CONTRACT 7568 Vender Agreement
Zoho Sign Document ID: DFB143683-T8FSABVSRT6-IWCAZVOKEMDUD80DNYIDSDXRHHFDPOY
Agreement No. 7568
ZOHO MASTER SUBSCRIPTION AGREEMENT
This MASTER SUBSCRIPTION AGREEMENT ("Agreement"), is made and entered into on S-''r`2026
("Effective Date") by and between Zoho Corporation, a California corporation having its principal place of
business at 4141 Hacienda Drive, Pleasanton, CA 94588 ("Zoho") and City of El Segundo, a Municipal
Corporation and general law city having its principal place of business at 350 Main St., El Segundo, CA
90245 ("Subscriber").
Zoho and Subscriber are each a "party", and together are "parties" to this Agreement.
NOW THEREFORE the parties, intending to be legally bound, agree as follows:
1. Definitions.
1.1. "Affiliates" shall mean any entity which directly or indirectly controls, is controlled by, or is
under common control with the subject entity. "Control" for the purposes of this definition,
means direct or indirect ownership or control of more than 50% of the voting interests of the
subject entity.
1.2. "Authorised User" shall mean an individual user for whom a user license has been purchased
by Subscriber pursuant to the terms of the Invoice and this Agreement, and to whom unique
user credentials have been given to access On-Demand Services. Authorised Users may
include employees, individual contractors or consultants of Subscriber or Subscriber's
Affiliates or third party service providers.
1.3. "Confidential Information" shall mean all information disclosed by a party ("Disclosing Party")
to the other party ("Receiving Party"), whether orally or in writing, that is designated as
confidential or that reasonably should be understood to be confidential given the nature of
the information and the circumstances of disclosure. Zoho's Confidential Information shall
include the terms of this Agreement and all Invoices (including all non-public pricing
information). Confidential Information of each party shall include the business and marketing
plans, technology and technical information, product plans and designs, and business
processes disclosed by such party. However, Confidential Information shall not include any
information that (i) is or becomes generally known to the public without breach of obligation
owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by
the Disclosing Party without breach of any obligation to the Disclosing Party, (iii) is received
from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was
independently developed by the Receiving Party without the use of Disclosing Party's
Confidential Information.
1.4. "Documentation" shall mean the user manuals and documentation(s), whether in written or
electronic form, provided by Zoho to the Subscriber from time to time detailing the features,
functionalities and operation of On-Demand Services.
1.5. "Deprecation" shall mean and include deprecation, discontinuation, or backward incompatible
change to any of (i) the On-Demand Services, (ii) features or functionality within On-Demand
Services, or (iii) Zoho Service APIs.
Zoho Confidential MSAJan2024 Page 11
1.6. "Non-On-Demand Services" shall mean third party applications (including third party
applications accessed from Zoho Marketplace), services, software, networks, systems,
websites or databases that are integrated with On-Demand Services to interoperate with
On-Demand Services.
1.7. "Invoice" shall mean the document evidencing a subscription to On-Demand Services that
specifies the name of the On-Demand Services subscribed, subscription plan, Subscription
Period, number of user licenses purchased and applicable fees.
1.8. "Subscriber Data" shall mean electronic data and information submitted to and stored within
the On-Demand Services by the Subscriber or an Authorized User as a result of Subscriber's
or Authorised User's use of the On-Demand Services.
1.9. "Subscription Fees" shall mean the fees paid by Subscriber specifically for the Subscription
Period, excluding any other fees or charges listed on the applicable Invoices or related to
Non-On-Demand Services.
1.10. "Subscription Period(s)" shall mean, in respect of each of the On-Demand Services, the
duration of validity of each fee-based subscription plan purchased by Subscriber.
1.11. "Usage Limits" shall mean the limits on use of each of the On-Demand Services
corresponding to the fee-based subscription plan purchased by the Subscriber.
1.12. "Taxes" shall mean all taxes, duties, levies, imposts, fines or similar governmental
assessments, including sales and use taxes, value-added taxes, goods and services taxes,
excise, business, service, and other similar transactional taxes imposed by any local, state,
provincial or foreign jurisdiction and include the interest and penalties thereon.
1.13. "Terms of Service" shall mean the terms and conditions available at
https://ondemand.manageengine.com/terms.html and any additional terms and conditions,
for access and use of On-Demand Services, as modified from time to time.
1.14. "Zoho Marketplace" shall mean the online marketplace for applications that are designed to
interoperate with On-Demand Services.
1.15. "On-Demand Service(s)" shall mean one or more of the Zoho hosted software services listed
in Exhibit E that are purchased by the Subscriber under an Invoice or online purchasing
portal, including additional downloadable or mobile applications.
2. Use of the On-Demand Services, Restrictions and Responsibilities.
2.1. Rights Granted. Subject to the terms and conditions of this Agreement, Zoho will make the
On-Demand Services available to Subscribers for the Subscription Period as set out in the
Invoice. Zoho grants Subscriber a non-exclusive, non-transferable right and limited license to
access, use and, where applicable, download the On-Demand Services during such
Subscription Period for Subscriber's internal business purposes. If the Subscriber exceeds
the Usage Limits of the On-Demand Services or functionalities within On-Demand Services,
Subscriber may purchase additional quantities of the On-Demand Services by making
payment(s) for such excess usage.
2.2. Usage Restrictions. Subscriber shall not and shall not permit its Authorised Users to:
2.2.1. copy, modify, create derivative works or otherwise attempt to gain unauthorised access to
the On-Demand Services.
2.2.2. except as permitted under applicable law, attempt to disassemble, reverse engineer
or decompile On-Demand Services.
2.2.3. use On-Demand Services on behalf of any third party or include On-Demand Services as
part of service bureau or provide any business process service.
2.2.4. use On-Demand Services in any manner that interferes with or disrupts the integrity,
security or performance of the On-Demand Services, its components and the data contained
therein.
2.2.5. sell, resell, license, sublicense, rent, lease, transfer, assign or otherwise make On-Demand
Services available to any third-party without an Authorised User subscription.
2.2.6. use On-Demand Services to send or store material containing software viruses, worms or
other harmful computer codes, files, scripts or programs.
2.2.7. use On-Demand Services to store or transmit any material that is unlawful, abusive,
malicious, harassing, tortious, defamatory, vulgar, obscene, libellous, or violates any third
party rights.
2.2.8. permit direct or indirect access to or use of On-Demand Services in a way that circumvents
the Usage Limits.
2.2.9. use On-Demand Services in any manner that could damage, disable, overburden, impair or
harm any server, network, computer system, or resource of Zoho.
2.2.10. allow Authorised User licenses to be shared or used by more than one individual other
than by way of reassigning the user license to a new user.
2.2.11. remove or obscure any proprietary or other notices contained in the On-Demand Services.
2.2.12. attempt to gain unauthorized access to the On-Demand Services (including features and
functionality) or its related systems or network.
