MASTER SERVICES AGREEMENT

I.

PARTIES AND RECITALS

This Master Services Agreement ("Agreement") is entered into as of the Effective Date between:

Moana and the Client are each referred to as a "Party" and together as the "Parties".

RECITALS: (A) Moana has developed and operates a cloud-based and offline-capable healthcare infrastructure platform delivering EMR/EHR functionality, clinical workflow management, and health data interoperability services. (B) The Client wishes to engage Moana to provide access to the Platform and related services for the Client's healthcare operations. (C) The Parties agree to be bound by the terms of this Agreement.

II.

DEFINITIONS AND INTERPRETATION

2.1 Definitions

In this Agreement, the following terms have the meanings set out below:

2.2 Interpretation

(a) Headings are for convenience only. (b) "Including" means "including without limitation". (c) Singular includes plural and vice versa. (d) References to legislation include amendments and subordinate legislation. (e) Where conflict arises between the main body of this Agreement and a Schedule, the Schedule prevails only with respect to the specific subject matter it addresses. (f) References to "days" mean calendar days unless stated otherwise.

III.

SCOPE OF SERVICES

3.1 Platform Licence

Subject to the terms of this Agreement and payment of applicable Fees, Moana grants the Client a non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Platform during the Term solely for the Client's internal healthcare operations as specified in the applicable Order Form.

3.2 Core Platform Capabilities

The Platform provides the following core capabilities, subject to the modules licensed in the applicable Order Form:

• Electronic Medical Records and EHR — creation, management, retrieval, and longitudinal management of patient health records in FHIR R4 format

• Clinical workflow management — appointment scheduling, clinical pathways, care coordination, and task management

• Patient data management — registration, demographics, consent management, and longitudinal care records

• Health system interoperability — FHIR R4 (primary), HL7 v2/v3 (legacy compatibility), and DICOM integration for medical imaging

• Laboratory integration — biochemistry, haematology, and diagnostic reporting via HL7 and FHIR

• Radiology integration — PACS connectivity, digital X-ray, CT, and mammography workflow support

• Pharmacy integration — electronic prescribing, medication management, and dispensing workflows

• Multi-facility deployment — networked management of hospitals, clinics, primary care centres, and community health facilities

• Offline-first architecture — full clinical operational capability without continuous internet connectivity, with automated conflict-resolved synchronisation upon reconnection

• Third-party API integration — documented REST APIs for integration with approved external systems

3.3 Implementation Services

Where specified in an Order Form, Moana will provide Implementation Services comprising: (a) discovery and requirements analysis; (b) system configuration and module activation; (c) legacy data migration (where included in scope); (d) third-party system integration; (e) user acceptance testing support; (f) go-live technical support; and (g) staff training and onboarding. Moana will conduct Implementation Services in accordance with the Implementation Plan agreed in the applicable Order Form.

3.4 Training

Moana will provide initial training as specified in the Order Form. Training may be delivered in person (where agreed), remotely, or via Moana's online learning resources. Additional training engagements may be purchased at Moana's then-current rates.

3.5 Support and Maintenance

Moana will provide technical support and Platform maintenance in accordance with the SLA in Schedule B. Unless Priority or Enhanced Support has been purchased, standard support is available during Moana's business hours (AEST/AEDT).

3.6 Business Continuity and Disaster Recovery

Moana maintains and tests a business continuity and disaster recovery plan (BCDR Plan) for the Platform. Key BCDR metrics are specified in Schedule B and include: (a) Recovery Time Objective (RTO): target of four (4) hours for critical system recovery; (b) Recovery Point Objective (RPO): target of one (1) hour maximum data loss. The BCDR Plan is reviewed annually and tested at minimum once per calendar year. Moana will provide a summary of BCDR test results upon request.

3.7 Platform Updates

Moana may update, enhance, and patch the Platform at its discretion. Moana will: (a) provide seven (7) days' notice for non-emergency scheduled maintenance; (b) provide reasonable prior notice of material feature changes; and (c) use commercially reasonable efforts to schedule disruptive maintenance outside of peak clinical operating hours. Moana may release emergency patches at any time with minimal advance notice where necessary to address security vulnerabilities.

IV.

