Customer Agreement

1. Parties & Acceptance

This Customer Agreement ("Agreement") is between PinPole Pty Ltd (ABN 75 631 505 694) ("PinPole", "we", "us", or "our") and the entity or individual identified in an Order ("Customer", "you").

By accessing or using the PinPole Platform, executing an Order, or clicking "I agree" or a similar button, Customer agrees to be bound by this Agreement. If Customer does not agree, it must not use the Platform. If Customer is entering into this Agreement on behalf of an organisation, Customer represents it has authority to bind that organisation.

1.1. Resellers. If Customer purchases through an authorised Reseller, the commercial terms (pricing, payment, renewal) are governed by Customer's agreement with that Reseller. All other terms in this Agreement apply directly between Customer and PinPole.

1.2. Consumer Rights. Nothing in this Agreement excludes, restricts, or modifies any rights Customer holds under the Australian Consumer Law or other applicable consumer protection legislation that cannot be excluded by agreement. Where Customer is a consumer or small business as defined under the Australian Consumer Law, those protections apply in addition to this Agreement.

2. License & Restrictions

2.1 License Grant

Subject to Customer's compliance with this Agreement and payment of all applicable Fees, PinPole grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Platform during the Subscription Term solely for Customer's internal business purposes in accordance with the Documentation and Customer's Scope of Use.

2.2 Restrictions

Customer must not, and must not permit any User or third party to:

• Rent, lease, resell, sublicense, or provide access to the Platform to any third party;
• Use the Platform to build a competing product or service, or to benchmark the Platform for publication without PinPole's prior written consent;
• Reverse engineer, decompile, disassemble, or attempt to derive source code or underlying algorithms from the Platform;
• Copy, modify, or create derivative works of any part of the Platform;
• Remove, alter, or obscure any proprietary notices, labels, or marks on the Platform;
• Use the Platform to process or store data in violation of applicable Laws or in breach of the Acceptable Use Policy;
• Attempt to gain unauthorised access to the Platform, other customers' accounts, or AWS infrastructure outside Customer's own connected account;
• Use automated means (bots, scrapers, crawlers) to access the Platform in a manner that exceeds reasonable use or disrupts the Platform's operation;
• Use the Platform's AWS deployment features to provision resources in any AWS account Customer does not own or have explicit written authority to manage.

2.3. Consumer Rights Preservation. Nothing in this Section limits Customer's rights under applicable consumer protection laws, including the Australian Consumer Law.

3. Users

3.1. Responsibility. Customer may authorise Users to access and use the Platform in accordance with the Documentation and Customer's Scope of Use. Customer is responsible for its Users' compliance with this Agreement and all activities of its Users, including Orders they may place, integrations they enable, and how they access and use Customer Data.

3.2. Login Credentials. Customer must ensure that each User keeps login credentials confidential. Customer must promptly notify PinPole if it becomes aware of any unauthorised access to User login credentials or to the Platform.

3.3. Role-Based Access. For Enterprise plans, Customer may configure role-based access controls (RBAC) as described in the Documentation. Customer is responsible for assigning appropriate roles and ensuring Users operate within their assigned permissions, including restrictions on who may initiate AWS deployments.

3.4. Age Requirements. The Platform is not intended for use by anyone under the age of 18. Customer is responsible for ensuring all Users meet this requirement.

3.5. Managed Accounts. Where a Platform feature requires Customer to specify a domain for user management, PinPole may verify domain ownership. Product administrators appointed by Customer may take over management of accounts registered with email addresses belonging to Customer's verified domain.

4. Platform & Features

4.1 Overview

The PinPole Platform is a governed cloud infrastructure design product that enables Customer to:

• Design Canvas: Design AWS cloud architectures on a visual drag-and-drop canvas spanning 315+ AWS services;
• Traffic Simulation: Run pre-deployment traffic simulations from 10 RPS to 100M RPS across four configurable traffic patterns — Constant, Ramp, Spike, and Wave;
• AI Optimisation: Receive AI-powered cost optimisation and architectural recommendations generated against Customer's canvas state;
• AWS Deployment: Deploy directly to AWS via a secure STS cross-account IAM workflow; and
• IaC Export: Export infrastructure-as-code (Terraform and AWS CDK) from any canvas state.