2.2.13. use On-Demand Services for any form of competitive or benchmarking purposes.
2.3. Subscriber Responsibilities. Subscriber shall be responsible for (i) providing accurate,
current and complete information regarding the Subscriber in connection with Subscriber's
access and use of On-Demand Services; (ii) Authorized Users' compliance with the
Agreement, Documentation and Invoice; (iii) accuracy, quality and legality of the Subscriber
Data; (iv) means by which the Subscriber Data was acquired and Subscriber's use of the
Subscriber Data; (v) using commercially reasonable efforts to prevent unauthorised access to
or use of On-Demand Services; (vi) using the On-Demand Services in accordance with this
Agreement, Documentation and Invoice; (vii) all activities that occur under Subscriber's
account; (viii) compliance with all applicable laws and regulations; and (ix) compliance with
the terms applicable to the use of Non-On-Demand Services.
3. Fees and Payments.
3.1. Fees: Subscriber will pay to Zoho, without any deductions, the fees set forth in the applicable
Invoice. Except as otherwise specified in the Agreement, all payment obligations are
non-cancellable and all amounts paid are non-refundable whether or not the On-Demand Services
are actively being used. Additional charges will apply for additional purchases or usage in
excess of the purchased subscription(s). All pricing terms are confidential and Subscriber
agrees not to disclose them to any third party without Zoho's prior written authorization.
3.2. Invoicing and Payment: Payments for Subscription Period of less than one (1) year shall be
made through Zoho's online store using a credit card. Other payment options are available to
Subscriber only if the Subscription Period is equal to or greater than one (1) year. The
Subscription Period will commence only upon receipt of payment or a purchase order
acceptable to Zoho. Subscriber shall be responsible for providing complete and accurate
payment information to Zoho. Subscriber shall promptly update any change in the billing
information. If a purchase order raised by the Subscriber is accepted by Zoho, the payment
must be made by the Subscriber within fifteen (15) days from the receipt of an accurate
Invoice by email, unless otherwise stated in the Invoice.
3.3. Overdue Payments. Undisputed overdue payments shall bear interest at the rate of one (1)%
per month or the maximum rate allowed under applicable law. Subscriber acknowledges and
accepts that non-payment of any undisputed fees within the term defined in the applicable
Invoice constitutes a material breach of this Agreement and that Zoho shall have the right to:
(i) downgrade Subscriber's account to the free plan of the applicable On-Demand Service
until all such due and undisputed amounts and applicable interests, if any, have been paid;
and/or (ii) terminate the Agreement as specified under Section 12.2.
3.4. Payment Disputes: In the event Subscriber has any disputes with regard to the invoice raised
by Zoho, then the Subscriber shall raise the same within five (5) business days from the date
of receipt of invoice. Subscriber shall not be considered to have defaulted on Subscriber's
payment obligations under this Section, if the Subscriber (i) has disputed the fees in good
faith in accordance with Section 3.4 and is co-operating diligently to resolve the dispute; and
(ii) remits payment for any undisputed amounts in a timely manner.
3.5. Taxes: Subscriber shall be responsible for paying the Taxes in addition to the fees applicable
for On-Demand Services as specified in the Invoice. If the Subscriber is withholding Taxes,
Subscriber shall pay the withholding Tax directly to the appropriate government entity and
shall furnish a tax certificate to Zoho evidencing such payment.
3.6. Pricing: Zoho reserves the right to unilaterally determine and modify its pricing for
On-Demand Services. Where an Invoice is in effect, the pricing for the On-Demand Services shall
remain as agreed for the term specified in such Invoice.
4. Availability and Technical Support.
4.1. Service Availability. Zoho will make On-Demand Services available to the Subscriber pursuant
to the terms of this Agreement, applicable Invoice and Documentation. Zoho shall use
commercially reasonable efforts to make the On-Demand Services available 24 hours a day, 7
days a week and honour the Monthly Uptime Commitment as set forth in Exhibit A, except
during: (i) Scheduled Downtime, and (ii) Force Majeure Events.
4.2. Support. Zoho's support commitments offered in the form of classic, premium and
enterprise support are specified in Exhibit B. Zoho undertakes to respond and resolve Service
Defects reported by Subscriber according to the timeframe specified in Exhibit B.
5. Privacy and Security.
5.1. Privacy. Zoho's processing of Personal Information will, at all times, be compliant with Exhibit D
of this Agreement. Exhibit D explains how Zoho will, (i) process Personal Information; (ii) use
third party service providers who process Personal Information on Zoho's behalf; (iii) assist
Subscriber to handle data subject requests; (iv) handle Security Incidents; (v) accommodate
an audit request from Subscriber; (vi) ensure that its personnel maintain confidentiality and
security of Personal Information; and (vii) handle return or deletion of Personal Information.
5.2. Security. Zoho has implemented and will maintain industry-standard administrative,
technical, and physical safeguards to reasonably protect the security, confidentiality and
integrity of the Subscriber Data as described in Exhibit C of this Agreement. Zoho will
periodically review and update its security practices to address new and evolving security
threats and to implement evolving security technologies and industry standard practices.
Zoho warrants that no modification to the security practices will materially degrade the
security of On-Demand Services.
6. Non-On-Demand Services
6.1. From time to time, Zoho and/or third parties may make available certain Non-On-Demand
Services. If the Subscriber chooses to enable, access or use Non-On-Demand Services,
Subscriber's access and use of the Non-On-Demand Services shall be governed solely by the
terms and conditions applicable to the use of such Non-On-Demand Services. Subscriber shall
be responsible for reviewing and accepting such terms and conditions before accessing or
using the Non-On-Demand Services.
6.2. Zoho does not endorse or support, and makes no representations with respect to any aspect
of such Non-On-Demand Services. Zoho shall not be liable for any damage or loss (including
damage or loss of Subscriber Data) caused or alleged to be caused in connection with
Subscriber's access or use of such Non-On-Demand Services.
6.3. Zoho cannot guarantee the continued availability of Non-On-Demand Services. Similarly, Zoho
cannot guarantee the continued availability of certain features within On-Demand Services
that are designed to interoperate with the Non-On-Demand Services.
7. Proprietary Rights and Licenses
7.1. Reservation of Intellectual Property Rights. As between the parties to this Agreement, Zoho
retains all the rights, title and interest in and to the On-Demand Services and Documentation,
including all related intellectual property rights. Except as expressly stated herein, this
Agreement does not grant any additional rights or licenses to the Subscriber in the
On-Demand Services or in any intellectual property rights of Zoho.
7.2. License to use Suggestion and Feedback. Subscriber grants to Zoho a fully paid-up, royalty
free, worldwide, sub-licensable, assignable, irrevocable and perpetual license to use and
incorporate into the On-Demand Services any idea, suggestion for enhancement,
recommendation, correction or other feedback provided by Subscriber to Zoho in connection
with such Subscriber's use of the On-Demand Services.
