UPSTREAM SECURITY SAAS LICENSE AGREEMENT


Last Updated: June 18, 2026

This Agreement (the “Agreement”) is entered into by and between Upstream Security Ltd., together with its affiliates (the “Upstream”) and you (the “Customer”) (each, a “Party” and collectively, the “Parties”). This Agreement shall be effective on the earliest of (a) Customer entering into an order form or similar form referencing or otherwise incorporating this Agreement; or (b) Customer’s use of the Data Platform and AutoThreat Platform (the “Effective Date”). If you are entering into this Agreement on behalf of your organization, that organization is deemed to be the Customer and you represent that you have the power and authority to bind that organization to this Agreement.

If Customer has purchased the license granted hereunder from a partner, reseller or distributor authorized by the Company (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order Form”), then, as between Customer and Company, this Agreement shall prevail. Any rights granted to Customer in such Partner Order Form which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not the Company.

  1. License. Subject to the terms and conditions of this Agreement, and Customer’s payment of applicable fees to Upstream and/or Upstream’s authorized resellers/partner (“Partner”), as applicable, Upstream hereby grants Customer a limited, non-exclusive, non-sublicensable, non-transferable, subscription based and revocable license to: (a) remotely access (i.e. on a SaaS basis) the Upstream security software (the “Data Platform”) and use it for internal purposes; and (b) remotely access and use Upstream’s AutoThreat intelligence platform, including any data provided thereunder, for internal purposes only (“AutoThreat Platform”). Unless otherwise indicated, the term “Data Platform” also includes the AutoThreat Platform, any AI Agent functionalities made available as part of, or in connection with, the Data Platform or AutoThreat Platform, and any documentation (“Documentation”) provided to Customer in connection with their operation and any application and integration component or other software provided or authorized by Upstream that enables connectivity, interoperability, or integration between the Data Platform and any third party application, platform, system or service. Customer may only use the Data Platform in accordance with the Documentation, subject to the use limitations indicated in Customer’s proposal or order (“Proposal”) or Partner Order Form (if purchased via Partner) and applicable laws.
  2. Services. In addition to the abovementioned licenses, Upstream may provide additional services and/or SOC services (the “Additional Services”) (collectively, the Additional Services, SOC Services with the licenses to the Data Platform, the “Services”). For removal of doubt, the SOC services will only be provided to the extent Customer’s license for the Data Platform is in effect (for clarity, the SOC services will not be provided to Customers that only purchased a license to the AutoThreat Platform).
  3. Payment. (a) This Section 3(a) shall apply to the extent Customer has purchased the license granted under Section 1 and the Services directly from Upstream. The provision of the Services is conditioned on Customer’s upfront payment in full of the applicable fees set forth in the Proposal. All fees and other amounts paid hereunder are non-refundable. Any amount not paid when required to be paid hereunder shall accrue interest at the rate of one and a half percent (1.5%) per month. All amounts payable under this Agreement are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties; (b) In case Customer purchased the license via Partner, the license granted hereunder and the related services are subject to the full payment of the applicable fees as set forth in the Partner Order Form. All payments shall be made directly to Partner, as agreed between Customer and Partner. Company may suspend or terminate Customer’s subscription to use the Data Platform if Company does not receive payment from the Partner, as a result of Customer not paying the corresponding amount to the Partner.
    Customer shall be responsible for setting up a monitoring system to monitor its use of the cloud platform and cloud services and all chargeable services thereunder. At Customer’s request, Upstream will assist Customer to set up such monitoring system based on the applicable required services for each cloud platform. This obligation shall not apply with respect to customer that only purchased a license to the AutoThreat Platform.
  4. Customer Account. The Data Platform may only be used through a Customer account (the “Account”). Such Account may be accessed solely by Customer’s employees or service providers who are explicitly authorized by Customer to use the Data Platform in accordance with the Proposal (each, a “Permitted User”). Customer will ensure that the Permitted Users keep the Account login details secure at all times and comply with the terms of this Agreement; and will be fully responsible for any breach of this Agreement by a Permitted User. Unauthorized access or use of the Account or the Data Platform must be immediately reported to the Upstream.
