retention, and recovery.
3. ADDITIONAL DISCLAIMERS FOR PRE-EXISTING DATA
3.1 No Warranty on Pre-Existing Content. In addition to the warranty disclaimers set forth in Section 14 of the Agreement, LucidLink makes no representations or warranties whatsoever regarding:
a) The integrity, structure, format, consistency, or suitability of any objects, data, or metadata existing in the storage bucket(s) prior to and after enabling the Connect Feature;
b) The compatibility of pre-existing bucket contents with LucidLink's filesystem operations;
c) The accuracy, completeness, or reliability of pre-existing data or metadata;
d) Performance, accessibility, or retrievability of pre-existing data when accessed through the Services; or
e) Any unexpected behavior, errors, or system responses that may result from the pre-existing state, configuration, or contents of the storage bucket(s).
3.2 Acknowledgment of Risk. Customer expressly acknowledges and accepts that connecting the Services to pre-existing, customer-controlled storage environments introduces risks and uncertainties that do not exist when LucidLink initializes storage. These risks include, but are not limited to, data incompatibility, performance degradation, unexpected interactions with existing configurations, and potential data accessibility issues.
4. DATA LOSS, CORRUPTION, AND MODIFICATION
4.1 Limitation of Liability. Notwithstanding any other provision of the Agreement, and in addition to the limitations set forth in Section 15 of the Agreement, LucidLink shall not be responsible or liable for any loss, corruption, deletion, modification, overwriting, or inaccessibility of:
a) Pre-existing data or objects stored in the storage bucket(s) prior to enabling the Connect Feature;
b) Data affected, modified, or deleted by bucket policies, lifecycle rules, replication configurations, versioning settings, or retention policies configured by Customer or third parties;
c) Data affected by IAM policies, access controls, or permissions configured by Customer or third parties;
d) Data accessed, modified, or deleted by external actors, applications, or services with access to the storage bucket(s); or
e) Data affected by incompatibilities between LucidLink's filesystem operations and the pre-existing structure or state of the storage bucket(s).
4.2 Customer Acceptance of Filesystem Model. Customer acknowledges and accepts that LucidLink's log-structured filesystem model may not preserve, maintain, or be compatible with prior object semantics, metadata structures, or access patterns established before enabling the Connect Feature. Customer assumes all risk related to such incompatibilities.
4.3 No Duty to Monitor or Notify. LucidLink has no obligation to monitor the storage bucket(s) for external modifications, deletions, policy changes, or access by third parties, and has no duty to notify Customer of such activities unless expressly agreed in a separate written agreement.
5. SECURITY AND ACCESS CONTROL CLARIFICATIONS
5.1 Customer-Controlled Security Layer. Customer acknowledges and agrees that:
a) All storage-layer security, including bucket-level IAM policies, device and user access controls, encryption settings (beyond LucidLink's filesystem encryption), and network configurations, are entirely within Customer's control and responsibility;
b) LucidLink is not responsible for security vulnerabilities, data exposure, unauthorized access, or data breaches resulting from misconfigurations, inadequate policies, or insufficient access controls at the storage bucket level;
c) LucidLink does not audit, monitor, review, or validate Customer's storage bucket configurations, IAM policies, or security settings unless expressly agreed in a separate written agreement; and
d) Customer is solely responsible for ensuring that storage bucket configurations comply with all applicable security requirements, industry standards, and regulatory obligations.
6. DATA PRIVACY AND DATA PROTECTION CLARIFICATIONS
6.1 For the purposes of applicable data protection laws, including the GDPR and CCPA/CPRA, the Customer remains the data controller (or “business”), and LucidLink acts solely as a data processor or service provider when providing the Connect feature. Connect enables Customers to connect LucidLink to storage environments and data structures that are created, configured, and managed by the Customer. LucidLink does not determine the content, structure, or legality of data stored in such environments and does not act as a controller or joint controller with respect to Customer data stored in Customer-controlled storage.
6.2 Data Processing Scope. In connection with the Connect feature, LucidLink processes personal data in accordance with the Data Processing Agreement incorporated into the Agreement. Connect does not introduce new categories of personal data beyond those already described in the Data Processing Agreement. Any personal data processed in connection with Connect arises from Customer-provided storage identifiers, metadata, or configurations, to the extent such data contains personal data determined and controlled by the Customer.
6.3 Purpose Limitation. LucidLink processes the above data solely to provide, maintain, and support the Connect functionality and for no other purpose. LucidLink does not use Customer Data accessed via Connect for profiling, advertising, or independent commercial purposes.