8. Confidentiality
8.1. Confidentiality Obligations. Except as otherwise permitted in writing by the Disclosing Party,
the Receiving Party shall (i) use the same degree of care that it uses to protect the
confidentiality of its own confidential information of like kind (but in no event less than
reasonable care) not to disclose or use any Confidential Information of the Disclosing Party
for any purpose outside the scope of this Agreement, and (ii) limit access to Confidential
Information of the Disclosing Party to those of its employees, contractors and agents who
need such access for the purposes consistent with this Agreement and who have signed
confidentiality agreements with the Receiving Party containing protections no less stringent
than those contained herein. Any exchange of Confidential Information prior to the execution
of this Agreement shall continue to be governed by any non-disclosure agreement executed
by and between the parties and not the terms of this Agreement. All copies of Confidential
Information, regardless of form, shall, at the discretion of the Disclosing Party, either be
destroyed or returned to the Disclosing Party, promptly upon the earlier of: (i) Disclosing
Party's written request, or (ii) expiration or termination of this Agreement for any reason.
8.2. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the
Disclosing Party (i) as necessary to comply with an order or subpoena of any administrative
agency or court of competent jurisdiction; or (ii) as reasonably necessary to comply with any
applicable law or regulation; or (iii) as necessary to establish the rights of the Receiving Party,
provided the Receiving Party gives the Disclosing Party prior notice of the compelled
disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing
Party's cost, if the Disclosing Party wishes to contest the disclosure. Any such disclosure
shall be limited to only what is required and shall be subject to the confidentiality obligations
to the extent reasonably practicable.
9. Representations, Warranties and Disclaimers
9.1. Mutual Representation. Each party represents and warrants to the other party that it is duly
organized and validly existing under the laws of the state of its incorporation and has full
corporate power and authority, and is duly authorized, to enter into the Agreement and to
carry out the provisions thereof.
9.2. Warranty by Zoho. Zoho warrants that during an applicable Subscription Period (i)
On-Demand Services will perform materially in accordance with the Documentation when
Subscriber uses the On-Demand Services in accordance with such Documentation; (ii) Zoho
will, at a minimum, implement administrative, physical, and technical safeguards for
protection of the security, confidentiality and integrity of Subscriber Data, as set forth in
Exhibit C of this Agreement; (iii) subject to the "Non-On-Demand Services" Section and except
in case of deprecation (as explained below), Zoho will not materially decrease the overall
functionality of the On-Demand Services. In case of any breach of warranty listed in this
Section, the Subscriber shall be entitled to sole and exclusive remedies against Zoho as
described in Sections 12.2. and 12.3. of this Agreement.
9.3. Deprecation. Zoho will announce Deprecations at least three months before such
Deprecations are effective ("Deprecation Period") and suggest alternate solution(s), wherever
applicable. Subscriber may terminate this Agreement with immediate effect during the
Deprecation Period and be entitled to refund of subscription fee proportionate to the unused
portion of the Subscription Period. Zoho also warrants that, upon request, Subscriber will be
provided complete export of data in order to facilitate migration.
9.4. Warranty Disclaimer. SUBSCRIBER UNDERSTANDS AND AGREES THAT THE USE OF THE
ON-DEMAND SERVICES IS AT SUBSCRIBER'S SOLE RISK. EXCEPT AS EXPRESSLY PROVIDED
HEREIN, ON-DEMAND SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS,
WITHOUT ANY WARRANTIES OF ANY KIND. EXCEPT FOR WARRANTIES SPECIFIED IN THIS
AGREEMENT, ZOHO DISCLAIMS WARRANTIES OF ALL KINDS, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR
PURPOSE, AND NON-INFRINGEMENT. ZOHO FURTHER DISCLAIMS WARRANTIES THAT
ON-DEMAND SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE OR FREE
FROM VIRUSES OR OTHER MALICIOUS SOFTWARE. NO ADVICE OR INFORMATION
OBTAINED BY SUBSCRIBER FROM ZOHO OR FROM ANY THIRD PARTY SHALL CREATE ANY
WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT. THE FOREGOING EXCLUSIONS
AND LIMITATIONS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, EVEN IF REMEDY FAILS ITS ESSENTIAL PURPOSE.
9.5. Disclaimer with respect to Professional Services provided by Partners and Third Parties. In
the event that Subscriber avails professional services which include but are not limited to
implementation, integration, optimization or customization of On-Demand Services from third
parties including consulting partners listed on Zoho's website ("Third Party Service
Providers"), Zoho shall in no way be liable for the acts and omissions of such Third Party
Service Providers.
10. Indemnification
10.1. Indemnification by Zoho.
10.1.1. Indemnification. Zoho shall defend Subscriber against any claim, demand, suit or
proceeding made or brought by third party against Subscriber alleging that
On-Demand Services infringe or misappropriate the intellectual property rights of a third
party by reason of Subscriber's use of On-Demand Services as permitted hereunder
("Claim"), and shall indemnify Subscriber from any damages finally awarded against,
and for reasonable attorney's fees incurred by Subscriber in connection with any such
Claim; provided, that Subscriber (a) promptly gives Zoho written notice of the Claim;
(b) gives Zoho sole and exclusive control and authority to select defense attorney(s),
and defend and/or settle such Claim (provided that Zoho shall not settle any Claim
unless the settlement unconditionally releases Subscriber of all liability); and (c)
provide to Zoho all reasonable assistance, at Zoho's expense.
10.1.2. Upon notice of a Claim, or if in Zoho's opinion such a Claim is likely, in addition to its
obligations under Section 10.1.1, Zoho has the right, at no cost to Subscriber, to: (i)
replace or modify On-Demand Services so that they are non-infringing, (ii) obtain
appropriate license for Subscriber's continued use of the On-Demand Services in
accordance with the terms of this Agreement, or (iii) if in Zoho's sole discretion,
neither option (i) or (ii) is commercially reasonable or practicable, terminate the
Subscriber's subscription to the On-Demand Services upon 30 days' written notice
and refund Subscriber any prepaid fees covering the remainder of the Subscription
Period. Sections 10.1.1 and 10.1.2 set out Zoho's entire obligation and liability, and
Subscriber's sole and exclusive remedy, with respect to third party intellectual
property infringement claims.
10.1.3. Exclusions. Notwithstanding the foregoing, Zoho shall not be liable and shall have no
obligation for any Claim when (i) On-Demand Services are modified by Subscriber or
by anyone authorised or engaged by Subscriber; (ii) Claim against the Subscriber
arises from the use or combination of the On-Demand Services or any part thereof
with software, program or components not provided by Zoho; (iii) On-Demand
Services are used in a manner that breaches this Agreement; (iv) On-Demand
Services are not used in accordance with the applicable Documentation; or (v) Claim
against the Subscriber arises wholly or partly from Non-On-Demand Services.
