CAMPUS MANAGEMENT CORP. CAMPUSNETINFRASTRUCTURE AS A SERVICE (IaaS) AGREEMENT

EX-10.4 5 bpi2016q210-qxexx104cmciaa.htm EXHIBIT 10.4 Exhibit
Exhibit 10.4

***Text Omitted and Filed Separately
Confidential Treatment Requested
Under C.F.R. § 200.84(b)(4) and 17 C.F.R. 24b-2


CAMPUS MANAGEMENT CORP.
CAMPUSNET® INFRASTRUCTURE AS A SERVICE (IaaS) AGREEMENT

This INFRASTRUCTURE AS A SERVICE AGREEMENT, the Exhibits hereto, and Addenda as mutually executed from time-to-time (collectively, the “Agreement”) is effective as of this __________ day of Jun 30, 2016    , 2016 (the “Effective Date”), between BRIDGEPOINT EDUCATION INC., a Delaware corporation, having its principal place of business at 13500 Evening Creek Drive North, Suite 120, San Diego, California 92128 (hereinafter “Customer” or “BPI”), and CAMPUS MANAGEMENT CORP., a Florida corporation, having its principal place of business at 5201 Congress Avenue, Boca Raton, Florida 33487 (hereinafter “CMC”).
BACKGROUND
WHEREAS, CMC is engaged in part in the business of operating an infrastructure as a service business (“CMC IaaS”);
WHEREAS, under a software license agreement with CMC (the “Master Agreement” or “Software License Agreement”), Customer has licensed certain software; and
WHEREAS, CMC is willing to provide Customer with non-exclusive rights to deploy the approved software on the CMC IaaS in accordance with this Agreement;
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows.
The general terms (“General Terms”) below apply to CMC IaaS. Specific terms and conditions that apply are contained in the applicable Exhibits. In the event of a conflict between the General Terms and any term contained in an Exhibit, and/or Addendum, the following shall be the order of precedence: the Addendum, the Exhibit and the General Terms.
GENERAL TERMS
1.    DEFINITIONS
“Application(s)” means any web or other application Customer creates using the CMC IaaS including any source code written by Customer to be used with the CMC IaaS, or hosted on a Virtual Machine (as defined below).
“CMC Content” means any Content (as defined below) that CMC or any of its affiliates make available in connection with the CMC IaaS (as defined below) to allow access to and use of the CMC IaaS.
“CMC Infrastructure as a Service (IaaS)” means a managed or an unmanaged Virtual Server that is running on the Infrastructure.
“Licensed CMC Software” means software licensed from CMC pursuant to a Master Agreement or Software License Agreement.
“Data Center” means CMC’s secure and fault tolerant managed facility where CMC IaaS is physically located.
“CMC Marks” means any trademark, service marks, service or trade names, logos and other designations of CMC and its affiliates that CMC may make available to Customer in connection with this Agreement.
 
“Content” means software (including machine images), data, text, audio, video, imagines or other content.
“Customer Content” means Content that Customer or any User (as defined below) (a) runs on the CMC IaaS, (b) causes to interfere with the CMC IaaS, or (c) uploads to the CMC IaaS under Customer’s account or otherwise transfers, processes, uses or stores in connection with Customer’s account.
“Documentation” means the developer guides, user guides and any other technical and operations manuals and specifications for the CMC IaaS provided by CMC.
“Downtime” means unplanned service disruptions to the CMC IaaS. Downtime shall exclude service disruptions arising from Customer’s systems or service providers or service disruptions due to Customer’s own errors. CMC will pass through, on a proportionate basis, to Customer any credits received from its third party hosting provider as a result of the Downtime.
“Infrastructure” means the datacenters, security devices, cables, routers, switches, hosts, computer nodes, physical servers, and other equipment CMC uses to host Virtual Servers (as defined below).
“Login Credentials” mean any password, authentication keys or security credentials that enable Customer’s access to and management of the CMC IaaS.
“Policies” means CMC’s written policies to the extent applicable (e.g., Acceptable Use Policy, E-mail and Anti-Spam Policies) all of which are posted on the CMC web site at http://www.campusmanagement.com/EN-US/aboutUs/Pages/CampusNet.aspx, as may be updated from time to time.
“Production Environment” means the specific environments including hardware, software, and database instance, which are exclusively used as the single authoritative and live system Customer uses for transactional processing. Production Environment excludes any and all testing, training, and other non-live application or environments.
“Third Party Content” means Content made available to Customer by any third party in conjunction with the CMC IaaS.
“User” means any individual that directly or indirectly through another user (a) accesses or uses Customer Content; or (b) otherwise accesses or uses the CMC IaaS under Customer’s account.


CampusNet IAAS Agreement    Page 1 of 8    Confidential
TA-042516



“Virtual Servers” means one of any number of isolated server emulations running on a single physical servicer located on the Infrastructure.
2.    USE OF THE CMC IAAS
2.1    Generally. Customer may access and use the CMC IaaS in accordance with this Agreement. Customer will adhere to all laws, rules and regulations applicable to its use of the CMC IaaS, including the Policies. The CMC IaaS is provided to Customer for its internal use and Customer shall not resell the CMC IaaS to any third party.
2.2    Third Party Content. Third Party Content, such as software applications provided by third parties, may be made available by other entities under separate terms and conditions. Customer is responsible to comply with applicable terms and conditions for Third Party Content. Customer’s use of any Third Party Content is at Customer’s sole risk. CMC is not responsible for providing support to Third Party Content.
Customer understands that not all external Third Party Content may comply with CMC’s information security policies and Customer agrees to submit any new interface or connectivity requirement requests to CMC prior to installation into the Data Center. Third Party Content that does not comply with CMC’s information security policies will not be installed in the Data Center.
2.3    Facilities and Use of Customer Data. CMC will maintain appropriate administration, physical and technical safeguards that adhere to security standards that a reasonably prudent service provider in the same industry would provide under like circumstances to store and process Customer Data. CMC accesses and uses Customer Data only as necessary to provide the IaaS Service, perform or enforce contractual obligations or comply with applicable law. By using the CMC IaaS, Customer consents to the processing and storing of Customer Data. The parties agree that CMC is merely an information technology service provider.
3.    CHANGES
3.1    To the CMC IaaS. Subject to Section 10.2(a)(ii), due to technology advancements and changes to Licensed CMC Software, CMC may change, discontinue or deprecate the CMC IaaS or change or remove features or functionality of the CMC IaaS from time to time. CMC will provide Customer with six (6) months prior notice of any material changes or discontinuance.
4.     CMC OBLIGATIONS
4.1    Scope of Services. The CMC IaaS shall include: (i) the deployment and administration of server hardware and the licensed CMC software at the CMC hosting center; (ii) monitoring communication circuit that is reasonably within the control of CMC or CMC’s Internet service provider and hardware availability; (iii) installation of all updates, upgrades, releases, error corrections, and enhancements (except that configuration of new features exposed by such installation will require configuration by Customer or a separate Statement of Work) of the licensed CMC Software; and (iv) routine backups of software and data residing on the data repository location (“Data Repository Location”). This Agreement is strictly for the CMC IaaS described herein and does not grant a license to access or use the CMC software, which must be licensed by Customer under a separate Master Agreement or Software License Agreement, as applicable. The CMC IaaS shall be pursuant to the Service Level Agreement set forth in Exhibit C-4. CMC will not support environments that are not supported/certified by CMC product development or by third party vendors.
 