4.2 Customer Data

PinPole may process Customer Data to provide the Platform and related Support in accordance with this Agreement. Customer Data includes canvas definitions, simulation configurations, simulation results, and architecture exports submitted by Customer or its Users.

4.3 Security Program

PinPole has implemented and will maintain an information security program using appropriate physical, technical, and organisational measures to protect Customer Data from unauthorised access, destruction, use, modification, or disclosure, as described in the Security Processes. PinPole will also maintain a compliance program that includes independent third-party audits and certifications, as described in the Security Processes.

4.4 Service Levels

Where applicable, service level commitments for the Platform are set out in the Service Level Agreement incorporated into this Agreement.

4.5 Data Retrieval

The Documentation describes how Customer may retrieve its Customer Data from the Platform, including canvas exports, simulation result downloads, and IaC export packages.

4.6 Removals and Suspension

PinPole has no obligation to monitor Customer Data. Nonetheless, if PinPole becomes aware that Customer Data may violate Law, Section 2.2 (Restrictions), or the rights of others, or that Customer's use threatens the security or operation of the Platform, PinPole may: (i) limit access to or remove the relevant Customer Data, or (ii) suspend Customer's or any User's access to the Platform. PinPole may also take such measures where required by Law or at the request of a governmental authority.

4.6.1 Procedural Requirements. Before taking action under Section 4.6, PinPole will: (a) provide Customer with written notice specifying the grounds and a reasonable opportunity to remedy the issue (except where immediate action is required to prevent harm or comply with legal obligations); (b) where Customer is a consumer or small business, provide at least 7 days' notice before suspension unless emergency circumstances exist; (c) maintain a reasonable complaints process for Customer to dispute such actions; (d) restore access promptly once any breach is remedied.

5. Customer Obligations

5.1. Disclosures and Rights. Customer must ensure it has made all disclosures and obtained all rights and consents necessary for PinPole to process Customer Data to provide the Platform and Support.

5.2. Platform Assessment. Customer is responsible for determining whether the Platform meets Customer's requirements and any regulatory obligations applicable to Customer's intended use. Simulation outputs and AI recommendations are provided as informational tools to assist architectural decision-making. They are not a guarantee of the performance, cost, security, or compliance of any resulting deployed infrastructure.

5.3. AWS Account Responsibility. Customer is solely responsible for: (a) all actions taken within Customer's connected AWS account(s) by Users or through automated Platform features; (b) all costs, charges, and consequences arising from AWS resources provisioned or modified via the Platform; (c) ensuring that the IAM permissions granted to PinPole's cross-account role are no broader than those described in the Documentation and Section 6 (AWS Account Integration).

5.4. Sensitive and Regulated Data. Unless the parties have entered into appropriate supplementary agreements:

• HIPAA: Customer must not upload to the Platform or use the Platform to process any patient, medical, or other protected health information regulated by the Health Insurance Portability and Accountability Act (HIPAA). A Business Associate Agreement must be executed before any such processing.
• Australian Health Data: Customer must not upload to the Platform any health information subject to enhanced protections under the Privacy Act 1988 (Cth), My Health Records Act 2012 (Cth), or equivalent state or territory health records legislation, unless Customer has obtained all necessary consents and provided appropriate notice to PinPole.
• Payment Card Data: Customer must not use the Platform to store, process, or transmit payment card data regulated by PCI-DSS unless Customer has separately engaged PinPole under a compliant data processing arrangement.

6. AWS Account Integration

6.1 Cross-Account IAM Workflow

The Platform's deployment feature operates via a secure AWS STS cross-account IAM role that Customer provisions in its own AWS account. Customer grants PinPole's deployment agent the ability to assume this role for the sole purpose of provisioning the resources defined in a Customer-approved canvas state. PinPole will not assume Customer's cross-account role for any purpose other than executing Customer-initiated deployments.