  5. Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Upstream, Customer must not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Data Platform (including any data provided and/or included thereof, including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer’s rights under this Agreement with any third party; (iii) use any “open source” or “copyleft software” in a manner that would require Upstream to disclose the source code of the Data Platform or Agent to any third party; (iv) disclose the results of any testing or benchmarking of the Data Platform to any third party; (v) disassemble, decompile, reverse engineer or attempt to discover the Data Platform’s source code or underlying algorithms; (vi) use the Data Platform in a manner that violates or infringes any rights of any third party, including but not limited to, privacy rights, publicity rights or intellectual property rights; (vii) remove or alter any trademarks or other proprietary notices related to the Data Platform; (viii) circumvent, disable or otherwise interfere with security-related features of the Data Platform or features that enforce use limitations; (ix) export, make available or use the Data Platform in any manner prohibited by applicable laws (including without limitation export control laws); and/or (x) transmit any malicious code (i.e., software viruses, Trojan horses, worms, malware or other computer instructions, devices, or techniques that erase data or programming, infect, disrupt, damage, disable, or shut down a computer system or any component of such computer system) or other unlawful material in connection with Upstream’s Product.
  6. Customer Data and Analytics Information. It is further agreed that any anonymous information, which is derived from the use of the Data Platform (i.e., metadata, aggregated and/or analytics information which is not personally identifiable information, including, without limitation, User Content, as defined below) (“Analytics Information”) may be used by Upstream for any purpose, including for providing the Service, for development and/or for statistical purposes. For the removal of doubt Upstream will be the exclusive owners of the Analytics Information. As Upstream operates the Services, Upstream may monitor and process data regarding the vehicles included in Customer’s vehicles fleet’s systems and network (the “Customer Data”). As the exclusive owner of the Customer Data, Customer hereby warrants, represents and covenants that to the extent the Customer Data includes any personally identifiable information and/or Personal Data as defined in the EU General Data Protection Regulation (“GDPR”), Customer has and will: i) provide all appropriate notices, ii) receive all the required informed consents and/or have any and all ongoing legal bases and permits, and iii) act in compliance with applicable privacy laws and data regulations (including, without limitation, the GDPR), as to allow Upstream to use the Customer Data solely in order to perform Upstream’s Services (including, without limitation, the provision of such data to Upstream (or access thereto) and the transfer of such data by Upstream to its affiliates, subsidiaries and subcontractors, including transfers outside of the European Economic Area), and not for any monetization purposes. 
Without limiting the generality of the foregoing, Upstream may be required to disclose the Customer Data: (a) to satisfy any applicable law, regulation, legal process, subpoena or governmental request; and/or (b) to collect, hold and/or manage the Customer Data through Upstream’s authorized third party service providers as reasonable for business purposes, which may be located in a country that does not have the same data protection laws as the data subject’s jurisdiction. Customer hereby further warrants and represents that to the extent that Customer needs a data processing agreement, Customer shall request by email to [email protected] Upstream’s Data Processing Agreement (“DPA”) and return it signed to Upstream as described therein. In the event Customer fails to comply with any data protection or privacy law or regulation, the GDPR and/or any provision of the DPA, and/or fails to return an executed version of the DPA to Upstream, then: (a) to the maximum extent permitted by law, Customer shall be solely and fully responsible and liable for any such breach, violation, infringement and/or processing of personal data without a DPA by Upstream and Upstream’s affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents); and (b) in the event of any claim of any kind related to any such breach, violation or infringement and/or any claim related to processing of personal data without a DPA, Customer shall defend, hold harmless and indemnify Upstream and Upstream’s affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents) from and against any and all losses, penalties, fines, damages, liabilities, settlements, costs and expenses, including reasonable attorneys’ fees.
  7. AI Capabilities. Customer may provide input to the Service (“Input”), and receive output from the services based on the Input (“Output”), and together the Input and Output are the “User Content”. As between the Parties and to the extent permitted under applicable law, Customer (a) retain all ownership rights in and to the Input, and (b) own all Output. Upstream hereby assigns to Customer all its right, title and interest, where relevant, in and to the Output. To the maximum extent permitted by law, Upstream shall have no liability to Customer with respect to the User Content, including, without limitation, liability with respect to: (i) any information (including Customer confidential information) contained in or apparent from any User Content; and/or (ii) any copyright infringement claim or another infringement claim by a third party in relation to or in connection with the User Content.