10.2. Indemnification by Subscriber. Subscriber shall defend Zoho against any claim made or
brought against Zoho by a third party alleging that (i) Subscriber's use of the On-Demand
Services is in violation of the Agreement, or (ii) Subscriber's use of Subscriber Data along
with the On-Demand Services infringes or misappropriates the intellectual property rights of a
third party or violates applicable law, and shall indemnify Zoho for any damages finally
awarded against, and for reasonable attorney's fees incurred by Zoho in connection with any
such claim; provided, that Zoho (a) promptly gives Subscriber written notice of the claim; (b)
gives Subscriber sole and exclusive control to select defense attorney(s), and defend and/or
settle such claim (provided that Subscriber shall not settle any claim unless the settlement
unconditionally releases Zoho of all liability); and (c) provides to Subscriber all reasonable
assistance, at Subscriber's expense. This indemnification obligation of the Subscriber does
not apply to the Subscriber if a claim arises on account of Zoho's breach of this Agreement,
Documentation or applicable Invoice.
11. Limitation of Liability.
11.1. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT, CONTRACT,
PRODUCT LIABILITY, NEGLIGENCE OR OTHERWISE, SHALL EITHER PARTY OR ITS
AFFILIATES BE LIABLE TO THE OTHER PARTY OR ANY OTHER AFFILIATE OR THIRD PARTY
FOR ANY LOST PROFITS, LOST SALES OR LOST REVENUE, LOSS OF DATA (THROUGH NO
FAULT OF ZOHO), BUSINESS INTERRUPTION, LOSS OF GOODWILL OR FOR ANY INDIRECT,
SPECIAL, INCIDENTAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE DAMAGES, EVEN IF A
PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EXCEPT AS SPECIFIED UNDER SECTIONS 11.2, 11.3, INDEMNIFICATION OBLIGATIONS
UNDER CLAUSE 10 AND PARTIES' GROSS NEGLIGENCE, IN NO EVENT SHALL THE LIABILITY
OF EITHER PARTY TO THE OTHER PARTY OR ITS AFFILIATES, FOR ANY CLAIM OR ACTION
ARISING OUT OF THIS AGREEMENT, EXCEED THE AGGREGATE OF ALL AMOUNTS PAID BY
THE SUBSCRIBER TO ZOHO IN THE TWELVE (12) MONTHS PRECEDING THE FIRST EVENT
GIVING RISE TO SUCH CLAIM OR ACTION. THE LIMITATIONS SPECIFIED HEREIN WILL NOT
LIMIT SUBSCRIBER'S OBLIGATION TO PAY FEES IN ACCORDANCE WITH THIS AGREEMENT.
FOR THE PURPOSE OF THIS CLAUSE, GROSS NEGLIGENCE SHALL MEAN A CONSCIOUS
AND VOLUNTARY DISREGARD OF THE NEED TO USE REASONABLE CARE, WHICH IS LIKELY
TO CAUSE FORESEEABLE LOSS, DAMAGES TO SUBSCRIBER OR GRAVE INJURY OR HARM
TO PERSONS.
11.2. MULTI-YEAR CONTRACT. IF THE SUBSCRIBER ENTERS INTO A MULTI-YEAR CONTRACT
AND PAYS THE ENTIRE SUBSCRIPTION FEES UPFRONT, ZOHO'S LIABILITY WILL BE LIMITED
TO THE AMOUNT APPORTIONED FOR THE LAST TWELVE (12) MONTHS PRECEDING THE
FIRST EVENT GIVING RISE TO THE CLAIM, PROVIDED THAT THE CLAIM ARISES AFTER
TWELVE (12) MONTHS FROM THE DATE OF SIGNING THE AGREEMENT. ZOHO'S LIABILITY
FOR CLAIMS THAT ARISE WITHIN THE FIRST TWELVE (12) MONTHS OF THE SUBSCRIPTION
PERIOD WILL BE LIMITED TO THE PREPAID LICENSE FEES APPORTIONED FOR THE
SUBSCRIBER'S USE OF THE SERVICES DURING THAT PERIOD.
11.3. ZOHO PARTNER SUBSCRIPTIONS. FOR SUBSCRIPTIONS MADE THROUGH A ZOHO
AUTHORIZED PARTNER, ZOHO'S LIABILITY SHALL BE LIMITED TO THE SUBSCRIPTION FEES
PAID BY THE SUBSCRIBER TO THE PARTNER DURING THE TWELVE (12) MONTHS
PRECEDING THE FIRST EVENT GIVING RISE TO SUCH CLAIM OR ACTION, PROVIDED THAT
SUCH PAYMENTS WERE DULY RECEIVED BY ZOHO FROM THE PARTNER. ZOHO'S LIABILITY
DOES NOT EXTEND TO ANY OTHER FEES OR CHARGES ASSOCIATED WITH THE PARTNER'S
SERVICES OR ANY NON-ON-DEMAND SERVICES.
12. Term and Termination.
12.1. Term. The term of this Agreement shall commence on the Effective Date and shall thereafter
continue for the duration of the Subscription Period of the relevant Invoice, unless terminated
in accordance with the provisions of this Section. Except as otherwise specified in the
Agreement or Invoice, subscriptions will automatically renew for additional terms equivalent
to the expiring Subscription Period.
12.2. Termination. A party may terminate this Agreement for cause: (i) upon 30 days written
notice to the other party of a material breach if such breach remains uncured at the expiration
of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any
other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit
of the creditors.
12.3. Refund. Upon termination for cause by Subscriber, Zoho shall refund Subscriber any prepaid
fees covering the unused portion of the Subscription Period. Upon any termination for cause
by Zoho, Subscriber shall expedite all payments due to Zoho and in no event will termination
of this Agreement relieve Subscriber of its obligation to pay any fees due to
Zoho. Notwithstanding anything contained herein, in the event Subscriber terminates the
Agreement except as mentioned in Section 12.2 of the Agreement, Zoho is under no
obligation to refund the fees paid by the Subscriber.
12.4. Export of Subscriber Data. Upon termination of the Agreement, Zoho will make all Subscriber
Data available to Subscriber for electronic retrieval for a period of thirty (30) days in a suitable
format supported by On-Demand Services, after which Zoho may permanently and
irrevocably destroy all Subscriber Data in its possession or control.
12.5. Surviving Provisions. Sections "Confidentiality," "Fees and Payments," "Warranty Disclaimers,"
"Limitation of Liability," "Indemnification," "Termination," "Surviving Provisions" and "General"
shall survive termination of this Agreement.
13. General.
13.1. Applicability of Terms of Service. Subscriber understands that, in addition to the terms of
this Agreement, Zoho's Terms of Service will apply to Subscriber's access and use of the
On-Demand Services. In the event of any conflict between this Agreement and the Terms of
Service, the terms of this Agreement shall prevail.
13.2. Entire Agreement. This Agreement, including the Exhibits attached hereto and the Terms of
Service, constitute the entire agreement between the parties with respect to the subject
matter of this Agreement and supersedes any and all prior and contemporaneous
agreements, negotiations, correspondence, understandings and communications between
the parties, whether written or oral, concerning the subject matter hereof.