6.2 Customer Responsibilities for AWS Integration

Customer is responsible for:

• Configuring the cross-account IAM role in accordance with PinPole's Documentation, applying the principle of least privilege;
• Reviewing and approving each canvas state before initiating a deployment;
• Monitoring deployed resources and associated AWS costs via AWS Cost Explorer or equivalent tooling;
• Maintaining the AWS account's service quotas and limits to accommodate resources defined in Customer's canvas;
• Revoking or modifying PinPole's cross-account role access when Customer's Subscription Term ends or upon account disconnection.

6.3 Simulation and Cost Estimates

Traffic simulation results and AI-generated cost estimates produced by the Platform are based on publicly available AWS pricing data, Customer-provided workload parameters, and PinPole's proprietary simulation models. These outputs are indicative only. Actual AWS costs will depend on factors outside PinPole's control, including AWS pricing changes, reserved capacity commitments, data transfer costs, and runtime behaviour of deployed applications. PinPole makes no warranty as to the accuracy of cost estimates.

6.4 AWS Digital Twin (where available)

Where Customer has enabled the AWS Digital Twin feature, PinPole will read Customer's existing AWS account state (via read-only API calls) to populate the canvas. Customer grants PinPole permission to perform these read-only operations solely for the purpose of generating and maintaining the digital twin representation. PinPole will not modify any existing Customer AWS resource via the Digital Twin feature without a separate Customer-initiated deployment action.

7. Third-Party Code & Products

7.1. Third-Party Code. The Platform incorporates open source software and commercial third-party software components. PinPole's Third-Party Code Policy, incorporated into this Agreement, governs those components. Open source licences applicable to components included in the Platform are available in the Documentation.

7.2. Third-Party Products. Customer may choose to use the Platform alongside third-party platforms, integrations, services, or products ("Third-Party Products"), including third-party IaC tooling, CI/CD pipelines, and cloud management platforms. Use of Third-Party Products with the Platform may require access to Customer Data by the third-party provider, which PinPole will enable on Customer's behalf where Customer has activated that integration. Customer's use of Third-Party Products is governed by the relevant provider's terms of use, not this Agreement. PinPole does not control and has no liability for Third-Party Products.

7.3. AWS Relationship. PinPole is an independent software vendor. PinPole is not an AWS affiliate, agent, or reseller. AWS services accessed through the Platform are subject to the AWS Customer Agreement and applicable AWS Service Terms between Customer and Amazon Web Services. PinPole has no responsibility for AWS service availability, pricing, policy changes, or any actions taken by AWS with respect to Customer's AWS account.

8. Support Services

PinPole will provide Support as described in the Support Policy and applicable Order. Support is provided within the AEST (Australian Eastern Standard Time) timezone unless otherwise specified in Customer's Order. Support tiers, response times, and channel availability are set out in the Support Policy incorporated into this Agreement.

PinPole's provision of Support is subject to Customer providing timely access to information and reasonable cooperation required to diagnose and resolve issues. PinPole support personnel do not have standing access to Customer's canvas content or simulation outputs; any access for support purposes requires Customer's explicit permission.

9. Ordering Process & Delivery

No Order is binding until PinPole provides acceptance — including by sending a confirmation email, providing access to the Platform, or making account credentials available. No terms of any Customer purchase order or other business form will supersede or supplement this Agreement. PinPole will deliver access credentials and onboarding materials electronically to Customer's registered account promptly upon receiving payment of the applicable Fees.

9.1. Order Precedence. In the event of conflict between an Order and this Agreement, the Order prevails for its specific subject matter; otherwise this Agreement controls.

10. Billing & Payment

10.1 Fees

(a) Direct Purchases. If Customer purchases directly from PinPole, Fees and payment terms are as specified in Customer's Order.

(b) Resellers. If Customer purchases through a Reseller, Customer must pay amounts directly to the Reseller. Order details are specified in the Order placed by the Reseller with PinPole on Customer's behalf.

(c) Renewals. Unless otherwise specified in an Order, a Subscription Term will automatically renew at PinPole's then-current rates for: (i) a period equal to Customer's prior Subscription Term (if less than 12 months), or (ii) 12 months (if the prior term was 12 months or more). Either party may elect not to renew by giving notice before the end of the current Subscription Term. For consumer and small business customers, PinPole will provide at least 7 days' written notice before any automatic monthly renewal and 30 days before any annual renewal, including renewal terms and cancellation instructions. Consumer and small business customers have the right to cancel any automatically renewed subscription within 14 days of renewal for a pro-rated refund.