4.2    Standard of Performance. CMC agrees to provide the CMC IaaS to and for the benefit of Customer in accordance with the terms of this Agreement, including all Schedules and Exhibits hereto, and use industry practices and methods to avoid, prevent, and mitigate any material adverse effect on the IaaS or the continuity and quality of the services being provided to Customer.
4.3    Infrastructure. CMC shall (i) provide the Infrastructure to meet the functional and performance requirements based on the components defined in Exhibit A; (ii) be responsible for the day-to-day management and maintenance of the Infrastructure required to support the licensed CMC Software and Applications; (iii) monitor the Infrastructure for thresholds and availability 7x24x365; and (iv) administer all operating systems, database, networking, virtualization, including Citrix and VMware, required to operate CMC’s Licensed Software.
CMC will be responsible for software licenses for Microsoft Windows Operating System, Microsoft SQL Server, and Citrix software (if applicable) for non-CMC licensed software. In the case that the Customer requires additional infrastructure/environments to support non-CMC licensed software, then Customer shall be responsible for such licenses.
4.4    Software Licenses. CMC will provide third party software licenses required to operate CMC’s Licensed Software.
4.5    Information Security. CMC will make commercially reasonable efforts to keep Customer’s Content and data appropriately secured against unauthorized access including:
(i) CMC will maintain Internet firewalls to protect Customer’s Infrastructure and Applications from unwanted and inappropriate access;
(ii) CMC requires that all Internet traffic to and from the Infrastructure use encrypted methods to protect the confidentiality of the data stored in the Customer’s Applications;
(iii) CMC will provide a Virtual Private Network (VPN) router at the CMC primary datacenter using IPSec/3DES encryption technologies for connecting the networks between the Data Center and Customer’s premises. Customer must provide a Cisco compatible device on its premises and local IP network configuration that does not conflict with the Data Center private IP addressing. Alternatively, Customer may choose to install a point to point circuit from Customer’s premises network with an endpoint to the Data Center as the primary mode of connectivity. All related expenses and costs for the point to point circuit and the projected date of availability will be Customer’s responsibility;
(iv)    All systems and services in the Data Center are subject to vulnerability scanning to identify any information security risks that may be present and trigger remediation efforts;
(v)    CMC will provide, install and maintain active anti-virus services on all appropriate systems and services installed in the Data Center;
(vi)    CMC requires that all Internet facing application services use SSL communications for proper encryption of data transmitted between the Data Center and Customer; and


CampusNet IAAS Agreement    Page 2 of 8    Confidential
TA-042516



(vii)    CMC will maintain regular patch management practices so that newly released security patches are applied to servers supporting Customer’s Applications.
4.6    Data Backup. CMC shall perform a complete backup of the Data Repository Location each night using generally accepted backup procedures (“Backup Data”). The Backup Data shall be maintained at the CampusNet Services colocation center and shall be retained for up to seven (7) days before being destroyed; provided, weekly, CMC shall make a copy of the Backup Data and store it at an off-site storage location (“Off-site Center”). The Backup Data shall be retained at the Off-site Center for twelve (12) months before being destroyed. Upon Customer request and for no additional charge, so long as Customer is not in default of the Agreement, CMC shall provide a copy of the Backup Data on a monthly basis. For an additional charge, Customer may request a copy of the Backup Data on a more frequent basis. The CMC IaaS is operated in a manner designated to provide for high levels of system availability. This includes redundancy for all major system components, or where appropriate, equipment supported by manufacturers providing the CMC IaaS with 24/7/365 service.
4.7    Availability of Service. The CMC IaaS and all Customer Content shall be accessible to Customer’s authorized users 24 hours per day, 7 days a week, excluding scheduled times for maintenance and updates of CMC IaaS infrastructure software of which Customer will be notified in advance, and any Downtime due to Internet outages resulting from failures reasonably outside the control of CMC or CMC’s hosting provider, corruption of Internet route information within a tier 1 internet route server environment, major connectivity failures within or between major tier 1 providers or corruption of internet root level DNS services. In the event that, during any three (3) month period, the Customer Content experiences three or more episodes of Downtime with one or more episodes of Downtime lasting at least six (6) hours each and two (2) or more additional episodes of Downtime lasting at least three (3) hours each, Customer shall have the right to terminate this Agreement upon fifteen (15) days written notice from the last episode of Downtime, within 180 days following the written notice to CMC, without payment of any penalty, which termination right shall be Customer's sole and exclusive remedy for Downtime other than Downtime caused by CMC's willful misconduct.
4.8    Control of Services. CMC shall manage the CMC IaaS. CMC may, in its sole discretion (i) reengineer CMC network components and/or change locations where services are performed; (ii) perform its obligations through its subsidiaries or affiliates, or through the use of selected independent subcontractors; and (ii) modify and/or replace technology or service architectures relating to the services. Notwithstanding clause (ii) above, CMC shall be responsible for such other party’s performance of CMC obligations under CMC IaaS.
4.9    Personnel. CMC will dedicate personnel necessary to perform its responsibilities hereunder. CMC reserves the right to determine the personnel assigned to the CMC IaaS and to replace, rotate or reassign such personnel during the CMC IaaS Term (as defined in Section 10.1 below).
4.10    Services Outside Scope. Any custom services provided outside the scope set forth above shall be engaged under professional services, subject to CMC's requirements, including, without limitation, any billing, and technical requirements. Any changes in federal, state or local requirements, or any Customer specific requirements, including, without limitation, with respect to security or privacy, that result in CMC providing additional services or incurring
 
costs, shall be billed to and promptly paid by Customer. CMC reserves the right to refuse to provide certain services in the event Customer's requirements are not practicable or changes in law affect CMC’s performance of obligations hereunder.
4.11    Minimization of Planned Service Disruptions. Whenever conditions reasonably permit, the parties will mutually agree on the scope, timing, frequency and duration of any planned service disruptions or delays and will jointly attempt to minimize any unnecessary impact on Customer’s business operations. Routine daily maintenance will be accomplished whenever possible by scheduling between the hours of 10:00 p.m. and 8:00 a.m. Eastern Time. In addition, longer maintenance will be accomplished when possible on weekends between the hours of 6:00 p.m. ET Saturday and 8:00 a.m. ET Monday, unless CMC notifies Customer otherwise. CMC shall monitor the CMC IaaS Services 24/7/365.
4.12    Unplanned Service Disruptions. Downtime may occur from time-to-time. CMC will use commercially reasonable efforts to attempt to prevent Downtime that could impact Customer’s business operations to the extent such factors are within CMC's reasonable control; provided, Customer acknowledges that conditions of Customer and third parties may affect Customer's use of the CMC IaaS, for which CMC shall have no liability or obligations (by way of example and not limitation, Internet disruptions or third party software bugs), although CMC will attempt to coordinate with Customer as reasonably requested to assist to correct the Downtime to the extent practicable.
4.13    Disaster Recovery Plan. Throughout the CMC IaaS Term, CMC shall maintain a disaster recovery plan and the capacity to execute such plan. Upon request by Customer, which shall not be more frequently than annually, CMC shall provide Customer with an executive summary of CMC’s most current disaster recovery plan.
4.14    Disaster Recovery. If the Data Center is damaged, in whole or part, by fire or other casualty at any time during the Term of this Agreement, CMC will promptly and diligently seek to have such damage repaired. If the Data Center is damaged in such a way that prevents CMC from securely delivering its services defined hereunder within a reasonable amount of time, then CMC shall failover the Production Environment and licensed CMC software to CMC’s disaster recovery warm facility. In such event, CMC expects the recovery time to be no more than forty-eight (48) hours, and CMC’s disaster recovery warm facility will support Customer’s Infrastructure at sixty percent (60%) of the Production Environment’s normal operating capacity.
5.    CUSTOMERS OBLIGATIONS
5.1    Technical Data and Information. Customer shall provide CMC with all technical data and all other information CMC may reasonably request from time to time to allow CMC to supply the CMC IaaS to Customer. All information Customer supplies will be complete, accurate and given in good faith.
5.2    Lawful Use. Customer will use the CMC IaaS for legitimate and lawful business purposes only. Any breach of this Section 5.2 will constitute a material breach of this Agreement and in addition to CMC’s termination rights set forth in Section 10.2(b) below, CMC may, at any time and at CMC’s sole option, suspend all or part of the CMC IaaS immediately and until the breach is remediated.
5.3    Content. Customer is solely responsible for the Customer Content that Customer, Users or