CLIENT RESPONSIBILITIES

4.1 Client Obligations

The Client is responsible for:

• Providing accurate, complete, and timely information required for Implementation Services

• Ensuring all Authorised Users receive Moana-recommended training before accessing the Platform in live clinical environments

• Maintaining adequate internet connectivity, power supply, and device infrastructure to support Platform access

• Designating a named Client Project Manager and technical point of contact for each deployment

• Ensuring all healthcare activities conducted using the Platform comply with applicable laws, professional registration requirements, and clinical standards

• Obtaining all required patient and staff consents for collection, storage, and processing of data on the Platform

• Promptly reporting any suspected security incidents, data breaches, or system anomalies to Moana via the support channels specified in Schedule B

• Ensuring that Authorised Users comply with the Terms of Use and all applicable usage policies

4.2 Account Security

The Client is solely responsible for: (a) managing and controlling access credentials for all Authorised Users; (b) ensuring Authorised Users do not share login credentials; (c) immediately notifying Moana of any suspected compromise of credentials or unauthorised access; and (d) ensuring that all Authorised User devices used to access the Platform are secured with appropriate device-level security controls.

4.3 Infrastructure Dependencies

The Client acknowledges that Platform performance may be affected by Client-controlled infrastructure, including power supply, local area networks, WAN connectivity, and endpoint devices. Moana is not liable for Platform unavailability or degraded performance attributable to deficiencies in Client-controlled infrastructure or third-party connectivity not within Moana's control.

4.4 Government and Regulatory Compliance

Where the Client is a government entity or receives government funding, the Client is responsible for ensuring that its procurement and use of the Platform comply with applicable government procurement policies, including the Commonwealth Procurement Rules (where applicable), relevant Pacific Island government procurement frameworks, and any applicable international development partner requirements (e.g., World Bank procurement guidelines).

V.

FEES AND PAYMENT

5.1 Fees

The Client will pay Moana the fees specified in the applicable Order Form ("Fees"). Fees may be structured as: (a) per-facility or per-site licensing; (b) per-Authorised-User licensing; (c) national deployment or enterprise flat licensing; (d) implementation and professional services fees on a fixed-price or time-and-materials basis; or (e) a combination of the foregoing as specified in the Order Form.

5.2 Milestone Payments

Where an Order Form specifies milestone-based payment, the following default milestone structure applies unless otherwise agreed:

5.3 Payment Terms

Unless otherwise stated in an Order Form: (a) invoices are payable within thirty (30) days of the invoice date; (b) recurring subscription fees are invoiced in advance at the commencement of each billing period; (c) all amounts are stated exclusive of applicable taxes; and (d) payments must be made in Australian dollars (AUD) unless an alternative currency is specified in the Order Form.

5.4 Taxes and GST

Each Party is responsible for its own income taxes. Where Moana is required by law to charge GST, VAT, or equivalent indirect taxes, such amounts will be added to the invoice and paid by the Client in addition to the Fees. Moana will issue tax invoices in accordance with the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

5.5 Late Payment

Amounts unpaid beyond the due date may incur interest at 2% per annum above the Reserve Bank of Australia's cash rate from the due date. Moana may suspend Platform access after fourteen (14) days' written notice of non-payment, without prejudice to its other rights and remedies.

5.6 Fee Reviews

Moana may adjust its standard fees annually on sixty (60) days' prior written notice. Adjustments do not apply mid-term to existing Order Forms unless otherwise agreed in writing.

VI.

DATA OWNERSHIP AND PROTECTION

6.1 Data Ownership

All Client Data, including Patient Data and Health Records, is and shall remain the sole and exclusive property of the Client. Moana acquires no ownership, title, or interest in Client Data by virtue of this Agreement or the provision of Services. The Client retains full sovereignty over all patient health information at all times.

6.2 Moana as Data Processor

For the purposes of applicable Privacy Laws, the Client is the Data Controller and Moana is the Data Processor with respect to Client Data processed on the Platform. Moana will process Client Data only: (a) in accordance with this Agreement and the DPA; (b) as strictly necessary to provide the Services; and (c) as required by applicable law, in which case Moana will notify the Client in advance where legally permissible.

6.3 Data Processing Agreement

The DPA set out in Schedule C forms an integral part of this Agreement and governs the processing of personal data. In the event of any conflict between this Agreement and the DPA with respect to the processing of personal data, the DPA prevails.