Price Increase Cap: For renewal terms, any fee increase from the prior Subscription Term will not exceed the greater of: (i) 5% of the prior term's fees, or (ii) the percentage increase in the Australian Consumer Price Index (All Groups, Weighted Average of Eight Capital Cities) for the 12-month period ending in the quarter prior to renewal. PinPole will provide at least 60 days' notice of any fee increase for renewals.

(d) Increased Scope of Use. Customer may increase its Scope of Use by placing a new Order or amending an existing Order by mutual agreement. PinPole will charge for increased Scope of Use at PinPole's then-current rates, pro-rated for the remainder of the then-current Subscription Term.

(e) Refunds. All Fees are non-refundable except as provided in this Agreement or required by the Australian Consumer Law.

(f) Credit Cards. If Customer uses a credit card or online payment method for its initial Order, PinPole may bill that payment method for renewals, additional Orders, and overages.

10.2 Taxes

(a) Generally. Fees are exclusive of any GST, value-added, withholding, or similar taxes or levies. Other than taxes on PinPole's net income, Customer is responsible for any such taxes, which PinPole will itemise separately on applicable invoices.

(b) GST. Where applicable, PinPole will issue tax invoices in accordance with the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

(c) Exemptions. If Customer claims exemption from any applicable tax, Customer must provide PinPole with a valid tax exemption certificate or tax ID at the time of Order.

10.3 Return Policy

Within thirty (30) days of its initial Order for a Platform plan, Customer may terminate the Subscription Term for any or no reason by providing notice to PinPole. Following such termination, upon request, PinPole will refund the amount paid for that plan.

10.4 Suspension for Non-payment

PinPole may suspend Customer's rights to access the Platform if payment is overdue and PinPole has given Customer no fewer than ten (10) days' written notice.

11. Warranties

11.1. Performance Warranties. PinPole warrants to Customer that: (a) the Platform will operate in substantial conformity with the applicable Documentation during the Subscription Term; (b) PinPole will not materially decrease the core functionality or overall security of the Platform during the Subscription Term; and (c) PinPole will use reasonable efforts to ensure that the Platform, as provided by PinPole, is free of viruses, malware, or similar malicious code (each, a "Performance Warranty").

11.2. Remedy. If PinPole breaches a Performance Warranty and Customer makes a reasonably detailed warranty claim within 30 days of discovering the issue, PinPole will use reasonable efforts to correct the non-conformity. If PinPole determines such remedy impracticable, either party may terminate the affected Subscription Term, and PinPole will refund any pre-paid, unused Fees for the terminated portion. These procedures are Customer's exclusive remedy and PinPole's entire liability for breach of a Performance Warranty.

11.3. Simulation and AI Disclaimer. PinPole does not warrant that simulation results, cost estimates, or AI-generated architectural recommendations will be accurate, complete, or suitable for any particular purpose. These outputs are decision-support tools only. Customer is solely responsible for validating simulation results and AI recommendations before acting on them, including before initiating any AWS deployment.

11.4. Disclaimers. Except as expressly provided in this Section 11 and subject to applicable consumer protection laws including the Australian Consumer Law, the Platform and all related services and deliverables are provided "AS IS." To the extent permitted by law, PinPole makes no other warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, or non-infringement. Nothing in this Section excludes, restricts, or modifies consumer guarantees under the Australian Consumer Law that cannot be excluded.

12. Term & Termination

12.1. Term. This Agreement commences on the date Customer accepts it and continues until all Subscription Terms have ended.

12.2. Termination for Convenience. Customer may terminate this Agreement or a Subscription Term upon notice for any reason. Subject to Section 10.3 (Return Policy), Customer will not be entitled to refunds for termination for convenience, and any unpaid amounts for the then-current Subscription Term will become due and payable immediately. For consumer and small business customers who terminate for convenience after the 30-day return window, PinPole will provide a pro-rated refund for the unused portion of any prepaid annual term.

