Built on Workday
Content Federation Services
Security
Service Levels
Third-Party AI Model Providers
Hyland Experience Technical Support
Hyland Experience Security
Hyland Experience Service Levels
Hyland Insight Pilot Program

Built on Workday

Version

Effective April 18th 2025

Download

Built on Workday

1. If Customer has purchased the Content Innovation Cloud integration with Workday (as identified on an Order Form), then Customer will be required to accept the Built on Workday Terms (currently, https://developer.workday.com/terms/builtonworkdaycustomer), which will be provided by Workday to the customer prior to downloading and using the Built on Workday App. The Customer agrees that it has the authority to agree to the Built on Workday terms from Workday notwithstanding anything in Customer’s agreement with Workday. 

The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.

Security

Version

Effective April 18th 2025

Download

Security

For Content Innovation Cloud, Hyland maintains and manages a comprehensive written security program that is designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Such program includes the following:

1. Risk Management.

1.1 Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect Content Innovation Cloud.

1.2 Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.

2. Information Security Program.

2.1 Maintaining a documented comprehensive information security program that includes policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards. Such information security program shall include, as applicable: (a) adequate physical and cyber security where Customer Data will be processed and/or stored; and (b) reasonable precautions taken with respect to Hyland personnel employment.

2.2 Reviewing and updating such policies annually.

3. Organization of Information Security. Assigning security responsibilities to appropriate individuals or groups to facilitate protection of Content Innovation Cloud and associated assets.

4. Human Resources Security.

4.1 Requiring all Hyland employees to undergo a comprehensive screening during the hiring process.

4.2 Performing background checks and reference validation to determine whether candidate qualifications are appropriate for the proposed position.

4.3 Subject to any restrictions imposed by applicable law and based on jurisdiction, conducting criminal background checks, employment validation, and education verification as applicable.

4.4 Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to Content Innovation Cloud or Customer Data.

4.5 Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.

4.6 Upon Hyland employee separation or change in roles, ensuring any Hyland employee’s access to Content Innovation Cloud is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.

5. Asset Management.

5.1 Ensuring Customer Data is encrypted and stored in a secure location subject to strict physical access controls.

5.2 Maintaining asset and information management policies and procedures, including ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.

5.3 Note: Content Innovation Cloud is hosted in the Amazon Web Services (AWS) Cloud where security and compliance are shared responsibilities between AWS and Hyland. AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates, including media handling and decommissioning. AWS Device Management Controls can be found here: https://aws.amazon.com/compliance/data-center/controls/#Device_Management

6. Access Controls.

6.1 Maintaining an access policy and corresponding procedures. The access procedures will define the request, approval, and access provisioning process for Hyland personnel. The access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases.

6.2 Documenting procedures for: (a)onboarding and offboarding Hyland personnel users in a timely manner; and (b) Hyland personnel user inactivity threshold leading to account suspension and removal threshold.

6.3 Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. For such Hyland employees, Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary.” Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.

6.4 Ensuring access controls are in place for Customer Data access by Hyland. Note: Customer controls its: user’s access, user’s permissions, and Customer Data retention to the extent such controls are available to Customer.

7. System Boundaries.

7.1 Note: Hyland is not responsible for any system components that are not within Content Innovation Cloud, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties.

7.2 Note: The processes executed within Content Innovation Cloud are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole.

7.3 Note: Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for Content Innovation Cloud, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. Examples of business processes that cross these boundaries include, but are not limited to, Content Innovation Cloud configuration changes, processing that occurs within Content Innovation Cloud, user authorization, and file transfers.

8. Encryption.

8.1 Ensuring Customer Data shall only be uploaded to Content Innovation Cloud in a supported encrypted format such as TLS or other equivalent method.

8.2 Encrypting Customer Data at rest and in transit over public networks.

8.3 Note: Where use of encryption functionality may be controlled or modified by Customer and Customer elects to modify its use of or turn off any encryption functionality, Customer does so at its own risk.

9. Operations Security.

9.1 Maintaining change management controls to ensure changes made by Hyland to production systems are properly authorized and reviewed prior to implementation. Note: Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or Hyland. If Customer requests Hyland to implement changes on its behalf, such request must be in writing and submitted by Customer’s designated Authorized Customer Administrators via a support case or set forth in a separate agreement.

9.2 Making scheduled configuration changes that are expected to impact Customer access to Content Innovation Cloud during a planned maintenance window. Note: Hyland may make configuration changes that are not expected to impact Customer during normal business hours.

9.3 Utilizing technologies that are configured to meet common industry standards designed to protect the Customer Data within Content Innovation Cloud from virus infections or similar malicious payloads.

9.4 Implementing disaster recovery and business continuity procedures in accordance with the applicable Service Level purchased by Customer.

9.5 Maintaining security logs for one year.

9.6 Maintaining system hardening requirements and configuration standards for components deployed within Content Innovation Cloud.

9.7 Conducting vulnerability scans on a regular basis and remediating in a timely manner. In the event any security patch would materially adversely affect Content Innovation Cloud, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect Content Innovation Cloud. Upon written request, Hyland will provide an executive summary report of its most recent external vulnerability scan.

