Loading...
CONTRACT 6362A Amendment CLOSEDAgreement No. 6362A R1,1­211,6"'Pi i JI I ill� Client Information Company Name City of El Segundo, CA Address 350 Main St City ElSegundo State California ZIP 90245-3813 Technical Contact Name Jose Calderon Title IT Director Phone 31D.524.2392 Email jcalderon@elsegundo.org Billing Contact Name Jose Calderon Title IT Director Phone 310.524.2392 Email jcalderon@elsegundo.org Address 350 Main St City ElSegundo State California Zip 90245-3813 Quote Date 27-Feb-2023 Quote Expiration 16-Jun-2023 Start Date 17-Jun-2023 Renewal Date 17-Jun-2024 Sales Executive Shelby Phelan Billing Frequency Annual Services and Fees Unit Price Quantity contract Commitment Professional Archlve 1 Platform - Professional Archive - SMG $ 618.00 1 $ 618.00 Capture & Archive - Professional Archive $ 64.32 125 $ 8,040.00 Premium Adj - Professional Archive $ 28.00 100 $ 2,800.00 Smarsh Support 1 Professional Support - Basic 1 Smarsh University 1 Smarsh U - SMB - Full Access $ 995.00 1 $ 995.00 Recurring Subtotal $12,453.00 One -Time Subtotal $ 0.00 If Client uses more Connections than it has licensed, Smarsh will bill monthly for that use at $5.36 per connection plus $2.33 for each Notes premium Connection. US:+1(866)762-7741 UK:+44(0)800-048-8612 www.smarsh.com Agreement No. 6362A Purchase Order Information Client to Complete: Is a Purchase Order (PO) required for the purchase of the Services on this Order Form? ( I No ( ) Yes — Please complete below PO Number: PO Amount: Upon signature by Client and submission to Smarsh, this Order Form shall become legally binding unless Smarsh rejects this Order Form for any of the following reasons: (i) changes have been made to this Order Form (other than completion of the purchase order information and the signature block); or (ii) the requested purchase order information or signature is incomplete; or (ill) the signatory does not have authority to bind Client to this Order Form. Client authorized signature By: Title: Approved as to Form: ,y fi Joalquin Vazquez, Assistant City Attorney Attestai�iv "racy City Clerk Hank Lu, Risk Manager US:+1(866)762-7741 UK:+44(0)800-048-8612 www.smarsh.com A Agreement No. 6362A r Terms & Conditions On a date following the execution of this Order Form, Smarsh will provide Client with a license key for the Software or with login credentials to the applicable Service ("Activation Date"). Service Descriptions are available at www.sm rsh coni le al. The Services are subject to Smarsh Service Agreement -General Terms available at wily w.smarsh.cocra/Neeal/ServiceAgrreement,. The Services purchased by Client are also subject to the Information Security Addendum available at and the following Service Specific Terms: the Professional Archive Service Specific Terms available at https://www.smarsh.comAegal/SSTProressionalCloud; the following Premium Channels Service Specific Terms, as applicable: Mobile Channels Service Specific Terms available at htips//www.smarsh.coMagal/SSTMobileChannels, and Twitter Service Specific Terms available at htips:/Iwww.smarsh.comAegal/SSTTvdller. the applicable Professional Archive Onboarding package features described in more delall at https:l/www.smarsh.comAegal/OnboardingServices-ProArchive The Smarsh Service Agreement — General Terms, the Information Security Addendum, the Service Specific Terms, and this Order Form are, collectively, the "Agreement" The Initial Term of the Services shall begin on the date this Order Form is executed and continue for the Subscription Term specified above, unless Client is adding the above Services to an existing Service account, in which case, the above Services will sync to and co -terminate with Client's existing subscription Term. The Services will be subject to renewals as specified in the Agreement. For AT&T Mobility subscribers, your signature below represents your acceptance of the AT&T Wireless Terms and Conditions available at %vwva.s irsh,cornZleeal/ATT as they apply to AT&T messages that are archived by Smarsh. "Archive Fees" are the Fees charged for access to the Connected Archive (i.e., Professional Archive or Enterprise Archive). "Capture & Archive Fees" are the Fees that are charged for capture and archive of a bundle of Connections within the Professional Archive. "Capture Fees" are the per-Connectlon Fees that are charged for the capture of Connections by Connected Capture (i.e., Cloud Capture or Capture Server). "Premium Adj. Fees" are the additional Fees that are charged for capture of Connections from premium Channels. "Set-up Fees" are the one-time Fees that are charged to implement a Service. "Professional Services Fees" are the Fees charged for hourly, monthly, or flat rate professional services. The Platform Fees, the Capture & Archive Fees, the Capture Fees, and the Premium Adj. Fees, as applicable, are invoiced on an annual, up -front basis or a monthly basis in arrears, as specified on page 1 of this Order Form. Client agrees that the Recurring Subtotal above is Client's minimum commitment during each year or month, as applicable, of the Term. Smarsh will invoice Client for any usage over the minimum quantities at the applicable rate indicated in this Order Form. If not priced above, data import, conversion (if applicable), and storage Fees for Client's historical data and storage Fees for data from Connected Capture or other external capture mechanisms ingested into the Professional Archive are as follows: Data Imports - One-time $10/GB Import Data Conversion fees $3/GB Data Storage — Annual $2.50/GB Information about Smarsh data privacy compliance is available at v yw.sinarsh.cam US: +1 (866) 762-7741 UK: +44 (0) 800-048-8612 www.smarsh.com Page 2 of 5 Agreement No. 6362A smarsh EXHIBIT A Amendment to the Smarsh Service Agreement —General Terms This first amendment ("Amendment") to the Smarsh Service Agreement - General Terms amends the Agreement between Smarsh Inc. and City of El Segundo, CA. This Amendment is effective on the date the Client signs the Order Form, to which this Amendment is attached as Exhibit A. The parties agree: 1) Replace Section 4.3 in its entirety, as follows: As between Client and Smarsh, Client is solely responsible for the content of Client Data. Client represents and warrants that (a) Client Data will not (i) infringe any third party right, including third party rights In patent, trademark, copyright, or trade secret, or (ii) constitute a breach of any other right of a third party, including any right that may exist under contract or tort theories; (b) Client will comply with all applicable local, state, national, or foreign laws, rules, regulations, or treaties in connection with Client's use of the Services, including those related to data privacy, data protection, communications, SPAM, or the transmission, recording, or storage of technical data, personal data, or sensitive information; and (c) Client will comply with the Acceptable Use Policy available at www,smarsh.com/lIegaIJAU . Smarsh may update the Acceptable Use Policy from time to time. 2) Replace Section 6.1 in its entirety, as follows: Term. The Agreement will begin an the Effective Date and will remain in effect for the term specified in the Order Form or, if no term is specified, 12 months ("Initial Term"). The Initial Term may be renewed by Client for additional, successive 12- month terms (each a "Renewal Term") upon the execution of a Renewal Order Form. The Initial Term plus any Renewal Term are, collectively, the "Term." Any Order Form executed after the Effective Date will co -terminate with Client's then -current Term. 3) Replace Section 6.2 in its entirety, as follows: Termination for Breach. Either party may terminate this Agreement if the other party materially breaches its obligations under this Agreement and such breach remains uncured for a period of 30 days following the non -breaching party's written notice thereof. Smarsh may suspend Client's access to the Services in the event Client fails to pay undisputed Fees within 60 days after the due date, and Smarsh will not be liable for any damages resulting from such suspension. 4) Replace Section 9 In its entirety, as follows: Taxes. All Fees payable by Client under this Agreement are exclusive of taxes and similar assessments. Smarsh acknowledges that Client is tax-exempt. 