Software License and Maintenance Agreement between ServiceWare Technologies, Inc. and Cingular Wireless LLC

Contract Categories: Intellectual Property License Agreements
Summary

This agreement, effective December 13, 2001, is between ServiceWare Technologies, Inc. and Cingular Wireless LLC. ServiceWare grants Cingular a nonexclusive, nontransferable license to use specified software products for internal purposes, along with related documentation and maintenance services. Cingular may allow its employees and authorized contractors to use the software, but ownership and intellectual property rights remain with ServiceWare. The agreement also covers software updates, maintenance, and conditions for relocating or modifying the software. Confidentiality and usage restrictions apply.

Read More Arrow
EX-10.24 3 j9346101ex10-24.txt SOFTWARE LICENSE AND MAINTENANCE AGREEMENT ENTERPRISE AGREEMENT Effective December 13, 2001 Exhibit 10.24 - ------------------------------------------------------------------------------- ServiceWare Technologies, Inc. has requested that the marked portions of this document be granted confidential treatment pursuant to Rule 24b-2 under the Securities Exchange Act of 1934 - ------------------------------------------------------------------------------- SOFTWARE LICENSE AND MAINTENANCE AGREEMENT This Software License and Maintenance Agreement (the "Agreement"), dated this 13th day of December, 2001, is by and between ServiceWare Technologies, Inc., a Delaware corporation, having offices at 333 Allegheny Avenue, Oakmont, Pennsylvania 15139 (hereinafter referred to as "Licensor" or "SERVICEWARE") and Cingular Wireless LLC, (hereinafter referred to as "Licensee"), on behalf of itself and its affiliates, a Delaware limited liability corporation, having its principal offices at 5565 Glenridge Highlands Two, Atlanta, Georgia, 30342. R E C I T A L S: --------------- A. SERVICEWARE wishes from time to time to provide software and provide software maintenance for Licensee and Licensee wishes to engage SERVICEWARE for such purposes. B. SERVICEWARE and Licensee wish to agree in advance as to certain terms and conditions under which such products and services may be rendered. THEREFORE, for good and valuable consideration given pursuant to the terms, conditions and covenants contained herein, SERVICEWARE and Licensee hereby agree as follows: SECTION 1: DEFINITIONS As used in this Agreement, 1.1 "AUTHORIZED USER" means (i) any employee of Licensee, and/or (ii) any contractor, agent or representative of Licensee (and their employees) who is authorized by Licensee to use the Products as provided in Sections 2.1 and 2.3.1. 1.2 "DOCUMENTATION" means the Product(s)' user manuals, specifications, including additional, updated or revised Documentation, if any, supplied to Licensee by SERVICEWARE on computer media and/or hard copy. 1.3 "ERROR" means any failure of a Product(s) to conform in any material aspects to its published Documentation. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 1 ENTERPRISE AGREEMENT Effective December 13, 2001 1.4 "LICENSED SITE(S)" means the location(s) specified on Exhibit "A". Licensed Sites may be changed from time to time as provided in Section 2.3.2. 1.5 "MAINTENANCE RELEASE" means a new release of a Product(s) with a change in the ZZ component of that Product(s)' X.YY.ZZ version number or a fix. 1.6 "MAJOR RELEASE" means a new release of a Product(s) with a change in the X component of that Product(s)' X.YY.ZZ version number. 1.7 "MODIFICATIONS" means changes, upgrades or enhancements in the specifications, functionality, delivery systems, rules or operation, security measures, accessibility, procedures and any other matters relating to the Product(s). 1.8 "NEW VERSION" means a new release of a Product(s) with a change in the X component of that Licensed Program's X.YY.ZZ version number. 1.9 "REASONABLE OUT-OF-POCKET EXPENSES" means travel (coach-economy), lodging, meals, automobile expenses (including rentals) and other Cingular pre-approved actual expenses incurred by SERVICEWARE while performing work under this Agreement. Expenses shall be in accordance with the maximum amounts allowed by IRS guidelines. 1.10 "REMEDIATION SERVICES" means error correction services, consisting of SERVICEWARE using all reasonable commercial efforts to design, code and implement programming changes to the Software, and modifications to the documentation, to correct reproducible errors therein so that the Software is brought into substantial conformance with its Documentation. 1.11 "SERVER" means the computers of Licensee on which the Product(s) may be used as the same may be changed from time to time as provided in Section 2.3.2. 1.12 "SOFTWARE PRODUCTS" (the "Product(s)") shall mean the runtime version of SERVICEWARE's licensed Products specified in Exhibit "A" and any improvement or modification thereof, as well as Documentation relating thereto, and including any third party products licensed by SERVICEWARE and embedded in the Products. The terms "Software", "Software Products" and "Product(s)" may be used interchangeably and shall have the same meaning for purposes of this Agreement. 1.13 "UPDATES" shall mean unspecified improved releases of the Product(s) which are generally made available to SERVICEWARE supported licensees consistent with prices, terms and conditions of the Maintenance provisions of this Agreement. "Updates" ("Updated Product(s)") shall not include any options or future Products or modules which SERVICEWARE licenses separately or are generally licensed for an PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 2 ENTERPRISE AGREEMENT Effective December 13, 2001 additional license fee. The term "Upgrade" shall be used interchangeably with "Update". 1.14 "WORKSTATION" means a computer workstation or terminal of an Authorized User with respect to which Licensee has paid a license fee for use of the Products. The initial number of Authorized Users is set forth on Exhibit "A" SECTION 2: LICENSED MATERIALS 2.1 GRANT OF LICENSE. SERVICEWARE hereby grants to Licensee a nonexclusive, nontransferable license, without the right to sublicense, for Licensee's and its Authorized Users' own internal use, and described as such on Exhibit "A". 2.2 DOCUMENTATION. SERVICEWARE shall deliver to Licensee the Software accompanied by at least one (1) copy of the related Documentation on computer media or hard copy. 2.3 RESERVATION. All rights to the Product(s) not expressly granted to Licensee in this Agreement are reserved by SERVICEWARE. Without limiting the generality of the foregoing, Licensee shall use the Product(s) only for the purposes specified in Section 2.1 and in accordance with the following: 2.3.1 Users. Any employee, contractor, agent or representative of Licensee shall qualify as an Authorized User only in accordance with Licensee's obligations under this Section 2. Licensee shall ensure that all Authorized Users comply with Sections 2 and 13 of this Agreement. 2.3.2 Location and Relocation of Workstations and Servers. Only locations under the control of Licensee shall qualify as Licensed Sites. If Licensee installs the Product(s) at a different location, Licensee must give written notice to SERVICEWARE of the address of the new Licensed Site. 2.3.3 Back-up Copies. Licensee may reproduce the Product(s) as necessary for bona fide back-up or archival purposes. 2.3.4 Modifications. Licensee assumes full responsibility for any changes, modifications to the Product(s) made by any person other than SERVICEWARE or SERVICEWARE's authorized agent. Licensee hereby releases SERVICEWARE from all liability and waives all rights, claims and remedies against SERVICEWARE for any and all damages of any kind or nature, to the extent that they arise out of any such changes, modifications or improvements made by Licensee. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 3 ENTERPRISE AGREEMENT Effective December 13, 2001 2.3.5 No Conveyance of Ownership; Trade Secrets. SERVICEWARE and its licensors shall retain all title, copyrights, patents and other proprietary rights to the Product(s). This Agreement does not convey to Licensee ownership of the Product(s) or any media delivered to Licensee on which the Product(s) shall be stored, but only the right to use the Product(s) as provided in this Agreement. Licensee acknowledges that the Product(s) and all Documentation, technical data and information associated therewith constitute trade secrets and are the valuable property of SERVICEWARE and its licensors, and that the Product(s) are protected by copyright and trademark rights, and that SERVICEWARE has applied for patent protection for the Product(s). 2.3.6 Proprietary Legends. Licensee shall not remove, obscure or alter any notice of copyright, patent, trade secret, trademark or other proprietary right appearing in or on Product(s) and shall ensure that each copy of all or any portion of the Product(s) made by Licensee includes such notices. 2.3.7 Reverse Engineering. Licensee shall not modify, translate, decompile, disassemble, create or attempt to create, by reverse engineering or otherwise, the source code from the object code supplied hereunder or use the Product(s) to create a derivative work. In no event shall Licensee modify or use the Product(s) to create a standalone software program. Without limiting the generality of the foregoing, Licensee shall not use the Product(s) as a basis to create or develop or contribute to the creation or development of any standalone software program that incorporates any portion of the Product(s) makes direct function calls to or operation of which is otherwise dependent upon any portion of the Product(s), and shall not create or develop or contribute to the creation or development of any program or suite of programs functionally similar to the Product(s) unless independently developed by Licensee without access or reference to the Product(s) except as required for use with Licensee's product(s). 2.4 SITE PREPARATION. It is Licensee's obligation to provide computer hardware, software and facilities, and a compatible computing environment (the "Site") necessary for the Software to operate according to its Documentation prior to scheduling installation of the Software. Licensee shall have trained personnel available to assure the adequacy of the Site preparation. If the Software does not function as designed due to the Site preparation, the Licensee will take all steps necessary to immediately remedy the deficiency. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 4 ENTERPRISE AGREEMENT Effective December 13, 2001 SECTION 3: CHARGES, FEES, PAYMENT AND INVOICING 3.1 RATES. SERVICEWARE's schedule of fees for Software Licenses, related Maintenance and Support, shall be set forth in the applicable Exhibit A attached hereto. 3.2 INVOICING AND PAYMENT TERMS. SERVICEWARE shall submit invoices for payment and Licensee shall pay for such invoices as follows or other terms set forth in the applicable Exhibit A: 3.2.1 For Software. SERVICEWARE shall issue an invoice to Licensee for all Software License fees due under this Agreement upon execution of this Agreement, Exhibit A, or receiving a firm commitment or purchase order from the Licensee. 3.2.2 For Maintenance and Support. SERVICEWARE shall invoice the Licensee for Maintenance and Support ("Maintenance Fee") for one year's coverage in advance upon execution of this Agreement, Exhibit A, or Licensee purchase order. 3.2.3 Payment Terms. All undisputed invoices are due and payable in 30 days unless other terms are stated in Exhibit "A" or on the invoice. 3.3 SALES TAXES. The prices and charges hereunder do not include any excise, sales or use taxes or duties. If any excise, sales or use taxes or duties, are, or should ultimately be, assessed against or is required to be collected by SERVICEWARE or by any taxing authority in connection with their performance required hereunder, Licensee agrees to pay an amount equal to any and all such charges, except where Licensee is exempt by law and Licensee provides a bona fide exemption certificate to SERVICEWARE. SECTION 4: PERSONNEL 4.1 INDEPENDENT CONTRACTOR. The only relationship between SERVICEWARE and Licensee which is intended to be created by this Agreement is that of licensee and licensor and neither party will be, nor represent itself to be, an agent, employee, or partner of the other. SERVICEWARE is an independent contractor. Neither SERVICEWARE nor any of SERVICEWARE's agents, subcontractors, or employees are or shall be deemed for any purpose to be employees of Licensee. Licensee shall not be responsible for, and SERVICEWARE shall indemnify and hold Licensee harmless against, any cost, expense, liability, claim, damages, action, or proceeding relating to any payroll-related taxes for any person who produces any Products, or provides maintenance, support or training to be performed, produced or PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 5 ENTERPRISE AGREEMENT Effective December 13, 2001 provided by SERVICEWARE hereunder or any claim arising out of or relating to the employment or application for employment of any such person. 4.2 EMPLOYMENT OF EACH OTHERS EMPLOYEES. During the term of this Agreement and for one (1) year thereafter and without the other's prior written consent, neither SERVICEWARE nor Licensee shall knowingly solicit or hire any employee from the other which has been involved in the implementation or provision of any part of this Agreement during such involvement and for a period of one (1) year following the completion of such individual's work in connection with this Agreement. 4.3 NONEXCLUSIVE. SERVICEWARE shall retain the right to perform work for others during the terms of this Agreement. Licensee shall retain the right to cause work of the same or a different kind to be performed by its own personnel or other contractors during the term of this Agreement. SECTION 5: MAINTENANCE AND SUPPORT 5.1 SERVICES PROVIDED. During the term of this Agreement, SERVICEWARE shall support Product(s) by providing the services described in the following paragraphs of this Section. SERVICEWARE has no obligation to correct or support Errors resulting from Licensee's, or its Authorized Users, misuse, improper use, alteration, or damage to the Product(s) or Licensee's, or its Authorized Users, combining or merging the Product(s) with any hardware or software not identified as compatible by SERVICEWARE. 5.2 TECHNICAL SUPPORT. SERVICEWARE will provide telephone technical support regarding use of the Product(s) and resolution of Errors to Designated Contacts in accordance with SERVICEWARE's Customer Support Center Policies and Procedures set forth in Exhibit C. 5.2.1 Notwithstanding anything to the contrary regarding service responsibilities of ServiceWare in this Agreement, if ServiceWare is responsible for severity events leading to complete loss of service to Licensee, then ServiceWare, at no cost to Licensee, will provide onsite staff for the duration of time in order to resolve and restore normal service to Licensee. ServiceWare shall not be responsible for such no-cost restoration if severity events causing complete downtime of service of Licensee are outside the control of ServiceWare. 5.3 SUBSEQUENT RELEASE(S). SERVICEWARE will send Major Releases and New Versions to Licensee when made generally available by SERVICEWARE to its customers; provided that Licensee has paid the Maintenance Fee for that year. Maintenance Releases will also be provided to Licensee pursuant to Section 2.3 when Licensee is experiencing or in SERVICEWARE's sole judgment may PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 6 ENTERPRISE AGREEMENT Effective December 13, 2001 experience a high priority situation. Each Major Release, Maintenance Release and New Version delivered by SERVICEWARE under this Agreement shall be automatically deemed to be included under the definition of Product(s) under this Agreement. All Major Releases, New Versions and Maintenance Releases will be shipped FOB Licensee, freight prepaid by SERVICEWARE. 