PST Cloud Service Content Innovation Cloud

Effective February 8, 2026

 

 

Content Innovation Cloud

Cloud Service

 

TERMS

 

1. If Customer purchases a Product Subscription for a Content Innovation Cloud application (the “Licensed Application”), Customer may also be given access to certain other Content Innovation Cloud applications (“Dependent Applications”) for limited, dependent functionality without Customer’s purchase of a Product Subscription for the Dependent Application. In this case, Customer may only use the Dependent Application in connection with the Licensed Application and cannot use the Dependent Application on a stand-alone basis.

 

2. Content Innovation Cloud Application-Specific Terms.

 

2.1 Built on Workday:  If Customer has purchased the Product integration with Workday (as identified on an Order Form), then Customer will be required to accept the Built on Workday Terms (currently, https://developer.workday.com/terms/builtonworkdaycustomer), which will be provided by Workday to the Customer prior to downloading and using the Built on Workday App. The Customer agrees that it has the authority to agree to the Built on Workday Terms from Workday notwithstanding anything in Customer’s agreement with Workday.  

 

3. Security Administrator. Customer shall designate its Customer Security Administrator. “Customer Security Administrators” (also referred to as “CSA(s)”) are individuals designated by Customer who are authorized to submit configuration change requests, speak authoritatively on behalf of Customer’s Product and shall receive and provide, as applicable, all notifications related to maintenance, security, service failures and the like. If Customer fails to designate the initial CSA, Hyland may at its option, designate the initial CSA as the individual who executed the Agreement on behalf of Customer.   

 

4. Security. Hyland maintains and manages a comprehensive written security program that is designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Such program includes the following:

 

4.1. Risk Management.

 

4.1.1 Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Product.

 

4.1.2 Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.

 

4.2. Information Security Program.

 

4.2.1 Maintaining a documented comprehensive information security program that includes policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards. Such information security program shall include, as applicable: (a) adequate physical and cyber security where Customer Data will be processed and/or stored; and (b) reasonable precautions taken with respect to Hyland personnel employment.

 

4.2.2 Reviewing and updating such policies annually.

 

4.3 Organization of Information Security. Assigning security responsibilities to appropriate individuals or groups to facilitate protection of the Product and associated assets.

 

4.4. Human Resources Security.

 

4.4.1 Requiring all Hyland employees to undergo a comprehensive screening during the hiring process.

 

4.4.2 Performing background checks and reference validation to determine whether candidate qualifications are appropriate for the proposed position.

 

4.4.3 Subject to any restrictions imposed by applicable law and based on jurisdiction, conducting criminal background checks, employment validation, and education verification as applicable.

 

4.4.4 Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Product or Customer Data.

 

4.4.5 Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.

 

4.4.6 Upon Hyland employee separation or change in roles, ensuring any Hyland employee’s access to the Product is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.

 

4.5. Asset Management.

 

4.5.1 Ensuring Customer Data is encrypted and stored in a secure location subject to strict physical access controls.

 

4.5.2 Maintaining asset and information management policies and procedures, including ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.

 

4.5.3 Note: The Product is hosted in the Amazon Web Services (AWS) Cloud where security and compliance are shared responsibilities between AWS and Hyland. AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates, including media handling and decommissioning. AWS Device Management Controls can be found here: https://aws.amazon.com/compliance/data-center/controls/#Device_Management .

 

4.6. Access Controls.

 

4.6.1 Maintaining an access policy and corresponding procedures. The access procedures will define the request, approval, and access provisioning process for Hyland personnel. The access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases.

 

4.6.2 Documenting procedures for: (a) onboarding and offboarding Hyland personnel users in a timely manner; and (b) Hyland personnel user inactivity threshold leading to account suspension and removal threshold.

 

4.6.3 Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under the Agreement. For such Hyland employees, Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary.” Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.

 

4.6.4 Ensuring access controls are in place for Customer Data access by Hyland. Note: Customer controls its users’ access, users’ permissions, and Customer Data retention to the extent such controls are available to Customer.

 

4.7. System Boundaries.

 

4.7.1 Note: Hyland is not responsible for any system components that are not within the Product, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties.

 

4.7.2 Note: The processes executed within the Product are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole.

 

4.7.3 Note: Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Product, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. Examples of business processes that cross these boundaries include, but are not limited to, the Product configuration changes, processing that occurs within the Product, user authorization, and file transfers.

