Vendors

NON-DISCLOSURE AND CONFIDENTIALITY AGREEMENT 

1. Background; Intent 

(a) Parties. This Non-Disclosure and Confidentiality Agreement (this “Agreement”) is entered into as of the date and time of Recipient’s electronic submission of this Agreement, as recorded in M3’s electronic submission logs (the “Effective Date”), by and between M3 Veterinary Innovation Advisors, a Texas corporation (“M3”), and the vendor, supplier, consultant, or other counterparty identified herein (“Recipient”). M3 and Recipient may be referred to individually as a “Party” and collectively as the “Parties.”

(b) Authority. The individual executing this Agreement on behalf of Recipient represents and warrants that they have full authority to bind Recipient and to ensure compliance by all of its affiliates, subsidiaries, and representatives.

(c) Intent of Agreement. This Agreement governs disclosures made in connection with M3’s vendor-qualification, evaluation, and procurement processes and is intended to protect M3’s proprietary and confidential information while permitting Recipient to demonstrate its capabilities for potential engagement. It is not intended to restrict Recipient’s lawful, independent development or business activities beyond what is reasonably necessary to safeguard M3’s confidential and proprietary interests. The specific “Purpose” for which Confidential Information may be used is defined in §2 (Purpose; Scope of Discussions).

(d) Value and Risk Context. M3 is engaged in the design and development of advanced, enterprise-grade software and data systems that include proprietary concepts, algorithms, architectures, datasets, and data models of substantial commercial and competitive value. Certain disclosures made under this Agreement may relate to systems and data assets that could reasonably be expected to achieve significant enterprise valuation—potentially exceeding USD $1 billion—and even limited unauthorized access, use, retention, derivation, or disclosure could foreseeably cause material and irreparable harm to M3’s competitive position. Recipient acknowledges that substantially similar Confidential Information may be disclosed to multiple competing bidders within the same procurement, which heightens the risk that any unauthorized access, retention, derivation, or disclosure could cause immediate and irreparable harm to M3. Because multiple vendors may receive such information while only one may ultimately be selected for engagement, this Agreement serves as the primary instrument protecting M3’s proprietary and confidential information during a competitive procurement process. The Parties acknowledge that these provisions are proportionate to the magnitude of potential harm, the scope of information disclosed, and the number of recipients involved, and that these terms are customary, reasonable, and necessary in high-value technology procurements to ensure fair competition, safeguard trade secrets, and prevent irreversible market disadvantage to M3.

(e) Clarity on Protections. This Agreement is designed for use in competitive procurement processes where proprietary system information of substantial commercial value will be disclosed to multiple potential vendors. Its terms are intended to balance fair opportunity to participate with the protection necessary to prevent loss or misuse of that information, and to ensure that M3 may conduct such processes efficiently and safely without risk of unintended dissemination or competitive use.

(f) Foundational Principle. The Parties acknowledge that the foregoing context forms the factual and commercial basis for this Agreement and that each obligation herein is reasonable and necessary to protect M3’s legitimate interests as described in this Section.

(g) Run-With-Information Principle. The Parties acknowledge that the obligations in this Agreement attach to, and run with, the Confidential Information itself. Accordingly, such obligations apply regardless of any change in ownership of the Confidential Information or any transfer of M3’s related business or assets.

2. Purpose; Scope of Discussions

(a) Purpose. M3 may disclose, or may have previously disclosed, non-public information to Recipient solely to enable Recipient to: (i) register for and participate in M3’s vendor intake, qualification, proposal, and procurement processes; (ii) evaluate whether to submit, and to prepare, responses to M3’s RFQ/RFP materials; and (iii) if invited, conduct pre-contract due diligence and solutioning in support of the foregoing (collectively, the “Purpose”).

(b) Retroactivity. This Agreement applies retroactively to all prior disclosures between M3 and Recipient (including disclosures to Recipient’s affiliates, predecessors, or former representatives) made for or relating to the Purpose, regardless of any prior project or code name.

(c) Non-Performance Clarification. For clarity, the Purpose does not include performance of services or production work for M3 unless and until the Parties execute a separate written agreement expressly authorizing such work; however, this Agreement shall continue to govern all Confidential Information and related obligations during any interim period between selection and execution of such agreement, and thereafter to the extent not superseded by that subsequent written agreement. Nothing herein restricts Recipient’s independent development or use of materials that do not incorporate or rely upon M3 Confidential Information.

3. Interpretive Principle.

This Agreement shall be interpreted broadly to effectuate the Parties’ shared intent to preserve and protect M3’s proprietary and confidential interests, consistent with applicable trade secret and data protection laws. Recipient acknowledges that safeguarding M3’s Confidential Information is essential to M3’s proprietary and competitive position and provides reciprocal commercial benefit by enabling Recipient’s participation in M3’s procurement processes. The Parties agree that the terms herein are designed to prevent disproportionate and potentially existential harm to M3, as described in §1, and shall therefore be construed as reasonable and necessary to effectuate that protective intent, not as punitive, restrictive, or unfair to Recipient’s legitimate business operations. This Agreement shall be interpreted in harmony with, and to the fullest extent permitted under, the Texas Uniform Trade Secrets Act, the federal Defend Trade Secrets Act, and any successor or comparable law providing equal or greater protection.

4. Applicability; Assent; Consideration 

(a) Applicability. This Agreement governs all M3 information disclosed before, on, or after the Effective Date, regardless of the form or medium of disclosure (e.g., oral, written, electronic, visual, or AI-generated).

(b) Assent. Recipient’s agreement to be bound occurs upon the earliest of: (i) electronic execution of this Agreement; (ii) receiving, accessing, downloading, or using any Confidential Information after being presented with this Agreement; or (iii) continuing to possess or use Confidential Information after the Effective Date. Acceptance applies retroactively to information previously received. Access to any of M3’s Confidential Information, systems, or materials is conditioned on assent; any access or use without assent is unauthorized and constitutes a breach.

(c) Consideration. The Parties acknowledge that each of the following constitutes good, valuable, and independent consideration supporting Recipient’s obligations—including their retroactive application—whether or not any business is ultimately awarded: (i) M3’s past, present, and future disclosure of proprietary information; (ii) Recipient’s opportunity to receive, review, and evaluate such information; (iii) Recipient’s opportunity to participate in M3 qualification, proposal, and procurement processes and to compete for potential commercial engagements; and (iv) M3’s initial, continued, or renewed provision of access to its information, communications, or designated processes. Each item of consideration is independent and severable. The Parties agree that the consideration for this Agreement is fair, adequate, and mutually beneficial. Recipient waives any claim that the consideration is inadequate, illusory, or fails for lack of mutuality.

5. Definition of Confidential Information 

(a) Scope. “Confidential Information” means all non-public information disclosed or made available by or on behalf of M3 to Recipient, whether before, on, or after the Effective Date, in any form or medium (oral, visual, written, electronic, demonstrative, or otherwise), that is identified as confidential or that a reasonable person would understand to be confidential given its nature and the circumstances of disclosure. By way of example and without limitation, Confidential Information includes: business and product strategy; roadmaps; pricing and pricing methodologies; financial information; customer, partner, and vendor information; third-party information M3 is obligated to protect; data models and schemas; specifications; software designs, architectures, source and object code; algorithms; documentation; prototypes; security measures and controls; access credentials, keys, and secrets; deployment and operations materials; service levels; agreements; usage analytics and operational/performance data; personal data processed on M3’s behalf; and any notes, summaries, analyses, or other materials (including those prepared by Recipient) that contain, reflect, or are derived from the foregoing. The foregoing is illustrative and non-exhaustive; obligations apply equally to higher-order equivalents, functional substitutes, combinations of elements, and successor technologies, whether now known or later developed. Information that is a combination of public or known elements is Confidential Information if the combination, compilation, or arrangement is non-public. The fact that information has been previously disclosed without express contractual protection or has been disclosed to multiple recipients does not preclude it from being Confidential Information.

