CONTRACT 6355 Service Agreement CLOSED
Agreement No. 6355
SERVICES AGREEMENT
BETWEEN THE CITY OF EL SEGUNDO
AND
WAITWHILE, INC.
THIS AGREEMENT, is entered into this 18th day of April, 2022, by and between CITY OF
EL SEGUNDO, a municipal corporation ("CITY") and WAITWHILE, INC, a Delaware
corporation ("CONSULTANT").
1. CONSIDERATION.
A. As partial consideration, CONSULTANT agrees to perform the scope of services
attached as Exhibit "A," and incorporated by reference ("SERVICES"). The
SERVICES include maintaining a software program for various tasks associated
with WAITWHILE, INC. ("SOFTWARE").
B. As additional consideration, CONSULTANT and CITY agree to abide by the
terms and conditions contained in this Agreement;
C. As additional consideration, CITY will pay CONSULTANT the compensation set
forth in Exhibit B, but in no event more than Five Thousand Thirty-Four dollars
($5,034.00).
D. CITY will not be liable for any costs or expenses exceeding the sum paid to
CONSULTANT pursuant to Section 1(C) unless otherwise agreed to by the
Parties and by written amendment to this Agreement.
2. TERM. The term of this Agreement will be for one (1) year. This Agreement will
automatically renew, on an annual basis, on its anniversary date unless otherwise terminated.
Unless otherwise determined by written amendment between the parties, this Agreement will
terminate in the following instances:
A. Completion of the work specified in Exhibit "A";
B. Termination as stated in Section 9.
3. "SELF-HELP" AND "MALICIOUS" CODES PROHIBITED.
A. CONSULTANT understands and agrees that CONSULTANT's use of any "self-
help" or "malicious" codes, as defined by this Section, is prohibited and
constitutes an "unfair business practice" as defined by California law.
Notwithstanding any other provision of this Agreement that limits
CONSULTANT's liability, CONSULTANT will be fully liable for all penalties
and damages arising from use of a self-help or malicious code.
B. "Self-help code" means any back-door, time-bomb, drop-dead, time-out, lock-up,
slow-down, data freezing, logic bombs, or other software routine, code, devices,
techniques intended to disable, slow, prevent operation of, or otherwise interfere
with or change any operation of any computer system, software or other property
automatically with the passage of time or under the prior instruction, triggering
event or control of someone other than Client.
C. "Malicious Code" means any virus, "spyware," "Trojan horse," "worm," "Easter
egg," "cancelbot," "trapdoor," or other unapproved or malicious software routine,
code, command, device, technique, or instruction or other contaminant intended to
i. Permit unauthorized access to, detection of, modification of, or monitoring
of any code, system, or data;
ii. Alter, supplement, disable, erase, limit, threaten, infect, assault, vandalize,
defraud, disrupt, damage, disable, shut down or delete, threaten, slow or
otherwise inhibit the functioning of, or otherwise harm any of the code,
documentation or data or any computer system, software or other
property;
iii. Render any data irretrievable, modified, or disrupted so as to be unreliable
in any regard;
iv. Perform any other unauthorized action, or prevent, limit, condition or
inhibit performance of authorized actions or any function including,
without limitation, to its security or end user data.
4. LAWS AND REGULATIONS. Except as stated in Exhibit A, Section 2(b) (Use
Restrictions), CONSULTANT will be responsible for complying with any and all applicable
Federal, State, County, and Municipal laws and regulations and the conditions of any required
licenses and permits before entering into this Agreement. Such compliance will be at
CONSULTANT's sole cost and without any increase in price or time on account of such
compliance, regardless of whether compliance would require additional labor, equipment, and/or
materials not expressly provided for in the Agreement or CONSULTANT's proposal.
5. INDEMNIFICATION.
A. CONSULTANT agrees to the following:
i. Indemnification for Professional Services. CONSULTANT will save
harmless and indemnify and at CITY's request reimburse defense
costs for CITY and all its officers, volunteers, employees and
representatives from and against any and all suits, actions, or claims,
of any character whatever, brought for, or on account of, any injuries
or damages sustained by any person or property resulting or arising
from any negligent or wrongful act, error or omission by
CONSULTANT or any of CONSULTANT's officers, agents, or
employees in the performance of professional services under this
Agreement, except for such loss or damage arising from CITY's sole
negligence or willful misconduct.
ii. Indemnification for other Damages. CONSULTANT indemnifies and
holds CITY harmless from and against any claim, action, damages,
costs (including, without limitation, attorney's fees), injuries, or
liability, arising out of CONSULTANT'S breach of this Agreement,
except to the extent such loss or damage arising from CITY's
negligence or willful misconduct. Should CITY be named in any suit,
or should any claim be brought against it by suit or otherwise,
whether the same be groundless or not, arising out of this Agreement,
or its performance, CONSULTANT will defend CITY (at CITY's
request and with counsel satisfactory to CITY) and will indemnify
CITY for any judgment rendered against it or any sums paid out in
settlement or otherwise.
iii. Intellectual Property Infringement. Notwithstanding any provision to
the contrary, CONSULTANT will, at its own expense, indemnify and
defend CITY against any claim that CONSULTANT's services or
work product furnished under this Agreement infringes a patent or
copyright in the United States or Puerto Rico. In such event,
CONSULTANT will pay all costs damages and attorney's fees that a
court finally awards as a result of such claim. To qualify for such
defense and payment, CITY must (a) give CONSULTANT prompt
written notice of any such claim; and (b) allow CONSULTANT to
control, and fully cooperate with CONSULTANT in the defense and
all related settlement negotiations. CITY agrees that if the use of
CONSULTANT's services or work product becomes, or
CONSULTANT believes is likely to become, the subject of such an
intellectual property claim, CITY will permit CONSULTANT, at its
option and expense, either to secure the right for CITY to continue
using CONSULTANT's services and work product or to replace it
with comparable services and work product.
B. For purposes of this section "CITY" includes CITY's elected and appointed
officials, officers, employees, and volunteers.
C. It is expressly understood and agreed that the foregoing provisions will survive
termination of this Agreement.
D. The requirements as to the types and limits of insurance coverage to be
maintained by CONSULTANT as required by Section 6, and any approval of said
insurance by CITY, are not intended to and will not in any manner limit or qualify
the liabilities and obligations otherwise assumed by CONSULTANT pursuant to
this Agreement, including, without limitation, to the provisions concerning
indemnification.
6. INSURANCE.
A. Before commencing performance under this Agreement, and at all other times this
Agreement is effective, Consultant will procure and maintain the following types
of insurance with coverage limits complying, at a minimum, with the limits set
forth below:
Type of Insurance                 Limits (combined single)
Commercial general liability:     $1,000,000
Professional Liability            $1,000,000
Workers compensation              Statutory requirement.
B. Commercial general liability insurance will meet or exceed the requirements of
the most current ISO-CGL Form. The amount of insurance set forth above will
be a combined single limit per occurrence for bodily injury, personal injury, and
property damage for the policy coverage. Liability policies will be endorsed to
name City, its officials, and employees as "additional insureds" under said
insurance coverage and to state that such insurance will be deemed "primary"
such that any other insurance that may be carried by City will be excess thereto.
Such insurance will be on an "occurrence," not a "claims made," basis and will
not be cancelable or subject to reduction except upon thirty (30) days prior written
notice to City.
C. Professional liability coverage will be on an "occurrence basis" if such coverage
is available, or on a "claims made" basis if not available. When coverage is
provided on a "claims made basis," Consultant will continue to maintain the
insurance in effect for a period of three (3) years after this Agreement expires or
is terminated ("extended insurance"). Such extended insurance will have the same
coverage and limits as the policy that was in effect during the term of this
Agreement, and will cover Consultant for all claims made by City arising out of
any errors or omissions of Consultant, or its officers, employees or agents during
the time this Agreement was in effect.
D. Consultant will furnish to City duly authenticated Certificates of Insurance
evidencing maintenance of the insurance required under this Agreement,
endorsements as required herein, and such other evidence of insurance or copies
of policies as may be reasonably required by City from time to time. Insurance
must be placed with insurers with a current A.M. Best Company Rating
equivalent to at least a Rating of "A:VII."
E. Should Consultant, for any reason, fail to obtain and maintain the insurance
required by this Agreement, City may obtain such coverage at Consultant's
expense and deduct the cost of such insurance from payments due to Consultant
under this Agreement or terminate.
7. TERMINATION OF AGREEMENT
A. During the term of this Agreement, CITY may, in its sole discretion, terminate
this Agreement with or without cause by giving written notice to
CONSULTANT. Termination will become effective immediately upon the
giving of notice as provided in this section of the Agreement. The City Manager
may exercise such right of termination on behalf of CITY.
B. Except as otherwise provided, upon termination of this Agreement, CITY will be
liable to CONSULTANT only for all work done by CONSULTANT up to and
including the date of termination of this Agreement unless the termination is for
cause, in which event CONSULTANT need be compensated only to the extent
required by law. For the avoidance of doubt, CITY shall not be entitled to a
refund of pre-paid fees attributable to services not rendered to the CITY.
8. NOTICES
A. CONSULTANT will notify CITY of changes in address. All notices given or
required to be given pursuant to this Agreement will be in writing and may be
given by personal delivery or by mail. Notice sent by mail will be addressed as
follows:
To CITY: Attn: Information Technology Services Department
City of El Segundo
350 Main Street
El Segundo, CA 90245
To CONSULTANT: Waitwhile, Inc.
1407 Funston Avenue
San Francisco, CA 94122
and, when addressed in accordance with this paragraph, will be deemed given
upon deposit in the United States mail, postage prepaid. In all other instances,
notices will be deemed given at the time of actual delivery. Changes may be
made in the names or addresses of persons to whom notices are to be given by
giving notice in the manner prescribed in this paragraph.
9. AUDIT AND ACCESS TO RECORDS. CONSULTANT, including
CONSULTANT's subcontractors, will maintain records and other evidence of all expenses
incurred in the performance of this Agreement for a period of three (3) years after completion.