5.4 LIMITS OF SUPPORT. This Agreement covers the support that SERVICEWARE is able to provide for Product(s) by telephone, fax or electronic mail. Support shall either be performed on site at the Licensee's premises or off site by remote linkage as shall be mutually determined by SERVICEWARE and Licensee. 5.5 On-site support assistance, if required and outside the scope of this Agreement, will be provided at Professional Service rates then in effect, unless primarily in the nature of Remediation Services, in which case there shall be no additional fee for providing on-site service, except that Licensee shall in all events be responsible for reasonable and actual out-of-pocket expenses. Professional Services provided as part of this Agreement shall be billed at the rates listed in Exhibit A for the term of this Agreement. SECTION 6: COOPERATION AND MAINTENANCE CONTACTS. 6.1 DESIGNATED CONTACTS. Licensee will designate no more than two (2) authorized Designated Contacts and agrees that each Designated Contact will be knowledgeable in all aspects of the Licensee's operating environment in which the Product(s) is (are) being used. 6.2 RESTORATION OF DATA. Licensee shall be responsible for data backup and to periodically test the backup system to ensure that it is functioning properly. IN NO EVENT SHALL SERVICEWARE BE RESPONSIBLE FOR FAILED BACKUPS OR LOSS OF DATA DUE TO LACK OF PROPER BACKUPS. 6.3 REQUIRED MAINTENANCE COVERAGE. The following maintenance coverage conditions must be satisfied in order for this Section 6 to continue to be effective: 1) All Product(s) licensed by Licensee must be included, and 2) all Product(s) to be covered by this Agreement on the effective date of this Agreement are no greater than two releases behind the then current Product(s) furnished by SERVICEWARE. Thereafter, Licensee may remain on a previously supported version of the Product(s) for one (1) year from the release date of the current version to receive coverage under this Agreement. 6.4 NOTICE OF CHANGE IN ANNUAL FEE. SERVICEWARE may change its Maintenance Fee terms and conditions upon ninety (90) days written notice, but no such change will be effective prior to the end of the then current term. SERVICEWARE reserves PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 7 ENTERPRISE AGREEMENT Effective December 13, 2001 the right upon ninety (90) days' written notice to increase Maintenance Fees in subsequent years. Licensee reserves the right to renew or terminate maintenance or this Software License and Maintenance Agreement based on such change in terms, conditions and Maintenance Fee for the ServiceWare notice given to Licensee. 6.5 ADDITIONAL PRODUCT(S). If after the execution of this Agreement, Licensee increases the Authorized Users of the Product(s) or acquires additional Product(s), Licensee shall pay an additional Maintenance Fee proportional to the increase in license fees under the License Agreement pro-rated in order to reflect how much of the annual term is then remaining in the current annual term. Licensee shall pay this additional pro-rated fee to SERVICEWARE within thirty (30) days after the date of the SERVICEWARE invoice. 6.6 TERM. The duration of the initial Maintenance term shall be one (1) year and shall commence ninety (90) days from the Effective Date of this Agreement. The Maintenance term shall automatically renew for one (1) year periods unless notice of termination is provided by Licensee prior to the end of the current term. 6.7 ServiceWare will work in a professional and workmanlike manner to implement this program in conjunction with any third party that Cingular has chosen for implementation services. 6.8 ServiceWare and Licensee shall enter into a software escrow agreement with a mutually agreeable escrow agent in substantially the form set forth in Exhibit B hereto, or in such other form as ServiceWare and Licensee may mutually agree in writing. SECTION 7: WARRANTIES 7.1 MEDIA. SERVICEWARE represents to Licensee that the media on which the Product(s) is delivered by SERVICEWARE to Licensee will be virus fee and free from defects in materials and workmanship for a period of ninety (90) days from the date of delivery of the Product(s) to be used in the live production environment. 7.2 INFRINGEMENT. SERVICEWARE represents to Licensee that use in accordance with this Agreement of the Product(s) as delivered by SERVICEWARE to Licensee does not infringe any valid copyright, patent or trademark laws of the United States. 7.3 BUGS AND ABATEMENT. Without limiting the foregoing, SERVICEWARE does not warrant that the Product(s) is (are) free from bugs, errors, or omissions, nor does it warrant that the operation of the Product(s) will be uninterrupted or error free in all circumstances, or that it will operate in the combinations that may be selected for use by Licensee or an Authorized User. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 8 ENTERPRISE AGREEMENT Effective December 13, 2001 7.4 YEAR 2000 COMPLIANCE. SERVICEWARE represents that any Software or customization of third party Software developed by SERVICEWARE and provided to Licensee hereunder, will properly (a) record, store, process, calculate or present calendar dates falling on and after (and if applicable, spans of time including) January 1, 2000 as a result of the occurrence, or use of data consisting of, such dates, and (b) calculate any information dependent on or relating to dates on or after January 1, 2000 in the same manner, and with the same functionality, data integrity and performance, as such Product(s), records, stores, processes, calculates and presents calendar dates on or before December 31, 1999, or information dependent on or related to such dates. 7.5 WARRANTY OF TITLE. SERVICEWARE represents that it has all right, title, and interest in the Product(s) and the Documentation and that its execution of this Agreement does not violate any contract it is presently a party to nor does it violate the rights or interests of any third party. 7.6 PERFORMANCE. SERVICEWARE represents to Licensee that the Software as delivered by SERVICEWARE to Licensee shall perform in all material respects in accordance with the Documentation for a period of ninety (90) days from the date the Product(s) is used in the production environment. 7.6.1 ServiceWare represents to Licensee that the Unix/Solaris version of the Software shall perform in all material respects. 7.6.2 ServiceWare represents that the Software is suitable for use in an environment with approximately 14,000 active users with an average response time of under five seconds during peak workload provided that Licensee uses the appropriate hardware as mutually agreed as outlined in RFP DV92401. 7.7 AUTHORITY. SERVICEWARE represents that it has the requisite corporate authority to enter into this Agreement and to grant the license hereunder, and that there are no outstanding assignments, grants, licenses, encumbrances, obligations or agreements of SERVICEWARE which would prevent SERVICEWARE from performing under the terms of this Agreement. 7.8 EXCEPT AS OTHERWISE SET FORTH IN THIS AGREEMENT, SERVICEWARE MAKES NO REPRESENTATION OR WARRANTY, AND HEREBY DISCLAIMS ANY OTHER REPRESENTATION OR WARRANTY, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH REGARD TO THE PRODUCT(S) DOCUMENTATION OR OTHER ITEMS OR SERVICES FURNISHED UNDER THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 9 ENTERPRISE AGREEMENT Effective December 13, 2001 A PARTICULAR PURPOSE, OR ANY IMPLIED WARRANTY ARISING FROM THE COURSE OF PERFORMANCE, COURSE OF DEALING OR USAGE OF TRADE, OR ANY CLAIM OF OR IN THE NATURE OF INFRINGEMENT. SECTION 8: LIMITATIONS OF LIABILITY 8.1 LIMITATION OF LIABILITY. EXCEPT AS STATED HEREIN, NEITHER PARTY SHALL BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT AND/OR CONSEQUENTIAL DAMAGES OF ANY KIND, RESULTING FROM EITHER PARTY'S PERFORMANCE OR FAILURE TO PERFORM PURSUANT TO THE TERMS OF THIS AGREEMENT OR ANY OF THE ATTACHMENTS OR EXHIBITS HERETO, OR RESULTING FROM THE FURNISHING, PERFORMANCE OR USE OR LOSS OF ANY LICENSED PRODUCTS OR OTHER MATERIALS DELIVERED TO LICENSEE THEREUNDER, INCLUDING WITHOUT LIMITATION ANY INTERRUPTION OF BUSINESS, WHETHER RESULTING FROM BREACH OF CONTRACT OR BREACH OF WARRANTY, EVEN IF THE PARTIES HERETO HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT BREACHES OF SECTION 9 AND 10, IN NO EVENT WILL EITHER PARTY'S LIABILITY ARISING UNDER OR RELATED TO THIS AGREEMENT EXCEED THE FEES PAID BY LICENSEE HEREUNDER. 8.2 LIMITS OF LIMITATION OF LIABILITY. Notwithstanding anything set forth in this Agreement, no limitation of liability or exculpation of either party hereto shall apply to: (a) losses by the other party (or any of its affiliates) that arise in connection with any infringement or misappropriation of the other party's (or any of its affiliate's) intellectual property by the party to be exculpated (or any of its affiliates); (b) any liability, loss or claim arising out of or related to any claim of infringement of any copyright, trade secret or other proprietary right of a third party. 8.3 BREACH OF WARRANTY. EXCEPT AS PROVIDED IN SECTION, 6.5, 6.7 AND 10.2, IN THE EVENT OF ANY BREACH OF WARRANTY OR THE FAILURE OF THE PRODUCT(S) TO PERFORM IN CONFORMITY WITH THE DOCUMENTATION, LICENSEE'S SOLE REMEDY SHALL BE FOR SERVICEWARE TO PROVIDE, IN SERVICEWARE's SOLE DISCRETION, BUG FIXES, CORRECTED DOCUMENTATION AND/OR NEW PRODUCT(S) RELEASES AS DEFINED IN THE MAINTENANCE AND SUPPORT SECTION OF THIS AGREEMENT. IN NO EVENT SHALL SERVICEWARE BE LIABLE PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 10 ENTERPRISE AGREEMENT Effective December 13, 2001 TO THE LICENSEE, ITS SUCCESSORS AND/OR ASSIGNS FOR SPECIAL, COLLATERAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES AS A RESULT OF BREACH OF ANY OF THE PROVISIONS OF THIS AGREEMENT EVEN IF SERVICEWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SECTION 9: NON-DISCLOSURE If either party receives from the other party information which due to the nature of such information is reasonably understood to be Confidential and/or Proprietary, the receiving party agrees that it shall not use or disclose such information except in the performance of this Agreement, and further agrees to exercise the same degree of care it uses to protect its own information of like importance, but in no event less than reasonable care. "Confidential Information" shall include all nonpublic information. Confidential Information includes, without limitation, financial, marketing, research and development, organizational, technical, merger or acquisition, and other information related to the other party, information relating to released or unreleased software or hardware products, source code, technical proprietary information, the marketing or promotion of either party's product, a party's business policies or practices, and information received from third parties that a party is obligated to treat as confidential. Confidential Information includes not only written information but also information transferred orally, visually, electronically, or by other means. Confidential Information disclosed to either party by any subsidiary and/or agent of the other party is covered by this Agreement. The foregoing obligations of non-use and nondisclosure shall not apply to any information that (i) has been disclosed in publicly available sources; (ii) is, through no fault of the party receiving the information hereafter disclosed in a publicly available source; (iii) is in rightful possession of the party receiving the information without an obligation of confidentiality; (iv) is required to be disclosed by operation of law so long as the disclosing party is given prompt written notice prior to such disclosure; or (v) is independently developed by the receiving party without reference to information disclosed by the other party hereunder. Both parties warrant that any information disclosed to the other will not contain any trade secrets of any third party, unless disclosure is permitted by such third party. This Section 9 shall survive the expiration or termination of this Agreement. In the event that either party is required by law, regulation or court order to disclose any Confidential Information of the other, the disclosing party shall promptly notify the other in writing prior to making such disclosure in order to facilitate that party to seek a protective order or other appropriate remedy from the proper authority. Both parties agrees to cooperate with the other in seeking such court order or other remedy, and further agrees that if a court order or other remedy is not successfully obtained it will furnish only that portion of the other party's Confidential Information that is legally required and will exercise all reasonable efforts to obtain reliable assurances that confidential treatment will be accorded the Confidential Information. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 11 ENTERPRISE AGREEMENT Effective December 13, 2001 SECTION 10: REMEDIES 10.1 PERFORMANCE REMEDY. If any Product(s) fails to comply with the warranties set forth in Sections 7.1 and 7.6 and Licensee provides written notice of the same to SERVICEWARE within the warranty period, then SERVICEWARE will either repair or, at its option, replace any non-conforming media or Software. The warranties in Section 7 shall automatically abate to the extent that the Product(s) has been damaged, abused, modified, or combined with other software by persons other than SERVICEWARE's authorized employees or representatives, or other than at SERVICEWARE's express direction or, to the extent that the Product(s) fails to perform due to bugs caused by defects, problems or failures of hardware or software not provided by SERVICEWARE or by the negligence of Licensee or an Authorized User. 10.2 INFRINGEMENT REMEDY. SERVICEWARE shall defend and indemnify Licensee against any proceeding based upon any failure to satisfy the warranty set forth in Section 7.2, provided that (a) Licensee shall notify SERVICEWARE in writing of any claim of infringement promptly after it has been made, (b) Licensee shall provide such assistance in defense of the proceeding as SERVICEWARE may reasonably request, at SERVICEWARE's reasonable expense, and (c) Licensee shall comply with any settlement or court order made in connection with the proceeding. In the event that use of the Product(s) becomes, or in SERVICEWARE's reasonable opinion is likely to become, the subject of a claim of infringement of any intellectual property right of any third party, SERVICEWARE shall have the right to: (a) procure the continuing right of Licensee to use the Product(s); replace or modify the Product(s) in a functionally equivalent manner so that it no longer infringes; or (b) terminate the License and refund to Licensee an amount equal to the license fee paid by Licensee. SERVICEWARE shall have no liability or obligation under this Agreement or otherwise to Licensee or any other indemnities or anyone claiming through or on behalf of Licensee or any indemnities for any patent, copyright, trade secret or other intellectual property right infringement or misappropriation or any claim thereof based upon (i) compliance with one or more designs, SOWs or specifications of or any program loaded by Licensee or an PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 12 ENTERPRISE AGREEMENT Effective December 13, 2001 Authorized User, (ii) use of a altered release of the Software if such infringement would have been avoided by use of a current release, (iii) the combination or use of the Product(s) with software, hardware or other materials not furnished by SERVICEWARE if such infringement would have been avoided by use of the Product(s) alone, (c) use of any aspect of the Product(s) in an application or environment for which it was not designed or contemplated, (d) any claim of infringement of an intellectual property right in which Licensee or an Authorized User or an affiliate thereof has an interest or license. The foregoing states the entire liability of SERVICEWARE with respect to infringement or misappropriation of patent, copyright, trade secret or other intellectual property rights or by the performance, operation or use of the Product(s) and is (are) in lieu of (and SERVICEWARE hereby disclaims) any other warranty, express or implied, as to any such infringement or misappropriation. SECTION 11: TERM AND TERMINATION 11.1 TERM. The term of the license(s) granted to Licensee under Section 2 shall commence upon delivery of the Software and of payment in full for such licenses and the term for Maintenance shall commence in accordance with Section 6 and each shall continue unless this Agreement shall be terminated in accordance with Section 11. 