Master Agreement for Subcontracted Services Statement of Work

Contract Categories: Business Operations - Services Agreements
EX-10.47 8 ex1047.htm IBM STATEMENT OF WORK FOR CIGNA IBM Statement of Work for CIGNA
 
Exhibit 10.47
[*] = CERTAIN INFORMATION IN THIS EXHIBIT HAS BEEN OMITTED AND FILED SEPARATELY WITH THE COMMISSION.  CONFIDENTIAL TREATMENT HAS BEEN REQUESTED WITH RESPECT TO THE OMITTED PORTIONS.
 
Master Agreement for Subcontracted Services
Statement of Work
MASS Agreement #4902A20003
SOW #4906AT0073

This Statement of Work ("SOW")#4906AT0073 adopts and incorporates by reference the terms and conditions of the Master Agreement for Subcontracted Services - IBM as Prime # 4902A20003 (the “Agreement” or “MASS”), between International Business Machines Corporation (“IBM” or “Buyer”), and Chordiant Software, Inc. (“Supplier” or “Chordiant”). This SOW is effective beginning on the latest date of signature by both parties and will remain in effect until [*] (the “Initial Term”). Transactions performed under this SOW will be conducted in accordance with and be subject to the terms and conditions of this SOW, the Agreement, and any other applicable attachments or amendments. In the event of any conflict between this SOW, or the Agreement, this SOW will govern and any applicable Work Authorizations (“WAs”). This SOW is not a WA.

Not withstanding anything in the MASS to the contrary, the MASS shall remain in effect with respect to this SOW through the term of this SOW.

1.0  
SCOPE OF WORK
Supplier resources will assist Buyer with the following services for the Call Center Application (CCA) Tower Project for CIGNA Corporation (“CIGNA” or “Customer”):

1.1  
Support of JSF SDK to Enable Portlet Development

Supplier will provide JSF SDK support in Chordiant Foundation which will provide the platform on which to build portlets for the reference CIGNA Architecture. Chordiant will demonstrate JSF/SDK test scenarios in lab environment.
 
Definition of Chordiant JSF SDK
The JSF SDK allows developers to build Java Server Faces user interfaces which connect with Chordiant processes (via the Interaction Controller), and Chordiant business services. JSF SDK pages can be hosted by the existing Chordiant Cafe desktop, or alternative custom desktops. The contents of this JSF SDK are:
-  [*]

The JSF SDK will be used by Buyer, with Supplier’s support, to deliver a Reference Build. The reference build will provide the following:
-  [*]


1.2  
Services Support for CIGNA Development & Build Effort

Supplier will assist Buyer in the following activities of the CIGNA Call Center Application (CCA) Tower Project:
·  
Support the baseline Portlet development by providing [*] hours of architect support to assist with initial JSF SDK implementation, the Reference Architecture outlined above and the Portlet development. (These hours are included in the total hours noted in Section 3.0.)
·  
Assist with the high and low level design of the Chordiant functional solution
·  
Provide guidance and mentoring on how to maximize the value from the Chordiant product
·  
Assist with the high and low level design of Chordiant software integration in the overall architecture
·  
Provide guidance and mentoring on techniques to extend the Chordiant Physical Data Model and the Chordiant Business Object Model
·  
Assist with the extension of the Chordiant Physical Data Model and the Chordiant Business Object Model
·  
Assist with the design and development of Chordiant Business Flows and Chordiant Business Services
·  
Assist with design and development of Chordiant Queue management
·  
Assist with the installation and configuration of the Chordiant solution in the customer environments
·  
Assist with performance testing and tuning the Chordiant solution
·  
Provide Subject Matter Expertise for Information Technology Governance related to managing a Chordiant engagement leveraging Harmony Methodology, Chordiant Product and Chordiant Integration Architecture

2.0  
SUPPLIER ROLES

Supplier will provide consultants for the following type(s) of roles:

o  
Technical Architect
o  
Functional Architect
o  
Consultancy Services Manager
o  
Data Architect
o  
Portal Architect
o  
Application Architect
o  
Business Analyst
o  
Class Modeler
o  
Interaction Flow Designer
o  
Business Services Designer
o  
Performance Tuning Specialist
o  
Infrastructure Architect

3.0  
COMPLETION CRITERIA
Supplier will have fulfilled its obligations under this SOW when anyone of the following first occurs:
·  
IBM has agreed that Supplier has provided the hours as defined in Section 5.0 below in this Statement of Work or
·  
Either party terminates the SOW in accordance with the provisions of the Master Agreement for Subcontractor Services, or IBM terminates the SOW upon thirty days prior written notice.


4.0  
SUPPLIER’S RESPONSIBILITIES
In addition to delivering the Services on schedule, Supplier will:
·  
Participate in progress reviews, as requested by Buyer, to demonstrate Supplier’s performance of its obligations;
·  
As part of Supplier’s importation requirements, provide to Buyer on the commercial invoice:
·  
An invoice description that provides enough detail to verify the effort and time period expended for the month.

5.0  
PAYMENTS
Supplier services will be payable and invoiced to Buyer on a time and materials basis at rates provided in the table below per consultant, plus applicable sales taxes and expenses; total estimated to be [*] for Supplier Services as follows:

Table 1

Positions
Roles
Estimated Hours
Hourly Rates
Technical Architect
Technical Architect
Functional Architect
Performance Tuning Specialist
Data Architect
Portal Architect
Application Architect
Infrastructure Architect
Interaction Flow Designer
Business Services Designer
[*]
$[*]
Consultancy Services Manager
Consultancy Services Manager
[*]
$[*]
Business Analyst
Business Analyst
Class Modeler
[*]
$[*]
Total Estimated Hours
 
[*]
 

  The service fee estimate related for the Supplier Services described under this SOW is intended to be an estimate for Buyer's budgeting and Supplier's resource scheduling purposes; the estimate does not include expenses or taxes. Once fees for services reach this estimate, Supplier will cooperate with Buyer to provide continuing services on a time and materials basis or at Buyer’s direction, stop performing services. In the event that additional services are required, Buyer and Supplier will handle such services through the Change Control Process and such additional services will be mutually agreed to by both parties. All amounts due to Supplier hereunder will be invoiced monthly. All such invoices shall be payable net 45 days for this SOW only. Actual travel and living expenses are in addition to the service fees. Chordiant will be reimbursed for actual expenses incurred and adhere to the IBM expense policy. Chordiant will work with IBM to manage expenses.
  
  All travel and living invoices are at actual cost with no mark-up. (Buyer will reimburse Supplier for the following travel expenses only, provided they are incurred in performance of this SOW and with Buyer’s prior written approval: (i) tolls, parking fees, taxis, buses or auto rentals fees for autos rented from a Buyer designated rental company; (ii) personal automobile use under the applicable automobile allowance plan, excluding normal commutation; (iii) air transportation at the economy, tourist or coach class rate for the most direct route of a scheduled airline; (iv) reasonable lodging charges for the immediate area; (v) reasonable and actual meal expenses; (vi) necessary business calls made on Buyer’s behalf; (vii) reasonable tipping; (viii) reasonable valet and laundry charges if a trip extends beyond four consecutive (4) days. Supplier must submit an invoice listing all travel expenses, and all applicable receipts for lodging, airline travel, rental cars or any other reimbursable expenditure to the Technical Coordinator. Buyer will not reimburse Supplier for personal expenses.)

The rates provided in the above table are only relevant to the SOW. Buyer may request up to an additional 10,000 hours based on the rates in the table above. Any additional hours beyond the table above and 10,000 hours will be billed at the following rates:

Table 2


Positions
Hourly Rates
Technical Architect
$[*]
Consultancy Services Manager
$[*]
Business Analyst
$[*]
Developer
$[*]

For services billed under Table 2, actual travel and living expenses are in addition to the service fees.


6.0  
SUPPLIER SOFTWARE

Buyer and Supplier will enter into an order form regarding the purchase and resale of Supplier Software by Buyer to Customer in the form attached as Exhibit 4-D hereto (the “Order Form”), and Supplier and Customer will enter into a software license agreement in the form attached as Exhibit 4-E hereto (the “End User Agreement”), which End User Agreement contains the terms and conditions, including warranty and indemnification, governing Customer’s use of the Supplier Software.

6.1 Documentation.
 
Following execution of the Order Form and the End User Agreement, Supplier shall deliver to Buyer on behalf of the Customer one copy of the Supplier Software (via CD-Rom or electronic download) and all necessary and reasonable documentation, including user, systems, operating and program manuals for the Supplier Software which Supplier customarily provides to end user licensees of the Supplier Software.

7.0  
ASSET PROTECTION
In the event that assets are loaned to Supplier and there is no separate loan agreement in place between Buyer and Supplier for those assets, Supplier will be responsible for risk of loss and for the return of those assets to Buyer.

8.0  
SUPPLIER SUPPORT SERVICES

The ongoing support and maintenance obligations for the Supplier Software are set forth in Exhibit 1 hereto (the “Service Level Agreement”). So long as Buyer has paid the annual support and maintenance fee under the Order Form, Supplier is then offering support and maintenance services for the Supplier Software and neither Buyer nor Customer has otherwise breached any provision of the End User Agreement, Supplier shall provide the support and maintenance services specified on the Service Level Agreement to Buyer on behalf of Customer. With regard to the provision of support and maintenance services under the Service Level Agreement, for so long as the Service Level Agreement is in effect, Supplier shall comply with Sections 16 (Security), 27 (Audit), 25 (Compliance), 38 (Confidentiality) and 39 (IBM Data). The Service Level Agreement shall survive the termination of this SOW, so long as Buyer has paid the annual support and maintenance fee under the Order Form, Supplier is then offering support and maintenance services for the Supplier Software and neither Buyer nor Customer has otherwise breached any provision of the End User Agreement.

10.0 Buyer's Responsibilities
 
Responsibilities. Attachment A-1
 
Buyer and the IBM team when necessary has the right to interview and approve staffing before supplier personnel are brought onto the project.
 
In addition to Buyer's responsibilities as expressly set forth elsewhere in this SOW or the Base Agreement, Buyer shall be responsible for the following:
 
 
Buyer shall designate one individual to communicate directly with the Supplier Account Executive, to whom all Supplier communications concerning this SOW shall be addressed ( “the Relationship Manager").
 
 
Buyer shall cooperate with Supplier, including by making available timely management decisions, information, approvals and acceptances, as reasonably requested by Supplier so that Supplier may accomplish its obligations and responsibilities hereunder. The Relationship Manager, or his or her designee, will be the principal point of contact for obtaining such decisions, information, approvals and acceptances. Only personnel as expressly so designated by Buyer will be authorized to make commitments on the part of Buyer that amend this SOW.
 

12.0 Communications
All communications between the parties will be carried out through the following designated coordinators. All notices required in writing under this Agreement will be made to the appropriate contact listed below at the following addresses and will be effective upon actual receipt. Notices may be transmitted electronically, by registered or certified mail, or courier. All notices, with the exception of legal notices, may also be provided by facsimile.



Business Coordinators
FOR SUPPLIER
 
FOR BUYER
 
Name
  [*]
Name
  [*]
Title
  Sales Manager
Title
  Partner
Address
  8 Commerce Drive
  Bedford, NH 03110
Address
  55 Main St, 1 Financial Plaza, Hartford, Ct.
Phone
  [*]
Phone
  [*]
Fax
  [*]
Fax
  [*]
E-mail
  [*]
E-mail
  [*]

Legal Coordinators
FOR SUPPLIER
 
FOR BUYER
 
Name
  Derek Witte
Name
  [*]
Title
  General Counsel
Title
  Procurement Solution Advisor
Address
  20400 Stevens Creek Blvd.
  Cupertino, CA 95014
Address
 
Phone
  [*]
Phone
  [*]
Fax
  [*]
Fax
 
E-mail
  [*]
E-mail
  [*]

Technical Coordinators
FOR SUPPLIER
 
FOR BUYER
 
Name
  [*]
Name
  [*]
Title
  Sales Manager
Title
  same as above
Address
  8 Commerce Drive
  Bedford, NH 03110
Address
 
Phone
  [*]
Phone
 
Fax
  [*]
Fax
 
E-mail
  [*]
E-mail
 


13.0 Electronic Commerce

Unless previously submitted by Supplier, in order to initiate electronic transfer of payments associated with this SOW, Supplier will complete the attached form entitled “Authorization for Electronic Funds Transfer” and fax the completed form to Accounts Payable at the number included on the form.

Unless previously submitted by Supplier, in order to initiate electronic transfer of payments associated with this SOW, Supplier will provide the required information in the attachment entitled “Electronic Funds Transfer.”

14.0 Training.
 
Supplier shall be responsible for the training of Supplier Personnel at no additional cost to Buyer. This training includes all new-hire training of all types (including with respect to technical and domain requirements and necessary cultural and communication skills) prior to the point when the Supplier employee is qualified to meet the skill set requirements for his or her respective activities under the Subcontract, including so that such Supplier Personnel has expertise with Supplier’s then-in-effect architecture and technology. Supplier shall provide training necessary to meet all compliance requirements mandated on a country, state, federal or local level for the duties performed in connection with the Supplier’s Supplier Services.
 
Any training required on Supplier Software for Buyer or Customer personnel will be charged at the following rates:
 
Course
# Days
Tuition
per person per course
Chordiant Foundation Server
   
CSF - Technical Developer
[*]
$ [*]
CSF - Technical Developer Sandpit
[*]
$ [*]
CSF - Design
[*]
$ [*]
Business Analyst
[*]
$ [*]
Business Analyst Sandpit
[*]
$ [*]
     
Chordiant Certifications
 
 
Technical Developer (CCTD)
[*]
$ [*]
Business Analyst (CCBA)
[*]
$ [*]

 
Subcontractor shall retain IBM specific training materials and other documentation used in connection with the Subcontractor’s Subcontractor Services in accordance with IBM provided record retention policies and CIGNA’s seven year retention requirement.
 
16.0 Security
 
Throughout the Subcontract Term and the Termination Assistance Period, Supplier shall, at no additional cost to Buyer, maintain the security requirements specified in Exhibit 4-C. 
 
17.0 Supplier Personnel Equipment.
 
Except for the IBM Equipment Buyer shall provide pursuant to the Subcontract (including CIGNA Equipment provided by Buyer), Supplier shall provide to Supplier Personnel all standard desktop computer Equipment and Software required to perform the Supplier Services (including standard Microsoft Office products or compatible, functionally equivalent products that are compatible with IBM identified systems, e-mail and LAN/WAN servers). Buyer and Supplier shall agree on the necessary set of application-specific tools, and which items Supplier shall provide and which items Buyer shall provide. Supplier shall provide all office equipment (including PCs), consumables, services and the like required to support Supplier Personnel at Supplier Service Locations.
 
20.0 IBM/CIGNA Facilities

  20.1 Use of IBM/CIGNA Service Locations. The IBM/CIGNA Service Locations shall be made available to Supplier on an “as is, where is” basis. Supplier shall follow any directions of Buyer with respect to the use of such space. Supplier and Supplier Agents shall: (a) keep the IBM/CIGNA Service Locations in good order; (b) not commit or permit waste or damage to such facilities; (c) not use such facilities for any unlawful purpose; and (d) act and comply with all of Buyer’s and CIGNA’s standard policies and procedures, which have been provided to Supplier in writing (for the avoidance of doubt, electronic notification is considered “in writing”), as in effect from time to time, including procedures for the physical security of the IBM/CIGNA Service Locations, including those set forth on Exhibit 3 hereto. Supplier shall be responsible for damage to the IBM/CIGNA Service Locations caused by Supplier or Supplier Agents, subject to reasonable wear and tear. Subcontractor shall not make any improvements or changes involving structural, mechanical or electrical alterations to such space without IBM’s or CIGNA’s prior written consent. Improvements to the IBM/CIGNA Service Locations shall become the property of IBM or CIGNA (as applicable). When the IBM/CIGNA Service Locations are no longer required for performance of the Subcontractor Services, Subcontractor shall return the IBM/CIGNA Service Locations to IBM or CIGNA in substantially the same condition as when Subcontractor began use of the facilities, subject to reasonable wear and tear. Supplier shall permit Buyer of CIGNA and Buyer’s or CIGNA’s designees to enter into those portions of the IBM/CIGNA Service Locations occupied by Supplier’s staff at any time. Except for the IBM/CIGNA Service Locations described in this Subcontract which shall be made available to Supplier, Supplier shall be responsible for providing all other space that is necessary to provide the Supplier Services at Supplier’s own or other facilities. Supplier acknowledges that the location of the IBM/CIGNA Service Locations may change and Supplier shall provide the Supplier Services with respect to any such relocated IBM/CIGNA Service Locations at the same cost, subject to Buyer being financially responsible for Supplier’s incremental expenses for a Buyer-initiated relocation of the Supplier Services to any such relocated IBM/CIGNA Service Location, but Subcontractor shall use commercially reasonable efforts to avoid any significant incremental expenses above the expense estimate set forth in Section 5.0 above and shall notify IBM the of any incremental expense increase and additional Subcontractor Services Charges, if any, for compliance with IBM’s direction to relocate such Subcontractor Services.
 
  20.2 Use of IBM/CIGNA Facility Items. Buyer and CIGNA shall provide reasonable use of IBM/CIGNA Facility Items substantially equivalent to those made available by Buyer or CIGNA to its own personnel who perform similar functions. Supplier may only use the IBM/CIGNA Facility Items for the sole and exclusive purpose of providing the Supplier Services. Any other uses are subject to the prior written approval of Buyer or CIGNA in their discretion. Supplier shall keep and use the IBM/CIGNA Facility Items in a reasonable and efficient manner. Supplier shall not commit waste or damage to the IBM/CIGNA Facility Items or use them for any unlawful purpose or act. Supplier is responsible for any damage to IBM/CIGNA Facility Items resulting from the abuse, misuse, neglect or gross negligence of Supplier (or its subcontractors or other guests) or other failure to comply with its obligations respecting such resources. Supplier shall (and shall cause Supplier Personnel to) review, be knowledgeable of and comply with Buyer’s and CIGNA’s policies and procedures regarding access to and use of the IBM/CIGNA Facility Items which have been provided to Supplier in writing, including procedures for physical and logical security, including those set forth on Exhibit 2 hereto, and shall follow any of Buyer’s reasonable directions with respect to the use of such items.
 