CITY or any of its duly authorized representatives will, for the purpose of audit and examination,
have reasonable access to and be permitted to inspect such records and other evidence of
expenses and costs charged to CITY and/or incurred for work related to SERVICES no more
than once per contract year. For purposes of audit, the date of completion of the Agreement will
be the date of CITY'S payment for CONSULTANT's final billing (so noted on invoice) under
this Agreement.
10. NON-APPROPRIATION OF FUNDS. Payments due and payable to CONSULTANT for
current services are within the current budget and within an available, unexhausted and
unencumbered appropriation of the CITY. In the event the CITY has not appropriated sufficient
funds for payment of CONSULTANT services beyond the current fiscal year, this Agreement
will cover only those costs incurred up to the conclusion of the current fiscal year and no further
services will be provided thereafter.
11. INDEPENDENT CONTRACTOR. CONSULTANT, CONSULTANT's
subconsultants, employees, agents, and representatives, will act as independent contractors while
performing the SERVICES and will have control of CONSULTANT's work and the manner in
which it is performed, except as is otherwise provided herein. CONSULTANT will be free to
contract for other services performed during the term of this Agreement. CONSULTANT is not
an agent or employee of CITY and is not entitled to participate in any pension plan, insurance,
bonus or similar benefits CITY provides for its employees.
12. ASSIGNMENT. An essential element of this Agreement is the skill and creativity of
CONSULTANT. CONSULTANT may not, therefore, assign the creative portions of the work to
a third party for the production of the work without CITY's prior written consent. Failure to
conform to this provision may result in termination of the Agreement.
13. CONSISTENCY. In interpreting this Agreement and resolving any ambiguities, the main
body of this Agreement takes precedence over the attached Exhibits; this Agreement supersedes
any conflicting provisions. Any inconsistency between the Exhibits will be resolved in the order
in which the Exhibits appear below:
A. Exhibit A; Waitwhile Queue Management Enterprise Agreement and Security FAQ 1
B. Exhibit B; City of El Segundo Quote
14. ENTIRE AGREEMENT. This Agreement, and its Attachments, sets forth the Parties'
entire understanding. There are no other understandings, terms or other agreements expressed or
implied, oral or written. There are three (3) attachments to this Agreement. Except as otherwise
provided, this Agreement will bind and inure to the benefit of the Parties to this Agreement and
any subsequent successors and assigns.
15. MODIFICATION. No alteration, change or modification of the terms of the Agreement
will be valid unless made in writing and signed by both Parties hereto and approved by
appropriate action of CITY. The city manager may exercise this authority on behalf of CITY.
16. FACSIMILE SIGNATURES FOR SUBSEQUENT AGREEMENTS. The Parties
agree that agreements ancillary to this Agreement, and related documents to be entered into in
connection with this Agreement will be considered signed when the signature of a party is
delivered by facsimile transmission. Such facsimile signature will be treated in all respects as
having the same effect as an original signature.
17. TAXPAYER IDENTIFICATION NUMBER. CONSULTANT will provide CITY
with CONSULTANT's Taxpayer Identification Number.
18. STATEMENT OF EXPERIENCE. By executing this Agreement, CONSULTANT
represents that CONSULTANT has demonstrated trustworthiness and possesses the quality,
fitness, and capacity to perform the Agreement in a manner satisfactory to CITY.
CONSULTANT represents that CONSULTANT's financial resources, surety and insurance
experience, service experience, completion ability, personnel, current workload, experience in
dealing with private parties, and experience in dealing with public agencies all suggest that
CONSULTANT is capable of performing the proposed contract and has a demonstrated capacity
to deal fairly and effectively with and to satisfy a public agency.
19. WAIVER. A waiver by a party of any breach of any term, covenant, or condition
contained in this Agreement will not be deemed to be a waiver of any subsequent breach of the
same or any other term, covenant, or condition contained in this Agreement whether of the same
or different character. The payment or acceptance of fees for any period after a default will not
be deemed a waiver of any right or acceptance of defective performance.
20. SEVERABILITY. If any portion of this Agreement is declared by a court of competent
jurisdiction to be invalid or unenforceable, then such portion will be deemed modified to the
extent necessary in the opinion of the court to render such portion enforceable and, as so
modified, such portion and the balance of this Agreement will continue in full force and effect.
21. RESERVED.
22. FORCE MAJEURE. Should performance of this Agreement be prevented due to fire,
flood, explosion, acts of terrorism, war, embargo, government action, civil or military authority,
the natural elements, or other similar causes beyond the Parties' reasonable control, then the
Agreement will immediately terminate without obligation of either party to the other.
23. INTERPRETATION; VENUE. This Agreement and its performance will be governed,
interpreted, construed and regulated by the laws of the State of California. Exclusive venue for
any action involving this Agreement will be in Los Angeles County.
[SIGNATURES ON NEXT PAGE]
IN WITNESS WHEREOF the parties hereto have executed this contract the day and year
first hereinabove written.
CITY OF EL SEGUNDO                WAITWHILE, INC.
Charles Mallory,
Director, Inform
ATTEST:
Tracy Weaver,
City Clerk
APPROVED AS TO FORM:
MARK D. HENSLEY, City Attorney
M.
Vazquez, Deputy City Attorney
INSURANCE REVIEW:
Han.
Risk Manager
Lire sey Gagnon
VP of Client Services
EXHIBIT A
Waitwhile
Information Security Organization
Is there an information security and privacy program and policies in place that is
reviewed, updated, and approved annually by management, and communicated
to staff, contractors, and relevant third parties?
Waitwhile has an information security program that is reviewed, updated, and approved annually
by management, and communicated to staff, contractors, and relevant third parties. The
program includes policies for Acceptable Use, Asset Management, Information Security, Backup
Management, Vulnerability and Patch Management, Incident Response, Privacy, Vendor Security.
The program and policies are updated at least annually.
Has a designated person(s) been appointed within the organization that is
accountable for overseeing the information security and privacy program
management, maintenance, and compliance?
Waitwhile has designated a responsible person for each policy and program. Responsibilities
include keeping the organization informed, leading the review process and keeping information
up to date.
Does an information classification policy and procedures exist to classify
information and systems?
Waitwhile has an information classification policy that outlines how information should be
stored, transmitted, handled and disposed. The classes in use are public, internal, restricted,
confidential. All information that is confidential is required to be stored encrypted at rest and
when transmitted, and securely disposed of.
Asset Management
Does a hardware and software acquisition policy exist and is it reviewed,
updated, and reaffirmed on at least an annual basis, and communicated to
affected stakeholders at least annually?
Waitwhile's security policy contains provisions for hardware and software acquisition and is
reviewed annually.
Is there an inventory of all information technology assets including software
applications, hardware, databases and datastores, network devices, web
services, etc.?
Waitwhile keeps an inventory of all information technology assets including software
applications, hardware, databases and datastores, network devices, web services. We use
Google Cloud Platform Security Command Center to keep track of all assets within our cloud
infrastructure. Employee devices and software are tracked in Google Workspace.
Do you have procedures for the secure sanitization and disposal of assets?
Waitwhile has procedures for secure sanitization and disposal of assets. We rely on Google
Cloud Platform for disposing of assets within our cloud infrastructure. Employee devices are
securely wiped of all data before disposal.
Workforce Security
Do documented HR policies and procedures exist for the onboarding of
employees, contractors, and relevant third parties that incorporate best
practices for performing background checks and other evaluations to
reasonably ensure that employees, contractors, and relevant third parties are
not hired that pose an information security threat, and are these
policies/procedures reviewed and reaffirmed annually?
Waitwhile has documented procedures for onboarding employees, contractors, and relevant
third parties. Before they join our staff, Waitwhile will verify an individual's education and
previous employment, and perform internal and external reference checks. Where local labor
law or statutory regulations permit, Waitwhile may also conduct criminal, credit, immigration,
and security checks. The extent of these background checks is dependent on the desired
position.
Are all employees, contractors, and relevant third parties required to formally
acknowledge they have received new hire and annual information security and
privacy awareness training?
Waitwhile employees undergo security awareness training as part of the orientation process and
receive ongoing security training throughout their careers. Depending on their job role, additional
training on specific aspects of security may be required. For instance, the information security
team instructs new engineers on topics like secure coding practices, product design and
automated vulnerability testing tools.
Are new employees, contractors, and relevant third parties required to sign a
confidentiality agreement and acceptance of policies?
During orientation, new employees and contractors agree to our policies and acceptable use,
which highlights our commitment to keep customer information safe and secure.
Environmental Security
Does the information security and privacy program include physical security
controls (such as door locks, badges, escorts, mantraps, secure public facing
network jacks/Wi-Fi, alarms, and cameras) to prevent and detect unauthorized
individuals accessing facilities/systems where all access is based on business
need-to-know and least privilege principles?
Waitwhile uses Google Cloud Platform for our cloud infrastructure. Google's data center
physical security features a layered security model, including safeguards like custom-designed
electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and
biometrics, and the data center floor features laser beam intrusion detection. Data centers are
monitored 24/7 by high-resolution interior and exterior cameras that can detect and track
intruders. Access logs, activity records, and camera footage are available in case an incident
occurs. Data centers are also routinely patrolled by experienced security guards who have
undergone rigorous background checks and training. All hardware is tracked and disposed of in
a secured manner. To keep things running 24/7 and ensure uninterrupted services, data centers
feature redundant power systems and environmental controls.
Operational Security
Are there specific policies and procedures covering system administration and
network management?
Waitwhile uses Google Cloud Platform for our cloud infrastructure and relies on Google's
stringent policies and procedures covering system administration and network management.
Are all computing and network infrastructure devices (workstations, router,
switches, wireless access points, firewalls, etc.) securely hardened, including
changing default passwords, before placing the asset into production?
Waitwhile uses Google Cloud Platform for our cloud infrastructure and relies on Google's
hardening of VM images and network devices. All employee devices are required to use strong
passwords, client firewall, full disk encryption and other operating system hardening settings.
Are vulnerability scans and penetration tests performed on internal critical and
sensitive networks and systems at least every 90 days?
Waitwhile performs scans for security threats using a combination of commercially available
tools. For our cloud infrastructure we use Security Command Center's automated vulnerability
and threat detection services.
Does a policy and procedures exist to identify, risk rate, manage, and
remediate/patch system vulnerabilities and is/are the policy/procedures
reviewed, reaffirmed, and communicated to affected stakeholders at least
annually?