13.3. Amendment. No changes, modifications or amendment of any nature made to this
Agreement shall be valid unless evidenced in writing and signed for and on behalf of both
parties by the respective authorized representatives.
13.4. Governing Law and Jurisdiction. This Agreement shall be governed by and construed strictly
in accordance with the laws of the state of California (excluding the rules governing conflict
of laws). Any dispute arising out of or resulting from this Agreement shall be subject to the
exclusive jurisdiction of courts in LA County to the exclusion of all other courts.
13.5. Notices. All notices required under this Agreement shall be in writing and shall be sent to the
respective address set forth below. Any such notice may be delivered by hand, by overnight
courier, by registered post or certified mail with return receipt requested, by facsimile
transmission, or by electronic mail to the person to whom such notice is to be sent as per the
terms of this Agreement. Such notice shall be deemed to have been received: (i) by hand
delivery, at the time of delivery; (ii) by overnight courier, on the succeeding business day; (iii)
by registered post or certified mail, on the date marked in proof of receipt; (iv) by facsimile,
immediately upon confirmation of transmission, provided a confirmatory copy is sent by first
class pre-paid or overnight courier or by hand by the end of the next business day; and (v) by
electronic mail, when sent. All notices shall be sent to:

If to Zoho:
Legal Team
Zoho Corporation,
4141 Hacienda Drive,
Pleasanton, CA 94588

If to Subscriber:
Todd Selby - Acting ITSD Director
310.524.2375 - Tselby@elsegundo.org
City of El Segundo, 350 Main St.
El Segundo, CA 90245
13.6. Federal Government End Use. If the Subscriber is a U.S. federal government department or
agency, or an entity contracting on behalf of such agency ("Federal Government"), On-Demand
Services, including its related software and technology, are licensed to the
Subscriber with only those rights provided under the terms of this Agreement. If the Federal
Government needs additional rights that are not conveyed under this Agreement, it must
negotiate a mutually acceptable written addendum to this Agreement specifically granting
those rights.
13.7. Relationship of the Parties. The parties are independent contractors. This Agreement does
not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship
between the parties. Neither party shall have the power to bind the other or incur obligations
on the other party's behalf without the other party's written consent.
13.8. Assignment. Neither party may assign, delegate, or otherwise transfer this Agreement or any
of its rights or obligations hereunder to a third party without the other party's prior written
consent, which consent shall not be unreasonably withheld, conditioned or delayed.
Notwithstanding the foregoing, either party may assign this Agreement in its entirety
(including all Invoices), without the other party's consent to: (i) its Affiliate; (ii) any entity
which acquires all or substantially all of its capital stock or assets related to this Agreement
through purchase, merger, consolidation, or otherwise. Any assignment in violation of the
foregoing shall be void.
13.9. No Third Party Beneficiaries. The provisions of this Agreement shall be binding and inure
solely to the benefit of the parties, their successors, and permitted assigns. Nothing herein,
whether express or implied, will confer any right, benefit or remedy upon any person or entity
other than the parties, their successors and permitted assigns.
13.10. Force Majeure.
13.10.1. Force Majeure Event. Neither party shall be responsible to the other party, nor
be deemed to have breached this Agreement, for any failure or delay in fulfilling or
performing any term of this Agreement, when and to the extent such failure or delay
is caused by or results from acts beyond the affected party's reasonable control,
including without limitation an act of God; act of war, hostility, or sabotage; pandemic;
strikes, lock-outs or other industrial disputes; act of government; electrical, internet,
or telecommunication outage that is not caused by the affected party; natural
disasters or extreme adverse weather conditions (each a "Force Majeure Event").
13.10.2. Notice. Both parties shall use reasonable efforts to mitigate against the
effects of such Force Majeure Event. If the effects of the Force Majeure Event
continue unmitigated for more than 30 days, either party may terminate this
Agreement and/or any Invoice, upon prior written notice to the other party.
13.11. Severability. If any provision in this Agreement is held by a court of competent jurisdiction to
be unenforceable, such provision shall be modified by the court and interpreted so as to best
accomplish the original provision to the fullest extent permitted by law, and the remaining
provisions of this Agreement shall remain in effect.
13.12. Waiver. No failure or delay in exercising any right under this Agreement will constitute a
waiver of that right. Any waiver of any obligation arising out of this Agreement shall not take
effect unless agreed to in writing by both the parties to the Agreement.
13.13. Interpretation. No provision of this Agreement shall be construed against one party by
reason of being deemed the "author" of the Agreement. The headings used in this Agreement
are for convenience only and shall not affect the interpretation of the terms of this
Agreement.
13.14. Insurance. Zoho at its own expense will maintain Commercial general liability insurance with
a limit of $1,000,000 per claim and annual aggregate to secure its obligations and potential
liabilities pursuant to the services provided by it under this Agreement. Upon the Subscriber's
written request, Zoho shall have issued a Certificate of Insurance evidencing the coverage
above and showing that The City of El Segundo, its elected and appointed officials,
employees, and volunteers are included as Additional Insured.
IN WITNESS WHEREOF, THE PARTIES HAVE CAUSED THIS AGREEMENT TO BE EXECUTED BY THEIR
RESPECTIVE DULY AUTHORIZED OFFICERS AS OF THE DATE FIRST WRITTEN ABOVE.
Zoho Corporation
Division: ManageEngine
Sign:
Name: Tony Thomas
Title: Director
Date: 13-A r-2026

Subscriber
Sign:
Name: Todd Selby
Title: Interim IT Director
Date:

Sign:
Name: Susan Truax
Title: City Clerk
Date:

Sign:
Name: David King
Title: Assistant City Attorney
Date:

Title: Risk Management
Date:
Exhibit A
SERVICE LEVEL TERMS AND CONDITIONS
"Downtime" shall mean inability to access On-Demand Services due to a Qualifying Fault. Downtime is
measured based on availability of the individual On-Demand Services as measured by Zoho's application
monitoring tool.
"Qualifying Fault" shall mean and include server side errors and reachability errors attributable to On-Demand
Services.
"Downtime Period" shall mean ten or more consecutive minutes of Downtime. Intermittent Downtime for
a period of less than ten minutes will not be counted towards any Downtime Periods.
"Monthly Uptime" shall mean total number of minutes in a calendar month minus the number of minutes
of Downtime suffered from all Downtime Periods in a calendar month.
"Monthly Uptime Percentage" shall mean the percentage calculated by dividing Monthly Uptime by the
total number of minutes in a calendar month.
"Scheduled Downtime" shall mean unavailability of On-Demand Services about which Subscriber is
informed at least forty eight (48) hours in advance. A Scheduled Downtime will not constitute a Qualifying
Fault.
"Service Credit" shall mean days added to the end of the Subscription Period at no additional cost as
compensation for Zoho's failure to meet the monthly uptime commitment.
Planning of Scheduled Downtime. Zoho will ensure that Scheduled Downtime is planned on weekends
between 9:00 pm to 6:00 am (Pacific Time in the United States).