(b) AI / Computational Derivatives. Confidential Information includes any data, content, insights, features, analytics, outputs, model parameters/weights, metadata, prompts, embeddings, token/interaction logs, synthetic data, evaluation artifacts, or other materials generated by humans or machines including but not limited to generative, predictive, or assistive AI and successor methods that (i) are trained on, reference, incorporate, depend upon, or are materially derived from Confidential Information, or (ii) reveal statistical patterns, structures, relationships, performance characteristics, or other “head-start” learnings reasonably attributable to Confidential Information, whether or not such outputs are recognizable as the original data. For clarity, “head-start” means a measurable reduction in research, development, or deployment time or cost directly attributable to M3 Confidential Information.

(c) Form-Agnostic / Flow-Through. All obligations apply to Confidential Information in any form or derivative state—unaltered, summarized, transformed, intermixed, or incorporated into other media or systems—and to all persons and systems (including agents, service providers, and subprocessors) processing such information on Recipient’s behalf.

(d) Carve-Outs (Recipient’s burden). Information is not Confidential Information to the extent Recipient proves with contemporaneous written records that it: (i) was lawfully known to Recipient, without confidentiality obligations, prior to disclosure by M3; (ii) becomes public through no act or omission of Recipient or its representatives; (iii) is rightfully received from a third party without restriction and without breach of any duty to M3; or (iv) is independently developed by Recipient without use of or reference to Confidential Information (and not through memory-based use by personnel with exposure to Confidential Information). Publicity resulting from Recipient’s breach does not qualify. Information is not excluded merely because it is included within a broader set that is public or known, or because individual elements are public—if the selection, coordination, or arrangement remains non-public, it is Confidential Information.

(e) Cooperation on Potential Misuse. If M3 reasonably and in good faith believes that any Recipient work product may incorporate or rely upon M3 Confidential Information, M3 may request that Recipient provide documentation reasonably sufficient to demonstrate independent development (for example, dated design records, commit histories, or comparable contemporaneous evidence). Both Parties shall cooperate in good faith to resolve such concerns efficiently and confidentially. If Recipient fails to provide such documentation or otherwise cooperate within ten (10) business days after M3’s written request, the Parties agree that such non-cooperation may give rise to a rebuttable presumption of derivation or misuse, which Recipient may rebut only with competent evidence. This inference is intended to reflect ordinary evidentiary principles and does not limit any other rights or remedies available to M3 under this Agreement or applicable law.

6. Non-Use; Non-Disclosure; Security 

(a) Confidentiality Obligation. Recipient shall hold all Confidential Information in strict confidence and not, directly or indirectly (whether intentional or negligent), permit any unauthorized access, possession, retention, copying, transfer, or disclosure;

(b) Permitted Use. Recipient shall use Confidential Information solely as necessary for the Purpose, and for no competitive, commercial, or personal purpose;

(c) Authorized Representatives. Recipient shall disclose Confidential Information only to Recipient’s authorized employees, officers, directors, contractors, professional advisors, temporary staff, agency personnel, or offshore resources (collectively, “Authorized Representatives”) who (i) have a strict need-to-know for the Purpose, (ii) are bound by written obligations no less protective than this Agreement (short-form acknowledgments permitted), and (iii) access under least-privilege with unique credentials and individual accountability. Recipient shall ensure such parties’ compliance and keep the list/history required by §9;

(d) Copies and Derivatives. Recipient shall not copy, reproduce, summarize, extract, or create derivative materials from Confidential Information except as reasonably necessary for the Purpose; such copies shall be temporary where practicable and in all cases securely deleted or destroyed when no longer necessary; if temporary storage is not practicable, Recipient shall document the justification and apply equivalent protective controls;

(e) AI / Automated Systems. Recipient shall not input, upload, expose, or otherwise provide Confidential Information to any artificial-intelligence or automated system except in accordance with the following conditions:

(i) the system and each subprocessor do not ingest, train on, fine-tune, or retain any M3 Confidential Information beyond ephemeral processing necessary to generate the immediate output, and any cache is automatically purged within twenty-four (24) hours, absent M3’s written consent;

(ii) the system operates in a private, tenant-isolated environment under Recipient’s exclusive administrative control—meaning Recipient maintains sole access to model inputs, outputs, and logs (e.g., Azure OpenAI Service with private endpoint, ChatGPT Enterprise, Anthropic Claude for Business, or substantially equivalent enterprise or self-hosted systems);

(iii) each such system and subprocessor is subject to written contractual terms that prohibit training, retention beyond ephemeral processing, secondary use, or human review, and provide Recipient with sufficient rights to verify compliance;

(iv) public, consumer, or shared AI services—including, without limitation, free or standard versions of ChatGPT, Claude.ai, Gemini, Grok, or any comparable large-language or generative system that logs, stores, or reuses inputs—are strictly prohibited; and

(v) upon M3’s reasonable request, Recipient shall identify the AI or automated systems used, their deployment type, and the date of the most recent provider compliance confirmation. For clarity, this subsection does not prohibit use of enterprise-grade or self-hosted AI tools operated under enforceable “no-training” and “no-retention” commitments that meet the foregoing conditions. For additional clarity, non-generative tools such as IDE auto-completion, spell-check, static analysis, or equivalent utilities that do not transmit M3 data to any third-party model are outside the scope of this subsection. Recipient remains fully liable for any breach of this subsection by any AI system, subprocessor, or provider it engages.

(vi) maintain an internal record of any enterprise or self-hosted AI system used with M3 Confidential Information (system name, deployment type, provider contractual posture as to “no train/no retain,” and dates of use) and, upon M3’s written request under §9, provide a summary of that record.

(f) No Competitive Use. Recipient shall not use, disclose, incorporate, or rely upon Confidential Information, directly or indirectly, to develop, enhance, or offer any product, service, dataset, or system—whether for another client, partner, or Recipient’s own benefit—that competes or could reasonably be expected to compete with M3’s business, technology, or systems, or that provides a head-start advantage as described in §5(b);

(g) No Public Disclosure or Benchmarking. Recipient shall not market, publish, publicly present, demonstrate, benchmark, conduct comparative testing, or make any public statement based on or incorporating Confidential Information, except to the minimum extent legally compelled under §6(k);

(h) Reverse Engineering Prohibition. Recipient shall not reverse engineer, decompile, disassemble, or attempt to derive the ideas, algorithms, or underlying structure of any prototypes, software, or technology provided by M3, and not perform security testing without M3’s prior written authorization;

(i) Security Controls. Recipient shall implement and maintain appropriate technical and organizational measures designed to protect Confidential Information against unauthorized access, use, or disclosure, including at minimum: access controls and multi-factor authentication for privileged access; encryption in transit and at rest with appropriate key management; segregation from other client data; access logging and monitoring; vulnerability management with timely remediation of critical and high-severity issues; managed endpoints for systems storing or accessing Confidential Information; and subprocessor parity with these controls; documented, immaterial deviations that do not materially increase risk, supported by a written risk assessment, shall not constitute breach;

(j) No Residual Use. Recipient shall not rely on memory or residual knowledge of Confidential Information; any such use is prohibited to the fullest extent permitted by applicable law;

(k) Legally Compelled Disclosures. Recipient shall, if legally compelled to disclose Confidential Information, promptly—and in any event within forty-eight (48) hours unless prohibited by law—notify M3 in writing, cooperate to seek a protective order or equivalent protections, and disclose only the minimum information legally required; Recipient shall bear its reasonable costs of such compliance, shall not stipulate to any order that diminishes confidentiality without M3’s prior written consent, and shall seek confidential treatment or sealing (including for public-records requests); any disclosed Confidential Information remains subject to this Agreement.