CampusNet IAAS Agreement    Page 3 of 8    Confidential
TA-042516



subcontractors create, install, upload or transfer on, from or through the CMC IaaS.
5.4    Backups. Customer is solely responsible for backing up all Customer Content on the CMC IaaS to the Data Repository Location. Customer acknowledges and agrees to maintain outside the CMC IaaS a current backup copy of all Content stored in the CMC IaaS.
5.5    Software Updates. Customer acknowledges and agrees that from time to time CMC and third party providers will release critical patches or updates. Customer must agree to not unreasonably delay application of any software or hardware patches or updates identified by CMC as mandatory for use with the CMC IaaS. CMC may elect to discontinue service related to the applications or infrastructure with the identified vulnerability.
5.6    Digital Certificates. Customer agrees that it will provide 128bit, SSL Digital Certificates to support all internet facing services in support of Customer’s environment.
5.7    Customer Relationship Manager. Customer will appoint a relationship manager to manage the relationship established by this Agreement (“Customer Relationship Manager”) who will:
(a)    Coordinate and monitor Customer’s obligations under this Agreement, and serve as the primary liaison with the CMC relationship manager.
(b)    Provide communication on events and reporting problems with the CMC IaaS.
(c)    Provide CMC with an outage communications plan consisting of the name, telephone number including cell phone number, and email address of Customer personnel to be notified in the event of an outage. CMC shall contact Customer promptly regarding an outage or Downtime.
5.8    Connectivity. Customer agrees to provide the high-speed Internet and telecommunications connections and supporting equipment required by CMC to maintain connectivity between Customer’s remote location(s) and the CMC IaaS location. Customer will bear the costs of such connections and supporting equipment. CMC may assist Customer in defining such connectivity in which case Customer may, at CMC’s discretion, be billed for such professional services.
5.9    Software Licenses. CMC software and the CMC IaaS use many components of Microsoft products. At all times during the CMC IaaS Term, Customer is required to hold a basic Microsoft® Office license for each Customer computer that will be used on the CMC IaaS. To the extent applicable, Customer’s statement attesting to the existence of such valid license is attached as Exhibit C-2.
5.10    Print Drivers. CMC uses the Citrix universal print driver. Other printers may work, but Customer acknowledges that formatting and functionality may fail on any non-compliant printing standards or drivers. Customer may require assistance from its authorized printer vendor.
6.    SECURITY AND DATA PRIVACY
6.1    Security. CMC IaaS provides Customer with certain software and functionality to help Customer protect Customer Content from unauthorized access. Customer shall properly configure and use the CMC IaaS so that it is suitable for Customer’s use. Customer is responsible for maintaining appropriate security and protection of Customer Content, which may include the use of encryption technology to protect Customer Content from unauthorized access. Customer is
 
responsible for providing any necessary notices to Users and obtaining any legally-required consents from Users concerning use of the CMC IaaS. Customer is solely responsible for complying with any laws or regulations that might apply to Customer Content. Login Credentials are for Customer’s internal use only. Customer is responsible for any use that occurs under Login Credentials. If Customer believes an unauthorized User has gained access to Login Credentials, Customer will notify CMC immediately. Neither CMC nor its affiliates are responsible for any unauthorized access to or use of Customer’s account. If CMC determines that there has been unauthorized access to, or use or disclosure of, Customer Content, CMC shall use commercially reasonable efforts to notify Customer, taking into account any applicable law, regulation, or governmental request.
6.2    Transfer of Data. Customer consents that CMC shall store Customer Content in the United States. CMC transfers Customer Data solely pursuant to CMC’s Backup Data obligations as set forth in Section 4.6 above. By uploading Customer Content into the CMC IaaS, Customer may transfer and access Customer Content from around the world, including to and from the United States. To the extent that Customer provides Customer Content in connection with CMC customer support, Customer consents that CMC may handle Customer Content in any country in which CMC or its affiliates maintain facilities. It is the responsibility of Customer to ensure that Customer complies with applicable law with respect to transferring data across geographical locations.
6.3    Compliance with Laws. CMC shall comply with all laws applicable to our provision of the CMC IaaS, including applicable security breach notification laws, but not including any laws applicable to Customer that are not generally applicable to information technology service providers. Customer shall comply with all laws applicable to Customer Data and Customer’s use of the CMC IaaS, including any laws applicable to Customer.
7.    FEES, PAYMENT AND TAXES
7.1    General. The pricing for the CMC IaaS provided herein is set forth in Exhibit A.
7.2    Late Fees. Any amount invoiced under this Section 7 and not paid in full as required herein shall bear interest at the lesser of 1.5% per month or the highest rate allowed by applicable law, and shall be subject to reasonable costs and attorney's fees related to collection. Upon written notice, CMC reserves the right to suspend any or all services to delinquent accounts until such time as the account is brought current and Customer agrees to hold CMC harmless for any interruption of CMC IaaS arising from any payment delay.
7.3    Taxes. Customer will promptly pay, indemnify and hold CMC harmless from all taxes on the CMC IaaS, including transaction, local, value-added, sales and service taxes, other than taxes on the net income or profits of CMC. Subject to any applicable laws, the foregoing will not apply to the extent Customer is formed as a not-for-profit or publically funded state organization and promptly provides CMC an applicable tax exempt certificate. All prices quoted are net of taxes.
7.4    Disputed Invoice. Customer may withhold any invoiced line item amounts due hereunder if it, in good faith, disputes the item in a detailed writing within twenty (20) days of receipt of the invoice and promptly pays the undisputed amounts. CMC reserves the right to cease work without prejudice if undisputed amounts are not paid within thirty (30) days after the date of the invoice. CMC may allocate


CampusNet IAAS Agreement    Page 4 of 8    Confidential
TA-042516



payments received to fees and expenses in its sole discretion and Customer’s communications on or with payments shall not be construed as a novation.
8.    BILLING AND PAYMENT PROCEDURES
8.1    Payment Schedule. CMC will bill Customer as further described in Exhibit A.
8.2    Billing and Payment Dates. CMC will bill Customer monthly by the 10th of the following month as set forth in Exhibit A. Customer shall pay CMC in full on or before the fifteenth (15th) day following the date of the invoice. If Customer falls into arrears on payments, CMC may require Customer to maintain a deposit as a condition to CMC continuing to provide the CMC IaaS.
8.3    Changes. Customer may request to expand the CMC IaaS by delivering a written request and entering into a mutually executed Addendum.
9.    TEMPORARY SUSPENSION
9.1    Generally. CMC may suspend Customer’s right to access or use any portion of all of the CMC IaaS immediately upon notice to Customer if:
(a)    Customer’s use of the CMC IaaS (i) poses a security risk to the CMC IaaS or any third party; (ii) may adversely impact the CMC IaaS or the systems or Content of any other CMC customer; (iii) may subject CMC, its affiliates or any third party to liability; (iv) may be fraudulent; or (v) violates Policies;
(b)    Suspension is required pursuant to CMC’s receipt of a subpoena or other request by a law enforcement agency; or
(c)    Customer is in breach of this Agreement, including Customer is delinquent on its payment obligations (except for Section 7.4 above) for more than 30 days.