    Customer warrants, represents and covenants that: (i) it owns or has a valid and enforceable license and all the necessary rights to use, submit or transmit all Input and use the Service; (ii) that no User Content infringes, misappropriates or violates or will infringe, misappropriate or violate, the rights (including, without limitation, any copyrights or other intellectual property rights) of any person or entity or any applicable law, rule or regulation of any government authority of competent jurisdiction; (iii) Customer shall not disseminate or distribute the User Content in breach of any applicable law or third party’s intellectual property rights or other rights.
    Customer may elect to use certain artificial intelligence agent functionalities made available by Upstream as part of, or in connection with, the Data Platform (the “AI Agent”). Customer acknowledges and agrees that the AI Agent may be made available through user interface tools used to interact with the AI Agent, including communication interfaces such as Slack, Microsoft Teams, email or similar channels (the “Interface Tools”), and may also access, connect to, interoperate with, or use Customer’s or any third party’s systems, assets, tools, applications, data sources or services (the “Connected Tools”, and together with the Interface Tools, the “Customer Approved Tools”). For the avoidance of doubt, Customer shall determine which Interface Tools and which Connected Tools are enabled, authorized or made available for use by or in connection with the AI Agent, and only those Interface Tools and Connected Tools expressly approved by Customer shall constitute Customer Approved Tools. Upstream’s Baseline Configuration shall not, in and of itself, enable, authorize or designate any Interface Tools or Connected Tools for Customer except to the extent expressly approved by Customer. Upstream may provide a baseline configuration for the AI Agent as made generally available by Upstream in connection with the Services (the “Baseline Configuration”). To the extent Customer elects to use the AI Agent, Customer shall be solely responsible for defining, approving and maintaining any Customer-specific configuration, administration, instructions, integrations, customizations or modifications to the AI Agent, including in connection with the Customer Approved Tools. Upstream may implement such configuration and integrations on Customer’s behalf solely in accordance with Customer’s instructions, and Customer shall remain solely responsible for those instructions and related configuration choices. 
Customer shall also be solely responsible for obtaining and maintaining all rights, licenses, permissions, consents and approvals required for the AI Agent to access, connect to, interoperate with, or use any Customer Approved Tools. Upstream will not be responsible for issues arising from the foregoing or from the availability, connectivity, security, operation, access controls, use, transmission, transfer or handling of data by or through Customer Approved Tools, except to the extent caused by Upstream’s breach of this Agreement or Upstream’s failure to implement the Baseline Configuration or the agreed configuration in accordance with Customer’s documented instructions.
  8. Output Responsibility. Customer acknowledges and agrees that artificial intelligence and machine learning are rapidly evolving fields, and that, given the probabilistic nature of artificial intelligence and machine learning, use of the Service, including the AI Agent, may in some situations result in incorrect Output, recommendations, actions and/or inactions, and/or the Output may not be unique across users and the Service may generate the same or similar Output for different users of the Service. Customer is solely responsible and liable for evaluating, verifying and approving (including without limitation by human review) the Output and any recommendation, instruction, action or workflow generated by the AI Agent as being suitable and appropriate for Customer’s use. Upstream recommends that Customer maintain appropriate human oversight over the use of the AI Agent and that Customer carefully reviews and vets the Output and any recommendation, instruction, action or workflow before use or implementation. In addition, Customer shall not engage in any automatic decision-making (including, without limitation, profiling), or rely upon Output, recommendations, instructions, actions or workflows generated by the AI Agent in isolation to make a decision, relating to any person, which has a legal effect or a similarly significant effect on that person. To the maximum extent permitted by law, Upstream shall have no liability to Customer arising out of or relating to any malware, malicious code, harmful scripts or unauthorized actions contained in, generated by, transmitted through, or implemented by means of any Output, recommendation, instruction, action or workflow of the AI Agent, to the extent resulting from Customer’s or any user’s use of the AI Agent, Customer’s instructions, Customer-specific configuration, customizations or modifications, Customer Approved Tools, or any third party systems, tools or services not controlled by Upstream.