Monthly Uptime Commitment. On-Demand Services will have a Monthly Uptime Percentage of 99.9%.
Calculation of Service Credit:
Uptime | Compensation for Downtime (No. of Days of Service Credit)
99.5% to 99.9% | 7
99% to 99.5% | 15
<99% | 30
Request for Service Credit. In order to receive any of the Service Credits described above, Subscriber
must notify Zoho within thirty (30) days from the time Subscriber becomes eligible to receive a Service
Credit. Failure to comply with this requirement will result in forfeiture of Subscriber's right to receive a
Service Credit.
Maximum Service Credit. The aggregate maximum number of Service Credits to be issued by Zoho to
Subscriber for any and all Downtime Periods that occur in a single calendar month shall not exceed thirty
days of Service added to the end of subscription term. Service Credits may not be exchanged for, or
converted to, monetary compensation.
Sole and Exclusive Remedy. Subscriber's sole and exclusive remedy for Zoho's failure to meet the uptime
commitment is to receive Service Credit.
SLA Exclusions. The SLA does not apply to any performance and availability issues: (i) caused by factors
outside of Zoho's reasonable control; (ii) that resulted from any actions or inactions of Subscriber; or (iii)
that resulted from Subscriber's equipment and/or third party equipment that are not within Zoho's
reasonable control. It is hereby clarified that performance and availability issues caused by factors within
Zoho's control and attributable to Zoho or its vendors are not excluded.
Exhibit B
SUPPORT TERMS AND CONDITIONS
Severity Level 1: The On-Demand Service does not function without a fix being applied and the problem
has significant effect on the revenues or business operations of Subscriber.
Severity Level 2: The On-Demand Service can function. However, the On-Demand Service functions
providing incorrect results or its performance is inconsistent with the performance described in the
Documentation.
Severity Level 3: The functionality of the On-Demand Service is not affected by the problem or can be
achieved by using other features of the On-Demand Service.
Response, Problem Determination and Resolution/Restoration/Work-around Timeframe
Severity Level | Acknowledgement | Problem Determination | Resolution/Restoration
1 | 6 hours | 24 hours | 48 hours
2 | 15 hours | 3 days | 8 days
3 | 24 hours | 7 days | 14 days
Exhibit C
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Zoho has established, and will maintain at a minimum, an information security management system
that includes the following:
Security Governance
1. A governance framework that supports relevant aspects of information security through
appropriate policies and standards.
2. Formal documentation of the roles and responsibilities of employees with respect to
governance of Information Security within Zoho that are communicated by the management to
employees.
3. An information security program in accordance with the international standard ISO 27001 that
includes technical, organizational and physical security measures in order to protect Personal
Information against accidental loss, destruction or alteration, unauthorized disclosure or
access, or unlawful destruction.
4. Formally documented information security policy, data privacy policy and other policies that are
communicated periodically to employees responsible for the design, implementation and
maintenance of security and privacy controls. The policies will be reviewed annually to keep
them up-to-date.
5. Compliance with industry standard security measures as described at
https://www.zoho.com/compliance.html.
Risk Management
1. Annual risk assessment, to prioritize mitigation of identified risks.
2. Established internal audit requirements and periodical audits on information systems and
processes at planned intervals.
3. Assessment of the design and operating effectiveness of controls against the established
control framework through which corrective actions related to identified deficiencies will be
tracked to resolution.
Human Resources Security
1. Background verification of all employees having access to confidential data that includes
verification of criminal records, previous employment records if any, and educational
background.
2. Signing of confidentiality agreement and acceptable use policy by employees upon their
employment with clauses on protection of confidential information.
3. Training on security and privacy awareness including training on Zoho's policies, standards and
relevant technologies along with maintenance and retention of training completion records.
4. Employees will be required to adhere to the information security policies and procedures.
Disciplinary process for non adherence will be defined and communicated.
Identity and Access management of Zoho Personnel
1. Creation of unique identifiers for employees to access information systems and prohibition of
sharing user accounts among employees.
2. User authentication to information systems protected by passwords that meet Zoho's
password policy requirements derived based on NIST SP 800-63B standards.
3. Strong password configurations that include i) 8 character minimum length; ii) non dictionary
words and iii) screening of passwords against list of known compromised passwords.
4. Mandatory Two factor authentication for access to information systems involving confidential
data.
5. Secure remote access to the corporate network provisioned via SSL VPN with strong encryption
and two factor authentication.
6. Adherence to the principles of least privilege and need-to-know and need-to-use basis for
access control.
7. Approval mechanism from appropriate personnel to provide access to information systems.
8. Revocation of access that is no longer required in the event of termination or role change.
9. Recording of approval, assignment, alteration and withdrawal of access rights.
10. User access reviews on a half yearly basis and corrective actions whenever necessary.
11. Restrictions on administrative access to Personal Information and provision of access on a
strictly need-to-know basis along with implementation of access-control measures such as
mandatory two factor authentication.
Asset Management
1. Inventory maintenance of assets associated with information processing. Owners are assigned
for each asset and rules for acceptable use of assets are defined. Assets assigned to
employees are returned in the event of termination or role change.
2. Capacity management policies through which resources are continuously monitored and
projections are made for future requirements.
3. Determined procedures in accordance with industry best practices for the reuse, secure
disposal and destruction of electronic media to ensure that the data is rendered unreadable
and unrecoverable.
4. Disposal of unusable devices by verified and authorized vendors which includes storing of such
devices in a secure location until disposal, formatting any information contained in the devices
before disposal, degaussing and physical destruction of failed hard drives using shredder and
crypto-erasing and shredding of failed SSDs.
Physical Security
1. Physical access to Zoho's data center is highly restricted and requires prior management
approval. The data centers are housed in facilities that require electronic card key access.
Additional two-factor authentication and biometric authentication are required to enter the data
center premises and there is continuous monitoring of CCTV cameras and alarm systems.
2. Control of physical access to Zoho's development facilities using access cards and monitoring
by security personnel.
3. Installation of CCTV cameras and review of access logs and CCTV footage in case of any
incidents.
4. Defined visitor management process to authorize visitor entries and maintenance of access
records of visitors.
5. Revocation of physical access to employees in the event of termination of employment or role
change.
Network Security and Operations
1. A dedicated Network Operations Center (NOC), which operates 24x7 monitoring the
infrastructure health.
2. Establishment and implementation of firewall rules in accordance to identified security
requirements and business justifications.
3. Review of firewall rules on a quarterly basis to ensure that legacy rules are removed and active
rules are configured correctly.
4. Establishment and maintenance of appropriate network segmentation, that includes use of
virtual local area networks (VLANs) where appropriate, to restrict access to systems storing
confidential data with a data storage layer that is designed to be not directly accessible from
the Internet.
5. Clear separation of production, development and integration environments to ensure that
production data is not replicated or used in non-production environments for testing purposes.