(l) Procurement Registry. Recipient shall maintain an internal registry identifying (i) each copy or extract of M3 Confidential Information received for the Purpose, (ii) the systems and locations where such materials are stored or accessed, and (iii) the Authorized Representatives with access and their access dates. Upon M3’s written request, Recipient shall provide a summary of the registry reasonably sufficient to verify scope and handling within three (3) business days.

7. Ownership; No License 

(a) Title. As between the Parties, all right, title, and interest in and to the Confidential Information, and all copies, adaptations, and derivatives thereof, are and shall remain exclusively with M3. No right or license is granted by implication, estoppel, exhaustion, or otherwise, except the limited, revocable right to use the Confidential Information solely for the Purpose and strictly in accordance with this Agreement.

(b) Derived Works. Any work product, invention, software, model, dataset, algorithm, design, prototype, document, output, or other material—whether created manually or through automated systems, and whether or not submitted to M3—that (i) incorporates, references, transforms, or is materially derived from Confidential Information, or (ii) depends upon, utilizes, or reproduces non-public patterns, relationships, or know-how obtained from Confidential Information (a “Derived Work”), is deemed Confidential Information and owned exclusively by M3. This includes, without limitation, any implementation of M3’s specifications, data models, algorithms, architecture, or analytical outputs disclosed under this Agreement. For clarity, a work is a Derived Work if it would not exist in substantially the same form absent access to or use of M3’s Confidential Information, including any measurable head-start as defined in §5(b).

(c) De Minimis Outputs. “De Minimis Outputs” means incidental, generic materials created by Recipient in the ordinary course that (i) do not reveal, reproduce, or enable reconstruction or inference of any Confidential Information; (ii) do not rely upon or benefit from non-public patterns or know-how derived from Confidential Information; and (iii) could have been created in substantially the same form without access to Confidential Information. Recipient retains De Minimis Outputs that meet all of (i)–(iii); all other outputs are Derived Works under §7(b).

(d) Remedies for Derived Works. If Recipient or its personnel knowingly or recklessly create, use, retain, disclose, or transfer any Derived Work in breach of this Agreement—including any competitive use, retention after the Purpose, provision to a third party, public disclosure, or sale of any product or service incorporating or materially derived from Confidential Information (including any head-start as defined in §5(b))—then Recipient irrevocably assigns to M3 all right, title, and interest in such Derived Work to the maximum extent permitted by law. Where assignment is not permitted, Recipient grants M3 an exclusive, perpetual, worldwide, royalty-free license to use, copy, modify, distribute, and exploit the Derived Work for any purpose. Recipient shall execute any documents reasonably necessary to perfect such assignment or license. This provision is intended to prevent unjust enrichment or misuse of Confidential Information and does not affect Recipient’s rights in pre-existing or independently developed IP under §7(e). For evidentiary matters, §5(e) applies.

(e) Pre-Existing IP and Independent Development Safe Harbor. Recipient retains full ownership and unrestricted use of: (i) its pre-existing intellectual property, tools, frameworks, code libraries, DevOps pipelines, estimation models, and general know-how existing before disclosure; (ii) improvements to such pre-existing IP made without reference to Confidential Information; and (iii) any work independently developed without use of or reference to Confidential Information (including no memory-based use by personnel exposed to such information). To claim this safe harbor, Recipient must maintain contemporaneous records (e.g., dated design documents, commit logs, or comparable evidence) sufficient to demonstrate independent development. If M3 reasonably believes a Derived Work has been created using its Confidential Information, Recipient shall cooperate in good faith and provide such records within ten (10) business days of M3’s request under §5(e). Failure to provide them or otherwise cooperate may give rise to a rebuttable presumption of derivation or misuse, which Recipient may rebut only with competent evidence. Recipient may, at the time of execution and before receiving any M3 Confidential Information, attach, upload, or enter via M3’s designated e-signature/submission portal as Exhibit A a list describing any specific intellectual property, tools, frameworks, code libraries, DevOps pipelines, estimation models, or other materials it claims as pre-existing (the “Pre-Existing IP”). To qualify for evidentiary consideration, each listed item must include objective identifiers evidencing existence prior to disclosure (for example, repository URLs and commit SHAs, version numbers, file hashes, or dated design documents). Exhibit A shall be treated as Recipient’s Confidential Information. For clarity: (i) Items properly listed and substantiated on Exhibit A shall constitute prima facie evidence of pre-existing ownership unless M3 proves incorporation of its Confidential Information; (ii) General, categorical, or non-specific descriptions (such as “our codebase,” “our methods,” or “internal tools”) carry no evidentiary effect and do not alter Recipient’s burden of proof; (iii) Failure to provide Exhibit A does not waive Recipient’s ability to assert pre-existing or independently developed IP under this §7(e); (iv) M3 has no obligation to review, verify, or accept any Exhibit A. This safe harbor applies to all obligations under this Agreement to the extent they concern pre-existing IP or independent developments.

(f) Feedback. If Recipient or its personnel provide suggestions, comments, ideas, or other feedback regarding M3’s technology, processes, or business (“Feedback”), M3 may use the Feedback without restriction. Recipient assigns to M3 all right, title, and interest in and to the Feedback; if assignment is not permitted, Recipient grants M3 a perpetual, worldwide, irrevocable, royalty-free license (with the right to sublicense) to use and exploit the Feedback for any purpose.

(g) No Residuals; No Data Rights. Recipient shall not use ‘residual’ or memory-based knowledge of the Confidential Information to the fullest extent permitted by applicable law. Recipient acquires no data rights, model-training rights, or rights to create or contribute to open-source or third-party materials using the Confidential Information.

(h) Marks and Publicity. No right or license is granted to use M3’s names, logos, domain names, or other brand features, or to make any public or private announcement, case study, or marketing use involving M3, except as expressly authorized in writing by M3.

(i) Reservation of Rights; No Encumbrances. All rights not expressly granted are reserved by M3. Recipient shall not encumber, pledge, lien, or otherwise assert any security interest in any Confidential Information or derivative thereof.

(j) DTSA Whistleblower Notice. Notwithstanding the foregoing, nothing in this Agreement prohibits Recipient from disclosing Confidential Information in confidence to government authorities for the purpose of reporting or investigating a suspected violation of law, or in a sealed court filing or other proceeding, as protected by 18 U.S.C. § 1833(b). Recipient is not required to notify M3 of such disclosures.