9.8 Conducting external penetration tests at least annually against an instance of Content Innovation Cloud that is representative of the configuration used by Customers generally and making an executive summary of the most recent penetration test to Customer upon request.

9.9 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct a penetration test against a Content Innovation Cloud website, setup by Hyland, that is authorized for penetration testing , provided: (1) Customer submits a Penetration Testing Authorization form in advance; (2) prior to conducting such testing, Hyland and Customer mutually agree upon the timing, scope, and price, (3) such testing is at Customer’s sole cost and expense; and (4) if Customer engages a third-party to assist with such testing, the third-party must first be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Note: Any testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of Content Innovation Cloud; and Customer is prohibited from distributing or publishing the results of such penetration testing without Hyland’s prior written approval.

9.10 Maintaining a 24/7 security operations center.

10. Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors and evaluating critical vendors on an annual basis.

11. Security Incident Response.

11.1 Employing incident response standards that are based upon applicable industry standards, such as ISO 27001 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of Content Innovation Cloud environment.

11.2 Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.

11.3 If Hyland has determined Customer’s instance of Content Innovation Cloud has been negatively impacted by a security incident, delivering a root cause analysis summary. Such notice will not be unreasonably delayed but will occur after initial corrective actions have been taken to contain the security threat or stabilize Content Innovation Cloud.

11.4 The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take to prevent further issues. Content Innovation Cloud information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the applicable Hyland Cloud support team must be submitted and handled on a case-by-case basis to protect the confidentiality and security of the requested information.

11.5 Notifying Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.

12. Information Security Aspects of Business Continuity Management.

12.1 Maintaining a business continuity and disaster recovery plan.

12.2 Reviewing and testing the business continuity and disaster recovery processes annually.

13. Audits and Assessments.

13.1 Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.

13.2 Maintaining a periodic external audit program. Completed attestations are provided to Customer upon written request.

13.3 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) of Hyland’s operations that participate in the ongoing delivery and support of Content Innovation Cloud (each, a “Security Inquiry”), provided, that:

(a) the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request.

(b) Hyland and Customer mutually agree upon the timing, scope, fees (if any), and criteria of such Security Inquiry;

(c) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must either (at Hyland’s election) be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots;

(d) Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; and

(e) to the extent Customer desires to engage a third party to perform such Security Inquiry: (1) Hyland must approve of such third party in writing in advance, (2) Customer shall cause such third party to: (A) enter into a Non-Disclosure Agreement with Hyland and (B) agree to abide by Hyland’s security standards, and (3) Customer shall manage the engagement with the third party and ensure the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Hyland Cloud Service.

Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, , and Customer shall prohibit each third-party engaged to perform a Security Inquiry from distributing or publishing the results of such Security Inquiry without Hyland’s prior written approval. Notwithstanding anything to the contrary within this Agreement, nothing in this Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.

The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.

Service Levels

Version

Effective April 18th 2025

Download

Service Levels

Service Level Agreements (“SLA”) described in this document pertain to the availability of Content Innovation Cloud. This document does not address technical support.

Service Level Definitions

“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that Content Innovation Cloud is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).

“Exclusion Event” means any of the following occurrences:

1. System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.

2. Failure of a customer’s or user’s equipment or facilities.

3. Acts or omissions of a customer or its user, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by the customer to provide services to the customer or its users related to Content Innovation Cloud, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the customer or any third-party vendor to the customer, or (d) any unauthorized use or access by the customer or any of its users;

4. The occurrence of a force majeure event.

5. Internet failure or congestion.

6. Failure of equipment or systems not within Content Innovation Cloud, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the customer; or

7. Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).

“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.

“Monthly Fees” is the portion of the recurring fees for Content Innovation Cloud attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.

Monthly Uptime Percentage. is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.

“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the customer’s data must have been stored within Content Innovation Cloud to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Hyland Cloud Service for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.

“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time Content Innovation Cloud has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).

“Restoration” occurs once access to Content Innovation Cloud has been restored such that:

(1) eligible Customer Data can be retrieved; and

(2) new Customer Data can be input.

“Unavailability” or “Unavailable” refers to a state when Content Innovation Cloud is either (1) unresponsive or (2) responds with an error, and thereby prevents all users from accessing Content Innovation Cloud.

Service Level Commitments

Table 1: Monthly Uptime Percentages

	STANDARD
Monthly Uptime Percentage	99.5%
Applicable Credit	5% of the Monthly Fee

Table 2: Business Continuity

	STANDARD
Recovery Point Objective (RPO)	24 Hours
Applicable Credit	15% of the Monthly Fee
Recovery Time Objective (RTO)	8 Hours
Applicable Credit	15% of the Monthly Fee

Service Level Commitment Terms

Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.

Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. Content Innovation Cloud does not use multiple AWS Regions. If Hyland delivers a Restoration Notice to Customer, Hyland shall restore Content Innovation Cloud within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).

Downtime Report. Following the occurrence of a Downtime event, upon request by the customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.

Exclusive Remedies Terms

Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.

