TERMS OF SERVICE

ADP Federated Single Sign On Terms of Service

1. FSSO Generally. ADP will provide Client with federated single sign on capabilities ("FSSO") that will allow Client to internally control the identity management and procedures with respect to end user provisioning/de-provisioning, authenticating, authorizing and enabling its designated employees ("Participants") to access certain products and services in the U.S. from ADP under this Agreement that involve electronic communication between ADP and designated employees of Client via internet or similar computerized means (each such ADP product or service shall be referred to herein individually as an "ADP Service," and collectively as the "ADP Services"., ADP will be entitled to rely upon and to accept as authentic the credentials (as more fully described below, the "Identifying Credentials") of each Participant and then provide access to the ADP Services commensurate with the access level assigned to the Identifying Credentials by the Client.

2. Authentication/Authorization. (a) Client will be solely responsible and liable for enforcing the terms of this FSSO Amendment with respect to the Participants. The Federated User Identity (the "FUI Feature") will be for (i) the sole purpose of creating and providing to Participants a login for accessing the intended ADP Services, and (ii) Participants' use of same will comply with all applicable laws. (b) Client will be solely responsible for the establishment, implementation and oversight of the rules, requirements and procedures relating to the provisioning, de-provisioning, distribution, selection, use and safeguarding of the Identifying Credentials (such as the usernames and passwords) and for the verification of the identity of each Participant and its respective level of access authorization for each ADP Service. Client will be solely responsible for the determination of the adequacy of any and all particular security procedures and policies to be utilized with respect to the FUI Feature, including any specifics contained herein, and that ADP shall not have any responsibility to authenticate Participants or otherwise verify their identity or authorized access levels (but ADP shall nonetheless retain the right to reject assertions or token as provided in Section 2(h)). ADP is therefore relying on the Client to utilize 'industry best practices' in regards to server security, password policies, user provisioning and de-provisioning, and the creation of persistent, unique and static user name. Client will use the FUI Feature in accordance with the reasonable instructions and reasonable policies established by ADP from time to time and communicated to the Client. (c) The Parties agree that the FUI Feature shall utilize "Security Assertion Mark-up Language" ("SAML") or Open ID Connect (OIDC) and the processes required thereby or any other method mutually agreed by the parties in writing. As of the date of this Agreement, detailed information applicable to SAML and its use is located at the following internet site: https://www.oasis-open.org/standards#samlv2.0 and detailed information applicable to OIDC and its use is located at the following internet site: http://openid.net. Client is responsible for procuring, at its own expense, all hardware and software necessary to utilize the FUI Feature. ADP also reserves the right to further the security of the assertions or token through the use of such technologies that support digital signing. Client shall digitally sign the assertion or token being provided to ADP. This signing is in support of a trusted and non-repudiation arrangement. Exhibit A below sets forth the information to be collected, transmitted and validated as part of the assertion messages under the FUI Feature. Client agrees that it will utilize the above security methods for the secure transport to the identity consumer. (d) Based upon the targeted ADP Services, those employees of Client who are administrators in connection with the receipt of ADP Services (or positions of similar purpose or intent) will be able to federate to access their personal information. For administrator functionality, such Client employees who are administrators will continue to register to ADP's identity management system in order to receive ADP credentials required for accessing and performing higher risk administrative functions. (e) For SAML, Communication between ADP FSSO and Client's internal network may only occur with an X509 Certificate, issued and signed by an ADP-approved certificate authority (CA). ADP will not accept any self-signed certificates for encryption and signing purposes. For OIDC, ID Tokens must be signed using JSON Web Signature [JWS] (f) Client agrees to maintain the privacy of Identifying Credentials associated with ADP Services. Client is fully responsible for all activities that occur under Client's or any Participant's password. Client agrees to (i) immediately notify ADP of any unauthorized use of Identifying Credentials or the ADP Services or any other breach of security, and (ii) ensure that Client and any Participants exits the browser at the end of each federated session. ADP shall not be liable for any damages incurred by Client, any Participant or any third party arising from Client's failure to comply with this section 2(f). (h) Upon request, Client can configure ADP FSSO in a Third Party Identity Provider (the "IDP"). Client shall ensure that the third party IDP adheres to all FUI Features documented herein. ADP will review with the IDP before relying on third party self-signed certificate or verify that the IDP is a certified authority with a valid certified authority certificate. Client will ensure that any IDP cooperates fully with any requests by ADP in connection with such review. ADP may, in its sole discretion, reject use by Client of any IDP or any assertions or token provided by such IDP at any time. Client shall be liable for, and shall indemnify ADP against, any loss, liability, claim, damage or exposure arising from or in connection with any actions or activities by or relating to such IDP.