Waitwhile administers a vulnerability management process that involves scans for security
threats using a combination of commercially available tools, intensive automated and manual
penetration efforts, quality assurance processes, software security reviews and external audits.
Once a vulnerability requiring remediation has been identified, it is logged, prioritized according
to severity, and assigned an owner. The owner then tracks the issue and follows up frequently
until they can verify that the issue has been remediated. Waitwhile also offers bug bounties for
disclosed vulnerabilities from external parties.
Do you have a capability to patch vulnerabilities across all of your computing
devices, applications, and systems?
Waitwhile relies on Google Cloud Platform's stringent patching policies to apply OS level patches
in a timely manner across all its infrastructure. For application patches Waitwhile has a patch
management procedure that allows for deploying a patch across all services efficiently.
Does an adequate virus / malware protection program exist to prevent
employees, contractors, relevant third parties, and customers from introducing
unauthorized malware (viruses, worms, spyware, adware, etc.) from being
installed and/or activated on computing and networking devices (laptops,
desktops, PDAs, smart phones, tablets, servers, etc.)?
Waitwhile uses a variety of methods to prevent, detect and eradicate malware. Waitwhile
leverages Google Cloud Platform anti-malware services for our cloud infrastructure. Employees
are mandated to use Google's Safe Browsing in Chrome to prevent malware from being installed
through visiting infected websites and make use of the built-in antivirus engines of Google
Workspace Email and Google Drive.
Please describe any additional steps your organization takes to detect and
prevent ransomware attacks (e.g. segmentation of your network, additional
software tools, external security services, etc.).
We're using Google Workspace / Google Drive for all file access with versioning and
access/author control.
Audits & Assessments
Are annual independent third-party security audit/assessments (ex. SSAE SOC2
Type II, ISO 27000 series, HITRUST, PCI DSS, etc.) conducted on your internal
operations?
Waitwhile is currently undergoing an SOC2 Type 2 audit and certification process. It is
scheduled to be complete in Q2 2021.
Are annual independent third-party penetration tests on public facing systems
conducted?
Waitwhile performs third-party penetration tests annually. Last test was conducted in Q4 2020.
Cryptographic Controls
Does an encryption policy exist and is the policy reviewed and reaffirmed on an
annual basis, and communicated to affected stakeholders at least annually?
Waitwhile's security policy contains provisions for encryption standards and is reviewed
annually.
Is customer data encrypted in transit on internal and public networks?
Waitwhile encrypts all data in transit with TLS 1.2 or TLS 1.3 with AES-128+.
Is customer data encrypted at rest?
Waitwhile encrypts all data at rest with AES-256.
Is all sensitive electronic information maintained on employees, contractors, or
relevant third-party portable devices (laptops, phones, PDAs, tablets, etc.)
encrypted to prevent sensitive information from being compromised in the
event the device is lost or stolen?
Waitwhile's security policy requires that all mobile devices are passcode protected and
encrypted.
Are all sensitive electronic information and/or backups that is/are transported
off site via physical media encrypted (tape, disk, thumb drive, DVD, CD, etc.)?
Waitwhile's security policy requires that all portable physical media is password protected and
encrypted.
Do you have documented key management procedures in place to securely
store encryption keys and identify key owners?
Waitwhile relies on Google Cloud Platform managed encryption keys using hardened key
management systems, including strict key access controls and auditing.
Communications
Are all communications containing customer information (e.g. instant
messaging, email, conference calls, video conferences, Voice over IP, voicemail)
conducted in a secure manner?
Waitwhile's security policy and Code of Conduct contain provisions that customer data is
stored and transmitted in a secure manner.
Do you have website whitelisting and blacklisting in place to prevent access to
unknown malicious websites?
Waitwhile employees are mandated to use Google's Safe Browsing in Chrome to prevent access
to malicious websites.
Security Monitoring
Do you have security logging and monitoring of systems in place that includes
capturing the use of privileged credentials, user activities, exceptions, faults,
firewall activity, system alerts, events and internal and external
communications? Is event logging in place and are logs monitored?
Waitwhile leverages Google Cloud Platform for audit logging and monitoring which captures use
of privileged credentials, user activities, exceptions, faults, firewall activity, system alerts, events
and internal and external communications, across all our cloud infrastructure.
Do you have controls in place to prevent unauthorized access and tampering of
logs?
Waitwhile leverages Google Cloud Platform for logging which prevents unauthorized access and
tampering.
Data Incident Notification & Response
Do a policy and procedure related to security incident and privacy event
management exist and is/are the policy/procedures reviewed and reaffirmed on
an annual basis, and communicated to affected stakeholders at least annually?
Waitwhile has an Incident Response Plan that is reviewed at least annually. The plan outlines
escalation, severity classification, responsibilities, response steps, contact information and
post-mortem.
Is there an information security and privacy incident response team ready to be
deployed in the event of known or suspected unauthorized access to sensitive
information?
Waitwhile has a team of employees that are designated to handle incident response.
Has there been any loss of company data confidentiality, integrity, or significant
reduction of availability in the past year as it relates to services being provided?
Waitwhile has not been subject to any data loss or significant reduction in availability so far.
How and when will you notify customers in case of a customer data breach?
Waitwhile will contact affected customers by email within 72 hours of an identified data breach.
Access Controls
Is every user uniquely identified and placed into roles, where authorization to
information systems and resources is based on business need-to-know roles
and least privilege principles?
Waitwhile employee access rights and levels are based on their job function and role, using the
concepts of least-privilege and need-to-know to match access privileges to defined
responsibilities.
Are access reviews, including entitlements, on user and privileged accounts
conducted at least semi-annually?
Waitwhile reviews access rights and privileges at least semi-annually.
Are accounts used by third party vendors and contractors only set up to be
active for the time needed (e.g. length of their contract)?
Waitwhile's third-party vendors and contractors are only given access rights and privileges while
their services are active.
Does an operating system security policy or procedure exist that restricts
non-admin/privilege accounts from making OS level modifications and changes
(e.g. general users can't download unapproved software, alter security settings,
etc.)?
Waitwhile restricts non-admin/privilege accounts from making OS level modifications and
changes.
Does a process exist to ensure that access to all systems and physical access is
immediately revoked from employees, contractors, and relevant third parties at
termination?
Waitwhile has a procedure that ensures access to systems and physical access is revoked
within 24 hours of termination.
Does a password management policy exist and is it reviewed, updated, and
reaffirmed on at least an annual basis, and communicated to affected
stakeholders at least annually?
Waitwhile's security policy contains provisions for password rules and management. Waitwhile
requires passwords to be at least 12 characters in length. Waitwhile enforces MFA for all
employees.
Are all passwords on network devices and systems encrypted in transport and
at rest?
Waitwhile leverages Google Cloud Platform Cloud Identity and Firebase Authentication, to
protect all passwords by hashing them with a salt using scrypt.
Is remote access to networks and systems required to be two-factor?
Waitwhile enforces MFA for all remote access to networks and systems, using Google
Authenticator. Only access through a verified browser is allowed.
Are secure, encrypted communications sessions utilized for all remote
administrative activities?
Waitwhile enforces secure, encrypted communications for all remote administrative activities
using TLS 1.2+ with AES-128+ and MFA authentication.
What procedures are in place to ensure the security of customer data?
Waitwhile logically isolates each customer's data from that of other customers and users, even
when it's stored on the same physical server. Only a small group of Waitwhile employees have
access to customer data. Waitwhile employees are only granted a limited set of default
permissions to access company resources, such as employee email and internal employee
portal. Requests for additional access follow a formal process that involves a request and an
approval from a data or system owner, manager, or other executives, as dictated by Waitwhile's
security policies. Support services are only provided to authorized customer administrators and
any access to customer data is audit logged.
Within customer organizations, administrative roles and privileges for Waitwhile are configured
and controlled by the customer. This means that individual team members can manage certain
services or perform specific administrative functions without gaining access to all settings and
data. Integrated audit logs offer a detailed history of administrative actions, helping customers
monitor internal access to data and adherence to their own policies.
Privacy & Data Retention
Do you have a publicly available privacy policy?
Waitwhile has a publicly available privacy policy at https://waitwhile.com/privacy and also GDPR
specific information at https://waitwhile.com/gdpr
Do you have technical capabilities to enforce customer data retention policies?
Waitwhile supports different ways of customizing customer data retention by scheduling
masking or erasure of customer data at set intervals.
Does a data retention procedure exist that ensures customer data is disposed of
at the end of engagement?
Waitwhile disposes of customer data at the end of engagement as soon as reasonably
practicable or within a maximum period of 90 days. Waitwhile may retain anonymized and
aggregated data for service improvement purposes, and audit logs may contain customer data
for up to 365 days after termination.
Do you support the secure deletion of data, including backups and archived
data?
Waitwhile relies on Google Cloud Platform's stringent procedures to securely erase data and
dispose of hardware in a secure way. Waitwhile employee devices are securely erased before
disposal or reassignment.
Can you describe the data flow of customer PII in your service?
The customer data flow within Waitwhile's system is highly dependent on the business use case
and service configuration, but typically looks as follows:
1. Customer data including PII is submitted to our server by our web client or through our
API.
2. Customer data is stored in our realtime database and retained at the business' discretion.
3. Data is stored in irreversibly anonymized form in our analytics database with indefinite
retention.
4. The customer data is also stored as immutable log entries in our application log retained
for 30 days and our audit log retained for 365 days.
5. Any notifications triggered by submitted data are sent and message data such as
recipient, sender and message content is in turn submitted to the relevant messaging
provider.
6. Notifications are received by recipient carriers/email providers and finally recipient
devices.
7. Any webhooks configured will submit data to their configured endpoints.
8. On a daily basis, customer data is backed up internally.
9. If configured, every 6 hours customer PII data where more than 24 hours has passed
since service completion, is irreversibly anonymized or erased in our database. Backups
and logs, being immutable, are not touched in this process.
10. Customer data including PII may remain in application logs retained for 30 days, audit
logs retained for 365 days and backups retained for 90 days, until their deletion.
What data retention policies do your messaging providers have?
• SparkPost is used for email messaging and does not store the body of the message.