Maximum Service Level Credit. Notwithstanding anything to the contrary, customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.

Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.

Termination Remedy. If Customer earns a service level credit either: (i) in three consecutive calendar months, or (ii) in four calendar months during any six consecutive month period; then Customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause or (i) or (ii) above is earned, terminate the Agreement.

Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a customer for any failure to meet the service level commitments set forth in this document.

System Maintenance

For the purposes of an Exclusion Event, system maintenance will not exceed 16 hours per month, subject to the following.

Maintenance Notifications. Hyland will notify Customer of system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication to Customer’s designated CSA.

Scheduled Maintenance. Hyland will notify Customer of scheduled maintenance that is expected to impact or potentially impact system availability or functionality. Such notification will typically be sent at least one week in advance, but in no event will such notice be sent less than 24 hours prior to the specified start time. Modifications or repairs to shared infrastructure or platform patching and upgrades, that is expected to impact or potentially impact Content Innovation Cloud availability is currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Any changes to the scheduled hours of maintenance will be communicated to each Customer via e-mail to Customer’s designated CSA, posted in the Content Innovation Cloud, or the status page.

Unscheduled Maintenance. Hyland will use reasonable efforts to notify Customer of unscheduled maintenance that is expected to impact or potentially impact Content Innovation Cloud availability or functionality. Such notification will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g. emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.

The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.

Hyland Experience Technical Support

Version

Effective May 3rd 2024

Download

HYLAND EXPERIENCE TECHNICAL SUPPORT

1 DEFINED TERMS

“Business Day” means any day other than Saturday, Sunday, or a legal holiday.

“Business Daily” means at least once per Business Day.

“Business Hour” means 8:00 a.m. to 6:00 p.m., in the time zone of the Hyland entity that Customer has contracted with for Hyland Experience, of a Business Day.

“Upgrades and Enhancements” means any and all new versions, improvements, modifications, upgrades, updates, fixes and additions to Hyland Experience that Hyland makes available to its end users generally to correct errors or deficiencies or enhance the capabilities of Hyland Experience, together with updates of the documentation to reflect such new versions, improvements, modifications, upgrades, fixes or additions; provided, however, that the foregoing shall not include new, separate product offerings, new modules or re-platformed software.

2 TECHNICAL SUPPORT

2.1 In General. Hyland will provide technical support for the functionality described in the Documentation of Customer’s production instance of Hyland Experience based on the level purchased by Customer.

2.1.1 Limitations. Technical support: (a) is provided in English-only; (b) only applies to the production instance; and (c) will only be provided during Business Hours unless otherwise stated herein.

2.1.2 Remote Work. Technical support will be performed remotely. Resources assigned to perform technical support may be employees or third-party contractors of Hyland or its’ affiliates, in each case located outside the United States. Unless otherwise agreed to by the parties in writing, Customer consents to such resources’ access to Customer’s Hyland Experience instance and related data during the provision of technical support.

2.2 Targets. In response to support cases submitted by Customer, Hyland will use reasonable efforts to: (a) resolve the support case, which may be effected by a reasonable workaround, correction, or modification; and (b) meet the targets described in the table below based upon the level Customer has purchased:

	Technical Support Levels
	Digital	Premier	Signature
Initial Response Target	N/A	P1 and P2: 60 minutes* P3 and P4: 1 Business Day P5 and P6: 2 Business Days	P1 and P2: 30 minutes* P3 and P4: 1 Business Hour P5 and P6: 4 Business Hours
Issue Update Frequency Target	N/A	P1 and P2: Hourly P3 - P6: 2 Business Days	P1 and P2: Conference bridge** P3 - P6: Business Daily

*Priority Level 1 and Level 2 must be reported to Hyland by phone for Hyland to meet the Initial Response Targets.

**Hyland will participate in a conference bridge to provide continual updates to Customer, provided Customer remains accessible for troubleshooting from the time Hyland initially responds to the support case.

2.3 Priority Levels. Hyland will respond to support cases based on the Priority Level Hyland determines is most applicable to each such support case. Hyland may modify its commitments for Priority Levels from time to time, provided, that, the level of technical support will not materially decrease during the term of a Product Subscription.

Priority Level	Description	Hyland Response
Level 1 (P1)	Total or substantial failure of Hyland Experience.	Hyland will match Customer’s effort, up to and including 24-hour days, 7 days a week.
Level 2 (P2)	All of Customer’s users are unable to access an entire portion of Hyland Experience.	Hyland will match Customer’s effort, up to and including 24-hour days, 7 days a week.
Level 3 (P3)	Hyland Experience is usable except there is an ongoing, system-wide, severe performance degradation.	Hyland will match Customer’s efforts during Business Days, up to 16 hours/day.
Level 4 (P4)	Hyland Experience is usable except a specific feature or functionality is not working.	Hyland will use reasonable efforts during Business Hours.
Level 5 (P5)	Hyland Experience is usable except for a trivial inconvenience.	Hyland will use reasonable efforts during Business Hours.
Level 6 (P6)	All other matters, including “how to” requests and questions about the Documentation.	Hyland will use reasonable efforts during Business Hours.

