LE-FR-8568 Rev 2 Oct. 4, 2018

1

SCENE WEBSHARE CLOUD LICENSE AGREEMENT

between

FARO Europe GmbH & Co. KG,

Lingwiesenstr. 11/2,

70825 Korntal-Münchingen,

Federal Republic of Germany

- hereinafter referred to as “FARO” -

and

Company: …………………………………………………….…

Address: …………………………………………………….…

…………………………………………………….…

…………………………………………………….…

Tel : ……………………….………………………………

Fax : ……………………………….………………………

e-mail: ……………………………………….………………

Other information needed to identify the organisation:

…………………………………………………….…

- hereinafter referred to as “Licensee” -

WHEREAS

(1) FARO Group has developed the cloud computing service SCENE WebShare Cloud

that is hosted on third parties’ servers (“Computing Service”).

(2) Licensee uses laser scanner of the FARO Group and is interested in using the

Computing Service.

LE-FR-8568 Rev 2 Oct. 4, 2018

2

NOW THEREFORE, in consideration of the mutual covenants, the Parties hereto enter into

this License Agreement (“Agreement”) according to the following terms and conditions:

§ 1

Object of the Agreement

The deployment of the Computing Service by FARO to Licensee and the referring license

fees in favour of FARO is subject to this Agreement. The Computing Service shall enable

Licensee to get access to and use software applications and data storage, which are hosted

on servers of FARO and/or third parties, via telecommunication and to use these

functionalities of the software applications within the framework of this Agreement. Type and

extent of the Computing Service is set out in the Computing Service Specifications of FARO

(“Computing Service Specifications”, Annex 1) and in § 2 of this Agreement.

§ 2

Description of the Computing Service

(1) In order to be able to create Uploaded Data of the Computing Service, Licensee

requires at least the software SCENE and a functioning internet connection.

(2) The Computing Service is a software and hosting service that is provided to Licensees

as well as to any third party internet user by FARO. The Computing Service allows

users to upload 3D laser scan data and panoramic photographs produced by SCENE

(“Uploaded Data”) to view the Uploaded Data and related meta data within a standard

web browser, to organize the Uploaded Data in projects to which annotations and

measurements can be added (“Scan Projects”), and to share the Scan Projects with

other users. Each Scan Project is presented in an overview map which indicates the

position of 3D laser scans. Single laser scans are presented in a panoramic view.

(3) The Computing Service requires the installation and use of SCENE and the setting up

of accounts to SCENE as described in § 6 below.

(4) Further description of the Computing Service and minimum requirements are

determined in Annex 1.

LE-FR-8568 Rev 2 Oct. 4, 2018

3

§ 3

License

(1) FARO hereby grants to Licensee a personal, revocable, non-exclusive, non-assignable

and non-transferable license, on a royalty-basis, timely limited to the end of this

Agreement, to use the Computing Service via telecommunication in accordance with

the terms and conditions of this Agreement (“License”). Unless granted expressly in

this Agreement, Licensee does not get additional rights or licenses, in particular, but

not limited to, SCENE, the Computing Service, software applications and/or operating

systems.

(2) The License granted herein does not include the right to make copies of the Computing

Service, to make or retain any notes, memos, reports or records, reproductions,

correspondence or any document regarding the Computing Service, including copies of

the Computing Service.

(3) The License is restricted to the access and usage of the Computing Service in the

cloud. FARO is not obligated to provide Licensee with the object and/ or source code of

the Computing Service.

(4) The right to decompile, reverse engineer or dis- and/or reassemble or otherwise

attempt to derive the object and/or the source code for the Computing Service granted

to Licensee is excluded.

§ 4

Rights to use and Sublicensing

(1) Licensee is not entitled to assign or transfer the License or any part thereof to any

other party without the prior written consent of FARO.

(2) Licensee may sublicense the Computing Service to users of the Licensee in

accordance with the terms and conditions of this Agreement (the "Sublicensees").

Otherwise, Licensee is not entitled to sublicense any of the rights granted to it

hereunder without prior consent of FARO.

LE-FR-8568 Rev 2 Oct. 4, 2018

4

(3) Licensee shall inform FARO about any Sublicensee including the correct name and

address of the Sublicensee without undue delay.

(4) Each sublicense granted by Licensee is limited in scope and time to the License and

will automatically terminate upon the termination of this Agreement and the License

respectively. Licensee shall be fully liable for the observance of the terms and

conditions of this Agreement by the Sublicensees and for any damage FARO or any of

its affiliates suffer as a result of a misuse of the Computing Service by any

Sublicensee.

(5) For each case that Licensee enables the use of the Computing Service to a non-

named user and/or unauthorized third party, Licensee is obligated to pay compensation

to FARO amounting to the license fee that would be payable in the event of entering

into a license contract for a regular term of one (1) year including the extent of

Computing Service as selected by the License. Licensee remains the right to evidence

that FARO has suffered no damages or damages less than the above-mentioned

compensation. FARO remains entitled to claim further damages.

§ 5

Ownership of Computing Service

(1) Licensee acknowledges that FARO is the full and sole owner of the Computing Service

and that title to the Computing Service, any copies thereof or any modification,

improvement, adaption, enhancement or translation, developed as a result of Licensee

using the Computing Service, and/or rights in and to any patent, trademark, copyright

developed and/or incorporated in the Computing Service, shall at all times remain with

FARO. Licensee agrees that nothing in this Agreement shall give Licensee, its

subsidiaries or other affiliates any right, title or interest in the Computing Service other

than the right to use the Computing Service in accordance with the provisions of this

Agreement.

(2) Licensee hereby recognizes to FARO full and sole ownership of the Computing Service

in and to any such modification, improvement, adaption, enhancement or translation

and undertakes to confer, full and sole ownership in said modification, improvement,

LE-FR-8568 Rev 2 Oct. 4, 2018

5

adaption, enhancement or translation to FARO by executing an assignment of rights,

evidencing such transfer to FARO.

(3) Licensee undertakes to refrain, and to procure its subsidiaries and other affiliates to

refrain, from doing any act inconsistent with such ownership. In respect of those

countries in which the Computing Service are not subject to a registration or

application, Licensee acknowledges FARO’s priority rights in the Computing Service

and expressly waives in favor of FARO any right it may acquire in such countries in the

Computing Service as user of them.

(4) Licensee agrees that FARO and/or its licensors or other licensees own all right, title

and interest in any and all of Licensee’s feedback, without any remuneration,

compensation or credit to Licensee. To the extent that any of the rights assigned herein

cannot presently be assigned under applicable law, Licensee agrees to assign such

rights at such time as the rights are capable of being assigned.

(5) Licensee shall not use, deposit or obtain registration of, and shall procure that none of

the Sublicensees, its subsidiaries or other affiliates uses, deposits or obtains

registration of a tradename or trademark that is identical with, confusingly similar to, or

consisting of the Computing Service.

§ 6

Account

(1) To every Licensee an account will be assigned (“Account”).