6.4 Security Controls and Internal Access Safeguards. Connect is protected by LucidLink’s existing Technical and Organisational Measures, as described at Exhibit No. 1 of the Data Processing Agreement and LucidLink’s security documentation. These measures include restricted access to production systems, role-based access controls, multi-factor authentication, private network access, and centralized logging and monitoring of privileged activity. Because Connect does not operate under a zero-knowledge model, LucidLink relies on these internal controls and oversight mechanisms to prevent unauthorised access and misuse, rather than on cryptographic impossibility. LucidLink does not access Customer file contents as part of normal operations, and any authorised internal access is limited, logged, and subject to internal security controls.
6.5 Customer Storage Access and Configuration. Customers are solely responsible for:
a) Ensuring that storage access credentials provided to LucidLink are scoped as narrowly as possible and grant only the permissions required for Connect to operate (for example, read-only object access);
b) Managing bucket-level security controls, including encryption settings, access policies, lifecycle rules, retention, replication, and backups; and
c) Ensuring that the Customer has all necessary rights, permissions, and lawful bases to connect and process data stored in Customer-controlled storage using Connect.
LucidLink does not validate, audit, or monitor Customer bucket configuration and acts solely on Customer instructions and configuration provided through the service.
6.6 Logging and Diagnostic Data. During error handling, diagnostics, or support activities, limited storage identifiers (such as bucket names or object identifiers) may appear in system or client logs. LucidLink seeks to minimise logged data and does not log file contents. Customers should exercise discretion when naming storage objects and paths and should consider whether such identifiers include personal or sensitive data.
6.7 Data Residency. The LucidLink hub location follows the filespace region selected by the Customer. Connect permits Customers to link storage resources located in multiple regions or providers. Customers are responsible for ensuring that their configuration complies with applicable data-residency or cross-border transfer requirements.
6.8 External Link-Based Access. LucidLink may support the ability for Customers to link to externally hosted files via direct HTTP-accessible links (for example, files hosted in third-party services). Where supported, this model allows Customers to provide external access links instead of LucidLink storing ongoing storage access credentials. This access model is not zero-knowledge. Files accessed via external links are not encrypted or managed end-to-end by LucidLink. Instead, the files remain stored in the applicable third-party storage environment and are accessed using the security, encryption, and access controls of that environment. Because access is provided via Customer-managed external links, the Customer is responsible for how those links are created, scoped, shared, expired, refreshed, and revoked. LucidLink does not control, manage, or monitor externally hosted links or the systems that serve them once created, and does not determine who may ultimately access data via such links. This approach involves different usability and security considerations compared to Connect. Customers are responsible for determining whether this access model is appropriate for their intended use, data sensitivity, and compliance requirements, and should engage with LucidLink to discuss its implications prior to use.
6.9 Except as expressly described in this Addendum, all processing of personal data in connection with the Connect Feature remains governed by the Data Processing Agreement incorporated into the Agreement.
7. OPERATIONAL RIGHTS AND SERVICE MANAGEMENT
7.1 Right to Refuse or Suspend Connection. In addition to the suspension rights set forth in Section 12 of the Agreement, LucidLink reserves the right to refuse connection to, or suspend Customer's use of, any storage bucket(s) that:
a) Causes or is reasonably likely to cause system instability, performance degradation, or service disruption affecting LucidLink's infrastructure or other customers;
b) Poses or is reasonably likely to pose a security risk to LucidLink's Services, infrastructure, or other customers;
c) Contains content or configurations that violate the restrictions set forth in Section 10 of the Agreement or applicable law; or
d) Cannot be safely or reliably integrated with the Services due to technical incompatibilities, structural issues, or configuration conflicts.
7.2 Notice and Remediation. Where reasonably practicable, LucidLink will provide Customer with prior notice and an opportunity to remediate issues before exercising suspension rights under Section 7.1, provided that immediate suspension without prior notice may be implemented where necessary to prevent imminent harm, security threats, or material service disruption.
7.3 No Obligation to Support All Configurations. LucidLink has no obligation to support all possible storage bucket configurations, structures, or pre-existing data formats. LucidLink may, in its sole discretion, decline to support or recommend against using the Connect Feature with buckets that present significant technical, operational, or compatibility challenges.
8. AMENDMENTS TO EXISTING SECTIONS OF THE AGREEMENT
8.1 Section 1 (License; Order Forms; Access to the Service). The following sentence is added to the end of Section 1:
"When Customer elects to use the Connect Feature, Customer acknowledges that the Services will interact with Customer's pre-existing cloud storage environment, and the additional terms set forth in the Connect Feature Addendum shall apply."
8.2 Section 11 (Confidentiality; Customer Data; Publicity). The following paragraph is added immediately after the paragraph beginning with "Customer, not LucidLink, shall have sole responsibility...":
"For Customers using the Connect Feature, Customer acknowledges and agrees that all pre-existing data, configurations, and settings in Customer's storage bucket(s) are Customer's sole responsibility, and LucidLink's obligations regarding security, integrity, and unauthorized access prevention apply only to the Services' filesystem layer operations, not to storage-layer configurations, access controls, or pre-existing bucket contents."