3. Implementation. (a) The Parties will, at their own respective cost and expense, work with each other in order to coordinate the testing and implementation of the FUI Feature, to include such activities as: (i) agreeing (to the extent not already agreed to herein) to the standard format for sharing authentication information between the Parties' systems; (ii) any necessary Client programming to meet the requirements of the FUI Feature; (iii) implementation of any required idle timeout, account linking, session management, and global logout techniques; (iv) joint testing of the solution; and (v) scheduling and coordinating the implementation of such solution. (b) The Parties will, at their own respective cost and expense, coordinate efforts to implement an end user support process which will act on the behalf of the Participants in order to investigate and answer any inquiries which may result from, relate to or be affected by the implementation or utilization of the FUI Feature. (c) Client will provide reasonable cooperation to assist with any additional network security features reasonably determined by ADP to be necessary to enhance the Internet facing FUI Feature. (d) Client agrees to immediately notify ADP of any security breach of the Client's internal system which provisions and/or stores the Participants with credentials to access the ADP Services through the FUI Feature. It is expected that the Client has an identity management system in place with appropriate security logging, retention, and transaction sharing processes in place. Client agrees to share any appropriate logs required for ADP to complete any necessary forensics in the event of a security incident. It is therefore expected that any logs would be available for at least six months. The notification referred to above may lead to the joint decision to cease all Participants' access (either directly or indirectly) to the ADP Services until the security issues are resolved to both parties mutual agreement. Client will also be willing to assist in any security breaches and or emergencies requested by ADP. (e) Client agrees to document for its former employees the process such former employees (provided by ADP to Client) to reregister with ADP for access to any ADP Services that the employee has the rights to beyond the employee's employment.

4. FSSO Client Indemnity. Client agrees to indemnify and hold harmless ADP from and against, and pay and reimburse ADP for any and all claims, costs, losses, damages or liabilities to the extent resulting from the utilization by Client or Participants of the FUI Feature or any unauthorized access to or use of the ADP systems or services through the FUI Feature. The foregoing obligations of Client shall not be limited by any liability provisions contained in the Agreement.

5. Termination/Transition. In the event of termination of the FUI Feature for cause by ADP, ADP will use reasonable efforts, in cooperation with Client, to convert the provision of the then continuing Covered Services to ADP's standard security authentication systems, but ADP will not be responsible for any consequences or damages to Client resulting from unavailability of the Covered Services to Client or Participants while such reasonable efforts are being made by ADP. In addition to any other termination rights under the Agreement, ADP may terminate this FSSO Amendment upon 60 days prior written notice to Client in the event that ADP will no longer be supporting the ADP Services generally for clients.

1. ADP, and not AppDirect, is solely responsible for providing, maintaining, supporting and updating the Application and its associated services. ADP shall provide product support for the Application.

2. ADP HEREBY DISCLAIMS ON BEHALF OF APPDIRECT ANY EXPRESS, IMPLIED OR STATUTORY REPRESENTATIONS OR WARRANTIES, AND ALL OTHER WARRANTIES, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.

3. You and your end users' sole and exclusive remedies shall be against ADP and not against AppDirect. AppDirect shall have no liability or obligation to You or your end users.

4. You and your end users will not (i) decompile or reverse engineer the ADP Marketplace or take any other action to discover the source code or underlying ideas or algorithm of any components thereof, (ii) copy the ADP Marketplace, (iii) post, publish or create derivative works based on the ADP Marketplace, or (iv) remove any copyright notice, trade or service marks, brand names and the like from the ADP Marketplace or related documentation.

5. AppDirect is a third-party beneficiary of the above described terms and is entitled to enforce such terms as if it each were a party to this agreement.