12.3. Termination for Cause. Either party may terminate this Agreement or a Subscription Term if the other party: (a) fails to cure a material breach (including a failure to pay Fees) within 30 days of written notice; (b) ceases operations without a successor; or (c) seeks protection under a bankruptcy, receivership, or comparable insolvency proceeding. If Customer terminates for PinPole's cause, PinPole will refund any pre-paid, unused Fees for the terminated portion.

12.4. Effect of Termination. Upon expiration or termination: (a) Customer's rights to access the Platform cease; (b) Customer must immediately cease accessing the Platform and promptly revoke PinPole's cross-account AWS IAM role; (c) PinPole will delete Customer Data in accordance with the Documentation and Privacy Policy, subject to legal retention obligations.

12.5. Survival. These Sections survive termination: 2.2 (Restrictions), 4.3 (Security Program), 10.1 (Fees), 10.2 (Taxes), 11.4 (Disclaimers), 12.4 (Effect of Termination), 13 (Ownership & IP), 14 (Limitations of Liability), 15 (Indemnification), 16 (Confidentiality), 18 (Feedback), 20 (General Terms), and 21 (Definitions).

13. Ownership & Intellectual Property

13.1. General. Except as expressly set out in this Agreement, neither party grants the other any rights or licences to its intellectual property.

13.2. Customer Ownership. As between the parties, Customer owns all intellectual property rights in: (a) Customer Data, including canvas definitions, simulation inputs, and architecture designs created by Customer or its Users; and (b) IaC files (Terraform and AWS CDK) exported from Customer's canvas.

13.3. PinPole Ownership. PinPole and its licensors retain all intellectual property rights in: (a) the Platform, including all software, simulation engines, AI models, canvas rendering, and technology comprising or enabling the Platform; (b) PinPole's methodologies, processes, simulation frameworks, scoring algorithms, and AI recommendation models; (c) any modifications, improvements, or derivative works to any of the foregoing; and (d) aggregated, anonymised usage data and platform performance metrics.

13.4. Feedback Licence. Any Feedback provided by Customer is addressed in Section 18 (Feedback).

13.5. No Implied Rights. Nothing in this Agreement grants Customer any right to use PinPole's AI models, simulation engines, or platform technology independently of the Platform as accessed via the Service.

14. Limitations of Liability

14.1. Damages Waiver. Except for Excluded Claims, to the maximum extent permitted by Law, neither party will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, interruption of business, or any indirect, special, incidental, or consequential damages of any kind, even if informed of their possibility in advance. PinPole's liability is specifically limited for business decisions made based on simulation outputs or AI recommendations.

14.2. General Liability Cap. Except for Excluded Claims, to the maximum extent permitted by Law, PinPole's entire liability arising out of or related to this Agreement will not exceed the Fees paid to PinPole for the Platform during the twelve (12) months preceding the first event giving rise to the liability. Customer's payment obligations under Sections 10.1 and 10.2 are not limited by this cap.

14.3. Excluded Claims. "Excluded Claims" means: (a) Customer's breach of Section 2.2 (Restrictions) or Section 5 (Customer Obligations); (b) either party's breach of Section 16 (Confidentiality), excluding claims relating to Customer Data; or (c) amounts payable to third parties under PinPole's indemnification obligations in Section 15.

14.4. Special Claims. For Special Claims, PinPole's aggregate liability is the lesser of: (a) two times (2x) the Fees paid during the 12 months preceding the event, and (b) AUD 5,000,000. "Special Claims" means unauthorised disclosure of Customer Data caused by PinPole's breach of its Security Program obligations.

14.5. AWS Cost Liability. PinPole is not liable for any AWS infrastructure costs incurred as a result of deployments initiated via the Platform, whether or not such deployments resulted from Customer error, User error, or Platform malfunction, except to the extent directly caused by PinPole's wilful misconduct or gross negligence.

14.6. Failure of Essential Purpose. The exclusions and limitations in this Section apply regardless of the form of action and survive even if any limited remedy fails of its essential purpose.

