AUDIT AND ADVISORY SERVICES TERMS

Information as a Commodity (IAAC)
A trade name of Northern Gaming L.L.C., a Minnesota limited liability company

Last Updated: March 29, 2026
Version 3.0

Section 1. Purpose and Scope of Audit Services

1.1 Purpose of Audit Services

The Audit service is designed to:

• Evaluate a participant’s current privacy and digital exposure posture;
• Expand upon concepts introduced in IAAC educational materials; and
• Provide structured, high-level guidance regarding potential risk areas and prioritization.

1.2 Scope of Audit Services

The Audit includes:

• Review of participant-provided information;
• Discussion of relevant risk categories;
• Identification of potential areas of concern; and
• General guidance on prioritization of actions.

The Audit does not include:

• Implementation of recommendations;
• System configuration; or
• Execution of any changes.

1.3 Relationship to Educational Services

The Audit builds upon IAAC’s educational Services and extends beyond general Q&A by:

• Addressing a broader range of risk areas; and
• Providing structured, participant-specific considerations.

However, the Audit remains:

• Educational in nature; and
• Limited in scope as defined in this Policy.

1.4 No Guarantee of Completeness

The Audit does not:

• Cover all possible risks;
• Identify all vulnerabilities; or
• Provide a comprehensive security or privacy assessment.

Participants acknowledge that:

• Only a subset of risk areas may be discussed; and
• Unknown or undiscovered risks may remain.

1.5 No Expansion of Scope

Nothing in the Audit shall be interpreted to:

• Expand IAAC’s obligations beyond those defined in this Policy and the Terms & Conditions; or
• Create additional services beyond the defined Audit session.

1.6 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 2. Nature of Services and No Consulting Relationship

2.1 Non-Consulting Nature of Audit

The Audit is not:

• Consulting services;
• Managed services; or
• Professional advisory services.

The Audit provides structured guidance only and does not involve execution or management of participant systems.

2.2 No Professional Advice

The Audit does not constitute:

• Legal advice;
• Financial advice;
• Cybersecurity consulting;
• Regulatory compliance advice; or
• Any regulated professional service.

2.3 No Fiduciary or Advisory Relationship

Participation in an Audit does not create:

• A fiduciary relationship;
• An advisor-client relationship; or
• Any ongoing duty of care beyond the defined session.

2.4 No Ongoing Obligation

IAAC has no obligation to:

• Provide follow-up services;
• Monitor participant systems; or
• Maintain ongoing engagement after the Audit session.

2.5 User Responsibility

Participants are solely responsible for:

• Decisions made based on Audit discussions;
• Actions taken following the Audit; and
• Seeking additional professional advice where necessary.

2.6 Alignment with Terms & Policies

This Section shall be interpreted in conjunction with:

• Section 13 (Regulatory Positioning) of the Terms & Conditions; and
• The Q&A Policy.

2.7 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 3. Audit Session Structure and Time Limitations

3.1 Session Format

The Audit is conducted as a scheduled session, which may include:

• Discussion of participant-provided information;
• Review of selected risk areas; and
• General guidance regarding prioritization and considerations.

3.2 Time Limitation (Hard Cap)

Audit sessions are strictly limited to the scheduled duration, which shall not exceed sixty (60) minutes unless otherwise explicitly agreed in writing.

The session will conclude at the scheduled end time regardless of:

• Remaining questions; or
• Unaddressed topics.

3.3 No Obligation to Extend Time

IAAC is not obligated to:

• Extend the session;
• Continue discussion beyond the scheduled time; or
• Provide additional coverage of topics not addressed during the session.

3.4 No Guarantee of Coverage

Due to time constraints, the Audit may not:

• Address all participant concerns;
• Cover all identified risk areas; or
• Provide detailed discussion of every topic.

3.5 Single-Session Scope

Each Audit is limited to:

• The scheduled session; and
• The topics reasonably addressed within that time.

Additional sessions require separate agreement and payment.

3.6 No Carryover or Continuation

Unused time, unanswered questions, or incomplete discussions:

• Do not carry over; and
• Do not create entitlement to additional services.

3.7 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 4. Participant Responsibilities and Pre-Session Requirements

4.1 Responsibility for Providing Information

Participants are solely responsible for:

• Providing accurate, complete, and relevant information; and
• Disclosing information necessary for meaningful discussion.