  20.3 No Violation of Laws. Supplier shall: (a) treat, use and maintain the IBM/CIGNA Service Locations in a reasonable manner, but in no event to a lesser standard than it maintains for its own locations; and (b) not commit, and use all reasonable efforts to ensure that no Supplier employees nor Supplier Agents commit, any act in violation of any Laws in such Supplier occupied IBM/CIGNA Service Location or any act in violation of Buyer’s of CIGNA’s insurance policies or in breach of Buyer’s or CIGNA’s obligations under the applicable real estate leases for such Supplier occupied IBM/CIGNA Service Locations, in each case of which Supplier is apprised in writing by Buyer.
 
  22.0 Safety and Security Procedures. 

 
22.1 While at the IBM/CIGNA Service Locations, Supplier’s employees and the Supplier Agents shall comply with Buyer’s and CIGNA’s reasonable requests, rules and regulations regarding personnel and professional conduct (including the wearing of an identification badge and adhering to regulations and general safety practices or procedures), which have been provided to Supplier in writing (for the avoidance of doubt, electronic notification is considered “in writing”), including the regulations set forth in Exhibit 4-C hereto and otherwise conduct themselves in a businesslike and professional manner.
 
 

 
22.2   Except as otherwise designated, at IBM/CIGNA Service Locations, smoking is prohibited inside all buildings operated or occupied by Buyer or CIGNA, including leased offices and at off-site IBM/CIGNA sponsored conferences and meetings.
 
22.3 If operating at a IBM/CIGNA Service Location, Supplier shall be responsible for adhering to all individual IBM and CIGNA Safety, Occupational Health, Environmental and Operational procedures provided to Supplier in writing in a manner timely enough to enable compliance and updated regularly to allow Buyer to ensure their currency and to all local, state, and federal laws and regulations, including Occupational Safety and Health Act (OSHA) and Environmental Protection Agency (EPA).
 
 
22.4 If located at an IBM/CIGNA Service Location, Supplier shall immediately notify Buyer or CIGNA security department (as appropriate) in the event of a fire or other emergency by calling the emergency telephone number. Supplier shall train all employees located at IBM/CIGNA Service Locations to respond to fire, civil defense, bomb threats, evacuations, and other emergencies alarms, based on procedures established by Buyer or CIGNA which have been provided to Supplier in writing (for the avoidance of doubt, electronic notification is considered “in writing”).
 
 

 
22.5 If the Supplier notices any condition at an IBM/CIGNA Service Location that is unsafe, unhealthy, or in any other way could cause an accident, Supplier shall notify Buyer immediately, if correction of the condition shall take more than routine attention, or remedy the condition, if correction of the condition shall take only minimal attention.
 
23.0 Cooperation.
 
To the extent Buyer performs any of the Supplier Services, or retains IBM Third Party Contractors to do so, Supplier shall fully cooperate with and work in good faith with Buyer and IBM Third Party Contractors as reasonably directed by Buyer. Such cooperation may include (subject to Supplier’s reasonable and appropriate security and confidentiality requirements): (a) providing access to any facilities being used to provide the Supplier Services, as necessary for IBM Third Party Contractors to perform the work assigned to them; (b) providing access (remotely or onsite as requested by Buyer) to the Equipment, Software and/or systems used to provide the Supplier Services; (c) reasonable integration activities to ensure compatibility of systems/products/services of the total solution; and (d) providing written requirements, standards, policies or other documentation for the Supplier Services and for the Equipment, Software or systems procured, operated, supported or used by Supplier in connection therewith. The Parties shall cooperate in good faith to ensure smooth performance of the Supplier Services. To that end, there shall be a continuous exchange of information between the Parties with respect to, but not limited to, the Supplier Services, quality control and encountered difficulties. Supplier will provide the cooperation called for in this Section 23.0 on a time and materials basis for services performed at the rates provided in Section 5.0 above, and on the basis of actual cost for expenses incurred. Supplier will inform and discuss any additional work or expenses with Buyer before incurring such cost or expense.
 
24.0 Notification.
 
Supplier shall immediately notify Buyer when it becomes aware that an act or omission of an IBM Third Party Contractor shall cause, or has caused, a problem or delay in providing the Supplier Services, and shall use commercially reasonable efforts to work with Buyer to prevent or circumvent such problem or delay. Supplier and Buyer shall cooperate with each other to resolve differences and conflicts arising between the Supplier Services and other activities undertaken by Buyer or any of the IBM Third Party Contractors. 
 
25.0 COMPLIANCE 
 
25.1 Governmental Approvals. Supplier shall obtain, provide, file and maintain all Governmental Approvals that are necessary for Supplier or Supplier Agents to commence and complete the Supplier’s provision of the Supplier Services. Upon Supplier’s reasonable request, Buyer shall cooperate with and assist Supplier in obtaining any Governmental Approvals, to the extent reasonably possible. Supplier shall have financial responsibility for all fees and taxes associated with obtaining and maintaining all Governmental Approvals.
 
(a) Without limiting Supplier’s obligations under this Section, Supplier shall be responsible for monitoring and properly notifying Buyer of any Governmental Approvals required in connection with providing the Supplier Services from the Offshore Locations.
 
(b) Buyer shall have the right to terminate upon notice to Supplier the relevant portion of any SOW if the foregoing Governmental Approvals are not obtained or provided within the required time frames, and the charges thereafter will be equitably adjusted to reflect such removal.
 
25.2 Compliance with Laws. Supplier (and Supplier’s Affiliates) and Supplier Personnel shall comply with all laws. If Supplier becomes aware of non-compliance with any laws, Supplier shall promptly notify Buyer in writing. Supplier shall provide Buyer with, upon request, data and reports necessary for Buyer to comply with all laws. If Supplier maintains any records required in electronic form, such records and their confidentiality shall comply with all applicable laws. Supplier shall be responsible for any fines and penalties imposed on Supplier resulting from the failure of Supplier, Supplier Personnel to comply with laws.
 
25.3 Compliance with Laws in Offshore Locations. Supplier shall be responsible for monitoring and complying with all laws relating to licensing, import-export, data flows, technology transfers (but excluding tax laws), applicable to its performance of the Supplier Services from the Offshore Locations. All costs relating to the compliance with such laws shall be paid by Supplier, except that conforming changes to IBM/CIGNA systems to receive the Supplier Services shall be handled by Buyer or CIGNA at their own cost unless the change is a part of the Supplier Services under a Statement of Work. Buyer shall provide reasonable assistance to Supplier in connection with such compliance as requested by Supplier.
 
25.4 Compliance with Privacy Regulations. Subcontractor shall comply with: (a) the European Commission Data Protection Directive (95/46/EC) or Data Protection Act 1998 or any implementing or related legislation of any member state in the European Economic Area; (b) the Health Insurance Portability and Accountability Act of 1996; (c) subject to 15.5, the Sarbanes-Oxley Act of 2002 (Pub. L. 107-204, 116 Stat. 745); and (d) any other applicable data protection laws or regulations to the extent applicable to Subcontractor’s provision of the Subcontractor Services. Specific provisions relating to HIPAA and data protection laws are set forth in Exhibit 13 hereto.
 
25.6 Interpretation of CIGNA Laws. CIGNA shall have final approval over the interpretation and application, and the appropriate method for complying with any CIGNA Laws (i.e., laws that are specific to CIGNA’s business). Supplier (and Supplier’s Affiliates), Supplier Agents, and Supplier Personnel shall comply with all such CIGNA written directions in this regard.
 
27.0 AUDIT
 
27.1 Books and Records. Supplier shall keep and maintain, in accordance with generally accepted accounting principals and practices, and make available for the inspection, examination and audit by Buyer, its authorized employees, agents or representatives and auditors (“IBM Auditors”), upon reasonable notice, complete and accurate books and records in connection with the Service, as necessary to: (a) demonstrate Supplier’s compliance with its obligations under this Subcontract; (b) verify volumes, charges and resource utilization and payment by Supplier of all license, maintenance and other service fees required in connection with the performance of the Supplier Services in accordance with this Subcontract; (c) comply with all applicable Laws; and (d) verify data security measures, pre-placement checks physical security measures related to this Subcontract. Supplier shall permit and cooperate with any audit conducted by Buyer or IBM Auditors. Upon reasonable notice, but not more than once annually, at the sole expense of Buyer, IBM Auditors shall have the right to inspect and audit Supplier’s books, records, systems and operations related to the Supplier Services.
 
27.2 Facilities and Personnel. Supplier shall provide to IBM’s Auditors access upon request to any facility or part of a facility at which Supplier is providing the Supplier Services, to Supplier Personnel, and to data and records relating to the Supplier Services for the purposes of performing audits and inspections of Buyer and its business to verify the integrity of IBM Data and to examine the systems related to the Supplier Services that process, store, support and transmit that data. The foregoing audit rights shall include audits: (a) of practices and procedures; (b) of systems; (c) of security practices and procedures; (d) of disaster recovery and backup procedures; (e) necessary to enable Buyer to meet applicable Laws; and (f) of any Supplier quality assurance processes. 
 
27.3 Fee Audit.
 
a. Upon Buyer’s request, Supplier shall provide IBM’s Auditors with access to such financial records and supporting documentation to the extent necessary to ascertain the correctness of fees due and payable to Supplier hereunder, as may be requested by Buyer or IBM’s Auditors. Such IBM Auditors may audit any of the charges charged to Buyer to determine if such fees are accurate and in accordance with this Subcontract.
 
b. If it is determined that Supplier has overcharged Buyer, IBM shall notify Supplier of the amount of such overcharge and Supplier shall promptly pay to Buyer the amount of the overcharge, plus interest at the rate of 1.5% per month calculated from the date of receipt by Supplier of the overcharged amount until the date of payment to Buyer.
 
c. In addition to Buyer’s rights set forth in Section (b) above, if any such audit reveals an overcharge to Buyer of 5% or more of the aggregate fees being audited Supplier shall, at Buyer’s option, issue to Buyer a credit against the Service Charges or reimburse Buyer, in either case, for the reasonable cost of such audit, provided such audit is not performed on a contingency fee basis.
 
27.4 Cooperation
 
a. Supplier and Supplier Personnel shall assist and cooperate with Buyer or its designees in connection with audit functions and with regard to examinations by regulatory authorities. Supplier shall provide such assistance as reasonably required to carry out the audits, including: (i) providing use of Supplier locations, facilities and resources, including space, office furnishings (including lockable cabinets), telephone and facsimile services, utilities, office-related equipment and duplicating services; and (ii) installing and operating audit software. For the avoidance of doubt, reasonable audit cooperation is part of the Supplier Services (including participation from accountants and other Supplier finance personnel) and shall not be counted against resource utilization. Any actual and reasonable expenses incurred by Supplier outside ordinary course of business expenses as a result of such audit will be reimbursed to Supplier by Buyer.
 
b. Other than in connection with a sales or use tax audit, Supplier shall notify Buyer promptly by telephone or by email if any governmental or regulatory authority requests an inspection or makes written or oral inquiries of Supplier regarding any aspect of Buyer’s activities pursuant to this Subcontract, so long as such notification does not violate any applicable Laws or breach any obligation of confidentiality to a third party. Unless otherwise required by applicable Laws, Subcontractor shall not allow physical access to any governmental or regulatory authority relating to such activities without giving IBM the right to have a representative present. Supplier and Buyer shall cooperate in resolving any concerns of any governmental or regulatory authority. Supplier shall notify Buyer promptly by telephone or by email if Supplier believes that the actions or inactions of any governmental or regulatory authority, including the issuance or failure to issue any report, permit, or license, may cause a negative impact on Supplier’s ability to perform the Supplier Services.
 
c. At the conclusion of a Buyer audit or examination provided for in this Subcontract or any applicable Statement of Work and prior to issuing the final audit report, Buyer shall conduct, or request its external auditors or examiners to conduct, an exit conference with Supplier to discuss issues identified in the review. Supplier and Buyer shall meet to review each final audit report promptly after the issuance thereof and to mutually agree upon an appropriate and effective manner in which to respond to the deficiencies identified and changes suggested by the audit report.
 
d. If any audit by an auditor designated by Buyer or a regulatory authority results in Supplier being notified that Supplier is not in compliance with the terms of this Subcontract or other required compliance requirements, Supplier shall comply with such terms after having a reasonable opportunity to contest such audit finding should such finding be upheld. Subcontractor shall bear the expense of any such response, and any remedial actions, to the extent that Subcontractor was not in compliance with the terms of this Subcontract or the required compliance requirements.
 
27.5 General Procedures. Notwithstanding the intended breadth of Buyer’s audit rights, Buyer and its internal and external auditors, inspectors, regulators and other representatives shall not be given access to: (i) the proprietary information of other Supplier customers; (ii) Supplier locations that are not related to Buyer or the Supplier Services; or (iii) Supplier’s internal costs, except as to the extent such costs are the basis upon which Buyer is charged. In performing audits, Buyer shall endeavor to avoid unnecessary disruption of Supplier’s operations and unnecessary interference with Supplier’s ability to perform the Supplier Services. The external auditors and inspectors designated by Buyer under this Article 27 to conduct operational and/or financial audits shall not be Supplier Competitors. Buyer’s auditors shall comply with Supplier’s applicable, reasonable security requirements, including, where appropriate, execution of a non-disclosure agreement reasonably acceptable to Supplier.
 
27.6 Record Retention. Until: (a) seven years after expiration or termination of this Subcontract; (b) pending matters relating to this Subcontract (e.g., disputes) are closed; or (c) no longer required to meet Buyer’s records retention policy (as modified from time to time), whichever is later, as notified to Supplier, Supplier shall maintain and provide access upon request to the records, documents and other information required to meet Buyer’s audit rights under this Subcontract.
 
27.7 Legal Discovery. Buyer is required to preserve and produce electronic data in support of its legal discovery obligations, as they may arise, for investigations and/or litigation. As part of the Supplier Services, Supplier shall cooperate with any legal discovery requests made by any IBM Entity, including the dissemination of preservation requests, collection of data, imaging of systems, back-up of electronic information, maintenance, retention and production of any such data. Supplier shall keep detailed records of its efforts to preserve data required for legal discovery. 
 
28.0 Change Control Procedures.  
 
28.1 Buyer and Supplier shall comply with the following Change Control Procedures:
 
a. Change Control Procedures shall provide, at a minimum, that: (A) no Change shall be implemented without written agreement by both Parties, except as may be necessary on a temporary basis to maintain the continuity of the Supplier Services; (B) with respect to all Changes, Buyer and Supplier shall: (I) other than those Changes made on a temporary basis to maintain the continuity of the Supplier Services, schedule Changes so as not to unreasonably interrupt Buyer’s business operations; and (II) monitor the status of Changes against the applicable schedule; (C) with respect to any Change made on a temporary basis to maintain the continuity of the Supplier Services, Supplier shall document and provide to Buyer notification (which may be given orally provided that any oral notice must be confirmed in writing to Buyer within five Business Days) of the Change no later than the next Calendar Day after the Change is made; and (D) Supplier shall update the Change Control Procedures as necessary and shall provide such updated Change Control Procedures to Buyer for its approval.
 
30.0 Pre-Placement Checks
 
30.1 Supplier recognizes Buyer’s desire to maintain a safe and secure working environment for Buyer employees. For purposes of this Subcontract, “Certain Supplier Personnel” means any Supplier Personnel who: (i) are to have behind-the-firewall access to Buyer or CIGNA or their Affiliates’ computer and telecommunications network (e.g., Buyer or CIGNA Equipment, Software or Buyer or CIGNA Data), whether such access is provided through an on-site or remote connection; or (ii) perform certain Software development projects Buyer deems to be highly sensitive to Buyer’s or CIGNA’s business operations.
 
30.2 Supplier shall have administrative responsibility for conducting the background checks. Supplier does not conduct drug testing on its personnel. Buyer may conduct drug testing and background checks itself, at Buyer’s expense, on any Supplier personnel scheduled to work at IBM/CIGNA Service Locations. Supplier will make such personnel available for the drug tests and background checks. Buyer shall have financial responsibility therefore and shall reimburse Supplier for the check and test costs on a Pass-Through Expense basis.
 
30.3 Supplier shall permit and cooperate with Buyer’s audits of Supplier compliance with the background screening stated herein.
 
34.0 Replacement, Qualifications and Retention of Supplier Personnel. 
 
34.1 If Buyer determines in good faith that the continued assignment to Buyer of any particular Supplier Personnel is not in the best interests of Buyer, then Buyer shall give Supplier written notice to that effect requesting that such Supplier Personnel be replaced; provided, however, upon Buyer’s request, Supplier shall immediately reassign any individual from the Buyer account so long as Buyer demonstrates to Supplier the need for such immediate reassignment. Promptly after its receipt of such a request by Buyer, Supplier shall investigate the matters stated in the request and discuss its findings with Buyer. If requested to do so by Buyer, Supplier shall immediately remove the individual in question from performance of the Supplier Services pending completion of Supplier’s investigation and discussions with Buyer. If, following discussions with Supplier, Buyer still in good faith requests replacement of such Supplier Personnel, Supplier shall promptly replace such Supplier Personnel with an individual of suitable ability and qualifications. Nothing in this provision shall operate or be construed to limit Supplier’s responsibility for the acts or omissions of Supplier Personnel.
 
34.2 Supplier shall maintain and conduct procedures for the replacement of Supplier Personnel in such a manner so as to assure an orderly succession for any Supplier Personnel who is replaced. Upon request, after a determination that a Supplier Personnel shall be replaced, Supplier shall make such procedures available to Buyer. The timing for transfer, reassignment or replacement of Supplier Personnel shall be closely coordinated with the requirements for timing and other elements of the Supplier Services so as to maintain continuity in the performance of the Supplier Services.
 
34.3 Supplier shall use its diligent and reasonable efforts to keep the turnover rate of Supplier Personnel to a reasonably low level. If Buyer believes that Supplier Personnel’s turnover rate is excessive and so notifies Supplier, Supplier shall: (i) determine the cause of the excess; (ii) develop a mutually agreed upon plan to minimize turnover; and (iii) meet with Buyer to discuss the implementation and timely impact of the plan. Supplier shall be responsible for replacing personnel who are retiring, or who otherwise leave the Buyer account, with professional personnel.
 