5) Replace Section 10.2 in its entirety, as follows: Obligations with Respect to Confidential Information. Each party agrees: (a) that it will not disclose to any third party, or use for the benefit of any third party, any Confidential Information disclosed to it by the other parry except as expressly permitted by this Agreement; and (b) that it will use at least reasonable measures to maintain the confidentiality of Confidential Information of the other party in its possession or control but no less than the measures it uses to protect its own confidential information. Either party may disclose Confidential Information of the other party: (i) pursuant to the order or requirement of a court, administrative or regulatory agency, or other governmental body, provided that the receiving party, if feasible and/or legally permitted to do so, gives reasonable notice to the disclosing party to allow the disclosing party to contest such order or requirement; (ii) to the parties' agents, representatives, subcontractors or service providers who have a need to know such information provided that such party shall be under obligations of confidentiality at least as restrictive as those contained in this Agreement; or (III) pursuant to a CA public records request, provided that the Client gives notice to Smarsh in a US: +1 (866) 762-7741 UK: +44 (0) 800-048-8612 www.smarsh.com Page 4 of 5 Agreement No. 6362A reasonable amount of time to allow Smarsh the opportunity to seek a protective order preventing such disclosure. Each party will promptly notify the other party in writing upon becoming aware of any unauthorized use or disclosure of the other party's Confidential Information. 6) Replace Section 13.1 in its entirety, as follows: Client Indemnification. To the extent permitted by CA law, and without in any manner waiving its rights to sovereign immunity or increasing the limits of liability thereunder, Client will defend, indemnify and hold harmless Smarsh, its officers, directors, employees and agents, from and against all claims, losses, damages, liabilities and expenses (including fines, penalties, and reasonable attorneys' fees), arising from or related to the content of Client Data and Client's breach of the Service Specific Terms or Sections 4.2, 4.3, 4.4, 4.5, or 15.1 of this Agreement. Smarsh will (a) provide Client with prompt written notice upon becoming aware of any such claim; except that Client will not be relieved of its obligation for indemnification if Smarsh fails to provide such notice unless Client is actually prejudiced in defending a claim due to Smarsh's failure to provide notice In accordance with this Section 13.1(a); (b) allow Client sole and exclusive control over the defense and settlement of any such claim; and (c) if requested by Client, and at Client's expense, reasonably cooperate with the defense of such claim 7) Replace Section 15.4 in its entirety, as follows: Governing law. This Agreement will be governed by and construed in accordance with the laws of the State of CA, without regard to conflict/choice of law principles. Any legal action or proceeding arising under this Agreement will be brought exclusively In the federal or state courts located in , in the State of CA, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein, 8) Replace Section 15.9 in its entirety, as follows: Entire Agreement; Electronic Signatures. This Agreement Is the entire agreement between the parties with respect to its subject matter, and supersedes any prior or contemporaneous agreements, negotiations, and communications, whether written or oral, regarding such subject matter. Smarsh expressly rejects all terms contained in Client's purchase order documents, or in electronic communications between the parties, and such terms form no part of this Agreement. The parties agree that electronic signatures, whether digital or encrypted, give rise to a valid and enforceable agreement. This Agreement may only be modified, or any rights under it waived, by a written document executed by both parties. 9) Delete Section 16, concerning alternative jurisdiction, in its entirety. U5: +1(866) 762-7741 UK: +44 (0) 800-048-8612 www.smarsh.com Page 5 of 5 Agreement No. 6362A Smarsh Services Agreement -General Terms WHEN YOU CLICK BOX INDICATING ACCEPTANCE OF THIS AGREEMENT OR WHEN YOU EXECUTE AN ORDER FORM THAT REFERENCES THIS AGREEMENT, YOU, THE COMPANY ENTERING THIS AGREEMENT ("CLIENT"), AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ACCEPT THIS AGREEMENT ON BEHALF OF YOUR COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITYTO THIS AGREEMENT. IF CLIENT PREVIOUSLY EXECUTED A SUBSCRIPTION FORM OR AN ORDER FORM (OR ENTERED INTO ANYOTHER ORDER DOCUMENT IN ELECTRONIC OR HARD COPY FORM) FOR SERVICES OR SOFTWARE, CLIENT AGREES THAT UPON ACCEPTING THE TERMS OF THIS AGREEMENT, WHETHER BY CLICK THROUGH OR BY ORDER FORM REFERENCING THIS AGREEMENT, THIS AGREEMENT SUPERSEDES ANY AND ALL PRIOR TERMS AND CONDITIONS ASSOCIATED WITH PREVIOUS ORDER FORM(S), AND SUCH PREVIOUS ORDER FORM TERMS AND CONDITIONS ARE OF NO FORCE OR EFFECT, EXCEPT THATTHE "EFFECTIVE DATE" OF CLIENT'S AGREEMENT IS THE DATE ON WHICH CLIENT FIRST EXECUTED AN ORDER FORM FOR SERVICES OR SOFTWARE, AND THE TERM OF CLIENT'S AGREEMENT FOR ALL SERVICES OR SOFTWARE WILL CONTINUE TO RENEW ON THE ANNIVERSARY OF THAT EFFECTIVE DATE, BUTACCORDING TO THE RENEWALTERMS OF THIS AGREEMENT. This Smarsh Services Agreement -General Terms (the "Agreement") constitutes a binding agreement between Smarsh Inc. ("Smarsh") and the Client identified in an order document that references this Agreement ("Order Form"), or the Client who accepts the terms of this Agreement via click -through acceptance. Client agrees that the terms of this Agreement will govern Client's use of the Services (as defined in Section 1). This Agreement includes four parts: (1) the legal terms that are included in this "Smarsh Services Agreement - General Terms", (2) the terms that are specific to each service included in the "Service Specific Terms", (3) the description of what is included with each service in "Service Descriptions"; and (4) the Acceptable Use Policy (or "AUP"). 1. Services. Smarsh will provide the Services specified in each Order Form ("Services"), according to the Agreement, the Service Specific Terms (including the applicable Service Level Agreement(s)), and the Service Descriptions, which describe the features and functionality of each Service. The Service Specific Terms and Service Descriptions are located at,). Smarsh grants Client a revocable, non-exclusive, non -transferable, limited license to access and use the Services purchased by Client during the Term (as defined in Section 12). 2. Support & User Groups. Smarsh Central, located at,),1,t1�"aw� r�"e�aai,,a�a�,p is where Client may seek support resources for the Services as well as engage with other end users in online forums regarding the Services. 2.1. Smarsh Central. Support FAQ's and other support resources are available on Smarsh Central located at i, uzzLg , Client may initiate support requests by submitting support tickets on Smarsh Central. Changes to Smarsh's support policies will be made available on Smarsh Central. 2.2. Groups. Smarsh Central also provides online forums and related features to Users of the Services (as defined in Section 4.6) for discussion, feedback, and general Q&A purposes (such forums and related features are collectively called "Groups"). Smarsh grants Client and its Users a revocable, non-exclusive, non -transferable license to access and use Groups within Smarsh Central in connection with Client's use of the Services. Client or Users may post comments or content to Groups ("Groups Content"). Client hereby grants Smarsh a worldwide, exclusive, royalty -free, irrevocable license to access, use, reproduce, make derivatives of, and incorporate Groups Smarsh Services Agreement- General Terms I Page 1 of 9 Agreement No. 6362A Content into Smarsh products or services for commercial use. Client acknowledges that Groups Content is not confidential and is subject to the Acceptable Use Policy available at VVVAIw _sang vsii rare fora~ k ^_U . Smarsh may delete Groups Content without prior notice. Client is responsible for all Groups Content posted by its Users. Smarsh disclaims all liability arising from Groups Content and use of Groups, including exposure to content that is potentially offensive, indecent, inaccurate, objectionable, or otherwise inappropriate. Smarsh may suspend or discontinue Groups at any time. Smarsh provide Groups without charge and Groups is not part of the Services. 3. Trial Services. If a trial period is indicated on an Order Form, Smarsh will provide Client with a temporary account to one or more Services ("Trial Account"). The Trial Account will be accessible beginning on the Activation Date (as defined in Section 7) and for the trial period set forth in the Order Form, or if no trial period is stated, the Trial Account period will be thirty (30) days from the Activation Date. DURING THETRIAL PERIOD, THE TRIALACCOUNTANDASSOCIATED SERVICESARE PROVIDED "AS IS" AND "AS AVAILABLE" AND WITHOUT REPRESENTATION OR WARRANTY OF ANY KIND. 4. Client Obligations. 