9.2     Effect of Suspension. If CMC suspends Customer’s right to access or use any portion or all of the CMC IaaS:
(a)    Customer is responsible for all fees and charges Customer has incurred through the date of suspension;
(b)    Customer remains responsible for any applicable fees and charges for any CMC IaaS to which Customer continues to have access, as well as applicable data storage fees and charges, and fees and charges for in-process tasks completed after the date of suspension; and
(c)    Customer will not receive any service credits under the Service Level Agreement for any period of suspension.
CMC will not erase any Customer Content as a result of Customer’s suspension. CMC’s right to suspend Customer’s access to CMC IaaS is in addition to CMC’s right to terminate this Agreement pursuant to Section 10 below.
10.    TERM AND TERMINATION
10.1    Term. The CMC IaaS will commence on the Commencement Date and will continue for the period specified in Exhibit A (“CMC IaaS Term”).
10.2    Termination.
(a)    Customer: Customer may terminate this Agreement:
 
(i)    with cause in the event CMC materially breaches its obligations under the Agreement and fails to cure such breach within thirty (30) days after receipt of written notice from Customer.
(ii)    early upon sixty (60) days written notice and payment of early termination fee as set forth in Exhibit A.
(iii)    pursuant to Section 4.7, Availability of Service, set forth above.
(b)    CMC. CMC may terminate this Agreement:
(i)    with cause in the event Customer materially breaches its obligations under the Agreement and fails to cure such breach within thirty (30) days after receipt of written notice from CMC.
(ii)    immediately upon notice to Customer: (A) for cause, if any act or omission by Customer results in a suspension described in Section 9.1 above; (B) if CMC’s relationship with a third party who provides software or other technology CMC uses to provide the CMC IaaS expires, terminates or requires CMC to change the way it provides the software or other technology as part of the CMC IaaS; (C) if it is CMC’s good faith belief that providing the CMC IaaS service offering to the entire customer base creates a substantial economic or technical burden or material security risk for CMC; (D) in order to comply with the law or requests from governmental entities; or (E) if CMC determines that the use of the CMC IaaS has become impractical or unfeasible for any legal or regulatory reason.
10.3    Effect of Termination. Upon termination of the CMC IaaS for any reason, CMC will disable Customer’s access to the CMC IaaS and Customer shall promptly pay all amounts due. Each party shall promptly return or destroy any of the other party’s Content or Confidential Information (as defined below). CMC may erase Customer Content stored on the Infrastructure thirty (30) days after the date of termination. Customer will pay CMC its reasonable fees and expenses on a time and material basis if CMC assists Customer with the transition of Customer Content.
11    CONFIDENTIAL INFORMATION
11.1    Confidential Information. Neither party nor any third party acting on its behalf will for any reason at any time use or disclose any proprietary information of the other party, including, without limitation, relating to the processes, techniques, work practices, customers, prospective customers, suppliers, vendors, business practices, strategies, business plans, financial information, marketing, third party licenses, products, proprietary rights or trade secrets of the other party (collectively the “Confidential Information”). Each party shall use at least the same degree of care in safeguarding the other party’s Confidential Information as it uses in safeguarding its own Confidential Information, but not less than due diligence and care, to prevent the theft, disclosure, copying, reproduction, distribution and preparation of derivative works of the other party's Confidential Information. Either party may disclose Confidential Information to its employees, independent contractors and advisors that have a need to know in the course of their assigned duties and responsibilities in connection with the Agreement, provided such parties are bound by legally binding obligations to protect such Confidential Information in a manner consistent with the Agreement.
11.2    Exceptions. Confidential Information does not include (i) information already known or independently developed by the recipient without use or reliance on the other party’s Confidential Information, as evidenced by records, (ii)


CampusNet IAAS Agreement    Page 5 of 8    Confidential
TA-042516



information in the public domain through no wrongful act of the recipient, or (iii) information received from a third party who was not under a duty of non-disclosure.
11.3    Disclosure Required by Law. If one party (the “Receiving Party”) is required by a lawful order from any court or agency of competent jurisdiction to disclose Confidential Information of the other party (“Disclosing Party”), the Receiving Party shall promptly notify the Disclosing Party of such order so that the Disclosing Party may take reasonable steps to limit further disclosure, including obtaining a protective order or other reasonable assurance that confidential treatment will be accorded to the Confidential Information. If, in the absence of a protective order, the Receiving Party is compelled as a matter of law to disclose Confidential Information, the Receiving Party will use reasonable efforts to disclose only the Confidential Information that is required by law to be disclosed.
With respect to publically funded state institutions, CMC acknowledges that certain information and documents may be subject to public records laws, and Customer shall provide CMC an opportunity to review and object to disclosure (including obtaining a protective order) pursuant to state law.
11.4    Remedies. Confidential Information shall remain the sole property of the Disclosing Party or its respective licensor. In the event of a breach or threatened breach of this provision, the Disclosing Party shall be entitled to obtain preliminary injunctive relief, without posting bond, to prevent the use and disclosure of such Confidential Information, in addition to all other remedies available at law and in equity.
12.    INTELLECTUAL PROPERTY
12.1    CMC Content; CMC IaaS; License Grant. CMC, its affiliates and licensors own and reserve all right, title and interest in and to the CMC IaaS and CMC Content, including all improvements, enhancements, modifications and derivatives works thereof. CMC shall have a royalty-free, worldwide, perpetual license to use or incorporate into the CMC IaaS and Documentation any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or its Users relating to the operation of the CMC IaaS or Documentation. CMC grants Customer a non-exclusive and non-transferable license to do the following: (i) access and use the CMC IaaS solely in accordance with this Agreement; and (ii) copy and use the CMC Content solely in connection with Customer’s permitted use of the CMC IaaS.
12.2    Restrictions. Customer shall not (and shall not permit any User, employee, contractor or other party to): (i) copy, modify, create a derivative work of, reverse engineer, decompile, translate, disassemble or otherwise attempt to extract the source code of the CMC IaaS or any component thereof; or (ii) resell or sublicense the CMC IaaS.
12.3    Customer Content. Customer or Customer’s licensor own all right, title and interest in and to Customer Content. Except as provided in this Section 12, CMC obtains no rights under this Agreement to Customer Content. Customer consents to CMC’s use of Customer Content to provide the CMC IaaS to Customer. CMC may disclose Customer Content to provide the CMC IaaS to Customer and User or comply with any request of a governmental or regulatory body.
12.4    Trademarks and Copyrights. Third parties retain trademark, copyright and other proprietary rights in and to Third Party Content. CMC retains all right, title and interest to CMC Marks.
 
13.    WARRANTIES
13.1    CMC’s Limited Warranties. CMC represents, warrants and covenants that:
(a)    CMC has the authority to enter into this Agreement.
(b)    Neither it entering into nor its performance of this Agreement conflicts with or creates a breach of contract or obligation to which it is bound.
(c)    CMC shall perform the CMC IaaS in a professional and workmanlike manner.
(d)    CMC, in the operation of its business, shall remain at all times during the Agreement in compliance in all material respect with applicable federal, state and local laws, including, without limitation, all applicable U.S. Department of Education rules and regulations.
13.2    Customer’s Limited Warranties. Customer represents, warrants and covenants that:
(a)    Customer has authority to enter into and perform in accordance with the provisions of this Agreement.
(b)    Neither it entering into nor its performance of this Agreement conflicts with or creates a breach of contract or obligation to which it is bound.
(c)    No Customer Content on the CMC IaaS is illegal, defamatory, malicious, harmful or discriminatory based on race, sex, religion, nationality, disability, sexual orientation, or age.
(d)    Customer will not attempt to circumvent or disable any of the security-related, management or administrative features of the CMC IaaS.
(e)    Customer, in the operation of its business, shall remain at all times during the Agreement in compliance in all material respects with applicable federal, state and local laws, including, without limitation, all applicable U.S. Department of Education rules and regulations.
14.    DISCLAIMER OF WARRANTIES. THE CMC IAAS IS PROVIDED “AS IS”. CMC AND ITS AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE CMC IAAS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE CMC IAAS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING CUSTOMER CONTENT OR THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. CUSTOMER ACKNOWLEDGES THAT CMC DOES NOT CONTROL OR MONITOR THE TRANSFER OF DATA OVER THE INTERNET, AND THAT INTERNET ACCESSIBILITY CARRIES WITH IT THE RISK THAT CUSTOMER’S PRIVACY, CONFIDENTIAL INFORMATION AND PROPERTY MAY BE LOST OR COMPROMISED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, CMC, ITS AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND ANY WARRANTIES ARISING FORM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
15.    LIMITATION OF LIABILITY. EXCEPT FOR THE OBLIGATIONS HEREIN TO INDEMNIFY AGAINST THIRD