All other data, such as the recipient, subject, sender, injection time and delivery time, is
only retained for 10 days. Aggregate reporting data is available through metrics or the
app for up to 6 months.
• Bandwidth is used for SMS messaging. Bandwidth encrypts and stores messages for 72
hours for customer-initiated troubleshooting and support ticket resolution. Access to
decrypt and view content is customer-initiated and limited to their TAC and subject to
their highest levels of access controls and auditing processes. Billing related Message
Detail Records (MDR) data - i.e. meta-data only, and excludes message content - is stored
typically up to 90 days for billing purposes and no more than 18 months for back billing
purposes, and for law enforcement purposes up to 7 years, with restricted access.
• Twilio is used for SMS messaging. Twilio only stores message data such as message
content and sender/recipients in redacted form. Data retention is 90 days.
Application Development
Does a Software Development Lifecycle (SDLC) exist, including required
approvals at key stages?
Waitwhile uses a Software Development Lifecycle featuring use of milestones, issue tracking,
source version control, automated testing, manual testing, static code analysis, security review,
continuous integration and peer code reviews. Approvals are required at key stages. Waitwhile
uses GitLab extensively to support this process.
Does a Change Management program exist around additions, deletions, and
changes to information technology assets?
Waitwhile has a change management process that involves issue tracking, security reviews and
approvals. Waitwhile uses GitLab and Google Cloud Platform to support this process.
End User Devices
Does an Acceptable Use Policy and procedures exist describing the proper and
improper use of information systems (including end user computing devices,
remote access, email, IM/chat, wireless, internet, removable media, social
media and social networking, etc.) and are the policy or procedures reviewed
and reaffirmed on annual basis, and communicated to affected stakeholders at
least annually?
Waitwhile's Acceptable Use Policy and Code of Conduct describes the proper and improper use
of information systems, including end user computing devices, remote access, email, IM/chat,
wireless, internet, removable media, social media and social networking. These documents are
reviewed at least annually.
Network Security
Are firewalls used to protect the network and limit traffic from external
connections?
Waitwhile uses firewalls to protect its network and limit traffic from external connections. Only
HTTP/S is allowed, everything else is denied.
Are firewalls used to segment internal networks?
Waitwhile uses Google Cloud Platform VPC to only allow required traffic between internal
networks.
Do you have the ability to segment customer data from other customer data?
Waitwhile logically isolates each customer's data from that of other customers and users, even
when it's stored on the same physical server.
Is wireless networking used in locations storing (e.g. data centers, servers) or
with access to (e.g. office locations accessing servers/cloud) customer
information?
Waitwhile does not use any wireless network within its cloud infrastructure. Waitwhile office
locations use wireless networks with WPA2 and strong passwords.
What domains must be allowed and/or whitelisted by customer firewall and
infrastructure for Waitwhile service to function?
Waitwhile requires the following domains to be allowed in order for the web application to work:
• v2.waitwhile.com
• app.waitwhile.com
• api.waitwhile.com
• waitwhile-app.firebaseapp.com
• waitwhile-app.firebaseio.com
• firestore.googleapis.com
• www.googleapis.com
Business Resiliency
Does your company have a business continuity/disaster recovery plan, along
with a policy or procedures that are reviewed and tested by affected
stakeholders at least annually? What is the RTO?
Waitwhile has a Business Continuity Plan which outlines key risks and mitigation procedures
and is reviewed at least annually. Waitwhile estimates its RTO to be 48 hours in case of disaster.
Does your business have a designated Crisis Management Team and Plan that
includes both business and technical representation that would assess the
crisis, aid in decision making and provide consistent status to all key
stakeholders?
Waitwhile's Business Continuity Plan includes responsibilities of key personnel in case of a
disaster.
Does your company conduct a Business Impact Analysis that identifies the
critical processes, the essential people who perform them, and the critical
applications to support them on an annual or bi-annual basis to identify the
impact of a significant business interruption?
Waitwhile performs an annual risk assessment and updates relevant policies and procedures
accordingly.
Do you have an effective communication/escalation plan with an established
SLA for who and when you will contact a customer company during a significant
interruption?
Waitwhile has a Service Level Agreement with an established procedure for contacting
customers in the event of a significant outage. Using our status page customers can subscribe
to incidents and keep track of system metrics.
Does your company have a third party management process that helps identify
and mitigate any business continuity or disaster recovery risks associated with
the third party's ability to recover from a significant business or technical
interruption?
Waitwhile performs an annual risk assessment of third-party services and updates relevant
policies and procedures accordingly.
Has your company conducted a risk assessment identifying the risks to your
specific locations, the ability to continue business and/or the risks associated
with the ability to recover critical applications?
Waitwhile performs an annual risk assessment of all locations and updates relevant policies
and procedures accordingly.
Does your company have identified relocation sites for employees, data
center(s) if your primary site(s) are unavailable?
Waitwhile employees are empowered to work from home in case of disaster or pandemic. Our
cloud infrastructure features multi-region data centers to minimize the effects of regional
disruptions such as natural disasters and local outages.
Does your company have a backup policy and procedures in place that ensures
all company and customer data is safely backed up? What is the RPO?
Waitwhile has a backup policy and procedure that ensures daily backups for all customer data.
The RPO is 24 hours. Backups are retained for 90 days.
Third Party Security
Are there security policies, practices, and procedures for assessing vendors and
subcontractors with whom you share sensitive information and are they
reviewed and evaluated for adequacy on at least an annual basis?
Waitwhile conducts an assessment of the security and privacy practices of third-party suppliers
to ensure they provide a level of security and privacy appropriate to their access to data and the
scope of the services they are engaged to provide.
Are vendors and subcontractors handling sensitive information contractually
required to comply with your information security and privacy policies,
standards, and practices?
Waitwhile requires third-party vendors to enter into appropriate security, confidentiality, and
privacy contract terms. Specifically we ensure third party vendors do not retain customer data
longer than necessary to perform the services required.
Do any other third parties collect, process, or manage customer information
(e.g. SaaS, IaaS, PaaS, call centers, recycling, disposal center, payment
gateway, etc.)?
Waitwhile relies on the following third-party vendors to deliver our service:
• Google Cloud Platform - used for cloud infrastructure
• Twilio - used for messaging
• Bandwidth - used for messaging
• SparkPost - used for messaging
• Intercom - used for support, chat and marketing
• Stripe - used for payment processing
Do you utilize any third party data centers and/or cloud hosting providers?
Google Cloud Platform
Do you have a cloud security responsibility matrix that delineates
responsibilities between the cloud provider and yourself?
TO
Risk Management
Is there an internal audit, risk management or compliance department with
responsibility for identifying and tracking resolution of information security and
privacy issues and audit findings?
Waitwhile has a team of employees that are responsible for risk assessments.
Is an information security and privacy risk assessment performed on at least an
annual basis by appropriately skilled individuals that includes identifying and
assessing critical assets, threats, and vulnerabilities?
Waitwhile includes information security and privacy when it performs its annual risk
assessment.
Location of Information
Will any customer data be stored, processed or managed outside the US as part
of these services?
Waitwhile does not store, process or manage customer data outside of the US.
Will customer systems be accessed outside the US as part of these services?
Waitwhile will not access customer systems from any country as part of delivering our service.
EXHIBIT i Agreement• •
City of El Segundo
City of El Segundo
350 Main Street
El Segundo, CA 90245
United States

Margaret Liu
Senior Project Manager,
Consultant
mliu@elsegundo.org

Reference: 20211220-135819931
Quote created: December 20, 2021
Quote expires: March 31, 2022
Quote created by: Hunter Dant
hunter@waitwhile.com
Products & Services
Item & Description Quantity Unit Price Total
Enterprise - Annual 1 $5,034.00 $5,034.00
- 12,000 Annual Visits
for 1 year
- Average of 3 SMS per Visit
- 1 Location
Subtotals
One-time subtotal $5,034.00
Total $5,034.00
Purchase Terms
Terms of Use
Questions? Contact me
Hunter Dant
hunter@waitwhile.com
Waitwhile, Inc
548 Market St, Suite 45862
San Francisco, CA 94104
Waitwhile
548 Market St
Suite 45862
San Francisco, CA 94104
Waitwhile Queue Management Enterprise Agreement
This Waitwhile Queue Management Enterprise Agreement (this "Agreement"), effective as of
23rd of February 2022, is by and between Waitwhile, Inc., a Delaware corporation with offices
located at 1407 Funston Ave., San Francisco, CA 94122 ("Provider"), and CITY OF EL
SEGUNDO, a municipal corporation (City) with offices located at 350 Main Street, El Segundo,
CA 90245 ("Customer"). Provider and Customer may be referred to herein collectively as the
"Parties" or individually as a "Party."
WHEREAS, Customer desires to access the Services, and Provider desires to provide Customer
access to the Services, subject to the terms and conditions of this Agreement.
NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth
herein, and for other good and valuable consideration, the receipt and sufficiency of which are
hereby acknowledged, the Parties agree as follows:
1. Definitions. Capitalized terms not defined elsewhere in this Agreement have the
meanings given below.
(a) "Aggregated Statistics" means data and information related to Customer's use of the
Services and Customer Data that is used by Provider in an aggregate and/or anonymized manner,
including to compile statistical and performance information related to the provision and
operation of the Services.
(b) "Authorized User" means (i) Customer's employees (a) who are authorized by
Customer to access and use the Services under the rights granted to Customer pursuant to this
Agreement and (b) for whom access to the Services has been purchased hereunder; and (ii)
Guests.
(c) "Customer Data" means, other than Aggregated Statistics, information, data, and other
content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on
behalf of Customer or an Authorized User through the Services.
(d) "Documentation" means Provider's technical user manuals and guides relating to the
Services made available by Provider electronically or through the Site. Documentation does not
include general description, marketing, and similar materials.
(e) "Guest" means users of the Site and/or Mobile App, who are customers or prospective
customers of Customer, who engage to use the Services to enter a queue for access to or
receiving Customer's products or services and receiving related notifications specific to their
position in line or estimated wait.
(f) "Losses" means any and all losses, damages, deficiencies, claims, actions, judgments,
settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including
reasonable attorneys' fees and the costs of enforcing any right to indemnification hereunder and
the cost of pursuing any insurance providers.