 

4.8. Encryption.

 

4.8.1 Ensuring Customer Data shall only be uploaded to the Product in a supported encrypted format such as TLS or other equivalent method.

 

4.8.2 Encrypting Customer Data at rest and in transit over public networks.

 

4.8.3 Note: Where use of encryption functionality may be controlled or modified by Customer and Customer elects to modify its use of or turn off any encryption functionality, Customer does so at its own risk.

 

4.9. Operations Security.

 

4.9.1 Maintaining change management controls to ensure changes made by Hyland to production systems are properly authorized and reviewed prior to implementation. Note: Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or Hyland. If Customer requests Hyland to implement changes on its behalf, such request must be in writing and submitted by Customer’s designated Authorized Customer Administrators via a support case or set forth in a separate agreement.

 

4.9.2 Making scheduled configuration changes that are expected to impact Customer access to the Product during a planned maintenance window. Note: Hyland may make configuration changes that are not expected to impact Customer during normal business hours.

 

4.9.3 Utilizing technologies that are configured to meet common industry standards designed to protect the Customer Data within the Product from virus infections or similar malicious payloads.

 

4.9.4 Implementing disaster recovery and business continuity procedures in accordance with the applicable Service Level purchased by Customer.

 

4.9.5 Maintaining security logs for one year.

 

4.9.6 Maintaining system hardening requirements and configuration standards for components deployed within the Product.

 

4.9.7 Conducting vulnerability scans on a regular basis and remediating in a timely manner. In the event any security patch would materially adversely affect the Product, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Product. Upon written request, Hyland will provide an executive summary report of its most recent external vulnerability scan.

 

4.9.8 Conducting external penetration tests at least annually against an instance of the Product that is representative of the configuration used by Customers generally and making an executive summary of the most recent penetration test available to Customer upon request.

 

4.9.9 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct a penetration test against a Product website, set up by Hyland, that is authorized for penetration testing, provided: (1) Customer submits a Penetration Testing Authorization form in advance; (2) prior to conducting such testing, Hyland and Customer mutually agree upon the timing, scope, and price; (3) such testing is at Customer’s sole cost and expense; and (4) if Customer engages a third-party to assist with such testing, the third-party must first be cleared by Hyland and enter into a confidentiality agreement directly with Hyland in accordance with the Contractor Use Restrictions provision of the Agreement. Note: Any testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of the Product; and Customer is prohibited from distributing or publishing the results of such penetration testing without Hyland’s prior written approval.

 

4.9.10 Maintaining a 24/7 security operations center.

 

4.10. Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors and evaluating critical vendors on an annual basis.

 

4.11. Security Incident Response.

 

4.11.1 Employing incident response standards that are based upon applicable industry standards, such as ISO 27001 and National Institute of Standards and Technology (“NIST”), to maintain the information security components of the Product environment.

 

4.11.2 Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.

 

4.11.3 If Hyland has determined Customer’s instance of the Product has been negatively impacted by a security incident, delivering a root cause analysis summary. Such notice will not be unreasonably delayed but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Product.

 

4.11.4 The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take to prevent further issues. The Product information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the applicable Hyland Cloud support team must be submitted and handled on a case-by-case basis to protect the confidentiality and security of the requested information.

 

4.11.5 Notifying Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.

 

4.12. Information Security Aspects of Business Continuity Management.

 

4.12.1 Maintaining a business continuity and disaster recovery plan.

 

4.12.2 Reviewing and testing the business continuity and disaster recovery processes annually.

 

4.13. Audits and Assessments.

 

4.13.1 Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.

 

4.13.2 Maintaining a periodic external audit program. Completed attestations are provided to Customer upon written request.

 

4.13.3 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) of Hyland’s operations that participate in the ongoing delivery and support of the Product (each, a “Security Inquiry”), provided, that:

 

(a) the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request.

 

(b) Hyland and Customer mutually agree upon the timing, scope, fees (if any), and criteria of such Security Inquiry;

 

(c) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must either (at Hyland’s election) be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots;

 

(d) Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; and

 

(e) to the extent Customer desires to engage a third party to perform such Security Inquiry: (1) Hyland must approve of such third party in writing in advance, (2) Customer shall cause such third party to: (A) enter into a confidentiality agreement with Hyland in accordance with the Contractor Use Restrictions provision of the Agreement and (B) agree to abide by Hyland’s security standards, and (3) Customer shall manage the engagement with the third party and ensure the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Product.

