# Mutual Non-Disclosure Agreement **This Agreement is dated 16 April 2026** **Between** (1) **Zenith Holdings plc**, a company incorporated in England and Wales (No. 04217883), whose registered office is at 1 Aldwych, London WC2B 4HX ("**Zenith**"); and (2) **NimbusLogistics Group Ltd**, a company incorporated in England and Wales (No. 09182734), whose registered office is at 14 Crown Wharf, London E14 0NW ("**NimbusLogistics**"), each a "**Party**" and together the "**Parties**". --- ## Recitals (A) The Parties wish to discuss a possible business transaction concerning NimbusLogistics (the "**Permitted Purpose**"). (B) In connection with the Permitted Purpose each Party may disclose Confidential Information (as defined below) to the other. (C) Each Party wishes to ensure that the Confidential Information disclosed to it is used solely for the Permitted Purpose and is otherwise kept confidential. The Parties agree as follows. ## 1. Definitions **"Confidential Information"** means all information of whatever kind disclosed (whether before or after the date of this Agreement) by one Party (the "**Discloser**") to the other (the "**Recipient**") in connection with the Permitted Purpose, including without limitation: the existence and content of these discussions, business plans, customer lists, financial information, technical information, source code, models, datasets, and any analyses, compilations, studies or other documents prepared by either Party which contain or reflect such information. **"Public AI Service"** means any artificial-intelligence service hosted by a third party where the input or output data is processed outside the Recipient's exclusive control. For the avoidance of doubt, this includes but is not limited to consumer chat assistants, third-party API endpoints, and cloud LLM endpoints whose providers retain rights to inspect, store, or train on submitted content. **"Permitted Recipients"** means the Recipient's directors, officers, employees, professional advisers and group companies who have a need to know the Confidential Information for the Permitted Purpose. ## 2. Confidentiality obligations 2.1 Each Recipient shall: a) keep all Confidential Information disclosed to it strictly confidential and use it solely for the Permitted Purpose; b) disclose Confidential Information only to its Permitted Recipients, and only on terms at least as restrictive as those in this Agreement; c) protect the Confidential Information using the same standard of care it uses to protect its own confidential information of a similar nature, but in no event less than a reasonable standard; d) not copy, reproduce, distribute or otherwise disseminate the Confidential Information except as strictly necessary for the Permitted Purpose; and e) on request from the Discloser, return or destroy all Confidential Information in its possession (subject to any legal or regulatory retention obligations). ## 3. AI tooling 3.1 **Public AI Services prohibited.** Neither Party shall, and each Party shall procure that its Permitted Recipients shall not, input, upload, paste, transmit, or otherwise disclose any Confidential Information to a Public AI Service. This restriction applies regardless of the apparent confidentiality settings of any such service. Following *Munir v Secretary of State for the Home Department* [2026] UKUT 81, the Parties record their shared understanding that input of Confidential Information into a Public AI Service constitutes disclosure to the public domain and would amount to a material breach of this Agreement. 3.2 **Self-hosted AI tooling permitted.** Either Party may use AI tooling that runs entirely within infrastructure under that Party's exclusive control (including but not limited to on-premises deployments, virtual private cloud deployments, and self-hosted open-source models). For such tooling each Party shall maintain a verifiable audit chain capable of replaying any decision made by the model in respect of Confidential Information disclosed under this Agreement. 3.3 **Audit chain disclosure.** Either Party may, on reasonable notice, request from the other a copy of the IDR (Intent Decision Record) audit chain for any AI-assisted decision touching that Party's Confidential Information. The other Party shall comply with the request within seven (7) Business Days, in a format that allows independent cryptographic verification. ## 4. Exclusions The obligations in clause 2 do not apply to information that the Recipient can demonstrate by written records: a) was already in its possession before disclosure by the Discloser, free of any obligation of confidence; b) is or becomes publicly available without breach of this Agreement; c) is independently developed by the Recipient without use of any Confidential Information; or d) is required to be disclosed by law, regulation, or order of a competent court or regulator (in which case the Recipient shall promptly notify the Discloser, where lawful to do so, before making the disclosure). ## 5. No licence Nothing in this Agreement grants either Party any right or licence in or to the other Party's Confidential Information beyond use for the Permitted Purpose. ## 6. Term This Agreement commences on the date first set out above and continues for a period of three (3) years thereafter, save that clause 3 (AI tooling) shall continue in force without limit of time in respect of any Confidential Information disclosed during the term. ## 7. Governing law and jurisdiction This Agreement is governed by the laws of England and Wales. The Parties submit to the exclusive jurisdiction of the courts of England and Wales. --- Signed for and on behalf of **Zenith Holdings plc**: ________________________________ Henrik Vester · Group General Counsel · 16 April 2026 Signed for and on behalf of **NimbusLogistics Group Ltd**: ________________________________ Aoife Devereux · Chief Executive Officer · 16 April 2026 --- > **Demo note**: clause 3.2's "verifiable audit chain capable of replaying any decision made by the model" is the contractual hook the IDR Audit Chain exists to satisfy. NimbusLogistics' counsel asked specifically that the AI clause appear in this NDA — that ask was captured by Catherine via DONNA on the morning of 16 April (`idr_004` in the audit log). Open `idr-audit-log.json` to walk the chain.