6.4 Data Export

Upon request at any time during the Term, or upon termination, Moana will provide a complete export of all Client Data in FHIR R4-compliant JSON format or another agreed standard format within thirty (30) days of the request, at no additional charge unless the export requires substantial professional services engagement.

6.5 Prohibition on Data Use

Moana will not: (a) use Client Data for any purpose other than providing the Services; (b) sell, license, or disclose Client Data to third parties except as expressly permitted by this Agreement or required by law; or (c) aggregate, anonymise, or de-identify Client Data for Moana's own commercial benefit without the Client's express prior written consent.

VII.

INTELLECTUAL PROPERTY

7.1 Moana IP

The Platform and all Intellectual Property Rights therein are and shall remain the exclusive property of Moana or its licensors. Nothing in this Agreement transfers any ownership of the Platform, its underlying architecture, algorithms, or technology to the Client. The Client receives only the licence rights expressly granted in this Agreement.

7.2 Client IP

The Client retains all Intellectual Property Rights in: (a) Client Data; (b) all materials and content provided by the Client to Moana; and (c) any client-specific customisations developed exclusively for the Client and funded by the Client under an Order Form, which shall be owned by the Client upon full payment.

7.3 Feedback Licence

Where the Client provides suggestions, feedback, or recommendations concerning the Platform, the Client assigns to Moana all rights in such feedback, and Moana may use it to improve the Platform without restriction or obligation.

VIII.

CONFIDENTIALITY

8.1 Mutual Obligations

Each Party will: (a) hold the other Party's Confidential Information in strict confidence with at least the same degree of care used for its own confidential information (and no less than reasonable care); (b) not disclose Confidential Information to any third party without prior written consent; and (c) use Confidential Information solely for the purposes of this Agreement.

8.2 Permitted Disclosures

Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the receiving Party; (b) was independently known prior to disclosure; (c) is independently developed without use of the Confidential Information; or (d) must be disclosed by law or court order, provided the receiving Party gives prompt written notice where legally permissible.

8.3 Duration

Confidentiality obligations survive termination for five (5) years, except for trade secrets which are protected indefinitely.

IX.

WARRANTIES

9.1 Moana Warranties

Moana warrants that: (a) it has full authority to enter into this Agreement; (b) the Platform will perform materially in accordance with its then-current documentation; (c) Services will be delivered with reasonable skill and care; (d) Moana will maintain appropriate technical and organisational security measures; (e) the Platform will not knowingly incorporate malicious code; (f) the Platform supports FHIR R4, HL7 v2/v3, and DICOM standards as documented; and (g) Moana holds all necessary licences and registrations to provide the Services in Australia.

9.2 Client Warranties

The Client warrants that: (a) it has full authority to enter this Agreement; (b) all information provided is accurate and complete; (c) the Client will use the Platform in compliance with all applicable laws and professional standards; and (d) the Client has obtained all necessary consents for Client Data submitted to the Platform.

9.3 Disclaimer

EXCEPT AS EXPRESSLY SET OUT IN THIS AGREEMENT, MOANA PROVIDES THE PLATFORM AND SERVICES "AS IS" AND DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. MOANA DOES NOT WARRANT THAT THE PLATFORM WILL BE UNINTERRUPTED OR ERROR-FREE AT ALL TIMES.

X.

LIMITATION OF LIABILITY AND INDEMNITY

10.1 Exclusion of Consequential Loss

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY: (a) LOSS OF PROFITS; (b) LOSS OF REVENUE; (c) LOSS OF BUSINESS; (d) LOSS OF DATA (BEYOND DATA RECOVERY COSTS); (e) LOSS OF ANTICIPATED SAVINGS; (f) LOSS OF GOODWILL; OR (g) INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH LOSS.

10.2 Aggregate Liability Cap

Subject to Clause 10.3, each Party's total aggregate liability to the other under or in connection with this Agreement (in contract, tort, or otherwise) shall not exceed the greater of: (a) the total Fees paid or payable by the Client to Moana in the twelve (12) months immediately preceding the event giving rise to the claim; or (b) AUD $[INSERT AGREED CAP].

10.3 Uncapped Liabilities

The limitations in Clauses 10.1 and 10.2 do not apply to: (a) death or personal injury caused by a Party's negligence; (b) fraud or fraudulent misrepresentation; (c) a Party's obligations under Clauses 10.4 and 10.5; (d) wilful misconduct; or (e) any other liability that cannot be excluded or limited by applicable law, including obligations under the Australian Consumer Law.