11.2 Termination. 11.2.1 Termination by Licensee. Licensee may terminate this Agreement at any time after installation of Software by: (a) removing and returning all copies of the Software and Documentation then in its possession to SERVICEWARE or destroying all copies of the Software and Documentation in whatever form then in its possession; and (b) certifying in writing to SERVICEWARE that all of such copies have been returned or destroyed. 11.2.2 Termination for Breach. This Agreement may be terminated if either party materially breaches the terms of this Agreement and, if said breach is curable, the party having so breached the Agreement fails to begin good faith efforts to cure the breach within thirty (30) days of written notification by the other party that the breach has occurred. Such written notice will specify the default and state the intention to terminate if the default is not cured. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 13 ENTERPRISE AGREEMENT Effective December 13, 2001 11.3 POST-TERMINATION OBLIGATION. In the event of termination or expiration of this Agreement, (i) all indemnification and confidentiality obligations shall survive, (ii) all Licensee's rights to use the Product(s) shall cease, and Licensee shall have no further rights hereunder to Updates, Modification or any notices with respect to any Product(s), and (iii) SERVICEWARE shall no longer have any obligation to provide Licensee with technical support services. Following termination of this Agreement, however arising, Licensee shall destroy all copies of the Product(s) within fifteen (15) days of such termination, and all copies of Product Documentation within fifteen (15) days of such termination, including any modified, partial or merged versions, and immediately thereafter provide SERVICEWARE with a written certification signed by an authorized representative of Licensee certifying that all copies of the Software have been destroyed and all use of the Product(s) has been discontinued. SECTION 12: COMPLIANCE WITH LAW Licensee shall comply with all applicable laws and regulations in the use of the Product(s). Without limiting the generality of the foregoing, Licensee shall not export or re-export, directly or indirectly, any Product(s) in violation of any applicable export control laws and regulation and shall promptly provide SERVICEWARE with any "letter of assurance" required by SERVICEWARE pursuant to such laws and regulations. SECTION 13: PROTECTION AGAINST UNAUTHORIZED USE Licensee shall promptly notify SERVICEWARE of any unauthorized use of any Product(s) of which Licensee becomes aware. In the event of any unauthorized use by any user (or by any employee, agent, representative or contractor of Licensee or of any user), Licensee shall use its commercially reasonable best efforts to immediately terminate and prevent further occurrences of such unauthorized use. In the event that Licensee commences any legal proceeding in connection with such unauthorized use, SERVICEWARE may, at its option and expense, participate in any such proceeding. In such event, Licensee and SERVICEWARE shall each provide the other with such authority, information and assistance related to such proceeding as may be reasonably necessary to safeguard SERVICEWARE's interests and Licensee's rights under this Agreement. SECTION 14: MISCELLANEOUS 14.1 If any provision of this Agreement is declared or found to be invalid, illegal, unenforceable or void, then both parties shall be relieved of all obligations arising under such provision, but only to the extent that such provision is invalid, illegal, unenforceable or void, it being the intent and agreement of the parties that this Agreement shall be deemed amended by modifying such provision to the extent necessary to make it valid, legal and enforceable while preserving its intent or, if that is not possible, by substituting therefor another provision that is valid, legal and PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 14 ENTERPRISE AGREEMENT Effective December 13, 2001 enforceable and achieves the same objective. Each party agrees that it will perform its obligations hereunder in accordance with all applicable laws, rules and regulations now or hereafter in effect. 14.2 Headings are for reference purposes only. 14.3 Any notices required or permitted to be sent hereunder shall be served personally or by registered or certified or electronic mail, return receipt requested, reputable overnight delivery services such as Federal Express, Airborne Express or DHL, or by facsimile with confirmation of receipt, to the addresses listed above. 14.4 This Agreement shall be interpreted and construed in accordance with the Copyright laws of the United States and the internal law of State of Georgia, without regard to the conflicts of law principles thereof, and any action brought in relation to this Agreement shall be brought in a Federal or state court. This Agreement may not be modified or altered except by a written instrument executed by both parties. The failure of either party to exercise in any respect any right provided for herein shall not be deemed a waiver of any rights. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes and all prior proposals, understandings and all other agreements, oral and written between the parties relating to such subject matter. 14.5 The contract documents are personal to the Parties and neither the Contract Documents nor any of the rights or duties under them may be assigned or otherwise transferred by either Party without the other Party's prior written consent, subject to the following exceptions: (a) a Party shall be permitted to assign to any person or entity acquiring greater than 30% of the assets or voting securities of the assigning Party if the assignee assumes the assigning Party's obligations under the Contract Documents and gives the other Party written notice of that assignment. 14.6 ServiceWare will issue to Licensee a press release for Cingular Wireless Public Relations review and approval prior to release. 14.7 Unless otherwise agreed to, any preprinted terms set forth on the reverse side of a Licensee purchase order shall be considered null and void and of no effect. Unless specifically provided otherwise in the purchase order or SOW, in the event of any conflict between the terms of this Agreement and the terms set forth in a purchase order or SOW, the terms of this Agreement shall govern. 14.8 This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which taken together shall constitute one and the same instrument. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 15 ENTERPRISE AGREEMENT Effective December 13, 2001 IN WITNESS WHEREOF, the parties, by their duly authorized representatives, hereto have executed this Agreement as of the day and year noted below. SERVICEWARE TECHNOLOGIES, INC. CINGULAR WIRELESS LLC By: /s/ John Kerkorian By: /s/ Kathy Dowling ------------------------------------ --------------------------- Name: John Kerkorian Name: Kathy Dowling ----------------------------------------- ------------------------ Title: General Counsel /Asst. Corporate Secretary Title SVP Customer Service ------------------------------------------ ----------------------- Date: 12-14-01 Date: 12-12-01 ------------------------------------------- ---------------------- PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 16 PRICING SCHEDULE Exhibit A EXHIBIT A Schedule No. 001 ---------------- This Schedule, dated as of November 16, 2001, is issued pursuant to, and incorporates herein, the Software License and Maintenance Agreement dated as of November 14, 2001 ("Agreement"), by and between ServiceWare Technologies, Inc. ("Licensor" or "SERVICEWARE") and Cingular Wireless LLC ("Licensee"), and Licensee's Authorized Users. Any capitalized term herein shall have the meaning ascribed to it in the Agreement. LICENSED SITE(S): SHIP TO: BILL TO: All Cingular Authorized User locations Cingular Wireless LLC Cingular Wireless Accts.Payable Monica Browning 1000 Abernathy Road, Suite ###-###-#### Glenridge Connector 400 Northpark Town Center Suite 1491 Atlanta, GA30328 Atlanta, GA 30342 ###-###-#### ###-###-####
ENTERPRISE LICENSED PRODUCTS LICENSE FEE ---------------------------- ----------- Enterprise Product License (including first year of annual maintenance and 135 days of professional services*) $3,375,000 ========== - ------------------------------------------------------------------------------- TOTAL LICENSED PRODUCT(S) $3,375,000* =========== - ------------------------------------------------------------------------------- *PLUS REASONABLE OUT-OF-POCKET EXPENSES PROFESSIONAL SERVICES SERVICES FEE - --------------------- ------------ All subsequent professional services $1,600/day* *PLUS REASONABLE OUT-OF-POCKET EXPENSES
MAINTENANCE ANNUAL MAINTENANCE LICENSE FEE RATE ANNUAL MAINTENANCE FEE ------------------ ----------- ---- ---------------------- All subsequent years of annual maintenance $3,050,000 14% $427,000 ========= == =======
ADDITIONAL TERMS AND CONDITIONS: Notwithstanding anything to the contrary elsewhere in the Agreement, the terms herein shall prevail. On behalf of Cingular Wireless, all rights are reserved. SERVICEWARE TECHNOLOGIES, INC. CINGULAR WIRELESS LLC By: /s/John Kerkorian By: /s/ Kathy Dowling ------------------------------------ ------------------------ Name: John Kerkorian Name: Kathy Dowling ----------------------------- ------------------- Title: General Counsel /Asst. Corporate Secretary Title SVP Customer Service ------------------------------------------ --------------------- PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 17 PRICING SCHEDULE Exhibit A Date: 12-14-01 Date: 12-12-01 ------------------------------------------- --------------------- PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 18 ESCROW AGREEMENT Exhibit B EXHIBIT B FORM OF SOFTWARE ESCROW AGREEMENT THIS ESCROW AGREEMENT, effective 2001, (the "Escrow Agreement"), is among Cingular Wireless LLC ("CINGULAR"), and ServiceWare Technologies Inc. ("Supplier") and __________________________ ("Escrow Agent"). Pursuant to that certain Software License and Maintenance Agreement ("the Agreement"), the parties agree as follows: 1. Supplier agrees to keep current copies of the source code and other materials for the Supplier Licensed Software ("Deposit Materials") described in ATTACHMENT 1, attached hereto and made a part hereof, (herein referred to as the "Software") in escrow with Escrow Agent during the license term of such Software in accordance with the provisions of the Agreement and this Escrow Agreement. 2. CINGULAR and Supplier shall share equally all costs of providing and maintaining the Deposit Materials in escrow, including the fees of Escrow Agent. The copy of the Deposit Materials provided to CINGULAR placed in escrow shall be reproduced and maintained on magnetic tape compatible with workstations and the Systems on which the Software will operate and shall be accompanied by full documentation therefor. When a new release or substantial change to the current release of the Software is issued by or on behalf of Supplier during the term of the Escrow Agreement, the revised Deposit Materials, including the change, shall be delivered to the Escrow Agent as soon as practicable after the change is effected by or on behalf of Supplier. Copies of the revised Deposit Materials and the Deposit Materials prior to the then latest revision, shall be maintained in escrow as provided herein. 3. Escrow Agent shall release the Deposit Materials to CINGULAR under the following conditions (a "Release Condition"): a. Supplier's failure to cure a Material breach under and within the timeframes specified in the Agreement, or applicable Work Order; or b. Except as limited below, existence of any one or more of the following circumstances, uncorrected for more than sixty (60) days: entry of an order for relief under Title 11 of the Federal Bankruptcy Code; the making by Supplier of a general assignment for the benefit of creditors; the appointment of a general receiver or trustee in bankruptcy of Supplier's business or property; or action by Supplier under any state insolvency or similar law for the purpose of its bankruptcy, reorganization, or liquidation. Notwithstanding the foregoing, the occurrence of the described events will not trigger release of the Deposit Materials if, within the specified sixty (60) day period, Supplier provides to CINGULAR adequate assurances, reasonably acceptable PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 19 ESCROW AGREEMENT Exhibit B to CINGULAR, of its continued ability and willingness to fulfill all of its maintenance and support obligations. If CINGULAR believes in good faith that a Release Condition has occurred, CINGULAR may provide to Escrow Agent written notice of the occurrence of the Release Condition and a request for the release of the Deposit Materials ("REQUEST FOR RELEASE"). Such Request for Release shall be accompanied by an affidavit (the "AFFIDAVIT") signed by CINGULAR attesting: 1. To a full description of the Release Condition; and 2. That the Deposit Materials shall continue to be the sole property of Supplier and shall be subject to the confidentiality provisions of the Agreement; and 3. That the Deposit Materials shall be used solely for CINGULAR's support and maintenance, modification or correction of the Supplier Licensed Software licensed by Supplier to CINGULAR, including the creation of derivative works in order to provide CINGULAR the benefits intended under the Agreement or Work Order (but not for purposes of sublicensing); and 4. That a copy of the Request for Release and said Affidavit have been provided to Supplier. Within three (3) business days of receipt of a Request for Release, Escrow Agent shall provide a copy of the Request for Release and the Affidavit to Supplier, by certified mail, return receipt requested, or by commercial express mail. From the date Escrow Agent mails the notice requesting release of the Deposit Materials, Supplier shall have ten (10) business days to deliver to Escrow Agent contrary instructions. "CONTRARY INSTRUCTIONS" shall mean the written representation by Supplier that a Release Condition has not occurred or has been cured. Upon receipt of Contrary Instructions, Escrow Agent shall send a copy to CINGULAR by certified mail, return receipt requested, or by commercial express mail. Additionally, Escrow Agent shall notify both CINGULAR and Supplier that there is a dispute to be resolved pursuant to the Dispute Resolution section of the Agreement. Escrow Agent will continue to store the Deposit Materials without release pending the first to occur of: (a) joint instructions from Supplier and CINGULAR; (b) resolution pursuant to the Dispute Resolution provisions; or (c) order of a court. If Escrow Agent does not receive Contrary Instructions from Supplier, Escrow Agent is authorized to release the Deposit Materials to CINGULAR 4. Escrow Agent shall be responsible to perform its obligations under this Agreement and to act in a reasonable and prudent manner with regard to this Escrow Agreement. Provided Escrow Agent has acted in the manner stated in the preceding sentence, the party on whose PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 20 ESCROW AGREEMENT Exhibit B behalf, or pursuant to whose direction Escrow Agent acts, shall indemnify, defend and hold harmless Escrow Agent from any and all claims, actions, damages, arbitration fees and expenses, costs, attorney's fees and other liabilities incurred by Escrow Agent relating in any way to this Escrow Agreement. Absent any such direction, Supplier and CINGULAR shall jointly and severally indemnify and hold harmless Escrow Agent from any and all claims, actions, damages, arbitration fees and expenses, costs, attorney's fees and other liabilities incurred by Escrow Agent relating in any way to this Escrow Agreement, except for any Liability, costs or expenses that may be sustained or incurred by the gross negligence or willful misconduct on the part of Escrow Agent, its employees or agents. 