CampusNet IAAS Agreement    Page 6 of 8    Confidential
TA-042516



PARTY CLAIMS OR BREACH OF INTELLECTUAL PROPERTY RIGHTS, IN NO EVENT SHALL EITHER PARTY OR ITS AFFILIATES BE LIABLE, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOST SAVINGS, PROFIT OR BUSINESS INTERRUPTION EVEN IF NOTIFIED IN ADVANCE OF SUCH POSSIBILITY) ARISING OUT OF OR PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. IN ADDITION, EXCEPT WITH RESPECT TO A WILLFUL BREACH, BREACH OF INTELLECTUAL PROPERTY RIGHTS, OR OBLIGATIONS HEREIN TO INDEMNIFY AGAINST THIRD PARTY CLAIMS, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR DAMAGES IN EXCESS OF THE TOTAL AMOUNT PAID FOR CMC IAAS DURING THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING THE DATE ANY SUCH CAUSE OF ACTION AROSE.
The foregoing limitation of liability shall not be construed as an express or implied waiver by a publically funded state institution of its governmental immunity or as an express or implied acceptance by the institution of liabilities arising as a result of actions which lie in tort or could lie in tort in excess of the liabilities allowed under applicable state law.
16.    INDEMNIFICATION
16.1    Customer. Customer shall indemnify, defend and hold harmless CMC and its affiliates, and each of its respective officers, directors, employees, agents, independent contractors, successors and assigns from and against liability for any third party claims based on: (i) Customer’s use of the CMC IaaS or any Customer Content; (ii) Customer’s breach of this Agreement or violation of applicable law; (iii) the alleged infringement or misappropriation of third party rights by Customer Content or by the use, development, design, production, advertising or marketing of Customer Content; (iv) Customer’s relationship with third party software providers for software installed or stored in the CMC IaaS; or (v) Customer’s failure to use reasonable security precautions. Furthermore, if CMC or its affiliates are obligated to respond to a third party subpoena or other compulsory legal order or process described in this Section 16.1, Customer shall also reimburse CMC for reasonable attorneys’ fees and costs and shall pay CMC on a time and material basis for time and materials spent.
16.2    CMC. CMC shall indemnify, defend and hold harmless Customer and its affiliates, and each of its respective officers, directors, employees, agents, independent contractors, successors and assigns from and against liability for any third party claims based upon the CMC IaaS infringing or misappropriating any U.S. patent, copyright, or trademark of such third party. Notwithstanding the foregoing, in no event will CMC have any obligations or liability under this Section 16.2 arising from: (i) Customer’s use of CMC IaaS in a modified, unauthorized or unintended form; (ii) Customer’s violation of this Agreement; (iii) Customer’s use of the non-current versions of the CMC IaaS; or (iv) any Customer Content.
16.3    Process. The indemnified party shall promptly notify the indemnifying party of any claim subject to this Section 16, but the indemnified party’s failure to promptly notify the indemnifying party will only affect the indemnifying party’s obligations under this Section 16 to the extent that the indemnified party’s failure prejudices the indemnifying party’s ability to defend the claim. The indemnifying party may: (i) use counsel of its choice (subject to the indemnified party’s written consent); and (ii) settle the claim as the indemnifying party deems appropriate, provided that the indemnifying party
 
obtains the indemnified party’s prior written consent before entering into any settlement. The indemnified party may also assume control of the defense and settlement of the claim.
Publically funded state institutions shall be liable for damages incurred by CMC, but shall not be required to also indemnify CMC to the extent applicable state laws expressly prohibit the institution from indemnifying CMC.
17.    DISPUTES; CHOICE OF LAW
17.1    Dispute Resolution. The parties agree that prior to commencing any legal action, all disputes between them shall be submitted for informal resolution to their respective chief operating officers or his/her authorized designee with power to bind his/her respective company. The representatives shall meet within ten (10) days at a mutually agreeable location, but shall not be required to meet for more than two (2) business days; the timeline for performance of each party’s obligations hereunder shall be tolled proportionately until, in accordance with the foregoing, the dispute is resolved or the parties stop meeting without having resolved such dispute. Provided, the foregoing process shall not require a party to delay obtaining any injunctive relief or equitable remedies based on a claim arising from the other party’s breach of intellectual property, confidentiality or non-solicitation obligations.
17.2    Jurisdiction; Venue. The parties agree that no oral or written representation made during the course of any settlement discussions shall constitute a party admission. If the parties are still unable to reconcile their differences in accordance with the foregoing procedures, each party hereby agrees that any controversy or claim, whether based on contract, tort or other legal theory, arising out or relating to the Agreement, shall be maintained exclusively in the jurisdiction and venue of the courts sitting in and for Palm Beach County and the Southern District of Florida. The prevailing party shall be entitled to reimbursement of reasonable attorneys' fees and costs. The parties expressly waive right to trial by jury.
The foregoing choice of venue shall not apply to publically funded state institutions to the extent applicable state laws expressly prohibit the institution from litigating outside of its home state.
17.3    Governing Law. The Agreement shall be governed by and construed in accordance with the substantive laws of Florida, without regard to conflict of laws principles. The parties expressly opt out of the application of the UN Convention on the International Sale of Goods.
The foregoing choice of law shall not apply to publically funded state institutions to the extent applicable state laws expressly prohibit the institution from litigating under a foreign state law.
18.    ASSIGNMENT. CMC hereby agrees it shall not withhold consent to Customer’s assignment of the Agreement, in its entirety, in connection with the sale or acquisition of Customer of all or substantially all of the business assets or voting control, provided Customer and the assignee have fulfilled the following conditions prior to the transfer: (i) Customer shall provide written notice to CMC of the proposed assignment at least thirty (30) days prior to the date of such transaction; (ii) the assignee shall assume all liabilities under the Agreement and be bound to the Agreement; and (iii) Customer and assignee (if assignee is a CMC customer) shall not be in material breach of any agreement with CMC at the time of the transaction.
19.    NOTICES. Notices sent to either party shall be effective when delivered in person or transmitted by fax


CampusNet IAAS Agreement    Page 7 of 8    Confidential
TA-042516



machine with printed confirmation page (if delivered after 5:00 p.m. recipient's local time, then effective the next business day), one (1) business day after being sent by overnight courier, or two (2) business days after being sent by first class mail postage prepaid to the address on the first page hereof or such other address as a party may give notice in the same manner set forth in this Section 19.
20.    FORCE MAJEURE. Neither party shall be liable for any delay in performing its obligations under the Agreement, if such delay is caused by circumstances beyond the party’s reasonable control, including without limitation, any acts of God, war, terrorism, floods, windstorm, labor disputes, change in laws or regulations, public health risks or epidemics, or delay of essential materials or services. In the event a non-performance or a delay in performance of obligations under the Agreement is due to a force majeure event, the period of performance shall be extended by the delay due to such event and any additional time that the parties may mutually agree is necessary for the remobilization of personnel and resources. However, the party not affected by the force majeure shall have the right to terminate the Agreement without penalty if the party affected by the force majeure event is unable to resume full performance within thirty (30) days of occurrence of the event.  
21.    INDEPENDENT CONTRACTOR STATUS; COMPLIANCE WITH LAW. Each party and its personnel are independent contractors in relation to the other party with respect to all matters arising under the Agreement. Nothing herein shall be deemed to establish a partnership, joint venture, association or employment relationship between the parties. Each party shall remain responsible, and shall indemnify and hold harmless the other party, for the withholding and payment of all federal, state and local personal income, wage, earnings, occupation, social security, worker's compensation, unemployment, sickness and disability insurance taxes, payroll levies or employee benefit requirements (under ERISA, state law or otherwise) now existing or hereafter enacted and attributable to themselves and their respective personnel. Each party shall comply with all applicable federal and state laws, rules and regulations, in effect or hereafter established, applicable to discrimination and unfair employment practices.
Publically funded state institutions shall be liable for damages incurred by CMC, but shall not be required to also indemnify CMC, to the extent applicable state laws expressly prohibit the institution from indemnifying CMC.  
22.    AUDIT; COOPERATION. CMC reserves the right to verify compliance with this Agreement. In the event of an audit, Customer shall provide information or other materials reasonably requested by CMC. CMC monitors the overall performance and stability of the CMC IaaS. Customer shall not block or interfere with this monitoring. In the event that CMC reasonably believes that a problem with the CMC IaaS may be attributable to Customer’s use or Customer’s Content, then Customer shall cooperate with CMC to identify the source of the problem.
23.    EXPORT LAWS. Customer shall comply with all export and import laws and regulations of the United States and such other governments as are applicable. Customer hereby certifies that it will not directly or indirectly, export, re-export, or transship software or related information, or media in violation of United States laws and regulations.
24.    U.S. GOVERNMENT LICENSING. With respect to the procurement of any CMC IaaS by or for the U.S. Government, any software provided in connection with the CMC IaaS is commercial computer software. To the extent
 