2.4 Customer Resources. To facilitate Hyland’s resolution of support cases, Customer agrees to the following. Failure by Customer to meet these commitments may impact Hyland’s ability to provide technical support.

2.4.1 Sponsor. Customer will assign a sponsor, who is the final escalation point for engaging with technical support. The sponsor will: (a) ensure that the appropriate Customer personnel are assigned and made available when necessary; (b) manage all Customer obligations described herein; and (c) coordinate all key departmental decision makers, technical experts, subject matter experts, end user representatives and third-party software application resources.

2.4.2 Technical Contacts. Customer will designate specific Users as “Technical Contacts.” Technical Contacts must have a working knowledge of Hyland Experience and the overall environment; typically, Technical Contacts are Customer’s designated system administrators. Hyland may provide Technical Contacts with access to the online support portal via a unique login. Technical Contacts are exclusively responsible for submitting support cases and engaging in interactions with the Hyland technical support team. Customer permits Hyland to communicate with the Technical Contacts as necessary to provide technical support.

2.4.3 Additional Subject Matter Experts. Customer will engage the appropriate business process owners and subject matter experts, who are thoroughly knowledgeable about the current business practices in their respective areas, including vendor resources, interface specialists, technical experts, and/or subject matter experts for third-party system(s) with which Hyland Experience will integrate or from which content will be migrated.

2.4.4 Updates. Customer will notify Hyland of Customer personnel changes to the extent personnel changes impact the performance of Hyland’s obligations. Such designees may be changed at any time by notice from Customer to their applicable Customer Support Manager, Account Manager, or Technical Account Manager.

2.5 Reporting Policies and Procedures.

2.5.1 Reporting Requirements. When requesting technical support, Customer’s Technical Contacts must submit the support case via Hyland’s secure end user website (currently www.hyland.com/community). Once such support case is submitted through the end user website, if Customer is experiencing a Level 1 or Level 2 Priority Level, Customer is advised to call Hyland’s support team after submitting the support case (support numbers are available through Hyland’s secure end user website). Hyland shall have no obligation to provide technical support, by any means, to any entity or individual other than the designated Technical Contacts.

2.5.2 Assistance. To resolve an error, Hyland must be able to reproduce the error. Therefore, Customer will provide Hyland with as much information and access to systems as reasonably possible to enable Hyland to investigate and attempt to identify and verify the error. Customer will work with Hyland support personnel as reasonably needed. Customer will notify Hyland of any configuration changes it has made, such as workflow configuration changes, network installation/expansion, integrations, upgrades, relocations, etc.

2.5.3 Hyland Response Procedures. Hyland will use reasonable efforts to meet the Initial Response Targets set forth in the table above based upon the confirmed Priority Level. Initial Response Targets are measured from when the Customer’s Technical Contact submits the support case to when Hyland first attempts to contact the Customer’s Technical Contact regarding such case. Hyland’s initial response may include questions seeking to clarify the issue or gather information regarding the cause of the issue. Hyland may be unable to start resolving the issue before receiving such additional information. At Hyland’s reasonable discretion, the Priority Level of a case may be updated based on the information provided to align with the Priority Level definitions.

2.5.4 Update, Upgrade, Change or Replacement of Components. To resolve a support case, Hyland may: (1) update the build or version of Hyland Experience; or (2) change, replace, update or upgrade the Hyland-provided hardware or software components, in each case, at Hyland’s discretion and expense.

2.6 Excluded Errors. Hyland is not responsible for providing, or obligated to provide, technical support:

(1) in connection with any errors, defects, or issues that were caused, in whole or in part, from any: (a) alteration, revision, change, enhancement, or modification; or (b) configuration of a component that was done by a party other than Hyland or a party retained by Hyland to perform the configuration;

(2) if Hyland has previously made available a reasonable workaround, correction, or modification which Customer has failed to implement;

(3) in connection with any software, hardware, system, or computer networking that is not provided by Hyland;

(4) in connection with any Work Products (as defined in the Underlying Agreement or the applicable agreement such Work Products were provided under, as applicable);

(5) in connection with any questions related to the operation or use of application programming interfaces (APIs); or

(6) if any party other than Hyland, or an authorized subcontractor specifically selected by Hyland, has provided any services in the nature of technical support to Customer (items (1)-(6), “Excluded Errors”).

2.7 Voluntary Support. In its efforts to be a supportive vendor, Hyland may assist Customer in troubleshooting and resolving Excluded Errors, but such assistance is beyond Hyland’s obligations (contractual or otherwise). Hyland may cease providing ongoing assistance with Excluded Errors at any time.

2.8 Upgrades and Updates.

2.8.1 Upgrades and Enhancements. Hyland will provide, in accordance with Hyland’s then current policies, as set forth from time to time on Hyland’s secure end user web site, all Upgrades and Enhancements, if and when released during the term of the Agreement.