5. Any dispute relating to or arising from this Escrow Agreement shall be resolved by arbitration under the Commercial Rules of the American Arbitration Association. Any court having jurisdiction over the matter may enter judgment on the award of the arbitrator(s). Service of a petition to confirm the arbitration award may be made by First Class mail or by commercial express mail, to the attorney for the party or, if unrepresented, to the party at the last known business address. 6. In the event of the nonpayment of fees owed to Escrow Agent, Escrow Agent shall provide written notice of delinquency to the parties to this Agreement affected by such delinquency. Any such party shall have the right to make the payment to Escrow Agent to cure the default. If the past due payment is not received in full by Escrow Agent within one (1) month of the date of such notice, then at any time thereafter Escrow Agent shall have the right to terminate this Agreement to the extent it relates to the delinquent party by sending written notice of termination to such affected parties. Escrow Agent shall have no obligation to take any action under this Agreement so long as any payment due to Escrow Agent remains unpaid. 7. Upon termination of this Agreement by joint instruction of Supplier and CINGULAR, Escrow Agent shall destroy, return, or otherwise deliver the Deposit Materials in accordance with such instructions. Upon termination for nonpayment, Escrow Agent may, at its sole discretion, destroy the Deposit Materials or return them to Supplier. Escrow Agent shall have no obligation to return or destroy the Deposit Materials if the Deposit Materials are subject to another escrow agreement with Escrow Agent. 8. All notices, invoices, payments, deposits and other documents and communications shall be given to the parties specified this Agreement. It shall be the responsibility of the parties to notify each other as provided in this Section in the even of a change of address. The parties shall have the right to rely on the last known address of the other parties. Unless other wise provided in this Agreement, all documents and communications may be delivered by First Class mail. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 21 ESCROW AGREEMENT Exhibit B IN WITNESS WHEREOF, the foregoing Agreement has been executed by authorized representatives of the parties hereto, in duplicate, as of the date first set forth above. SERVICEWARE TECHNOLOGIES INC. CINGULAR WIRELESS LLC. By: By: ----------------------------------- ------------------------------ - -------------------------------------- --------------------------------- Print Name Print Name Title: Title: -------------------------------- --------------------------- Date Signed: Date Signed: -------------------------- --------------------- - -------------------------------------- (ESCROW AGENT) By: ---------------------------------- - -------------------------------------- Print Name Title: -------------------------------- Date Signed: -------------------------- PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 22 SUPPORT SERVICES Exhibit C EXHIBIT C SERVICEWARE SUPPORT SERVICES STANDARD POLICIES AND PROCEDURES (REV. 3-7-00) OBJECTIVE: Provide timely support for the installation and usage of a standard configuration for ServiceWare's product line in response to Authorized User requests. HOURS OF OPERATION Support Services is staffed from 8:00 a.m. to 9:00 p.m. Eastern Standard Time, Monday through Friday, excluding Company Holidays. In the event Licensee contacts support via the phone during non-business hours a technical support analyst will be paged . The analyst will contact Licensee and will attempt to resolve Severity 1 & 2 issues or escalate as appropriate. Issues with Severity 3 or 4 will be addressed the next business day. METHODS OF COMMUNICATION TO SUPPORT SERVICES
- --------------------------------------------------------------------------------------------------------------------- METHOD CONTACT INFORMATION AVAILABILITY WHEN TO USE - --------------------------------------------------------------------------------------------------------------------- Phone ###-###-####, ext. 431 Standard Business Hours* All incidents - --------------------------------------------------------------------------------------------------------------------- E-mail ***@*** Messages can be sent 24X7, Recommended for less but will be addressed time critical incidents within the first 3 Standard or as a means of Business Hours* of receipt communication to Support - --------------------------------------------------------------------------------------------------------------------- Fax ###-###-#### Faxes can be sent 24X7, but Recommended for less will be addressed within time critical incidents the first 3 Standard Business Hours* of receipt - --------------------------------------------------------------------------------------------------------------------- Self-Support web site www.serviceware.com The knowledge base is Recommended as your available 24X7. Feedback first method for Available only to Designated and Escalations will be solving issues Contacts addressed within 3 Standard Business Hours* of receipt (See Customer Responsibilities on the following page) - ---------------------------------------------------------------------------------------------------------------------
*STANDARD BUSINESS HOURS: 8:00 a.m. to 9:00 p.m. Eastern Standard Time, Monday through Friday, excluding Company Holidays. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 23 SUPPORT SERVICES Exhibit C PRIORITIZING INCIDENTS To help us handle calls efficiently, the Support Services group will jointly determine the severity of the incident reported with the Licensee and assign a severity level to each case based on the descriptions below. The severity level relates to the impact of the incident on the Licensee's ability to use the product. SEVERITY LEVELS SEVERITY 1: SEVERE/SYSTEM CRASH: The production system is completely down. There is no workaround for the problem, and there is a high sense of urgency for solving the problem. The Licensee will receive a call from Support within 15 minutes of the call being received during normal business hours. Licensees who cannot get through the Support line are encouraged to ask the SERVICEWARE operator to page a member of the Support Services team. SEVERITY 2: MAJOR CORRUPTION/DEGRADATION: The incident severely restricts the usability of the application in a production environment, but the application itself is running. There is no workaround available and there is a high sense of urgency for solving the problem. The Licensee will receive a call from Support within 30 minutes of receiving the call or incident during normal business hours. SEVERITY 3: MODERATE/WORKAROUND AVAILABLE: The product is up and running, but there is a moderate impact on the usability of the application. There is a workaround available. The Licensee will receive contact from Support within 1 hour of the incident being received during normal business hours. SEVERITY 4: MINOR FLAW/COSMETIC: The product is running with a minor flaw. There is a workaround for the problem and the usability of the application is not effected. The Licensee will receive contact from Support within 12 hours of the incident being received during normal business hours. SEVERITY 5: ENHANCEMENT OR INQUIRY The customer has a suggestion for an enhancement or a question about the product. There is little or no impact on the Licensee's normal business operations. The Licensee will receive contact from Support within 1 business day of the incident being received. Notwithstanding anything to the contrary regarding service responsibilities of ServiceWare in this Agreement, if ServiceWare is responsible for severity events leading to complete loss of service to Licensee, then ServiceWare, at no cost to Licensee, will provide onsite staff for the duration of time in order to resolve and restore normal service to Licensee. ServiceWare shall not be responsible for such no-cost restoration if severity events causing complete downtime of service of Licensee which are outside the control of ServiceWare. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 24 SUPPORT SERVICES Exhibit C ESCALATION PROCEDURE ESCALATION CHART DURING STANDARD BUSINESS HOURS
- ---------------------------------------------------------------------------------------------------------------- Severity Level Recipient Response Time Escalation Time Escalate to - ---------------------------------------------------------------------------------------------------------------- Severity 1 - First Level - 15 minutes - 30 minutes - Second Level, Support Services Director - Second Level - 3 hours - Engineering - Engineering - 24 hours - Executive Management - ---------------------------------------------------------------------------------------------------------------- Severity 2 - First Level - 30 minutes - 30 minutes - Second Level - Second Level - 6 hours - Engineering - Engineering - 48 hours - Executive Management - ---------------------------------------------------------------------------------------------------------------- Severity 3 - First Level - 60 minutes - 1 hour - Second Level - Second Level - 48 hours - Engineering - Engineering - 72 hours - Support Services Director - ----------------------------------------------------------------------------------------------------------------
PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 25 SUPPORT SERVICES Exhibit C - ---------------------------------------------------------------------------------------------------------------- Severity 4 - First Level - 12 hours - 24 hours - Second Level - Second Level - 48 hours - Support Services Director - ---------------------------------------------------------------------------------------------------------------- Severity 5 No escalation required - 24 hours - ----------------------------------------------------------------------------------------------------------------
CUSTOMER RESPONSIBILITIES - - During implementation, Licensee will assign no more than two points of contact per site to be the Designated Contacts. These Designated Contacts will be provided user names and passwords by the SERVICEWARE Support Services organization. - - The Licensee will make appropriate resources available for problem diagnosis and resolution. PRIVATE / PROPRIETARY / LOCK Contains private and/or proprietary information. May not be used or disclosed outside Cingular Wireless LLC, ServiceWare or their affiliated or subsidiary Companies except pursuant to a separate written agreement. 26 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- NOTICE For the purpose of this document, the term "Contractor" referred to herein shall mean contracted individual. The term "Supplier's Employees and Subcontractors" referred to herein shall mean supplier's employees, subcontractors, agents or representatives. The term "Supplier" referred to herein shall mean the provider of goods and/or services pursuant to a written contractual agreement with Cingular Wireless. Liability to anyone arising out of use or reliance upon any information set forth herein is expressly disclaimed, and no representations or warranties, express or implied, are made with respect to the accuracy or utility of any information set forth herein. This document is not to be construed as a suggestion to any manufacturer to modify or change any of its products or services, nor does this document represent any commitment by Cingular Wireless to purchase any product or service whether or not it provides the described characteristics. Nothing contained herein shall be construed as conferring by implication, estoppel or otherwise, any license or right under any patent, whether or not the use of any information herein necessarily employs an invention of any existing or later issued patent. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 27 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- TABLE OF CONTENTS 1. Introduction 1.1 General 1.2 Scope 1.3 Reason for Issuance 1.4 Enforcement 1.5 Accountability 1.6 Remedies 2. Glossary 3. Contractor and Supplier Responsibilities 3.1 General 3.2 Request for Waiver 3.3 Waiver Submission and Approval 3.4 Absence of Waiver 4. Contractor and Supplier Requirements 4.1 General 4.2 Operability 5. System and Software Security Feature Requirements 5.1 General 5.2 Identification 5.3 Authentication 5.4 Access Control 5.5 Network Connections 5.6 Confidentiality 5.7 Data and System Integrity 5.8 Service Availability 5.9 Accountability 6. Use of Root or Administrator Level Access 6.1 General 6.2 Execution and Operation Requiring Root or Administrator Level Access 7. System Administration 7.1 General 8. Access by Contractor and Supplier's Employees and Subcontractors 8.1 Logical Access Requirements 9. Software Integrity 9.1 General 10. Warranty for Year 2000 Issues 10.1 Contract Warranty 1. Introduction 1.1 GENERAL - The information in this document is subject to review and modification. Accordingly, this document may be subject to change at any time. Future issues of this document and/or Cingular Wireless's internal security requirements may differ extensively in content, substance and format. In the event that this document is modified, Cingular Wireless shall provide written notification to Contractor or Supplier along with a copy of the modified document. Upon reaching mutual agreement between the parties, the new document shall control. If no agreement is reached between the parties, then this document shall continue to be in full force and effect. Cingular Wireless reserves the right to select and utilize any Contractor, Supplier or any of Supplier's Employees or Subcontractors based on its own internal criteria at any time, under any circumstances, whether or not the requirements in this document are met. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 28 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- Cingular Wireless does not recommend computer-related products or services and nothing contained herein is intended nor should it be construed as a recommendation of any product or service to anyone. Further, Contractors or Suppliers are not to relate their products, goods, services, etc., to these guidelines in order to infer or imply that such items meet any particular standard of use or utility. 