4.1. As used in this Agreement, the term "Client Data" means the data that the Services capture or archive from Client's systems or from Client's Third Party Services (as defined in Section 5), or Client's historical data provided by or on behalf of Client for ingestion by the Services. Client hereby grants Smarsh a limited, non-exclusive license to access, copy, transmit, download, display, and reproduce Client Data as necessary to provide, support, and improve the Services, as directed by Client, or as otherwise authorized hereunder. Data generated by the Services regarding Client's use of the Services is usage data and is not and does not contain Client Data. 4.2. It is Client's sole responsibility to monitor the Services and Client's systems and Third Party Services to ensure that Client Data is being captured. Client will notify Smarsh of any delivery failures or outages of its systems that could affect the transmission of Client Data. It is Client's responsibility to encrypt (i) data sent to the Services from Client's systems and (ii) historical data sent to Smarsh for ingestion. Smarsh will have no responsibility or liabilityfor any data that Client transmits to Smarsh in an unencrypted format. Smarsh is not responsible or liable for any update, upgrade, patch, maintenance or other change to Client's systems orThird Party Services that affects the transmission of Client Data to the Service. It is Client's responsibility to ensure that the Services are configured to capture Client Data from all relevant end -user accounts or devices or web domains, as applicable. 4.3. Client is solely responsible for the content of Client Data. Client represents and warrants that (a) Client Data will not (i) infringe any third party right, including third party rights in patent, trademark, copyright, or trade secret, or (ii) constitute a breach of any other right of a third party, including any right that may exist under contract or tort theories; (b) Client will comply with all applicable local, state, national, or foreign laws, rules, regulations, or treaties in connection with Client's use of the Services, including those related to data privacy, data protection, communications, SPAM, or the transmission, recording, or storage of technical data, personal data, or sensitive information; and (c) Client will comply with the Acceptable Use Policy available at ,+^,.r xrd 0;�1�,�.1 4f;. Smarsh may update the Acceptable Use Policy from time to time. 4.4. Client is responsible for creating an account within the Services and ensuring that (a) Client's account registration information is complete and accurate; and (b) Client's account credentials are confidential. Client will notify Smarsh immediately of any unauthorized use of Client's account or account credentials, or any other known or suspected breach of the security of Client's account. Client is responsible for the activity that occurs within Client's account and for Smarsh Services Agreement — General Terms I Page 2 of 9 Agreement No. 6362A the actions or omissions of Client's employees, contractors or agents, whether such person is or was acting within the scope of their employment, engagement, or agency relationship. Client will not permit Smarsh competitors to access the Services. 4.5. Client may provide Representatives with access to the Services, may purchase Services on behalf of Representatives, or where Client is required to review Representative communications, Client may use the Services to meet such requirement. A "Representative" means any entity (a) that Client controls or that is under common control with Client; or (b) on behalf of which Client has a regulatory requirement to archive or review communications data. Representatives' use of the Services is subject to the terms of this Agreement. Client is responsible for the actions or omissions of each Representative whether such person is or was acting within the scope of their employment, engagement, or agency relationship. 4.6. Client may designate user roles with different levels of access for use or support of the Services. An "Authorized User" is the administrative user(s) with the highest level of access and is responsible for managing the Services for Client, Only Authorized Users may appoint other Authorized Users, request or agree to changes to the Services, add or remove users, make billing inquiries, contact support, or take other, similar actions. A "User" is any individual who is granted login credentials to the Services. Users may not share account log in credentials. S. Third Party Providers. The Services receive Client Data from third party sources and are dependent on the third party's services, software, applications, platforms (such as third party social media, business networking platforms systems, telecommunications carriers, or other messaging or communication services or APIs) ("Third Party Services"). Third Party Services are not offered, controlled or provided by Smarsh. A Third -Party Service may make changes to its service, or components thereof, or suspend or discontinue a service without notice to Smarsh. In addition, the availability of the Third -Party Service may depend on Client's compliance with the Third -Party Service terms. The Third -Party Service will have accessto Client's data and will provide Client Data to Smarsh. Smarsh does not control and is not responsible or liable for how the Third -Party Service transmits, accesses, processes, stores, uses, or provides data to Smarsh. Smarsh expressly disclaims all liability related to or arising from any Third -Party Service, including Client's use thereof, or liability related to or arising from any updates, modifications, outages, delivery failures, corruption of data, loss of data, discontinuance of services, or termination of Client's account by the Third -Party Service. Client is solely responsible for ensuring Client complies with all Third -Party Service terms and conditions. Client acknowledges that certain Third -Party Services do not represent that they are suitable for sensitive communications and do not encrypt messages sent over such Third -Party Services networks, including social media providers, telecommunication carriers and certain messaging platforms. Client agrees that if Client transmits sensitive health or financial information via these unsecure Third Party Services networks, Client assumes all risk associated with such transmission and is responsible for any damages or losses incurred with respect to transmitting such sensitive data over such networks and to Smarsh. Such transmission may also be a breach of the AU P. 6. Term & Termination. 6.1. Term. The Agreement will begin on the Effective Date and will remain in effect for the term specified in the Order Form or, if no term is specified,12 months ("Initial Term"). The Initial Term will renew automatically for additional, successive 12-month terms (each a "Renewal Term"), unless Smarsh or Client provides the other party with written notice of non -renewal at least 60 days prior to the end of the Initial Term or the applicable Renewal Term, or either party terminates in accordance with section 6.2 or 63 below. The Initial Term plus any Renewal Term are, collectively, the "Term" Any Order Form executed after the Effective Date will co -terminate with Client's then -current Term. 6.2. Termination for Breach. Either party may terminate this Agreement if the other party materially breaches its obligations under this Agreement and such breach remains uncured for Smarsh Services Agreement — General Terms I Page 3 of 9 Agreement No. 6362A a period of 30 days following the non -breaching party's written notice thereof. Smarsh may suspend Client's access to the Services in the event of a breach of this Agreement and will not be liable for any damages resulting from such suspension. 6.3. Termination for Bankruptcy. This Agreement will terminate immediately, upon written notice, where (a) either party is declared insolvent or adjudged bankrupt by a court of competent jurisdiction; or (b) a petition for bankruptcy or reorganization or an arrangement with creditors is filed by or against that party and is not dismissed within 60 days. 6.4. Effect of Termination. Upon any termination or expiration of the Agreement: (a) all rights and licenses to the Services granted to Client by Smarsh will immediately terminate; (b) Client will pay any Fees due and payable up to the date of termination, except in the case of Smarsh's termination for Client's breach, and in such case. Clientwill paythe Fees owing for the remainder of the then -current Term; and (c) upon request, each party will return to the other or delete the Confidential Information of the other party; provided that if Client requests Smarsh to return Client Data from within Client's Professional Archive (defined in Professional Archive Service Specific Terms) instance, Client may (i) sign a separate Order Form for such Professional Services and will pay Smarsh's then -current data extraction and exportation fees plus any hardware costs as specified in such Order Form or (ii) sign a separate access -only agreementto maintain access to the Professional Archive with the ability to complete self-service exports. 