35.0 Subcontractors. 
 
Except for the subcontractors identified on Exhibit 4 hereto (the “Permitted Subcontractors”), Supplier shall not subcontract its material obligations under this Subcontract or any Supplier Services which involve the use of or access to IBM Data without Buyer’s prior written consent. Supplier may use these Permitted Subcontractors in connection with the provision of the Supplier Services subject to the terms of this Subcontract (including the provisions of this Section). Buyer hereby pre-approves those certain subcontracts between Supplier and third party original hardware/equipment manufacturers and original software licensors who perform routine maintenance and support and that do not materially impact a Buyer or Supplier function that is part of the Supplier Services. 
 
35.1 Supplier shall include in its subcontracts as flow-down provisions, provisions substantially similar to those provisions of this Subcontract relating to Buyer facilities, personnel requirements, Buyer’s intellectual property rights, Buyer’s audit rights, confidentiality, representations and warranties. Supplier shall require each of its Affiliates and all Permitted Suppliers to carry insurance at levels customary and appropriate for the types and volumes of Supplier Services being provided by such Affiliates and Permitted Suppliers.
 
35.2 The Change of Control of a Permitted Subcontractor to an IBM Competitor shall in all cases be deemed good cause for the purposes of this Section. Upon any such revocation, Supplier shall, upon Buyer’s request, replace such subcontractor with a new subcontractor, subject to Buyer’s approval of the new subcontractor, the transition plan, and certain material terms of the subcontract reasonably specified by Buyer. Any revocation of the approval of a subcontractor pursuant to this Section shall not excuse Supplier from providing the Supplier Services and meeting the Service Levels; provided that Buyer gives Supplier 30 days’ notice unless a different notice period has been approved or agreed by Buyer.
 
35.3 No subcontracting shall release Supplier from its responsibility for its obligations under this Subcontract. Supplier shall remain responsible for obligations, services and functions performed by subcontractors to the same extent as if these obligations, services and functions were performed by Supplier employees. Supplier shall be Buyer’s sole point of contact. Supplier shall not disclose Buyer or CIGNA Confidential Information to a subcontractor (including an Affiliate of Supplier) until such subcontractor has executed a nondisclosure agreement in a mutually agreed form.
 
35.4 Supplier shall be responsible for all payments to Supplier Agents under contracts between Supplier and Supplier Agents. Supplier shall promptly pay for all services, materials, Equipment and labor used by Supplier or Supplier Agents in providing the Supplier Services and Supplier shall keep Buyer’s premises free of all liens by Supplier or Supplier Agents.
 
35.5 Nothing in this Subcontract shall prevent, and Subcontractor shall not prevent or inhibit (through damages, penalties or otherwise), IBM or any IBM Entity from contracting directly with any of the subcontractors or third party providers used by Subcontractor in connection with the provision of the Subcontractor Services upon the cessation of a Service or expiration or termination of this Subcontract.
 
36.0 REPRESENTATIONS, WARRANTIES AND COVENANTS
 
36.1 By Supplier. Supplier represents, warrants and covenants to Buyer during the Subcontract Term and the Termination Assistance Period that:
 
a It shall render the Supplier Services with promptness and diligence and shall execute them in a workmanlike manner, in accordance with the practices and high professional standards that are the accepted industry norms applicable to the Supplier Services. Supplier represents and covenants that it shall use adequate numbers of qualified individuals with suitable training, education, experience and skill to perform the Supplier Services.
 
b It is now, and shall be during the Subcontract Term and the Termination Assistance Period, an equal opportunity employer complying with all such applicable Laws.
 
c It shall maintain the Equipment and Software for which it is responsible under this Subcontract so that they operate substantially in accordance with their applicable specifications, including: (i) maintaining Equipment in good operating condition, subject to normal wear and tear; (ii) undertaking repairs and preventive maintenance on such Equipment substantially in accordance with the applicable manufacturer’s recommendations; and (iii) performing Software maintenance substantially in accordance with the applicable Supplier’s documentation, recommendations and specifications, in accordance with the provisions of Section 8 above.
 
f It shall perform its responsibilities under this Subcontract in a manner that does not infringe, or constitute an infringement or misappropriation of, the copyright, trademark, trade secret or other proprietary rights of a third party; provided, however, that Supplier shall not have any obligation or liability under this clause (f) if and to the extent any such infringement or misappropriation is caused by: (i) modifications made by Customer, Buyer or IBM Third Party Contractors not specified or authorized (in each case, in writing) by Supplier or Supplier Agents; (ii) IBM/CIGNA’s combination of otherwise non-infringing Supplier’s work product or services with items not furnished or specified by Supplier or Supplier Agents in writing that by sole virtue of such combination, makes the work product, service or item infringing; (iii) a breach of this Subcontract by Buyer; (iv) failure of IBM/CIGNA to use Supplier-provided corrections or modifications that would remedy the non-infringement and that offer equivalent features and functionality; (v) third party Software not provided by Supplier, except to the extent that such infringement or misappropriation arises from the failure of Supplier to obtain the necessary third party Software licenses or Required Consents or to abide by the limitations of the applicable third party Software licenses; (vi) Equipment or Software or other resources provided to Supplier by IBM/CIGNA; or (vii) the distribution, operation or use of Software of Materials for the benefit of a third party outside of the other party’s enterprise.
 
g It has not violated applicable Laws or regulations or Buyer policies (of which Supplier has been given notice) regarding the offering of inducements in connection with this Subcontract. If Supplier does not comply with the foregoing, Buyer shall have the right to terminate this Subcontract for cause without affording Supplier an opportunity to cure.
 
h If any Equipment provided by Subcontractor, including those provided by any Affiliate or third party subcontractor to Subcontractor, directly or indirectly causes any damage or loss to any IBM system or results in the loss of any IBM Data, Subcontractor shall, at no additional charge to IBM, repair or replace affected IBM Equipment.
 
i It shall cooperate with Buyer and shall take commercially reasonable actions and precautions to prevent the introduction and proliferation of Malicious Code into the systems used to provide the Supplier Services or the IBM environment. If Malicious Code is found to have been introduced into the systems used by Supplier to provide the Supplier Services, Supplier shall at no additional charge eliminate the Malicious Code from such systems used by Supplier to provide the Supplier Services and, if the Malicious Code causes a loss of operational efficiency or loss of data, to assist Buyer to the same extent to mitigate and restore those losses with generally accepted data restoration techniques. Without the prior written consent of Buyer, Supplier represents, warrants and covenants that it shall not insert into any Software code that would have the effect of disabling or otherwise shutting down all or a portion of the Supplier Services, and with respect to disabling code that may be part of any Software, that it shall not invoke the disabling code at any time.
 
k It is duly authorized to enter into this Subcontract and to make the commitments set forth in this Subcontract.
 
l Its execution, delivery and performance of this Subcontract does not constitute a violation of any judgment, order, or decree; a material default under any material contract by which it or any of its material assets are bound; or an event that would, with notice or lapse of time, or both, constitute such a default.
 
m Supplier warrants that it will perform the Services using reasonable care and skill, and according to the agreed upon specifications. Buyer agrees that it must report any deficiencies of the Services to Supplier in writing within ninety (90) days of performance of the Services in order to receive the warranty remedy. In such case Supplier will re-perform the Services at no additional charge.
 
n All current and future employees and agents of and consultants to Supplier with access to or involved in the performance of Supplier Services have executed and delivered or shall execute and deliver to Supplier a proprietary rights agreement with Supplier substantially consistent with the form attached as Exhibit 10 hereto pursuant to which such employee or consultant agrees to confidentiality and intellectual property assignment terms sufficient to enable Supplier to meet its obligations to Buyer and Customer under the Subcontract and sufficient to enable Buyer to meet its obligations to Customer under the Prime Contract.
 
37.0 INDEMNIFICATION 
 
37.1 By Supplier. Supplier shall indemnify, defend and hold harmless Buyer and CIGNA and their respective officers, directors, employees, agents, successors and assigns from any and all Losses and threatened Losses arising from or in connection with any of the following:
 
a.  Claims by Governmental Authorities for fines, penalties, financial sanctions or late charges arising from or in connection with Subcontractor’s (or Subcontractor Personnel’s) failure to comply with any laws solely to the extent Subcontractor’s failure to comply with laws constitutes a breach of Subcontractor’s services obligations under the Subcontract or a Statement of Work which services obligation was communicated to Subcontractor by IBM as a written requirement in order to enable IBM to comply with such laws;
 
b.  Supplier’s use or disclosure of information in breach of its confidentiality obligations set forth in this Subcontract;
 
c.  Supplier’s failure to obtain the Required Consents or comply with the terms of any third party consent or underlying agreement;
 
d.  any claim or action initiated by an Affiliate of Supplier or potential or actual agent of Supplier (including Supplier Personnel) asserting rights in connection with this Subcontract;
 
e.  any actual or alleged infringement or misappropriation of the trade secret, copyright or other proprietary rights, alleged to have occurred because of systems or other resources provided by or on behalf of Supplier or Supplier Personnel or based upon performance of the Service; provided, however, that Supplier shall not have any obligation or liability under this clause (h) if and to the extent any such infringement or misappropriation is caused by: (i) modifications made by Buyer, CIGNA, IBM Third Party Contractors or CIGNA Third Party Contractors not specified or authorized (in each case, in writing) by Supplier or Supplier Agents; (ii) Buyer’s or CIGNA’s combination of otherwise non-infringing Supplier’s work product or services with items not furnished or specified by Supplier or Supplier Agents in writing that by sole virtue of such combination, makes the work product, service or item infringing; (iii) a breach of this Subcontract by Buyer; (iv) failure of Buyer or CIGNA to use Supplier-provided corrections or modifications that would remedy the non-infringement and that offer equivalent features and functionality; (v) third party Software not provided by Supplier, except to the extent that such infringement or misappropriation arises from the failure of Supplier to obtain the necessary third party Software licenses or Required Consents or to abide by the limitations of the applicable third party Software licenses; or (vi) Equipment, or Software provided to Supplier by Buyer or CIGNA, neither of which has been authorized or approved by Buyer.
 
f.  any amounts assessed against any IBM Entity, including taxes, penalties and interest, assessed against any IBM Entity, that are the obligation of Supplier under this Subcontract;
 
g.  any claim relating to any violation by Supplier or Supplier Agents or their respective officers, directors, employees, representatives or agents, of any Law or any common law protecting persons or members of protected classes or categories, including laws or regulations prohibiting discrimination or harassment on the basis of a protected characteristic;
 
h.  any claim or action by, on behalf of, or related to, any prospective, then-current or former employees of Supplier or Supplier Agents arising out of hiring practices of Supplier or employment or termination of employment with Supplier, including any claim arising under occupational health and safety, worker’s compensation, ERISA or other applicable Law, except for claims arising out of misrepresentations made by Buyer to Hired Employees, if any, prior to their respective Hire Dates;
 
i.  any claim or action by, on behalf of, or related to, any prospective, then-current or former employees of Supplier or Supplier Agents based on a theory that Buyer is an employer or joint employer of any Supplier or Supplier Agent personnel;
 
j.  any claim or action by, on behalf of, or related to, any third party providing services to Buyer prior to the SOW Effective Date relating to actions of Supplier or Supplier Personnel, including the hiring by Supplier of the third party’s employees;
 
k.  damages for the death or bodily injury of an agent, employee, customer, business invitee or business visitor or other person caused by the tortious conduct of Supplier or Supplier Agents;
 
l.  damages for the damage, loss or destruction of real or tangible personal property caused by the tortious conduct of Supplier or Supplier Agents;
 
m.  any claim or action or other proceeding asserted against Buyer but resulting from an act or omission of Supplier or any Supplier Agent in its capacity as an employer of a person; and
 
n.  any claim in connection with the handling and processing of any and all immigration and employment-related issues and requirements arising in connection with the Supplier Personnel (whether located in the United States or elsewhere).
 
38.0 CONFIDENTIALITY 
 
38.1 IBM or CIGNA Confidential Information. Supplier shall: (a) use the same care and discretion to avoid disclosure, publication or dissemination of IBM or CIGNA Confidential Information as it uses with respect to its own similar information that it does not wish to disclose, publish or disseminate; and (b) use IBM or CIGNA Confidential Information solely to the extent required to fulfill its obligations or exercise its rights under this Subcontract. Supplier shall not disclose, publish, release, transfer or otherwise make available IBM or CIGNA Confidential Information in any form to, or for the use or benefit of, any person or entity without Buyer’s consent. Subject to Section 16.4, Supplier shall, however, be permitted to disclose relevant aspects of the IBM or CIGNA Confidential Information to its officers, directors, agents, professional advisors, Supplier Agents and employees, to the extent that such disclosure is not restricted under this Subcontract or any Governmental Approvals and only to the extent that such disclosure is reasonably necessary for the performance of its duties and obligations, or exercise of its rights, under this Subcontract; provided, however, that all such persons or entities have entered into an agreement containing terms consistent with the terms set forth in this Article and Supplier shall take all reasonable measures to ensure that IBM or CIGNA Confidential Information is not disclosed, published or disseminated in contravention of the provisions of this Subcontract by such officers, directors, agents, professional advisors, Supplier Agents and employees. The obligations in this Section shall not restrict any disclosure pursuant to any law (provided that Supplier shall give prompt notice to Buyer and the disclosing IBM Entity of such order). 
 
38.2 Restricted Materials. Subcontractor hereby acknowledges and agrees that the following items, whether in paper or electronic form, are IBM or CIGNA Confidential Information: all IBM or CIGNA financial, pricing, and costs of or relating to IBM or CIGNA or suppliers or customers of IBM, CIGNA and their Affiliates, all marketing and business plans and forecasts of IBM or CIGNA, any information related to consumer goods in development or discovery, IBM protocols, case report forms, data management plans, data listings, statistical analyses results, minutes, notes, or recollections of contents of meetings or strategy discussions relating to IBM’s or CIGNA’s business operations, personally identifiable information and policy and procedure manuals (excluding any pre-existing Subcontractor Confidential Information) (collectively, “Restricted Materials”). Subcontractor shall treat all Restricted Materials as strictly confidential and: (a) shall use the Restricted Materials only to the extent necessary to perform its obligations or exercise its rights under this Subcontract; (b) shall provide access to such Restricted Materials only to those Subcontractor Personnel who have a need to know in connection with Subcontractor’s performance of its obligations or exercise of its rights under this Subcontract; and (c) shall use the same care and discretion to avoid disclosure, publication or dissemination of Restricted Materials as it uses with respect to its own similar information that it does not wish to disclose, publish or disseminate. Other IBM or CIGNA Confidential Information not expressly listed in this Section may be considered Restricted Materials of IBM or CIGNA and should be treated as such by Subcontractor upon written notice from IBM.
 
38.3 Supplier Confidential Information. Buyer shall: (a) use the same care and discretion to avoid disclosure, publication or dissemination of Supplier Confidential Information as it uses with respect to its own similar information that it does not wish to disclose, publish or disseminate; and (b) use Supplier Confidential Information solely to the extent required to fulfill its obligations or exercise its rights under this Subcontract. Buyer shall not disclose, publish, release, transfer or otherwise make available Supplier Confidential Information in any form to, or for the use or benefit of, any person or entity without Supplier’s consent. Buyer shall, however, be permitted to disclose relevant aspects of the Supplier Confidential Information to its officers, directors, agents, professional advisors, contractors, subcontractors and employees and to the officers, directors, agents, professional advisors, contractors, subcontractors and employees of the IBM Entities, to the extent that such disclosure is not restricted under this Subcontract or any Governmental Approvals and only to the extent that such disclosure is reasonably necessary for the performance of its duties and obligations, or exercise of its rights, under this Subcontract; provided, however, that Buyer shall take all reasonable measures to ensure that Supplier Confidential Information of Supplier is not disclosed, published or disseminated in contravention of the provisions of this Subcontract by such officers, directors, agents, professional advisors, contractors, subcontractors and employees. The obligations in this Section shall not restrict any disclosure pursuant to any Law (provided that the recipient shall give prompt notice to Supplier of such order).
 
38.4 Exceptions. The obligations mentioned under Section 38.1, Section 38.2 and Section 38.3 do not apply if, and to the extent that the receiving party is able to prove that: (a) it previously had such knowledge and information without obligation of confidentiality; (b) such knowledge and information was or becomes part of the public domain, publicly available or public knowledge through no fault of the receiving party; (c) it has received such knowledge and information from a third party, the disclosure to such third party without constituting a breach of the confidentiality undertaking hereunder; or (d) it independently developed such knowledge or information without use of or access to the disclosing party’s confidential information, as demonstrated by reasonable supporting evidence.
 
38.5 No Copies. The receiving party (nor any person or entity to whom the receiving party has a right to disclose the Confidential Information of the disclosing Party under this Article 29) shall not make copies of Confidential Information, in whole or in part, obtained from the disclosing party, except as necessary to perform its obligations under this Subcontract.
 
38.6 Ownership of Confidential Information. For the avoidance of doubt, all IBM or CIGNA Confidential Information (including Restricted Materials) is the property of Buyer or CIGNA, respectively. For the avoidance of doubt, all Supplier Confidential Information is the property of Supplier.
 
38.7 Confidential Agreement. This Subcontract is a confidential agreement between Supplier and Buyer. In no event may this Subcontract be reproduced or copies shown to any third parties by either Buyer or Supplier without the prior written consent of the other Party, except as may be necessary by reason of legal, accounting or regulatory requirements of Supplier or Buyer, as the case may be, or to obtain legal, accounting or other advice in connection with this Subcontract, in which event Supplier and Buyer agree to exercise reasonable diligence in limiting such disclosure to the minimum necessary under the particular circumstances and cause anyone to whom such Party provides this Subcontract to keep it confidential in accordance with the provisions of this Subcontract. Neither Party is permitted to issue any press release, distribute any advertising, or make any public announcement concerning this Subcontract or its business relationship with the other Party without the other Party’s prior written consent. The obligations in this Section 38.7 shall not restrict any disclosure of required pursuant to any Law; provided that: (a) each Party shall give reasonable and prompt advance notice of such disclosure requirement to the other and give the other reasonable opportunity to object to and contest such disclosure; and (b) each Party shall use reasonable efforts to secure confidential treatment of any such information that is required to be disclosed.
 