(g) "Provider IP" means the Services, the Documentation, and any and all intellectual
property provided to Customer or any Authorized User in connection with the foregoing. For the
avoidance of doubt, Provider IP includes Aggregated Statistics and any information, data, or
other content derived from Provider's monitoring of Customer's access to or use of the Services,
but does not include Customer Data.
(h) "Services" means the Waitwhile waitlist management platform for management of Guest
volume, line position, capacity, and related notifications as further described on
(the "Site"), in this Agreement, and/or in the Documentation, including
the Site and/or mobile applications through which the Services may be used in accordance with
the Agreement (the "Mobile App") and all other components of the waitlist management
platform, in addition to any future release, update, or other addition to the foregoing.
(i) "Third-Party Products" means any third-party products, software, data, or other
2. Access and Use.
(a) Provision of Access. Subject to and conditioned on Customer's payment of Fees and
Customer's and Authorized Users' compliance with all other terms and conditions of this
Agreement, Provider hereby grants Customer a limited, personal, non-exclusive,
non-transferable (except in compliance with Section 12(h)), non-sublicensable right to access and use
the Services and Documentation during the Term for Authorized Users to manage and
communicate with Guests about wait time through the Service in accordance with the terms and
conditions of this Agreement.
(b) Use Restrictions. Customer shall not use the Services for any purposes beyond the scope
of the access granted in this Agreement. Without limiting the foregoing, Customer shall not at
any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify,
or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease,
lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available
the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or
otherwise attempt to derive or gain access to any software component of the Services, in whole
or in part; (iv) remove any copyright or other proprietary notices from the Services or
Documentation; (v) use the Services or Documentation in any manner or for any purpose that
infringes, misappropriates, or otherwise violates any intellectual property right or other right of
any person, or that violates any applicable law; (vi) remove, circumvent, disable, damage or
otherwise interfere with security-related features of the Services, features that prevent or restrict
use or copying of any content accessible through the Services, or features that enforce limitations
on use of the Services; (vii) input, upload, transmit, or otherwise provide to or through the
Services or provider systems, any information or materials that are unlawful or injurious, or
contain, transmit, or activate any virus, worm, malware, or other malicious computer code; (viii)
access or use the Services or Provider IP for purposes of competitive analysis of the Services or
Provider IP, the development, provision, or use of a competing software service or product or
any other purpose that is to the Provider's detriment or commercial disadvantage; (ix) access or
use the Services or Provider IP in, or in association with, the design, construction, maintenance,
or operation of any hazardous environments, systems, or applications, any safety response
systems or other safety-critical applications, or any other use or application in which the use or
failure of the Services could lead to personal injury or severe physical or property damage; (x)
use the Services to market or advertise to, or otherwise communicate with Guests after the
purpose for which the Guest provided consent to be contacted is fulfilled (e.g., after the Guest is
removed from the queue); or (xi) use the Services to contact or communicate with any Guest
without receiving consent required by applicable law, or otherwise use the Services except
in strict compliance with applicable law, rules, regulations, and guidelines.
(c) Provider reserves all rights not expressly granted to Customer in
this Agreement. Except for the limited rights and licenses expressly granted under this
Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or Customer or any
third party any intellectual property rights or other right, title, or interest in or to
(d) Provider reserves the right, at any time, to modify
features and functionalities of the Services and Support without notice to or prior approval from
Customer, provided that such modification does not materially diminish the overall Services.
(e) Customer has and will retain sole responsibility
for: (i) all Customer Data, including its content and use; (ii) all information, instructions, and
materials provided by or on behalf of Customer or any Authorized User in connection with the
Services; (iii) Customer's information technology infrastructure, including computers, software,
databases, electronic systems (including database management systems), and networks, whether
operated directly by Customer or through the use of third-party services ("Customer Systems");
(iv) the security and use of Customer's and its Authorized Users' access credentials; and (v) all
access to and use of the Services directly or indirectly by or through the Customer Systems or its
or its Authorized Users' access credentials, with or without Customer's knowledge or consent,
including all results obtained from, and all conclusions, decisions, and actions based on, such
access or use.
(f) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may
temporarily suspend Customer's and any Authorized User's access to any portion or all of the
Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the
Provider IP; (B) Customer's or any Authorized User's use of the Provider IP disrupts or poses a
security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or
any Authorized User, is using the Provider IP for fraudulent or illegal activities; or (D)
Provider's provision of the Services to Customer or any Authorized User is prohibited by
applicable law; or (ii) any vendor of Provider has suspended or terminated Provider's access to
or use of any third-party services or products required to enable Customer to access the Services
(any such suspension described in subclause (i) or (ii), a "Service Suspension"). Provider
will have no liability for nsuresult of a Service Suspension.
(g) Notwithstanding anything to the contrary in this Agreement,
Provider may monitor Customer's use of the Services and collect and compile Aggregated
Statistics. As between Provider and Customer, all right, title, and interest in Aggregated
Statistics, and all intellectual property rights therein, belong to and are retained solely by
Provider. Customer agrees that Provider may use Statistics to the extent and in the
manner not prohibited under applicable law provided that such Aggregated Statistics do not
identify Customer or Customer's Confidential Information.
3. Customer Responsibilities.
(a) Customer is responsible and liable for all uses of the Services and
Documentation resulting from access provided by Customer, directly or indirectly, whether such
access or use is permitted by or in violation of this Agreement. Without limiting the generality of
the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any
act or omission by an Authorized User that would constitute a breach of this Agreement if taken
by Customer will be deemed a breach of this Agreement by Customer. Customer shall use
reasonable efforts to make all Authorized Users aware of this Agreement's provisions as
applicable to such Authorized User's use of the Services, and shall cause Authorized Users to
comply with such provisions. Customer acknowledges and agrees that each Authorized User
agrees to, must comply with, and is bound by the Terms of Use as may be updated from time to
time, located at
(b) Provider may from time to time make Third-Party Products
available to Customer. For purposes of this Agreement, such Third-Party Products are subject to
their own terms and conditions and the applicable flow-through provisions. If Customer does not
agree to abide by the applicable terms for any such Third-Party Products, then Customer should
not install or use such Third-Party Products.
4. Subject to the terms and conditions of this Agreement, if purchased under
provide support during the Term in accordance with Exhibit B.
(a) Fees. Provider shall invoice Customer via email. Customer shall pay Provider the
invoiced fees ("Fees") as set forth in Provider's current pricing and/or as agreed upon in
Exhibit A without offset or deduction. Customer shall make all payments hereunder in US
dollars on or before the due date set forth in Exhibit A. Customer shall make all payments via
Automated Clearing House transaction, electronic funds transfer, or credit card using Stripe or
such other payment processor as Provider may select from time to time. If Customer fails to
make any payment when due, without limiting Provider's other rights and remedies: (i) Provider
may charge interest on the past due amount at the rate of 1.5% per month calculated daily and
compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer
shall reimburse Provider for all reasonable costs incurred by Provider in collecting any late
payments or interest, including attorneys' fees, court costs, and collection agency fees.
(b) Taxes. All Fees and other amounts payable by Customer under this Agreement are
exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise
taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state,
or local governmental or regulatory authority on any amounts payable by Customer hereunder,
other than any taxes imposed on Provider's income.
(c) Fee Increases. Provider may increase Fees for any Renewal Term by providing written
notice to Customer at least thirty (30) calendar days prior to the beginning of the Renewal Term,
(d) Additional Features. Provider may add new features and/or functionalities to the
Services for additional fees and charges at any time in its sole discretion. Any associated change
to pricing will become effective in the billing cycle following implementation of such changes.
(a) From time to time during the Term, either Party may disclose or make available to the
other Party information about its business affairs, products, confidential intellectual property,
trade secrets, third-party confidential information, and other sensitive or proprietary information,
whether orally or in written, electronic, or other form or media/in written or electronic form or
media, whether or not marked, designated, or otherwise identified as "confidential" (collectively,
"Confidential Information"). Confidential Information does not include information that, at
the time of disclosure is: (i) in the public domain; (ii) known to the receiving Party at the time of
disclosure; (iii) rightfully obtained by the receiving Party on a non-confidential basis from a third
party; or (iv) independently developed by the receiving Party.
(b) The receiving Party shall treat the Confidential Information as it does its own
valuable and sensitive information of a similar nature and, in any event, with not less than a
reasonable degree of care. The receiving Party shall not disclose the disclosing Party's
Confidential Information to any person or entity, except to the receiving Party's employees who
have a need to know the Confidential Information for the receiving Party to exercise its rights or
perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose
Confidential Information to the limited extent required (i) in order to comply with the order of a
court or other governmental body, or as otherwise necessary to comply with applicable law,
provided that the Party making the disclosure pursuant to the order shall first have given written
notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to
establish a Party's rights under this Agreement, including to make required court filings.
(c) On the expiration or termination of the Agreement, the receiving Party shall promptly
return to the disclosing Party all copies, whether in written, electronic, or other form or media, of
the disclosing Party's Confidential Information, or destroy all such copies and certify in writing
to the disclosing Party that such Confidential Information has been destroyed. Each Party's
obligations of non-disclosure with regard to Confidential Information are effective as of the
Effective Date and will expire five years from the date first disclosed to the receiving Party;
provided, however, with respect to any Confidential Information that constitutes a trade secret
(as determined under applicable law), such obligations of non-disclosure will survive the
termination or expiration of this Agreement for as long as such Confidential Information remains
subject to trade secret protection under applicable law.
(d) Provider's Privacy Policy located at https://waitwhile.com/privacy/, as may be updated
from time to time ("Privacy Policy") explains how Provider collects, uses, and discloses Guest
information. By licensing, accessing, or using the Service, as applicable, Customer and all
Guests agree to the terms and conditions of the Privacy Policy.
(e) To the extent that Provider processes any Guest Personal Information in connection with
the Services as a Processor on behalf of the Customer as Controller of such Personal Information
(as those terms are defined by the EU General Data Protection Regulation (2016/679)
("GDPR")), such processing shall be governed by the Waitwhile Data Processing Agreement,
which is hereby incorporated herein by reference.