7. Fees & Payment. Client will pay the fees for the Services as set forth in the Order Form ("Fees"). Following execution of the Order Form, Smarsh will activate or otherwise make available the Services listed in the Order Form by either delivering the software (if on -premise software is purchased) or providing Client with login credentials to an account within the applicable Service ("Activation Date"). Beginning on the Activation Date, Client will be invoiced forthe recurring Fees perthe invoice schedule in the Order Form. One-time fees and fees for professional services will be invoiced per the terms of the Order Form, or the applicable statement of work. Client will pay Fees within thirty (30) days of the date of the invoice. If Client disputes any Fees, Client must notify Smarsh within 120 days of the date of invoice. Invoices not disputed within 120 days from the date of invoice will be deemed accepted by Client. Smarsh may charge a late fee of 1.5% per month on any Fees not paid when due. Smarsh may suspend Client's access to the Services in the event Client fails to pay the Fees when due. Smarsh will increase Fees upon each Renewal Term, provided that any such increase will not exceed five percent (5%) of the then current Fees. Smarsh will provide ninety (90) days' prior written notice of any such increase in Fees. 8. Minimum Commitment & Invoice of Overages. Client agrees that the recurring Fees are Client's minimum purchase commitment during the Initial Term and, upon renewal, each Renewal Term. The minimum commitment is the total sum of the recurring Fees set forth in the applicable Order Form. For Fees invoiced based on usage, (a) if Client's usage exceeds the minimum commitment specified in the Order Form, Smarsh will invoice, and Client will pay the additional Fees due for such usage at the rate specified in the Order Form; and (b) if Client's usage during a month is less than Client's minimum purchase commitment, Smarsh will invoice Client for the minimum purchase commitment. Client understands that even if Client terminates prior to the end of the Term or any Renewal Term, such minimum commitment shall be due to Smarsh. 9. Taxes. All Fees payable by Client under this Agreement are exclusive of taxes and similar assessments. Client is responsible for all sales, service, use and excise taxes, utility user's fees, VAT, 911 taxes, or universal service fund fees or taxes, taxes assessed on the use of software or any other similar taxes, duties and charges of any kind imposed by any federal, state or local governmental or regulatory authority on any amounts payable hereunder, other than any taxes imposed on Smarsh's income. Smarsh Services Agreement— General Terms I Page 4 of 9 Agreement No. 6362A 10. Confidentiality. 10.1. "Confidential Information" means (a) the non-public information of either party, including but not limited to information relating to either party's product plans, present or future developments, customers, designs, costs, prices, finances, marketing plans, business opportunities, software, software manuals, personnel, research, development or know-how; (b) any information designated by either party as "confidential" or "proprietary" or which, under the circumstances taken as a whole, would reasonably be deemed to be confidential; (c) the terms of this Agreement; or (d) Client Data. "Confidential Information" does not include information that: (i) is in, or enters, the public domain without breach of this Agreement; (ii) the receiving party lawfully receives from a third party without restriction on disclosure and without breach of a nondisclosure obligation; (iii) the receiving party knew prior to receiving such information from the disclosing party, as evidenced the receiving party's records; or (iv) the receiving party develops independently without reference to the Confidential Information. 10.2. Obligations with Respect to Confidential Information. Each party agrees: (a) that it will not disclose to any third party, or use for the benefit of any third party, any Confidential Information disclosed to it by the other party except as expressly permitted by this Agreement; and (b) that it will use at least reasonable measures to maintain the confidentiality of Confidential Information of the other party in its possession or control but no less than the measures it uses to protect its own confidential information . Either party may disclose Confidential Information of the other party: (i) pursuant to the order or requirement of a court, administrative or regulatory agency, or other governmental body, provided that the receiving party, if feasible and/or legally permitted to do so, gives reasonable notice to the disclosing party to allow the disclosing party to contest such order or requirement; or (ii) to the parties' agents, representatives, subcontractors or service providers who have a need to know such information provided that such party shall be under obligations of confidentiality at least as restrictive as those contained in this Agreement. Each party will promptly notify the other party in writing upon becoming aware of any unauthorized use or disclosure of the other party's Confidential Information. 10.3. Remedies. Each party acknowledges and agrees that a breach of the obligations of this Section 10 by the other party may result in irreparable injury to the disclosing party for which there may be no adequate remedy at law, and the disclosing party will be entitled to seek equitable relief, including injunction and specific performance, in the event of any breach or threatened breach or intended breach by the recipient of Confidential Information. 11. Intellectual Property. As between Smarsh and Client, all right, title and interest in and to the Services, the information technology infrastructure including the software, hardware, databases, electronic systems, networks, and all applications, APIs or Client -Side Software (as defined in the Service Specific Terms) required to deliver the Services, or made available or accessible to Client by Smarsh, including all documentation regarding the use or operation of the Services (collectively "Intellectual Property") are the sole and exclusive property of Smarsh. Except as expressly stated herein, nothing in this Agreement will serve to transfer to Client any right in or to the Intellectual Property. Smarsh retains all right, title and interest in and to Intellectual Property. As between Smarsh and Client, Client Data is the sole and exclusive property of Client and other than the limited license to Client Data granted hereunder, nothing in this Agreement will serve to transfer to Smarsh any intellectual property rights in Client Data. 12. Smarsh Representations and Warranties; Warranty Disclaimer. 12.1. Performance Warranty. Smarsh represents and warrants that it will provide the Services in accordance with generally accepted industry standards. Smarsh Services Agreement — General Terms I Page 5 of 9 Agreement No. 6362A 12.2. Authority. Smarsh represents and warrants that it has the right and authority to enter into this Agreement and that the performance of its obligations under this Agreement will not breach, or conflict with, any other agreement to which Smarsh is a party. 12.3. Compliance with Laws. Smarsh represents and warrants that it will comply with the laws and regulations applicable to Smarsh in its performance of the Services. 12.4. Warranty Disclaimer; No Guarantee. EXCEPT AS SET FORTH ABOVE, SMARSH MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND IN CONNECTION WITH THE SERVICES, PROFESSIONAL SERVICES OR SOFTWARE, INCLUDING, WITHOUT LIMITATION, ANY INFORMATION OR MATERIALS PROVIDED OR MADE AVAILABLE BY SMARSH. SMARSH HEREBY DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON -INFRINGEMENT. SMARSH DOES NOT REPRESENT OR WARRANT THAT THE SERVICES OR SOFTWARE WILL BE AVAILABLE OR ERROR -FREE_ SMARSH WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET, ELECTRONIC COMMUNICATIONS, OR OTHER SYSTEMS OUTSIDE THE REASONABLE CONTROL OF SMARSH. SMARSH DOES NOT GUARANTEE THAT USE OF THE SERVICES BY CLIENT OR THE ADVICE, CONSULTING OR PROFESSIONAL SERVICES PROVIDED TO CLIENT WILL ENSURE CLIENT'S LEGAL COMPLIANCE WITH ANY FEDERAL, STATE, OR INTERNATIONAL STATUTE, LAW, RULE, REGULATION, OR DIRECTIVE. THE SOFTWARE IS NOT DESIGNED OR INTENDED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, INCLUDING BUT NOT LIMITED TO ANY APPLICATION IN WHICH THE FAILURE OF THE SOFTWARE COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR PROPERTY DAMAGE. 13. Indemnification. 13.1_ Client Indemnification. Client will defend, indemnify and hold harmless Smarsh, its officers, directors, employees and agents, from and against all claims, losses, damages, liabilities and expenses (including fines, penalties, and reasonable attorneys' fees), arising from or related to the content of Client Data and Client's breach of the Service Specific Terms or Sections 4.2, 4.3, 4.4, 4.5, or 15.1 of this Agreement. Smarsh will (a) provide Client with prompt written notice upon becoming aware of any such claim; except that Client will not be relieved of its obligation for indemnification if Smarsh fails to provide such notice unless Client is actually prejudiced in defending a claim due to Smarsh's failure to provide notice in accordance with this Section 13.1(a); (b) allow Client sole and exclusive control over the defense and settlement of any such claim; and (c) if requested by Client, and at Client's expense, reasonably cooperate with the defense of such claim. 