38.8 Disclosure. Notwithstanding the confidentiality, non-disclosure and proprietary rights provisions of this Subcontract, Supplier acknowledges and agrees that Buyer and Supplier has the right to file a copy of, and/or disclose, all or part of this Subcontract and related documents and information, including performance reports and fees and invoicing, as may be required or requested by its regulators and auditors.
 
38.9 Unauthorized Acts. Without limiting the rights of the IBM Entities in respect of a breach of this Section 38, Supplier shall: (a) promptly notify Buyer of any unauthorized possession, use or knowledge, or attempt thereof, of the Buyer or CIGNA Confidential Information by any person or entity that may become known to Supplier; (b) promptly furnish to Buyer full details of the unauthorized possession, use or knowledge, or attempt thereof, and assist Buyer in investigating or preventing the recurrence of any unauthorized possession, use or knowledge, or attempt thereof, of IBM or CIGNA Confidential Information; (c) cooperate with Buyer in any litigation and investigation against third parties deemed necessary by Buyer to protect the proprietary rights of Buyer; and (d) promptly use its diligent and reasonable efforts to prevent a recurrence of any such unauthorized possession, use or knowledge, or attempt thereof, of IBM or CIGNA Confidential Information. Without limiting the rights of the Supplier in respect of a breach of this Section 38, Buyer shall: (a) promptly notify Supplier of any unauthorized possession, use or knowledge, or attempt thereof, of the Supplier Confidential Information by any person or entity that may become known to Buyer or CIGNA; (b) promptly furnish to Supplier full details of the unauthorized possession, use or knowledge, or attempt thereof, and assist Supplier in investigating or preventing the recurrence of any unauthorized possession, use or knowledge, or attempt thereof, of Supplier Confidential Information; (c) cooperate with Supplier in any litigation and investigation against third parties deemed necessary by Supplier to protect the proprietary rights of Supplier; and (d) promptly use its diligent and reasonable efforts to prevent a recurrence of any such unauthorized possession, use or knowledge, or attempt thereof, of Supplier Confidential Information.
 
38.10 Injunctive Relief. Supplier acknowledges that, in the event of any breach of the provisions of this Section 38, Buyer may suffer damages that are not easily determinable, and shall be entitled to seek equitable relief, including an injunction or an order for specific performance, in addition to all other remedies available to Buyer at law or in equity. Buyer acknowledges that, in the event of any breach of the provisions of this Section 38, Supplier may suffer damages that are not easily determinable, and shall be entitled to seek equitable relief, including an injunction or an order for specific performance, in addition to all other remedies available to Supplier at law or in equity. 
 
38.11 Shared Service Location. If: (a) Supplier provides the Supplier Services to Buyer from a Shared Environment; and (b) any part of the business of Supplier or any such third party is now or is in the future competitive with Buyer’s or CIGNA’s business as specified through IBM’s or CIGNA’s Competitors, then Supplier shall develop a process, subject to Buyer’s approval, to restrict access in any such Shared Environment to IBM or CIGNA Confidential Information so that Supplier’s employees or Supplier Agents providing services to such IBM or CIGNA Competitors do not have access to IBM or CIGNA Confidential Information.
 
38.12 Attorney Client Privileged Documents. Supplier recognizes that it may obtain access to client documents, data and databases created by and for Buyer or CIGNA and associated communications related thereto which are confidential attorney work product or subject to the attorney-client privilege. Supplier shall not reveal to any third parties any such data or information: (a) marked with the words “attorney-client privilege” or “attorney work product” or words of similar import; or (b) designated by Buyer to Supplier as being subject to the attorney-client privilege or confidential attorney work product (such marked and designated data or information, collectively, “Privileged Work Product”). Supplier shall safeguard to prevent the unintentional disclosure of Privileged Work Product to third parties. The only Supplier Personnel who may have access to Privileged Work Product shall be those for whom such access is necessary for the purpose of providing Supplier Services to Buyer as provided in this Subcontract. Supplier recognizes that Privileged Work Product has been prepared in anticipation of litigation and that Supplier is performing the Supplier Services in respect of the Privileged Work Product as an agent of Buyer, and that all matters related thereto and protected from disclosure by Rule 26 of the United States Federal Rules of Civil Procedure (or any similar law in other local jurisdictions). Should Supplier ever be notified of any judicial or other proceeding seeking to obtain access to Privileged Work Product, Supplier shall: (i) immediately notify Buyer; (ii) take such reasonable actions at Buyer’s expense as may be specified by Buyer to resist providing such access; and (iii) if such access cannot be resisted, then only permit access to the extent required by law. 
 
38.13 Review. Buyer reserves the right to review Supplier’s policies and procedures used to maintain the security and confidentiality of Personal Information, including auditing Supplier concerning such policies and procedures. The provisions of this Section, are in addition to, and shall not be construed to limit any other confidentiality obligations under this Subcontract. Any exclusion from the definition of IBM or CIGNA Confidential Information contained in this Subcontract shall not apply to Personal Information.
 
38.14 Survival. The Parties’ obligations of non-disclosure and confidentiality shall survive the expiration or termination of this Subcontract for a period of seven years.
 
39.0 IBM DATA 
 
39.1 Ownership of IBM or CIGNA Data. All IBM or CIGNA Data is, or shall be, and shall remain the property of IBM or CIGNA (as appropriate), as the case may be, and shall be deemed IBM or CIGNA Confidential Information. Without IBM’s approval (in its sole discretion), IBM or CIGNA Data shall not be: (a) used by Supplier other than is necessary for Supplier’s performance under this Subcontract and solely in connection with providing the Supplier Services and the performance of Supplier’s obligations under this Subcontract; (b) disclosed, sold, assigned, leased or otherwise disposed of or provided to third parties by Supplier except as directed by Buyer; or (c) commercially exploited by or on behalf of Supplier. Supplier shall not possess or assert liens or other rights in or to IBM Data.
 
39.2 IBM Access to IBM Data. Buyer shall have unrestricted access (subject to Supplier’s reasonable security precautions) to, and the right to review and retain the entirety of, all computer or other files containing IBM or CIGNA Data in the possession or under the control of Supplier or Supplier Agents. At no time shall any of such files or other materials or information be stored or held in a form or manner not reasonably accessible to Buyer. Except as specifically set forth in this Subcontract, Supplier shall have no implied right to access any data files, directories of files, or other IBM or CIGNA Confidential Information and shall access and/or use such files and IBM or CIGNA Confidential Information only as and to the extent necessary to perform the Supplier Services that are the subject of this Subcontract or the Statements of Work. Upon the request of IBM, Subcontractor shall confirm that, to the best of its knowledge, all files and other information provided to IBM or its designee are complete and that no material element, amount, or other fraction of such files containing IBM or CIGNA Data or other information that constitutes IBM or CIGNA Data to which IBM may request access or review has been deleted, withheld, disguised or encoded in a manner inconsistent with the purpose and intent of providing full and complete access to IBM or CIGNA Data to IBM or its designee as contemplated by this Subcontract. 
 
39.5 Return of Data. Upon request by Buyer at any time during the Subcontract Term and upon the cessation of a Service or expiration or termination of this Subcontract (or at the end of the Termination Assistance Period if directed by Buyer), Supplier shall: (a) promptly return to Buyer, in the format and on the media requested by Buyer, all or any part of the IBM or CIGNA Data; and (b) erase or destroy all or any part of the IBM or CIGNA Data in Supplier’s possession, in each case to the extent so requested by Buyer. Any archival tapes containing IBM or CIGNA Data shall be used by Supplier solely for back-up purposes.
 
39.6 Data Safeguards.
 
a Supplier shall establish and maintain safeguards against the destruction, loss, or alteration of IBM or CIGNA Data in the possession of Supplier in accordance with Exhibit 4-C. 
 
b Supplier shall implement a data security plan designed to impose security on all parts of Supplier’s organization that are exposed to, or have access to, Buyer or to IBM or CIGNA Data. Such plan shall at a minimum be as protective as required by this Subcontract, including Exhibit 4-C hereto. In addition, Supplier shall at all times comply with all statutory and regulatory requirements.
 
c Supplier shall maintain the security procedures that are required by this Subcontract, including Exhibit 4-C hereto.
 
40.0 PROPRIETARY RIGHTS
 
Definitions.
 
The following definitions shall apply to the defined terms used in this Section 40.
 
“IBM Intellectual Property” means Intellectual Property of IBM existing as of the commencement of this service engagement or subsequently developed by IBM or its subcontractors other than Supplier outside the scope of this SOW.
 
“Intellectual Property” means all present and future right title and interest whatsoever whether legal or beneficial anywhere in the world in any copyright and in any registered designs, unregistered design rights, trade marks (whether or not registered), goodwill, rights or protections equivalent or similar to copyright (including all moral rights), topography rights, patents, petty patents, utility models, database rights, data, know-how, trade secrets, research and development information, preparatory designs, design standards specifications, computer software (including all source code object code in relation thereto) calculations, formulae, confidential information, designations and rights under any international convention for protection of any of the foregoing and any licenses applications or consents (respectively) granted applied for or given in respect of any of the foregoing.
 
“Supplier Intellectual Property” means Intellectual Property of Supplier existing as of the commencement of this service engagement or subsequently developed by Supplier outside the scope of this SOW.
 
“Supplier Software” means all commercially licensed Supplier proprietary Software programs licensed to Customer under the Order Form and End-User Agreement.
 
40.1 Limited License Grant to IBM Technology. Buyer hereby grants to Supplier (and, to the extent necessary for Supplier to provide the Supplier Services, to Supplier Agents designated by Supplier that sign a written agreement with Supplier with terms consistent with the applicable terms contained herein) a world-wide, non-exclusive, non-transferable, limited, license during the Subcontract Term to Use the IBM proprietary Software programs (including any CIGNA proprietary Software programs that CIGNA has licensed to Buyer) and related documentation that is identified as such in the applicable Subcontract that may be delivered by Buyer to Supplier in connection with Supplier’s performance of the Supplier Services (the “Licensed IBM Technology”), such Use to be made solely in connection with Supplier’s performance of the Supplier Services in accordance with the provisions of this Subcontract. 
 
40.2 Conditions on Supplier License Rights to IBM Technology.
 
q Except for the license rights in and to the Licensed IBM Technology granted under Section 40.1, no license or other right in or to any of the Licensed IBM Technology is granted by implication, estoppel or otherwise by Buyer to Supplier. Buyer shall own, and Supplier hereby perpetually assigns to Buyer all right, title and interest in and to the Licensed IBM Technology, including all right, title and interest in and to any modifications, enhancements or derivative works of or based on the Licensed IBM Technology (except as set forth in Section 40.5).
 
r Except as expressly provided in Section 40.1 with respect to Supplier Agents, Supplier may not sublicense, assign, lease or otherwise transfer, distribute or exploit any of the Licensed IBM Technology or any of the license rights granted to it under Section 40.1, to any Affiliate of Supplier or to any third party, whether directly, indirectly or by operation of law, including by merger, stock transfer, or otherwise.
 
s Supplier shall not reverse engineer, decompile, disassemble, modify or enhance any of the Licensed IBM Technology or any part thereof or otherwise attempt to create any derivative works of any of the Licensed IBM Technology or any part thereof except as required in connection with Supplier’ s performance of the Supplier Services.
 
t Supplier shall adhere to all of the operational and security rules, procedures and guidelines that are instituted from time to time by Buyer and communicated to Supplier on a timely basis in connection with the exercise by Supplier of its right to access remotely certain of the Licensed IBM Technology.
 
u All Licensed IBM Technology constitutes IBM or CIGNA Confidential Information and valuable trade secrets of Buyer. As such, Supplier shall keep all Licensed IBM Technology confidential in accordance with the provisions of Section 38.
 
v Supplier’s license rights in and to the Licensed IBM Technology shall terminate automatically upon the cessation of a Service or expiration or earlier termination of the Subcontract Term. Promptly after the cessation of a Service or expiration or earlier termination of the Subcontract Term (or partial termination to the extent the Licensed IBM Technology, or parts thereof, are no longer required to perform the Supplier Services), or as otherwise requested by Buyer, Supplier shall deliver to Buyer or destroy any and all devices, records, data, computer disks and tapes, notes, reports, proposals, lists, correspondence, specifications, drawings, blueprints, sketches, materials, Equipment, other documents or tangible property of any type comprising or containing any Licensed IBM Technology and any and all copies and reproductions of any of the aforementioned items in the possession or control of Supplier. An Executive of Supplier shall provide Buyer with written certification that all devices, records, data, computer disks and tapes, notes, reports, proposals, lists, correspondence, specifications, drawings, blueprints, sketches, materials, Equipment, other documents or tangible property of any type comprising or containing any Licensed IBM Technology and any and all copies and reproductions thereof have been destroyed or deleted from Supplier’s, Supplier’s employees’, subcontractors, and Supplier’s Agents’ electronic storage devices.
 
40.3 IBM Intellectual Property. All worldwide right, title and interest in and to all IBM Intellectual Property, together with any and all intellectual property rights inherent in any of the IBM Intellectual Property and appurtenant thereto including all patent rights, copyrights, trademarks, know-how and trade secrets, shall belong exclusively to Buyer perpetually.
 
40.4 Supplier Intellectual Property.
 
a All worldwide right, title and interest in and to all Supplier Intellectual Property, together with any and all intellectual property rights inherent in any of the Supplier Intellectual Property and appurtenant thereto including all patent rights, copyrights, trademarks, know-how and trade secrets, shall belong exclusively to Supplier perpetually.
 
b. Supplier hereby grants to Customer a worldwide, perpetual, irrevocable, fully paid-up, nonexclusive, unlimited license to Use and sublicense, and to permit third parties to Use, the Supplier Intellectual Property (exclusive of Supplier Software) that is incorporated or embedded in any Customer New Intellectual Property for so long as such Supplier Intellectual Property remains embedded or incorporated in such Customer New Intellectual Property and is not separately commercially exploited by Customer. If any software (exclusive of Supplier Software) is included in the Supplier Intellectual Property, then such software shall be licensed to Customer as set forth in this Section 40.4(c) in both object code and source code format. The rights and licenses granted in this Section 40.4(c) are to all Customer Entities, both current and future, and to the extent part of such operations are sold or divested, such rights and licenses shall extend to such sold or divested part or entity. Upon Customer’s request, Subcontractor shall deliver to Customer a copy of the Subcontractor Intellectual Property (exclusive of Supplier Software) in object code and source code format. Source code to Supplier Intellectual Property constitutes Subcontractor Confidential Information and valuable trade secrets of Supplier. As such, Customer shall keep all such source code confidential in accordance with the provisions of Article 38.
 
c. Notwithstanding the provisions of paragraph b of this Section 40.4 above, any Subcontractor Intellectual Property that is sold or licensed on a commercial basis by Subcontractor (including without limitation the Supplier Software) shall not be licensed to Buyer or Customer except under the terms of a separate license agreement (which may or may not include a license to source code). For the sake of clarification, Supplier has licensed Supplier Software to the Customer under the terms and conditions of the Order Form and End-User Agreement. No Supplier Software has been licensed to Buyer.
 
40.5 New Intellectual Property
 
a. IBM New Intellectual Property. Buyer owns, and Supplier hereby perpetually assigns to Buyer, all rights, title and interests in all modifications and enhancements to, and derivatives of, IBM Intellectual Property (collectively, “IBM New Intellectual Property”). 
 
b. Supplier New Intellectual Property. Supplier shall own all modifications and enhancements to, and derivatives of, Supplier Intellectual Property (exclusive of Supplier Software) that are developed by Supplier during the provision of any Supplier Services (collectively, “Supplier New Intellectual Property”). Supplier hereby grants to Customer an unlimited, worldwide, fully paid-up license to Use (and allow Customer’s agents and third parties to Use) any Supplier New Intellectual Property, subject to Buyer’s ownership of IBM Data and IBM or CIGNA Confidential Information contained therein. Supplier shall own all modifications and enhancements to, and derivatives of, Supplier Software that are developed by Supplier during the provision of any Supplier Services. Supplier hereby grants to Customer a license to Use the New Supplier Software to the same extent as the Customer is permitted to Use the Supplier Software under the terms and conditions of the End-User Agreement.
 
c. Customer New Intellectual Property. Unless expressly stated otherwise in Subcontract and except for modifications and enhancements to, and derivatives of, IBM Intellectual Property, Supplier Intellectual Property or Supplier Software, Customer owns, and Supplier hereby perpetually assigns to Customer, all rights, title and interests in work product that are developed or provided by Supplier in connection with the provision of any Supplier Services, including any Deliverables (including related documentation necessary to use and support the Deliverables and work product embedded in the Deliverables) whether developed or provided in connection with Subcontract (collectively, “Customer New Intellectual Property”).
 
40.6 Deliverables.
 
Supplier shall not introduce any third party-owned or licensed components in Deliverables without obtaining Customer’s prior written approval in each instance. To the extent Customer approves of such introduction, prior to such introduction Supplier shall obtain the right to grant Customer, without additional charge, a perpetual, irrevocable, fully-paid up, non-exclusive license to Use such third party components as part of the Deliverables, and to sublicense such rights to other entities for the purpose of providing services similar to the Supplier Services to Customer. To the extent Supplier is unable to obtain the rights described in this Section 40.6, Supplier shall notify Customer in writing of its inability to grant Customer such a license and of the cost and viability of other components that can perform the requisite functions and with respect to which Supplier has the ability to grant such a license. This notice shall contain the third party Supplier’s proposed terms and conditions, if any, for making the components available to Customer after expiration, upon any partial or whole termination of this Subcontract, or upon cessation of Supplier Services. Supplier may introduce such components in Deliverables only with Customer’s prior written approval. 
 
