Service Level with Standardized Compensations (Service Level Agreement) - English

1. Purpose and Scope The purpose of this appendix is to regulate the responsibilities and scope of support, operations, and maintenance of the services covered by this agreement, including integrations and additional services. The agreement covers the support, operations, and maintenance of eAdm, including integrations and components as described in the order form.

The agreement does not cover:

• Operations, maintenance, support, or similar services for custom adaptations.

• Identum Managed Services (this service has its own separate agreement and SLA).

• Implementation of custom functionality in existing solutions (must be agreed upon as a new project).

• The Provider is not responsible for problems or downtime originating from providers of third-party modules and components not covered by the cloud solution, such as learning platforms or Office 365.

2. Delivery and Acceptance Test An acceptance period of 30 days commences from the date of delivery. The Customer must, prior to the expiration of the acceptance period, send the Provider a written notice if major discrepancies are discovered between the agreed-upon solution and the production solution. If this is not done before the end of the period, the performance is considered approved and delivered as agreed, the project is closed, and the SLA conditions for operations come into effect.

3. Maintenance and Communication The Provider is obligated to maintain the components within its production environment. Downtime resulting from maintenance shall be notified to the Customer and is primarily carried out between 23:00 and 06:00 (CET/CEST). If the Customer wishes to make changes to the configuration of the communication between their own and the Provider's environments, the Provider must be notified no later than one month before the changes take effect.

4. Operations, Data Retrieval, and Synchronization The Provider commits to executing an import of source data at least once every 24 hours. The time and frequency of the synchronizations are determined by the Customer. In the event of notified downtime in the Provider's production environment due to updates or maintenance, the Provider may postpone the execution of a synchronization. The postponement of a synchronization shall not exceed 12 hours. If the Provider suspects errors in the data or data format provided by the Customer, the Provider may halt the import until the Customer has been contacted and the error is resolved.

5. Support, Troubleshooting, and Error Correction Work and customer support are provided on business days between 08:00 and 16:00. All support inquiries must be routed through support@identum.no and support.identum.no. Errors reported to the Provider are handled according to the following definitions and response times for initiating error correction during regular business hours:

• Level A (Critical error): The service is completely unavailable to the end user. Troubleshooting and error correction work will commence no later than 2 hours after the error is reported to the Provider.

• Level B (Severe error): Core functionality is severely degraded, and no temporary workaround exists. Error correction work will commence no later than 4 hours after the error is reported to the Provider.

• Level C (Minor error): Functionality is affected, but the system remains usable (or a workaround exists). Error correction work will commence no later than the next business day after the error is reported to the Provider.

If troubleshooting reveals that the source of the error lies within the Customer's area of responsibility (e.g., the Customer's local applications or source systems), the Provider reserves the right to invoice the Customer for the work performed at the applicable hourly rate. The same applies if the software/integrations must be updated as a result of the Customer making changes to their systems.

6. Security, Backup, and Disaster Recovery Security and data integrity are of the highest priority. For detailed and updated information regarding the Provider's routines for backup, Disaster Recovery, RPO/RTO, as well as procedures for notification in the event of security incidents, please refer to our current and applicable security documentation: https://docs.identum.no/sop/security-documentation

7. Uptime and Standardized Compensation The Provider's production environment for the standard software has a guaranteed uptime of 99.9%. Uptime is measured per calendar month by the Provider's internal monitoring systems, and the logs from these systems will serve as the basis for any discrepancies. Notified downtime during planned maintenance (as per section 3) is not counted as downtime.

Limitations for compensation and right of termination:

• The price reduction is calculated based on the fixed subscription fee for the relevant calendar month.

• The maximum price reduction per calendar month is 30% of the subscription fee.

• Compensation claims must be submitted in writing within 30 business days following the end of each month.

Material Breach: If the measured availability falls below 95.0% in a single calendar month, or below 98.0% calculated over a rolling average of three consecutive months, this shall be considered a material breach of the agreement. In such cases, the Customer has the right to terminate the agreement with immediate effect.

8. Provider's Limitations and Prerequisites The Provider cannot be held liable for, and cannot be subjected to compensation claims for, breaches of this agreement caused by:

• Errors in the data provided from source systems sent to the Provider's production environment.

• Errors occurring in applications located outside the Provider's production environment.

• Conflicts between data manually created in eAdm and data originating from source systems.

• Network errors occurring outside the Provider's production environment.

• Errors caused by the Customer's local (client) applications, infrastructure, or other equipment for which the Provider is not responsible.

• Improper use of the service, or errors occurring because the Customer has failed to comply with the requirements set forth in this appendix.

• Force majeure or factors beyond the Provider's control (including cyberattacks constituting a security threat). This specifically applies only in the event of a Europe-wide cyberattack, e.g., if a global Public Cloud provider (Microsoft Azure, AWS, Google Cloud) experiences a complete outage due to a cyberattack by, or on behalf of, a foreign power.

• The Provider temporarily suspending the service, without prior notice, upon the discovery of a severe data security threat.