13.2. Smarsh Indemnification. Smarsh will defend, indemnify and hold Client harmless from third - party claims arising from a claim that the Services infringe any United States patent, trademark or copyright; provided that, Client shall (a) provide Smarsh with prompt written notice upon becoming aware of any such claim; (b) allow Smarsh sole and exclusive control over the defense and settlement of any such claim; and (c) reasonably cooperate with Smarsh in the defense of such claim. Notwithstanding the foregoing, Smarsh will not be liable for any claim that relates to or arises from: (i) custom functionality provided to Client based on Client's specific requirements; (ii) any modification of the Services by Client or any third party; (iii) the combination of the Services with any technology or other services, software, or technology not provided by Smarsh; or (iv) Client's failure to use updated or modified versions of the Services made available by Smarsh. Except as expressly provided in Section 14.1.3, the indemnification obligation contained in this Section 13.2 is Client's sole remedy, and Smarsh's sole obligation, with respect to claims of infringement. Smarsh Services Agreement —General Terms I Page 6 of 9 Agreement No. 6362A 14. Remedies and Limitation of Liability, 14.1. Remedies. 14.1.1. In the event of a breach of any warranty under Section 12 Smarsh will use commercially reasonable efforts to provide Client with an error correction or work -around that corrects the reported non -conformity. The foregoing remedy is Client's sole and exclusive remedy for a breach of Section 12. 14.1.2. In the event of a breach of the applicable Service Level Agreement, Smarsh will provide Client with the credit stated in the Service Level Agreement_ The foregoing remedy is Client's sole and exclusive remedy for a breach of the applicable Service Level Agreement. 14.1.3. If the Services are subject to a claim of infringement under Section 13.2, Smarsh may, in its sole discretion, either (a) procure for Client the right to continue to use the Services; (b) modify the Services such that they are non -infringing; or (c) if in the reasonable opinion of Smarsh, neither (a) nor (b) is commercially feasible, then Smarsh may, upon thirty (30) days' prior written notice to Client, terminate the applicable Service. 14.2. Limitation of Liability. 14.2.1.IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER, OR TO ANY THIRD PARTY, FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF: USE, DATA, BUSINESS, OR PROFITS), ARISING FROM OR IN CONNECTION WITH THE SERVICES OR SOFTWARE (AS DEFINED IN THE SERVICE SPECIFICTERMS), WHETHER BASED ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER THE PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SMARSH WILL NOT BE LIABLE FOR ANY DAMAGES, WHETHER CONSEQUENTIAL OR OTHERWISE, ARISING FROM OR RELATED TO CLIENT'S NON-COMPLIANCE WITH ANY FEDERAL, STATE, OR INTERNATIONAL STATUTE, LAW, RULE, REGULATION, OR DIRECTIVE. 14.2.2.EXCEPT WITH RESPECT TO SECTION 13.1 (CLIENT INDEMNIFICATION), EACH PARTY'S AGGREGATE LIABILITY FOR ALL DAMAGES ARISING FROM OR RELATING TO THIS AGREEMENT, NOTWITHSTANDING THE FORM IN WHICH ANY ACTION IS BROUGHT (E.G., CONTRACT, TORT, OR OTHERWISE), WILL NOT EXCEED THE TOTAL FEES ACTUALLY RECEIVED BY SMARSH FROM CLIENT FOR THE APPLICABLE SERVICES IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF THE INCIDENT FROM WHICH THE DAMAGES AROSE. 14.2.3_THE LIMITATION OF LIABILITY SET FORTH ABOVE IS CUMULATIVE; ALL PAYMENTS MADE FOR ALL CLAIMS AND DAMAGES WILL BE AGGREGATED TO DETERMINE IFTHE LIMIT HAS BEEN REACHED. 15. General Terms. 15.1. Export Restrictions. The Services and Software (as defined in the Service Specific Terms), including any software, documentation and any related technical data included with, or contained in, the Services of Software, may be subject to United States export control laws and regulations. Smarsh Public IM policy manager is classified under Export Control Classification Number (ECCN) 5D002.c.1 and has been qualified for export under authority of license exception ENC, in accordance with sections 740_17(d) and 740.17(b)(3) of the U.S. Export Administration Regulations, 15 C.F.R. Part 730 et seq. (the "EAR"). It may not be downloaded or otherwise exported or re-exported into (or to a national or resident of) Crimea- Region of Ukraine, Cuba, Iran, North Korea, Sudan, Syria or any other country to which the United States has embargoed goods; or any organization or company on the United States Commerce Department's "Denied Smarsh Services Agreement— General Terms I Page 7 of 9 Agreement No. 6362A Parties List." Client will comply with the export laws and regulations of the United States and other applicable jurisdictions when using the Services. Client will not transfer the Software, or any other software or documentation provided by Smarsh (a) to any person on a government promulgated export restriction list; or (b) to any U.S.-embargoed countries. Without limiting the foregoing: (a) Client represents that it and its Authorized Users and any other users of the Services are not named on any United States government list of persons or entities prohibited from receiving exports; (b) Client represents that Client will not use the Software or Services in a manner which is prohibited under United States Government export regulations; (c) Client will comply with all United States anti -boycott laws and regulations; (d) Client will not provide the Software or Service to any third party, or permit any user to access or use the Software or Service, in violation of any United States export embargo, prohibition or restriction; and (e) Client will not, and will not permit any user or third party to, directly or indirectly, export, re-export or release the Software or Services to any jurisdiction or countryto which, or any partyto whom, the export, re-export or release is prohibited by applicable law, regulation or rule. 15.2. Assignment. Neither party may assign this Agreement, in whole or in part, without the other party's prior written consent, except that either party may assign this Agreement without the other's consent in the case of a merger, reorganization, acquisition, consolidation, or sale of all, or substantially all, of its assets. Any attempt to assign this Agreement other than as permitted herein will be null and void. This Agreement will inure to the benefit of, and bind, the parties' respective successors and permitted assigns. 15.3. Force Majeure. A failure of party to perform, or an omission by a party in its performance of, any obligation of this Agreementwill not be a breach of this Agreement, norwill it create anyliability, if such failure or omission arises from any cause or causes beyond the reasonable control of the parties, including, but not limited to the following (each a "Force Majeure Event"): (a) acts of God; (b) acts or omissions of any governmental entity, (c) any rules, regulations or orders issued by any governmental authority or any officer, department, agency or instrumentality thereof, (d) fire, storm, flood, earthquake, accident, war, rebellion, insurrection, riot, strikes and lockouts; or (e) utility or telecommunication failures; so long as such party uses reasonable efforts to resume performance after any such Force Majeure Event. 15.4. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict/choice of law principles. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Multnomah County, in the State of Oregon, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein. 15.5. Relationship of the Parties. The parties are independent contractors as to each other, and neither party will have power or authority to assume or create any obligation or responsibility on behalf of the other. This Agreement will not be construed to create or imply any partnership, agency, or joint venture. 15.6. Notices. Any legal notice under this Agreement will be in writing and delivered by personal delivery, express courier, certified or registered mail, postage prepaid and return receipt requested, or by email. Notices will be deemed to be effective upon personal delivery, one (1) day after deposit with express courier, five (5) business days after deposit in the mail, or when receipt is acknowledged in the case of email to Smarsh. Notices will be sent to Client at the address set forth on the Order Form or such other address as Client may specify. Notices will be sent to Smarsh at the following address: Smarsh Inc., Attention: Legal, 851 SW 6th Ave, Suite 800, Portland, OR 97204, or in the case of email, to 8ecgj, p 15.7. Publicity. Smarsh may disclose that Client is a customer of Smarsh. 15.8. Severability, Waiver. If for any reason a court of competent jurisdiction finds any provision or portion of this Agreement to be unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible so as to effect the intent of the parties, and the remainder of this Agreement will continue in full force and effect. Failure of either party to insist on strict Smarsh Services Agreement — General Terms I Page 8 of 9 Agreement No. 6362A performance of any provision herein will not be deemed a waiver of any rights or remedies that either party will have and will not be deemed a waiver of any subsequent default of the terms and conditions thereof. 