1.2 SCOPE - This standard applies to the purchase from, or development, maintenance, and/or support of Cingular Wireless's information resources by, any person who is not an employee of Cingular Wireless. For the purposes of this document, information resources shall include but are not limited to, computers, computer peripherals, computer communications networks, computer systems/applications/software, public telephone network elements, and their support systems. This includes the protection of all corporate information stored, processed or transmitted on these facilities. Product trials and evaluations using Cingular Wireless information resources shall also be governed by this document. ------------------------------------------------------------------- EXCEPTION 1: Mass produced software packages available for general public use that can be purchased over-the-counter from retail sales establishments within the immediate community are not subject to these requirements. However, the security features available in such products must be evaluated in relation to the functional environment in which the product may be used in Cingular Wireless. If this evaluation identifies shortcomings in the product that, if corrected or eliminated, would enhance security in the Cingular Wireless functional environment, such changes may be requested of the owner/developer/seller of the product. ------------------------------------------------------------------- ------------------------------------------------------------------- EXCEPTION 2: Systems based on micro or personal computers are not subject to these requirements if the micro-computer or personal computer based system is being used as a single user, stand-alone personal computer for general office use, and the PC is not to be connected to any other computer system, server, or computer communications network, including a local area network. ------------------------------------------------------------------- 1.3 REASON FOR ISSUANCE - N/A 1.4 ENFORCEMENT - Contractors, Suppliers and Supplier's Employees and Subcontractors shall protect Cingular Wireless Information Resources in accordance with the terms and conditions of applicable contractual agreements between the Contractor or Supplier and Cingular Wireless. In addition, it is the responsibility of all Contractors, Suppliers and Supplier's Employees and Subcontractors to comply with federal, state, and local acts, statutes, and regulations which relate to the control and authorized use of Cingular Wireless's information and Information Resources. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 29 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- 1.5 ACCOUNTABILITY - Contractors, Suppliers and Supplier's Employees and Subcontractors shall be held accountable for compliance with the standards in this practice. System vulnerabilities identified by these groups and individuals must be reported to the appropriate Cingular Wireless Corporate Security Team. 1.6 REMEDIES - Violations of Cingular Wireless computer, network, and information security policies and standards or governmental statutes may result in remedies up to and including termination of a contractual agreement or any other rights and remedies that Cingular Wireless may have in equity and law. 2. GLOSSARY - Shall - The word "shall" indicates a requirement that is to be met unless Cingular Wireless Corporate Security Team approves a waiver or variance. - Must - The word "must" indicates a requirement that is to be met unless Cingular Wireless Corporate Security Team approves a waiver or variance. - Should - The word "should" indicates a guideline more than a requirement. Waivers or variances are not required for noncompliance with guidelines. 3. CONTRACTOR AND SUPPLIER RESPONSIBILITIES 3.1 GENERAL - It is the responsibility of each Contractor and Supplier to assure Cingular Wireless that its requirements for the security of corporate Information Resources, and the information stored, transmitted, and/or processed on these resources, are met. 3.2 REQUEST FOR WAIVER - A prospective Contractor or Supplier who wishes to provide Cingular Wireless with an Information Resource which is not in compliance with these standards shall document the deviations in a written WAIVER request. The waiver request must specify the following: - Area(s) of non-compliance - Reason(s) for the non-compliance - Available alternative(s) - Reason(s) why an alternative or an omission should be accepted 3.3 WAIVER SUBMISSION AND APPROVAL - Waiver requests shall be submitted through the appropriate Cingular Wireless purchasing organization or person to the Corporate Security Team. The Corporate Security Team will either approve the waiver request, negotiate changes/conditions necessary for approval of the waiver request, or deny the waiver request - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 30 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- Cingular Wireless Corporate Security Team has the sole responsibility for waiver and variance approval in Cingular Wireless. Contractors and Suppliers shall comply with these standards unless a written waiver or variance is issued as noted above. Waiver approvals and other related correspondence may be transmitted via electronic mail or other more formal means of documentation. Approved waivers will be filed with the Cingular Wireless copy of the Agreement and will be retained during the retention period for that Agreement. 3.4 ABSENCE OF WAIVER - Contractors and Suppliers are hereby notified that this Cingular Wireless Corporate Security Technical Reference shall be enforced in its entirety, and the involved Contractor/Supplier shall be held in breach of his/her/its agreement with Cingular Wireless for any omission, unless a waiver is approved, as noted above, for any requirement herein. 4. CONTRACTOR AND SUPPLIER REQUIREMENTS 4.1 GENERAL - Contractors and Suppliers: - Shall protect Cingular Wireless proprietary information provided in accordance with this agreement. - Shall encrypt all Cingular Wireless proprietary information transmitted over a public network such as the Internet. - Shall test all system and/or software security features. - Shall deliver all systems and software with security mechanisms installed and functioning. - Shall deliver all systems and software with default passwords expired except for the password needed to install and initially boot the system. - Shall provide documentation on security setup and administration for system administrators. - Shall not provide user documentation that may compromise security. - Shall provide written documentation to Cingular Wireless concerning any and all known security flaws. - Shall provide security flaw remedies or "fixes" to Cingular Wireless at no additional cost to Cingular Wireless. Such "fixes" shall be supplied to Cingular Wireless in a timely manner commensurate with the threat. - Should have an internal security policy governing its development of systems and software. - Should have a change/configuration management system in place. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 31 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- - Should not allow programmers to be custodians of production software. 4.2 OPERABILITY - Contractor and/or Supplier warrants that information resource(s) provided under the terms of this agreement shall operate in a manner satisfactory to Cingular Wireless while all required security controls and features are installed and functioning. 5. SYSTEM AND SOFTWARE SECURITY FEATURE REQUIREMENTS 5.1 GENERAL - It is the policy of Cingular Wireless to protect its corporate information resources and the information stored, transmitted, and/or processed on those resources. When some type of security is necessary in order to meet this policy, that security shall comply with the following requirements. The security may be provided by the product itself, an underlying operating system, a front-end or intermediary security device, or a combination of any of the above. 5.2 IDENTIFICATION a. The system shall provide an adequate number of UserIDs. The number of UserIDs provided shall be large enough to ensure that each person using the system can have an individual UserID. b. The system shall provide the capability to individually identify each person including users, and development, maintenance and support persons. c. The system and/or software shall require each person to identify themselves with their assigned UserID before allowing any actions or access to be accomplished. d. There shall be no way to bypass identification mechanisms. e. The system shall support a UserID containing at least seven characters. In the character fields, the system must accept any character appearing in the English language alphabet and any number from 0 to 9. 5.3 AUTHENTICATION a. Each entered UserID shall be authenticated using a password or other authentication mechanism associated with that UserID. ------------------------------------------------------------------ NOTE: It is Cingular Wireless's strategic direction to move away from passwords as primary authentication devices. Cingular Wireless will negotiate the use of other authentication mechanisms such as X.509 digital certificates, token based authentication devices, smart cards or biometric devices. Cingular Wireless Corporate Security Team shall specify/approve the certification authority for any and all certificates used for access to Cingular Wireless networks and systems. Approval shall be obtained through the use of a waiver as described earlier in this document. ------------------------------------------------------------------ - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 32 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- b. There shall be no way to bypass the authentication mechanism and obtain entry into the system. Any trust relationships shall be documented by the supplier and submitted to Cingular Wireless for approval prior to execution of the agreement. ------------------------------------------------------------------- NOTE: Use of .rhost files, host.equiv, NT shares, NFS, etc., frequently result in bypassing authentication. ------------------------------------------------------------------- c. Authentication mechanisms and/or data shall be protected from unauthorized access or manipulation. d. Authentication data, including passwords, shall be one-way encrypted in a system's database. e. Passwords stored for use by a system to access external systems, applications and/or data stores must not be stored in clear text. f. If passwords are used as the authentication device, the system or software shall: 1. Not allow anyone other than the owner of the password to know that password. 2. Enforce password aging at least every sixty (60) days. 3. Prevent reuse of a password for at least six months, three aging periods, or at least five password changes, whichever is feasible and longer. 4. Allow the holder of a password to change it at least daily. 5. Not allow any password field to be null or blank. 6 Not display a password on any entry device or associated printer. 7. Require a password to be at least eight characters in length. 8. Allow a password to be at least eight characters in length. 9 Require a password to contain at least one numeric character from 0 to 9. 10. Require a password to contain at least one character from the English Language alphabet. 11. Support the use of all special and/or punctuation characters found on a standard U.S. computer keyboard unless restricted by the operating system. g. Unless necessary for normal and efficient system operation, and to the extent possible, all default and/or hidden UserIDs and passwords will be removed from the system before delivery to Cingular Wireless. Any remaining default and/or hidden UserIDs or passwords - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 33 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- will be disclosed to Cingular Wireless, in writing, upon delivery. Such UserIDs and passwords shall be changeable by Cingular Wireless. h. Where Personal Identification "Numbers" (PINs) are used as part of an authentication procedure and no other authentication device is required to be in the possession of the user, the PIN code is effectively a password, and must be created and aged using the password requirements above. i. Passwords or PINs associated with dynamic password devices, e.g., token cards, must be expired at least every 120 days. j. An IP address shall not be used in lieu of a password or other form of authentication mechanism. k. System to system, application to application and/or machine to machine authentication relationships must be evaluated on a specific basis and meet criteria as established by the Cingular Wireless Corporate Security Team. A copy of this information will be provided to developers of such security relationships upon request. 5.4 ACCESS CONTROL a. Each access shall be controlled by an access control mechanism. b. The access control mechanism shall be protected from unauthorized access, modification or destruction. c. The access control mechanism shall allow or deny access based on an individual authenticated identification of the UserID entered. d. There shall be no way to bypass access control mechanisms. e. There shall be no mode of entry, for any reason, that is not documented in the system documentation provided to Cingular Wireless. f. There shall be multiple access control mechanism permission groups. g. An access control mechanism that allows all persons to access all data and/or system capabilities is not acceptable to Cingular Wireless. At a minimum, the access control mechanism shall provide one class of permissions for those who administer the system and one or more classes of permissions for those who use the system. h. The number of access control mechanism permission groups shall be sufficient to ensure that all persons have access to ONLY the data and/or system capabilities necessary to accomplish their assigned jobs. i. Access control mechanisms shall provide a default of "no capability" for any ID not defined in the access control mechanism. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 34 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- j A "time-out" feature shall invoke re-authentication after no more than fifteen minutes of inactivity. k. The login feature shall abort if the ID and authentication procedure is incorrectly performed three times. l. The ability to authorize or revoke access privileges and grant access to system resources shall be restricted to Cingular Wireless appointed system administrators. m. A Cingular Wireless copyright notice is required on the initial entry page for any system or software developed by or for Cingular Wireless, or on any system or software for which Cingular Wireless has purchased the copyright. n. The following Cingular Wireless proprietary information statement and no trespassing warning shall be displayed on an initial entry screen before any logical access is allowed. ------------------------------------------------------------------------- PRIVATE/PROPRIETARY/LOCK: NO DISCLOSURE OUTSIDE CINGULAR WIRELESS EXCEPT BY WRITTEN AGREEMENT. ANY UNAUTHORIZED ACCESS TO, OR MISUSE OF CINGULAR WIRELESS SYSTEMS OR DATA MAY RESULT IN CIVIL AND/OR CRIMINAL PROSECUTION, EMPLOYEE DISCIPLINE UP TO AND INCLUDING DISCHARGE, OR THE TERMINATION OF VENDOR/SERVICE CONTRACTS. CINGULAR WIRELESS MAY PERIODICALLY MONITOR AND/OR AUDIT SYSTEM ACCESS/USAGE ------------------------------------------------------------------------ 5.5 NETWORK CONNECTIONS a. No device shall be connected to a Cingular Wireless network, including LANs and switching elements, without the knowledge of, and permission from, the network's administrator. b. Persons using remote, e.g., in-dial, ISDN, wireless or other public switched network access shall be individually identified and authenticated by an independent dedicated access control device such as a network access controller. The remote authentication process must utilize a dynamic password, such as a token card. This requirement may be met independently by the Contractor or Supplier's Employees and Subcontractors, or by utilization of a Cingular Wireless system or network access device provided for such purposes. c. Internet (including VPN), extranet, or other direct network access arrangements shall be approved by the Cingular Wireless Corporate Security Team prior to implementation. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 35 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- Approval shall be obtained through the use of a waiver as described earlier in this document. d. Remote access connections to Cingular Wireless internal networks are prohibited unless special arrangements are approved by the Cingular Wireless Corporate Security Team well in advance of the needed access. This includes any provision for remote application or system support, development, and/or other miscellaneous access. Types of remote access may include but are not limited to direct connections or Internet based connections. Approval shall be obtained through the use of a waiver as described earlier in this document. e. Cingular Wireless's internal IP networks may make use of internal firewalls to form IP partitions. The supplier shall document the compatibility of their product with firewalls for IP networks and that documentation shall be submitted to Cingular Wireless for approval prior to execution of the Agreement. Examples of incompatibility include the use of port or socket negotiation for communication, e.g. rpc's and portmapper. f. Use of UDP shall be avoided where possible. g. Any and all traffic traversing a remote access link to a Cingular Wireless internal network is subject to monitoring at any time and without advance warning. There shall be no expectation of privacy in the use of a Cingular Wireless internal network. Cingular Wireless shall have the right to terminate any remote link if illegal or improper traffic is observed. h. Any device connected to a Cingular Wireless internal network shall be subject to security scans (unless a firewall prevents such scans) and other security audit procedures. These scans may be conducted without prior notice. The scans will test the connected platform for security vulnerabilities and compliance with Cingular Wireless security standards. It should be noted that the security scanners do test for denial of service vulnerabilities, may attempt system access and perform other intrusive activities such as password cracking. Cingular Wireless expects connected devices to resist such scanning without affecting service availability. Cingular Wireless further expects Supplier to correct discovered vulnerabilities. i. Remote access connections to Cingular Wireless internal networks may be refused, disconnected or otherwise limited at any time, for any reason and without warning. j. Filter and/or firewall policies used to control access to Cingular Wireless networks shall be under the control of Cingular Wireless personnel, reside on Cingular Wireless owned equipment and shall use a default access policy of "fail all". k. Access to Cingular Wireless networks shall not include access to any infrastructure services such as DNS, mail systems, domain controllers, Internet gateways, etc., without prior approval of the Cingular Wireless Corporate Security Team. Approval shall be obtained through the use of a waiver as described earlier in this document. l. External use of network access translation (NAT) for access to Cingular Wireless internal networks may be permissible but must be approved in advance by the Cingular Wireless - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 36 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- Corporate Security Team. Approval shall be obtained through the use of a waiver as described earlier in this document. In general, pooled NAT and address hiding cannot be supported due to the risks involved. -------------------------------------------------------------- NOTE: To prevent routing difficulties and for security reasons, Cingular Wireless does not normally route external IP addresses (from business partner networks) in its internal networks. Cingular Wireless does not allow its internal private addresses advertised outside of its internal networks. Network Address Translation (NAT) is used to conform with these requirements. NAT can result in problems with certain services and applications and may render a service or application unusable. -------------------------------------------------------------- m. Support for migration of any existing access to new, revised or alternate accesses or methods of authentication shall be provided upon request by Cingular Wireless and at no charge to Cingular Wireless. n. Operators and administrators of systems included in remote access arrangements as well as other individuals using the access arrangement shall be in compliance with Paragraph 8, Access by Contractors and Supplier's Employees and Subcontractors, below. o. All remote access to Cingular Wireless internal networks shall be sponsored by Cingular Wireless personnel. All modification requests to access policies and procedures shall be submitted to the Cingular Wireless Corporate Security Team through that Cingular Wireless sponsor. 5.6 CONFIDENTIALITY - When directed by Cingular Wireless, encryption mechanisms shall be created to protect critical stored or transmitted data. However, no Cingular Wireless proprietary information, including passwords, shall be sent or transmitted over the Internet or another public network unless it is encrypted. 5.7 DATA AND SYSTEM INTEGRITY a. Modifications shall be allowed by authorized entities only. b. The origin of data should be identified and maintained. c. Error detection and correction protocols should be used. 5.8 SERVICE AVAILABILITY - The capability shall be provided to back-up or duplicate system software and data. 5.9 ACCOUNTABILITY a. An audit mechanism shall provide sufficient information for an after-the-fact investigation of loss or impropriety. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 37 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- b. The audit mechanism shall provide end-to-end accountability for all significant events. c. The audit mechanism shall record who did what, and when it was done. d. The audit mechanism shall be protected from unauthorized access, modification or destruction. e. The audit mechanism shall be capable of recording: 1. Invalid identification and authentication attempts. 2. Valid logins by all users including administrative and special privileged users. 3. Unauthorized data or transaction access attempts. 4. Creation, modification or deletion of system resources and data. 5. Action taken by administration or special privileged users. 6 Other security events specified by Cingular Wireless. f. The audit record shall record the following: 1. Date and time of the event. 2. The ID used. 3. The type of event, i.e., read, update, delete. 4. Name of resources accessed. 5. Success or failure of the event. g. The audit record shall not contain actual or attempted unencrypted passwords or other authentication data. h. The audit mechanism shall be of sufficient size to maintain records for at least thirty days. i. The system should have alarm mechanisms that report significant security threats to system administration. 6. USE OF ROOT OR ADMINISTRATOR LEVEL ACCESS 6.1 GENERAL - Most operating systems have privileged accounts with unlimited or nearly unlimited access to the resources of any given system. Some examples of such privileged accounts are: - On UNIX and UNIX-like systems, any account which maps to a UID or EUID of zero (0), - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 38 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- - On Novell servers, any account which has privileges equivalent to those of the user SUPERVISOR , and - On Microsoft Windows NT and similar systems, any account which has administrator privileges or authority. For the purposes of this standard, the use of such privileged accounts will hereinafter be referred to as using root or administrator access. 6.2 EXECUTION AND OPERATION REQUIRING ROOT OR ADMINISTRATOR LEVEL ACCESS - While software may require root or administrator level access to the operating system for installation, controls must be provided to restrict root or administrator level access for normal execution and/or administration of the software. 7. SYSTEM ADMINISTRATION 7.1 GENERAL - If system administration is included as a part of an agreement, Contractors, Suppliers and Supplier's Employees and Subcontractors shall comply with appropriate Cingular Wireless Corporate security polices and standards. 8. ACCESS BY CONTRACTORS AND SUPPLIER'S EMPLOYEES AND SUBCONTRACTORS 8.1 LOGICAL ACCESS REQUIREMENTS a. The contractual agreement or a separate access control document executed between Cingular Wireless and the Contractor or Supplier shall set out the purpose, terms, conditions and parameters for logical access to Cingular Wireless Information Resources. b. Any and all logical access shall be governed by the contractual agreement or a separate access control document and shall be pursuant to the terms, conditions and parameters contained therein. No logical access outside that which is documented shall be allowed by Cingular Wireless, or attempted by Contractor and Supplier's Employees or Subcontractors. c. Contractor or Supplier's Employees and/or Subcontractors shall not be allowed to logically access or utilize a Cingular Wireless information resource unless Security Requirements for System or Network Access by Vendor, Contractor and Supplier Personnel has been incorporated into the agreement between Cingular Wireless and the Contractor or Supplier, and the requirements set forth therein have been met. 9. SOFTWARE INTEGRITY 9.1 GENERAL - The Contractor/Supplier certifies that: a. Computer code created or modified for, or otherwise supplied to Cingular Wireless: 1. Contains only what is stated in the documentation provided, - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 39 [CINGULAR WIRELESS LOGO] SECTION 1: SECTION 2: - ------------------------------------------------------------------------------- 400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE - ------------------------------------------------------------------------------- 2. Is free of any master access key (ID, password, trap door, Trojan horse, back door, etc.) to the system, 3. Has been checked for a computer virus or other destructive code using a regularly updated software package designed for such purpose and has been inspected by seller's authorized personnel, and 4. Is not known by Contractor or Supplier's Employees or Subcontractors to contain a computer virus, other destructive code or expiration date. b. The provided application or other software has not been modified so as to degrade security by interfering with or modifying the normal functions of the operating system on which the application will reside. c. No modifications that will degrade current or future security shall be made to the operating system, application code or other software. 10. WARRANTY FOR YEAR 2000 ISSUES 10.1 CONTRACT WARRANTY - All contracts with software/hardware suppliers shall include a Year 2000 warranty statement. The following is an example of a Cingular Wireless approved warranty statement. Other versions designed to meet individual Cingular Wireless entity needs may be used, but only with prior approval by its Legal organization. ----------------------------------------------------------------------- "Supplier warrants that all Software licensed or developed and delivered hereunder (i) will record, store, process and display calendar dates falling on or after January 1, 2000, in the same manner, and with the same functionality as such Software records, stores, processes and displays calendar dates falling on or before December 31, 1999; and, (ii) shall include without limitation date data century recognition, calculations that accommodate same century and multicentury formulas and date values, and date data interface values that reflect the century. Supplier warrants that all Software will be tested for compliance with the requirements herein, and such test results shall be provided to Customer prior to acceptance of such Software by Customer." ----------------------------------------------------------------------- - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 40 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- NOTICE For the purpose of this document, the term "Contractor" referred to herein shall mean contracted individual. The term "Supplier's Employees and Subcontractors" referred to herein shall mean supplier's employees, subcontractors, agents or representatives. The term "Supplier" referred to herein shall mean the provider of goods and/or services pursuant to a written contractual agreement with Cingular. Liability to anyone arising out of use or reliance upon any information set forth herein is expressly disclaimed and no representations or warranties, express or implied, are made with respect to the accuracy or utility of any information set forth herein. This document is not to be construed as a suggestion to any manufacturer to modify or change any of its products or services, nor does this document represent any commitment by Cingular to purchase any product or service whether or not it provides the described characteristics. Nothing contained herein shall be construed as conferring by implication, estoppel or otherwise, any license or right under any patent, whether or not the use of any information herein necessarily employs an invention of any existing or later issued patent. TABLE OF CONTENTS 1. Introduction 1.1 General 1.2 Scope 1.3 Reason for Issuance 1.4 Enforcement 1.5 Accountability 1.6 Remedies 2. Contractor and Supplier Responsibilities 2.1 General 3. Security Waivers 3.1 Request for Waiver 3.2 Waiver Submission and Approval 3.3 Absence of Waiver Exhibit 1 - RF-6835, Contract Personnel Certification Form Exhibit 2 - List of Cingular Corporate Security Standards Exhibit 3 - Cingular Vendor, Contractor and Supplier Personnel Security Requirements - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 41 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: - ------------------------------------------------------------------------------- 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 1. INTRODUCTION 1.1 GENERAL - This document sets out the security requirements that each Contractor and Supplier shall comply with before their employees and/or subcontractors will be allowed to access Cingular's computers, computer peripherals, computer communications networks, computer systems/applications/software, public telephone network elements and their support systems, and the information stored, transmitted, and/or processed using these resources, (referred to herein as "Information Resources"). The information in this document is subject to review and modification. Accordingly, this document may be subject to change at any time. Future issues of this document and/or Cingular's internal security requirements may differ extensively in content, substance and format. In the event that this document is modified, Cingular shall provide written notification to the Contractor or Supplier along with a copy of the modified document. Upon reaching mutual agreement between the parties, the new document shall control. If no agreement is reached between the parties, then this document shall continue to be in full force and effect. Cingular reserves the right to select and utilize any Contractor or Supplier based on its own internal criteria at any time, under any circumstances, whether or not consistent with the terms of this document. Further, readers are specifically advised that each Cingular operating entity or subsidiary may have requirements additional to those found herein. Cingular does not recommend computer-related products or services and nothing contained herein is intended, nor should it be construed, as a recommendation of any product or service to anyone. Further, Contractors and Suppliers are not to relate their products, goods, services, etc., to these standards in order to infer or imply that such items meet any particular standard of use or utility. 