4.2 No Independent Verification

IAAC does not:

• Verify participant-provided information;
• Independently investigate participant systems; or
• Confirm the accuracy of disclosed details.

4.3 Preparation Requirement

Participants are responsible for:

• Reviewing relevant course materials; and
• Preparing questions or areas of focus prior to the session.

4.4 Impact of Incomplete or Inaccurate Information

Incomplete, inaccurate, or omitted information may:

• Limit the effectiveness of the Audit; and
• Affect the relevance of any guidance provided.

IAAC is not responsible for outcomes resulting from such limitations.

4.5 No Obligation to Elicit Information

IAAC is not obligated to:

• Prompt for missing details;
• Identify undisclosed risks; or
• Conduct investigative questioning beyond general discussion.

4.6 Responsibility for Technical Setup

Participants are responsible for:

• Ensuring access to necessary devices and platforms;
• Maintaining a stable internet connection; and
• Preparing any materials needed for discussion.

4.7 No Access to Systems or Credentials

Participants shall not:

• Provide account credentials; or
• Grant system access to IAAC.

IAAC does not accept or use such access.

4.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 5. Implementation Boundaries and Execution Limitations

5.1 No Implementation Services

The Audit does not include:

• Implementation of recommendations;
• Configuration of systems, devices, or accounts; or
• Execution of any changes.

IAAC provides guidance only and does not perform actions on behalf of participants.

5.2 No Step-by-Step Execution Guidance

IAAC does not provide:

• Detailed, system-specific step-by-step instructions tailored to a participant’s environment; or
• Real-time walkthroughs intended to execute changes.

Guidance is provided at a general level only.

5.3 Participant Responsibility for Implementation

Participants are solely responsible for:

• Deciding whether to act on guidance;
• Implementing any changes; and
• Verifying the accuracy and effectiveness of such actions.

5.4 No Validation or Verification

IAAC does not:

• Validate participant implementations;
• Confirm correctness of configurations; or
• Test or verify outcomes.

Any discussion of implementation remains conceptual.

5.5 Assumption of Implementation Risk

Participants assume all risks associated with:

• Applying guidance;
• Misinterpreting information; or
• Implementing changes within their environment.

Such risks include, without limitation:

• Data loss;
• Account lockout;
• System misconfiguration;
• Unauthorized access; and
• Service disruption.

5.6 No Guarantee of Results

IAAC does not guarantee that:

• Recommendations will improve security or privacy;
• Risks will be reduced or eliminated; or
• Any specific outcome will be achieved.

5.7 No Expansion of Scope

Nothing in the Audit shall be interpreted to:

• Create responsibility for implementation outcomes; or
• Expand IAAC’s obligations beyond those defined in this Policy and the Terms & Conditions.

5.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 6. No System Access, Control, or Managed Services

6.1 No Access to Participant Systems

IAAC does not access:

• Participant devices;
• Accounts;
• Networks; or
• Systems.

All Audit interactions occur without system-level access or visibility.

6.2 No Remote Control or Intervention

IAAC does not:

• Take control of participant devices;
• Perform remote actions; or
• Execute changes within participant environments.

6.3 No Managed or Ongoing Services

The Audit does not include:

• Managed services;
• Ongoing monitoring;
• Continuous support; or
• System administration.

6.4 No Duty to Detect or Prevent Issues

IAAC has no obligation to:

• Detect vulnerabilities;
• Identify security incidents; or
• Prevent or mitigate risks within participant systems.

6.5 No Knowledge of Full Environment

Audit discussions are based solely on:

• Participant-provided information; and
• Limited session context.

IAAC does not have:

• Full visibility into participant systems; or
• Complete understanding of their environment.

6.6 Third-Party System Disclaimer

Participant implementation may involve third-party systems (e.g., Kajabi, Stripe, Google services).

IAAC is not responsible for:

• Behavior of such systems;
• Integration issues; or
• Outcomes resulting from third-party interactions.

6.7 Alignment with Terms & Conditions

This Section shall be interpreted in conjunction with:

• Section 3 (Service Limitations);
• Section 4 (Implementation Risk); and
• Section 11 (Account Use and Restrictions)

of the Terms & Conditions.