(k) Consent Requests for Non-Competing Use. Nothing in this Agreement prevents Recipient from requesting M3’s written consent to apply generic, non-proprietary concepts that do not reproduce Confidential Information in non-competing contexts. Any request must be emailed to legal@m3via.com with the subject line “Consent Request – [Recipient],” and must include: (i) the third-party client and industry; (ii) a concise description of the proposed concept or approach; (iii) an explanation of how it differs from M3’s proprietary elements (e.g. no algorithms, datasets, pricing, or client-specific materials); and (iv) Recipient’s certification that the use will not create any head-start as described in §5(b). Recipient is responsible for ensuring receipt by M3: the 7-business-day response period begins only upon confirmed receipt, which means (i) an automated acknowledgement from M3’s designated mailbox or portal, or (ii) an explicit written acknowledgement from an authorized M3 representative. If no confirmation is received within one (1) business day after transmission, Recipient shall promptly resend and, if needed, use the backup contact designated by M3. M3 shall respond in good faith and in writing within seven (7) business days of confirmed receipt by either granting consent (which may include conditions), denying consent, or requesting reasonable additional information (which tolls the response period until Recipient provides the requested information). Consent decisions are in M3’s sole discretion; silence after the response period constitutes denial. Any consent is (i) limited to the specific use described, (ii) non-transferable, (iii) revocable upon Recipient’s material breach or material misrepresentation, and does not authorize any reproduction, retention, competitive use, or head-start as described in §§5(b), 6(f), 6(j), or 7(b). No request, correspondence, delay, or denial creates any license, waiver, course of dealing, or obligation to consider future requests, and M3 shall have no liability for denial of consent. Absent an express written consent under this subsection, all other terms of this Agreement continue to apply in full.

8. Incident Notification 

(a) Definition of Incident. An “Incident” means any actual or reasonably suspected unauthorized or unlawful access to, acquisition of, use of, disclosure of, alteration of, loss of, or inability to access Confidential Information; compromise of credentials or keys that could permit such access; material failure of required security controls; or security event at any subprocessor or third-party system that processes Confidential Information for Recipient.

(b) Notice Timing and Channel. Recipient shall notify M3 in writing at the security contact designated by M3 promptly and in no event later than forty-eight (48) hours after discovery of an Incident or formation of a reasonable belief that an Incident may have occurred.

(c) Notice Content. The initial notice shall include, to the extent then known: (i) a summary of the Incident and discovery time; (ii) affected systems, environments, and subprocessors; (iii) the categories and estimated volume of Confidential Information affected; (iv) the likely cause and current containment status; (v) immediate mitigation steps taken and planned; and (vi) a named senior point of contact available 24×7 until closure.

(d) Rolling Updates and Final Report. Recipient shall provide daily written updates (or at a frequency reasonably requested by M3) until containment is confirmed in writing by M3. Within ten (10) business days after containment, Recipient shall deliver a written root-cause analysis and corrective-action report describing: timeline, cause, scope, data impact, corrective actions taken, and control improvements with implementation dates.

(e) Cooperation; Evidence Preservation. Recipient shall (at its expense) preserve and not alter relevant logs, images, volatile data, and other evidence; reasonably cooperate with M3 and, upon M3’s request, provide access to pertinent logs, records, and knowledgeable personnel, and facilitate reasonable forensics by M3 or its designated independent firm under appropriate confidentiality and privilege protections.

(f) Subprocessors and Third Parties. Any Incident affecting a subprocessor or third-party system that processes Confidential Information for Recipient shall be deemed an Incident of Recipient. Recipient shall flow down obligations enabling timely notice, cooperation, and forensics consistent with this Section.

(g) Regulatory and Third-Party Notifications. Where legally required, Recipient shall (at its expense and after good-faith coordination with M3) make any regulator, law-enforcement, contractual-counterparty, or data-subject notifications relating to the Incident. Content and timing of any public or third-party communications that reference M3 shall be subject to M3’s prior written approval unless prohibited by law.

(h) Remediation. Recipient shall promptly implement containment, eradication, and remediation measures reasonably acceptable to M3, and verify completion in writing. If keys, credentials, tokens, models, or datasets are implicated, Recipient shall rotate, revoke, retrain, or re-provision as applicable and confirm when completed.

(i) Costs. Investigation, mitigation, remediation, notifications, and forensics cooperation under this Section shall be at Recipient’s expense, except to the extent the Incident is finally determined by a court to have resulted primarily from M3’s willful misconduct.

(j) Law-Enforcement; Privilege. Recipient shall promptly inform M3 of any law-enforcement or regulatory inquiry concerning an Incident (unless legally prohibited), use reasonable efforts to preserve applicable privileges, and coordinate responses with M3.

(k) Material Breach. Failure to provide timely notice, required cooperation, or the final report constitutes a material breach, without prejudice to any other remedy available to M3.

9. Verification; Audit Cooperation 

(a) Records and Controls. Recipient shall maintain complete and accurate records and controls sufficient to trace and verify the collection, access, processing, transfer, storage, and destruction of Confidential Information, including access logs, change/incident tickets, subprocessor listings, and data-flow documentation.

(b) Certifications and Evidence. Upon M3’s written request, Recipient shall within five (5) business days (or such other period as M3 may approve in writing) provide a written certification of compliance signed by an authorized officer and reasonable supporting evidence, which may include: current SOC 2 Type II or ISO/IEC 27001 certificate and scope statement (or equivalent), most recent independent penetration-test executive summary with remediation status, risk register excerpts relevant to M3, data-map/ROPA showing systems and locations, current subprocessor list, summaries of any DPIA or similar assessment covering processing of M3’s data, current software bill of materials (SBOM) and license inventory for tools/environments used to process M3 Confidential Information, and a summary of third-party or provider attestations supporting any “no train/no retain” AI commitments relied upon.

(c) Audit Right and Scope. No more than once every twelve (12) months, M3 may audit Recipient’s compliance by documentary review, remote assessment, and/or onsite examination of facilities, systems, and processes that handle Confidential Information. Audits may also occur upon reasonable risk triggers, including suspected or actual breach, legal or regulator requirement, material change in relevant controls, change of primary hosting/location, material subprocessor change, lapse of a certification relied on for controls, merger or acquisition affecting security posture, or recurring SLA or control failures. The frequency and scope of audits shall be reasonably necessary and proportionate to the level of risk presented, taking into account the nature and sensitivity of the Confidential Information, the Recipient’s role and access, and the circumstances triggering the audit. Nothing in this Section limits M3’s right to conduct additional audits if reasonably required to verify compliance or investigate suspected breach. For clarity, planned audits shall not exceed one (1) per twelve (12) months; additional audits are permitted only upon M3’s reasonable suspicion of breach (e.g., detected leak, anomaly).

(d) Process and Notice. M3 shall provide at least five (5) business days’ written notice for planned audits; shorter notice may be provided where M3 reasonably suspects a breach or imminent risk. Recipient shall provide timely access to knowledgeable personnel, relevant policies and procedures, logs and tickets, architecture and data-flow diagrams, and to facilities and systems where Confidential Information is processed, subject to reasonable security and confidentiality safeguards.

(e) Auditor. M3 may conduct the audit itself or through a reputable independent firm bound by confidentiality. Recipient may object to a proposed third-party auditor for reasonable, documented conflict-of-interest grounds within three (3) business days; if so, M3 will propose an alternative.

(f) Remediation. Recipient shall promptly address findings. For any material non-conformity, Recipient shall within ten (10) business days deliver a written corrective-action plan with concrete milestones and implement it within the timelines reasonably approved by M3. Failure to meet agreed remediation milestones constitutes a material breach.

(g) Costs. M3 bears ordinary audit costs. If an audit reveals a material breach or a variance that materially increases risk, Recipient shall reimburse M3’s reasonable audit costs and pay all reasonable expenses of required re-audits to confirm remediation.

(h) Priority and Conflicts. Recipient shall ensure subprocessors permit flow-down verification rights substantially equivalent to this Section. Recipient’s internal policies or third-party agreements shall not diminish or delay M3’s rights under this Section; where a conflict exists, this Section controls to the maximum extent permitted by law.

(i) Frequency and Attestations. Between audits, Recipient shall provide quarterly written attestations of continued compliance and promptly notify M3 of any material changes to controls, subprocessors, processing locations, or certifications affecting the protection of Confidential Information.