(2) Licensee shall appoint one representative (“Domain Owner”) who will be responsible

for making all service and support calls to FARO. FARO will contact this representative

for any operational and/or billing-related issues. Licensee can assign administrators for

their Account (each a “Domain Administrator”). Domain Administrators can invite

prospective users who have not registered to the Computing Service yet by email

address. By accepting such invitation, users will create a “User Account”. Domain

Administrators can remit access privileges to employees and/or to third parties who

have created a User Account (each a “User”) per role. These permissions may include

(i) read-only access to Private Scan Projects in the Licensee’s domain, or (ii) additional

LE-FR-8568 Rev 2 Oct. 4, 2018

6

permissions per role. The Domain Administrator(s) may assign the following rules to

Users:

• “User Role”: The User Role includes the permission to create measurements,

annotations and orthophotos related to a Scan Project;

• “Uploader Role”: The Uploader Role includes the permission to upload data to

Scan Projects;

• “Project Manager Role” (or “Project Managers”): The Project Manager Role

includes the permission to view all Scan Projects in the respective domain, to

manage group-based access for all Protected Scan Projects of same and to

delete Scan Projects in the respective domain; or

• “Administrator Role” (or “Domain Administrator”): The Administrator Role

includes the permission to add Users to the domain and to manage user roles.

This includes the appointment of the Domain Owner.

(3) Future versions of the Computing Service may include further roles that can be

assigned to Users.

(4) Licensee agrees not to pass to and/or to let a third party use Licensee’s Account.

(5) FARO is not responsible for unauthorized access to Licensee’s Account. Licensee will

immediately contact FARO if Licensee believes an unauthorized third party may be

using Licensee’s Account or if Licensee’s Account information is lost or stolen.

(6) More Details in respect of the Account and the User Accounts shall be set out in

Annex 1.

§ 7

Obligations of Licensee

(1) Except as otherwise expressly permitted in this Agreement, Licensee agrees not to use

the Computing Service in any manner contrary to the purposes of this Agreement nor

to adapt, add-on, improve, enhance, modify the Computing Service or translate the

Computing Service. In particular, Licensee undertakes not to redistribute, encumber,

sell, rent, lease, assign, sublicense or use the Computing Service in a timesharing or

LE-FR-8568 Rev 2 Oct. 4, 2018

7

service bureau arrangement, or otherwise transfer rights to the Computing Service to

third parties.

(2) Licensee is required to keep the contact information of the Domain Owner current in

the settings of the administration area in SCENE WebShare Cloud.

(3) Licensee is obligated to take all appropriate measures to avoid any infringement, action

or cause of action against it by reason of the use of the Computing Service. Should

Licensee be the cause of any such infringement, action or cause of action, Licensee

agrees to bring such a matter to the attention of FARO immediately.

(4) Licensee is obligated to refrain from each attempt to retrieve unauthorized information

or data himself or via non-authorized third parties and/or to interfere or to let interfere in

programs that are run by FARO and/or to intrude unauthorized into the data network of

FARO.

(5) Licensee warrants to FARO that (i) the Uploaded Data shall not contain any violent,

sexual, gambling, hacking, cracking or other objectionable material, including, without

limitation, any material intolerant, offensive or otherwise offensive material regarding

race, sex, religion, nationality, disability, sexual orientation, or age, or any material that

is illegal or that may give rise to civil liability on the part of FARO of any sort, and (ii)

that any Uploaded Data and/or data Licensee provides to FARO shall not contain any

viruses, Trojan horses, malware, spyware, adware or other disruptive software, or any

software code which is designed to disrupt, damage, or perform unauthorized actions

on a computer system, or which transmits data from FARO’s webservers or other

computer systems of FARO or any third party without notice to and the express prior

consent of FARO, and (iii) that Licensee will comply with all applicable laws, rules and

regulations.

(6) Licensee hereby grants to FARO a personal, limited, non-exclusive, royalty-free, non-

assignable and non-transferable license to use the Uploaded Data and the related

copyrights and other intellectual property rights restricted to conduct the Computing

Service due to the terms and conditions of this Agreement. FARO hereby accepts the

granting of these rights.

LE-FR-8568 Rev 2 Oct. 4, 2018

8

(7) Licensee represents and warrants to FARO that in relation to all Uploaded Data,

Licensee has the worldwide authority, be it by ownership or with consent of the entitled

owner or entitled licensee, to upload the Uploaded Data and that uploading the

Uploaded Data does not infringe or violate any copyright, trademark, trade secret,

personality, personal data or other proprietary right of any third party.

(8) Licensee has to protect its data and Uploaded Data, for example by making a daily

backup of its data and Uploaded Data to limit possible damages and to ensure the

reconstruction of its data and/or Uploaded Data in case of a loss of its data and/or

Uploaded Data.

(9) As far as legally required, Licensee is obligated to have persons, car plates and any

other personal data that refers to third parties which is included in Uploaded Data

anonymized, i.e. pixelated or blurred.

(10) Licensee is obligated to check data and information for viruses and other malware

before sending these and to use an up-to-date reasonable antivirus program.

§ 8

FARO’s Obligations and Rights

(1) FARO is not obligated to provide upgrades to Licensee.

(2) FARO may modify the Computing Service and its functionalities and provide software

updates at any time. In the case of an amendment to the Licensee’s detriment, FARO

will advise the Licensee or its Domain Owner, who serves as point of contact for

FARO, of such amendment in advance by sending an email or by applying a clearly

highlighted notice on the Computing Service. The Licensee may then object to this

amendment by sending an email to Support.EMEA@faro.com or a letter to FARO

within thirty (30) days of receipt of the notice of change. If Licensee fails to object in

due time or continues to use the Computing Service after receipt of the notice of

change, the amended Computing Service shall be deemed to be accepted. For this

purpose, a use of the Computing Service executed by Users who were set up by

Licensee or granted access to the Licensee’s domain will be deemed as continued use

of the Computing Services by Licensee. Licensee will be informed by this legal

LE-FR-8568 Rev 2 Oct. 4, 2018

9

consequence separately in the notice of change. If the Licensee objects to the

amendment, FARO may terminate this Agreement extraordinarily with one (1) month

notice to the end of a calendar month.

(3) FARO is entitled to block the access of Licensee to the Computing Service or the

Uploaded Data and/or the access of Licensee’s Account and the User accounts in its

domain in case of an unlawful violation of Licensee and/or the Sublicensees against

one of the obligations of Licensee and/or the Sublicensees of this Agreement,

especially a breach of the obligations of § 7 para. (1), (4), (5), (7), (9) and/or (10) of this

Agreement. The access will be restored when Licensee has stopped violating this

Agreement and the danger of repetition is eliminated by issuing a declaration of cease

and desist by Licensee with respect to FARO. In that case Licensee remains obligated

to pay all due invoices.

(4) FARO is obligated to delete the concerned Uploaded Data in case of a breach against

§ 7 para. (5) and/or (7) of this Agreement.