6. Management of access to production environments by a central directory and authentication for
such access using a combination of strong passwords, two-factor authentication, and
passphrase-protected SSH keys. Access to the production environment is facilitated through a
separate network with strict rules.
7. Deployment of DDoS mitigation capabilities from well established service providers to prevent
volumetric attacks and to keep the applications available and performing.
Secure Software Development
1. Well defined security process that is implemented and monitored throughout the SDLC taking into
consideration confidentiality, availability and integrity requirements.
2. Implementation of secure software development policies, procedures, and standards that are
aligned to industry standard practices such as OWASP, CSA, CWE/SANS including secure
design review, secure coding practices, risk based testing and remediation requirements.
3. Training on secure coding principles and industry standards to personnel involved in the
development and coding of products.
4. "Secure by design" approach by incorporating security risk assessments and Threat modeling
in the planning and analysis phase of SDLC and review of the design to prevent new threats.
5. Examination of Source code changes for potential security issues using Zoho's proprietary
SAST (static code analysis) tools and manual review process before deployment.
6. Web Application Firewall (WAF) layer that is embedded in all web applications for protection
against Open Web Application Security Project (OWASP) threats, including SQL injections, Cross-site
scripting (XSS) and remote file inclusions.
7. Maintenance of inventory of third party software that gets bundled in the products/services.
8. Alerts on potential security vulnerabilities in the third party software by Zoho's proprietary
SCA (Software Composition Analysis) that is reviewed periodically to check its applicability and
impact and to take steps to upgrade third party software to the latest version.
9. Appropriate checking and elimination procedures to ensure that the service is not affected by
malware/viruses during development, maintenance and operation.
10. Appropriate security controls to ensure the confidentiality, integrity and availability of the CI/CD
pipeline in the software development environment used to develop, deploy, and support the
products.
11. Maintenance of clear distinction between the development, QA and production environments.
Data Security and Management
1. Information classification scheme with data handling guidelines related to access control,
physical and electronic storage, and electronic transfer.
2. Logical separation of each subscriber's service data from other subscribers' data by distributing
and maintaining separate logical cloud space for each subscriber.
3. Deletion of data from active database upon termination of On-Demand Services by the
subscriber (clean-up occurs once in every 6 months), deletion of backup data within 3 months
of deletion from active database and termination of accounts that remain unpaid and inactive
for a continuous period of 120 days by giving prior notice to the subscriber.
Cryptography
1. Use of transport encryption for information that traverses across networks outside of the direct
control of Zoho including, but not limited to the Internet, Wi-Fi and mobile phone networks.
2. Encryption of data transmission to On-Demand Services are made using TLS 1.2/TLS 1.3
protocols, with latest and strong ciphers like AES_CBC/AES_GCM 256 bit/128 bit keys,
authentication of message using SHA2 and use of ECDHE_RSA as the key exchange
mechanism.
3. Encryption of sensitive Personal Information at rest using 256-bit Advanced Encryption
Standard (AES). (The data that is encrypted at rest varies specific to On-Demand Services and
also options are provided where the subscriber defines the fields to encrypt depending on their
business need and data sensitivity).
4. Irreversible industry standard algorithm (bcrypt) will be used to hash and store the passwords of
On-Demand Services with randomly generated per user salt added to the input.
5. Zoho's in-house Key Management Service (KMS) to own and maintain encryption keys that
includes additional layer of security by encrypting the data encryption keys using master keys.
6. Separation of master keys and data encryption keys by physically storing them in different
servers with limited access.
Change Management
1. A change management policy that governs changes in all components of the service
environment whereby all changes are planned, tested, reviewed and authorized before
implementation into production.
2. Assessment of the potential impacts, including information security and privacy impacts of the
changes.
3. Documented fall-back mechanisms including procedures and responsibilities for aborting and
recovering from unsuccessful changes and unforeseen events.
4. Notification to subscriber of any changes that may affect subscribers in an adverse manner.
Configuration Management
1. Implementation of security hardening and baseline configuration standards in accordance with
industry standards that are reviewed and updated periodically.
2. Predefined OS images with security baselines are used to build systems in development and
production.
3. Hardening standards including (i) ensuring that unnecessary features, services, components,
files, protocols and ports are removed from the production environment; and (ii) removing
unnecessary user logins and disabling or changing default passwords.
4. Approval from the appropriate personnel to install any software package in the production
environment.
Vulnerability Management
1. Vulnerability management plan designed to (i) identify promptly, prevent, investigate, and
mitigate any cyber security vulnerabilities; (ii) analyze the vulnerability; (iii) perform recovery
actions to remedy the impact.
2. Vulnerability assessments using automated scanners performed periodically on Zoho's internet
facing systems.
3. Application penetration testing by Zoho's in house security personnel performed annually in
accordance to defined test methodologies.
4. Review of identified issues from vulnerability assessments and penetration testing,
determination of its applicability, impact and priority and rectification in accordance with the
SLA definition: High level vulnerabilities within 7 calendar days of discovery, Medium level
vulnerabilities within 30 calendar days of discovery and Low level vulnerabilities within 60
calendar days of discovery.
5. Monitoring known vulnerabilities from common sources such as OWASP, CVE, NVD and other
vendor security lists and installation of security relevant patches to product and/or supporting
systems in accordance with Zoho's patch management policy.
6. Antivirus deployment by running the current version of industry standard anti-virus software as
a part of which signature definitions are updated periodically within 24 hours of release, real
time scans are enabled and alerts are reviewed and resolved by appropriate personnel.
Security Logging and Monitoring
1. Use of centralized logging solution to aggregate and correlate events from various components
including network devices, servers and applications.
2. Maintenance of audit logs recording privileged user access activities, authorized and
unauthorized access attempts, system exceptions, and information security events and
retention of logs in accordance with applicable policies and regulations.
3. Host and application intrusion detection (IDS) technology to facilitate timely detection,
investigation and response to incidents.
4. Restrictions on physical and logical access of logs by authorized personnel.
Business continuity and Disaster recovery
1. Disaster recovery and business continuity plans and processes (i) to ensure continuous
availability of the services in case of any disaster; (ii) to provide an effective and accurate
recovery.
2. Annual review of business continuity plan to evaluate its adequacy & effectiveness.
3. Redundancy mechanisms to eliminate single point of failure consisting of (i) dual or multiple
circuits, switches, networks or other necessary devices; and (ii) storing of application data in a
resilient storage that is replicated in near real time across data centers.
4. Taking periodic backups (incremental backups every day and weekly full backups) and storing
them in an encrypted format both in primary and secondary datacenter.
5. Retention of backups for a period of three months and testing recovery of backups at planned
intervals.
6. SLA for service availability with 99.9% monthly uptime as a part of which real time availability
can be viewed in https://status.zoho.com.
Incident Management
1. An incident response plan and program containing procedures that are to be followed in the
event of an information security incident.
2. Dedicated email (incidents@zohcorp.com) to which external parties can report security
incidents and creating awareness among employees to report any potential security incident or
weakness on time without any delay.