(j) Preservation. Recipient shall retain audit-relevant records for at least three (3) years after the later of the audit date or termination of this Agreement, or longer if required by law or while an investigation or claim is pending.

(k) Non-Interference; Confidentiality. Audits shall be conducted in a manner designed to avoid unreasonable disruption of operations and maintain confidentiality and privilege. Audit results and artifacts are Confidential Information of both Parties.

(l) Obstruction. Unreasonable refusal to cooperate, material obstruction, or failure to provide certifications or agreed corrective actions under this Section constitutes a material breach, without prejudice to any other remedy.

(m) Exit Audit Right. Upon Recipient’s disqualification or non-selection, M3 may, at its sole discretion, elect to verify compliance with this Agreement, including by requiring written destruction certification, requesting supporting evidence, or conducting an exit audit of systems that processed M3 Confidential Information. Any such audit shall be at M3’s discretion and timing, and nothing herein obligates M3 to conduct or waive such verification. Recipient’s obligations to return or destroy remain absolute regardless of whether M3 elects to verify compliance.

10. Third-Party Flow-Down; Subprocessors 

(a) Pre-conditions and Approval. Recipient shall not grant any third party access to Confidential Information unless and until: (i) such party has executed a written agreement no less protective than this Agreement that expressly names M3 as a third-party beneficiary with direct enforcement rights; and (ii) Recipient has satisfied all export-control and sanctions screening and verified need-to-know. Recipient shall provide M3 at least five (5) business days’ prior written notice of any new or replacement subprocessor or any material change in scope, location, or role of an existing subprocessor. M3 may reasonably object; in that case, Recipient shall not provide access, or shall promptly propose a functionally equivalent alternative acceptable to M3.

(b) Current and Historical Register. Recipient shall maintain and, upon request within five (5) business days, provide a current and historical register identifying all third parties that have had access to Confidential Information, together with each party’s role, geographic location(s), access start/stop dates, and data categories accessed. Recipient shall update the register within three (3) business days of any change.

(c) Mandatory Flow-Down Obligations. Recipient shall flow down to each third party obligations that are at least as protective as this Agreement, including without limitation: confidentiality and non-use; no-AI/no-training/no-retention restrictions; no residuals; security controls and MFA; incident notification and cooperation under timelines no less stringent than §8; audit/verification and evidence duties equivalent to §9; return/destruction and certification duties equivalent to §11; IP ownership/assignment consistent with §7; sealing and confidentiality in proceedings consistent with §19; export-control compliance consistent with §16; and prohibition on onward transfers except as permitted by this Section.

(d) Personnel and Access Controls. Recipient shall ensure third-party personnel with access have completed confidentiality training, are subject to background checks where lawful and appropriate to risk, use unique credentials, follow least-privilege and MFA, and are logged and monitored. Recipient shall immediately revoke access upon role change, separation, or loss of need-to-know.

(e) Geography; Cross-Border Transfers. Recipient shall not permit any cross-border transfer or remote access to Confidential Information by a third party except where strictly necessary for the Purpose and in full compliance with §16 (including required safeguards and transfer-impact assessments where applicable). Location changes require the advance notice set out in subsection (a). Where any offshore or cross-border access is approved, Recipient shall implement geo-fencing and IP allow-listing for all access paths to Confidential Information.

 (f) No Onward Subcontracting. Third parties shall not further subcontract or grant access to additional parties without Recipient’s prior written approval and compliance with this Section; any onward subcontracting requires the same obligations and M3 beneficiary rights.

(g) Suspension and Termination. Upon M3’s written request based on reasonable risk, suspected breach, sanctions concern, or regulatory restriction, Recipient shall promptly suspend or terminate the relevant third party’s access and, within ten (10) business days, present a mitigation plan or an acceptable alternative. Failure to implement an approved plan constitutes a material breach.

(h) Evidence; Certificates. Recipient shall ensure third parties provide, via Recipient, certificates of destruction on off-boarding, incident reports and cooperation consistent with §8, and reasonable audit artifacts consistent with §9, upon M3’s request.

(i) Sanctions and Competitor Conflicts. Recipient shall not permit access by any sanctioned person or entity, or any entity owned or controlled by a sanctioned person, and shall screen against applicable sanctions lists. Recipient shall not use any direct competitor of M3 (or its designated list provided in writing) as a subprocessor without M3’s prior written consent.

(j) Responsibility. Recipient remains fully responsible and liable for all acts and omissions of third parties and for ensuring their continuous compliance with this Agreement. Any breach by a third party shall be deemed a breach by Recipient.

11. Return and Destruction 

(a) Triggers; cease-use. Without further notice, upon the earliest of (i) completion of the RFQ/procurement process, (ii) Recipient’s withdrawal or disqualification, (iii) M3’s written instruction, or (iv) conclusion of the Purpose or expiration/termination of discussions, Recipient shall immediately, and in any event within five (5) business days, cease all use of Confidential Information. For total clarity, these obligations apply automatically without the need for any written request by M3.

(b) Scope; methods. Within thirty (30) days of a trigger under §11(a), Recipient shall securely destroy or permanently delete (render irrecoverable) all Confidential Information and materials derived from it in Recipient’s possession, custody, or control, including by way of example and without limitation: physical documents and notes; digital files, emails, attachments, and caches; collaboration-platform records; audio/video/meeting recordings, transcripts, or AI-generated notes; local caches, autosave files, sync folders; cloud storage; vector stores; retrieval indices; disaster-recovery media; working papers; CI/CD artifacts; logging/observability archives. Destruction shall follow an industry-recognized standard appropriate to the medium (e.g., NIST SP 800-88 for media sanitization).

(c) Return on request. At M3’s option and written direction (which may be concurrent with or in lieu of destruction), Recipient shall promptly return specified originals or tangible items containing Confidential Information using a mutually agreed secure method and provide chain-of-custody documentation. Any non-returned copies remain subject to §11(b).

(d) AI models and computational artifacts. Recipient shall delete, unwind, or retrain any models, fine-tuned parameters, checkpoints, embeddings, vector indexes, retrieval corpora, caches, prompts, or evaluation artifacts trained, tuned, populated, or derived using Confidential Information, and certify such removal or retraining. Where deletion or retraining is technically infeasible, Recipient shall (i) permanently isolate the affected artifacts in a read-only, access-controlled environment segregated from other client or customer data; (ii) implement controls that prevent any inference, prompting, or use materially relating to M3 or its market; (iii) certify non-use under penalty of perjury; and (iv) permit M3 to verify such isolation during any exit review under §9(m). Recipient shall document and execute a plan to deprecate and replace the affected artifacts within a commercially reasonable timeframe agreed with M3.

(e) No Retention for Reference Proposals. Recipient shall not retain, repurpose, or internally reference any materials, fragments, templates, workflows, data models, or other content identifiably derived from non-public M3 Confidential Information for use in, or in connection with, any future proposals, solicitations, demonstrations, or business opportunities with any other party.

(f) Backups and DR. For backups and disaster-recovery replicas that cannot be immediately edited: (i) segregate/flag affected data, (ii) prohibit any restoration, indexing, mining, or access except for restore testing unrelated to M3 and only under equivalent protections, and (iii) ensure automatic deletion on the next routine lifecycle for such media. Backups and disaster-recovery media may follow Recipient’s standard retention policy (not to exceed 90 days) if segregated and access-restricted. Recipient shall document the relevant schedules and controls and provide them to M3 upon request.

(g) Subprocessors and third parties. Recipient shall require all subprocessors and other third parties with access to Confidential Information to complete destruction and provide Recipient with certificates or written attestations; Recipient’s §11(h) certificate shall identify such parties and incorporate their attestations.