§ 9

Fees and Terms of Payment

(1) The license fees depend on the extent of Computing Services which are utilized by the

Licensee (“Package”). Licensee and FARO have agreed about the extent of the

Computing Services as listed in Annex 2 and selected by Licensee (“Selected

Package”).

(2) For the use of the Selected Package, Licensee shall pay FARO a yearly license fee as

set forth in FARO’s applicable Price List (Annex 3) (“License Fee”).

(3) To the extent that Licensee’s use of the Computing Service falls outside the limits of

the Selected Package, for example exceeds the storage and/or download volume of

the Selected Package, Licensee shall pay additional fees (“Additional Fees”) which

are subject to FARO’s applicable Price List (Annex 3), after the service has been

provided.

(4) The payable fees consist of the License Fee and the Additional Fees, as applicable.

FARO will issue an invoice on the payable fees which are calculated on the basis of

FARO’s applicable Price List (Annex 3) of the Commencing Date, subject to a raise of

LE-FR-8568 Rev 2 Oct. 4, 2018

10

fees pursuant to § 9 (5) (“Invoice Amount”). In case the fees have to be calculated for

a portion of a year, the fees will be calculated for every month with 1/12 of the yearly

fees as set out in Annex 3.

(5) FARO is entitled to raise adequately the fees as set out in Annex 3 for the contractual

services as compensation for personnel or other cost increases of FARO. In this case

FARO will inform Licensee by letter or email about the increase of fees. The increase

of fees does not apply to the period that Licensee had already made payments. The

same applies mutatis mutandis in the event of personnel or other cost decrease. In

case that the increase of the fees reaches an amount of 20% of the previous fee,

Licensee is entitled to terminate this Agreement at the end of the Initial Term or

Renewal Term, as applicable, by written notice given at least one (1) month prior to the

end of any such period. If Licensee exercises this right of termination, the previous fees

will be invoiced until the termination becomes effective.

(6) In case that the parties have not agreed to use a direct debiting scheme, the Invoice

Amount has to be credited to the specified account thirty (30) days after reception of

the invoice of FARO. Invoices shall be issued in Euro.

(7) The fees are exclusive of VAT. If VAT accrues, it shall be added at the current rate.

§ 10

Default

(1) FARO is entitled to block the access of Licensee to the Computing Service, whilst a

default of Licensee’s payment obligation under this Agreement over thirty (30) days. In

that case, Licensee stays obliged to pay all due invoices.

(2) If the Licensee defaults with its payment obligations under this Agreement over sixty

(60) days, FARO is entitled to terminate the Agreement without prior notice and to

claim liquidated damages in the amount of a quarter of all monthly fees to the end of

the normal term of the Agreement.

(3) Upon Licensee's default of payment, Licensee shall pay default interest amounting to

eight (8) percentage points above the base interest rate of the German Federal Bank.

LE-FR-8568 Rev 2 Oct. 4, 2018

11

(4) FARO reserves the right to enforce further claims against Licensee because of default

of payment.

§ 11

Warranties of FARO

(1) FARO represents and warrants to Licensee that FARO has the authority to grant the

License. To the best of FARO's knowledge and belief, the Computing Service does not

infringe or violate any third-party rights. However, FARO does not represent and

warrant that the use of the Computing Service does not infringe any third-party rights,

in particular copyrights, software, trademarks, trade secrets, know-how, patents, utility

patents, design patents or other proprietary or intellectual property rights. FARO

represents and warrants that it is not aware of any circumstances that may have

infringed the confidentiality, insofar as confidentiality exists, of the Computing Service.

(2) FARO strives to perform without errors and interruptions. However, a faultless and

uninterrupted service cannot always be guaranteed. FARO provides the Computing

Service on an “AS IS” basis. In the event of faults or interruptions in the Computing

Service or other deteriorations in quality, FARO shall restore normal operation as soon

as possible.

(3) FARO makes no express or implied warranties concerning the quality of the Computing

Service, including any warranties of merchantability or fitness for a particular purpose.

(4) FARO does not and cannot warrant the performance or results Licensee may obtain by

using the Computing Service. In addition, Licensee is solely responsible for

determining the appropriateness of using the Computing Service and FARO does not

represent that the Computing Service can be used in any, and in particular in

Licensee’s hardware and/or software and/or computer system environment.

LE-FR-8568 Rev 2 Oct. 4, 2018

12

§ 12

Infringement of Computing Service

(1) If any Party becomes aware

(a) of any actual or imminent infringement of the Computing Service, or

(b) of any claim or allegation by a third person that any part of the Computing

Service is invalid or liable to revocation or cancellation, or infringes the rights of

any third party,

it shall promptly advise the other party by written notice, giving full particulars thereof. If

Licensee becomes aware of such facts, it shall not make any admission or comment to

any third party with regard to such issues.

(2) Notwithstanding § 12 para. (1), FARO shall have the control of disputes and

proceedings relating to the Computing Service (including, without limitation, any

proceedings to which Licensee is a party), in particular but not limited to infringement of

any copyright, trademark, trade secret or other proprietary right by any third party

resulting from or as a consequence of Licensee’s use of Computing Service in

accordance with this Agreement, and shall, in its reasonable discretion and in

consideration of Licensee's position, decide what action (including litigation, arbitration

or settlement), if any, to take in respect of any circumstance referred to under § 13

para. (1). FARO shall not be obliged to bring or defend any proceedings in relation

thereto. In the event that FARO notifies Licensee within reasonable time in writing that

it will not take any action in respect of any circumstance referred to under § 13

para. (1), Licensee shall be entitled to prosecute infringements and bring suit or take

any other action in its own name and at its own cost.

(3) Upon request, Licensee and FARO shall give each other all reasonable assistance

(including, without limitation, the provision of documents and information and the

execution of documents and making relevant people available and being joined as a

party in which the contracting partner is a party) in any action, claim or proceedings

brought, threatened or contemplated concerning any of the Computing Service. The

requesting party shall meet all reasonable expenses incurred by the assisting party in

giving such assistance.

LE-FR-8568 Rev 2 Oct. 4, 2018

13

§ 13

Indemnification, Limitation of FARO’s Liability

(1) In the event of any breach of a duty under this Agreement, in particular the duties

under § 7 of this Agreement, Licensee shall indemnify FARO without delay against all

claims of third parties, for example but not limited to claims for indirect, direct and/or

consequential damages, liabilities and expenses incurred by FARO, including FARO’s

reasonable costs of its legal defense, and arising out of any activity of Licensee,

including, but not limited to, such arising out of the storage or processing of Uploaded

Data or other business operations of the Uploaded Data, and offer FARO the

necessary assistance in its legal defense.

(2) FARO shall not be liable for any damages, costs, losses, expenses (including

settlement awards and attorney’s fees) incurred by Licensee in defending any action or

claim unless such defense or action has been authorized in writing by FARO.