applicable, the use, duplication, or disclosure by the Government is subject to restrictions as set forth in the Agreement and are licensed with “Restricted Rights” as provided for in FAR 52.227-14, FAR 52.227-19(c), DFAR ###-###-####, and other agency data rights provisions, as applicable. Customer is responsible for ensuring that copies are marked with a restricted rights notices and legends. CMC reserves all rights not expressly granted to Customer.  
25.    PROMOTIONAL MATERIALS. CMC may use Customer’s name and reference the existence of the Agreement and ancillary agreements (without referencing detailed terms and pricing) in marketing materials and presentations.   
26.    MISCELLANEOUS. This Agreement constitutes the entire and exclusive agreement between the parties with respect to the subject matter hereof and supersede all prior and contemporaneous communications, whether written or oral. The Agreement may be modified or amended only by the mutual written agreement of the parties. In the event of a conflict between the Agreement and any term contained in an Exhibit or an Addendum, the following shall be the order of precedence: the Addendum, the Exhibit, the General Terms. Any provision hereof found by a tribunal of competent jurisdiction to be illegal or unenforceable shall be automatically conformed to the minimum requirements of law and all other provisions shall remain in full force and effect. Waiver of any provision hereof in one instance shall not preclude enforcement thereof on future occasions. Headings are for reference purposes only and have no substantive effect. The provisions which by their nature should apply beyond their terms will remain in force after any termination or expiration of this Agreement. Copies of the Agreement and notices generated in accordance herewith shall be treated as original documents admissible into evidence, unless a document's authenticity is genuinely placed into question. The Agreement may be executed in counterparts, each of which shall be deemed an original and together shall be deemed the entire Agreement.

AGREED AND ACCEPTED by the undersigned authorized representatives of the parties as of the date first set forth above.
BRIDGEPOINT EDUCATION INC.
By: /s/ Mike Stansbury                                 
Print: Mike Stansbury                                       
Title: Vice President IT                                    
Date: Jun 30, 2016                                           
CAMPUS MANAGEMENT CORP.
By: /s/ Anders Nessen                                  
Print: Anders Nessen                                       
Title: CFO                                                         
Date: Jun 30, 2016                                            

 



CampusNet IAAS Agreement    Page 8 of 8    Confidential
TA-042516



EXHIBIT A

CAMPUSNET® IAAS TERM AND PRICING
CampusNet IaaS Term:
The initial term is five (5) years, commencing on July 1, 2016 (the “Commencement Date”), which Term shall automatically renew for successive periods of one (1) year each (each a “Renewal Term”), unless either party provides written notice of termination at least ninety (90) days prior to the end of the then-current term. If at such time Customer desires the Renewal Term to be on a month-to-month basis, the Monthly Fees will increase by 20% over the then current rates being offered to new CMC customers at that time.

Minimum Commitment:
Customer is agreeing to a minimum commitment of the following components and software licensing for the term of this Agreement:
COMPONENTS
QUANTITY
UNIT
COMPUTE
[***]
vCPU
STORAGE
[***]
Gigabytes (GB)
MEMORY
[***]
Gigabytes (GB) RAM
BANDWIDTH
[***]
Mbps Bandwidth (In/Out)
PUBLIC IPs
[***]
IP address
VPN ENDPOINTS
[***]
Tunnels

SOFTWARE NAME
LICENSE QUANTITY
UNIT
Citrix XenApp
[***]
Concurrent Users / CALs
Microsoft SQL Server
[***]
Server licenses
Microsoft Windows Server
[***]
Server licenses

Customer has the ability to fluctuate [***]% from the Minimum Commitment in either direction on a monthly basis without impacting the monthly pricing or the need to amend the IaaS agreement.     

Minimum Commitment Pricing:
 
 
SETUP FEE
TOTAL
$[***]

 
MONTHLY FEE
July 1, 2016 – December 30, 2016
$[***]
January 1, 2017 – June 30, 2021
$[***]

Customer shall pay the Setup Fee upon execution of this Agreement.
Customer shall pay the Monthly Fees in accordance with Section 8.



CampusNet IAAS Agreement    Page 1 of 2    Confidential
TA-042516

[***] Confidential portions of this document have been redacted and filed separately with the Commission.



Termination Fee:
Should Customer terminate the CMC IaaS early for convenience pursuant to Section 10, Customer shall promptly pay a termination fee as follows:
Termination Period
Termination Fee
Year One
[***] percent ([***]%) of the fees due for the first year, plus [***] percent ([***]%) of the Monthly Fees due for years 2 through 5 under this Agreement.
Years 2-5
[***] ([***]) percent of the Monthly Fee due for remaining months under this Agreement.
Renewal Term
[***] percent ([***]%) of the fees due for the renewal year.

Downgrade Fee:
Should Customer downgrade services from the Minimum Commitment listed above for convenience, Customer shall promptly pay the following downgrade fee:
Downgrade Period
Downgrade Fee
Years 1-5,
Renewal Term
[***] ([***]) percent of the Monthly Fee for the affected Service multiplied by the number of remaining months under this Agreement.

Discounts/Special Pricing:
The above discounts/special pricing are contingent upon timely payments and no default under this Agreement.

Virtual Private Network (VPN):
CMC will provide termination of an IPSec VPN tunnel into the third party VPN equipment delivered with the VPN set-up (“Ancillary Equipment”).  Customer is hereby granted rights to use the Ancillary Equipment.  To the extent available, CMC passes through all warranties and remedies provided by such third party equipment vendor. Customer will be responsible for management of its terminating VPN equipment at its location, including configuration and provisioning of suitable Internet access to its terminating equipment.  CMC will remain responsible for configuration and provisioning of its equipment at its facility.  CMC may provide remote assistance for the Ancillary Equipment, at cost, as requested by Customer.

Configuration:
CMC Configuration and Deployment Tasks:    
CMC will, with Customer’s assistance, analyze Customer’s current workflow and customer inquiries in order to:
Procure the hardware and software required for running the CMC server and database
Set up the operating system and other required software on the servers
Set up CMC Applications
Set up and configure firewall protection
Set up data Back-ups
Designate emergency contacts at CMC and Customer site

Customer Configuration and Deployment Tasks:
Customer is responsible for the following preparations that will need to be made in accordance with the implementation schedule which will be defined after contract signature:
Customer will provide CMC’s staff with a list of any User Information that Customer wants stored in the database associated with the Applications.
Customer will implement and use the e-mail format and SMTP settings specified by CMC that Customer must use to ensure that all e-mails and data transmissions are received by CMC.
Customer must configure its computers, network router and firewall to allow data to flow between its system and the CMC Applications in a secure manner.
Customer will be responsible for configuring, monitoring and maintaining its computer and software systems including but not limited to system security, Local Area Network, network equipment, network and connections.

CampusNet IAAS Agreement    Page 2 of 2    Confidential
TA-042516

[***] Confidential portions of this document have been redacted and filed separately with the Commission.