1.2 SCOPE - The standards in this document apply to all Contractors and Suppliers whose Employees and Subcontractors will have a need to access a Cingular Information Resource. Such persons shall not be allowed access to Cingular Information Resources until the requirements of Section 2 of this document have been accomplished and the assigned Cingular management employee in the organization receiving the service, (referred to herein as "Cingular Sponsor") has received a properly executed Form RF-6835 shown as Exhibit 1 in this document. Product trials and evaluations shall also be governed by the requirements of this document. NOTE: As used in this standard, access refers to logical, e.g., computer/electronic access, rather than physical access unless otherwise noted. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 42 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: - ------------------------------------------------------------------------------- 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 1.3 REASON FOR ISSUANCE - This practice has been revised to: [ ] Clarify contractor and supplier responsibilities, [ ] Clarify background check requirements, [ ] Add waiver requirements, and [ ] Make other minor wording changes for clarity. 1.4 ENFORCEMENT - Contractors, Suppliers and Contractor and Supplier's Employees and Subcontractors shall protect Cingular Information Resources in accordance with the terms and conditions of applicable contractual agreements between the Contractor or Supplier and Cingular. In addition, it is the responsibility of all Contractors, Suppliers and Contractor and Supplier's Employees and Subcontractors to comply with federal, state, and local acts, statutes, and regulations which relate to the control and authorized use of a company's information resources. Violations of any of the above shall be reported to the appropriate Cingular Security Organization. 1.5 ACCOUNTABILITY - Contractors and Suppliers are responsible for ensuring that they, and their Employees and Subcontractors who work with Cingular accounts on their behalf, comply with Section 2 of this document. 1.6 REMEDIES - Failure of a Contractor or Supplier, or a Supplier's Employee or Subcontractor to comply with the requirements of Section 2 of this CSS-TR may result in remedies up to and including termination of the contractual agreement or any other rights that Cingular may have in equity and law. 2. CONTRACTOR AND SUPPLIER RESPONSIBILITIES 2.1 GENERAL - Contractor and/or Supplier shall: - Permit Cingular to inspect, at its discretion, all computer equipment utilized in the conduct of Cingular business whether such equipment is owned, leased or controlled by the Contractor, Supplier or the Contractor or Supplier's Employees and Subcontractors. - Protect and otherwise secure all Cingular proprietary and/or private data and information including data and information concerning Cingular's employees. This includes data and information derived or assimilated. - Use Cingular proprietary information and/or data including information and data concerning Cingular's employees only as authorized in this agreement. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 43 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: - ------------------------------------------------------------------------------- 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- - Return and otherwise support Cingular in any attempt to have returned, Cingular proprietary and/or private data/information and other resources used or obtained in the performance of this agreement unless other arrangements are made and approved by both parties in writing. - Ensure that each Contractor and Supplier's Employee and Subcontractor who will access a Cingular Information Resource is aware of (1) the security information in Exhibit 3 of this document, and (2) that Cingular has written Security Standards as listed in Exhibit 2. - Provide each Contractor and Supplier's Employee and Subcontractor with a copy of Exhibits 2 and 3 of this document if requested. Copies should be made locally as needed. - Ensure that Contractor and/or Supplier is bound by a nondisclosure agreement and/or an information exchange agreement with Cingular. - Ensure that each of Contractor and Supplier's employees is covered by a legally binding nondisclosure agreement and/or information exchange agreement between their employer and Cingular. - Ensure that Contractor and Supplier's subcontractors are covered by a nondisclosure and/or information exchange agreement with Contractor or Supplier. - Perform an appropriate background check to ensure that no person assigned to a Cingular account is allowed access to a Cingular Information Resource if the person: - has been convicted of a felony offense, - has been convicted of a misdemeanor offense related to computer - security, theft, fraud or violence, or - is currently awaiting trial for any of the above-stated offenses. - Support any effort by Cingular to perform its own background check of individuals assigned to a Cingular account: - As a part of a random sampling for security verification purposes, - As a part of regular screenings to strengthen Cingular security, or - If Cingular has reasonable cause to suspect one is needed. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 44 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: - ------------------------------------------------------------------------------- 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- NOTE: For the purposes of the document, an appropriate background check shall consist of research at the county courthouse level for the felony and misdemeanor offenses described above and any pending trial dates for such offenses. Research shall be conducted in all the counties in which the Employee or Subcontractor has resided within the five years prior to proposed assignment to Cingular. - Have each of its employees, subcontractors, agents and representatives who will access a Cingular Information Resource provide the information requested and sign a copy of the Cingular Form RF-6835 shown as Exhibit 1 to this document, and - Complete the "Employing Company Certification" section and forward the signed form RF-6835 to the Cingular Sponsor assigned responsibility for the Contractor and Supplier's Employees and Subcontractors. 3. SECURITY WAIVERS 3.1 REQUEST FOR WAIVER - A prospective Contractor or Supplier shall comply with the requirements of Paragraph 2.1 above unless a security waiver is approved in advance. The waiver request shall document the changes/deviations needed or desired and must also specify the following: - Reason for the request, - Available alternative(s), if any, and - Reason why the request should be accepted. 3.2 WAIVER SUBMISSION AND APPROVAL - Waiver requests shall be submitted through the appropriate Cingular Security Management which will either approve the waiver request, negotiate changes/conditions necessary for approval of the waiver request, or deny the waiver request. If a waiver request is denied, the denial may be appealed by a Cingular management person using the variance process documented in Cingular Corporate Security Standard (CSS) 000-100, Security Management Process. Cingular Corporate Security Management has the sole responsibility for waiver and variance approval in Cingular. Contractors and Suppliers shall comply with these standards unless a written waiver or variance is issued as noted above. 3.3 ABSENCE OF WAIVER - Contractors and Suppliers are hereby notified that this Cingular Corporate Security Standard Technical Reference shall be enforced in its entirety, and the involved Contractor/Supplier shall be held in breach of his/her/its agreement with Cingular for any omission, unless a waiver is approved, as noted above, for any requirement in paragraph 2.1. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 45 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 46 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- EXHIBIT 1 RF-6835 (6/2001) CONTRACT PERSONNEL CERTIFICATION FOR USE BY A CONTRACT PERSON'S EMPLOYER I have read and acknowledge the Cingular Vendor, Contractor and Supplier Personnel Security Requirements. By: ______________________________________________ Date: ______________ (Signature) (MMDDYYYY) Name: _______________________________________________________________ (Type or Print the Name of the Person) Social Security Number: ____________________ Date of Birth: _________________ (MMDDYYYY) EMPLOYING COMPANY CERTIFICATION The above named employee of ____________________________________________ has signed above and acknowledged receipt of the Cingular Vendor, Contractor and Supplier Personnel Security Requirements. This person is covered by a legally binding nondisclosure agreement between Cingular and my company. Employing Company Representative: ______________________ Date: ________ (Authorized Signature) (MMDDYYYY) Name: ___________________________________ Title: ______________________ (Type or Print Name of Employing Company Representative Signing Above) Company Name: __________________________ Tel. Number: _________________ Business Address: _____________________________________________________ - --------------------------------------------------------------------- PROVIDE THE ORIGINAL OF THIS FORM TO THE CINGULAR MANAGER SPONSORING THIS PERSON'S WORK. Name of Cingular Sponsor: ____________________ Tel. Number _____________ (Type or Print Name) THE CINGULAR SPONSOR SHALL (1) RETAIN THIS FORM FOR ONE YEAR AFTER THE PERSON'S WORK HAS ENDED, AND (2) PROVIDE A COPY OF THIS FORM TO THE APPROPRIATE CINGULAR SECURITY ORGANIZATION. REPRODUCE LOCALLY PRIVATE/PROPRIETARY/LOCK Contains Private and/or Proprietary Information When Completed. May Not Be Used Or Disclosed Outside The Cingular Companies Except Pursuant To A Written Agreement. Must Be Stored in Locked Files When Not In Use. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 47 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- EXHIBIT 2 CINGULAR CORPORATE SECURITY STANDARDS The following list provides general information about Cingular's current Corporate Security Standards, which are available for, reference purposes. This list is subject to change without further notice. If needed, copies of these Standards may be obtained through your Cingular Sponsor when required for work being performed for Cingular. SECURITY MANAGEMENT PROCESS AND ADMINISTRATION STANDARDS 000-100 Security Management Process 000-200 General Security Standards for Users of Information Resources 000-300 Security Administration Standards 000-400 Security Vulnerability Management Standards 000-500 Administration of Proprietary Information 000-575 Records Retention Standards (Planned) 000-600 Security Intrusion Response SYSTEMS STANDARDS 100-000 General System Security Standards 100-100 Personal and Portable Computing Security Standards 100-150 Windows NT Workstation Security Standards 100-220 Novell Server Security Standards 100-250 Windows NT Server Security Standards 100-300 UNIX Security Standards 100-500 OS/390 Security Standards 100-600 AS/400 Security Standards 100-700 Database Security Standards 100-800 Public Telephone Network Security Standards COMMUNICATIONS NETWORK STANDARDS 200-000 General Data Communications Network Security Standards 200-100 Security Standards for Provisioning and Administration of Internal Voice Communications Services 200-200 Electronic Communications Security Standards 200-300 Internet/Intranet Usage Standards PHYSICAL SECURITY STANDARDS 300-000 Physical Security Standards for Information Resources 300-100 Physical Site Review Process Standards 300-200 Security Se1f-Assessment Standards 300-300 Disaster Recovery and Contingency Planning Standards for Information Resources VENDOR, CONTRACTOR AND SUPPLIER STANDARDS 400-000 Security Requirements for Use and Development of Information Resources by Vendors, Contractors and Suppliers 400-100 Security Standards for Purchased or Externally Developed Computer Systems, Applications and Software - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 48 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 400-200-TR Security Requirements for Purchased or Externally Developed Computer Systems, Applications and Software * 400-300 Security Standards for System or Network Access by Vendor, Contractor and Supplier Personnel 400-400-TR Security Requirements for System or Network Access by Vendor, Contractor and Supplier Personnel * 400-500 Security for Sourced Work SYSTEM DEVELOPMENT SECURITY STANDARDS 500-000 Security Issues for System/Application Development and Maintenance 500-100 Web Site Development, Maintenance and Administration Standards GENERAL SECURITY STANDARDS 800-100 Data Encryption Standards 800-200 Virus Protection Standards 800-300 E-mail Security Standards 800-400 Telecommuting and Mobile Computing Security Standards * Not proprietary - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 49 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- EXHIBIT 3 CINGULAR VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL SECURITY REQUIREMENTS 1. GENERAL 1.1 It is the responsibility of each Contractor and Supplier's Employee and Subcontractor to conduct business with Cingular in a legal and ethical manner. 1.2 Cingular's Information Resources shall be used only for Cingular approved purposes. 1.3 Cingular's Information Resources shall be protected from unauthorized use, theft, misuse, accidental or unauthorized modification, disclosure, transfer or destruction. 1.4 The security, reliability and integrity of Cingular's Information Resources and information processing activities shall be protected. 1.5 Each Contractor and Supplier's Employee and Subcontractor shall permit Cingular to audit/inspect computer equipment and those files located on such equipment that are utilized in the conduct of Cingular business whether such equipment is owned, leased or controlled by the Contractor, Supplier, Supplier's Employees and Subcontractors, or Cingular itself. 1.6 Only Cingular management may borrow or authorize the borrowing of equipment for use by, or in the name of Cingular. 