All reports, processes, methodologies, deliverables, plans, information, materials, data, drawings, inventions, suggestions, computer Software, renditions, mock-ups, prototypes or other works provided by Subcontractor as a deliverable or otherwise under this Subcontract that do not constitute Deliverables shall be licensed by Subcontractor to Customer in accordance with Section 40.4.
 
40.8 Pre-Existing IP. Subcontractor must identify and obtain Buyer’s prior written approval for the use of any pre-existing Subcontractor Intellectual Property that shall be embedded in IBM New Intellectual Property or Customer New Intellectual Property prior to the development of any such IBM New Intellectual Property or Customer Intellectual Property.
 
40.9 Enforceability.
 
a. During the Subcontract Term and any time thereafter, Supplier shall assist Buyer or its designee, at Buyer’s expense, in every reasonable way to secure all of Buyer’s worldwide perpetual ownership rights, title and interest in IBM Intellectual Property and IBM New Intellectual Property (and all licenses to Supplier Intellectual Property granted to pursuant to this Article 40) in any and all countries, including the disclosure to Buyer of all pertinent information and data with respect thereto, the execution of all applications, registrations, filings, specifications, oaths, assignments and all other instruments which Buyer shall deem necessary or appropriate to: (a) apply for and obtain such rights, title and interest and to assign and convey to Buyer, its successors, assigns and nominees the sole and exclusive rights, title and interests worldwide perpetually in and to the IBM Intellectual Property and IBM New Intellectual Property; and (b) obtain such license rights as set forth in this Article 40 in and to Supplier Intellectual Property. Supplier further agrees that its obligation to execute or cause to be executed any such instrument or papers shall continue after the cessation of a Service or expiration or termination of the Subcontract Term. If testimony or information relative to any of said matters or related to any interference or litigation is requested by Buyer either during the Subcontract Term or following its expiration or termination or the cessation of a Service, Supplier agrees to give all information and testimony and do all things reasonably requested that Supplier may lawfully do, at Buyer’s sole expense. Without limiting the foregoing, Supplier, at Buyer’s request, agrees to execute such assignments and confirmations of: (i) assignment of all rights, title and interests in and to the IBM Intellectual Property and the IBM New Intellectual Property; and (ii) license rights as set forth in this Article 40 in and to Supplier Intellectual Property, each of (i) and (ii) in form acceptable to Buyer. If Buyer is unable because of Supplier’ s unavailability, refusal, dissolution or for any other reason to secure a signature by or on behalf of Supplier to apply for or to pursue any application, registration, filing or other instrument for any United States, Indian or foreign intellectual property rights covering the IBM Intellectual Property and the IBM New Intellectual Property, then Supplier hereby irrevocably designates and appoints Buyer and its duly authorized officers and agents as Supplier’s agent and attorney in fact, to act for and on Supplier’ s behalf and stead to execute and file any such application, registration, filing or other instrument, and to do all other lawfully permitted acts to further the prosecution and issuance of such intellectual property rights, with the same legal force and effect as if executed by Supplier. 
 
b. During the Subcontract Term and any time thereafter, Supplier shall assist Customer or its designee, at Customer’s expense, in every reasonable way to secure all of Buyer’s worldwide perpetual ownership rights, title and interest in Customer New Intellectual Property (and all licenses to Supplier New Intellectual Property granted to pursuant to this Article 40) in any and all countries, including the disclosure to Customer of all pertinent information and data with respect thereto, the execution of all applications, registrations, filings, specifications, oaths, assignments and all other instruments which Customer shall deem necessary or appropriate to: (a) apply for and obtain such rights, title and interest and to assign and convey to Buyer, its successors, assigns and nominees the sole and exclusive rights, title and interests worldwide perpetually in and to the Customer New Intellectual Property; and (b) obtain such license rights as set forth in this Article 40 in and to Supplier New Intellectual Property. Supplier further agrees that its obligation to execute or cause to be executed any such instrument or papers shall continue after the cessation of a Service or expiration or termination of the Subcontract Term. If testimony or information relative to any of said matters or related to any interference or litigation is requested by Customer either during the Subcontract Term or following its expiration or termination or the cessation of a Service, Supplier agrees to give all information and testimony and do all things reasonably requested that Supplier may lawfully do, at Customer’s sole expense. Without limiting the foregoing, Supplier, at Buyer’s request, agrees to execute such assignments and confirmations of: (i) assignment of all rights, title and interests in and to the Customer New Intellectual Property; and (ii) license rights as set forth in this Article 40 in and to Supplier New Intellectual Property, each of (i) and (ii) in form acceptable to Buyer. If Buyer is unable because of Supplier’ s unavailability, refusal, dissolution or for any other reason to secure a signature by or on behalf of Supplier to apply for or to pursue any application, registration, filing or other instrument for any United States, Indian or foreign intellectual property rights covering the Customer New Intellectual Property, then Supplier hereby irrevocably designates and appoints Customer and its duly authorized officers and agents as Supplier’s agent and attorney in fact, to act for and on Supplier’ s behalf and stead to execute and file any such application, registration, filing or other instrument, and to do all other lawfully permitted acts to further the prosecution and issuance of such intellectual property rights, with the same legal force and effect as if executed by Supplier.
 
40.10 General Intellectual Property Provisions.
 
aa Copyright Legends. The Parties agree to reproduce copyright legends which appear on any portion of the Intellectual Property which may be owned by third parties.
 
bb No Implied Licenses. Except as expressly specified in this Subcontract, nothing in this Subcontract shall be deemed to grant to one Party, by implication, estoppel or otherwise, license rights, ownership rights or any other intellectual property rights in any Intellectual Property owned by the other Party or any Affiliate of the other Party.
 
cc Residuals. Nothing in this Subcontract shall: (i) restrict either Party from using ideas, concepts or know-how relating to the Supplier Services that are retained in the memories of such Party’s employees or representatives after performing the obligations of such Party under this Subcontract; or (ii) preclude or limit Supplier from providing services and/or developing Software or materials for itself or other clients, irrespective of the possible similarity of such materials that might be delivered to Buyer under this Subcontract, except to the extent that the exercise of any of the foregoing infringes upon a patent or trademark of a Party or its Affiliates. Except as described above, this Section 40.10 shall not be deemed to limit either Party’s obligations under this Subcontract with respect to the disclosure or use of Confidential Information.
 
43.0 Insurance.
 
43.1 Supplier shall, and shall cause Supplier Agents to, throughout the Term and the Termination Assistance Period, maintain in full force and effect from a third party that is rated “A” or “A-” in Best’s Insurance Guide, or otherwise acceptable to Buyer, the following insurance coverage for its worldwide operations:  
 
tt Supplier agrees to maintain a policy of workers’ compensation insurance (as required by the applicable state statute) on its employees. Such policy shall provide statutory limits and contain Employer’s Liability coverage in an amount not less than $5,000,000 per occurrence. To the extent reasonably obtainable, Supplier agrees to have its workers’ compensation insurance policy amended to waive the insurors rights of subrogation against Buyer for recovery of claims paid under Supplier’s policy.
 
uu Automobile liability covering all vehicles owned, non-owned, hired and leased in an amount not less than $1,000,000.00 per claim (combined single limit for bodily injury and property damage).
 
vv Commercial general liability insuring against bodily injury, property damage, contractors’ completed operations and contractual liability (covering Supplier’s indemnification obligations contained herein) with a combined single limit of not less than $5,000,000.00 per claim.
 
ww Professional liability and errors and omissions insurance in an amount not less than $5,000,000.00 per claim and in the aggregate.
 
xx Umbrella coverage (including commercial general liability coverage) of not less than $20,000,000.00 over the coverages shown above.
 
yy Fidelity coverage in the amount of $5,000,000.00 to cover fraudulent or dishonest acts by an employee of Supplier. Buyer shall be named as a loss payee in respect to the Services performed for Buyer.
 
43.2 Inspection. Supplier shall allow Buyer or CIGNA or their representatives or property insurance company representatives, at any time with reasonable advance notice, to inspect, test or examine fire protection and security Equipment, systems and procedures at the IBM or CIGNA Service Location.
 
43.3 Certificates. Supplier shall furnish Buyer with certificates of insurance evidencing the above coverages and endeavoring to notify Buyer 30 days in advance in writing of cancellation. Such certificates or policies shall be in a form and underwritten by a carrier and/or placed through a broker satisfactory to Buyer. Except for the Workers’ Compensation, Professional Liability and Employer’s Liability policies, all policies of insurance shall name Buyer as an additional insured where allowed by local country law. Each policy shall contain a provision that no act or omission of Supplier shall affect or limit the obligation of the insurer to pay Buyer the amount of any loss sustained. Insurance carried on a claims made basis shall be carried for a 60 day after the Term and the Termination Assistance Period to cover all claims.
 
43.4 Use of Proceeds. Proceeds received by Supplier from any claims under the insurance policy referenced in this Article shall be used to rapidly affect necessary repairs or replacement or to reimburse the affected CIGNA Entities.
 
43.5 Waiver of Subrogation. The insurance coverages under this Section 43 with respect to premises liability and only for liability arising out of Supplier’s negligence on such premises, shall be primary, and non-contributing with respect to any other insurance or self insurance which may be maintained by Buyer.
 
43.6 Risk of Loss. Supplier shall be responsible for risk of loss of, and damage to, Equipment, Software or other materials in its possession or under its control , except to the extent such loss or damage is caused by Buyer or CIGNA.
 
Section 44.0 Further Assurances.
 
44.1 Each party agrees to execute documents and provide such information and cooperation as reasonably requested by a party to effectuate the grant of rights hereunder including any documents, information or cooperation reasonably necessary to effectuate the intent of the parties herein.
 

 
 

 



ACCEPTED AND AGREED TO:
 
ACCEPTED AND AGREED TO:
IBM
 
Chordiant Software, Inc.
By: /s/ Dan Reinhard
 
By: /s/ Kelly Hicks
Buyer Signature Date
September 28, 2006
 
Supplier Signature Date September 28, 2006
Dan Reinhard
 
Kelly Hicks
Printed Name
 
Printed Name
Procurement Solutions Advisor/ Client Services Procurement
 
VP, Worldwide Sales Operations
Title & Organization
 
Title & Organization
     
Buyer Address:
2455 South Road
Poughkeepsie, NY 12601
 
Supplier Address:
20400 Stevens Creek Blvd.
Cupertino, CA 95014
USA
 






 
 

 

EXHIBIT 1 - Service Level Agreement
 

1.  INTRODUCTION
 
The Service Level Agreements defined in this schedule are associated with the steady-state management of the Call Center Application.
 
1.1  The Service Levels set forth herein shall be effective upon production implementation of the application.
 
1.2  The primary objective of Chordiant Product Support is to assist IBM in maintaining and/or regaining an operational state by commercially reasonable efforts. The secondary objective of Product Support is to provide in due course the correction of any underlying Errors.
 
Chordiant shall make available to Customer Support in the form of access via e-mail, web and telephone (telephone access during the Support Hours only) in English to the Designated Contacts and/or via the support website for technical information, technical advice and technical consultation regarding Customer’s use of the Supported Software.

Product Support will include the following:

(a) Problem Prevention
1.  
Notification of availability of generally available patches and releases.

(b) Problem Identification
1.  
Clarification of Chordiant error messages,
2.  
Assistance in identifying and verifying the causes of suspected Errors, and;
3.  
Advice on bypassing identified Errors (providing workarounds) in the Supported Software.

(c) Problem Resolution
1.  
Reporting and tracking product defects and enhancement requests,
2.  
Resolution of defects via workaround, maintenance release or in exceptional circumstances emergency patches, and
3.  
Notification of status on issues, including escalation when required.

Resolution of Errors. Chordiant will endeavor to provide an initial response acknowledging Errors reported by Customer in accordance with the priority levels and response times set out in Schedule A. Chordiant will acknowledge each Customer report of a case by written acknowledgment setting forth a Case Problem Number for use by Customer and Chordiant in all correspondence relating to such case. Thereafter, Chordiant shall use commercially reasonable efforts to provide a Resolution.

Exceptions. Chordiant shall have no responsibility to fix any Errors arising out of or related to the following causes:
a.  
any modifications or enhancements made by the Customer to the Software, unless such modifications or enhancements are specifically approved in writing by Chordiant Product Support; this includes but is not limited to;
- location of binaries
- scripts provided by Chordiant
- any application specific object (e.g., table, view, index, trigger)
- any application specific operating system permissions or role privileges
b.  
Any modification or combination of the Software (in whole or in part), including without limitation any portions of the Software code or Source Code customized by the customer that is not part of the unmodified Software delivered by Chordiant or for which Chordiant has not received and acknowledged receipt of the source code and agreed to Support.
c.  
Use of the Software in an environment other than a Supported Environment.
d.  
Accident; electrical or electromagnetic stress; neglect; misuse; failure or fluctuation of electric power, failure of media not furnished by Chordiant; operation of the Software with other media and hardware, software or telecommunication equipment or software; or causes other than ordinary use.

2. IBM Responsibilities 

IBM agrees to:
(i) Provide Chordiant with remote access to the Supported Software during the term of this Agreement via an electronic link; and
(ii) Provide any reasonable assistance that Chordiant may require from the Designated Contacts and other appropriate Customer representatives (e.g. network administrator, as the case may be) to enable Chordiant to provide IBM with Support; and
(iii) Establish and maintain the conditions of the Supported Environment in compliance with Chordiant Certified Matrix and Technical Stack developed for the installed release or any environmental operating ranges specified by the manufacturers of the components of the Designated Center. Any deviation from this Supported Environment voids all Resolutions within the timeframe set forth below unless agreed to by Chordiant in writing.

IBM agrees to designate two (2) appropriately qualified and trained personnel to be the Designated Contacts, and only those individuals shall request Support services. IBM agrees endeavor to adequately train and obtain “Chordiant certification” for, and forward to Chordiant the names and contact details of the Designated Support Contacts. IBM shall provide Chordiant with access to IBM’s personnel and its equipment during Support Hours. This access must include the ability to dial-in from Chordiant facilities to the equipment on which the Supported Programs are operating and to obtain the same access to the equipment as those of IBM’s employees having the highest privilege or clearance level.

IBM agrees to maintain procedures to facilitate reconstruction of any lost or altered files, data or programs and IBM agrees that Chordiant will not be responsible under any circumstances for any consequences arising from lost or corrupted data, files or programs. IBM is solely responsible for carrying out all necessary backup procedures for its own benefit, to ensure that data integrity can be maintained in the event of loss of data for any reason and that Customer programs can be restored.

IBM agrees to notify Chordiant Product Support promptly of any malfunction of the Supported Software.

IBM agrees to provide Chordiant with access to and use of such of the Customer’s information and facilities reasonably necessary to service the Supported Software including, but not limited to, an accurate description of the Designated Center and the current Supported Environment, the problem being reported, the transactions and any error messages, along with screenshots and log files.

IBM agrees to install the Current Release as soon as reasonably practicable, or as stated in the CIGNA SLSA which requires IBM to stay current to N-2. If CIGNA requires IBM to not maintain N-2 IBM will work with Chordiant to purchase extended maintenance support and assess the impact to the SLA below in accordance with the change control process.

 
Problem Management Requirements
 
Severity Level
Response
Escalation & Communication
Resolution
Severity 1
[*] mins
[*] hr during Business Hours
[*] hrs off-hours
[*] hours [*] % of the time
 
IBM must provide 24x7 contact information.
Severity 2
[*] Business Hour
[*] hrs during Business Hours
[*] hrs off-hours
[*] hours [*] % of the time
Severity 3
[*] business hrs
[*] business day
[*] days [*] % of the time
Measurement Process
See Text Below
Measurement Calculation
See Text Below
Measurement Frequency
-  Daily
-  Weekly
Monthly (current + 12 month rolling)
Service Level Weighting
TBD% for each severity category and response/escalation/resolution criteria
Measurement Period Start Date
Two weeks after the Implementation Date
Service Level Effective Date
The first day of the month following 30 days of measurement.
Continuous Improvement Applies
No
Scope of Requirements
These Program Management Requirements apply only to Chordiant Foundation as originally delivered (including subsequently delivered Updates). These Requirements shall not apply to any customizations, modifications or derivative works of Chordiant Foundation.

4.  
Supplier will name an SLA Manager as initial contact person responsible for assisting IBM with meeting Problem Management SLA’s during 8:30 AM to 5:30 PM Eastern Time on Business Days. SLA Manager will provide 7 x 24 coverage model and contact/name and numbers.
 
5.  
Once IBM identifies Chordiant Foundation as the cause of an outage, IBM will notify SLA Manager who will provide Supplier staff to resolve product issues based on the following:
 
a.  
Severity 1: Supplier provides staff to resolve problem on 7X24 basis until resolution or IBM agrees problem is not caused by Supplier product.
 
b.  
Severity 2 and 3: Supplier provides staff to resolve problem on 5 X 8 basis until resolution or IBM agrees problem is not caused by Supplier product.
 
6.  
If Supplier causes IBM to miss a CIGNA Service Level which causes IBM to pay a Service Level Credit, Supplier will refund IBM the percentage of the Annual Maintenance Charge set forth below during the following fiscal quarter:
 
a.  
Supplier’s monthly amount at risk is [*] % of the Annual Maintenance Charges paid by IBM
 
b.  
Supplier’s penalty exposure will be limited to no more than one occurrence per month.
 
c.  
IBM will have no more then one month from the end of the fiscal quarter of a missed CIGNA Service Level to request that Supplier refund a percentage of the Annual Maintenance Charge.
 

7.  
Root Cause Analysis. The Root Cause Analysis shall be completed for all Severity 1 issues and for other severity levels upon IBM’s request. If Supplier product is identified as a contributor to a Severity 1 issue, Supplier SLA Manager will participate in the Root Cause Analysis and assist IBM with documenting the following:
 
§  
What happened?
§  
Why did it happen?
§  
What was done to correct the problem?
§  
What was the business impact?
§  
What's being done to prevent recurrence?

Supplier shall make commercially reasonable efforts to determine the exact root cause for all Severity 1 issues. The root cause analysis shall be completed and available to CIGNA within 5 business days after completion of a workaround or fix.

Supplier shall perform a post evaluation for all Severity 1 issues. The post evaluation shall determine if preventative measures can be enacted to avoid the outage in the future. The post evaluation shall contain a detailed description of the scope and scale of work, the estimated costs and estimated timeframe for implementing the preventive measures.