6.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 7. Recording, Confidentiality, and Information Sharing

7.1 Prohibition on Recording

Participants may not record, capture, or transmit any portion of the Audit session without prior written consent from IAAC.

This includes use of:

• Mobile devices;
• Screen recording software;
• Audio or video recording tools; and
• Wearable devices (including smart glasses or similar technologies).

7.2 Unauthorized Recording as Breach

Unauthorized recording or distribution of Audit content constitutes:

• A material breach of this Policy; and
• A violation of IAAC’s intellectual property rights.

7.3 Limited Confidentiality Expectation

The Audit is not a confidential advisory or consulting engagement.

IAAC does not undertake obligations equivalent to:

• Attorney-client privilege;
• Professional confidentiality; or
• Formal nondisclosure agreements

unless separately agreed in writing.

7.4 Participant Responsibility for Information Disclosure

Participants are solely responsible for any information they choose to disclose.

Participants should not share:

• Account credentials;
• Sensitive authentication data;
• Highly confidential business information; or
• Information they are not authorized to disclose.

7.5 No Duty to Protect Disclosed Information

IAAC has no obligation to:

• Review participant disclosures for sensitivity;
• Prevent disclosure of confidential information; or
• Implement safeguards beyond standard operational practices.

7.6 Shared Communication Environment

Audit sessions may occur through third-party communication platforms.

IAAC does not control:

• Platform-level security; or
• Data handling practices of such platforms.

7.7 Third-Party Recording and Platform Risk

IAAC is not responsible for:

• Recording by third-party platforms;
• Platform data retention; or
• Unauthorized use of session content by external systems.

7.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 8. Information Handling, Accuracy, and Risk Acknowledgment

8.1 Reliance on Participant-Provided Information

Audit discussions are based solely on:

• Information provided by the participant; and
• Limited session context.

IAAC does not independently verify such information.

8.2 Accuracy and Completeness Risk

Inaccurate, incomplete, or omitted information may:

• Affect the relevance of guidance; and
• Limit the effectiveness of the Audit.

IAAC is not responsible for outcomes resulting from such limitations.

8.3 No Guarantee of Information Accuracy

IAAC does not guarantee that:

• All information discussed is complete;
• All risks are identified; or
• All considerations are addressed.

8.4 Assumption of Information Risk

Participants assume all risks associated with:

• Using information provided during the Audit;
• Misinterpreting guidance; or
• Applying general concepts to specific environments.

8.5 Third-Party System and Data Risk

Implementation of Audit guidance may involve third-party systems.

IAAC is not responsible for:

• Behavior of such systems;
• Data handling by third parties; or
• Outcomes resulting from their use.

8.6 No Duty to Update or Maintain Information

IAAC does not undertake a duty to:

• Update Audit findings;
• Notify participants of new risks; or
• Maintain ongoing accuracy of information provided.

8.7 Alignment with Terms & Privacy Policy

This Section shall be interpreted in conjunction with:

• Section 15 (Assumption of Risk) of the Terms & Conditions; and
• The Privacy Policy.

8.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 9. Limitation of Liability (Audit-Specific)

9.1 Application of Terms & Conditions

Audit services are subject to the limitation of liability provisions set forth in the Terms & Conditions, including Section 20.

Such limitations apply fully to all Audit sessions and related interactions.

9.2 No Liability for Audit Content

To the maximum extent permitted by applicable law, IAAC shall not be liable for any damages arising out of or relating to:

• Audit discussions;
• Guidance or recommendations provided; or
• Participant reliance on such information.

9.3 Categories of Excluded Damages

This includes, without limitation:

• Loss of data;
• System misconfiguration;
• Account lockout;
• Unauthorized access or security incidents;
• Operational disruption;
• Financial loss; and
• Any indirect, incidental, or consequential damages.

9.4 No Guarantee of Risk Reduction

IAAC does not guarantee that:

• Risks will be identified;
• Vulnerabilities will be discovered; or
• Security or privacy will be improved.

9.5 Participant Reliance at Own Risk

Participants acknowledge that:

• Audit guidance is based on limited information; and
• Any reliance on such guidance is at their own risk.

