Risk management

The purpose of our risk management policy in agreements is to provide efficient and safe contract execution by categorizing the levels and types of risk we may face and clear process in signing off of acceptance of risk.

Risk Levels

• Level 1 - Low risk or documented accepted risk, and 90% probability worst case < $10K

• Level 2 - Risk to address before IPO and 90% worst case < $100K

• Level 3 - Risk to address before Series C

• Level 4 - Risk to address from 6 months from discovery

• Level 5 - Risk to address ASAP

• Level N - Needs Investigation

Risk Types

• Intellectual property - including copyright

• Tax - including corporate tax, employment tax, sales tax, and other forms

• Liability - including risk from lack of/commitment to indemnity from/to 3rd parties

• Jurisdiction - including material risk from mechanisms other than JAMS or California law

• Export compliance - including U.S. embargo

• Employment law risk - including statutory benefits

• Internal consistency - including compensation

• Business risk - including non-market terms and ability to meet expectations

• System security - exposure to potential security breaches

• Contract compliance risk - risk of being in breach of customer contracts or other contracts

Agreements

Risk levels are most commonly addressed in agreements of the following types:

• Customer agreements

• Vendor agreements

• Employment agreements

• Partnerships agreements

Mattermost Templated Agreement

Mattermost Templated Agreements (MTAs) have significant reduced risk and in general can be reviewed and executed within 1 business day.

Examples include:

• Mattermost Mutual Non-disclosure Agreement (link needed)

Custom Agreements

All custom agreements require approval by procurement and may take days to weeks to complete depending on their complexity.

Risk Types and Risk Levels for Custom Agreements

Note: Risk levels are expected to change over time. For example: Contracts in foreign jurisdictions may be less of an issue over time as we establish infrastructure in those jurisdictions.

Risk Acceptance Process

The following summarizes the process for review and risk acceptance on any agreement that binds Mattermost, Inc.

Legal Review and Approval ("LRA")

Legal review and approval is required for all custom agreements and department heads should ensure their teams plan their work to provide at least 1-2 weeks for the review of any custom contracts.

Risk Acceptance ("RA")

Risk Acceptance Initial ("RAI") is provided by a Mattermost staff member who is a non-interim department head or someone director-level or higher and who has also completed Mattermost procurement and risk management training within the last 12 months.

RAI initial should appear within 2 inches of the FCA signature it maximize clarity that RAI is complete when FCA is executed.

Final Company Approval ("FCA")

To bind the company to any agreement Final Company Approval ("FCA") is provided by the company CEO, and potentially board members, via physical or electronic signature.

E-sign Process

HR-related E-sign

All HR-related e-sign should be conducted via either:

• a HelloSign account controlled by Mattermost (which is only accessible by staff approved for handling confidential HR data)

• an e-sign system controlled by our partner law firm, Cooley

HR-related agreements should not be executed using the company-controlled DocuSign account given HR privacy requirements.

General Agreements

The following table summarizes general agreements to be completed via company-controlled DocuSign or vendor-controlled DocuSign with written sign-off from Mattermost staff member requesting the agreement that the vendor will send the fully-executed contract to procurement within 1 business day after execution.