2.8.2 Regulated Products. Customer acknowledges and agrees that for regulatory compliance purposes, Customer may be required to engage Hyland under a Services Proposal to implement Upgrades and Enhancements to a regulated product. If Hyland offers a self-service option for implementing Upgrades and Enhancements to a regulated product, and the Customer chooses this option, Customer agrees to comply with the training, reporting, and documentation requirements established by Hyland to ensure that the implementation is performed and documented as required by applicable regulations.

2.8.3 Update, Upgrade, Change or Replacement of Components. Hyland may update or upgrade the build or version of the software used in Hyland Experience from time to time at Hyland’s expense. Hyland also may change, replace, update or upgrade the physical hardware and infrastructure or any composite software layers which Hyland uses to provide Hyland Experience, in each case, whether owned by Hyland or a third party. Customer agrees to collaborate with Hyland and assist Hyland in connection with the completion of installation and testing of any update or upgrade. Notwithstanding the foregoing, Customer acknowledges that it is Customer’s responsibility to ensure that Customer is running a Cloud Compatible Version of Hyland Experience in accordance with Hyland’s Cloud Software Version Policy available at Hyland’s end user website; Customer’s failure to comply with Hyland’s Cloud Software Version Policy shall be considered a material breach of the Agreement.

[The most current version of this page shall be such in effect as of 11:59 p.m. ET of the date stamped on such online version.]

Hyland Experience Security

Version

Effective May 3rd 2024

Download

HYLAND EXPERIENCE SECURITY

For Hyland Experience, Hyland maintains and manages a comprehensive written security program that is designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Such program includes the following:

1 Risk Management

1.2 Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.

2 Information Security Program

2.2 Reviewing and updating such policies annually.

3 Organization of Information Security. Assigning security responsibilities to appropriate individuals or groups to facilitate protection of Hyland Experience and associated assets.

4 Human Resources Security

4.1 Requiring all Hyland employees to undergo a comprehensive screening during the hiring process.

4.2 Performing background checks and reference validation to determine whether candidate qualifications are appropriate for the proposed position.

4.3 Subject to any restrictions imposed by applicable law and based on jurisdiction, conducting criminal background checks, employment validation, and education verification as applicable.

4.4 Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to Hyland Experience or Customer Data.

4.6 Upon Hyland employee separation or change in roles, ensuring any Hyland employee’s access to Hyland Experience is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.

5 Asset Management

5.1 Ensuring Customer Data is encrypted and stored in a secure location subject to strict physical access controls.

5.3 Note: Hyland Experience is hosted in the Amazon Web Services (AWS) Cloud where security and compliance are shared responsibilities between AWS and Hyland. AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates, including media handling and decommissioning. AWS Device Management Controls can be found here: https://aws.amazon.com/compliance/data-center/controls/#Device_Management

6 Access Controls

7 System Boundaries

7.1 Note: Hyland is not responsible for any system components that are not within Hyland Experience, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties.

7.2 Note: The processes executed within Hyland Experience are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole.

7.3 Note: Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for Hyland Experience, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Experience configuration changes, processing that occurs within Hyland Experience, user authorization, and file transfers.

8 Encryption

8.1 Ensuring Customer Data shall only be uploaded to Hyland Experience in a supported encrypted format such as TLS or other equivalent method.

8.2 Encrypting Customer Data at rest and in transit over public networks.

9 Operations Security

9.2 Making scheduled configuration changes that are expected to impact Customer access to Hyland Experience during a planned maintenance window. Note: Hyland may make configuration changes that are not expected to impact Customer during normal business hours.

9.3 Utilizing technologies that are configured to meet common industry standards designed to protect the Customer Data within Hyland Experience from virus infections or similar malicious payloads.

9.4 Implementing disaster recovery and business continuity procedures in accordance with the applicable Service Level purchased by Customer.

9.5 Maintaining security logs for one year.

9.6 Maintaining system hardening requirements and configuration standards for components deployed within Hyland Experience.

9.7 Conducting vulnerability scans on a regular basis and remediating in a timely manner. In the event any security patch would materially adversely affect Hyland Experience, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect Hyland Experience. Upon written request, Hyland will provide an executive summary report of its most recent external vulnerability scan.

9.8 Conducting external penetration tests at least annually against an instance of Hyland Experience that is representative of the configuration used by Customers generally and making an executive summary of the most recent penetration test to Customer upon request.

9.9 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct a penetration test against a Hyland Experience website, setup by Hyland, that is authorized for penetration testing , provided: (1) Customer submits a Penetration Testing Authorization form in advance; (2) prior to conducting such testing, Hyland and Customer mutually agree upon the timing, scope, and price, (3) such testing is at Customer’s sole cost and expense; and (4) if Customer engages a third-party to assist with such testing, the third-party must first be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Note: Any testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of Hyland Experience; and Customer is prohibited from distributing or publishing the results of such penetration testing without Hyland’s prior written approval.

9.10 Maintaining a 24/7 security operations center.

10 Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors and evaluating critical vendors on an annual basis.

11 Security Incident Response

11.3 If Hyland has determined Customer’s instance of Hyland Experience has been negatively impacted by a security incident, delivering a root cause analysis summary. Such notice will not be unreasonably delayed but will occur after initial corrective actions have been taken to contain the security threat or stabilize Hyland Experience.