  9. Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
  10. Intellectual Property Rights. If prior or during the Term, Upstream receives any feedback (e.g., questions, comments, suggestions or the like) regarding any of the Services (collectively, “Feedback”), all rights, including intellectual property rights in such Feedback shall belong exclusively to Upstream and that such shall be considered Upstream’s Confidential Information; and Customer hereby irrevocably and unconditionally transfers and assigns to Upstream without all intellectual property rights it has in such Feedback and waives any and all moral rights that Customer may have in respect thereto. Upstream is and shall remain the sole owner of (i) all right, title, and interest, including any intellectual property rights related to the Services and any and all improvements and derivative works, and (ii) any know-how, including methods, logic, techniques, processes, or technologies embodied or relating to the Services, including such that was created and/or developed during or prior to the provision of the Services (including in case of a trial or evaluation of the Services by Customer), as well as any developments, improvements, continuations or derivations thereof. This Agreement does not convey to Customer any interest in or to the Services other than a limited right to use the Services in accordance with Section 1. Nothing herein constitutes a waiver of the Upstream’s intellectual property rights under any law.
  11. Third Party Components and Sources. The Data Platform may use or include third party software, files, libraries or components that are subject to third party open source license terms. A list of such components can be found at the following URL: https://www.upstream.auto/open-source-software-terms/, as may be further updated by Upstream from time to time. In addition, it is further clarified that information provided through the AutoThreat Platform, is based, among others, on third-party sources. Accordingly, and without derogating from Section 14 below, Upstream hereby disclaims any and all express and/or implied warranties with respect to any report and/or recommendation provided in connection to the AutoThreat Platform. In addition, Upstream engages with certain third party AI providers, as set forth in the Upstream Sub-processor list. A list of such components can be found at the following URL: https://www.upstream.auto/subprocessor-list/. Customer agrees that such third parties may use Input and Output as necessary to provide the Services. Customer further agrees (i) that where the provision of the Services requires Upstream’s use of Customer’s license to any third party AI provider’s tool, Customer has all necessary licenses from such relevant third party AI providers; and (ii) to use the Services in accordance with the policies of the relevant third party AI providers, as follows:
    • OpenAI: https://openai.com/policies/business-terms/
    • AWS Bedrock: https://aws.amazon.com/service-terms/
  12. Confidentiality. Each Party may have access to certain non-public and/or proprietary information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The Documentation shall be considered as Confidential Information hereunder. Each Party shall take reasonable measures, at least as protective as those taken to protect its own confidential information, but in no event less than reasonable care, to protect the other Party’s Confidential Information from disclosure to a third party. Neither Party shall use or disclose the Confidential Information of the other Party except as expressly permitted under this Agreement or by applicable law. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
  13. LIMITED WARRANTIES. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE DATA PLATFORM, ANY SECURITY AUDIT REPORTS SPECIFYING ANY ERRORS, ANOMALIES OR SECURITY ALERTS IN THE VEHICLES NETWORKS OR OTHER REPORTS AND OUTPUT GENERATED THROUGH THE USE OF THE DATA PLATFORM (THE “REPORTS”),  AND THE SERVICES (INCLUDING ANY AI AGENT FUNCTIONALITIES MADE AVAILABLE THROUGH THE SERVICES), ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. UPSTREAM DOES NOT WARRANT THAT THE DATA PLATFORM, THE REPORTS, THE AI AGENT FUNCTIONALITIES, OUTPUT AND/OR THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS AND DOES NOT WARRANT THAT THE DATA PLATFORM, THE AI AGENT FUNCTIONALITIES AND SERVICES WILL BE ACCURATE, COMPLETE, UNINTERRUPTED, ERROR FREE, OR THAT DEFECTS WILL BE CORRECTED. UPSTREAM  EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE AND/OR THAT THE USE OF THE DATA PLATFORM AND/OR SERVICES (INCLUDING ANY AI AGENT FUNCTIONALITIES MADE AVAILABLE THROUGH THE SERVICES) WILL PREVENT ANY CYBER ATTACKS AND/OR CYBER BREACH WITH RESPECT TO THE VEHICLES AND/OR THE VEHICLE’S INVOLVEMENT IN ANY CAR ACCIDENT AS A RESULT OF SUCH ATTACKS. CUSTOMER’S USE OF AND RELIANCE UPON THE REPORTS AND OUTPUT IS ENTIRELY AT CUSTOMER’S SOLE DISCRETION AND RISK, AND UPSTREAM AND ITS LICENSORS SHALL HAVE NO LIABILITY WHATSOEVER TO CUSTOMER  IN CONNECTION WITH ANY OF THE FOREGOING.