(3) Unless otherwise agreed herein, any claims for damages of Licensee against FARO or

FARO’s agents because of or in relation with any defects or lack of warranted

characteristics of the Computing Service, no matter on which legal basis, in particular,

claims arising out of breach of contract or of precontractual relationship (culpa in

contrahendo), infringement of duties arising in connection with the Agreement or tort,

subsequent frustration due to petty negligence and/or repudiation of the contract

because of delayed delivery, shall be excluded.

(4) FARO shall only be liable - and this shall also apply if FARO employed executive

personnel or other persons in performing FARO’s obligations - in the event that:

(a) FARO is attributed gross negligence or intent;

(b) FARO fraudulently concealed a defect or warranted the quality of the service

FARO provides;

(c) damage to life, bodily injury or damage to health has been negligently and/or

willfully caused by FARO; and/or

LE-FR-8568 Rev 2 Oct. 4, 2018

14

(d) FARO violates substantial contractual obligations (cardinal obligations)

endangering the purpose of the agreement as a whole, that is

(aa) in the event of material violations of duties which endanger the

achievement of the contractual purpose, or

(bb) in the event of the violation of duties – the fulfilment of which enables the

proper performance of the contract in the first place - and on the

observance of which the buyers may regularly rely ("Cardinal Duties").

(5) The claim to damages compensation for the violation of Cardinal Duties in the case of

§ 13 para (4) lit. (d) of this Agreement is limited to the typically foreseeable damage.

(6) The liability regardless of negligence or fault of FARO on compensation (sec. 536 a

German Civil Code) for existing deficits on conclusion of contract are expressly

excluded. § 13 para. (1) to (5) of this Agreement remain unaffected.

(7) The exclusion of liability shall not apply to claims arising out of the German Product

Liability Code. No change in the legally codified distribution of the burden-of-proof to

the Licensee’s disadvantage is associated with the aforementioned rules.

§ 14

Act of God

(1) FARO is released of its obligation to perform out of this Agreement, if and to the extent

to which the default of performances is due to an incidence of circumstances of an act

of God after signing this Agreement.

(2) As act of God apply for example, but not limited to, the following events: war, riots,

dispossessions, cardinal modifications of law, lawfully industrial actions, also in third

party businesses, storm, flooding and other natural disasters, failures of communication

networks or gateways of third party carriers, regulatory actions, and/or other technical

dysfunctions insofar as FARO is not be responsible for them, especially water ingress,

power blackouts and disruptions or destruction of data lines.

LE-FR-8568 Rev 2 Oct. 4, 2018

15

§ 15

Data Protection

(1) FARO is permitted to use Licensee’s personal information to provide Licensee with

support and inform Licensee about FARO’s software updates/upgrades or new

releases that are part of FARO’s service.

(2) FARO has implemented technology and security policies, rules and measures to

protect the personal data that FARO has in FARO’s possession from unauthorized

access, improper use, alteration, unlawful or accidental destruction, and accidental

loss. For detailed information, please see Exhibit 2 to Annex 4 which shall be deemed

incorporated herein by reference.

(3) Licensee warrants that Licensee (i) has permission of all individuals (where required),

be it employees or customers of Licensee or employees of Licensee’s customers or

other persons, or (ii) is otherwise justified to transmit this individual’s personal data to

FARO, that FARO stores this personal data, including on web servers of FARO and on

web servers owned by Amazon Web Services, Inc., that FARO processes this personal

data with the Computing Service and that this personal data can be presented to third

parties, especially with all data processing operations related with the use of the

Computing Service. Therefore, Licensee undertakes to enter into agreements with its

employees and customers relating to the aforementioned.

(4) In order to entitle FARO to process the personal data of individuals in the manner of

para. (3) above, Licensee and FARO enter into an “Data Processing Agreement” that

complies with all applicable laws, rules and regulations, especially Art. 28 (3) of

General Data Protection Regulation (Annex 4).

(5) Licensee shall, upon first demand, indemnify FARO and hold FARO harmless from and

against any and all liability or claims of third parties based on culpable infringement of

personal privacy rights of individuals from or as a consequence of FARO’s permitted

use of the personal data of individuals as set out in § 15 para. (3) till (4) above. The

above indemnification shall not apply if the claim is based on FARO’s intentional or

grossly negligent breach of duties or FARO’s slightly negligent breach of Cardinal

Duties.

LE-FR-8568 Rev 2 Oct. 4, 2018

16

§ 16

Confidentiality

(1) All Confidential Information (information which is designated as confidential, or

communicated in such a manner or under such circumstances as would reasonably

enable a person or organization to ascertain its confidential nature) provided by one

party will be maintained in confidence by the other party. Each party agrees to notify

the other party if disclosure of such other party's Confidential Information is necessary

to comply with the requirements of any law, government order, regulation or legal

process prior to such disclosure. The provisions of this § 16 will not have application to

any information disclosed by a party to the extent such information (i) becomes lawfully

available to the public; (ii) is received without restriction from another person or

organization lawfully in possession of such information; (iii) was rightfully in the

possession of a party without restriction prior to its disclosure; or (iv) is independently

developed by a party or its employees or agents without access to the other party's

similar information.

(2) The obligations contained in § 17 para. (1) of this Agreement shall survive the

termination of this Agreement for five (5) years, but shall cease to apply to any

information coming into the public domain otherwise than by breach of the Licensee of

its obligations contained in this Agreement.

§ 17

Term and Termination

(1) This agreement shall be deemed to have taken effect from the date this Agreement is

signed (“Commencing Date”). The Agreement shall be effective for the period of one

(1) year beginning on the day of operable deployment (“Initial Term”). The Agreement

will be renewed automatically to the end of the Initial Term or following terms for one

(1) year (“Renewal Term”), unless either party terminates this Agreement.

(2) The Agreement may be terminated at the end of each term of the Agreement by written

notice given at least thirty (30) days before the end of any of such terms.

(3) The right to terminate this Agreement for cause remains unaffected. A serious and

continuous breach of the terms of this Agreement by either party shall be considered

LE-FR-8568 Rev 2 Oct. 4, 2018

17

as cause to terminate this Agreement without prior notice. Without limiting the

generality of the foregoing sentence, such a cause is considered in particular if one of

the following violations occurs:

(a) If either party commits an act of bankruptcy or compounds or makes any

arrangement with its creditor or executes a bill of sale on its assets or any part

thereof; or

(b) if either party is wound up either compulsorily or voluntarily or a receiver on its

assets is appointed except for the purpose of amalgamation or reconstruction; or

(d) in the event that Licensee comes under the control, directly or indirectly, of a third

party or entity different from the shareholders/owners of Licensee at the time of

signing of this Agreement; or

(e) Licensee does not conduct its business in consistency with proper business

methods and practices or otherwise in a manner able to cause considerable

damage to FARO’s reputation or fails to comply with its obligations under § 7

para. (1), (4), (5), (7) and/or (11) and § 4 para. (1).

(4) A notice of termination requires the written form or text form (e.g. email).