EXHIBIT B

CAMPUSNET® IAAS MICROSOFT® LICENSE COMPLIANCE

The undersigned company, a corporation, whose primary place of business is 13500 Evening Creek Drive North, Suite 120, San Diego, California 92128, acknowledges that Campus Management Corp. has advised it as to the following Microsoft License requirements:

1.
Software Licenses
CMC has informed Customer that its software relies on certain functional capabilities of Microsoft Word, Excel, and/or Outlook in order to accomplish various operating tasks. Customer attests that all Customer computers accessing the CMC IaaS have and will maintain current Microsoft licenses in compliance with Microsoft’s Licensing requirements as spelled out in its Software Use Rights.

Customer acknowledges that having three specific software licenses (Word, Excel, and Outlook), or Microsoft Office, for each desktop may fulfill compliance with Microsoft licensing requirements. Alternatively, the recommended option is for each Customer desktop to be licensed to use all Microsoft Office components.

2.
Software Support
Customer further acknowledges that CMC is not responsible for the operation or suitability of any Microsoft product for any business purpose, other than use with the CMC IaaS. Customer agrees that any technical support related to Microsoft products, but not directly related to CMC software, are not the responsibility of CMC.

3.
Software Version Functionality
CMC may periodically recommend newer versions of Microsoft products should Customer’s versions be so outdated as to impair functionality used in future versions of CMC IaaS. CMC will make reasonable efforts to insure that integrated functionality will be backward compatible with earlier versions of Office (Word, Excel, and Outlook) to the greatest extent possible.

4.
Hold Harmless and Indemnity
Customer specifically agrees to hold harmless, indemnify, and defend, CMC, its officers, directors, employees, contractors, and sub-contractors from any license enforcement action(s), infringement suit(s), tort(s), demand(s), or judgment(s), including, without limitation, attorneys’ fees, expenses and all damages, resulting from Customer’s failure to maintain proper software licenses for each of its desktops, or use of unlicensed software on the CMC IaaS. Publically funded state institutions shall be liable for damages incurred by CMC, but shall not be required to also indemnify or hold harmless CMC to the extent applicable state laws expressly prohibit the institution from indemnifying CMC.

5.    General
This Exhibit regarding Microsoft License Compliance incorporates by reference all of the terms and conditions set forth in the Agreement.

AGREED AND ACCEPTED by the undersigned duly authorized representative of Customer.
BRIDGEPOINT EDUCATION INC.
Campus Management
By: [s1]   /s/ Mike Stansbury   
By: [s3]   /s/ Anders Nessen
Print: [p1]   Mike Stansbury   
Print: Anders Nessen
Title: [t1]   Vice President IT   
Title: CFO
Date: [d1]   Jun 30, 2016   
Date: Jun 30, 2016


CampusNet IAAS Agreement Exhibit B    Page 1 of 1    Confidential
TA-042516



EXHIBIT C

CAMPUSNET® IAAS SERVICE LEVEL AGREEMENT

CMC provides this CMC IaaS Service Level Agreement (“SLA”) to the Production Environment included in this scope of this agreement identified in Exhibit A and subject to the terms and conditions below.   

A.    Monthly Service Level

1.
The Service Level is [***]%.

2.
The Monthly Uptime Percentage is calculated for a given calendar month using the following formula:
 
Monthly Uptime Percentage =
Total number of minutes
in a given calendar month
minus
Total number of minutes of Downtime in a given calendar month
Total number of minutes
in a given calendar month
 
B.    Service Availability and Performance

1.
CMC acknowledges that service availability and performance are critical. Customer may report service outages or performance issues via CMC’s ServiceDesk. Additionally, CMC will proactively monitor the overall health and availability of the service. Service availability and performance will be measured using user experience transactions “Transactions” conducted at 5 minute intervals (excluding non-business hours defined below) to validate availability (uptime) and performance (response time) for the following user functions:
a.
CMC and Customer will agree upon the appropriate response times prior to the production environment is built out in the CampusNet data center.
b.
CMC and Customer acknowledge that neither party currently has this monitoring capability deployed and CMC commits to having this within 6 months after the execution of this Agreement.
c.
CMC and Customer agree to review the performance metrics on a yearly basis to ensure the appropriate metrics are being tracked and provide an opportunity to update as mutually agreed upon.

Product
Transaction
Description
Response Time


CampusNexus CRM
Login to CRM
Login to CRM
TBD
Load a lead record
Load a lead record after initial logon
TBD
Run Default Advisor Filter
Run default advisor filter after initial logon
TBD
CampusNexus Student

Login to Student
Login to Student
TBD
Load Student Master
Load a Student Master after initial logon
TBD
View -> Student Accounts -> Ledger Card
View a student’s Ledger Card after initial logon
TBD
View -> Academic Records -> Degree Progress Audit
View a Degree Progress Audit after initial logon
TBD
Daily - > Academic Records -> Schedule Classes -> Filter Term
Bring up a class schedule in edit mode after initial logon
TBD


d.
If the performance SLA is not met and persists for longer than 15 minutes, Customer may deem that the event is materially impactful, and Customer can request the event be treated as an outage for the period of SLA non-compliance, and applicable service credits will apply.
e.
Based on technical changes within the supported Product, CMC will substitute the technology/method used to provide equivalent monitoring as required.

CampusNet IAAS Agreement Exhibit C    Page 1 of 6    Confidential
TA-042516

[***] Confidential portions of this document have been redacted and filed separately with the Commission.




2.
External Web Response Time
a.
A list of URLs can be monitored to record average response time and mimic a real end-user experience.

Product
URL
Description
Response Time

CampusNexus CRM iServices
https://cloud339-web2.campusnet.net/HEFoundationiService/SISConnectorSvc.Asmx

Web service for the connector
TBD

TBD
COF iServices
TBD


CampusVue Portal
https://cloud339-web1rockies.campusnet.net
Website for Rockies’ CampusVue Portal
TBD
https://cloud339-web4ashford.campusnet.net
Website for Ashford’s CampusVue Portal
TBD
Rockies & Ashford TBD
Student Portal logon as measured from within the local data center
TBD

a.
Monitoring of CRM websites will be contingent on the adoption of CRM 10.1 or higher
b.
URLs will be updated with production links once production is available
c.
Based on technical changes within the supported Product, substitute Web Response URLs (or the technical equivalent) may be monitored to as required.


C.    Service Credits

1.
Should the Service Level fall below [***]% for a given month, CMC shall provide a Service Credit as noted in the chart below:
 
Monthly Uptime Percentage
Service Credit*
< [***]%
[***]%
< [***]%
[***]%
<[***]%
[***]%
In the unlikely event of an outage that is over [***] hours from the initial time of reporting and not successfully cutover to the secondary disaster recovery site.
[***]%
 
*Service Credit will be issued against the applicable month’s Subscription Fee paid by Customer for the Service.
 
2.
A Service Credit is Customer’s sole and exclusive remedy for any violation of this SLA.

3.
A Service Credit awarded in any calendar month shall not, under any circumstance, exceed Customer’s monthly Subscription Fee.

D.    Claims

1.
In order to make a Claim, Customer must be in compliance with policies for acceptable use of the Service found in the Agreement.
2.
In order to be eligible to submit a Claim with respect to any Incident, Customer must first have notified CMC support service of the Incident within five (5) business days following an Incident by calling ###-###-#### or by e-mailing CMC Support at ***@***. Customer must provide all reasonable details regarding the Incident including but not limited to, detailed description of the Incident, the duration of the Incident, the number of affected users and the locations of such users and any attempts made by Customer to resolve the Incident.
3.
Customer must submit the Claim to CMC support service by calling ###-###-#### or e-mail at ***@*** and providing any additional evidence reasonably required by CMC to support the Claim (as set forth in Section C(2) above), by the end of the month following the month in which the Incident which is the subject of the Claim occurs (for example, Incident occurs on January 15th, Customer provides Notice on January 20th, Customer must provide sufficient evidence to support Claim by February 28th).


CampusNet IAAS Agreement Exhibit C    Page 2 of 6    Confidential
TA-042516

[***] Confidential portions of this document have been redacted and filed separately with the Commission.



4.
CMC will use all information reasonably available to it to validate Claims and make a good faith judgment on whether the SLA and Service Levels apply to the Claim.