3. Tracking of security incidents, fixing of such incidents through appropriate actions,
maintenance of such records in the incident registry and implementation of controls to prevent
recurrence of similar incidents.
4. Incident management procedures that lays down the steps for notifying the client, and other
stakeholders in a timely manner in accordance with breach notification obligations.
5. Implementation of appropriate forensic procedures including chain of custody for collection,
retention, and presentation of evidence in the event of an information security incident likely to
result in a legal action.
Third-Party Vendor Management
1. Vendor management policy through which Zoho evaluates and qualifies third party vendors as a
part of which new vendors are onboarded only after understanding their processes and
performing risk assessments.
2. Execution of agreements with vendors that require vendors to adhere to confidentiality,
availability, and integrity commitments in order to maintain Zoho's security stance.
3. Annual reviews to monitor the operation of vendor's processes and security measures.
Exhibit D
PRIVACY TERMS
In the course of providing On -Demand Services under the Agreement, Zoho and its affiliated group entities
("Zoho") may process Personal Information on behalf of the Subscriber. Accordingly, the parties agree as
follows:
1. Interpretation
1.1 "Data Subject" means the individual who is identifiable by the Personal Information or to whom
the Personal Information otherwise pertains;
1.2 "Security Incident" means a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or access to, Personal Information; and
1.3 "Personal Information" means any information relating to an identified or identifiable natural
person that is provided to Zoho by, or on behalf of, Subscriber through Subscriber's use of the On-Demand
Services.
Capitalized terms used but not defined in this Privacy Terms will have the meanings provided in
the Agreement.
2. Processing of Personal Information
2.1 Zoho shall process the Personal Information only on behalf of the Subscriber and in compliance
with its instructions, unless otherwise required by applicable laws. Subscriber agrees that its
instructions to Zoho for processing Personal Information are:
(i) to process such data strictly in accordance with the Agreement;
(ii) to process data where such processing is initiated by Subscriber via the user interface of the
On-Demand Services;
(iii) to process data for fraud prevention, spam filtering, and service improvement, including
automation; and
(iv) to process data to comply with other documented reasonable instructions provided by
Subscriber (e.g., via email) where such instructions are consistent with the Agreement. Zoho shall
not be obliged to act in accordance with any instructions outside the scope of the Agreement
except with the prior written agreement of both parties.
3. Service Providers
3.1 Subscriber understands that Zoho engages sub-processors and third party service providers
listed by Zoho in its websites for providing (a) specific functionalities of On-Demand Services and
(b) certain essential functions such as fraud detection, spam filtering and improvement of
services (collectively "Service Providers") and that certain data, including Personal Information,
may be shared by Zoho to the Service Providers or may be collected by Service Providers in the
process of providing such functionalities.
3.2 If Subscriber requests Zoho for information on data processing by Service Providers, such as for
conducting a data protection impact assessment, Zoho shall make commercially reasonable
efforts to provide relevant information to Subscriber.
3.3 Zoho warrants that it (i) publishes and maintains a list of Service Providers on its website; and (ii)
will inform Subscriber prior to appointment of any new Service Provider.
3.4 Upon notification regarding Zoho's intention to engage a new Service Provider, Subscriber may,
within 10 days, object to the appointment of such new Service Provider by notifying Zoho. In the
event Subscriber objects to appointment of a new Service Provider, Zoho shall recommend to the
Subscriber, to the extent feasible, commercially reasonable changes in the configuration or use of
the On-Demand Services to avoid data collection or processing by the Service Provider
("Reasonable Alternative"). If Zoho is unable to provide Subscriber with a Reasonable Alternative,
Subscriber may, upon written notice to Zoho, terminate use of On-Demand Services and be
entitled to full refund of subscription fee for unused portion of the subscription period.
4. Data Subject Requests
4.1 Zoho shall promptly notify the Subscriber about any request received directly from the Data
Subject without responding to that request unless it has been otherwise authorized to do so.
Subscriber hereby agrees that Zoho is authorized to respond in the first instance to any request in
order to determine if the request is in respect of Personal Information processed by Zoho on
behalf of the Subscriber.
4.2 Zoho shall implement appropriate technical and organizational measures to enable the
Subscriber to comply with Data Subject's requests to Subscriber to delete, rectify, access, or
restrict processing Data Subject's data. Where Subscriber requests Zoho's assistance under this
section and Zoho has already enabled Subscriber to comply with such requests by implementing
appropriate technical and organizational measures, Zoho shall have the right to charge the
Subscriber for any reasonable costs or expenses incurred by Zoho in order to assist Subscriber
with request(s) from Data Subjects.
5. Confidentiality and Security
5.1 Zoho shall ensure that its personnel engaged in the processing of Personal Information are (i)
informed of the confidential nature of the Personal Information; and (ii) subject to confidentiality
obligation or professional or statutory obligations of confidentiality.
5.2 Zoho shall implement appropriate technical and organisational security measures as specified
under Exhibit C to protect the Personal Information against any Security Incident.
6. Breach Notification
6.1 Zoho shall notify Subscriber without undue delay after becoming aware of any Security Incident.
Zoho shall take all commercially reasonable efforts to remediate the Security Incident and
prevent recurrence. Zoho's obligation specified herein shall not apply to Security Incidents caused
by Subscriber or its authorized users.
7. Audit
7.1 Zoho shall, upon request by Subscriber, demonstrate its compliance with this Privacy Terms or
Exhibit C by way of reports of audits conducted in the previous 12 months by qualified and
independent third party auditors. Subscriber acknowledges that all documents and information
disclosed by Zoho ("Audit Information") constitute Zoho's confidential information. Accordingly,
Subscriber shall take reasonable measures to protect the confidentiality of the Audit Information
from unauthorized access, use or disclosure. Subscriber may use the audit reports only for the
purposes of meeting its regulatory audit requirements or confirming compliance with the
requirements of this Privacy Terms by Zoho.
7.2 Where the information provided by Zoho under above clause is not sufficient to demonstrate
compliance with Privacy Terms or Exhibit C, Subscriber may request Zoho for further
information or audit of Zoho's data processing facilities. Subscriber agrees that any audit of
Zoho's data processing facilities will be subject to an audit plan mutually agreed upon by both
parties.
8. Return and Deletion Upon Termination
8.1 Zoho shall provide an option to Subscriber to export Personal Information via the user interface
of the On-Demand Services.
8.2 Upon termination or expiration of On-Demand Services, unless required by applicable law,
Personal Information shall be automatically deleted from Zoho's primary servers on completion of
the next routine clean-up cycle (that occurs once in six months) and from its backups after 3
months of deletion from primary servers.
8.3 Upon the request of the Subscriber, Zoho shall provide confirmation of the completion of the
relevant clean-up cycle as certification of destruction of the Personal Information.
Exhibit E
On Demand Services
Subtotal : 4,645.00
Grand Total (USD $) : 4,645.00