§ 18

Effect of Termination

(1) Upon termination of this Agreement, the rights of Licensee to use the Computing

Service cease immediately to exist.

(2) In case of termination, Licensee is not entitled to any kind of compensation for the

goodwill connected to the Computing Service that Licensee may have created during

the term of this Agreement.

(3) With termination of the Agreement Licensee shall immediately return or, if instructed by

FARO, destroy all Uploaded Data. FARO will erase the Uploaded Data of Licensee if

the Uploaded Data were not returned or destroyed before this Agreement comes to an

end.

LE-FR-8568 Rev 2 Oct. 4, 2018

18

(4) Further termination of this Agreement will not limit FARO from pursuing any other

remedies available to it, including injunctive relief, nor will termination relieve Licensee

of its obligation to pay any charges to FARO that accrued under this Agreement prior to

termination, provided that FARO has met all its contractual obligations associated with

these charges. Further Termination of this Agreement by FARO pursuant to § 17 shall

be without prejudice to the right to seek compensation for breach of any provision of

this Agreement or any other damage of FARO or any of its affiliates caused in

connection with the use of the Computing Service by Licensee.

§ 19

Assignment and Set-off

(1) This Agreement is not transferable or assignable by Licensee, whether in whole or in

part, voluntarily or by merger, consolidation or sale, or otherwise by operation of law

without the prior written consent of FARO. Subject to the foregoing, this Agreement and

each and every provision hereof, shall be binding upon and shall inure to the benefit of

the parties and their respective permitted successors and assigns.

(2) Licensee is permitted to set off only with claims that are undisputed or have been

upheld by a final decision of a court of competent jurisdiction

§ 20

Applicable law, Jurisdiction

(1) This Agreement is governed by German law. The Application of the United Nations

Convention on Contracts for the International Sale of Goods is hereby expressly

excluded.

(2) Place of performance and delivery, as well as exclusive place of jurisdiction for all

disputes arising out of or in connection with this contract, shall be Korntal-Münchingen.

Nevertheless, FARO shall be entitled to take action against Licensee at Licensee’s

place of business.

LE-FR-8568 Rev 2 Oct. 4, 2018

19

§ 22

Final Provisions

(1) All Annexes which are listed in and are enclosed to the Agreement are an integral part

of the Agreement.

(2) Any amendment to or modification of this Agreement requires the written form. The

same applies to any agreement waiving the written form.

(3) This Agreement, including the Annexes, constitutes the entire agreement between the

Parties with respect to the subject matter of this Agreement, and supersedes all other

prior oral and written agreements or understandings of the Parties relating thereto. All

references to this Agreement shall be deemed to include the Annexes.

(4) In the event that any term or provision of this Agreement is or will become invalid or

unenforceable, then the validity and enforceability of all other terms and conditions

shall thereby not be affected. In such case, the invalid or unenforceable term shall be

substituted by a valid and enforceable term which comes as close as possible to the

economic purpose of the invalid or unenforceable term. The same applies in case of

gaps of this Agreement.

________________________________ ________________________________

(date) (date)

For on behalf of FARO For on behalf of the Licensee

________________________________ ________________________________

(Name) (Name)

Title Title

List of Annexes

Annex 1 – Computing Service Specifications

Annex 2 – Selected Package

Annex 3 – Price List

Annex 4 – Data Processing Agreement

LE-FR-8568 Rev 2 Oct. 4, 2018

20

Annex 1 of License Agreement

Computing Service Specifications

This following Computing Service Specifications shall establish the services which shall be

rendered by FARO in accordance with the License Agreement and the duties of the parties

with which they have to comply in order to render the services.

Deployment of the Computing Service

The Computing Service is a software and hosting service to Licensee by FARO. The

Computing Service is deployed operable to Licensee with informing Licensee about the

activation of the Computing Service in writing or by email.

Description of the Computing Service

(a) Computing Service

The Computing Service is a software and hosting service offered by FARO. The

Computing Service allows the User to upload laser scan data, to view uploaded

laser scan data and related meta data within a standard web browser like Mozilla

Firefox, Google Chrome, Apple Safari or Microsoft Internet Explorer. The data is

organized in scan projects. Each scan project is presented as an overview map

which indicates the position of 3D laser scans. Single laser scans are presented

in a panoramic view.

(b) Functionalities of the Computing Service

- Within the panoramic view, a logged-on User can take simple distance

measurements. These measurements will be stored and assigned to the

User to make the data persistent after the duration of a specific session.

- The uploading project data onto the Licensee’s Computing Service sub-

domain requires a local installation of FARO´s SCENE software in version

5.2 or higher.

- The Computing Service is providing a role model which enables Licensee

to assign specific User rights to registered Users.

(c) User documentations

- The documentation for the Computing Service is provided online via

http://manuals.faro.com.

LE-FR-8568 Rev 2 Oct. 4, 2018

21

- The documentation for creation of Uploaded Data and the upload onto the

sub-domain of the Licensee is described in the user manual of SCENE.

(d) Other services

- FARO is planning to constantly maintain the offered service and improve its

functionality. Updates and extensions of the service can be implemented at

all time without further notice but FARO is not obligated to improve the

functionality or to provide updates and extensions.

- It is FAROs sole decision to define if future extensions of the offered

service will be provided as part of existing contracts or if they will be

provided at additional costs.

(e) Handover point of performance

The handover point of the Computing Service is the interface of FARO’s network

to the public internet network. The scope of service of the Computing Service of

FARO ends from Licensee’s point of view at the handover point of the Computing

Service.

Access Authority

(a) Licensee will be granted one sub-domain for his sole usage. The name of the

sub-domain needs to be defined and provided to FARO by Licensee. The full

URL of Licensee’s Computing Service site will be as follows:

https://sub_domain.websharecloud.com.

(b) FARO will grant administrator rights to specific users in the Licensee’s sub-

domain (“Administrators” or “Domain Administrators”).

(c) The Administrators can assign additional registered users to the sub-domain. The

user rights and feature set provided to such an assigned user can be managed

by the Administrators via the role management system of the Computing Service.

(d) The number of users which can be assigned to the sub-domain of Licensee

depends on the actual package which is agreed with the License Agreement.

(e) The Administrators and each single user have to safeguard its access authority

by a unique and safe password.

LE-FR-8568 Rev 2 Oct. 4, 2018

22

Backups

(a) The Uploaded Data is stored within the system of Amazon Web Services.

(b) Neither FARO nor the Computing Service offer means to back up Uploaded

Data.

(c) It is in Licensee’s sole responsibility to create and store backups of the Uploaded

Data. FARO is not providing any means of backup service as part of the License

Agreement.

(d) With termination of the License Agreement, the sub-domain of Licensee including

all data will be deleted by FARO. FARO is not providing any means of backup

service as part of the License Agreement.