5.
CMC will use commercially reasonable efforts to process Claims within 30 days.

E.    Exclusions

1.
Downtime does not include:
a.    The period of time when the Service is not available as a result of Scheduled Downtime; or
b.    Performance or availability issues that may affect the Service:
i.    Due to factors outside CMC’s reasonable control;
ii.    Related to add-on features for the Service, including, but not limited to Reporting Services;
iii.    That resulted from Customer’s or third party hardware, software or services;
iv.    That resulted from actions or inactions of Customer or third parties;
v.
That resulted from actions or inactions by Customer or Customer’s employees, agents, contractors, or vendors, or anyone gaining access to CMC’s network by means of Customer’s passwords or equipment. 
vi.
That were caused by Customer’s use of the Service after CMC advised Customer to modify its use of the Service, if Customer did not modify its use as advised; or
viii.
Through Customer’s use of beta, trial offers, early access programs and/or demos (as determined by CMC).

F.    General Support and Service Incident Response Targets:

1.
Standard Hours of CampusNet Support
a.
Normal Business Hours are defined as 8:00 AM Eastern Time to 8:00 PM Eastern Time, Monday through Friday and exclude public holidays and CMC observed holidays.
2.
Emergency Support
a.
Emergency support is provided 24x7x365 as defined in the Response Times
3.
Response Times
a.
Response times listed below reflect targets and are not contractual obligations. Response time commitments do not promise a complete resolution within the stated time frames. Rather, the time commitment is intended to indicate the estimated target time interval in which the Client will be contacted by CMC after CMC initial triage and confirmation from the Client to verify the severity of the incident. All Severity One issues need to be submitted telephonically as well as through ServiceDsk.

Response Times – Normal Business Hours


Severity Level
Description – Normal Business Hours
Initial Response Time
Notification Schedule
1 – Critical
•    Production Emergency
o    Inoperability of critical business functions with no reasonable workaround available
o    Significant data corruption with no reasonable workaround available
o    Significant financial impact with no reasonable workaround available
•    Reasonable workaround may not be possible.  If it is then this should be downgraded to a Severity 2
15 Minutes
Every 60 minutes after triage via email or phone until resolution and via ServiceDesk incident management tool.


CampusNet IAAS Agreement Exhibit C    Page 3 of 6    Confidential
TA-042516





Severity Level
Description – Normal Business Hours
Initial Response Time
Notification Schedule
2 – High
•    Implementation Emergency
o    Impedes (does not allow the product to be installed and deployed) progress during the implementation phase of the project
•    Go-live
o    Is not impeding progress during implementation, but is required to be resolved prior to going into production
•    Any partial business down scenario or significant productivity impact to the customer
    Reasonable workaround possible - WITHOUT requiring any significant effort on the customers part
1 Hours
Updates via ServiceDesk incident management tool.
3 – Medium
•    A reasonable workaround is/may be available - product is functional and does not create bad data
•    Product is fully functional but the issue may create a negative impression on the quality and/or functional capabilities of the product
•    No business down scenario but productivity impact such as performance or process
12 Hours
Updates via ServiceDesk incident management tool.
4 – Low
•    Usability and/or moderate functionality or low impact performance issues
•    Low impact and low frequency type issues

24 Hours
Updates via ServiceDesk incident management tool.

Response Times – After Hours Business Hours

Severity Level
Description – Normal Business Hours
Initial Response Time
Notification Schedule
“1” Critical
•    Production Emergency
o    Inoperability of critical business functions with no reasonable workaround available
o    Significant data corruption with no reasonable workaround available
o    Significant financial impact with no reasonable workaround available
Reasonable workaround may not be possible.  If it is then this should be downgraded to a Severity 2
30 Minutes
Every 60 minutes after triage via email or phone until resolution and via ServiceDesk incident management tool.


CampusNet IAAS Agreement Exhibit C    Page 4 of 6    Confidential
TA-042516





Severity Level
Description – Normal Business Hours
Initial Response Time
Notification Schedule
“2” High
•    Implementation Emergency
o    Impedes (does not allow the product to be installed and deployed) progress during the implementation phase of the project
•    Go-live
o    Is not impeding progress during implementation, but is required to be resolved prior to going into production
•    Any partial business down scenario or significant productivity impact to the customer
Reasonable workaround possible - WITHOUT requiring any significant effort on the customers part
Next business day as defined under Normal Business Hours
Updates via ServiceDesk incident management tool.
“3” Medium
•    A reasonable workaround is/may be available - product is functional and does not create bad data
•    Product is fully functional but the issue may create a negative impression on the quality and/or functional capabilities of the product
No business down scenario but productivity impact such as performance or process
Next business day as defined under Normal Business Hours
Updates via ServiceDesk incident management tool.
“4” Low
•    Usability and/or moderate functionality or low impact performance issues
•    Low impact and low frequency type issues

Next business day as defined under Normal Business Hours
Updates via ServiceDesk incident management tool.



G.    Definitions:

1.
“Agreement” means the CampusNet® IaaS Agreement that governs the Service.

2.
“Claim” means a claim submitted by Customer to CMC that a Service Level under this SLA has not been met and that a Service Credit may be due to Customer.

3.
“CMC” means Campus Management Corp.

4.
“Customer” means the person or organization that contracted for Services under the Agreement.

5.
“Downtime” means a period of time when Customers are unable to access the Service at the furthest point on CMC’s firewall facing the public Internet.

6.
“Exclusions” means the performance or availability issues that are noted in Section D.

7.
“Incident” means a set of circumstances resulting in an inability to meet a Service Level.

8.
“Notice” means that within five (5) business days following an Incident, Customer must notify Customer Support of the Incident.

9.
“Service” or “Services” means the infrastructure as a service provided to Customer pursuant to the Agreement.

10.
“Scheduled Downtime” means published maintenance windows or times where CMC notifies Customer of periods of Downtime for scheduled network, hardware, Service maintenance or Service upgrades at least twenty-four (24) hours prior to the commencement of such Downtime, except for unforeseen emergency maintenance that can be carried out during the next published maintenance window.

11.
“Service Credit” means the amount credited to Customer by CMC for a validated Claim.





CampusNet IAAS Agreement Exhibit C    Page 5 of 6    Confidential
TA-042516





12.
“Service Level” means the percentage of Service availability for a given month that CMC agrees to provide Customer, which is measured by the Monthly Uptime Percentage.

13.
“Subscription Fee” means the monthly amount that Customer pays CMC for their subscription to the Service.



CampusNet IAAS Agreement Exhibit C    Page 6 of 6    Confidential
TA-042516





EXHIBIT D

CAMPUSNET® ROLES AND RESPONSIBLITIES

CMC and Customer have identified and agreed upon the high-level roles and responsibilities that are necessary to provide the services outlined within this Agreement. This list is not meant to be all inclusive and CMC and Customer can make mutually agreeable changes in the future with a contract addendum.

A.    CMC and Customer agree to adhere to the following Roles and Responsibilities as outlined below. If there is a conflict or dispute on a specific point, CMC and Customer agree to mutually resolve any immediate critical issues (as defined in Exhibit C, Section F of this Agreement). Thereafter, CMC and Customer can make modifications to the Roles and Responsibilities as needed.

[***]




















CampusNet IAAS Agreement Exhibit D    Page 1 of 8    Confidential
TA-042516

[***] Confidential portions of this document have been redacted and filed separately with the Commission.



EXHIBIT E

CAMPUSNET® IAAS SECURITY

In addition to the default hardware provided and the security measures in place with the standard IaaS offering, CMC will provide Customer with the following:   

A.    Encryption Key Management

1.
CMC agrees to rotate the encryption keys for the data storage used by Customer every two years commencing on the Commencement Date.


B.    Firewall (Perimeter)

1.
CMC agrees to a technology refresh of the existing perimeter firewalls to more current technology on or before June 30, 2017.




CampusNet IAAS Agreement Exhibit E    Page 1 of 1    Confidential
TA-042516