11.4 The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take to prevent further issues. Hyland Experience information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the applicable Hyland Cloud support team must be submitted and handled on a case-by-case basis to protect the confidentiality and security of the requested information.

12 Information Security Aspects of Business Continuity Management

12.1 Maintaining a business continuity and disaster recovery plan.

12.2 Reviewing and testing the business continuity and disaster recovery processes annually.

13 Audits and Assessments

13.1 Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.

13.2 Maintaining a periodic external audit program. Completed attestations are provided to Customer upon written request.

13.3 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) of Hyland’s operations that participate in the ongoing delivery and support of Hyland Experience (each, a “Security Inquiry”), provided, that:

(b) Hyland and Customer mutually agree upon the timing, scope, fees (if any), and criteria of such Security Inquiry;

(d) Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; and

[This version shall be in effect as of 11:59 p.m. ET of the date stamped on such online version.]

Hyland Experience Service Levels

Version

Effective April 19th 2024

Download

Hyland Experience Service Levels

Service Level Agreements (“SLA”) described in this document pertain to the availability of Hyland Experience. This document does not address Support Services.

Service Level Definitions

“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that Hyland Experience is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).

“Exclusion Event” means any of the following occurrences:

System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.
Failure of a customer’s or user’s equipment or facilities.
Acts or omissions of a customer or its user, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by the customer to provide services to the customer or its users related to Hyland Experience, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the customer or any third-party vendor to the customer, or (d) any unauthorized use or access by the customer or any of its users;
The occurrence of a force majeure event.
Internet failure or congestion.
Failure of equipment or systems not within Hyland Experience, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the customer; or
Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).

“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.

“Monthly Fees” is the portion of the recurring fees for Hyland Experience attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.

Monthly Uptime Percentage. is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.

“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the customer’s data must have been stored within Hyland Experience to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Hyland Cloud Service for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.

“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time Hyland Experience has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).

“Restoration” occurs once access to Hyland Experience has been restored such that:

(1) eligible Customer Data can be retrieved; and

(2) new Customer Data can be input.

“Unavailability” or “Unavailable” refers to a state when Hyland Experience is either unresponsive or responds with an error, thereby preventing access. For clarification: if certain features or functions within Hyland Experience are unavailable while other features remain accessible, this will not be considered “Unavailability,” so long as the unavailable features or functions do not, when combined, significantly hinder the Customer’s use of Hyland Experience.

Service Level Commitments

Table 1: Monthly Uptime Percentages

	STANDARD
Monthly Uptime Percentage	99.5%
Applicable Credit	10% of the Monthly Fee

Table 2: Business Continuity

	STANDARD
Recovery Point Objective (RPO)	24 Hours
Applicable Credit	25% of the Monthly Fee
Recovery Time Objective (RTO)	8 Hours
Applicable Credit	25% of the Monthly Fee

Service Level Commitment Terms

Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.

Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. Hyland Experience does not use multiple AWS Regions. If Hyland delivers a Restoration Notice to Customer, Hyland shall restore Hyland Experience within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).

Downtime Report. Following the occurrence of a Downtime event, upon request by the customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.

Exclusive Remedies Terms

Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.

Maximum Service Level Credit. Notwithstanding anything to the contrary, customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.

Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.

Termination Remedy. If Customer earns a service level credit either: (a) in two consecutive calendar months, or (b) in three calendar months during any six consecutive month period; then the customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause or (a) or (b) above is earned, terminate the subscription to Hyland Experience.

Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a customer for any failure to meet the service level commitments set forth in this document.

System Maintenance

For the purposes of the Service Level Commitment, Scheduled Maintenance is defined as:

Hyland Scheduled Maintenance Windows. Modifications or repairs to shared infrastructure or platform patching and upgrades that are expected to impact or potentially impact Hyland Experience availability is currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Hyland expects that scheduled system maintenance will not exceed 16 hours per month.

Hyland will notify Customer of scheduled system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication. Customers must subscribe to the status page to receive notifications. Hyland will use reasonable efforts to notify Customer of unscheduled system maintenance that is expected to impact or potentially impact system availability or functionality. Such notifications will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g., emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.

[This document will be effective 11:59 p.m. (ET) on the day it is published.]

Hyland Insight Pilot Program

Version

Effective November 22nd 2024

Download

ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO HYLAND INSIGHT PILOT PROGRAM

1. INTEGRATION. As stated in the Hyland Experience Terms of Use presented to Customer prior to use of Hyland Experience, these terms (including the General Terms Schedule and Hyland Experience Schedule) govern any use of Hyland Experience as part of the Hyland Insight Pilot Program. Accordingly, any signed Master Agreement or document of similar import, in either case, which does not explicitly state that it governs the Customer’s use of Hyland Experience as part of the Hyland Insight Pilot Program shall have no force or effect with respect to Customer’s use of Hyland Experience as part of the Hyland Insight Pilot Program.

