Cybersecurity Guidance, Advisory, and Consulting Services Policy
Note: No single process, set of processes, or combination of technologies will make you 100% secure.
Policy Overview
Yama Industrials, Inc. including any associated divisions and/or subsidiaries (hereinafter referred to as "Yama Industrials") is committed to delivering industry best practices for cybersecurity guidance, advisory, and consulting services to our clients. This policy delineates the exact scope of our services and explicitly states that Yama Industrials does not act as, nor imply in any way the role of, the Chief Information Security Officer (CISO) or any related positions and/or titles for our clients. Our responsibilities are strictly limited to:
Providing standard(s)-based guidance, advice, and consulting services on cybersecurity matters.
Conducting standard(s) evaluations of the client's cybersecurity requirements and current posture.
Recommending appropriate and tailored cybersecurity solutions based on the client's specific needs.
Offering industry-accepted best practices and strategies for the implementation of cybersecurity solutions.
Yama Industrials may assist in the implementation of cybersecurity solutions as needed.
Our team can engage in hands-on activities to ensure the deployment and configuration of recommended cybersecurity measures.
Implementation Assistance Clause
Yama Industrials may assist in the implementation of cybersecurity solutions as needed. However, such assistance is ultimately provided under the client's approval, direction and authorized supervision. The client retains ultimate responsibility for the implementation and effectiveness of all cybersecurity measures.
Hands-on Engagement Clause
Our team can engage in hands-on activities to ensure the logistics, deployment, and configuration of recommended cybersecurity measures. These activities are performed based on industry-standard practices (as viable) but ultimately based on the client's specified needs and requirements. Yama Industrials shall not be liable for any damages arising from the deployment and configuration of cybersecurity measures unless such damages result from gross negligence, reckless disregard, or willful misconduct on the part of Yama Industrials.
Definitions of Misconduct
Willful Misconduct: For purposes of this agreement, "willful misconduct" shall mean a conscious, voluntary act or omission in reckless disregard of a legal duty and of the consequences to another party, but shall not include ordinary negligence, inadvertent errors, or mistakes in judgment. "Reckless disregard" shall mean conduct that is substantially more than negligent but less than intentional harm, characterized by a substantial deviation from acceptable standards of care, where the risk of harm is either known or so obvious that it should have been known, excluding actions taken in good faith or errors made in complex or ambiguous situations. "So obvious" shall mean a risk that is clear and evident to a reasonable person with similar expertise and/or experience and under similar circumstances, but shall not include risks that are not apparent due to the complexity, ambiguity, and/or technical nature of the situation.
Purposeful Misconduct: "Purposeful misconduct" shall mean any action or omission undertaken with the specific intent to cause harm or achieve a wrongful objective, characterized by a deliberate and conscious effort to disregard the safety, rights, or interests of others. This includes actions taken with a clear and wrongful purpose that goes beyond negligence or recklessness.
Recklessness: "Recklessness" shall mean conduct whereby a person disregards a substantial and unjustifiable risk that their action or omission will result in harm. This risk must be of such a nature and degree that, considering the circumstances known to the person, its disregard involves a gross deviation from the standard of conduct that a reasonable person would observe in the situation. For purposes of this policy, "substantial" means significant in terms of the probability and magnitude of potential harm. "Potential harm" refers to an adverse effect that could reasonably be expected to result from an action or omission.
Unjustifiable Risk: An "unjustifiable risk" is a risk that a reasonable person in the same situation would not take because the potential harm involved is significantly greater than any potential benefit to be gained. This type of risk is not reasonable under the circumstances and represents a gross deviation from the standard of care expected in similar situations.
Justifiable Risk: A "justifiable risk" is a risk that a reasonable person in the same situation would take because the potential benefits outweigh the potential harm, considering the circumstances and the information available at the time. This type of risk is reasonable under the circumstances and aligns with the standard of care expected in similar situations.
Gross Negligence: "Gross negligence" shall mean a severe degree of negligence taken as a reckless disregard for the safety or lives of others. It is more than simple inadvertence, but it is just shy of being intentional harm. Gross negligence is characterized by a substantial deviation from the standard of care that a reasonable person would observe in the situation, constituting a flagrant indifference to the safety and rights of others.
Willful Negligence: "Willful negligence" shall mean a deliberate act or omission, knowing that such conduct is likely to cause harm to another party. It involves a conscious and intentional disregard or indifference to the safety, rights, or interests of others, characterized by an awareness of the risk and a willful decision to ignore it.
Simple Inadvertence: "Simple inadvertence" shall mean an unintentional act or omission resulting from carelessness or lack of attention, but which does not rise to the level of gross negligence, willful negligence, or recklessness. It typically involves minor errors or lapses in judgment that a reasonable person might make under similar circumstances.
Reasonable Person: A "reasonable person" refers to a hypothetical individual in society who exercises average care, skill, and judgment in conduct. This standard is used as a comparative measure to determine if a person's actions were negligent by evaluating whether a similarly situated person with ordinary prudence would have acted in the same manner under the same circumstances.
Limitation of Liability
Yama Industrials, Inc. (including any divisions and/or subsidiaries) shall not be liable for any damages, whether direct, indirect, incidental, consequential, or punitive, arising from the performance or non-performance of services provided by the client, their designated third party service providers and/or subcontractors. This limitation applies regardless of the nature of the claim, whether based on contract, tort, or any other legal theory.
Any claims, disputes, or legal actions related to the management, monitoring, operation or implementation of cybersecurity and associated systems shall be directed solely to the client and/or their third party or subcontracted service providers. Yama Industrials' liability is strictly limited to instances of gross negligence, reckless disregard or willful “misconduct”.
Indemnification
The client agrees to indemnify, defend, and hold harmless Yama Industrials, its officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, or expenses (including reasonable attorneys' fees and costs) arising out of or in any way connected with the client’s, their service providers', third parties' and/or subcontractors' performance or non-performance of general cybersecurity and/or management and monitoring services. This indemnification obligation begins from the initial point of contact, including during the solicitation and inquiry phase, and continues throughout the duration of the engagement. This includes, but is not limited to, claims arising from data breaches, security incidents, regulatory non-compliance and legal non-compliance.
Client Responsibilities
The client is bound and agrees to:
Maintain Compliance: Ensure compliance with all applicable federal, state, and local laws, regulations, and industry standards related to cybersecurity and data protections.
Implement Recommendations: Implement (where appropriate and as needed) the cybersecurity solutions and strategies recommended by industry best practices regardless of origin.
Monitor Systems: Monitor and manage their cybersecurity systems, and promptly address any vulnerabilities or threats identified as applicable.
Report Incidents: Report any data breaches, security incidents, or regulatory issues to appropriate agencies as dictated by law and cooperate fully with any investigations or remediation efforts.
Maintain Documentation: Keep accurate and up-to-date records (as dictated by industry compliance and laws) of all cybersecurity measures, incidents, and compliance efforts.
Dispute Resolution
Any disputes or claims arising out of or relating to this policy shall be resolved through binding arbitration, conducted in accordance with the rules of the American Arbitration Association. The arbitration shall take place in a mutually agreed location, and the arbitrator's decision shall be final and binding on all parties. The costs of arbitration, including reasonable attorneys' fees, shall be borne by the losing party unless otherwise determined by the arbitrator.
Governing Law
This policy shall be governed by and construed in accordance with the laws of the jurisdiction in which Yama Industrials is headquartered, without regard to its conflict of laws principles.