This NON-DISCLOSURE AGREEMENT (“NDA”) governs the disclosure of information by SUMMIT TECHNOLOGY CONSULTING GROUP, LLC (“STG” or “the Company”), a Pennsylvania LLC with offices at 5050 Ritter Road, Mechanicsburg, PA 17055 to a Recipient as that term is described in this agreement and is effective immediately upon signature of the individual named below who is requesting the report as an individual or on behalf of a user entity as that term is described in this agreement.

Whereas McKonly & Asbury LLP (“M&A”) has conducted an examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that they plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is presented fairly, and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period

Whereas McKonly & Asbury LLP (“M&A”) has prepared a written report of their results (the “Report”) for the sole benefit and use of Summit Technology Consulting Group, LLC (“Company” or “STG”) that is intended solely for the information and use of STG, user entities of STG’s managed services and software development system during some or all of the period January 1, 2023 to September 30, 2023, and their independent auditors who audit and report on such user entities financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements;

and

Whereas the Recipient has requested a copy of the Report:

STG agrees to allow Recipient access to the Report subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement on behalf of your company, then “Recipient” or “you” also means your company. Your acceptance of these terms will bind your company to this agreement, and you attest that you have sufficient authority to bind your company in this manner. You also attest that you are not requesting this Report or behalf of another individual or company.

You, individually, and the Recipient agree to be bound by these terms and conditions. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than STG is prohibited, except as provided below.

Conditions of Access:

STG agrees to allow Recipient to access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:

1. Content and limitations: The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that the service auditor plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is fairly presented, and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period January 1, 2023 to September 30, 2023.

   a.  An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of controls involves:

   • Performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on the criteria in management’s assertion;
   • Assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description;
   • Testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved; and
   • Evaluating the overall presentation of the description, suitability of the control objectives stated in the description, and suitability of the criteria specified by the service organization in its assertion.

   b.  McKonly & Asbury LLP (“M&A”) has prepared a written report of their results (the “Report”) for the sole benefit and use of Summit Technology Consulting Group, LLC (“Company” or “STG”), is intended solely for the information and use of STG, user entities of STG’s managed services and software development system during some or all of the period January 1, 2023 to September 30, 2023, and their independent auditors who audit and report on such user entities financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these Recipients.

2. Degree of Care and Limitation of Use: Except where compelled by legal process (of which the Recipient shall promptly inform STG so that they may seek appropriate protection), the Recipient agrees it will not disclose, orally or in writing, this Report or any portion thereof; any other Confidential Information received in connection therewith; or make any reference to STG or this Report in connection therewith in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. Recipient agrees it will hold and store this information in keeping with storage of its own confidential information and in no case handle or store this information with less than reasonable care. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by the STG in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential either at the time of or within thirty (30) business days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
3. Term of Use: Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security or and other business policies, and related practices as may be referenced therein. This agreement does not create or imply an agreement to complete any transaction or an assignment by STG of any rights in its intellectual property.
4. Release of Claim: The Recipient (for itself and its successors) hereby releases each of the STG, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or McKonly & Asbury LLP’s performance of the Services.
5. Indemnity: The Recipient shall indemnify, defend and hold harmless these Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
6. Actions Required at Termination: Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.
7. Legal Action Requiring Disclosure: The Recipient may disclose Confidential Information pursuant to legal, judicial, or administrative proceeding or otherwise as required by law; provided that the Recipient shall give reasonable prior notice, if not prohibited by applicable law, to the Discloser and shall assist the Discloser, at Discloser’s expense, to obtain protective or other appropriate confidentiality orders, and further provided that a required disclosure of Confidential Information to an agency or Court does not relieve the Recipient of its confidentiality obligations with respect to any other party.
8. Governing Law: This NDA shall be governed by and construed in accordance with the laws of the Commonwealth of Pennsylvania, in the courts of Pennsylvania, without reference to conflict of laws principles. This NDA may not be amended except by in writing signed by authorized representatives of each party.
9. Injunctive Relief: Either party may, without waiving any remedy under this NDA, seek from any court of competent jurisdiction any interim or provisional relief that such party deems necessary to protect its Confidential Information and property rights
10. Validity: If any term or provision of this NDA is unenforceable, then the remainder of this NDA will not be affected, impaired, or invalidated, and the other terms and provisions of this NDA will be valid and enforceable to the fullest extent permitted by law.
11. Third Party Rights: Neither party shall communicate any information to the other in violation of the proprietary rights of any third party.
12. No Assignment: Neither party will assign or transfer any rights or obligations under this NDA without the prior written consent of the other party.
13. Notices: All notices or reports permitted or required under this NDA shall be in writing and shall be delivered by personal delivery, electronic mail, or by certified or registered mail, return receipt requested, and shall be deemed given upon personal delivery, five (5) days after deposit in the mail, or upon acknowledgment of receipt of electronic transmission. Notices shall be sent to the addresses set forth at the end of this NDA or such other address as either party may specify in writing.