8.  
DEFINITIONS
 
a.  
Availability”: The aggregate number of hours in any month during which each defined and supported system to be measured for the Service Level is actually available, excluding Scheduled Hours of Operational Downtime.
 
b.  
Business Days”: means Monday through Friday, excluding CIGNA designated holidays during which time the Call Centers are not in operation.
 
c.  
Business Hours”: shall mean (whether capitalized or not) the hours of operation as defined on Eastern Time.
 
d.  
CCA Application”: is defined as the desktop plus the call center interaction history plus Chordiant Foundation.
 
e.  
Normal System Hours of Operation” shall mean 24 x 7 (excluding Scheduled Maintenance and other mutually agreed periods).
 
f.  
Prime Shift”: shall mean 06:00 to 22:00 Eastern Time on Business Days.
 
g.  
Reporting Prime Shift” shall mean 07:00 to 22:00 Eastern Time on Business Days.
 
h.  
Problem Resolution Hours of operation”: Unless specifically stated, Vendor shall work to resolve reported or identified problems on the following work schedule:
 
i.  
Severity 1: 7x24
 
ii.  
Severity 2, 3, 4: Monday through Friday, 7:00 AM to 6:00 PM local time excluding CIGNA holidays, except in cases of Network Data where the operations is to be staffed 24x7
 
iii.  
Service Requests: Monday through Friday, 8:00 AM to 5:00 PM local time excluding CIGNA holidays
 
i.  
Resolve or Resolution”: To correct an Incident or Problem for which Supplier is responsible with either a permanent solution or an interim work around solution. Supplier may, with IBM’s approval, defer the implementation of a Resolution to a mutually agreed time (e.g. implementation of a new software fix or release) beyond the Service Level Agreement.
 
j.  
Severity Definitions
 
Severity Level
Definition
Severity 1 (Highest Impact)
 
Service impacts to an ENTIRE facility, business unit, or system
• A critical system service or critical path process, or an entire network or application is disrupted and is impacting the business.
• Timely resolution is essential to minimize financial loss or missed sales.
• An entire business unit is down or a network or major system is down and is impacting the business.
• When a problem occurs that has the potential for impacting a process or business function at a later time, and requires immediate resolution and/or assistance from another support group.
Severity 2 (High Impact)
 
Service impact to a PORTION of a business unit, or facility;
 
Or Entire team/business unit is missing a PORTION of a critical component or application
• A system service, network, or application is available, but with severe restrictions that impact the ability of a portion of a business unit to complete their work.
• Bypass or work-around is available, and work is continuing with significant inconvenience.
• Timely resolution is essential to avoid financial loss or missed sales.
• When a problem occurs that has the potential for impacting a process or business function at a later time, and requires immediate resolution and/or assistance from another group.
Severity 3
 
(Moderate Impact) An INDIVIDUAL or small group of individuals is unable to perform job functions.
• Unable to perform non-critical business functions.
• No significant impact to revenue or sales.
Severity 4 (Low Impact)
 
An INDIVIDUAL is able to perform job functions with a work around or some minor inconvenience.
• Problem has a low business impact, if any.
• A minor impact to an individual.


 


 
 

 

EXHIBIT 2

On Premises Guidelines
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises will comply with this Section.

2.1 Access to Premises
For Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises, Supplier will:
1.  
to the extent permitted by local law, conduct a preemployment criminal background check, which must be completed prior to placement at Buyer’s or Buyer’s Customer’s premises, covering the counties in which the person was employed or resided for the past seven years (or longer as required by State legislation), and inform Buyer of any negative findings;
2.  
maintain a current and complete list of the persons' names and social security numbers;
3.  
obtain for each person a valid identification badge from Buyer and ensure that it is displayed in order to gain access to and at all times while on Buyer’s premises (it is Buyer's policy to deactivate any such badge if not used for one month);
4.  
maintain a signed acknowledgment that each person will comply with Buyer’s On Premises Guidelines;
5.  
ensure that each person with regular access to Buyer's and Buyer’s Customer’s premises complies with all parking restrictions and with vehicle registration requirements if any;
6.  
inform Buyer if a former employee of Buyer will be assigned work under this Agreement, such assignment subject to Buyer approval;
7.  
at Buyer's request, remove a person from Buyer’s or Buyer’s Customer’s premises and not reassign such person to work on Buyer's or Buyer’s Customer’s premises (Buyer is not required to provide a reason for such request); and
8.  
notify Buyer immediately upon completion or termination of any assignment and return Buyer’s identification badge. Upon Buyer’s request, Supplier will provide documentation to verify compliance with this Subsection.

2.2 General Business Activity Restrictions
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises:
1.  
will not conduct any non-Buyer related business activities (such as interviews, hirings, dismissals or personal solicitations) on Buyer's or Buyer’s Customer’s premises;
2.  
will not conduct Supplier's Personnel training on Buyer’s or Buyer’s Customer’s premises, except for on-the-job training;
3.  
will not attempt to participate in Buyer or Customer benefit plans or activities;
4.  
will not send or receive mail unrelated to Buyer or Customer through Buyer's or Customer’s mail systems; and
5.  
will not sell, advertise or market any products or distribute printed, written or graphic materials on Buyer's or Buyer’s Customer’s premises without Buyer's written permission.

2.3 Buyer’s Safety and Security Guidelines
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises:
1.  
do not bring weapons of any kind onto Buyer's or Buyer’s Customer’s premises;
2.  
do not manufacture, sell, distribute, possess, use or be under the influence of controlled substances (for nonmedical reasons) or alcoholic beverages while on Buyer's or Buyer’s Customer’s premises;
3.  
do not have in their possession hazardous materials of any kind on Buyer's or Buyer’s Customer’s premises without Buyer's authorization;
4.  
acknowledge that all persons, property, and vehicles entering or leaving Buyer's or Buyer’s Customer’s premises are subject to search; and
5.  
remain in authorized areas only (limited to the work locations, cafeterias, rest rooms and, in the event of a medical emergency, Buyer's or Buyer’s Customer’s medical facilities). Supplier will promptly notify Buyer of any accident or security incidents involving loss of or misuse or damage to Buyer's or Buyer’s Customer’s intellectual or physical assets, physical altercations, assaults, or harassment and will provide Buyer with a copy of any accident or incident report involving the
6.  
above. Supplier must coordinate with Buyer or Buyer’s Customer access to Buyer’s or Buyer’s Customer’s premises during non-regular working hours.

2.4 Asset Control
In the event Supplier Personnel have access to information, information assets, supplies or other property, including property owned by third parties but provided to Supplier Personnel by Buyer ("Buyer Assets"), Supplier Personnel:
1.  
will not remove Buyer Assets from Buyer's or Buyer’s Customer’s premises without Buyer's authorization;
2.  
will use Buyer Assets only for purposes of this Agreement and reimburse Buyer for any unauthorized use;
3.  
will only connect with, interact with or use programs, tools or routines that Buyer agrees are needed to provide Services;
4.  
will not share or disclose user identifiers, passwords, cipher keys or computer dial port telephone numbers; and
5.  
in the event the Buyer Assets are confidential, will not copy, disclose or leave such assets unsecured or unattended. Buyer may periodically audit Supplier's data residing on Buyer's information assets.
2.5 Supervision of Supplier's Personnel
Supplier will provide continual supervision of its Personnel provided under this Agreement, at no additional cost to Buyer. Supplier's supervisor shall have full supervisory authority over all day-to-day employment relationship decisions relating to Supplier’s Personnel, including those decisions relating to: wages, hours, terms and conditions of employment, hiring, discipline, performance evaluations, termination, counseling and scheduling. Supplier's supervisors responsible for each work location will be responsible to know that work location’s planned holiday (and other closing) schedules and the impacts that all such schedules have on Supplier's Personnel. Supplier will conduct orientation sessions with its Personnel before placement on an assignment with Buyer, during which orientation such Personnel will be told the identity and contact information of their supervisor. Supplier will, from time to time, ensure that all of its Personnel working under this Agreement continue to be aware of this information.Electronic Funds Transfer
Certificate of Originality


 
 

 

EXHIBIT 3 Service Locations

IBM/CIGNA Service Locations: The following locations are identified as authorized IBM/CIGNA service locations.


CIGNA Service Locations for CCA
 
Site Address
[*]
[*]
[*]



 
 

 

EXHIBIT 4 - Permitted Subcontractors

Ness

[*]

[*]

 
  
 
 
  
 
 

 
 
 
  
 
 
  
 
 
  
 
 
  EXHIBIT 4-C
 
 

 
 
  Security and Data Safeguards
 
 
  
 

       
       


 
 

 


 
  Exhibit 4-C
 
 
  Security and Data Safeguards
 

 
 
Introduction
 
 
Vendor shall provide security controls and safeguards, and shall follow security procedures, at all Vendor Service Locations and in connection with all Systems and Services (whether dedicated or shared) that at a minimum comply with the requirements set forth in this Exhibit 4-C and the General CIGNA Policies set forth in Exhibit 4-C-1, as such requirements are more specifically defined in the Detailed CIGNA Policies set forth in Exhibit 4-C-2, unless, with respect to a specific SOW, different or additional requirements are set forth in such SOW. In the event that the specific security requirements are not set forth in the Detailed CIGNA Policies, then the Parties shall use this Exhibit 4-C and the General CIGNA Policies to establish Vendor’s obligations.
 
 

 
 
CIGNA may update the ISCD from time to time upon notice to Vendor and, subject to the Change Control Procedure, Vendor shall implement and comply with the updated ISCD, subject to the following:
 
 

 
 
1. In a dedicated or shared environment, Vendor shall bear the cost of any changes that are any one or more of the following:
 
 
 
 
 
(a) evolutionary changes related to security specific issues, such as upgrades, new releases and versions of existing technology or safeguards (e.g., updating anti-virus software, security patches);
 
 

 
 
(b) changes that are a direct result of changes mandated by Vendor regulation or Vendor Law; and
 
 

 
 
(c) changes consistent with generally accepted changes made by other companies in the healthcare industry: (i) if implemented by Vendor and given to its customers at no additional charge or; (ii) which changes shall be chargeable to CIGNA; provided, however, such charge shall be: (A) equitably reduced to reflect any leverage that Vendor may gain by providing such changes to multiple Vendor customers in the healthcare industry; and (B) paid from monies extracted from a fund that CIGNA shall, as of the MSA Effective Date, establish, fund and govern and which Vendor shall manage (the “Security Mitigation Fund”). Any such changes will be discussed by the Parties and made pursuant to the Change Control Procedure.
 
 

 
 
2.  In the event that CIGNA makes a change to the ISCD that would require Vendor to make a change to a shared environment and such change is unique to CIGNA (and not generally implemented by other companies), then Vendor shall: (a) provide a proposal to CIGNA identifying the costs and implications of the change, and upon CIGNA approval, make the change, or (b) upon notice to CIGNA, not make the change but advise CIGNA of the costs of moving to a dedicated environment, or (c) if CIGNA does not wish to move to a dedicated environment, Vendor shall provide a proposal to identify the costs to implement safeguards and practices that mitigate CIGNA’s security concerns, and upon approval by CIGNA, implement such safeguards and practices. 
 
 

 
 
3. Vendor shall obtain CIGNA’s review and comment prior to the implementation of any changes in a shared environment that would materially degrade the level of security safeguards and practices provided to CIGNA. If Vendor were to implement any change that materially degrades the level of security safeguards and practices provided to CIGNA, Vendor will reverse such change and continue to provide Services in accordance with applicable Service Levels. Vendor may propose, however, for CIGNA’s review and approval, alternatives which would not require the reversal of such change, but shall allow Vendor to continue to provide Services in accordance with applicable Service Levels. If CIGNA does not approve any alternative, Vendor shall reverse the change and continue to provide Services in accordance with the Service Levels. Except as provided in paragraph 2 above, the costs of all changes in a shared environment shall be borne by Vendor.
 
 

 
 
Definitions
 
 
“External User” shall mean any user that is a CIGNA customer that accesses CIGNA’s systems .
 
 
“Information Security Controls Document or “ISCD” shall mean this Exhibit and the General CIGNA Policies Exhibit 4-C-1) and Detailed CIGNA Policies (Exhibit 4-C-2), unless, with respect to a specific SOW, different or additional requirements that are set forth in such SOW. The Information Security Controls Document shall be deemed CIGNA’s Confidential Information under the Agreement.
 
 
“Vendor Network” shall mean the system under Vendor’s or Vendor agents’ control that transmits any data, voice and/or video alone or in combination or is otherwise used to provide the Services, either within Vendor or between Vendor and CIGNA, including the network operating system in the Vendor client and server machines, the cables connecting them and all supporting hardware including without limitation bridges, routers and switches.
 
 
“CIGNA Network” shall mean the system under CIGNA’s or its contractor’s control that transmits any data, voice and/or video alone or in combination that are within the scope of the Services, either within CIGNA or between CIGNA and the Vendor Controlled Router as defined in Schedule K (Business Continuity) of the applicable Statement of Work, including the network operating system in the CIGNA client and server machines, the cables connecting them and all supporting hardware including without limitation bridges, routers and switches.
 
 
Remediate” shall mean to alleviate the security issues so that they are no longer a threat (and if not feasible to completely remove the threat, to minimize the threat to a level acceptable to CIGNA, with CIGNA using reasonable discretion), however, it shall not mean alleviating the effects resulting from the security issue.
 
 

 
 
Capitalized terms used herein without specific definition shall have the respective meanings given to them in the Agreement.
 

3. CIGNA Data

3.1 Data Safeguards.

3.1.1 Vendor shall establish and maintain safeguards against the destruction, loss, or alteration of CIGNA Data in the possession of, used or viewed by Vendor that are no less rigorous than those set forth in the ISCD. If the ISCD does not cover certain security control, safeguards or procedures, then Vendor shall implement, comply with and follow controls, safeguards and procedures that are consistent with current generally accepted controls, safeguards and procedures in the healthcare industry. Vendor personnel shall not attempt to access, and shall not allow access to, CIGNA Data to which it is not entitled or that is not required for the performance of the Services by Vendor personnel. Vendor shall institute systems security measures to guard against the unauthorized access, alteration, destruction or loss of CIGNA Data.

3.1.2 Vendor shall Remediate and resolve security issues, at Vendor’s expense (provided it shall be at CIGNA’s expense if and to the extent the issue was caused by CIGNA (i.e., CIGNA is at fault)), identified at Vendor Service Locations or in connection with the Systems or Services located at Vendor Service Locations or managed or controlled by Vendor. This extends to any CIGNA approved Service Locations contracted by Vendor. As part of the Services and at a minimum on an annual basis, Vendor shall (at CIGNA’s request and at Vendor’s cost, except as provided in clause (y) immediately below), provide a report regarding security controls across all of the Services, such report to be carried out by an independent third party appointed by Vendor and approved by CIGNA. The scope of work performed by such third party: (a) shall be valued at the lesser of: (i) Vendor’s actual, out-of-pocket costs to contract for the performance of such work; and (ii) $75,000; provided, however, that: (x) if Vendor’s actual, out-of-pocket cost on an annual basis is less than $75,000, CIGNA shall receive a credit for the difference between such cost and $75,000; and (y) if the Parties mutually agree to scope(s) of work valued in the aggregate at an amount greater than $75,000, CIGNA shall be financially responsible for the difference between such greater amount and $75,000; and (b) shall measure (through identification and testing of controls) against the Information Security Control Document and the terms of the report shall be determined by Vendor.. If CIGNA is dissatisfied by such reports, CIGNA may, at any time, but no more than twice in any consecutive 12 calendar months, carry out or have carried out a security audit of the Services at CIGNA’s cost, the scope and terms of the report to be agreed between the Parties and upon Vendor receiving appropriate assurances that any of the Vendor Confidential Information shall not be compromised. CIGNA's ability to perform security audits shall not be limited by CIGNA business processing that occurs on non-dedicated (i.e. shared) vendor devices, or by work areas that are not dedicated and isolated to CIGNA business.
 
3.1.3 Vendor shall deploy a network and host-based, real-time intrusion detection system and vulnerability assessment process that is consistent with the ISCD. Vendor shall actively monitor these systems and processes for activities that indicate attempts at breaking the security of the services provided and follow notification procedures identified in the Security Incident Service Level set forth in the applicable Statement of Work or Exhibit 2,if any, of the MSA. Along with the deployment of these controls, Vendor shall adopt and follow Vendor’s operational procedures ( or as otherwise agreed to and described in the procedures manual) to disable the source of any perceived attack, Remediate vulnerabilities and escalate to Vendor and CIGNA security groups for follow-up action. For purposes of clarity, “vulnerability assessment process” means a process that tests for known vulnerabilities and produces an evaluation of findings against such vulnerabilities.

3.1.4 CIGNA reserves the right to review Vendor’s policies and procedures used to maintain the security and confidentiality of personal information, including auditing Vendor concerning such policies and procedures.

3.1.5 Vendor must maintain security controls that have been attested to CIGNA in CIGNA’s Service Provider questionnaires and/or during CIGNA standard Service Provider audits to the level as attested. Vendor must report any changes to the control environment immediately to CIGNA.

3.1.6  Design, implementation and integration of all Services shall be consistent with the Information Security Control Document, unless otherwise set forth in the applicable SOW. Connectivity and infrastructure used to provide access to CIGNA systems and/or CIGNA data must meet applicable security controls (encryption, access controls, etc) as defined in the Information Security Controls Document.

3.1.6.1. Design, (All) User Access. Password composition and management policies must comply with or exceed those in the Information Securities Control Document.

·  
Role Based Access Controls (RBAC) authorization models must be utilized for access to information resources as documented in the Information Securities Control Document.

·  
Ongoing administration and lifecycle management must be in accordance with the Information Security Control Document.

3.1.6.2. Design, Internal User Access.
·  
Reasonable effort shall be made to integrate with CIGNA internal authentication and authorization mechanisms. Integration with CIGNA's Enterprise Security Framework is required (TIM/TAM/FIM), where those services can be reasonably expected to fill architecture requirements

3.1.6.3 Design, External User Access.
 
·  
All external users must be provided with a one time ID and ‘PIN’ for initial access authentication and authorization; for which the PIN is randomly generated and sent via out-of-band mechanisms such as U.S./International mail (communication via E-mail is NOT an accepted method).
 