New Package

It is possible to change to a higher level of services of the Computing Service during

the duration of the License Agreement. This requires a written advance notice of not

less than one week before the beginning of the next month. The new conditions will

become active with the beginning of the following month. In case the fees have to be

calculated for a portion of a year, the fees will be calculated for every month with 1/12

of the yearly fees as set out in Annex 3 to the License Agreement.

Dashboard and Limits of Package

(a) The Computing Service offers real-time monitoring of the current load of the

Licensee’s sub-domain via a dashboard at Licensee’s administration console of

the web front end.

(b) This dashboard is displaying the current storage consumption, the used

download volume and the number of registered Users together with the specific

thresholds according to the actual package.

(c) The Administrators of Licensees sub-domain will receive warnings before the

agreed limits of the actual Package are reached.

Exceeding the scope of the contract

In case Licensee exceeds the selected Package of Licensee, Licensee agrees that

FARO will charge for the excess service according to the unit prices as defined in the

Price List for the Computing Service.

LE-FR-8568 Rev 2 Oct. 4, 2018

23

Support

(a) Online Help system is available at http://manuals.faro.com

(b) Email and telephone support

Support will be provided by FARO Europe on workdays from 8:00 am until

5:00pm (MEZ / UTC +1h)

TEL: +49 7150 9797 400 or free call*: 00800 3276 7378

FAX: +49 7150 9797 9400 or free fax*: 00800 3276 1737

Email: Support.EMEA@faro.com

* Only for calls from Austria, France, Germany, Italy, Spain, Switzerland, the

Netherlands and Great Britain.

Minimum Requirements of Licensee

(1) The access to the Computing Service is made via telecommunication. The

necessary minimum requirements of Licensee for the usage of the Computing

Service are particularly:

- Access to the internet;

- Software SCENE (version 5.2 or higher) is required.

- Personal Computer with 64-Bit Windows (for SCENE, Windows 10

recommended)

- Standard web browser like Mozilla Firefox, Google Chrome, Apple Safari or

Microsoft Internet Explorer (web browser with WebGL support

recommended).

(2) The provision of these requirements and also the telecommunications service,

including the transmission service from the handover point right up to the devices

utilized by Licensee are not object of the Agreement. Licensee is responsible for

such requirements.

Service Availability

(a) Reference

LE-FR-8568 Rev 2 Oct. 4, 2018

24

The availability only concerns to the functionalities of the Computing Service as

set out in section 0of this Annex.

(b) Availability

FARO provides the functionalities of the Computing Service as described in

section 0 of this Annex to Licensee during the following system runtime (“Target

Runtime/Availability”) up to a percentage of 96%:

Target Runtime/Availability: 24 hours/day and 365 day/year up to 96%.

The Computing Service might be unavailable during Planned Non-Availability as

set out in section 0 of this Annex.

Non-Availability exists if for the rest the agreed functionalities are not usable.

Planned Non-Availability

(a) FARO is entitled to service, to maintain and to update the Computing Services,

including the inherent software and/or hardware-systems beyond the stipulated

periods of section 0 lit. (b) of this Annex (“Planned Non-Availability”).

(b) FARO will seek to inform Licensee upfront about planned maintenance activities.

This information will be either via email or online within the Computing Service

front-end.

(c) If and to the extent Licensee can use the Computing Service in periods of

Planned Non-Availability, there is no warranty claim. In case of a reduction or

dismissal of the performance during times of Planned Non-Availability, Licensee

has especially no right of warranty or damages.

LE-FR-8568 Rev 2 Oct. 4, 2018

25

Annex 2 of License Agreement

NOTE: To avoid any delays in processing your order, please make sure to fill out Annex 2 in

clearly readable form.

Selected Package

Selected FARO Part

Number Package Storage

Downloads / Month

Assigned Users

□ SOFTWSC001 Base Package 50GB 50GB unlimited

Available packages may be subject to change.

Sub-domain: https:// ………..………………………………… .websharecloud.com

🛈 The sub-domain can have between 3 and 32 characters.

🛈 Allowed characters: letters (a-z), numbers (0-9) and dashes (-).

Domain Owner Email: ………………………………………………..............................

🛈 The Domain Owner will be the user of your company who can initially log in to your sub-

domain, and invite additional users.

🛈 Further instructions will be sent to this email address, once the sub-domain is set up.

LE-FR-8568 Rev 2 Oct. 4, 2018

26

Annex 3 of License Agreement

Price List

The current Price List can be found at http://s.websharecloud.com/links/ws/pricing-eu.html

LE-FR-8568 Rev 2 Oct. 4, 2018

27

Annex 4 of License Agreement

Data Processing Agreement

Preamble

This Annex Data Processing Agreement (“Annex”) specifies the data protection obligations

of the parties which arise from commissioned data processing, as stipulated in the License

Agreement including all Annexes (the “Main Agreement”). This Annex applies to all activities

performed in connection with the Main Agreement where FARO as the data processor

(hereinafter: “Processor”) or a third party engaged by the Processor acting on behalf of the

Controller may process personal data of the Licensee according to the Main Agreement

(hereinafter: “Licensee”) and its customers or its staff.

§ 1

Definitions

(1) “Personal Data”

Personal Data means any information relating to an identified or identifiable natural

person (‘data subject’); an identifiable natural person is one who can be identified,

directly or indirectly, in particular by reference to an identifier such as a name, an

identification number, location data, an online identifier or to one or more factors

specific to the physical, physiological, genetic, mental, economic, cultural or social

identity of that natural person.

(2) “Processing” or “Processed”

Processing means any operation or set of operations which is performed on personal

data or on sets of personal data, whether or not by automated means, such as

collection, recording, organisation, structuring, storage, adaptation or alteration,

retrieval, consultation, use, disclosure by transmission, dissemination or otherwise

making available, alignment or combination, restriction, erasure or destruction.

(3) "General Data Protection Regulation” or “GDPR”

LE-FR-8568 Rev 2 Oct. 4, 2018

28

General Data Protection Regulation or GDPR means the General Data Protection

Regulation 2016/679 applying from 25 May 2018.

§ 2

Scope and Responsibility

(1) Processor shall Process Personal Data on behalf of Licensee. The scope of

Processing is specified in the Main Agreement. Within the scope of the Main

Agreement, Licensee is the controller and shall be responsible for complying with any

controller obligation. Licensee and Processor shall be separately responsible for

conforming with such statutory data protection regulations as are applicable to them.

(2) A list of categories of Personal Data, the purpose and nature of the Processing by

Processor on behalf of the Licensee is set out in Exhibit 1 to this Annex.

(3) The term of this Annex shall commence along with the Main Agreement and end upon

termination of the Main Agreement. Unless otherwise agreed by the Parties termination

of this Annex shall automatically terminate the Main Agreement.

§ 3

Documented Instructions

(1) The Processor shall not Process Personal Data that have been provided to the

Processor for purposes of data Processing for any other purposes, in particular, not for

its own purposes (including in anonymized form), and shall not transmit Personal Data

to third parties unless this is a subject matter of the services under this Agreement. The

foregoing shall not prevent the Processor from creating backup copies if and to the

extent they are required to ensure proper data Processing, or copies of data which are

required to be kept by virtue of law or any other legal standard. Where Processor is

obliged to Process Personal Data of Licensee beyond the instructions on basis of EU

law and/or EU member state law, the Processor shall inform Licensee before the start

of the Processing.