9.6 No Expansion of Liability

Nothing in the Audit shall be interpreted to:

• Expand IAAC’s liability; or
• Create additional duties beyond those defined in the Terms & Conditions.

9.7 Aggregate Liability Cap Reference

Any liability arising from Audit services shall be subject to the same aggregate liability cap defined in the Terms & Conditions.

9.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 10. Indemnification (Audit-Specific Alignment)

10.1 Application of Indemnification Provisions

Participant obligations under the indemnification provisions in the Terms & Conditions (Section 19) apply fully to Audit services.

10.2 Participant Responsibility for Actions

Participants agree to indemnify, defend, and hold harmless IAAC from any claims arising out of or relating to:

• Use of Audit services;
• Reliance on Audit discussions or recommendations;
• Implementation of any guidance; and
• Consequences resulting from participant actions.

10.3 Third-Party Claims

This includes claims brought by:

• Third parties;
• Regulatory bodies; or
• Other individuals

arising from participant conduct, decisions, or system changes.

10.4 No Limitation by Insurance or Caps

Participant indemnification obligations shall not be limited by:

• Insurance coverage; or
• Any limitation of liability provision.

10.5 Defense and Control

IAAC reserves the right to:

• Assume control of defense; and
• Manage resolution of any claim subject to indemnification.

Participants agree to cooperate fully in such matters.

10.6 Survival

This Section shall survive:

• Completion of the Audit session; and
• Termination of Services.

10.7 No Expansion of IAAC Obligations

Nothing in this Section shall be interpreted to:

• Increase IAAC’s obligations; or
• Reduce protections provided under the Terms & Conditions.

10.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

11.1 Incorporation of Terms & Conditions

Audit services are governed by the dispute resolution provisions set forth in the Terms & Conditions, including Section 21.

Such provisions apply fully to any dispute arising out of or relating to:

• Audit sessions;
• Communications; and
• Any related interactions.

11.2 Mandatory Arbitration

To the maximum extent permitted by applicable law, any dispute arising from Audit services shall be resolved exclusively through binding arbitration, as defined in the Terms & Conditions.

11.3 Class Action Waiver

All disputes must be brought on an individual basis.

Class, collective, or representative actions are not permitted.

11.4 Waiver of Jury Trial

You waive any right to a jury trial to the maximum extent permitted by applicable law.

11.5 Forum Selection (Fallback)

If a dispute is determined not to be subject to arbitration, it shall be brought exclusively in the state or federal courts located in Minnesota.

You consent to jurisdiction and waive objections to venue.

11.6 No Separate Dispute Framework

Audit services do not create a separate dispute resolution framework.

All disputes are governed solely by the Terms & Conditions.

11.7 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.

Section 12. Final Acknowledgment and Binding Effect

12.1 Acknowledgment of Scope and Limitations

You acknowledge that you:

• Understand the limited scope of the Audit;
• Understand that the Audit is not consulting or professional advisory services; and
• Understand that guidance is general and based on limited information.

12.2 Voluntary Participation

Participation in the Audit is voluntary.

You may discontinue participation at any time, subject to applicable Terms.

12.3 No Reliance on Statements Outside Agreement

You acknowledge that you have not relied on:

• Statements;
• Representations; or
• Informal communications

outside the Terms & Conditions, this Policy, and related agreements.

12.4 Binding Effect

This Policy is legally binding to the maximum extent permitted by applicable law.

Participation in an Audit constitutes acceptance of this Policy.

12.5 Method of Acceptance

Acceptance may occur through:

• Purchase of Audit services;
• Participation in a session; or
• Agreement to IAAC policies.

Such acceptance has the same legal effect as a signed written agreement.

12.6 Entire Agreement Alignment

This Policy forms part of the overall agreement between you and IAAC.

It must be interpreted in conjunction with:

• The Terms & Conditions;
• The Privacy Policy; and
• The Q&A Policy.

12.7 Survival

Provisions that by their nature should survive shall remain in effect, including:

• Limitation of liability;
• Indemnification; and
• Dispute resolution.

12.8 Jurisdictional Application and Savings Clause

To the maximum extent permitted by applicable law:

• This Section shall be enforced in full;
• Any unenforceable provision shall be modified to the minimum extent necessary; and
• The remainder shall remain valid and enforceable.

Nothing in this Section limits non-waivable statutory rights.