·  
Support requirements for browsers that support 128 bit encryption in communications to CIGNA end-users.
 
3.1.6.4 Virtualization, Co-location.

·  
Data repositories used to store user information must not be hosted on shared systems that do not meet the requirements of the Information Security Controls Document.

3.1.6.5 Off - Shore Information Protection.

The following agreements augment but do not exclude other provisions in the MSA or a SOW:

·  
Vendor shall not store any CIGNA data classified by CIGNA as Restricted or Highly Sensitive outside of the continental United States except as outlined in the Information Security Controls Document. In support of the Vendor Service Locations outside the United States, Vendor shall ensure the following controls implemented:

(a) If offshore facility is NOT controlled by Vendor, and employees in the facility are NOT employed by Vendor, then the Vendor shall provide a physically isolated, network isolated area for customer service representatives (CSR) handling CIGNA calls;

(b) CIGNA provided and CIGNA managed desktop lockdown software (currently Verdasys Digital Guardian) shall be installed on all Vendor PC’s accessing CIGNA data classified by CIGNA as Restricted or Highly Sensitive. The software policy shall be managed by CIGNA or it’s vendor, and shall be configured to monitor and/or restrict a workstation user’s ability to move, print or upload CIGNA information.

(c) Vendor CSR’s servicing CIGNA shall perform their duties only from within the approved vendor facility,
 
(d) Workstation IDs , antivirus, and personal firewalls must be deployed, managed, and actively audited as outlined in the Information Security Controls Document;

(e) User level audit logging of CIGNA/CSR activity must be enabled, and available to CIGNA upon request. Retention periods must meet CIP policy (90 day raw logs, 6 year incident/activity reporting). Audit logging shall be performed for those activities specified in the Information Security Controls Document.

3.2 Backup Security. CIGNA shall have the right to establish additional Data backups (as a supplement to any of Vendor’s obligations under a SOW) for any Data and to keep backup copies of this Data in CIGNA’s possession. Should CIGNA choose to exercise its rights under this Section 3.2, related expenses shall be borne by CIGNA.

3.3 Media. No media on which CIGNA Data is stored may be used or re-used to store data of any other customer of Vendor or to deliver data to a third party, including another Vendor customer, unless Vendor first implements procedures described in the Detailed CIGNA Policies.

3.4 Breach of Security. In the event Vendor or Vendor Agents discovers or is notified of a breach or potential breach of security controls relating to the CIGNA Data, Systems or Infrastructure under Vendor’s or Vendor Agent’s control, Vendor shall immediately (a) notify the CIGNA Engagement Manager and CIGNA Security Incident Response Team (CSIRT) of such breach or potential breach and (b) if the applicable CIGNA Data was in the possession of Vendor or Vendor Agents at the time of such breach or potential breach, Vendor shall (i) investigate and Remediate the breach or potential breach and (ii) provide CIGNA with assurance satisfactory to CIGNA that such breach or potential breach shall not recur.

 
 
4.0 Security Management
 
 
Vendor shall:
 
 
provide an Vendor Information Security Advisor (or ISA) as focal point with responsibility for day-to-day security management who is a security subject matter expert;
 
 
in conjunction with CIGNA, review security policies and procedures that impact the Vendor software and vendor equipment for effectiveness, and recommend improvements, including control improvements;
 
 
review changes requested by CIGNA to its security policies and standards and advise CIGNA whether or not such changes can be implemented, if Vendor does not implement the changes requested by CIGNA, Vendor shall implement mitigating controls approved by CIGNA, and such change shall be handled in accordance with the Change Control Procedures;
 
 
communicate the security procedures to Vendor Personnel accessing CIGNA applications and/or network (for example, login procedures, password requirements, use of anti virus programs, and data and equipment security procedures); and
 
 
notify CIGNA of any condition discovered or known by Vendor that is likely to affect negatively the confidentiality, integrity, or availability of CIGNA’s information, CIGNA’s ability to use an Vendor provided application or Vendor’s ability to access CIGNA data.
 
 
CIGNA shall:
 
 
provide a CIGNA security subject matter expert focal point individual with responsibility for day-to-day security management;
 
 
communicate the security procedures to CIGNA end users (for example, login procedures, password requirements, use of anti virus programs, data and equipment security procedures);
 
 
in conjunction with Vendor, review security policies and procedures for effectiveness and recommend improvements; and
 
 
notify Vendor of changes CIGNA plans to make to its security policies and standards and the changes to be implemented by Vendor.
 

 
 
5.0 Physical Security
 
 
Vendor shall, to the level or standard specified in the Information Security Controls Document:
 
 
provide physical security controls at Vendor Service Locations;
 
 
restrict access to data processing areas for which Vendor has security responsibility to authorized personnel only as defined in the Information Security Controls Document;
 
 
conduct periodic reviews of the data processing areas for which Vendor has security responsibility including reviews of access logs for unusual occurrences and perform follow-up activities in accordance with the procedures specified in the Information Security Controls Document;
 
 
protect Vendor Network devices on Vendor's premises from any unauthorized access;
 
 
protect printed output from unauthorized access or removal while under Vendor's control;
 
 
provide secure storage for removable storage media under Vendor's control;
 
 
resolve discrepancies discovered during the annual removable storage media audit and inform and obtain acceptance from CIGNA on the resolution;
 
 
implement controls as set forth in the ISCD (and if not set forth therein consistent with current generally accepted practices in the healthcare industry) that are designed to eliminate residual information on removable storage media before disposal or reuse outside of CIGNA;
 
 
during the Transition Period, with CIGNA's assistance, perform a baseline inventory of removable storage media (for example, tapes, disks) for which Vendor has security responsibility.
 
 
CIGNA shall protect LAN servers and infrastructure devices on CIGNA premises from unauthorized physical access.
 
 

 
 
6.0 Network Infrastructure Security
 
 
Vendor shall for equipment under its control:
 
 
control the network operating system security and administrative user IDs;
 
 
provide and maintain current virus avoidance, detection, and elimination software for supported servers in conjunction with the ISCD standards utilizing Vendor approved packages. Virus protection software shall have an automated mechanism for updating the virus definitions, implementing current definitions within 8 hours of issuance by vendor (unless security risk mandates faster deployment);
 
 
perform audits of media (for example, diskettes) and Vendor End User equipment potentially affected by a virus;
 
 
monitor virus protection software alerts, follow notification procedures identified in the Security Incident Service Level set forth in the applicable Statement of Work or Exhibit 2, if any, of the MSA, respond to virus attacks and initiate corrective action to eradicate viruses as detected; and
 
 
remove and/or render inoperable unneeded services.
 
 

 
 
7.0 Data Network
 
 
Vendor shall:
 
 
use Change Control Procedures to control changes to Vendor managed devices used to connect the Vendor network to the CIGNA network. Changes to hardware and/or software must be planned in advance, communicated to CIGNA in advance, and thoroughly tested before being placed into production. Back-out and restoration must be part of the plan and sufficient time must be allocated for restoration to be accomplished;
 
 
validate that access to CIGNA systems is limited to authorized Vendor Personnel, including Vendor agents CIGNA approved Subcontractors, utilizing security controls as described in the Information Security Controls Document;
 
 
encrypt traffic traveling across the Vendor network to CIGNA (and visa versa) network as specified in the Information Security Controls Document
 
 
CIGNA shall provide security to only allow authorized users to access services hosted at Vendor Service Locations.
 

 
 

 

EXHIBIT 4-C-1
 
GENERAL CIGNA POLICIES
 
Vendor shall perform an annual risk assessment across all Services under the MSA intended to identify information resources that require protection. Assessment shall be based upon a mutually agreeable assessment plan, to understand and document risks from security failures that may cause loss of confidentiality, integrity, or availability. Risk assessments shall document the potential adverse impact to CIGNA's operations, and assets. This risk assessment shall be conducted by a team composed of appropriate representatives from Vendor and CIGNA and other personnel associated with the activities subject to assessment. Vendor shall identify resolutions to address issues or risks identified from this assessment within a reasonable timeframe and Vendor shall prepare a proposal in accordance with the Change Control Procedure to Remediate such issues or risks; provided, however, that if the assessment reveals required Remediation due to Vendor nonperformance of its obligations under Exhibit 4-C or the MSA, then such Remediation shall be at Vendor’s expense. The Parties will work together in good faith to approve and implement the proposal prior to any regulatory or legally mandated deadlines.  
 
The sensitivity of a resource, and therefore the level of security controls required, depends upon the sensitivity of the data retained by or accessible through the information resource, as defined in the Detailed CIGNA Policies. CIGNA, as the data owner is the authority on any data classification assignments and the approver for access.

Vendor shall utilize the procedures described in the ISCD (whether or not included in the Procedures Manual) to ensure that the release of data is to only authorized users and is accompanied with proper instructions regarding appropriate use, protection, disposal and removal from premise.

Any CIGNA information classified as proprietary, restricted, or highly sensitive is to be isolated at rest from any other customer’s data. This information is required to be encrypted if the information can be accessed by Parties not working on the CIGNA account as set forth in the Detailed CIGNA Policies. All tape backups must contain only CIGNA information. Tapes and tape backups transported from Vendor Service Locations or located at sites other than Vendor Service Locations must be encrypted. All other storage media must maintain an isolation of CIGNA's information from other customer’s information and/or access, including portable media

CIGNA retains all rights to audit facilities, applications, systems and transports where CIGNA information resides or is transported. Audit times and frequency are at the discretion of CIGNA. Entry and exit logs to facilities that have CIGNA information classified as proprietary, restricted, or highly sensitive must be made available on request.

All privileged access to CIGNA information must be logged and reviewed on a quarterly basis. This would include, but not limited to, all DBA, System Administrator and support personnel access to information. All logs so generated are to be protected to ensure integrity and non-repudiation.

All external facing systems containing CIGNA information are required to pass quarterly penetration testing by third party. All internal systems are required to pass a vulnerability scan quarterly. Vendor will perform necessary measures to address non-compliance or vulerability issues (e.g., resulting from scans) and follow notification procedures identified in the Security Compliance/Vulnerabilty Issue Service Level set forth in the applicable Statement of Work or Exhibit 2, if any, of the MSA.

All security software used by vendor must stay within the software vendor’s definition of currently supported software with all relevant security patches applied.

With the exception of virus protection software, Vendor will implement current signatures/rules for security components within 2 weeks of issuance by security component vendor (unless security risk mandates faster deployment).

Vendor will consider failure of any security hardware or software component (e.g., network intrusion detection failure, virus protection software stoppage, etc.) as a high (Severity 1) alert and follow notification procedures identified in the Security Incident Service Level set forth in the applicable Statement of Work or Exhibit 2, if any, of the MSA.

Vendor will support mechanism for CIGNA to access alert data (e.g., from virus protection, intrusion detection, etc.) at near real time.

Any remote access via either a shared or public network to a device processing CIGNA information requires a dual factor authentication method.

Vendor shall notify and CIGNA must approve all infrastructure and facility changes that impact CIGNA's risk profile including: moving to new facility or changing network configuration.

All systems and designs must implement a Role Based Access Control (RBAC) authorization model that leverages CIGNA definitions and roles where possible. This would include fine grain authorization within the application. This information must be kept current and available in documented form for review and/or audit.

All Design must include, test and validate safeguards addressing the following data protections:
·  
Controls to support necessary access requirement
·  
Protection of data in transit and at rest
·  
Mechanisms and methods to audit systems and configurations
·  
Leverage CIGNA current security framework such as TAM, TIM, and FIM.
·  
Mutual authentication with authorization between application components

Vendor must ensure data protection follows a “Defense in Depth” philosophy. Security services which provide optimal Availability, Confidentiality, Integrity and Non-Repudiation should be implemented based upon agreed upon risk evaluation

Only production equipment shall run in the production environment. Test, development, staging, and training must be physically or virtually separated (segmented) from the production environment. The production environment must be monitored to insure only Production systems are in the Production environment.

Vendor shall not use production data (real data) outside of the production environment.

Vendor sites/locations must pass a CIGNA External Service Provider review before hosting or processing CIGNA information.

All system designs must be documented with security controls identified. These designs must pass CIP approval before construction.

 
 

 


 

 

 

 
EXHIBIT 10
 






Form Non-Disclosure and Assignment Agreement

 
 

 

EXHIBIT 10

Form Non-Disclosure and Assignment Agreement

 
THIS NON-DISCLOSURE AND ASSIGNMENT AGREEMENT (this “Agreement”), dated as of this ____ day of ____________, 200__, is entered into by and between Chordiant Software, Inc. (“Chordiant”) and [insert Chordiant employee or contractor full name]
 

 
 
W I T N E S S E T H:
 
 
WHEREAS, my full name is [insert Chordiant employee or contractor full name] and I am employed by or acting as a consultant to Chordiant;
 
 
WHEREAS, IBM provides certain services (the “Services”) to Connecticut General Life Insurance Company, its affiliates and certain other entities designated by Connecticut General Life Insurance Company (collectively, “CIGNA”) under that certain Master Services Agreement by and between CIGNA and IBM, dated as of September 28, 2006 (the “MSA”);
 
 
WHEREAS, Chordiant provides certain services to IBM under that certain Statement of Work by and between Chordiant and IBM dated as of September 28, 2006 (the “SOW”) on behalf of CIGNA;
 
 
WHEREAS, Chordiant provides licenses and rights to CIGNA pursuant to a certain agreement between Chordiant and CIGNA dated as of September 28, 2006 (the “CIGNA Agreement”);
 
 
WHEREAS, CIGNA possesses certain Confidential Information (as defined below) relating to its business processes, products and technology;
 
 
WHEREAS, I understand and agree that I will have access to such Confidential Information during my [employment] [consultancy] with Chordiant; and
 
 
NOW THEREFORE, in consideration for and as a condition to my assignment to the CIGNA account, I agree to be bound by the terms set forth herein.
 

 
1.  
Definition of Confidential Information. As used herein, “Confidential Information” shall mean any and all materials, information, processes, methodologies, tools, software programs, code, intellectual property and other data, technical or non-technical, whether written, electronic, graphic or oral, furnished or disclosed by CIGNA or on CIGNA’s behalf to you (by IBM or otherwise), either directly or indirectly, with the exception only of the following: (a) information that is now in the public domain or subsequently enters the public domain through no fault or act of the receiving party; (b) information that is presently known or becomes known to the receiving party from its own independent source as evidenced by the receiving party; (c) information that the receiving party receives from any third party not under any obligation to CIGNA to keep such information confidential; (d) information that is independently developed by the receiving party as proven by the receiving party’s written records; and (e) as otherwise allowed in the SOW and the MSA.
 
2.  
Non-Disclosure Obligations. I hereby understand and agree:
 
(a)  
To use the same care and discretion to avoid disclosure, publication or dissemination of Confidential Information as I use with respect to Chordiant’s own similar information that it does not wish to disclose, publish or disseminate and use Confidential Information solely to the extent required to fulfill Chordiant’s obligations under the SOW and IBM’s obligations or exercise IBM’s rights under the MSA.
 
(b)  
Not to deliver to or disclose or otherwise make available to anyone any Confidential Information except as authorized in the SOW and the MSA.
 
(c)  
Except as otherwise expressly stated in this Agreement, not to disclose the existence of this Agreement, any of the activities which may take place pursuant to this Agreement, the relationship formed, if any, under this Agreement or the other party’s interest in the subject matter to which this Agreement relates, to anyone except those employees of Chordiant, CIGNA and IBM with a need to know unless authorized in the SOW and the MSA.
 
(d)  
That Confidential Information delivered by CIGNA (or by IBM, on CIGNA’s behalf), and all copyright, patent, and other proprietary rights therein, shall remain property of CIGNA or its direct and indirect subsidiaries and affiliates, as the case may be, at all times.
 
(e)  
Nothing contained herein shall be construed as: (i) granting to me any right, title or interest in or to, or any license under, any patent or patent application, now or subsequently owned by CIGNA or IBM or their respective designees; and (ii) granting to me any right, title or interest in or to, or any license under Confidential Information provided by CIGNA (or by IBM, on CIGNA’s behalf).
 
(f)  
Upon Chordiant’s completion of Services to IBM and CIGNA, or IBM’s completion of Services to CIGNA, or upon CIGNA or IBM’s earlier request: (i) I shall immediately cease using the Confidential Information; and (ii) return Confidential Information (including all copies and summaries thereof) to CIGNA (or IBM, on CIGNA’s behalf), or, at the CIGNA’s option, destroy the same promptly after a written or oral demand. Upon CIGNA or IBM’s request, I shall certify to the requesting party in writing that I have complied with my obligations under this paragraph.
 
3.  
Assignment Obligations. I hereby understand and agree:
 
(a)  
That during the course of my employment, I may work on and be a part of the development of technology, processes, methodologies, and other work product for CIGNA (or IBM, on CIGNA’s behalf). In accordance with the provisions of the SOW and the CIGNA Agreement, I hereby assign to Chordiant any technology, processes, methodologies, and other work product developed by me and such technology, processes, methodologies, and other work product which shall become the sole and absolute property of Chordiant to enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement and for IBM to meet its obligations to CIGNA under the MSA.
 
(b)  
That any and all inventions, improvements, discoveries, technologies, processes, methodologies, and other work product developed or discovered by me as a result [of my employment at] [or consultancy with] Chordiant shall be fully disclosed to Chordiant (or IBM, on CIGNA’s behalf, as required by the MSA), and in accordance with the provisions of the SOW I hereby assign the same to Chordiant, CIGNA and IBM, respectively, and the same shall become the sole and absolute property of Chordiant to enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement and for IBM to meet its obligations to CIGNA under the MSA. Upon the request of IBM or CIGNA, I shall execute, acknowledge, and deliver such assignments and other documents as Chordiant, IBM or CIGNA may consider necessary or appropriate to vest all rights, titles, and interests therein to enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement and to enable IBM to meet its obligations to CIGNA under the MSA.
 