15.9. Entire Agreement; Electronic Signatures. This Agreement is the entire agreement between the parties with respect to its subject matter, and supersedes any prior or contemporaneous agreements, negotiations, and communications, whether written or oral, regarding such subject matter. Smarsh expressly rejects all terms contained in Client's purchase order documents, or in electronic communications between the parties, and such terms form no part of this Agreement. The parties agree that electronic signatures, whether digital or encrypted, or Client's click -through acceptance of this Agreement, give rise to a valid and enforceable agreement. 15.10. Amendments. Smarsh may amend this Agreement by posting a revised version to lei or at the Services log -in prompt. Client accepts the revised version of this Agreement by either (a) click -through acceptance at the Services log -in prompt; (b) execution of an Order Form incorporating the revised version; or (c) continued use of the Services for 30 days following the earliest notice of such revised version provided to an Authorized User at the Services log -in prompt. 16. IF CLIENT IS LOCATED IN EUROPE, THE FOLLOWING MODIFICATIONS TO THE ABOVE TERMS APPLY: 16.1. Sections 14.2.1-14.2.3 are replaced with the following Sections 14.2.1-14.2.3: 14.2.1 Limitation of Consequential Damages. Subject to 14.2.3, in no event shall either party be liable under or in relation to this Agreement or its subject matter (whether such liability arises due to negligence, breach of contract, misrepresentation or for any other reason) for any: (a) loss of profits; (b) loss of sales; (c) loss of turnover; (d) loss of, or loss of use of, any (i) software or (ii) data; (e) loss of use of any computer or other equipment or plant; (f) wasted management or other staff time; (g) losses or liabilities under or in relation to any other contract; or (h) indirect, special or consequential loss or damage. 14.2.2 Limitation on Direct Damages. Subject to Sections 14.2.1 and 14.2.3, Smarsh's aggregate liability arising from or in connection with this Agreement (and whether the liability arises because of breach of contract, negligence, misrepresentation or for any other reason) shall not exceed 1.25 times the amounts paid or payable (having been invoiced but notyet paid) by Client for the license to use the Service. 14.2.3 Notwithstanding anything to the contrary in this Agreement, neither party excludes or limits its liability in respect of death or personal injury caused by the negligence of'that party, its servants or agents, breach of any condition as to title or quiet enjoyment implied by Section 12 Sale of Goods Act1979 or Section 2 Supply of Goods and Services Act 1982, or liability for fraudulent misrepresentation or such other liability which cannot under applicable law be excluded or limited by Agreement. 16.2. Section 15.4 is replaced with the following: 15.4 Governing Law and Jurisdiction. This Agreement and all matters arising out of or relating to this Agreement shall be governed by the laws of England and Wales and the parties agree to submit to the exclusive jurisdiction of the English courts. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods is specifically excluded from application to this Agreement. Notwithstanding anything in this Agreement to the contrary, nothing in this Agreement prevents either party from seeking injunctive relief in the appropriate or applicable forum. Smarsh Services Agreement- General Terms I Page 9 of 9 Agreement No. 6362A mi r Capture_ Reveal. Respond. Information Security Addendum Overview Smarsh will implement and maintain a written information security program that maintains administrative, technical, and physical safeguards, designed to: • ensure the security and confidentiality of all Client Confidential Information that is processed, stored, or controlled by Smarsh; • protect against anticipated threats or hazards to the security or integrity of such Confidential Information; • prevent unauthorized access to or loss, acquisition, disclosure, or use of such Confidential Information; and • ensure the secure disposal of such Confidential Information in compliance with applicable National Institute of Standards and Technology (NIST) standards. Smarsh will use reasonable efforts to ensure its written information security program and administrative, technical, and physical safeguards align with accepted industry practices [such as applicable security standards published by International Organization for Standardization (ISO) or NIST], and comply with applicable data protection and privacy laws, as well as the terms and conditions of the Agreement, including those contained in this Information Security Addendum. Detailed information about Smarsh's information security program is contained in the security documentation available by secure login at ht s& c d.marh. w . _enj Smarsh will designate a security manager to oversee its information security program and ensure its compliance with this Information Security Addendum. 1. Personnel Security 1.1. Screening. Smarsh will perform criminal background checks on all Smarsh employees prior to commencement of employment. Smarsh shall not allow any employee to perform services for Client or to access Client Data if such background checks reveal such individual was convicted of a crime involving any type of theft, fraud, bribery, other dishonest acts or the violation of any securities law. 1.2. Training. Smarsh will provide annual security awareness training to all Smarsh employees and contractors and will require Subcontractors to provide such training for their employees. Smarsh will provide additional role -based security training for Smarsh employees and contractors with access to Client Data or the applications that process and store Client Data. Page 7 of 7 Agreement No. 6362A Capture. Reveal. Respond. 1.3. Revocation. Smarsh will revoke physical and logical access for each Smarsh employee within 24 hours of such employee's termination of employment. 2. Facilities & Systems Security 2.1.Eggi5 cess. Smarsh will employ physical security procedures to ensure that only authorized individuals and guests have access to corporate facilities. Such procedures will include the use of CCTV, cardkey access, processes to log and monitor visitors, and use of receptionists or security guards. Smarsh will maintain surveillance records for at least ninety (90) days. 2.2. Systems Access. Smarsh will follow the principle of "least privilege" when granting access to Smarsh systems. Smarsh will enforce complex password requirements across all Smarsh systems to minimize password -related access control risks. Smarsh will utilize multi -factor authentication when feasible. Smarsh's information security policies will prohibit Smarsh employees from sharing, writing down, emailing, IM'ing or storing passwords unencrypted on any Smarsh system (including desktops). 3. Product Security 3.1. Smarsh will leverage a "security by design" approach and will utilize a software development life cycle that follows best practices defined by NIST and the OWASP Software Assurance Maturity Model (SAMM). 3.2. Smarsh will proactively ensure the security of its applications and environment by leveraging a "security by design" approach. Smarsh will, in accordance with industry accepted benchmarks such as those published by the Center for Internet Security (or equivalent), security -harden all network devices and servers that will host or process Client Data and code or web applications that are under Smarsh control. Smarsh will perform both static and dynamic automated web application security code analysis on all code prior to deployment in a production environment and correct security flaws discovered by source code analyses prior to deployment. Smarsh will, in accordance with generally accepted industry standards, monitor the Services and Smarsh networks, servers, and applications for potential security vulnerabilities. Smarsh will promptly respond to any identified vulnerabilities and assess criticality to resolve, or implement compensating controls for, such identified vulnerabilities within a reasonable amount of time, taking into account the risks posed by each such vulnerability. 3.3. Smarsh will employ then -current industry -standard measures to test the Services for (a) 'back door,' 'time bomb,' 'Trojan Horse,' 'worm,' 'drop dead device,' 'virus', Page 2 of 7 Agreement No. 6362A Capture. Reveal. Respond. 'spyware' or'malware;' or (b) any computer code or software routine that disables, damages, erases, disrupts or impairs the normal operation of the Services or any component thereof. 3.4.Smarsh QA and test networks and environments will be physically or logically separated from production networks and environments and will not be globally accessible to anyone on the internet. Administrative passwords across QA and test environments will be different than those used in production environments. 