2. INCREASED LIABILITY FOR CUSTOMER DATA. IN THE CASE OF AN UNAUTHORIZED DISCLOSURE OF OR ACCESS TO CUSTOMER DATA AS A RESULT OF CUSTOMER'S PARTICIPATION IN THE HYLAND INSIGHT PILOT PROGRAM FOR WHICH A CLAIM AGAINST HYLAND (OR ANY OF ITS AFFILIATES OR SUPPLIERS) ARISES, THE MAXIMUM LIABILITY OF HYLAND (INCLUDING ITS AFFILIATES AND SUPPLIERS), WHETHER IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), OR ANY OTHER LEGAL OR EQUITABLE THEORY, SHALL IN NO EVENT EXCEED $100,000.00 USD.

3. SECURITY AND SUPPORT. The Hyland Insight Pilot Program is an AI-powered pilot and beta-testing program where Customer will provide feedback on, and Hyland will add or modify the functionality of, Hyland Experience. Accordingly, notwithstanding anything to the contrary, the Hyland Experience Technical Support and Hyland Experience Security terms included in the Hyland Experience Guide do NOT apply to use of Hyland Experience as part of the Hyland Insight Pilot Program.

4. TERMINATION; RETURN OF DATA. The term of the Hyland Insight Pilot Program commences on the Effective Date and continues until the earlier of Hyland’s declaration, at its sole discretion, that the program has ended, or termination of Customer’s enrollment in the program by either party immediately upon written notice to the other party. Notwithstanding anything to the contrary, upon termination of the Hyland Insight Pilot Program, Hyland will delete all Customer Data uploaded to Hyland Experience as part of the Hyland Insight Pilot Program.

5. DATA PROCESSING. Notwithstanding anything to the contrary, where Customer Data includes Personal Data, Hyland will process such Personal Data in accordance with the following Data Processing Addendum.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) applies when Customer provides Personal Data to Hyland as part of the Hyland Insight Pilot Program.

1. DEFINITIONS

"Data Protection Law(s)" means any applicable law, regulation, legislation, or directive applicable to the Processing of Personal Data.

“Data Subject” means a natural person as defined by applicable Data Protection Law.

“Customer Personal Data” means any Personal Data submitted by or on behalf of Customer to Hyland pursuant to the Hyland Insight Pilot Program Agreement.

“Personal Data” means any individually identifiable information relating to a natural person which is protected under applicable Data Protection Law.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or access to Customer Personal Data.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sub-Processor,” means an entity that Processes Personal Data at the request of Hyland.

2. HYLAND’S PROCESSING OF PERSONAL DATA

2.1 Instructions for Processing Personal Data. Hyland shall only Process Customer Personal Data for the purposes set forth in the Agreement and in accordance with Appendix A, unless otherwise required by law. Hyland will not "sell" or "share" any Personal Data as defined in applicable Data Protection Laws.

2.2 Duration of Processing. Hyland shall Process Personal Data only for the duration set out in Appendix A.

3. HYLAND’S SAFEGUARDS FOR PERSONAL DATA

3.1 Physical, Technical and Organizational Safeguards. Hyland shall maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, disclosure, or access.

3.2 Processing by Sub-Processors. Hyland shall only engage the Sub-Processors listed in Appendix A, which may be updated without amendment to this Agreement upon notice to Customer. Hyland has entered into a written agreement with each Sub-Processor containing data protection obligations to protect Customer Personal Data no less protective than the protections set forth in this Data Processing Addendum.

3.3 Confidentiality of Personal Data. Hyland shall treat Customer Personal Data as confidential and ensure that Hyland's personnel (including independent contractors) who have access to the Customer Personal Data: (i) have entered into appropriate contractually binding confidentiality undertakings; (ii) are informed of the confidential nature of Customer Personal Data; and (iii) have received appropriate training related to Customer Personal Data.

3.4 Return or Deletion of Personal Data. Upon termination of the Agreement or upon request of Customer, whichever occurs first, Hyland shall delete all Customer Personal Data in Hyland’s possession or control. This provision shall apply to Customer Personal Data that is in the possession of Hyland, its subcontractors, and its agents. If Hyland determines that deleting the Customer Personal Data is infeasible, then Hyland shall: (a) notify Customer of the conditions that make deletion infeasible and (b) extend the protections of the Agreement to such Customer Personal Data and limit further uses and disclosures of such Customer Personal Data to those purposes that make the deletion infeasible for so long as Hyland maintains such Customer Personal Data.

3.5 Requests Directed to Hyland. To the extent legally permitted, Hyland will notify Customer without undue delay following its receipt of any actual or purported request from (or on behalf of) a Data Subject exercising his rights under Data Protection Laws ("Data Subject Request"). Hyland will cooperate with and provide any necessary assistance to Customer in responding to any such Data Subject Requests, insofar as possible and taking into account the nature of Hyland's Processing and the Personal Data available to Hyland.

3.6 Reporting a Personal Data Breach. Hyland will notify the Customer without undue delay upon becoming aware of a Personal Data Breach. Hyland will take reasonable efforts to identify the cause of such Personal Data Breach and take the steps that Hyland deems necessary and reasonable to remediate the cause of the Personal Data Breach. Any notification by Hyland under this subsection shall not be construed as an admission of fault by Hyland.