15. Indemnification

15.1. By PinPole. PinPole will defend Customer against any third-party claim that the Platform, as provided and used in accordance with this Agreement, infringes any Australian or New Zealand patent, copyright, trademark, or trade secret right ("Infringement Claim"), and will indemnify Customer for damages and costs awarded by a court or agreed in settlement.

15.2. Exclusions. PinPole's obligations under Section 15.1 do not apply where the Infringement Claim arises from: (a) Customer's or a User's modification of the Platform; (b) use of the Platform in combination with products, data, or services not provided or authorised by PinPole; (c) use of the Platform in violation of this Agreement or the Documentation; or (d) Customer Data.

15.3. By Customer. Customer will defend PinPole against any third-party claim arising from: (a) Customer Data; (b) Customer's breach of this Agreement, including Section 2.2 (Restrictions) or Section 5 (Customer Obligations); or (c) Customer's or any User's use of the Platform to deploy or modify AWS resources without authority, and will indemnify PinPole for damages and costs awarded or agreed in settlement.

15.4. Procedure. The indemnified party must: (a) promptly notify the indemnifying party in writing of the claim; (b) give the indemnifying party sole control of the defence (with the right to participate at its own cost); and (c) provide reasonable cooperation. The indemnifying party may not settle any claim in a manner that imposes liability or obligations on the indemnified party without prior written consent.

16. Confidentiality

16.1. Definition. "Confidential Information" means any information disclosed by one party ("Discloser") to the other ("Recipient") that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure. PinPole's Confidential Information includes the Platform's architecture, algorithms, simulation models, AI frameworks, pricing, and roadmap. Customer's Confidential Information includes Customer Data, canvas designs, and business data.

16.2. Obligations. Recipient must: (a) use Discloser's Confidential Information only as permitted under this Agreement; (b) protect Confidential Information using at least the same degree of care as it uses for its own confidential information, but no less than reasonable care; and (c) limit access to those who have a need to know and are bound by confidentiality obligations at least as protective as those in this Section.

16.3. Exclusions. Confidentiality obligations do not apply to information that: (a) becomes publicly available through no fault of Recipient; (b) was rightfully known by Recipient before disclosure; (c) is rightfully received from a third party without restriction; or (d) is independently developed by Recipient without use of Discloser's Confidential Information.

16.4. Compelled Disclosure. Recipient may disclose Confidential Information if required by law or court order, provided it gives Discloser reasonable prior notice (to the extent permitted by law) and cooperates with any request by Discloser to seek protective measures.

17. Free & Beta Products

17.1. Scope. PinPole may make available free tiers, trial access, or pre-release ("beta") features of the Platform from time to time. Free and Beta Products are provided at PinPole's discretion and are subject to this Agreement.

17.2. Termination or Modification. PinPole may terminate or modify Customer's access to Free or Beta Products upon at least 14 days' written notice, except where immediate termination is required due to security concerns, legal requirements, or Customer's breach of this Agreement.

17.3. Pre-GA. Beta features may be inoperable, incomplete, or include errors and bugs. Beta feature performance information is PinPole's Confidential Information. Beta features must not be used to deploy to production AWS environments unless PinPole has explicitly confirmed the feature is suitable for production use in writing.

17.4. Disclaimer. To the maximum extent permitted by Law, PinPole provides no warranty, indemnity, or service level commitment for Free or Beta Products and its aggregate liability for Free or Beta Products is limited to AUD 200.

18. Feedback

If Customer or any User provides PinPole with feedback, suggestions, bug reports, or other input regarding the Platform ("Feedback"), PinPole may use that Feedback without restriction or obligation, including to improve the Platform, simulation models, and AI recommendation quality. Feedback does not constitute Customer Confidential Information. PinPole will not publicly attribute Feedback to Customer without Customer's consent.

19. Publicity

PinPole may identify Customer as a PinPole customer in its promotional materials, website, and investor materials. PinPole will promptly remove such identification upon Customer's written request to legal@pinpole.cloud. PinPole will not disclose specific details of Customer's architecture designs or simulation outputs in any marketing material without Customer's prior written consent.

20. General Terms

20.1. Compliance with Laws. Each party must comply with all Laws applicable to its business in its performance of this Agreement. Customer must comply with all Laws applicable to its use of the Platform, including those governing cloud infrastructure deployment, data residency, and export controls.