 

Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, and Customer shall prohibit each third-party engaged to perform a Security Inquiry from distributing or publishing the results of such Security Inquiry without Hyland’s prior written approval. Notwithstanding anything to the contrary within the Agreement, nothing in the Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.

 

5. Service Levels.

 

5.1 Service Level Definitions.

 

“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that the Product is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).

 

“Exclusion Event” means any of the following occurrences:

 

(a) System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.

 

(b) Failure of a Customer’s or User’s equipment or facilities.

 

(c) Acts or omissions of a Customer or its Users, including but not limited to (a) performance or non-performance of any services by a User related to the Product, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the Customer or any third-party vendor to the Customer, or (d) any unauthorized use or access by the Customer or any of its Users;

 

(d) The occurrence of a force majeure event.

 

(e) Internet failure or congestion.

 

(f) Failure of equipment or systems not within the Product, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the Customer; or

 

(g) Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).

 

“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.

 

“Monthly Fees” is the portion of the Recurring Fees for the Product attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.

 

“Monthly Uptime Percentage”  is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.

 

“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the Customer’s data must have been stored within the Product to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Product for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.

 

“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time the Product has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).

 

“Restore” or “Restored” means that, except to the extent prevented by an Exclusion Event, access to the Product has been restored such that:

 

(a) eligible Customer Data can be retrieved; and

 

(b) new Customer Data can be input.

 

“Unavailability” or “Unavailable” refers to a state when the Product is either (1) unresponsive or (2) responds with an error, and thereby prevents all Users from accessing the Product.

 

5.2  Service Level Commitments.

 

Table 1: Monthly Uptime Percentages

STANDARD
Monthly Uptime Percentage: 99.5%
Applicable Credit: 5% of the Monthly Fee

Table 2: Business Continuity

STANDARD
Recovery Point Objective (RPO): 24 Hours
Applicable Credit: 15% of the Monthly Fee
Recovery Time Objective (RTO): 8 Hours
Applicable Credit: 15% of the Monthly Fee

 

5.3  Service Level Commitment Terms.

Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.

 

Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. The Product does not use multiple AWS Regions. If Hyland delivers a Failover Notice to Customer, Hyland shall restore the Product within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).

 

Downtime Report. Following the occurrence of a Downtime event, upon request by the Customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.

 

5.4  Credits.

 

Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the Customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.

 

Exclusions. The physical infrastructure of the Product is provisioned to Customer based on Customer’s Product Subscription which may be on a tier or volume basis. If Customer’s use of the Product exceeds the usage limits of Customer’s Product Subscription (“Excessive Use”), then the speed, availability, or number of API requests that Customer may make of the Product may be impacted. Customer will not earn a service level credit for Missed Uptime Percentages due to Excessive Use.

 

RPO and RTO. In the event an RPO or RTO during any calendar month is less than the applicable RPO or RTO set forth in Table 2 above, the Customer shall receive the applicable credit against the fees specified in Table 2 above.

 

Maximum Service Level Credit. Notwithstanding anything to the contrary, Customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.

 

Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.

 

Termination Remedy. If Customer earns a service level credit either: (i) in three consecutive calendar months, or (ii) in four calendar months during any six consecutive month period; then Customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause (i) or (ii) above is earned, terminate the Agreement.

 

Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a Customer for any failure to meet the service level commitments set forth in this document.

 

5.5. System Maintenance.

 

For the purposes of an Exclusion Event, system maintenance will not exceed 16 hours per month, subject to the following:

 

Maintenance Notifications. Hyland will notify Customer of system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication to Customer’s designated CSA.

 

Scheduled Maintenance. Hyland will notify Customer of scheduled maintenance that is expected to impact or potentially impact system availability or functionality. Such notification will typically be sent at least one week in advance, but in no event will such notice be sent less than 24 hours prior to the specified start time. Modifications or repairs to shared infrastructure, or platform patching and upgrades, that are expected to impact or potentially impact the Product availability are currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Any changes to the scheduled hours of maintenance will be communicated to each Customer via e-mail to Customer’s designated CSA, posted in the Product, or the status page.

 

Unscheduled Maintenance. Hyland will use reasonable efforts to notify Customer of unscheduled maintenance that is expected to impact or potentially impact the Product availability or functionality. Such notification will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g. emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.

 

 

 

 

The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.