3.5. Smarsh will enforce a formal change management process which will include tracking and approving all product changes. Any such changes will be internally reviewed and tested within a staging environment before such changes are finalized and deployed. 3.6. Smarsh will not use Client Data for testing purposes. 4. Data Center Security 4.1. Data Center Access. Smarsh will employ physical security procedures and controls to ensure that only authorized individuals have access to Smarsh data centers. 4.2. Physical Security. Smarsh will employ data center security measures that align with the AICPA trust principles for physical security and will, at a minimum, secure Smarsh data centers using: floor -to -ceiling walls, multi -factor authentication for data center access, 24/7 security monitoring, alarmed exits, and onsite security personnel. 4.3. Data Center Locations. Smarsh primary and disaster recovery data centers will be located in geographically diverse locations to enhance security, availability, and resiliency. S. Secure Configuration Smarsh will use the Centerfor Internet Security (CIS) benchmarks for its secure baseline configurations. Smarsh will use secure configuration management tools to alert of changes to baseline configurations. 6. Data Management 6.1, Segregation. Client Data will be logically segregated from the data of other Smarsh clients. 6.2. Encryption. Smarsh will encrypt Client Data in transit and at rest using encryption techniques that comply with security industry standards published by NIST. Page 3 of 7 Agreement No. 6362A Capture. Reveal. Respond. 63. Back-ups. Smarsh leverages data replication across multiple geographically dispersed data centers as well as a local backup data center. 6.4. e, ruction. Smarsh will ensure removal of all data from any media taken out of service and destroy or securely erase such media to make it unreadable, undecipherable, and unrecoverable by any means in compliance with applicable N I ST standards. 6.5. Pemovable media. Smarsh will not allow its employees to store Client Data on any portable removable media (such as USB mass storage, external hard drives, and CD/DVDs); provided, however, that if storage on removable media is required to support the services (such as for client -requested data exports) provided under the Agreement, portable removable media must be encrypted as described above in Section 4.2. 7. Vulnerability Management 7.1. Smarsh will deploy vulnerability scanning mechanisms in its information systems and on hosted applications and will configure such mechanisms to conduct regular scans on Smarsh operating systems and infrastructure, web applications, and databases. Smarsh will analyze and assess all scan reports. 7.2. Smarsh will undergo annual penetration testing and will conduct quarterly security audits to identify potential vulnerabilities in the infrastructure used to provide the Services. Smarsh will implement a software/firmware patching program and will apply updates to all infrastructure components in a timely manner in accordance with the NIST 800-53 vulnerability remediation guidelines for critical or high -risk vulnerabilities. 8. Application Performance and Security Smarsh will use industry -standard technology and tools to monitor the uptime status of its hosted applications and send alerts when any warning conditions need to be reviewed. Smarsh will use industry -standard firewalls, IDS/IPS technology, and malware detection on its networks and hosted applications and will harden its device configurations. Smarsh will require the use of VPN for access to its secure networks. 9. Business Resiliency and Incident Response 9.1. Incident Ides cnse. Smarsh's information security program will include written incident response policies and procedures to define roles and responsibilities in the event that there is any actual, or reasonably suspected, unauthorized access to Smarsh facilities or Smarsh systems ("Security Incident"). Such policies and procedures will include processes to ensure that (i) server logs are maintained; (ii) all Page 4 of 7 Agreement No. 6362A Capture. Reveal. Respond. Security Incidents (defined below) are appropriately logged; (iii) all such server logs are retained for at least ninety (90) days; (iv) all such Security Incident logs are retained for at least three (3) years; and (v) all such logs are appropriately protected to ensure the integrity of such log. Smarsh will immediately implement such procedures immediately upon becoming aware of a Security Incident. 9.2. Clig_nt Qgta i cident. Upon becoming aware of any actual or reasonably suspected unauthorized third -party access to, or disclosure of, Client Data ("Client Data Incident"), Smarsh will: (i) immediately investigate, and take reasonable measures to remediate, the cause of such Client Data Incident, and (ii) promptly, but no later than forty-eight (48) hours after discovery, notify Client of such Client Data Incident. The notification will include, to the extent known, details of the incident, including the time, date, and nature of the incident and contact information for a member of Smarsh's information security team who can answer additional questions. 9.3. B siness Con inuit Disa r Recover , Smarsh will maintain a Business Continuity and Disaster Recovery Plan ("BCP") for the Services and implement the Plan in the event of a disaster, as defined in the BCP. The BCP will include disaster avoidance procedures which are designed to safeguard Client Data and Smarsh's data processing capabilities in the event of a disaster as defined in the BCP. Smarsh will make an executive summary of the BCP available in its Security Packet. Smarsh will test the BCP on at least an annual basis. 10. Annual Security Reviews 10.1. Smarsh will undergo an annual independent third -party SSAE 16 SOC 2 Type II (or its equivalent or successor) assessment of its information security program and its administrative, technical, and physical safeguards for all facilities used to deliver the Services. Such assessment will include, at a minimum, a network -level vulnerability assessment based on recognized industry practices. 10.2. Smarsh will assess criticality and remediate, or implement compensating controls for, all issues identified in such assessment in a timely manner based on level of criticality and risk. 10.3. Smarsh will include an executive summary of the results of such assessment in the Security Packet available to Client via login at I t s: entraq.smarsh. orrr. 11. Vendor and Third -Party Security 11.1. Risk Assessments. Smarsh will conduct an initial risk review and verification before engaging third -party vendors or subcontracting any of the Services. Thereafter, Smarsh will conduct annual risk reviews of such third -party vendors and subcontractors. Page 5 of 7 Agreement No. 6362A Capture. Reveal. Respond. 11.2. Subcontractors. A list of Smarsh subcontractors is available at httos://www.st'n,arsh.com/leaal/subr)ro.cessors. Smarsh will provide prior notice to Client and allow time for Client to object before Smarsh engages any new subcontractors who will have access to or process Client Data. If Smarsh uses subcontractors to perform any of the Services, Smarsh will (a) enter into a written agreement with each such subcontractor that imposes obligations on the subcontractor (i) that are at least as restrictive as those imposed on or required of Smarsh underthe applicable provisions of the Agreement and (ii) that prohibit the subcontractor from accessing or using Client Data except to the extent necessary to perform the subcontracted services; (b) only disclose Client Data to such subcontractor to the extent necessary for the subcontractor to perform the subcontracted services, (c) not be relieved of any of its obligations under this Agreement; and (d) remain liable and responsible for the performance or non- performance of such subcontractor. 12. Client Security Assessments 12.1. 5gcurily Pogumentation. To facilitate Client's risk -based assessment of Smarsh's information security program and administrative, technical, and physical safeguards applicable to Client's Confidential Information, Smarsh will make its Security Packet available to Client via htt s: cei itral.si-narsh.coin. The Security Packet includes, among other documentation, Smarsh's completed industry - standard information gathering questionnaire ("SIG") and Smarsh's annual independent SSAE 16 SOC 2 Type 11 report. Smarsh will update the Security Packet on a regular basis. If Client requests that Smarsh complete Client's security or other questionnaire(s) in lieu of, or in addition to, the Security Packet, Client must execute an order form and pay a professional services fee based on the size and scope of such questionnaire(s). 