3.7 Notification of Processing. Hyland will notify Customer should Hyland determine that it can no longer meet its obligations under Data Protection Laws with respect to the Personal Data it receives or has access to in meeting its obligations under the agreement.

4. CUSTOMER OBLIGATIONS FOR PERSONAL DATA

4.1 Customer shall ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Customer Personal Data to Hyland; (ii) prevent or restrict it from granting Hyland access to the Customer Personal Data; and/or (iii) prevent or restrict Hyland from Processing the Customer Personal Data, in each case as required for Hyland to perform the Hyland Insight Pilot Program or as otherwise permitted in the applicable Hyland agreement.

4.2 Customer shall ensure all required consents and approvals have been obtained and all fair processing or other required notices or disclosures have been given and are sufficient in scope to enable Hyland to Process the Customer Personal Data in accordance with applicable Data Protection Laws.

Appendix A

Subject Matter and Duration of the Processing	The subject matter of the Processing is Hyland’s fulfilment of its obligations under the Hyland Insight Pilot Program Agreement. The duration of the Processing is the term of the Hyland Insight Pilot Program Agreement, and any exit period, if applicable.
Categories of Data Subjects whose Personal Data is Processed	Any Data Subject whose Personal Data is transferred to Hyland under the Hyland Insight Pilot Program Agreement, which could include the following categories: Customer Employees (Past, potential, present and future staff of Customer) Customer Vendors (Past, present and potential advisors, consultants, vendors, contractors, subcontractors and other professionals engaged by Customer and related staff.) Customers End Users (Past, present and potential users of Customer services or products)
Nature and Purpose of the Processing	The purpose of the Processing is to provide the Hyland Insight Pilot Program and otherwise for Hyland’s fulfilment of its obligations under the Hyland Insight Pilot Program Agreement. The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Categories of Personal Data Processed	Any Personal Data submitted by Customer to Hyland under the Hyland Master Agreement.
Sub-Processors	Amazon Web Services, Inc. Snowflake Inc. DataDog, Inc. MongoDB, Inc. Pendo.io Inc. Hyland Software, Inc. Affiliated Companies

[The most current version of this page shall be such in effect as of 11:59 p.m. ET of the date stamped on such online version.]

Severity Level	Description	Hyland Response
Level 1	“Level 1” means any error or issue in the Hyland Experience Service that causes total or substantial Hyland Experience Service failure, which means that the Hyland Experience Service is down and Customer is unable to access the Hyland Experience Service in any way.	Upon receiving notification from Customer, Hyland’s support Team Leader will immediately notify a support Manager. Within thirty (30) minutes, the Manager will notify a member of Senior Management or a Vice President. To provide a Resolution, Hyland will work up to and including 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution.
Level 2	“Level 2” means an error or issue in the Hyland Experience Service that causes substantial Hyland Experience Service failure which prevents a portion of Customer’s users from accessing the Hyland Experience Service in any way.	Upon receiving notification from Customer, Hyland’s support Team Leader will notify a support Manager within sixty (60) minutes. Within two (2) hours, the Manager will notify a member of Senior Management or Vice President. To provide a Resolution, Hyland will work up to 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution.
Level 3	“Level 3” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service causes an ongoing, system-wide, severe performance degradation.	To provide a Resolution, Hyland will work up to 5 days/week, 16 hours/day, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution.
Level 4	“Level 4” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service prevents a specific feature or functionality from working.	To provide a Resolution, Hyland will use commercially reasonable efforts during regular support hours.
Level 5	“Level 5” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service causes a trivial inconvenience and the task can be completed in another way.	Standard Hyland Experience Service Support.
Level 6	“Level 6” means Technical Support Services.	Standard Hyland Experience Service Support.

Service Classes	Silver
Monthly Uptime Percentage	99%
Applicable Credit Determinations	Less than 99% 15% of the Monthly Fees for the Hyland Cloud Service for the calendar month in which the downtime began

Contracts

Built on Workday

Effective April 18th 2025

Table of Contents

Content Federation Services

Effective April 18th 2025

Table of Contents

Security

Effective April 18th 2025

Table of Contents

Service Levels

Effective April 18th 2025

Table of Contents

Third-Party AI Model Providers

Effective April 18th 2025

Table of Contents

Hyland Experience Technical Support

Effective May 3rd 2024

Table of Contents

Effective March 30th 2021 to May 3rd 2024

Table of Contents

Hyland Experience Security

Effective May 3rd 2024

Table of Contents

Effective March 30th 2021 to May 3rd 2024

Table of Contents

Hyland Experience Service Levels

Effective April 19th 2024

Table of Contents

Hyland Experience Service Levels

Service Level Definitions

Service Level Commitments

Table 1: Monthly Uptime Percentages

Table 2: Business Continuity

Service Level Commitment Terms

Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.

Exclusive Remedies Terms

System Maintenance

Effective March 30th 2021 to April 19th 2024

Table of Contents

Hyland Insight Pilot Program

Effective November 22nd 2024

Table of Contents

Effective November 7th 2024 to November 22nd 2024

Table of Contents