(2) Where Processor is of the opinion that an instruction violates Data Protection

Legislation, Processor is obliged to immediately inform Licensee of such opinion.

LE-FR-8568 Rev 2 Oct. 4, 2018

29

(3) The Personal Data will be Processed and used within the European Union and the

European Economic Area as well as by subcontractors of Processor being located

outside these areas (see Section 6 of this Annex). In the event Processor intends to

use subcontractors located in third countries, the additional requirements of Art. 44 et

seq. GDPR shall apply and have to be fulfilled.

§ 4

Confidentiality of Processing

Processor shall ensure that any personnel entrusted with Processing Licensee’s Personal

Data have committed themselves to confidentiality and have been duly instructed and trained

on the protective regulations of the GDPR. The confidentiality obligations shall continue after

the termination of the above-entitled activities.

§ 5

Security of Processing

(1) Within Processor’s responsibility, Processor shall structure Processor’s internal

corporate organisation to ensure compliance with the specific requirements of the

protection of Personal Data. Processor shall take the appropriate technical and

organisational measures taking into account (i) the nature of the Personal Data to be

protected, (ii) the risks that are presented by the Processing of Personal Data; (iii) the

harm that may result from breach of such measures; (iv) applicable industry standards;

(v) the state of technological development; and (vi) the costs of implementing the

measures to adequately protect Licensee’s Personal Data against unauthorized or

unlawful Processing, accidental loss, destruction or damage in accordance with the

requirements set out in Art. 32 GDPR. Such measures hereunder shall include, but not

be limited to measures to ensure ongoing confidentiality, integrity, availability and

resilience of the Processing systems and services and the ability to restore availability

and access to Customer Personal Data as well as evaluation of the measures

implemented.

(2) An overview of the above-entitled technical and organisational measures shall be

attached to this Annex as an Exhibit 2.

LE-FR-8568 Rev 2 Oct. 4, 2018

30

(3) Licensee shall retain title as to any carrier media provided to Processor as well as any

copies or reproductions thereof. Processor shall store such media safely and protect

them against unauthorised access by third parties.

§ 6

Subcontractors

(1) Processor is generally not entitled to engage subcontractors without the prior written

consent of Licensee. Where Processor engages subcontractors, Processor shall be

obliged to impose the same data protection obligations on the subcontractor as

applicable to the Processor under this Annex. Sentence 2 shall apply in particular, but

shall not be limited to, the contractual requirements for confidentiality, data protection

and data security stipulated between the parties of the Main Agreement. The Processor

is obliged to inform Licensee about any intended amendment to the subcontractors.

Licensee is entitled to refuse or withdraw consent to the amendment of the

subcontractors. The Licensee acknowledges refusal or withdrawal may have the effect

that the Licensee can no longer use certain services. In this case the Licensee shall be

entitled to terminate the Main Agreement without notice.

(2) Licensee acknowledges and consents that Processor’s contractual obligations

hereunder will be performed by using Amazon Web Services. Amazon Web Services,

Inc., who owns Amazon Web Services, is located in the USA. But, in this instance

Amazon Web Services will store the data in the cloud only within the EU.

§ 7

Data Subject Rights

(1) Taking into account the nature of the Processing under the Main Agreement Processor

shall provide reasonable assistance to Customer in responding to any request from

Data Subjects under Chapter III of the GDPR.

(2) Where Licensee, based upon applicable data protection law, is obliged to provide

information to an individual about the collection, Processing its Personal Data,

Processor shall assist Licensee in making this information available, provided that

Licensee has instructed Processor in writing to do so. Processor shall only correct or

LE-FR-8568 Rev 2 Oct. 4, 2018

31

erase the Personal Data Processed on behalf of the Licensee or restrict Processing of

Personal Data when instructed to do so by the Licensee.

(3) To the extent an individual contacts the Processor with a request to correct or erase

Personal Data or to restrict Processing of Personal Data, or if the Processor has other

reasons to believe that certain Personal Data should be corrected, erased or its

Processing restricted, the Processor shall inform the Licensee thereof without undue

delay in text form. The Licensee shall then issue the necessary instructions to the

Processor. The Processor shall be obliged to assist the Licensee upon first demand in

connection with the correction or erasure of Personal Data and to restrict Processing of

Personal Data.

§ 8

Assistance of Processor

(4) Processor shall, without undue delay, inform Licensee in case of breaches of Personal

Data protection, and any other irregularity in Processing Licensee’s Personal Data. The

information shall include information with respect to the timing, type of incident

(including information, which of the Personal Data is affected), the affected system, the

persons concerned, time of discovery, any potential adverse consequences as well as

the counter-measures taken by the Processor. Licensee shall be responsible for

fulfilling the duties to notify under Art. 33 and Art. 34 GDPR. Processor will support

Licensee in fulfilling such obligation.

(5) Processor shall also assist taking into account the nature of the processing in carrying

out data protection impact assessments (Art. 35 GDPR) or consulting the supervisory

authority (Art. 36 GDPR).

(6) Upon Licensee’s request, Processor shall provide all information necessary for

compiling the overview defined by Art. 30 GDPR.

(7) Processor shall if required under statutory law appoint a data protection officer in

accordance with Art. 37 to 39 GDPR and sections 38 and 6 German Federal Data

Protection Act. In this case Processor provides Licensee with the contact details of the

Processor’s data protection officer.

LE-FR-8568 Rev 2 Oct. 4, 2018

32

(8) Processor shall, upon Licensee and/or Subcontractor’s request, provide to Licensee or

Subcontractor all information on Licensee and/or Subcontractor’s Personal Data and

information.

§ 9

Return and Deletion of Personal Data

(1) Licensee shall, upon termination or expiration of the Main Agreement, instruct

Processor to return Personal Data or to delete stored Personal Data. Processor may

still need to retain certain information for legal and internal business reasons, such as

fraud prevention.

(2) Documentation intended as proof of proper data Processing must be kept by the

Processor beyond the end of the Annex in accordance with relevant retention periods.

The Processor may hand such documentation over to the Licensee after expiry of the

Annex.

(3) Processor shall be obliged to securely delete any test and scrap material as instructed

by Licensee on a case-by-case basis. On Licensee’s request, Processor shall hand

over such material to Licensee or store it on Licensee’s behalf.

(4) Any additional cost arising in connection with the return or deletion of Personal Data

after the termination or expiration of the Main Agreement shall be borne by Licensee.

§ 10

Information to demonstrate compliance; Audits

(1) The Processor shall regularly monitor compliance with the provisions of this Annex by

conducting its own reviews.