This NON-DISCLOSURE AGREEMENT (“NDA”) governs the disclosure of information by SUMMIT TECHNOLOGY CONSULTING GROUP, LLC (“STG” or “the Company”), a Pennsylvania LLC with offices at 5050 Ritter Road, Mechanicsburg, PA 17055 to a Recipient as that term is described in this agreement and is effective immediately upon signature of the individual named herein who is requesting the report as an individual or on behalf of a user entity as that term is described in this agreement

Whereas McKonly & Asbury LLP (“M&A”) has conducted an examination in accordance with attestation standards established by the American Institute of Certified Public Accountants that require they obtain reasonable assurance about whether, in all material respects, STG has presented a description of its control environment in accordance with the description criteria and the controls stated therein were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.

Whereas McKonly & Asbury LLP (“M&A”) has prepared a written report of their results (the “Report”) for the sole benefit and use of STG, and for user entities of STG’s products and/or services during some or all of the period from January 1, 2023 to September 30, 2023, certain business partners of STG subject to risks arising from interactions with the STG in the provision of these services, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators (all parties listed and referenced collectively hereafter as “Recipient);

Whereas the Recipient has requested a copy of the Report:

STG agrees to allow Recipient access to the Report subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement on behalf of your company, then “Recipient” or “you” also means your company. Your acceptance of these terms will bind your company to this agreement, and you attest that you have sufficient authority to bind your company in this manner. You also attest that you are not requesting this Report or behalf of another individual or company.

You, individually, and the Recipient agree to be bound by these terms and conditions. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than STG is prohibited, except as provided below.

Conditions of Access:

STG agrees to allow Recipient to access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:

1. Content and limitations: The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. McKonly & Asbury LLP (“M&A”) has prepared a written report of their results (the “Report”) for the sole benefit and use of STG, for user entities of STG’s products and/or services during some or all of the period from January 1, 2023 to September 30, 2023, certain business partners of STG subject to risks arising from interactions with the STG in the provision of these services, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators (all parties listed and referenced collectively hereafter as “Recipient) who have sufficient knowledge and understanding of the following:
   • The nature of the service provided by the service organization,
   • How the service organization’s system interacts with user entities, business partners, and other parties,
   • Internal control and its limitations,
   • User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services,
   • The applicable trust services criteria,
   • The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks, and
   • Complementary user entity controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements.
   This report is not intended to be, and should not be, used by anyone other than these specified recipients.
2. Degree of Care and Limitation of Use: Except where compelled by legal process (of which the Recipient shall promptly inform STG so that they may seek appropriate protection), the Recipient agrees it will not disclose, orally or in writing, this Report or any portion thereof; any other Confidential Information received in connection therewith; or make any reference to STG or this Report in connection therewith in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. Recipient agrees it will hold and store this information in keeping with storage of its own confidential information and in no case handle or store this information with less than reasonable care. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by STG in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential either at the time of or within thirty (30) business days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
3. Term of Use: Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security or and other business policies, and related practices as may be referenced therein. This agreement does not create or imply an agreement to complete any transaction or an assignment by STG of any rights in its intellectual property.
4. Release of Claim: The Recipient (for itself and its successors) hereby releases each of STG, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or McKonly & Asbury LLP’s performance of the Services.
5. Indemnity: The Recipient shall indemnify, defend and hold harmless these Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
6. Actions Required at Termination: Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.
7. Legal Action Requiring Disclosure: The Recipient may disclose Confidential Information pursuant to legal, judicial, or administrative proceeding or otherwise as required by law; provided that the Recipient shall give reasonable prior notice, if not prohibited by applicable law, to the Discloser and shall assist the Discloser, at Discloser’s expense, to obtain protective or other appropriate confidentiality orders, and further provided that a required disclosure of Confidential Information to an agency or Court does not relieve the Recipient of its confidentiality obligations with respect to any other party.
8. Governing Law: This NDA shall be governed by and construed in accordance with the laws of the Commonwealth of Pennsylvania, in the courts of Pennsylvania, without reference to conflict of laws principles. This NDA may not be amended except by in writing signed by authorized representatives of each party.
9. Injunctive Relief: Either party may, without waiving any remedy under this NDA, seek from any court of competent jurisdiction any interim or provisional relief that such party deems necessary to protect its Confidential Information and property rights
10. Validity: If any term or provision of this NDA is unenforceable, then the remainder of this NDA will not be affected, impaired, or invalidated, and the other terms and provisions of this NDA will be valid and enforceable to the fullest extent permitted by law.
11. Third Party Rights: Neither party shall communicate any information to the other in violation of the proprietary rights of any third party.
12. No Assignment: Neither party will assign or transfer any rights or obligations under this NDA without the prior written consent of the other party.
13. Notices: All notices or reports permitted or required under this NDA shall be in writing and shall be delivered by personal delivery, electronic mail, or by certified or registered mail, return receipt requested, and shall be deemed given upon personal delivery, five (5) days after deposit in the mail, or upon acknowledgment of receipt of electronic transmission. Notices shall be sent to the addresses set forth at the end of this NDA or such other address as either party may specify in writing.