  14. LIMITATION OF LIABILITY. UPSTREAM SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA LOSS, OR DATA USE.
    UPSTREAM’S MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL AMOUNTS ACTUALLY PAID TO UPSTREAM IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM.
  15. Indemnification. If the Data Platform becomes, or in Upstream’s opinion is likely to become, the subject of an IP Infringement Claim, then Upstream may, at its sole discretion: (a) procure for the Customer the right to continue using the Data Platform; (b) replace or modify the Data Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Upstream’s reasonable efforts, then the Upstream may terminate this Agreement and in such event accept return of the affected Data Platform and provide a refund for any amount pre-paid by Customer for such returned Data Platform for the remaining unused period of the license. Notwithstanding the foregoing, Upstream shall have no responsibility for IP Infringement Claims resulting from or based on: (i) modifications to the Data Platform made by a party other than Upstream or its designee; (ii) the Customer’s failure to implement software updates provided by Upstream specifically to avoid infringement; or (iii) combination or use of the Data Platform with equipment, devices or software not supplied or authorized by Upstream or not in accordance with the Documentation. This Section states Upstream’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement. Upstream acknowledges and agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Data Platform, when used as permitted under this Agreement, infringes intellectual property rights of a third party (“IP Infringement Claim”); and the Upstream will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, provided that (i) the Customer promptly notifies Upstream in writing of such claim; and (ii) the Customer grants Upstream the authority to handle the defense or settlement of any such claim and provides Upstream with all reasonable information and assistance, at Upstream’s expense.
Upstream will not be bound by any settlement that the Customer enters into without Upstream’s prior written consent.
  16. Term and Termination. This Agreement shall enter into force and effect on the Effective Date and shall remain in full force and effect for the period specified in the Proposal (the “Term”). Either Party may terminate this Agreement with immediate effect if the other Party materially breaches this Agreement and such breach remains uncured fifteen (15) days after having received written notice thereof. In case Customer purchased the license via Partner, Term shall mean the term specified in Partner Order Form. Upon termination or expiration of this Agreement: (i) Data Platform license granted to Customer under this Agreement shall expire, and Customer shall discontinue any further use and access thereof; (ii) Customer shall immediately delete and dispose of all copies of the Documentation; (iii) within 30 days from the termination date, Upstream shall permanently delete all Customer Data, without affecting any of the Upstream’s rights to the Analytics Information; and (iv) any sums paid by Customer until the date of termination are non-refundable, and Customer shall not be relieved of its duty to discharge in full all due sums owed by Customer to Upstream under this Agreement until the date of termination or expiration hereof. The provisions of this Agreement that, by their nature and content, must survive the termination of this Agreement in order to achieve the fundamental purposes of this Agreement shall so survive. The termination of this Agreement shall not limit Upstream from pursuing any other remedies available to it under applicable law.
  17. Miscellaneous. This Agreement – including any Proposals, and any exhibits attached or referred hereto – represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any use of the Data Platform by an agency, department, or other entity of the United States government shall be governed solely by the terms of this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, provided that Upstream may assign this Agreement to the successor of all or substantially all of such Party’s assets or business (including a merger or acquisition). This Agreement shall be governed by and construed under the laws of the State of Israel, without reference to principles and laws relating to the conflict of laws. The competent courts of the Tel-Aviv shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Upstream will not be liable for any delay or failure to provide the Services resulting from circumstances or causes beyond the reasonable control of Upstream. 
This Agreement may be executed in electronic counterparts, each of which counterpart, when so executed and delivered, shall be deemed to be an original and all of which counterparts, taken together, shall constitute but one and the same agreement.