2. EXPECTATION OF PRIVACY 2.1 Cingular's Information Resources including, but not limited to, computers, voice and data networks, electronic mail and voice mail are the property of Cingular and as such, are to be used only for purposes approved by Cingular. Cingular shall, therefore, have the right to audit/inspect any or all computer equipment, including software, used by Contractor or Supplier's Employees and Subcontractors in the performance of work under a contractual agreement with Cingular. Additionally, Cingular may periodically monitor, and/or review after the fact, the use of its Information Resources. Contractor and Supplier's Employees and Subcontractors who use Cingular's Information Resources in an inappropriate manner may be subject to remedies up to and including dismissal from a Cingular account and any other rights and remedies in equity and law. 3. VIOLATIONS REPORTING 3.1 Whether observed by a Cingular employee or a Contractor or Supplier's Employee or Subcontractor performing work for Cingular, all violations of Cingular policy or standards, federal, state or local laws, or licensing agreements, shall be immediately reported to the Cingular Security Organization. 3.2 No independent action to correct a security problem should be taken unless failure to immediately respond will result in irreparable harm to Cingular. If action is taken to prevent irreparable harm, include that action along with the report of the problem to the Cingular Security Organization at the earliest possible time. Follow Cingular Security Organization instructions. 3.3 No independent investigation of a security problem or violation shall be undertaken by anyone unless directed by the Cingular Security Organization. 4. VIRUSES AND EXPLOITIVE COMPUTER CODE 4.1 Contractor or Supplier's employees and subcontractors shall endeavor to keep Cingular's information resources free of viruses and other exploitive or destructive computer code. The standards outlined below shall be adhered to. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 50 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- a. A contractor or Supplier's Employee and Subcontractor may transfer data files for business purposes from their business computer to a Cingular computer. However, Contractor and Supplier's Employees and Subcontractors undertaking such activity shall use their best efforts to ensure no jeopardy to Cingular. b. Contractor and Supplier's Employees and Subcontractors shall use Cingular approved and provided virus scanning software in an active monitoring mode when using computer equipment provided by Cingular. c. Contractor and Supplier's Employees and Subcontractors shall use a regularly updated virus scanning software product in an active monitoring mode when using computer equipment provided by their employer. d. Contractor and Supplier's Employees and Subcontractors may be held accountable for any damages or costs incurred by Cingular due to a virus or other exploitive or destructive code knowingly or negligently introduced into Cingular Information Resources. 5. SOFTWARE USE RESTRICTIONS 5.1 Software used on Cingular equipment shall be obtained from a Cingular approved source. 5.2 Contractor and Supplier's Employees' and Subcontractors' personal software shall not be used on Cingular computers. 5.3 Importation, use or distribution of public domain software is not allowed in Cingular except as directed by the Cingular Sponsor in accordance with Cingular Corporate Security Standards. 5.4 Software licensing and copyright agreements/restrictions shall be complied with at all times. 5.5 Preventative measures, e.g., locked cabinets, shall be used to prevent the unauthorized use, copying or theft of software. 6. SOFTWARE DEVELOPMENT RESTRICTIONS 6.1 Computer code created, modified for, or otherwise supplied to Cingular: a. Shall be fully documented, b. Shall not contain any master access key (ID, password, trap door, Trojan horse, back door, etc.) to the system, and shall not contain any computer virus or other exploitive or destructive code, device or expiration date. c. Shall not degrade security by interfering with or modifying the normal functions of the operating system on which the software will reside. 6.2 Contractor and Supplier's Employees and Subcontractors performing system or software development under the management of Cingular shall comply with all development and security requirements in the Cingular Corporate Security Standards. Copies of these Standards are available through the Sponsor. 6.3 Contractor and Supplier's Employees and Subcontractors performing work as a part of a Cingular outsourcing agreement, shall follow the software development requirements in the Cingular Corporate Security Standards and other specified affiliated company standards. 6.4 No modification shall be made to the operating system, application code, or other software that will negatively impact the present or future security of the computing environment. 7. PORTABLE COMPUTERS 7.1 Portable computer equipment shall be protected from theft. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 51 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 7.2 When directed by Cingular, proprietary information stored on portable computers shall be encrypted to avoid loss or disclosure if the hardware is lost or stolen. 8. INFORMATION BACK-UP 8.1 Timely back-ups of Cingular work and information shall be accomplished. 8.2 Back-up copies shall be stored off-site or at least outside the immediate work area, i.e., physically separated by a rated fire wall. 9. GOVERNMENT CLASSIFIED INFORMATION 9.1 Government classified or other sensitive information shall be safeguarded in accordance with Cingular policy and applicable laws. 10. PROPRIETARY INFORMATION 10.1 Contractor and Supplier's Employees shall be covered by a nondisclosure agreement and/or an information exchange agreement between their employer and Cingular. 10.2 Contractor and Supplier's subcontractors shall be covered by a nondisclosure agreement and/or an information exchange agreement with Contractor or Supplier. 10.3 Cingular's and Cingular's customer proprietary information is private and confidential and shall not be accessed, used, transferred, modified, disclosed, destroyed or disposed of except in accordance with the contractual agreement. If, no agreement has been reached by the parties, then the Contractor or Supplier's Employees and Subcontractors may not access Cingular's and Cingular's customer proprietary information. 10.4 Cingular may pursue available legal remedies, both civil and criminal, against Contractor and Supplier's Employees and Subcontractors who violate Cingular's policies and standards or applicable laws for the protection of private and/or proprietary information. 10.5 Cingular proprietary information and Cingular customer proprietary information shall not be transmitted across a public network, e.g., the Internet, unless it is encrypted in accordance with Cingular standards. 10.6 All Cingular proprietary information shall be disposed of in accordance with Cingular standards. 11. INTELLECTUAL PROPERTY 11.1 In the event that a Contractor or Supplier has not entered into a contractual agreement with Cingular which includes ownership of intellectual property issues, then each of that Contractor or Supplier's Employees and Subcontractors who will be accessing Cingular Information Resources shall be covered by a separate intellectual property agreement between their employer and Cingular or between the Contractor and Cingular. 11.2 Knowledge contracted individuals gain about Cingular, its work, equipment, installations, networks, computer systems, plans, procedures, etc., while working for/with Cingular shall not be used for personal gain or for the gain of other persons, companies, organizations or governments. 11.3 Cingular intellectual property including software developed by or for Cingular shall not be used by and/or disclosed to others. 11.4 Cingular may pursue available legal remedies, both civil and criminal, against Contractor and Supplier's Employees and Subcontractors who violate Cingular's policies and standards or applicable laws for the protection of intellectual property. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 52 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 12. SOCIAL ENGINEERING 12.1 Social engineering is the art of impersonating an individual or job position in order to obtain information or services in a fraudulent manner. The "social engineer" manipulates a person through conversation or other communications to gain needed knowledge or information. Contractor and Supplier's Employees and Subcontractors may be the target of a "social engineer" while performing work for Cingular. 12.2 Contractor and Supplier's Employees and Subcontractors shall provide information only to persons known or independently verified to have a Cingular need to know such information. 12.3 Contractor and Supplier's Employees and Subcontractors shall not "chat" with unknown callers or provide information that is outside the scope of their responsibility to give to callers. 12.4 If a Contractor or Supplier's Employee or Subcontractor is unsure of what to do and a caller persists, the Contractor or Supplier's Employee or Subcontractor shall obtain a call back name, company, address and telephone number, then discuss the request with, and follow the directions of, his/her Cingular Management Sponsor or other designated Cingular management contact. 12.5 If a caller does not appear to be legitimate, immediately report the incident to the appropriate Cingular Security Organization. 13. IDENTIFICATION 13.1 Contractor and Supplier's Employees and Subcontractors shall have individual UserIDs for Cingular computer, system and network access. 13.2 Cingular shall be provided with the name, address and contact telephone number of each Contractor and Supplier's Employee or Subcontractor who will access a Cingular system. 13.3 Contractor and Supplier's Employees and Subcontractors shall provide their Social Security Numbers upon request. The Social Security Number will be used for individual user identification in the information resource access process. Do not share your UserID or use the UserID of someone else. 14. AUTHENTICATION 14.1 Passwords and other authentication mechanisms shall be protected. 14.2 Passwords shall be manually entered in order to log into any Cingular computer asset. 14.3 Passwords or other authentication mechanisms shall not be programmed into a device or software package in order to avoid manually entering the authentication mechanism at the time of logon. Exceptions shall be approved only by the Cingular Security Segment Team. 14.4 No password shall be used for longer than sixty days. 14.5 No previously used password shall be reused. 14.6 A password shall be known only to the user who creates it. No one shall share a password except in a temporary emergency situation. If a situation requires a password to be revealed to a second person, the owner of the password shall change the password as soon as possible after the emergency situation has passed. 14.7 A compromised password, i.e., a password that has become known to anyone else at any time, shall never be reused. 14.8 Passwords shall be a minimum of eight characters in length. System administrative and other special privileged user passwords should be a minimum of eight characters in length. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 53 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 14.9 Passwords shall contain at least one alpha character and at least one numeric character unless prevented by the computer asset. Passwords should contain at least one special or punctuation character. 14.10 Passwords shall not contain common proper names, words from the English language, or any substring greater than three characters of the UserID. 14.11 Passwords shall not contain a string of three of more identical characters, letters or numbers such as 777 or XXX. 14.12 Passwords shall not contain a string of three or more ascending or descending numeric or alphabetic characters such as 123, XYZ. 14.13 Passwords shall not contain a string of four or more characters of the same type, either alpha, numeric or special/punctuation characters, e.g., ABCD, MIKE, 1492, 1994, or ?@!%. 14.14 Passwords shall not contain all or any part of an associated telephone number, social security number, street address, date of birth, company acronym or work group name. 15. ACCESS CONTROL 15.1 Access controls shall be complied with and not circumvented. 15.2 Unauthorized exploring or pinging of systems and networks is strictly prohibited. Any attempt at hacking or gaining unauthorized access to Cingular's Information Resources, or those of others, is prohibited. This includes any form of system or security penetration such as probing, sniffing, browsing or looping. 15.3 No device shall be connected to a Cingular network without permission from the network's administrator. 15.4 System access devices shall not be left signed on when unattended. Individuals are accountable for system usage traced to their UserID. 15.5 Access to Cingular Information Resources shall be authorized by the Cingular sponsor or his/her delegate. 15.6 Access arrangements shall only be disclosed to persons having a need-to-know and who are authorized to receive such information. 15.7 Contractor and Supplier's Employees and Subcontractors shall not be allowed to remotely access any Cingular asset and change any computer code unless it is a written and approved part of the work description to do so. 15.8 Contractor and Supplier's Employees and Subcontractors shall have access to only the actual Cingular information resources necessary to accomplish their work. 15.9 Because of the critical nature of certain Cingular Information Resources, Cingular management of the system(s) involved must authorize access permission for Contractor and Supplier's Employees and Subcontractors. 15.10 Appropriate nondisclosure, information exchange and intellectual property agreements shall be in place between Cingular and the Contract company or Cingular and the Supplier company, and if necessary, the applicable Contractor and Supplier's Employee or subcontractor, before access to a Cingular Information Resource is allowed. 15.11 A Contractor or a Supplier's Employee or Subcontractor may be granted remote, e.g., in-dial, ISDN, or Internet, access to only the systems they have been previously approved to access. All remote access shall be in accordance with Cingular's approved access methods. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 54 [CINGULAR WIRELESS LOGO] SECTION 3: SECTION 4: 400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL - ------------------------------------------------------------------------------- 15.12 Any access device, e.g. a SecurID card, shall be returned to Cingular when work has ended by the Contractor or Supplier's Employee or Subcontractor. 16. ACCOUNTABILITY 16.1 A violation of Cingular's policies and standards shall, at Cingular's option, be grounds for termination of contract and possible civil action against a Contractor or Supplier's Employee or Subcontractor. 16.2 A violation of any federal, state or local statute or law shall, at Cingular's option, be grounds for termination of contract, and possible civil action and/or criminal prosecution. 16.3 Any Cingular equipment used by a Contractor or Supplier's Employees and Subcontractors shall be immediately returned to Cingular once work is completed or has otherwise ended. 17. SECURITY ADMINISTRATION 17.1 Neither a Contractor nor a Supplier's Employee or Subcontractors shall be allowed to perform security administration functions except when approved by a Cingular Sponsor in accordance with Cingular Corporate Security Standards. 18. VARIANCES FROM SECURITY REQUIREMENTS 18.1 Occasionally, a Contractor or a Supplier's Employee or Subcontractor may feel there is a need to take action that is not in accordance with Cingular policy or standards. If that person's Cingular Sponsor feels that a potential variance has merit, the Sponsor may submit a variance request. - ------------------------------------------------------------------------------- Revision 1: June 5, 2001 55