20.2. Assignment. Customer may not assign or transfer any rights or obligations under this Agreement without PinPole's prior written consent, except Customer may assign this Agreement in its entirety to a successor resulting from a merger, acquisition, or sale of substantially all of Customer's assets, provided Customer gives PinPole prompt written notice and the assignee assumes all Customer obligations. PinPole may assign its rights and obligations without Customer's consent, provided PinPole gives Customer 30 days' written notice. Consumer or small business customers may terminate without penalty within 30 days of such notice if the assignment materially and adversely affects their rights.

20.3. Governing Law. This Agreement is governed by the laws of the State of Victoria, Australia, and the parties submit to the exclusive jurisdiction of the courts of Victoria. The United Nations Convention on the International Sale of Goods does not apply. The parties acknowledge that the Australian Consumer Law, including unfair contract terms provisions, applies where Customer is a consumer or small business as defined under that law.

20.4. Notices. Notices under this Agreement must be in writing and are deemed given on: (i) personal delivery; (ii) receipt if sent by recognised overnight courier with receipt request; (iii) the third business day after mailing; or (iv) the second business day after sending by email (provided no delivery failure notification is received). Notices to PinPole must be sent to legal@pinpole.cloud. Notices to Customer will be sent to the billing or technical contact provided in Customer's account, which Customer may update at any time.

20.5. Entire Agreement. This Agreement is the parties' entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements. In the event of conflict among documents, the main body of this Agreement controls, except that incorporated Policies control for their specific subject matter. To the extent of any inconsistency between this Agreement and applicable consumer protection laws, the consumer protection laws prevail.

20.6. Force Majeure. Neither party is liable for any delay or failure to perform any obligation under this Agreement (except for a failure to pay Fees) due to events beyond its reasonable control and occurring without that party's fault or negligence, including natural disasters, pandemics, widespread internet outages, or acts of government.

20.7. Subcontractors. PinPole may use subcontractors or Affiliates in the performance of its obligations, but PinPole remains responsible for overall performance and for having appropriate written agreements in place with its subcontractors.

20.8. Independent Contractors. The parties are independent contractors and nothing in this Agreement creates any agency, partnership, or joint venture relationship.

20.9. Export Restrictions. Customer must comply with all applicable export and import Laws in its access to, use of, and download of the Platform or content entered into the Platform, including the Defence Trade Controls Act 2012 (Cth), Customs Act 1901 (Cth), the Autonomous Sanctions Regulations 2011, and applicable U.S. Export Administration Regulations where Customer operates in the U.S. Customer must not use the Platform to provision cloud infrastructure that would violate applicable export Laws or sanctions programs.

20.10. Changes to this Agreement. PinPole may modify this Agreement by posting updated terms on its website with at least 30 days' notice prior to the effective date. For free subscriptions, modifications become effective per PinPole's notice. For paid subscriptions, modifications take effect at next renewal unless they relate to legal compliance or new product features that do not materially and adversely affect Customer's existing rights. Customer may terminate the affected Subscription Term within 30 days of modification notice and receive a refund of pre-paid, unused Fees.

20.11. Interpretation and Severability. In this Agreement, headings are for convenience only; "including" and similar terms are construed without limitation. Waivers must be in writing and signed by the waiving party's authorised representative. If any provision is held invalid, illegal, or unenforceable, it will be limited to the minimum extent necessary so the rest of the Agreement remains in effect.

20.12. No Contingencies. Customer's purchase of a Platform plan is not contingent on delivery of any future functionality or features, including features described in PinPole's product roadmap. Roadmap descriptions are provided for informational purposes only and do not constitute commitments.

21. Definitions

Appendix A — Security Processes

PinPole has implemented and will maintain a comprehensive information security program covering the following control domains. These controls apply to all systems that store, process, or transmit Customer Data, including the Platform, simulation infrastructure, and associated data stores hosted on AWS ap-southeast-2 (Sydney).