10.4 Moana Indemnity

Moana will defend, indemnify, and hold harmless the Client against third-party claims that the Platform, as provided by Moana and used in accordance with this Agreement, infringes any third-party Intellectual Property Rights, provided the Client: (a) promptly notifies Moana in writing; (b) grants Moana sole control of the defence; and (c) provides reasonable cooperation.

10.5 Client Indemnity

The Client will defend, indemnify, and hold harmless Moana against third-party claims arising from: (a) the Client's breach of this Agreement; (b) the Client's use of the Platform in violation of applicable laws; or (c) any clinical decision, act, or omission by Authorised Users or healthcare professionals in connection with their use of the Platform.

10.6 Clinical Liability Separation

MOANA IS A TECHNOLOGY INFRASTRUCTURE PROVIDER ONLY. MOANA DOES NOT PROVIDE MEDICAL ADVICE, DIAGNOSIS, TREATMENT, OR ANY CLINICAL SERVICES. ALL CLINICAL DECISIONS MADE USING OR IN CONNECTION WITH THE PLATFORM ARE MADE SOLELY BY QUALIFIED HEALTHCARE PROFESSIONALS AND ARE THE SOLE RESPONSIBILITY OF THE RELEVANT CLINICIAN AND THE CLIENT'S HEALTHCARE ORGANISATION. MOANA SHALL HAVE NO LIABILITY WHATSOEVER FOR CLINICAL OUTCOMES, ADVERSE EVENTS, DIAGNOSTIC ERRORS, OR TREATMENT DECISIONS.

XI.

SECURITY

11.1 Security Programme

Moana implements and maintains a comprehensive Information Security Management System (ISMS) aligned with ISO/IEC 27001 standards, which includes at minimum:

• AES-256 encryption of all data at rest within AWS infrastructure

• TLS 1.2 or higher encryption for all data in transit across all network communications

• Role-based access control (RBAC) enforcing the principle of least privilege

• Multi-factor authentication including JWT tokens, OTP verification, biometric and PIN authentication

• Secure password hashing using bcrypt or equivalent industry-standard algorithms

• AWS Key Management Service (KMS) for cryptographic key management

• Device and session tracking with automated anomaly detection

• AWS-signed URLs for time-limited secure access to stored files

• CORS configuration and input data validation pipelines

• Regular independent penetration testing and vulnerability assessments

• Incident detection, response, and forensic capability

11.2 AWS Infrastructure

The Platform is hosted on Amazon Web Services (AWS) infrastructure. Moana's security posture benefits from AWS's certifications including ISO 27001, SOC 2 Type II, and applicable HIPAA technical safeguards. The primary data region is [ap-southeast-2 (Sydney)] unless otherwise specified in an Order Form. Data residency requirements for specific deployment jurisdictions will be agreed in the applicable Order Form.

11.3 Security Incident Response

Moana will notify the Client without undue delay, and within seventy-two (72) hours of confirmation, of any security incident or Personal Data breach affecting Client Data. Notification will include: (a) nature and scope of the incident; (b) categories and approximate volume of data affected; (c) likely consequences; (d) measures taken or proposed. Moana will cooperate fully with the Client in investigation, remediation, and regulatory notification obligations.

XII.

SERVICE LEVELS

Moana commits to the following minimum service levels for the Platform, with full details and remedies in Schedule B:

Service credits for SLA failures are the Client's sole remedy for availability shortfalls unless such failures constitute a material breach. Service credit calculations are detailed in Schedule B.

XIII.

AUDIT RIGHTS

The Client may, on thirty (30) days' prior written notice and no more than once per calendar year, conduct or commission an independent audit of Moana's security and compliance practices as they relate to Client Data processing. Audits shall be: (a) conducted during normal business hours; (b) conducted at the Client's expense; (c) subject to the auditor executing a confidentiality agreement acceptable to Moana; and (d) conducted in a manner that minimises disruption to Moana's operations. Moana will provide reasonable cooperation and documentation to support the audit.

XIV.

REGULATORY CLASSIFICATION

Moana Digital Health is positioned as a health information technology (health IT) infrastructure platform providing data management, workflow facilitation, and interoperability services. As at the Effective Date, the Platform is not classified as a Software as a Medical Device (SaMD) under: (a) the Therapeutic Goods Administration (TGA) framework and the Therapeutic Goods (Medical Devices) Regulations 2002; (b) the FDA Software as a Medical Device guidance (where applicable); or (c) the EU MDR 2017/745 (where applicable).