(f) If Customer is a Covered Entity or a Business Associate and Guest information may
include Protected Health Information, Customer shall not request or require that any Guest
provide Protected Health Information through or in connection with the Services unless
Customer and Provider have previously entered into a Business Associate Agreement (as this
and the preceding terms are defined in the Health Insurance Portability and Accountability Act of
1996 (HIPAA) and its implementing regulations and the Health Information Technology for
Economic and Clinical Health Act (HITECH) and its implementing regulations).
(g) Provider shall use commercially reasonable efforts to provide the Services in accordance
with its security policies as may be updated from time to time, available at
[illegible] ("Security Policy"). Notwithstanding any provision to the
contrary, Provider may modify its Security Policy at its discretion provided that such
modification does not result in a material degradation of the protections provided thereunder.
(a) Provider IP. Customer acknowledges that, as between Customer and Provider, Provider
owns all right, title, and interest, including all intellectual property rights, in and to the Provider
IP and, with respect to Third-Party Products, the applicable third-party providers own all right,
title, and interest, including all intellectual property rights, in and to the Third-Party Products.
(b) Data. Provider acknowledges that, as between Provider and Customer,
Customer is solely responsible and liable for and owns all right, title, and interest, including all
intellectual property rights, in and to the Customer Data. Customer hereby grants to Provider a
non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and
display the Customer Data and perform all acts with respect to the Customer Data as may be
necessary for Provider to provide the Services to Customer. The Services do not replace the
need for Customer to maintain regular data backups or redundant data archives. Provider has no
obligation or liability for any loss, alteration, destruction, damage, corruption, or recovery of
Customer Data.
(c) Feedback. If Customer or any of its employees or contractors sends or transmits any
communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or
recommending changes to the Provider IP, including without limitation, new
functionality relating thereto, or any comments, questions, suggestions, or the like ("Feedback"),
Provider is free to use such Feedback irrespective of any other obligation or limitation between
the Parties governing such Feedback. Customer hereby assigns to Provider on Customer's
behalf, and on behalf of its employees, contractors and/or agents, all right, title, and interest
in, and Provider is free to use, without any attribution or compensation to any party, any ideas,
know-how, concepts, techniques, or other intellectual property rights contained in the Feedback,
for any purpose whatsoever, although Provider is not required to use any Feedback.
Limited Warranty and Warranty Disclaimer.
(a) Each party represents and warrants to the other party that (i) it is duly organized, validly
existing, and in good standing as a corporation or other entity under the laws of the jurisdiction
of its incorporation or other organization; and (ii) it has the full right, power, and authority to
enter into and perform its obligations and grant the rights, licenses, consents, and authorizations
it grants or is required to grant under this Agreement.
(b) Provider warrants that the Services will substantially conform in all material respects to
the Documentation when operated and used as recommended in the Documentation and in
accordance with this Agreement. Customer's sole and exclusive remedy for any breach of the
limited warranty set forth herein shall be to notify Provider of the specific non-conformity, in
which case, Provider shall use commercially reasonable efforts to correct such non-conformity
and make the corrected Services available to Customer. Notwithstanding any provisions to the
contrary in this Agreement, the limited warranty set forth herein does not apply to issues arising
out of or relating to Customer's or any third party's negligence, abuse, misapplication, or misuse
of the Services, including any use of the Services other than as specified in the Documentation.
THE FOREGOING WARRANTY DOES NOT APPLY, AND PROVIDER STRICTLY
DISCLAIMS ALL WARRANTIES, WITH RESPECT TO ANY THIRD-PARTY PRODUCTS.
(c) Customer represents, warrants, and covenants to Provider that: (i) Customer's use of the Services
shall comply with all applicable laws, rules, regulations, ordinances, and governmental guidance;
and (ii) Customer owns or otherwise has and will have the necessary rights and consents in and
relating to the Customer Data so that, as received by Provider and processed in accordance with
this Agreement, the Customer Data does not and will not infringe, misappropriate, or otherwise
violate any intellectual property rights or any privacy or other rights of any third party or violate
any applicable law.
ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR
OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND
NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING,
USAGE, OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTIES SET
FORTH IN SECTIONS 8(a) AND 8(b), PROVIDER MAKES NO WARRANTY OF ANY
KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE
THEREOF, WILL MEET CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS,
OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE
COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, BE
SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE, OR
COMPLY WITH ANY PARTICULAR LAW, RULE, OR REGULATION.
(e) WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, (I) ALTHOUGH
THE SERVICES MAY ESTIMATE AN APPROXIMATE WAIT TIME, PROVIDER MAKES
NO GUARANTEES AND EXPRESSLY DISCLAIMS ALL WARRANTIES CONCERNING
SUCH WAIT TIMES, (II) PROVIDER MAKES NO REPRESENTATIONS OR
WARRANTIES, AND CUSTOMER IS SOLELY RESPONSIBLE FOR, ALL
NOTIFICATIONS TO AND COMMUNICATIONS WITH GUESTS, INCLUDING,
WITHOUT LIMITATION, THE SUBSTANCE OF ALL SUCH COMMUNICATIONS AND
OBTAINING ALL CONSENT NECESSARY OR RECOMMENDED BEFORE SENDING
SUCH COMMUNICATIONS AND NOTIFICATIONS, AND (III) CUSTOMER IS SOLELY
RESPONSIBLE FOR ENSURING THAT ITS USE OF THE SERVICES COMPLY WITH
APPLICABLE LAWS, RULES, REGULATIONS, AND GUIDANCE, INCLUDING,
WITHOUT LIMITATION, THE TELEPHONE CONSUMER PROTECTION ACT AND
REGULATIONS AND GUIDANCE ISSUED THEREUNDER. ANY TEMPLATES,
POLICIES, OR OTHER MATERIALS PROVIDER MAY PROVIDE THROUGH THE
SERVICES OR OTHERWISE ARE PROVIDED "AS IS" AND IN NO WAY REDUCE,
DIMINISH, OR OTHERWISE LIMIT CUSTOMER'S RESPONSIBILITY TO ENSURE ITS
USE OF THE SERVICES COMPLIES WITH APPLICABLE LAWS, RULES,
REGULATIONS, AND GUIDANCES. CUSTOMER'S COMMUNICATIONS WITH
GUESTS ARE AT CUSTOMER'S OWN RISK AND CUSTOMER ACKNOWLEDGES AND
AGREES THAT IT ASSUMES ALL RESPONSIBILITY THEREFOR.
9. Indemnification.
Provider
(a) (i) Provider shall indemnify, defend, and hold harmless Customer from and against any
Losses resulting from any third party claim alleging that the Services infringe any United States
patent, copyright, trademark, or service mark, or misappropriates any United States trade secret,
and resulting losses, damages, liabilities, costs, and expenses, including, without limitation,
reasonable attorneys' fees. If the Services, or any part thereof, is, or in Provider's opinion is
likely to be, claimed to infringe, misappropriate, or otherwise violate any third party intellectual
property right, or if Customer's use of the Services is enjoined or threatened to be enjoined,
Provider may, at its option and sole cost and expense: (A) obtain the right for Customer to
continue to use the Services materially as contemplated by this Agreement; (B) modify or replace
the Services, in whole or in part, to make the Services non-infringing; or (C) terminate this
Agreement, in its entirety or with respect to the affected part or feature of the Services, effective
immediately on written notice to Customer, in which case, Provider shall promptly refund to
Customer, on a pro rata basis, the share of any license fees prepaid by Customer for the future
portion of the Term that would have remained but for such termination.
(ii) Section 9(a)(i) does not apply, and Provider has no obligation hereunder, if any alleged
infringement or misappropriation is caused by or related to (a) combination, operation, or use of
the Services in or with any technology, materials, service, information, data, or anything not
provided by Provider; (b) modification of the Services other than by Provider; (c) use of the
Services after Provider's notice to Customer of alleged, potential, or actual infringement,
misappropriation, or other violation of a third party's rights; (d) negligence, abuse,
misapplication, or misuse of the Services or Documentation by or on behalf of Customer or a
third party; (e) use of the Services or Documentation by or on behalf of Customer that is outside
the purpose, scope, or manner of use authorized by this Agreement; (f) claims for which
Customer is obligated to indemnify Provider; (g) Customer's instructions or specifications; (h)
Customer Data; or (i) Third-Party Products.
(b) Customer Indemnification. Customer shall indemnify, hold harmless, and defend
Provider from and against any Losses resulting from any third-party claim related to (i)
Customer Data, (ii) notifications to Guests and communications between Guests and Customer in
connection with the Services, (iii) Customer's failure to comply with applicable laws, rules,
regulations, and guidance, (iv) claims by Guests against Provider related to Customer's use of
the Services, and (v) any use of the Services within the scope of the exclusions from Provider
indemnification set forth in Sections 9(a)(6).
(c) Indemnification Procedures. The following shall apply with respect to all
indemnification obligations under this Section 9: (i) the indemnified Party shall provide the
indemnifying Party with prompt written notice of any claim; (ii) the indemnified Party shall
permit the indemnifying Party to assume and control the defense of any action; and (iii) the
indemnifying Party shall not enter into any settlement or compromise of any claim without the
indemnified Party's prior written consent, unless such settlement includes no liability or
admission of fault whatsoever on the part of the indemnified Party or its affiliates or agents. In
addition, the indemnified Party may, at its own expense, participate in the defense or settlement
of any claim.
(d) Sole Remedy. THIS SECTION 9 SETS FORTH CUSTOMER'S SOLE REMEDIES AND
PROVIDER'S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED,
OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR
OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD
PARTY.