4.  
Remedies. I hereby understand and agree:
 
(a)  
That unauthorized use or disclosure of Confidential Information may likely result in substantial monetary and other damages to CIGNA (or IBM, on CIGNA’s behalf) and their respective direct and indirect subsidiaries and affiliates and will subject me to disciplinary action, including termination of employment, and civil and criminal legal proceedings.
 
(b)  
That the unauthorized use or disclosure of Confidential Information may give rise to irreparable injury to CIGNA (or IBM, on CIGNA’s behalf) and acknowledge that remedies other than injunctive relief may not be adequate. Accordingly, IBM and CIGNA and their respective direct and indirect subsidiaries and affiliates have the right to seek equitable and injunctive relief to prevent the unauthorized disclosure of Confidential Information.
 
5.  
Miscellaneous. I hereby understand and agree:
 
(a)  
This Agreement embodies the entire understanding between the parties as to the subject matter of this Agreement and supersedes and replaces any and all prior understandings, arrangements and agreements whether oral or written relating to the Confidential Information. The terms of this Agreement shall not be amended or modified except in writing signed by each of Chordiant and me.
 
(b)  
The provisions of this Agreement shall survive the expiration or termination of the MSA and the SOW for a period of seven (7) years.
 
(c)  
This Agreement is a personal, indivisible, nontransferable agreement and may not be assigned or transferred, in whole or in part, by either party.
 
(d)  
CIGNA shall be an intended third party beneficiary of this Agreement but only as to individuals who are no longer employed by Chordiant or retained as a consultant by Chordiant.
 
(e)  
This Agreement shall be governed by, and construed and interpreted in accordance with, the laws of the State of New York, without respect to its rules on the conflict of laws.
 
[REMAINDER OF PAGE LEFT INTENTIONALLY BLANK]
 

 
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their duly authorized officers as set forth below.

CHORDIANT SOFTWARE, INC.
[insert Chordiant employee or contractor full name]
   
   
By:      
By:      
   
Name:      
Name:      
   
Title:      
Title:      
   
Date:      
Date:      
   


 
 

 









EXHIBIT 13






Data Privacy Provisions




This Exhibit 13 - Data Privacy Provisions, consists of the following, attached two parts: (a) Exhibit 13A regarding CIGNA’s Business Associate Addendum; and (b) Exhibit 13B regarding European Union Data Privacy.

 
 

 

EXHIBIT 13A


BUSINESS ASSOCIATE ADDENDUM


I.  
INTRODUCTION.

The Parties acknowledge that the Services may involve the use or disclosure of Protected Health Information, as this term is defined in this Addendum. Accordingly, the Parties agree to the terms in this Addendum to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Security Standards as those terms are defined in this Addendum.
 
II.  
DEFINITIONS

For purposes of this Addendum, terms defined herein shall supersede similarly defined terms in the MSA . Terms used in this Addendum shall have the same meaning as those terms in the HIPAA Privacy Rule and Security Standards, currently defined, in relevant part, as follows:

“Protected Health Information” shall mean Individually Identifiable Health Information transmitted or maintained in any form or medium that Vendor creates or receives from or on behalf of CIGNA in the course of fulfilling its obligations under the MSA (which, for clarification, includes this Addendum). "Protected Health Information" shall not include: (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g; (ii) records described in 20 U.S.C. §1232g(a)(4)(B)(iv); and (iii) employment records held by CIGNA in its role as employer.
 
“Designated Record Set” shall mean a group of records maintained by or for CIGNA that is: (i) the medical records and billing records about individuals maintained by or for CIGNA; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for CIGNA to make decisions about individuals. As used herein, the term “Record” means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for CIGNA.

“Electronic Media” shall mean: (1) electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before transmission.

“Electronic Protected Health Information” shall mean Protected Health Information that is transmitted by or maintained in Electronic Media.

“Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an individual, and

(i)  
is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(ii)  
relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual; and

(iii)  
relates to identifiable non-health information including but not limited to an individual’s address, phone number and/or Social Security number.

“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

“Secretary” shall mean the Secretary of the Department of Health and Human Services.

“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Security Standards” shall mean the HIPAA Security Standards, 45 C.F.R.. Parts 160 and 164

III.  
OBLIGATIONS OF VENDOR

Section 1. Use and Disclosure of Protected Health Information.
 
Vendor may use and disclose Protected Health Information only to carry out the obligations of Vendor set forth in the MSA (which, for clarification, includes this Addendum) or as required by law, subject to the provisions set forth in this Addendum. Vendor shall neither use nor disclose Protected Health Information for the purpose of creating de-identified information that will be used for any purpose other than as directed by CIGNA to carry out the obligations of Vendor set forth in the MSA (which, for clarification, includes this Addendum) or as required by law.

Section 2. Safeguards Against Misuse of Information.
 
Vendor agrees that it will implement safeguards to prevent the use or disclosure of Protected Health Information in any manner other than pursuant to the terms and conditions of the MSA (which, for clarification, includes this Addendum). Vendor shall implement administrative, physical and technical safeguards that protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of CIGNA, as required by the Security Standards.
 
Section 3. Reporting of Uses and Disclosures of Protected Health Information and Security Incidents.
 
Upon becoming aware of a use or disclosure of Protected Health Information in violation of this Addendum, Vendor shall promptly report such use or disclosure to CIGNA. Vendor shall promptly report to CIGNA any Security Incident of which it becomes aware.

Section 4. Agreements with Third Parties.
 
Vendor shall contractually require that any agent or subcontractor of Vendor to whom Vendor provides Protected Health Information that is received from CIGNA, or created or received by Vendor on behalf of CIGNA, agrees to be bound by terms and conditions that will allow Vendor (including any agent or subcontractor) to comply with the terms of this Addendum with respect to such Protected Health Information. Vendor warrants and represents that in the event of a disclosure of Protected Health Information to any third party, the information disclosed shall be no more than the minimum necessary for the intended purpose. Vendor shall contractually require that any agent or subcontractor of Vendor to whom Vendor provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information.
 

Section 5. Access to Information.
 
In the event Vendor maintains Protected Health Information in a Designated Record Set, Vendor shall, within five (5) business days of receipt of a request from CIGNA, provide to CIGNA Protected Health Information in Vendor’s possession that is required for CIGNA to respond to an individual’s request for access to Protected Health Information made pursuant to 45 C.F.R. § 164.524 or other applicable law. In the event any individual requests access to Protected Health Information directly from Vendor, whether or not Vendor is in possession of Protected Health Information, Vendor may not approve or deny access to the Protected Health Information requested. Rather, Vendor shall, within two (2) business days, forward such request to CIGNA.

Section 6. Availability of Protected Health Information for Amendment.
 
In the event Vendor maintains Protected Health Information in a Designated Record Set, Vendor shall, within five (5) business days of receipt of a request from CIGNA, provide to CIGNA Protected Health Information in Vendor’s possession that is required for CIGNA to respond to an individual’s request to amend Protected Health Information made pursuant to 45 C.F.R. § 164.526 or other applicable law. If the request is approved, Vendor shall incorporate any such amendments to the Protected Health Information as required by 45 C.F.R. §164.526 or other applicable law. In the event that the request for the amendment of Protected Health Information is made directly to the Vendor, whether or not Vendor is in possession of Protected Health Information, Vendor may not approve or deny the requested amendment. Rather, Vendor shall, within two (2) business days forward such request to CIGNA.

Section 7. Accounting of Disclosures.
 
Vendor agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for CIGNA to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 or other applicable law. Vendor shall, within ten (10) business days of receipt of a request from CIGNA, provide to CIGNA such information as is in Vendor’s possession and is required for CIGNA to respond to a request for an accounting made in accordance with 45 C.F.R. 164.528 or other applicable law. In the event the request for an accounting is delivered directly to Vendor, Vendor shall, within two (2) business days, forward such request to CIGNA. It shall be CIGNA’s responsibility to prepare and deliver any such accounting requested.

Section 8. Availability of Books and Records.
 
Vendor hereby agrees to make its applicable internal practices, books and records, including policies and procedure, available to the Secretary for purposes of determining CIGNA’s and Vendor’s compliance with the Privacy Rule and Security Standards. The practices, books and records subject to this Section are those practices, books and records that relate to the use and disclosure of Protected Health Information that is created by Vendor on behalf of CIGNA, received by Vendor from CIGNA, or received by Vendor from a third party on behalf of CIGNA.

IV.  
TERMINATION

a. Upon termination of the MSA, Vendor’s obligations hereunder shall terminate when all of the Protected Health Information provided by CIGNA to Vendor, or created or received by Vendor on behalf of CIGNA, is destroyed or returned to CIGNA, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
 
b. If Vendor has committed a material breach of the MSA (which, for clarification, includes this Addendum) pertaining to the use or disclosure of PHI, CIGNA shall either:
 
1. Provide an opportunity for Vendor to cure the breach or end the violation and terminate the MSA if Vendor does not cure the breach or end the violation within a time period reasonably specified by CIGNA; or
 
2. Immediately terminate the MSA if CIGNA determines cure is not possible.
 
c. Effect of Termination.
 
1. Except as provided in paragraph (2) of this section, upon termination of the MSA or SOW, for any reason, Vendor shall return or destroy all Protected Health Information received from CIGNA, or created or received by Vendor on behalf of CIGNA that relate to the terminated portion of Services. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Vendor. Vendor shall retain no copies of the Protected Health Information.
 
2. In the event that Vendor objectively demonstrates to CIGNA’s reasonable satisfaction that returning or destroying the Protected Health Information is infeasible, Vendor shall extend the protections of this Addendum to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Vendor maintains such Protected Health Information.
 

 
V.  
MISCELLANEOUS

Section 1. Regulatory References. A reference in this Addendum to a section in the HIPAA Privacy Rule or Security Standards means the section as in effect or as amended.

Section 2. Amendment. In the event that state or federal law or regulation, or an arbitration or judicial interpretation of same, or any regulatory or enforcement action should explicitly or otherwise require that this Addendum be changed, altered or modified, then the CIGNA shall notify Vendor and provide such required amendment, and the CIGNA and Vendor shall continue to perform Services under the MSA as modified, subject to Change Control Procedures.

Section 3. Survival. The respective rights and obligations of Vendor under Section III(c)(2) (Effect of Termination), , Section IV(3) (Regulatory References) and Section IV(5) (Survival) of this Addendum shall survive the termination of the MSA or SOW.

VI.  
EFFECT OF ADDENDUM

Notwithstanding anything to the contrary in the MSA, to the extent that this Addendum conflicts with the terms of the MSA relating to Protected Health Information, the terms of this Addendum shall take precedence.

 
 

 

 

EXHIBIT 13B

EUROPEAN UNION DATA PRIVACY


1.  
DATA PROTECTION FOR PERSONAL DATA PROCESSED IN THE EUROPEAN ECONOMIC AREA
 
1.1  
With respect to any CIGNA Data that is “personal data” (as defined in the EU Data Privacy Directive, which is in turn defined below) and is processed within, or transferred out of, the European Union or the European Economic Area (“CIGNA Personal Data”), the Parties shall each comply with their respective obligations under the European Union Data Protection Directive (Directive 95/46/EC) (the “EU Data Protection Directive”), the laws of each member state of the European Union that implement the EU Data Protection Directive or any related or similar Laws of any member state of the European Union or the European Economic Area (collectively, and as any of the same may be amended or replaced from time to time, the “European Data Protection Laws”). Both Parties shall take the necessary precautions to avoid acts that place the other Party in breach of its obligations under the European Data Protection Laws and nothing in the MSA shall be deemed to prevent any Party from taking the steps it reasonably deems necessary to comply with the European Data Protection Laws.
 
1.2  
The Parties acknowledge that, as between CIGNA and Vendor and Permitted Subcontractors:
 
(a)  
CIGNA alone shall determine the purposes for which and the manner in which CIGNA Personal Data is, or is to be, processed by Vendor or Permitted Subcontractors in the performance of the Services;
 
(b)  
CIGNA shall be the data “controller” (as defined in the EU Data Protection Directive) in respect of all CIGNA Personal Data processed by Vendor or Permitted Subcontractors for purposes of the European Data Protection Laws; and
 
(c)  
Vendor shall be the “data processor” (as defined in the EU Data Protection Directive) in respect of CIGNA Personal Data processed by Vendor or Permitted Subcontractors for purposes of the European Data Protection Laws.
 
1.3  
Without limiting the generality of Section 1.1 above, Vendor shall, and shall cause any Permitted Subcontractors to, promptly comply with any written request by CIGNA to (at Vendor's cost and expense except as set forth in subsection (a) as CIGNA's cost): 
 
(a)  
correct or delete inaccurate CIGNA Personal Data processed by Vendor or Vendor Agents to the extent the inaccuracy was caused by Vendor or Permitted Subcontractors (otherwise CIGNA shall be responsible for the correction or deletion);
 
(b)  
provide to CIGNA a copy of CIGNA Personal Data processed by Vendor relating to a “Data Subject” (as defined in the EU Data Protection Directive) that is stored in any form of retrieval or storage facilities in the possession or control of Vendor or Permitted Subcontractors;
 
(c)  
provide reasonable information to CIGNA about Vendor’s or Permitted Subcontractors' processing of CIGNA Personal Data;
 
(d)  
assist in respect of any request or notice, or any anticipated request or notice, by or on behalf of any “Data Subject” (as defined in the EU Data Protection Directive) in respect of CIGNA Personal Data processed by Vendor or Permitted Subcontractors; and
 
(e)  
otherwise provide reasonable assistance to CIGNA as necessary to allow CIGNA to comply with the EU Data Protection Directive.
 
1.4  
Without limiting the generality of Section 1.1 above, Vendor shall not, and shall cause Permitted Subcontractors not to (without CIGNA's prior written authorization):
 
(a)  
use CIGNA Personal Data for Vendor’s or any Permitted Subcontractor’s own purposes, including marketing purposes and for any other purpose other than performing the Services;
 
(b)  
transfer any of CIGNA Personal Data to third parties or across any country’s border which is not reasonably required for the performance of the Services; or
 
(c)  
carry out the processing by automatic means of any CIGNA Personal Data for the purpose of evaluating matters about a “Data Subject” (as defined in the EU Data Protection Directive) that constitutes the sole basis for any decision that significantly affects such Data Subjects.
 
1.5  
Without limiting the generality of Section 1.1 above, Vendor shall, and shall cause Permitted Subcontractors to:
 
(a)  
(i) promptly notify CIGNA if any complaints are received about the processing of CIGNA Personal Data processed by Vendor or Permitted Subcontractors from third parties; (ii) not make any admissions or take any action which may be prejudicial to the defense or settlement of any such complaint; and (iii) provide to CIGNA such reasonable assistance as it may require in connection with such complaint;
 
(b)  
in the event that Vendor, or a Permitted Subcontractor, acquires, on behalf of CIGNA, any CIGNA Personal Data from “Data Subjects” (as defined in the EU Data Protection Directive) as part of the Services, give such individuals a data protection notice describing the intended use of such CIGNA Personal Data, in a form provided by CIGNA.
 
1.6  
Without limiting the generality of Section 1.1 above, with respect to CIGNA Personal Data that is processed by Vendor or Permitted Subcontractors within the European Union or European Economic Area, Vendor shall, and shall cause Permitted Subcontractors to:
 
(a)  
take technical and organizational security measures, in accordance with the requirements of the MSA and this Exhibit, to safeguard against unauthorized and unlawful processing of CIGNA Personal Data processed by Vendor or Permitted Subcontractors and against accidental loss or destruction of, or damage to, CIGNA Personal Data processed by Vendor or Permitted Subcontractors;
 
(b)  
only process CIGNA Personal Data in accordance with written instructions given by to Vendor by CIGNA and as set out in the MSA;
 
(c)  
taking reasonable steps to ensure the reliability of those Vendor Personnel that have access to CIGNA Personal Data; and
 
(d)  
provide all of Vendor Personnel involved in processing CIGNA Personal Data with reasonably adequate training in the care and handling of Personal Data.
 
1.7  
CIGNA hereby instructs Vendor to take such steps as are necessary to the performance of Vendor’s obligations under this Exhibit.
 
2.  
DATA PROTECTION FOR PERSONAL DATA PROCESSED 
 
2.1  
CIGNA and Vendor each covenant that each of them shall provide the other prompt notice of any inquiry, notice of violation, notice of enforcement action, or other similar notice received from the European Union or European government agency with respect to the compliance of CIGNA and/or Vendor with the EU Data Protection Directive with respect to the performance of CIGNA and/or Vendor under the MSA.
 
2.2  
Vendor covenants that at all times during the MSA Term and during any Termination Assistance Period that:
 
(a)  
Vendor shall, and shall cause Permitted Subcontractors to: (i) provide processing of CIGNA Personal Data (including operations that are necessary to support or accomplish the processing) in accordance with the MSA; and (ii) not transfer any of CIGNA Personal Data to third parties or across any country’s border which is not specified in the MSA for the processing of CIGNA Personal Data unless CIGNA has given consent to relocate the processing elsewhere (which consent shall be in CIGNA's sole discretion);
 
(b)  
Vendor shall not, and shall cause Permitted Subcontractors not to, otherwise through any act or omission cause CIGNA Personal Data to be transferred to third parties or across any country’s border which is not specified in the MSA for the processing of CIGNA Personal Data unless CIGNA has given consent for Vendor to relocate the processing elsewhere (which consent shall be in CIGNA’s sole discretion);
 
(c)  
the covenants in subsections (a) and (b) are not intended to restrict Vendor from accomplishing the following from a location that is outside the United States, European Union and/or European Economic Area and otherwise authorized under this Agreement: (i) its own internal processing (e.g., the preparation and transmission of invoices); or (ii) providing Services which do not involve the processing of CIGNA Personal Data (such as engineering services, consulting services, software development services that do not involve tests involving the processing of CIGNA Personal Data); and
 
(d)  
if Vendor or a Permitted Subcontractor breaches the covenants set out in subsections (a) and (b), then in addition to any other remedies to which CIGNA might be entitled under the MSA or at law or in equity, Vendor shall, after notice from CIGNA, at its own expense promptly accomplish all actions necessary to have the data returned so as to be in compliance with subsections (a) and (b).