(2) At Licensee’s request, Processor makes available to Licensee the information

necessary to demonstrate compliance with the obligations under this Annex, in a

commonly used and machine-readable format. Such information can be in the form of a

current attestation, of reports or report excerpts from independent bodies (e.g.,

accountant, auditor, data protection officer), an appropriate certification resulting from

an IT security audit or from a data protection audit (e.g., according to ISO 27001), or a

certification approved by the competent authority.

LE-FR-8568 Rev 2 Oct. 4, 2018

33

(3) The Licensee shall be entitled to assure itself, by way of inspections at the Processor,

that the Processor complies with the terms of this Annex, in particular with respect to

compliance with the provisions of the GDPR, and that adequate data security is

guaranteed within the meaning of this Annex as well as the implementation of technical

and organizational measures pursuant to Art. 32 GDPR. The Licensee may execute

any controls by third parties. For his consideration to perform inspections, the Licensee

will take into account the information already received under Section 10(2) of this

Annex.

§ 11

Liability of Licensee and Processor

(1) As to the liability of the parties the terms and conditions of the Main Agreement shall

apply.

(2) Licensee shall indemnify and hold harmless in case third parties especially but not only

data subjects claim for damages alleging their rights had been harmed by Processor,

but Processor only acted within the scope of the instructions given by Licensee.

§ 12

Additional Costs, Duties to Inform, Mandatory Written Form, Choice of Law

(1) Any cost arising out of Processor’s performance under instructions outside the Main

Agreement’s scope of work shall be borne by Licensee.

(2) Where Licensee’s Personal Data becomes subject to search and seizure, an

attachment order, confiscation during bankruptcy or insolvency proceedings, or similar

events or measures by third parties while being Processed, Processor shall inform

Licensee without undue delay. Processor shall, without undue delay, notify to all

pertinent parties in such action, that any Personal Data affected thereby is in

Licensee’s sole property and area of responsibility, that Personal Data is at Licensee’s

sole disposition, and that Licensee is the controller.

(3) No change of or amendment to this Annex and all of its components, including any

commitment issued by Processor, shall be valid and binding unless made in writing and

unless they make express reference to being a change or amendment to these

regulations. The foregoing shall also apply to the waiver of this mandatory written form.

LE-FR-8568 Rev 2 Oct. 4, 2018

34

(4) This Annex is governed by the laws of the Federal Republic of Germany.

Exhibit 1

A list of Personal Data elements and the purpose of their Processing by Processor on behalf

of Licensee. The list shall state the extent, the nature and purpose of any contemplated

collection, Processing of data, the type of data, and the circle of data subjects.

Exhibit 2

An overview of the technical and organizational measures taken by Processor.

LE-FR-8568 Rev 2 Oct. 4, 2018

35

Exhibit 1 to Annex 4 of License Agreement

Scope, nature and purpose of the

Data Processing

Detailed description of the subject-matter of the contract in terms of extend, kind and

purpose of the service offered by FARO: Cloud-based storing, viewing and sharing service

for 3D laser scan data “SCENE WebShare Cloud” for the duration of the License Agreement

(see License Agreement).

1. Data Categories

Subject of acquisition, Processing of Personal Data are the following kind of data and data

categories:

Processed at FARO and Amazon Web Services:

- First name - Middle name - Last name - Email address - Username - User ID - Password

2. Data Subjects

- Customers

- Licensee’s or customers’ staff and employees

- Prospective customers

3. Processing Operations

• Storage, use and Processing of the above-mentioned data at FARO and in the

Amazon Web Services in order to provide, control and maintain the service which is

subject of this contract.

• FARO uses Amazon Web Services for storage, processing, data handling,

authorization and security.

LE-FR-8568 Rev 2 Oct. 4, 2018

36

Exhibit 2 to Annex 4 of License Agreement

Technical and organizational measures

in accordance with Art. 32 GDPR

Description of the Technical and Organizational Security Measures taken by

Processor.

Processor has implemented the following technical and organizational security measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services:

1. Confidentiality Processor has implemented the following technical and organizational security to provide the confidentiality of processing systems and services, in particular:

• Licensee’s data is processed both on FARO premise as well as on remote server sites owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers and related hardware). Cloud certifications can be obtained at https://aws.amazon.com/compliance/ and AWS GDPR DATA PROCESSING ADDENDUM at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf ; Such certifications and measures may include:

- CSA

- ISO 9001, ISO 2701, ISO 2717, ISO 27018

- SOC1, SOC2, SOC3

- a layered security model, including safeguards like custom-designed electronics access cards, alarms, and perimeter fencings;

- data centers are monitored by CCTV;

- access logs and activity records;

- facilities hosting data centers are also routinely patrolled

- access to data centers requires security badges only approved employees with specific role may enter.

• Processor implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:

- automatic time-out of user terminal if left idle, identification and password required to reopen;

- issuing and safeguarding identification codes to Processor’s online

LE-FR-8568 Rev 2 Oct. 4, 2018

37

platform, requiring two-factor authentication for all users;

- letting Licensee and customers define individual user accounts with permissions across Processor resources;

- industry standard encryption and requirements for passwords (minimum length, use of special characters, etc.); and

- all access to data content is logged, monitored, and tracked.

• Processor’s employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:

- employee policies and training;

- effective and measured disciplinary action against individuals who access personal data without authorization;

- limited access to personal data to only authorized persons;

- industry standard encryption; and

- policies controlling the retention of back-up copies.

2. Integrity

Processor has implemented the following technical and organizational security to provide the integrity of processing systems and services, in particular:

• Processor implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:

- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;

- industry standard encryption; and

- avoiding the storage of personal data on portable storage media for transportation purposes and on company issued laptops or other mobile devices.

• Processor does not access any Licensee or customer content except as necessary to provide that Licensee with the Processor products and professional services it has selected. Processor does not access Licensee’s content for any other purposes. Accordingly, Processor does not know what content Licensees choose to store on its systems and cannot distinguish between personal data and other content, so Processor treats all Licensee content the same. In this way, all Licensee content benefits from the same robust Processor security measures, whether this content includes personal data or not.

LE-FR-8568 Rev 2 Oct. 4, 2018

38

3. Availability Processor has implemented the following technical and organizational security measure to provide the availability of processing systems and services, in particular:

• Processor implements suitable measures to provide that personal data is protected from accidental destruction or loss. This is accomplished by:

- infrastructure redundancy;

- policies prohibiting permanent local (work station) storage of personal data; and

- performing regular data back-ups.

4. Resilience Processor has implemented the following technical and organizational security measures to provide the resilience of processing systems and services, in particular:

• performing regular data back-ups;

• hosting its website on multiple web servers located in different locations; and

• performing regular health tests on servers.

LE-FR-8568 Rev 2 Oct. 4, 2018

39

Revision History

Version Revision Date Revised By Brief Description of the Revision

1 Sept. 28, 2018 T. Mauch Initial Upload

2 Oct. 4, 2018 T. Mauch Updated Exs. 1 and 2 to Annex 4