10. Limitations of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY
IN THIS AGREEMENT, (A) THE MAXIMUM LIABILITY OF PROVIDER, ITS
AFFILIATES, AND SUPPLIERS, FOR ANY DAMAGES FOR ANY AND ALL CAUSES
WHATSOEVER, SHALL BE LIMITED TO THE FEES PAID TO PROVIDER DURING THE
6 MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM THAT GAVE RISE TO
SUCH DAMAGES, AND (B) IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE
OTHER PARTY (OR ANY PARTY CLAIMING THROUGH THE OTHER PARTY) FOR (I)
LOST PROFITS, LOSS OF GOODWILL OR REPUTATION, LOST REVENUES, LOST
SAVINGS, LOST, CORRUPTED, OR DAMAGED DATA OR EQUIPMENT, COST OF
COVER, LOSS OF BUSINESS OPPORTUNITY, OR (II) FOR ANY INDIRECT,
INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR LIKE
DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE
PROVIDER IP, SERVICES, OR DOCUMENTATION PROVIDED HEREUNDER. THE
DISCLAIMERS AND LIMITATIONS OF LIABILITY SET FORTH ABOVE SHALL APPLY
REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT OR
OTHERWISE, UNDER ANY THEORY OF LIABILITY (INCLUDING NEGLIGENCE,
PRODUCT LIABILITY OR ANY OTHER LEGAL OR EQUITABLE THEORY). THE
FOREGOING LIMITATIONS SHALL APPLY TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, IN EACH CASE REGARDLESS OF WHETHER THE
PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR
SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE, AND
NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS
ESSENTIAL PURPOSE.
11. Term and Termination.
(a) Term. The initial term of this Agreement begins on the Effective Date and, unless
terminated earlier pursuant to this Agreement's express provisions, will continue in effect until
one (1) year(s) from such date (the "Initial Term"). This Agreement will automatically renew
for additional successive one (1) year terms unless earlier terminated pursuant to this
Agreement's express provisions or either Party gives the other Party written notice of
non-renewal at least ninety (90) days prior to the expiration of the then-current term (each a
"Renewal Term" and together with the Initial Term, the "Term").
(b) Termination. In addition to any other express termination right set forth in this
Agreement:
(i) Provider may terminate this Agreement, effective on written notice to Customer, if
Customer: (a) fails to pay any amount when due hereunder; or (b) breaches any of its obligations
under Sections 2(a), (b), or (c) or 6;
(ii) either Party may terminate this Agreement, effective on written notice to the other Party,
if the other Party materially breaches this Agreement, and such breach: (a) is incapable of cure;
or (b) being capable of cure, remains uncured thirty (30) days after the non-breaching Party
provides the breaching Party with written notice of such breach; or
(iii) either Party may terminate this Agreement, effective immediately upon written notice to
the other Party, if the other Party: (a) becomes insolvent or is generally unable to pay, or fails to
pay, its debts as they become due; (b) files or has filed against it, a petition for voluntary or
involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any
proceeding under any domestic or foreign bankruptcy or insolvency law; (c) makes or seeks to
make a general assignment for the benefit of its creditors, or (d) applies for or has appointed a
receiver, trustee, custodian, or similar agent appointed by order of any court of competent
jurisdiction to take charge of or sell any material portion of its property or business.
(c) Effect of Expiration or Termination. Upon expiration or earlier termination of this
Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting
Customer's obligations under Section 6, Customer shall delete, destroy, or return all copies of
the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or
destroyed. No expiration or termination will affect Customer's obligation to pay all Fees that
may have become due before such expiration or termination or entitle Customer to any refund.
(d) Survival. In the event of any termination or expiration of this Agreement for any reason,
all provisions of this Agreement whose meaning requires them to survive shall survive the
expiration or termination of this Agreement.
12. Miscellaneous.
(a) Relationship of the Parties. The relationship between the parties is that of independent
contractors. Nothing contained in this Agreement shall be construed as creating any agency,
partnership, joint venture, or other form of joint enterprise, employment, or fiduciary relationship
between the parties, and neither party shall have authority to contract for or bind the other party
in any manner whatsoever.
(b) Entire Agreement. This Agreement, together with any other documents incorporated
herein by reference and all related Exhibits, constitutes the sole and entire agreement of the
Parties with respect to the subject matter of this Agreement and supersedes all prior and
contemporaneous understandings, agreements, and representations and warranties, both written
and oral, with respect to such subject matter. In the event of any inconsistency between the
statements made in the body of this Agreement, the related Exhibits, and any other documents
incorporated herein by reference, the following order of precedence governs: (i) first, this
Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective
Date; and (iii) third, any other documents incorporated herein by reference.
(c) Notices. All notices, requests, consents, claims, demands, waivers, and other
communications hereunder (each, a "Notice") must be in writing and addressed to the Parties at
the addresses set forth on the first page of this Agreement (or to such other address that may be
designated by the Party giving Notice from time to time in accordance with this Section). All
Notices must be delivered by personal delivery, nationally recognized overnight courier (with
all fees pre-paid), or email (with confirmation of transmission), or certified or registered mail
(in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this
Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party
giving the Notice has complied with the requirements of this Section.
(d) Subcontractors. Provider may from time to time in its discretion engage third parties to
perform Services (each, a "Subcontractor").
(e) Insurance. Provider maintains and, upon Customer's request, shall provide a certificate
of insurance evidencing the following insurance coverage: (i) Workers' Compensation and
Employers' Liability Coverage in amounts and in form in accordance with all statutory
requirements applicable to Provider; (ii) Commercial General Liability Insurance with a limit of
$1,000,000 per occurrence and $2,000,000 in the aggregate; (iii) Umbrella Liability Insurance
with a limit of $4,000,000 per occurrence and $4,000,000 in the aggregate; and (iv) Cyber
Liability, Errors and Omissions, Media Liability, and Privacy Insurance combined coverage with
$5,000,000 per occurrence and $5,000,000 in the aggregate. Provider reserves the right to
modify such insurance coverage and limits at its sole discretion.
(f) Force Majeure. In no event shall Provider be liable, or be deemed to have breached this
Agreement, for any failure or delay in performing its obligations under this Agreement, if and to
the extent such failure or delay is caused by any circumstances beyond Provider's reasonable
control, including but not limited to acts of God, flood, fire, earthquake, explosion, war,
terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other
industrial disturbances, or passage of law or any action taken by a governmental or public
authority, including imposing an embargo.
(g) Amendment and Modification; Waiver. No amendment to or modification of this
Agreement is effective unless it is in writing and signed by an authorized representative of each
Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly
set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this
Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or
privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii)
no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude
any other or further exercise thereof or the exercise of any other right, remedy, power, or
(h) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in
any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or
provision of this Agreement or invalidate or render unenforceable such term or provision in any
other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or
unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect
their original intent as closely as possible in a mutually acceptable manner in order that the
transactions contemplated hereby be consummated as originally contemplated to the greatest
(i) This Agreement is governed by
and construed in accordance with the internal laws of the State of California without giving
effect to any choice or conflict of law provision or rule that would require or permit the
application of the laws of any jurisdiction other than those of the State of California. Any claim
or action by Customer in relation to an alleged breach of this Agreement shall be commenced
within one (1) year of the date of the breach, without regard to the date the breach was
discovered. Any claim or action not brought within such time period shall be irrevocably barred.
Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses
granted hereunder will be instituted exclusively in the federal courts of the United States or the
courts of the State of California in each case located in the city of San Francisco and County of
San Francisco, and each Party irrevocably submits to the exclusive jurisdiction of such courts in
any such suit, action, or proceeding.
(j) Customer may not assign any of its rights or delegate any of its obligations
hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise,
without the prior written consent of Provider, which consent shall not be unreasonably withheld,
conditioned, or delayed. Any purported assignment or delegation in violation of this Section will
be null and void. No assignment or delegation will [...] Party
of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the
Parties and their respective permitted successors and assigns.
(k) Customer shall comply with all applicable federal laws, regulations,
and rules, and complete all required undertakings (including obtaining any necessary export
license or other governmental approval), that prohibit or restrict the export or re-export of the
Services or any Customer Data outside the US.
(l) US Government Rights. Each of the Documentation and the software components that
constitute the Services is a "commercial item" as that term is defined at 48 C.F.R. § 2.101,
consisting of "commercial computer software" and "commercial computer software
documentation" as such terms are used in 48 C.F.R. § 12.212. Accordingly, if Customer is an
agency of the US Government or any contractor therefor, Customer only receives those rights
with respect to the Services and Documentation as are granted to all other end users, in
accordance with (a) 48 C.F.R. § 227.7201 through 48 C.F.R. § 227.7204, with respect to the
Department of Defense and their contractors, or (b) 48 C.F.R. § 12.212, with respect to all other
US Government users and their contractors.
(m) Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach
by such Party of any of its obligations under Section 6 or, in the case of Customer, Sections 2 (a), (b), or
(c) would cause the other Party irreparable harm for which monetary damages would not be an
adequate remedy and agrees that, in the event of such breach or threatened breach, the other
Party will be entitled to equitable relief, including a restraining order, an injunction, specific
performance, and any other relief that may be available from any court, without any requirement
to post a bond or other security, or to prove actual damages or that monetary damages are not an
adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that
may be available at law, in equity, or otherwise.
(n) Counterparts. This Agreement may be executed in counterparts, each of which is deemed
an original, but all of which together are deemed to be one and the same agreement.
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the
Effective Date.
Waitwhile, Inc.
By:
Name:
Title:
City of El Segundo
By:
Name:
Title:
EXHIBIT A FITS
Capitalized terms used but not defined in this Exhibit A have the meaning given to those terms in
the Agreement.
1. Description of the Services
Waitwhile is a cloud-based Virtual Queue Management solution that is used to eliminate
physical lines, improve the waiting experience for customers and reduce wait times overall. End
users can configure what contact information to collect, how to manage a virtual queue of
customers and send text or email notifications. The system will also allow end users to use basic
UI to manage a self-serve experience for customers to enter themselves into a virtual queue. The
system provides basic store capacity counting with data to show how long wait times are.
Waitwhile will provide the following configurations, features, and functionality as part of the
Services licensed under the Agreement:
Enterprise Solution System
Waitwhile Configuration, features, and functionality (Enterprise)
Multiple locations: Create and manage many waitlists.
Message guests: Send SMS/Emails to guests.
Team notifications: Send SMS/Emails to team on guest updates.
Two-way messaging: Guests can reply back and you will see their response.
Schedule bookings: Book flexible appointments with guests...
Sync bookings in waitlist automatically: Move upcoming bookings into waitlist to reflect wait times.
Invite team and admins: Multiple logins with different permissions and access.
Set user permissions: Set if users can access all settings or just waitlist and bookings.
Customize design: Edit colors, buttons, text etc.
White-label design: Remove Waitwhile branding and edit HTML, fonts
Resource management: Assign staff and other resources to guests and set working hours.