This classification is based on the Platform's current functionality as a data management and workflow tool. The Parties acknowledge that: (a) regulatory classifications may change as the Platform's capabilities evolve; (b) Moana will monitor applicable regulatory guidance and notify the Client of any material change in classification assessment; and (c) the Client is responsible for ensuring its own regulatory compliance in connection with its healthcare operations.

XV.

FORCE MAJEURE

Neither Party will be liable for delay or failure to perform its obligations to the extent such delay or failure is caused by a Force Majeure Event. A Party relying on this clause must: (a) promptly notify the other in writing; (b) use reasonable endeavours to mitigate the impact; and (c) resume performance as soon as reasonably practicable. If a Force Majeure Event affecting Moana continues for more than sixty (60) days, either Party may terminate the affected Order Form on written notice without further liability (other than for Fees accrued prior to the Force Majeure Event).

XVI.

DISPUTE RESOLUTION

16.1 Escalation Process

In the event of a dispute, the Parties agree to follow this escalation process before commencing litigation:

16.2 Urgent Relief

Nothing in Clause 16.1 prevents a Party from seeking urgent interlocutory relief from a court of competent jurisdiction where necessary to protect its rights.

XVII.

GOVERNING LAW

Unless otherwise specified in an Order Form, this Agreement is governed by the laws of the State of Victoria, Australia, and each Party submits to the non-exclusive jurisdiction of the courts of Victoria and the Federal Court of Australia. For deployments in Pacific Island nations or other international jurisdictions, the Parties may agree an alternative governing law in the applicable Order Form, provided such law is not inconsistent with Moana's data protection obligations.

XVIII.

TERM AND TERMINATION

18.1 Term

This Agreement commences on the Effective Date and continues until terminated. Each Order Form specifies an Initial Term which automatically renews for successive equal periods unless either Party gives written notice of non-renewal at least sixty (60) days before the end of the then-current term.

18.2 Termination for Convenience

Either Party may terminate this Agreement on ninety (90) days' written notice. Where the Client terminates for convenience during a committed subscription term, the Client remains liable for all Fees for the balance of that term, subject to Moana's duty to mitigate.

18.3 Termination for Cause

Either Party may terminate this Agreement immediately on written notice if the other Party: (a) commits a material breach unremedied within thirty (30) days of written notice; (b) enters administration, receivership, or insolvency proceedings; or (c) commits a breach incapable of remedy.

18.4 Effect of Termination

Upon termination: (a) all licences immediately cease; (b) Moana makes Client Data available for export for thirty (30) days; (c) each Party returns or destroys the other's Confidential Information within thirty (30) days (with written certification); (d) all accrued payment obligations remain due; and (e) Clauses VI, VII, VIII, X, XVII, and XIX survive.

XIX.

GENERAL PROVISIONS

19.1 Entire Agreement

This Agreement and all Schedules and Order Forms constitute the entire agreement between the Parties with respect to their subject matter and supersede all prior agreements, representations, and understandings.

19.2 Amendments

This Agreement may only be amended by a written instrument signed by authorised representatives of both Parties.

19.3 Assignment

Neither Party may assign its rights or obligations without the other's prior written consent (not to be unreasonably withheld). Moana may assign to a successor in connection with a merger, acquisition, or sale of substantially all its assets.

19.4 Severability

If any provision is held unenforceable, it will be modified to the minimum extent necessary, and remaining provisions continue in full force.

19.5 Waiver

No waiver is effective unless in writing. A waiver of one breach does not constitute a waiver of subsequent breaches.

19.6 Notices

All notices must be in writing and delivered by email (with read receipt or confirmation) or registered post. Moana's notice address: contact@moanadigitalhealth.com, St Kilda Road, Melbourne, Victoria 3004, Australia. Notices are deemed received upon confirmed delivery.

19.7 Relationship

The Parties are independent contractors. Nothing in this Agreement creates an employment relationship, partnership, joint venture, or agency.

19.8 Counterparts

This Agreement may be executed in counterparts, including electronically. Each counterpart is an original and all together constitute one instrument.

XX.

CONTACT DETAILS

 EXECUTION

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.