(h) Certificate. Within ten (10) business days after completing the actions in §§11(b)–(f) (or within a shorter period if directed by law or regulator), Recipient shall deliver a written certification signed by an authorized officer under penalty of perjury specifying: (i) the date of each trigger under §11(a); (ii) the systems, locations, and media where Confidential Information resided; (iii) the destruction/return method used and applicable standards (including, as applicable, NIST SP 800-88 for media sanitization); (iv) the subprocessors and third parties involved and their certificates or written attestations (as required by §11(g)); (v) a hash- or inventory-based before/after reconciliation, where technically feasible, evidencing removal of Confidential Information (and materials derived from it) from known systems and repositories; and (vi) the custodian and location of any legally required archival copy retained under §11(i), including the legal/audit basis and planned deletion date.

(i) Archival exception. Recipient may retain one (1) encrypted archival copy only to the extent strictly required by applicable law, regulation, or a bona fide external audit obligation, provided that: (i) it remains subject to this Agreement; (ii) access is strictly limited to legal/compliance personnel on a need-to-know basis; (iii) it is not accessed, processed, or restored for any other purpose; and (iv) it is automatically deleted upon expiry of the applicable retention period. Recipient shall disclose to M3 the legal or audit basis and the planned deletion date.

(j) Later-discovered copies. If Recipient later discovers any additional instances of Confidential Information, it shall promptly destroy them in accordance with this Section and deliver a supplemental certificate within five (5) business days of discovery.

(k) Litigation hold. If destruction is suspended due to a valid legal hold under §24, Recipient shall (i) notify M3 of the scope and basis to the extent legally permitted, (ii) segregate and protect the retained materials, (iii) continue to apply this Agreement, and (iv) promptly complete destruction when the hold is lifted and certify accordingly.

(l) Breach. Failure to timely complete destruction/return, obtain and provide required third-party attestations, or deliver an adequate certificate constitutes a material breach and entitles M3 to immediate injunctive and other equitable relief without bond and without proof of actual damages, in addition to any other remedies.

12. Duration; Survival 

(a) Term of Obligations. Recipient’s confidentiality and non-use obligations apply to all Confidential Information as described in §5 and shall continue for at least five (5) years after the later of (i) the last disclosure of Confidential Information by M3 or (ii) the written termination or completion of the Purpose.

(b) Trade-Secret Survival. Obligations concerning Confidential Information that constitutes a trade secret survive for so long as such information remains a trade secret under applicable law, including without limitation the Texas Uniform Trade Secrets Act and the federal Defend Trade Secrets Act, as each may be amended or succeeded.

(c) Continuing Obligations. Expiration or termination of this Agreement does not relieve Recipient of any duty to return or destroy Confidential Information under §11, to cooperate under §8 (Incident Notification) or §9 (Audit), or to comply with any other obligations that by their nature or context should survive.

(d) Survival of Obligations. All provisions that by their nature or context are intended to survive termination or expiration of this Agreement shall so survive, including without limitation those relating to: confidentiality, non-use, ownership and intellectual property, incident notification and cooperation, audit and verification, third-party flow-down, return and destruction, duration and survival, injunctive and equitable relief, remedies and indemnity, compliance with law, assignment and successors, severability and reformation, interpretation, governing law and dispute resolution, independent counsel acknowledgment, no-waiver, publicity and use of name, litigation hold, clawback and privilege preservation, and electronic execution. Enumeration of specific Sections is for convenience only and shall not limit survival of other provisions intended by their nature to survive.

(e) Reasonableness. Recipient acknowledges and agrees that these durations and survival provisions are reasonable and necessary to protect M3’s legitimate business interests, that trade-secret protections may persist indefinitely, and that such continuation is consistent with public policy and applicable law.

13. Injunctive and Equitable Relief 

Recipient agrees that any unauthorized acquisition, possession, retention, use, disclosure, or threatened misappropriation of Confidential Information provided in connection with M3’s vendor-qualification or pre-contract bidding process (which remains highly sensitive even after Recipient is not selected) will cause M3 irreparable harm for which monetary damages are inadequate. Accordingly, in addition to all other remedies at law or in equity, M3 is entitled to temporary, preliminary, and permanent injunctive relief and specific performance, including orders compelling immediate cessation of use or disclosure, return and/or destruction under §11, cooperation and access under §§8–9, and enforcement of flow-down controls under §10, in each case without the necessity of proving actual damages, posting bond or other security, or establishing the inadequacy of monetary damages, to the fullest extent permitted by law. Such relief may be sought in any court of competent jurisdiction as provided in §20. These equitable remedies are cumulative and not exclusive of any other relief available under TUTSA §134A.003, DTSA, or other applicable law. These rights and remedies extend to any permitted successor or assignee of M3 that acquires its business or related assets.

14. Remedies; Indemnity; Fees 

(a) Indemnity. Recipient shall indemnify, defend, and hold harmless M3, its affiliates, and their respective directors, officers, employees, and agents from and against any and all losses, damages, liabilities, penalties, fines, costs, and expenses (including reasonable attorneys’ fees and experts’ fees) arising out of or relating to: (i) any breach of this Agreement by Recipient or its Authorized Representatives, subcontractors, or subprocessors; (ii) any unauthorized access to, acquisition of, use of, or disclosure of Confidential Information; (iii) any failure to timely return, destroy, or certify destruction as required; (iv) any use of AI or automated systems in violation of this Agreement; and (v) any claim, demand, action, investigation, or proceeding by a third party or government authority relating to the foregoing. This indemnity covers, without limitation, reasonable costs for forensics, containment, remediation, notifications, regulator engagement, credit monitoring or identity protection, public communications, business interruption to the extent attributable to the breach, implementation of court-ordered relief, and service credits or similar remedies paid to third parties due to Recipient’s conduct.

(b) Defense and settlement. Upon written tender by M3, Recipient shall immediately defend the indemnified parties with counsel reasonably acceptable to M3. M3 may participate with its own counsel at its own expense (or at Recipient’s expense if a conflict of interest arises). Recipient shall not settle any matter without M3’s prior written consent if the settlement imposes any non-monetary obligation on M3, requires an admission of wrongdoing by M3, restricts M3’s operations, or fails to unconditionally release the indemnified parties. M3’s approval shall not be unreasonably withheld for settlements that solely involve monetary payment fully funded by Recipient and an unconditional release of the indemnified parties.

(c) Primary, non-contributory. Recipient’s indemnity obligations are primary and non-contributory with any insurance maintained by M3. Recipient shall not seek contribution from M3 or its insurers for losses within the scope of this Section.

(d) No limitations. No limitation of liability, exclusion of damages, or similar restriction (whether in this Agreement, in any other agreement between the Parties, or otherwise) applies to Recipient’s obligations under this Section or to breaches of Sections 5–11.

(e) Enhanced Recovery for Catastrophic Breach. If any willful or negligent breach of this Agreement results in (i) public disclosure of Confidential Information, (ii) competitive use or possession by a third party, or (iii) irreversible incorporation of such information into any product, service, or AI or data system, M3 shall be entitled to recover its full actual damages, including without limitation lost profits, development and containment costs, diminution of enterprise value, and reasonable attorneys’ and experts’ fees and expenses. The Parties acknowledge that the nature and scale of potential harm from such breaches are difficult to quantify at the time of contracting. Accordingly, Recipient agrees that M3’s good-faith, expert-supported damage estimate shall be admissible and presumed reasonable absent competent contrary evidence. Nothing in this subsection limits M3’s rights to injunctive or other equitable relief, fee recovery, or any other remedy at law or in equity, and no limitation of liability applies to breaches of this Agreement.