Export guest data: Export detailed guest data and analytics to CSV or Excel.
Import guest data: Import guest data from a CSV directly to your waitlist.
API access: API for every account action. [illegible]/docs
Webhooks: Subscribe to Waitwhile events in your own services and apps.
Data anonymization: Purge your guest data from Waitwhile servers on schedule.
Daily Backup and Recovery: Recover waitlist if your team makes a mistake.
Data location control: Restrict data storage to US only.
Zapier integration: Connect Waitwhile with 2000+ services you already use & love.
Audit Logging: Detailed log of all activities in your account.
2. Fees
a. Scope of use included within Fees
[INSERT INCLUDED AUTHORIZED
USERS/LOCATIONS/GEOGRAPHY/COMPANIES/AUTHORIZED USERS/ETC]
b. Fee structure
Rollout Schedule:
Number of Authorized users: Unlimited
Fee Start Date: Effective Date
Number of Visitors: 12,000 annual visits
Number of participating locations: 1
Fees will be charged based on volume/locations, as per the following table and pulled from the
pricing schedule:
Waitwhile Pricing Schedule (as of Oct. 2021)
Tier I: 1 location in United States with up to 1,000 visits per month
Tiers II and higher: location and visit counts left blank
Setup Fee: Included
License fee: $500.00; 20%; 0.00%; $400.00; $4,100.00
SMS: [rate illegible] per text; 20%; 0.00%; $19.50; [amount illegible]
Support: Included
Total: [amounts illegible]
c. SMS fees
Waitwhile is integrated with Twilio & Bandwidth, both market-leading SMS messaging
vendors. Twilio & Bandwidth both charge Waitwhile for each SMS segment (i.e., approximately
160 characters, with some exceptions as detailed here).
Waitwhile has negotiated a discounted rate of 0.006 USD per SMS segment. This cost will be
absorbed by Waitwhile for North America but assumes a maximum average of 3 SMS texts per
visitor per month.
d. Additional Terms
Where a pricing increase applies, Provider will charge or invoice under the new price structure,
starting the immediately following billing period during the Term.
Billing Schedule: Customer will pay Fees pursuant to correct invoices generated in accordance
with this Agreement. Fees will be billed on a monthly basis in advance, unless Customer
requests quarterly billing, in which case fees will be billed on a quarterly basis in advance.
Payment method: Credit Card or ACH transfer via Stripe.
EXHIBIT B —SERVICE LEVEL AGREEMENT
This Service Level Agreement ("SLA") between Waitwhile, Inc. ("Waitwhile", "us" or "we")
and users of the Waitwhile Services ("you") governs the use of the Waitwhile Services under the
provisions of the Agreement. Unless otherwise provided herein, this SLA is subject to the
provisions of the Agreement.
1. Waitwhile Service Commitment: 99.9% Uptime
Waitwhile will use commercially reasonable efforts to make your Waitwhile Services available
with a Monthly Uptime Percentage of at least 99.9% during any monthly billing cycle (the
"Service Commitment"). Subject to the SLA Exclusions, if we do not meet the Service
Commitment, you will be eligible to receive a Service Credit. A Monthly Uptime Percentage of
99.9% means that we guarantee you will experience no more than 40 min/month of
Unavailability.
2. Definitions
"Maintenance" means scheduled Unavailability of the Waitwhile Services, as announced by us
prior to the Waitwhile Services becoming Unavailable.
"Monthly Uptime Percentage" is calculated by subtracting from 100% the percentage of
minutes during the month in which the Waitwhile Services were Unavailable. Monthly Uptime
Percentage measurements exclude downtime resulting directly or indirectly from any SLA
Exclusion.
"Service Credit" means a credit denominated in US dollars, calculated as set forth below, that
we may credit back to an eligible account.
"Unavailable" and "Unavailability" mean, for our service, when it is not running or not
reachable due to Waitwhile's fault.
3. Service Commitments and Service Credits
Service Credits are calculated as a percentage of the total charges due on your Waitwhile invoice
for the annual or monthly billing cycle in which the Unavailability occurred, applied
proportionally to the Services that were Unavailable, in accordance with the schedule below:
For Monthly Uptime Percentage less than 99.95% but equal to or greater than 99.0%, you will be
eligible for a Service Credit of 10% of the charges attributable to the affected resources.
For Monthly Uptime Percentage less than 99.0%, you will be eligible for a Service Credit of
30% of the charges attributable to the affected resources.
For example, if our service is Unavailable for 25 minutes, you would be eligible for a Service
Credit for 10% of the service charge for the month.
We will apply any Service Credits only against future payments for the Services otherwise due
from you. At our discretion, we may issue the Service Credit to the credit card you used to pay
for the billing cycle in which the Unavailability occurred. Service Credits will not entitle you to
any refund or other payment from Waitwhile. A Service Credit will be applicable and issued
only if the credit amount for the applicable monthly billing cycle is greater than one dollar ($1
USD). Service Credits may not be transferred or applied to any other account.
4. Sole Remedy
Unless otherwise provided in the Terms, your sole and exclusive remedy for any
unavailability, non-performance, or other failure by us to provide the Services is the receipt
of a Service Credit (if eligible) in accordance with the terms of this SLA.
To receive a Service Credit, you must submit a claim by emailing: hello@waitwhile.com. To be
eligible, the credit request must be received by us by the end of the second billing cycle after
which the incident occurred and must include:
• The words "SLA Credit Request" in the subject line;
• The dates and times of each Unavailability incident that you are claiming;
• The account handle(s); and
• Logs that document the errors and corroborate your claimed outage (any confidential or
sensitive information in these logs should be removed or replaced with asterisks).
If the Monthly Uptime Percentage of such request is confirmed by us and is less than the Service
Commitment, then we will issue the Service Credit to you within one billing cycle following the
month in which your request is confirmed by us. Your failure to provide the request and other
information as required above will disqualify you from receiving a Service Credit.
The Service Commitment does not apply to any Unavailability:
a. That results from a suspension or Remedial Action, as described in the Terms;
b. Caused by factors outside of our reasonable control, including any force majeure event,
Internet access, or problems beyond the demarcation point of the Waitwhile network;
c. That results from any actions or inactions of you or any third party;
d. That results from the equipment, software or other technology of you or any third party (other
than third party equipment within our direct control);
e. That results from failures of Waitwhile Services not attributable to Unavailability; or
f. That results from any Maintenance.
If availability is impacted by factors other than those used in our Monthly Uptime Percentage
calculation, then we may, but are not required to, issue a Service Credit considering such factors
at our sole discretion.
7. Service Management
Effective support of in-scope services is a result of maintaining consistent service levels. The
following sections provide relevant details on service availability, monitoring of in-scope
services and related components.
7.1. Service Availability
Coverage parameters specific to the service(s) covered in this Agreement are as follows:
• Telephone support: +1 888-983-0869
o 9:00 A.M.-5:00 P.M. EST Helpdesk Access
o Calls received out of office hours will be followed up during standard business hours (9:00
A.M. to 5:00 P.M. CST Monday — Friday).
• Chat support: Available inside application
o 24/7 Online Helpdesk Access
• Email support: support@waitwhile.com
o Monitored 9:00 A.M. to 5:00 P.M. CST Monday — Friday
o All emails will receive an acknowledgement of receipt within 10 minutes.
o Email response to issue within 1 business day. This email response is not a guarantee of a
resolution but rather constitutes, at minimum, a check-in regarding the status of a helpdesk
ticket.
In support of services outlined in this Agreement, Waitwhile will respond to service-related
incidents and/or requests submitted by the Customer within the following time frames:
• 0-8 hours (during business hours) for issues classified as Severity Level 1.
• Within 48 hours for issues classified as Severity Level 2.
• Within 5 working days or the next scheduled update for issues classified as Severity
Level 3.
All Errors reported by Customer to Waitwhile will be assigned a severity level. Reported
Errors will be classified as follows:
• Severity Level 1 - Severity Level 1 implies that the Application is not functioning or Customer
is unable to use major portions of the Application.
• Severity Level 2 - Severity Level 2 implies that the Application is running but that Customer is
unable to use major portions of the Application.
• Severity Level 3 - Severity Level 3 implies that the Application is operating close to normal,
but there is a noncritical Error. Severity Level 3 Errors will be fixed in the next scheduled
Update.
7.3. Response to Error Reports
Severity Level 1:
• Error Resolution - Immediate steps will be taken toward solving the Error. Waitwhile will
work to resolve Severity Level 1 Errors on a twenty-four (24) hour basis until the Error is
resolved. If required, Waitwhile staff will be moved off of lower Severity Level Errors to service
Severity Level 1 Errors.
• Resource Commitment - When a Severity Level 1 Error is reported, Waitwhile will assign all
resources required to correct the Error. Work on the Error will be continuous until a Fix is found.
If system access is required, Customer will provide a contact available to Waitwhile and access
to its system and software for the duration of the Error correction procedures.
• Completion Goal - The completion goal will be to resolve one hundred percent (100%) of all
Severity Level 1 Errors with a Fix or Bypass within eight (8) hours of receipt of the Error
Report.
• The Customer will be notified of the status of the Error.
Severity Level 2:
• Error Resolution - Severity Level 2 Errors will be analyzed in the order that they are
reported. Severity Level 1 Errors will take priority over Severity Level 2 Errors.
• Resource Commitment - Appropriate technical resources will be assigned to Severity Level 2
issues as long as Severity Level 1 Errors are not open.
• Completion Goal - The completion goal will be to resolve one hundred percent (100%) of all
Severity Level 2 Errors within forty-eight (48) hours of receipt of the Error Report.
• The Customer will be notified of the status of the Error.
Severity Level 3:
• Error Resolution - Severity Level 3 errors will be researched after Severity Level 1 and
Severity Level 2 Errors. The majority of the Severity Level 3 Errors will be scheduled for
correction and be resolved as part of the next scheduled Update to all of Waitwhile's users of the
Application generally.
• Resource Commitment - Severity Level 3 Fixes will be included in the next scheduled Update.
• Completion Goal - The completion goal and objective will be to correct Errors in the next
scheduled Update to all of Waitwhile's users of the Application generally.