12.2. Qn-sitp.As5gUments. Where sufficient to allow Client to complete its risk -based assessment of Smarsh's information security program and administrative, technical, and physical safeguards applicable to Client's Confidential Information, Client shall refer to Smarsh's Security Packet. If Client desires to complete an on - site assessment, Client may conduct no more than one on -site assessment in a 12- month period, all such requests must be received by Smarsh at least 30 days prior to the requested assessment date, all such on -site assessments must be conducted during Smarsh's normal business hours, and Client shall bear all costs associated with such on -site assessment. Smarsh will scope the work required to facilitate such assessment and provide Client with a quote for the professional services fees associated with such on -site assessment. If Client desires tb proceed with such on -site assessment, Client must execute an order form or statement of work for such on -site assessment and provide Smarsh with its proposed list of Page 6 of 7 Agreement No. 6362A assmarsh" Capture. Reveal. Respond. attendees. Smarsh will invoice Client for such on -site assessment, and Client shall pay the associated fees within 30-days of the invoice date. 13. Export Controls Smarsh will comply with the export laws and regulations of the United States and other applicable jurisdictions when providing the Services. Smarsh will neither conduct business with nor allow access to its information systems by (a) any person on a government promulgated export restriction list; (b) any U.S.-embargoed countries; or (c) any organization or company on the U.S. Commerce Department's "Denied Parties List." Page 7 of 7 Agreement No. 6362A Service Specific Terms — Smarsh University These Service Specific Terms — Smarsh University apply only to Client's purchase and use of Smarsh University training and certification courses. Unless expressly stated otherwise, capitalized terms have the meaning given them in the Smarsh Service Agreement - General Terms. 1. Descriptions. "Smarsh University" or "Smarsh U" is a suite of training and certification courses designed to help Client and its Users understand and leverage the features and functionality of the products Client purchases from Smarsh. Smarsh University courses are offered as Public Courses, Dedicated Courses, and Web -based Courses (defined below). 2. Definitions. "Certification Exam" is an examination related to a specific Smarsh product or Service that if passed leads to certification of expertise in the use of such Smarsh product or Service. "Dedicated Courses" are private instructor -led courses conducted either by web conference or on -site at Client's facilities. "Public Courses" are instructor -led courses attended by Trainees from multiple companies and are conducted by web conference or on -site at a Smarsh-hosted event. "Trainee" is a Client employee, agent, or Representative for whom Client purchases a Smarsh U subscription or attendance at a Dedicated Course or an a la carte Public Course. "Web -based Courses" or "WBC" is a suite of pre-recorded online courses available to Trainees by login to the Smarsh learning management system using the Trainee's Smarsh Central access credentials. "Smarsh U Lab" is a training environment hosted in Smarsh data centers in the U.S. 3. Orders and Payment. Client must execute an Order Form to purchase Smarsh University subscriptions, blocks of Public Courses, and Dedicated Courses. Client must purchase all a la carte courses and Certification Exams through Smarsh Central. Smarsh University course Fees and Certification Exam Fees are non-refundable. 3.1. Subscriptions. Smarsh U subscriptions are offered as Full Access or WBC-only (defined below) and sync to and co -terminate with Client's then -current service Term under the Agreement. A "Unit" with respect to Smarsh U subscriptions is one Trainee. "Full Access" subscriptions include unlimited Public Courses and WBC accessfor each Trainee. "WBC-only" subscriptions include unlimited WBC access for each Trainee. 3.2. Blocksof public Courses. Client may purchase Public Courses in 1-day, 2-day, and 3-day blocks. Blocks of Public Courses are consumed in half -day or one day increments per -Trainee, as specified in the registration information for each Public Course. 3.3. Dedicated Courses. Dedicated Courses are one-time courses offered on a per -Trainee, per -day basis. Dedicated Courses are capped at ten (10) Trainees and are sold in half -day increments. All on -site Dedicated Courses must be scheduled at leasttwo (2) weeks in advance and require a minimum purchase of one full day. Trainer travel expenses will be included in the Fees for on -site Dedicated Courses. 3.4. PumhAsksr m within Smarsh Cen r 1.Payments for Certification Exams and a la carte Public Courses and WBC are processed through Stripe Checkout. Payments processed through Agreement No. 6362A wi e Stripe Checkout are subject to the _;tri Checicoutmglser Terrors Wf® vxc and the rm;° 4. Certification. Client may purchase Certification Exams for Trainees or Users. Once a Trainee or User passes a Certification Exam, the Trainee or User is Smarsh-certified and will receive a verifiable digital certificate of achievement and a verifiable digital badge indicating the Trainee is certified in the use of a specific Smarsh product or Service. Certificates and badges are unique to each User or Trainee and will transfer with such individual if they change employment. Certifications are valid for twenty-four (24) months following a successful Certification Exam. After that time, a Trainee or User must recertify to maintain their Smarsh certification. A recertification exam is available up to six (6) months following certification expiration. Thereafter the Trainee or User must retake the Certification Exam to maintain Smarsh certification. For the avoidance of doubt, Client must purchase a new Certification Exam if User or Trainee wishes to (i) retake a failed Certification Exam (ii) certify in additional products or Services- S. License_ Smarsh grants Client and its Trainees a non-exclusive, non -transferable, limited license to access and use the Smarsh U Lab, course materials and course content solely for training purposes. 6. Client Obligations and Trainee Conduct. 6.1. Trainees may not share access credentials. 6.2. Client must provide a computer for each Trainee and high-speed internet access to enable Trainees to remotely connect to the Smarsh U Lab for all courses. 6.3. Client must provide dedicated classroom space for on -site Dedicated Courses. 6.4. Smarsh may refuse, limit, or cancel any Smarsh U course if, in the sole opinion of Smarsh, any Trainee displays unreasonable behavior or acts in a violent, threatening, inappropriate, abusive, or disruptive manner during a course. 7. Substitutions and Cancellations. 7.1. Substitutions. Client may transfer a Unit up to three (3) times during an annual Term. Client must request all transfers by submitting a support case through Smarsh Central. 7.2. Reauests to Reschedule. Client may reschedule a Dedicated Course one time. Client must submit all requests to reschedule a Dedicated Course by submitting a support case through Smarsh Central. Client must submit its request to reschedule at least one week prior to the scheduled course date for virtual Dedicated Courses and at least two weeks prior to the scheduled course date for on -site Dedicated Courses. Client must submit its proposed reschedule date within 30 days following a reschedule request, and the rescheduled course date must occur not more than 180 days after the original course date. The parties will execute a change order to reflect the rescheduled course date. 7.3. nc II ton m-) Fr. Smarsh will use commercially reasonable efforts to hold all courses as scheduled but may need to cancel or reschedule a course in certain circumstances. If Smarsh cancels an on -site Dedicated Course or a Public Course that Client purchased a la carte, Smarsh will issue Client a reschedule voucher equal to the Fee for the cancelled course. Client may use the voucher to reschedule the Dedicated Course or register for a future Public Course within twelve (12) months of the cancelled course date. All vouchers expire twelve 02) months after the cancelled course date. Agreement No. 6362A T MN 8. Intellectual Property. Smarsh University and related course materials, information technology infrastructure, including the software, hardware, databases, electronic systems, networks, and all applications required to deliverthe Smarsh U Lab are Smarsh Intellectual Property. 9. Warranty Disclaimer No Guarantee. ALL SMARSH UNIVERSITY COURSES, MATERIALS, AND ANY OTHER DOCUMENTATION, PUBLICATIONS, OR OTHER INFORMATION OR MATERIALS PROVIDED BY OR ON BEHALF OF SMARSH TO CLIENT OR ITS TRAINEES FOR TRAINING PURPOSES ARE FURNISHED ON AN "AS -IS" BASIS, WITHOUT REPRESENTATION OR WARRANTY OF ANY KIND_ SMARSH WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET, ELECTRONIC COMMUNICATIONS, OR OTHER SYSTEMS OUTSIDE THE REASONABLE CONTROL OF SMARSH. SMARSH DOES NOT GUARANTEE THAT SMARSH U COURSES OR CERTIFICATION WILL ENSURE CLIENTS LEGAL COMPLIANCE WITH ANY FEDERAL, STATE, OR INTERNATIONAL STATUTE, LAW, RULE, REGULATION, OR DIRECTIVE.