1. Access Control

PinPole implements role-based access control for all internal systems. Access to production environments and Customer Data is restricted to authorised personnel on a need-to-know basis. All privileged access requires multi-factor authentication (MFA). Access rights are reviewed quarterly and revoked upon role change or termination.

2. Awareness and Training

PinPole maintains a security awareness program that includes onboarding security training for all employees and annual refresher training covering security, privacy, and acceptable use topics.

3. Audit and Accountability

PinPole maintains comprehensive logging of system access and administrative actions. Logs are securely forwarded to a centralised log management system and retained for a minimum of 12 months. Security audit logs are monitored for anomalous activity.

4. Assessment, Authorisation, and Monitoring

PinPole conducts internal security assessments and engages independent external auditors. PinPole is pursuing SOC 2 Type I certification (target: July 2026) and SOC 2 Type II thereafter. Annual penetration testing is conducted against production systems.

5. Configuration Management

PinPole maintains documented configuration baselines for all production systems. Changes to production infrastructure require peer review and approval. Automated intrusion detection systems (IDS) supplement manual configuration monitoring.

6. Contingency Planning

PinPole maintains a business continuity and disaster recovery plan with defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Disaster recovery tests are conducted quarterly. Primary infrastructure operates in AWS ap-southeast-2 with appropriate redundancy.

7. Identification and Authentication

User identity is managed through PinPole's identity provider. All employee access to production systems requires MFA. Password policies follow NIST 800-63B guidelines. AWS cross-account roles used for Customer deployments are scoped using least-privilege IAM policies.

8. Security Incident Response

PinPole maintains a security incident response plan covering detection, containment, eradication, and recovery. A cross-functional incident response team handles security incidents. In the event of a confirmed breach involving Customer Data, PinPole will notify affected Customers without undue delay and in accordance with applicable notification obligations under the Privacy Act 1988 (Cth) Notifiable Data Breaches scheme.

9. Data Encryption

Customer Data is encrypted in transit (TLS 1.2 minimum) and at rest (AES-256). Encryption keys are managed through AWS Key Management Service (KMS). Canvas data and simulation outputs are stored in encrypted data stores isolated per Customer tenant.

10. Vulnerability Management

PinPole operates a vulnerability management program including automated dependency scanning, static analysis of application code, and periodic infrastructure vulnerability assessments. Critical vulnerabilities are remediated within 72 hours; high-severity vulnerabilities within 7 days.

Appendix B — Acceptable Use Policy

This Acceptable Use Policy ("AUP") governs Customer's and all Users' use of the PinPole Platform. By using the Platform, Customer agrees to comply with this AUP and to ensure its Users do the same.

Permitted Use

The Platform is intended for the design, simulation, and deployment of cloud infrastructure architectures on AWS by authorised cloud engineering and DevOps professionals for legitimate business purposes.

Prohibited Uses

Customer and its Users must not use the Platform to:

• Design, simulate, or deploy infrastructure intended to support illegal activities, including fraud, phishing, malware distribution, or cryptocurrency mining operations that violate applicable terms of service;
• Provision or test infrastructure in AWS accounts that Customer does not own or have explicit written authority to manage;
• Conduct load or stress testing against third-party services or infrastructure not owned by Customer without those parties' consent;
• Attempt to probe, scan, or penetrate PinPole's systems or the systems of other PinPole customers;
• Upload or process data that violates applicable privacy laws, including personal health information without appropriate authorisations;
• Use the Platform in any manner that violates applicable Laws, including export control and sanctions regulations;
• Use the Platform to circumvent AWS service quotas or billing controls in a manner that violates AWS's terms of service;
• Upload content that is defamatory, obscene, or infringes the intellectual property rights of any third party.

Enforcement

PinPole reserves the right to investigate suspected violations of this AUP. If PinPole determines that a violation has occurred, PinPole may take action as described in Section 4.6 of this Agreement, including suspension of access. Serious violations may be reported to relevant law enforcement authorities.

Reporting

To report suspected AUP violations or security concerns, contact security@pinpole.cloud.

Contact & Notices

For legal notices, contract queries, or questions about this Agreement, contact PinPole at:

Notices delivered via email to legal@pinpole.cloud are deemed received on the second business day after sending, provided no delivery failure notification is received.