(f) Fee shifting. Notwithstanding §20(c), M3 is entitled to recover its reasonable attorneys’ fees and costs incurred to obtain or enforce injunctive, clawback, preservation, or destruction relief.

(g) Reservation of remedies. The remedies in this Section are cumulative with, and not exclusive of, any other right or remedy available to M3 at law or in equity, including under TUTSA, DTSA, or comparable laws.

(h) Insurance. Recipient shall maintain insurance, including technology E&O/cyber liability coverage, in commercially reasonable amounts sufficient to satisfy its obligations under this Agreement and shall provide certificates of insurance upon request.

15. No Warranty; No Obligation to Proceed 

All Confidential Information is provided “as is,” without representation or warranty of any kind, whether express, implied, statutory, or otherwise, including any warranty of accuracy, completeness, title, non-infringement, merchantability, or fitness for a particular purpose. Recipient assumes all risk arising from its access to or use of Confidential Information. M3 shall have no liability to Recipient or any third party for any reliance placed upon such information or for any decisions made in connection therewith.  Nothing in this Agreement obligates either Party to proceed with any proposed transaction, engagement, or business relationship, and M3 may engage with others, in whole or in part, in its sole discretion. Recipient expressly waives any claim of reliance or expectation based on M3’s disclosure of Confidential Information or participation in any evaluation, qualification, or procurement process. For clarity, this Section does not limit or reduce Recipient’s obligations under this Agreement.

16. Compliance with Law; Export Control 

Recipient shall at all times comply with all applicable U.S. federal, state, and foreign laws, regulations, and governmental requirements relating to export control, sanctions, data privacy, and artificial-intelligence governance, as each may be amended, re-enacted, or succeeded from time to time, including without limitation: the U.S. Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), Office of Foreign Assets Control (OFAC) sanctions programs, and any applicable data-protection or localization laws (such as the Texas Data Privacy and Security Act, the EU General Data Protection Regulation (GDPR), and comparable laws in other jurisdictions). Recipient shall not directly or indirectly export, re-export, transfer, access, or disclose any Confidential Information in violation of such laws or to any person or destination prohibited thereby. Recipient shall not permit any cross-border access or transfer of Confidential Information—including remote or cloud access—except to the extent strictly necessary for the Purpose, subject to M3’s prior written approval where required, and only in compliance with applicable transfer-mechanism and safeguard requirements (including standard contractual clauses, adequacy decisions, or equivalent instruments). Recipient shall screen all persons and entities with access against applicable sanctions lists and ensure that no sanctioned person or country receives access. Recipient shall indemnify and hold harmless M3 for all losses, costs, liabilities, penalties, and expenses (including attorneys’ fees) arising out of or relating to any actual or alleged violation of this Section or applicable law. For clarity, this Section supplements and does not limit Recipient’s obligations under §§10 (Third-Party Flow-Down) and §11 (Return and Destruction).

17. Assignment; Successors

Recipient shall not assign, transfer, delegate, sublicense, or otherwise convey this Agreement or any rights or obligations hereunder, in whole or in part, whether voluntarily, involuntarily, by merger, consolidation, change of control, operation of law, or otherwise, without M3’s prior written consent. Recipient shall provide M3 prior written notice of any proposed merger, consolidation, change of control, or similar transaction, and any assignment or delegation in connection therewith requires M3’s prior written consent. Any purported assignment or delegation in violation of this Section is void and constitutes a material breach of this Agreement. For the avoidance of doubt, M3 may assign or transfer this Agreement, and any rights or interests in or to the Confidential Information, without consent or notice, to (i) any affiliate; (ii) any purchaser, acquirer, or successor of all or substantially all of M3’s equity, business, or assets (including by merger, consolidation, sale of assets, or reorganization); or (iii) a debtor-in-possession or trustee in bankruptcy. Recipient irrevocably consents to any such assignment and shall execute and deliver any reasonable confirmatory instruments or acknowledgments requested by M3 or its successor to evidence such assignment or continuation. This Agreement shall be binding upon and inure to the benefit of the Parties and their respective permitted successors and assigns. All references to “M3” in this Agreement include M3’s permitted successors and assigns. For clarity, nothing in this Section limits or restricts disclosures or subcontracting expressly permitted under §10 (Third-Party Flow-Down).

18. Severability; Reformation 

If any provision of this Agreement is held invalid, illegal, or unenforceable in any respect, such provision shall be reformed, revised, or modified by the court to the minimum extent necessary to render it valid and enforceable while preserving its original intent and protective effect for M3 to the fullest extent permitted by law. No such invalidity or unenforceability shall affect or impair the enforceability of any other provision or of that provision in any other jurisdiction or context. Recipient expressly agrees that this Section shall be applied consistent with Texas law favoring reformation over invalidation and with the interpretive principles stated in §3 (Interpretive Principle). Recipient acknowledges that the provisions of this Agreement are reasonable and necessary to protect M3’s legitimate business interests and agrees that, if any term is deemed excessive, it shall be narrowed and enforced to the maximum extent permissible rather than struck down.

19. Interpretation 

Headings are for convenience only. Singular includes plural and vice versa; gender terms are inclusive; “including” means “including without limitation.” All obligations apply to information in any form and to all systems under Recipient’s control, whether now known or later developed. This Agreement shall not be construed against either Party as drafter, and no rule of strict construction or contra proferentem shall apply. In any conflict, this Agreement governs confidentiality and related obligations unless a later written agreement expressly supersedes it. References to technology, systems, or data-processing mechanisms include functional equivalents, successor technologies, and future modalities performing analogous functions, whether human or machine-mediated (technological neutrality). All enumerations in this Agreement are illustrative and non-exhaustive; the absence of an item does not imply exclusion of comparable, successor, or functionally equivalent items. The Parties shall jointly request that any court proceedings involving this Agreement be conducted under seal under TUTSA §134A.0065, DTSA, or other applicable law. If ambiguity arises, provisions shall be interpreted to maximize enforceability and give effect to the Parties’ intent to protect M3’s Confidential Information, consistent with §3 (Interpretive Principle). In any inconsistency between this Agreement and any other confidentiality or data-protection terms, this Agreement controls to the extent of conflict. References to M3’s rights or interests in Confidential Information shall be interpreted to include any successor or assignee that acquires such rights or interests.

20. Governing Law; Venue; Dispute Resolution 

This Agreement is governed by and construed in accordance with the laws of the State of Texas, without regard to conflict-of-law principles.

(a) Courts and Equitable Relief. Courts located in Travis County, Texas shall have exclusive jurisdiction over any action seeking temporary, preliminary, or permanent injunctive or other equitable relief, or the enforcement or set-aside of any arbitral award. Each Party further consents to the jurisdiction of the state or federal courts in Travis County, Texas and agrees that any judicial proceeding shall be filed exclusively in the state or federal courts in Travis County, Texas, and the Parties expressly waive any objection to such courts as an inconvenient forum or venue. Nothing in this Agreement prevents M3 from seeking injunctive or interim relief in any court of competent jurisdiction where a breach, threatened breach, or harm occurs, or where assets or infringing activity are located.

(b) Arbitration. All other disputes arising out of or relating to this Agreement that are not subject to subsection (a) shall be finally resolved by binding arbitration administered by the International Centre for Dispute Resolution (ICDR) under its International Arbitration Rules. The seat (legal place) of arbitration shall be Austin, Texas, USA. The proceedings shall be conducted in English, governed by the substantive laws of the State of Texas, and remain strictly confidential. All pleadings, evidence, and awards shall be treated as M3 Confidential Information under this Agreement.

(c) Finality and Enforcement. Subject to §14(f), the arbitrator may award reasonable attorneys’ fees, expert fees, and all costs of arbitration to the prevailing party. Recipient shall reimburse M3 for reasonable attorneys’ fees and costs incurred in obtaining or enforcing any injunctive or arbitral relief.

(d) Coordination. Nothing in this Section limits M3’s right to pursue parallel or sequential injunctive and arbitral proceedings to protect its Confidential Information and related rights.

21. Independent Counsel Acknowledgment 

Each Party acknowledges that it had the opportunity (but not the obligation) to consult independent legal counsel before entering this Agreement and does so voluntarily with full understanding of its terms. Recipient represents that it has reviewed and understands this Agreement in its entirety, including, without limitation, the scope of Confidential Information, AI and derivative-use restrictions, non-use/no-head-start obligations, destruction and certification duties, remedies, and all other obligations reasonably affecting Recipient’s handling of M3’s information. Recipient further acknowledges that the terms of this Agreement are reasonable and necessary to protect M3’s legitimate business interests and consistent with public policy and applicable law. This acknowledgment shall be interpreted consistent with §3 (Interpretive Principle) and §18 (Severability; Reformation).

22. No Waiver; Cumulative Remedies 

No failure, delay, or partial exercise of any right, power, or privilege under this Agreement shall operate as a waiver thereof or of any other right, power, or privilege. No waiver shall be effective unless in writing and signed by an authorized representative of M3. No course of dealing, course of performance, or trade usage shall be deemed to modify or waive any term of this Agreement. The exercise of any remedy by M3 shall not preclude the concurrent or subsequent exercise of any other remedy available at law, in equity, or under this Agreement. All remedies provided under §14 (Remedies; Indemnity; Fees) and elsewhere in this Agreement are cumulative and in addition to, and not in lieu of, any other rights or remedies available to M3.

23. Publicity; Use of Name 

Recipient shall not, publicly or privately, use or refer to M3’s name, logo, trademarks, brand features, Confidential Information, or participation in any M3 process for marketing, solicitation, business development, or promotional purposes (including, without limitation, AI-related announcements or publications, case studies, capability statements, proposals, websites, social media, or communications with prospective clients or partners) without M3’s prior written consent. “Use” includes any oral or written reference, listing, or depiction in any medium or format. Recipient shall cause its affiliates, employees, officers, directors, contractors, advisors, agents, subprocessors, and any other representatives to comply with this Section, and remains fully responsible and liable for their acts and omissions. Any third-party access must include written obligations no less protective than this Section and must expressly name M3 as a third-party beneficiary with direct enforcement rights, consistent with §10 (Third-Party Flow-Down). Recipient shall not cause or allow any AI or automated system to generate, synthesize, or disclose content referencing M3 or its Confidential Information without M3’s prior written consent. Any unauthorized reference or use under this Section constitutes both a breach of this Section and an unauthorized disclosure under §6 (Non-Use; Non-Disclosure). All rights in M3’s names, logos, trademarks, and brand features remain exclusively with M3.

24. Litigation Hold 

Upon any suspected or actual breach or upon M3’s written notice of a potential claim, Recipient shall immediately implement a litigation hold and preserve all potentially relevant materials—including, without limitation, logs, emails, system records, model artifacts, datasets, training materials, AI interaction data, backups, and any other data or documentation relating to M3 Confidential Information. Recipient shall (i) issue a written litigation-hold notice to all personnel and subprocessors who may possess relevant materials; (ii) suspend any automatic deletion, rotation, or overwriting of such materials; and (iii) confirm in writing to M3 within five (5) business days that such preservation has been implemented. Recipient shall ensure that all subprocessors and other third parties subject to §10 implement equivalent holds and confirm compliance to Recipient. Recipient remains liable for ensuring their continued preservation. The litigation hold shall remain in effect until M3 provides written release or the Parties jointly confirm in writing that all investigations, claims, or proceedings relating to M3 Confidential Information are fully resolved. Failure to implement or maintain the required hold constitutes a material breach and spoliation of evidence, entitling M3 to immediate injunctive relief and other remedies.

25. Clawback; Privilege Preservation 

Any disclosure or production of materials subject to attorney–client privilege, attorney work-product protection, common-interest privilege, trade-secret privilege, or any other applicable legal protection (collectively, “Privileged Material”)—whether made before, during, or after the term of this Agreement—is deemed inadvertent and shall not constitute or be construed as a waiver, impairment, or forfeiture of any privilege or protection, in whole or in part. Upon written notice from M3 identifying any Privileged Material (or material reasonably believed to be privileged), Recipient shall immediately (i) cease all review or use; (ii) promptly return or permanently destroy all copies, extracts, notes, summaries, and derivative materials containing or reflecting the content; and (iii) certify compliance in writing within five (5) business days. Recipient shall not challenge or oppose M3’s claim of privilege or work-product protection solely on the basis of inadvertent disclosure and shall maintain the confidentiality of the identified materials pending resolution. This Section applies notwithstanding any prior access, production, or use. For avoidance of doubt, this Section constitutes a “clawback agreement” under Federal Rule of Evidence 502, Texas Rule of Evidence 511, and any comparable state or foreign law, and shall be enforceable in any court or arbitral forum of competent jurisdiction.

26. Entire Agreement; Amendments; Counterparts 

This Agreement constitutes the final, complete, and exclusive understanding between the Parties regarding the protection, use, disclosure, and handling of M3’s Confidential Information and related proprietary materials, and supersedes all prior or contemporaneous agreements or understandings relating to the same subject matter to the extent inconsistent herewith. No amendment, modification, or waiver of any provision of this Agreement is valid unless in a writing expressly referencing this Agreement and executed by duly authorized representatives of both Parties. This Agreement may be executed in counterparts (including by electronic, facsimile, or scanned (PDF) signature), each of which shall be deemed an original, and all of which together constitute one and the same instrument.

27. Electronic Execution (ESIGN/UETA) 

Execution of this Agreement  electronically through M3’s designated e-signature or submission process constitutes a binding electronic record under the U.S. Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.), the Uniform Electronic Transactions Act, and any substantially equivalent law governing electronic records and signatures in any applicable jurisdiction. Electronic records, metadata, and audit logs collected and maintained by M3 constitute prima facie evidence of assent and execution by the Recipient. By clicking “I Agree,” e-signing, continuing access, or otherwise indicating assent, Recipient accepts and agrees to be bound by this Agreement, including its retroactive application as described in §4.

28. Bid Materials; Limited Reciprocal Confidentiality

(a) Scope. The Parties acknowledge that Recipient may disclose certain non-public proposal or bid information to M3 in connection with the Purpose. M3 will treat Recipient’s non-public proposal, pricing, and technical information (“Bid Materials”) submitted in connection with the Purpose as confidential to the same extent it treats its own information of similar sensitivity.

(b) Permitted Use/Disclosure. M3 may use and disclose such Bid Materials (i) solely for purposes of evaluating proposals, conducting procurement, or developing, negotiating, or performing any related engagement; and (ii) on a need-to-know basis to its affiliates, employees, professional advisors, auditors, consultants, investors, and prospective partners or vendors under comparable confidentiality obligations.

(c) Carve-Outs. Nothing in this Section restricts M3’s use of information (i) independently developed by M3 or its partners, (ii) derived from multiple vendor submissions on an aggregated or anonymized basis, or (iii) that is or becomes publicly available through no act or omission of M3.

(d) Duration; Successors. M3’s obligations under this Section terminate upon award, withdrawal, or rejection of Recipient’s proposal. M3’s obligations under this Section extend to M3’s permitted successors and assigns for as long as they continue activities related to the Purpose.