Amendment #3
Exhibit 10.7
*** Confidential Treatment Requested
Amendment #3
| |
Amended and Restated Services and Material Agreement |
This Amendment Number 3 (“Amendment #3”), effective as of February 29, 2016 (“Amendment #1 Effective Date”), between Silver Spring Networks, Inc. (“Silver Spring”) and Commonwealth Edison Company (“ComEd”) amends the Amended and Restated Services and Material Agreement, dated January 25, 2012, between Silver Spring and ComEd (the “Agreement”). Silver Spring and ComEd are referred to herein as the “Parties” or a “Party,” as applicable. Capitalized terms not defined in this Amendment #3 will have the same meaning as in the Agreement.
The Parties agree to amend the Agreement as follows:
| 1. | Section 25.3 is hereby deleted in its entirety and the following inserted in its stead: |
“25.3 Receiving Party’s Obligations
During the term of this Agreement and thereafter, except as a Disclosing Party may otherwise authorize in writing in advance, each Receiving Party shall use the other Party’s Confidential Information only to fulfill its commitments and exercise its rights under this Agreement. Each Receiving Party agrees not to disclose any Confidential Information of the other Party to anyone other than those employees, agents, contractors or Subcontractors of the Receiving Party who need to know such Confidential Information for the purposes of this Agreement and who have entered into binding written obligations of confidentiality substantially similar to the obligations set forth herein. Upon reasonable request by the Disclosing Party, the receiving Party will provide copies of the confidentiality agreements entered into with its employees, agents or contractors. Each Receiving Party shall treat all Confidential Information of the Disclosing Party with the degree of care it accords to its own Confidential Information, but not less than reasonable care. Neither Receiving Party shall reverse engineer, disassemble or decompile any prototypes, firmware, software or other tangible objects which embody the other Party’s Confidential Information. Each Receiving Party will notify and cooperate with the other Party in enforcing the Disclosing Party’s rights if such Receiving Party becomes aware of a threatened or actual violation of the confidentiality requirements of this Section. Upon completion of Work pursuant to this Agreement, except as otherwise provided in this Agreement, except as otherwise provided in the Agreement, upon written request, a Receiving Party shall return any and all tangible embodiments of Confidential Information to the Disclosing Party or destroy any and all electronic copies of Confidential Information maintained by each Receiving Party using a media sanitization process mutually agreed to by the Parties.”`
| 2. | The attached Exhibit O “Special Terms and Conditions for Personally Identifiable Information (SF) shall be added to the Agreement. |
| 3. | Integration; Conflict. The foregoing provisions shall govern notwithstanding any contrary provision in the Agreement or any previously executed agreement between the Parties. Except as otherwise expressly provided or modified herein, the (i) terms and conditions of the Agreement remain in full force and effect, and (ii) this Amendment #1 and the Agreement constitute the entire and exclusive agreement between the Parties regarding the subject matter hereof, and supersede all proposals and prior agreements, oral or written, and all other communications. In the event of a conflict between this Amendment #3 and the Agreement, this Amendment #3 shall govern. |
*** Certain omitted portions of this exhibit have been filed with the Securities and Exchange Commission pursuant to a request for confidential treatment under Rule 24b-2 promulgated under the Securities Exchange Act of 1934
IN WITNESS WHEREOF, the Parties have caused this Amendment #1 to be executed by their duly authorized representatives.
Commonwealth Edison Company |
| Silver Spring Networks, Inc. | ||||
|
|
|
|
|
|
|
By: |
| /s/ *** |
| By: |
| /s/ Jim P. Burns |
Name: |
| *** |
| Name: |
| Jim P. Burns |
Title: |
| Principal Category Manager |
| Title: |
| CFO |
Date: |
| 02/29/2016 |
| Date: |
| 02/29/2016 |
Approved by Legal:
***
***
ComEd-SSN Amendment #3 (20160201) | Page 2 of 5 | Confidential |
EXHIBIT O
SPECIAL TERMS AND CONDITIONS
FOR
PERSONALLY IDENTIFIABLE INFORMATION (SF)
Safeguarding Personally Identifiable Information
1.1 Definition. “Personally Identifiable Information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any (a) name, address, email address, password, account number, social security number, date of birth, official state or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, or any similar identification, (b) personal, financial, or healthcare information, credit card information, bank account number, credit card number or debit card number, (c) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation, (d) unique electronic identification number, address, or routing code, (e) telecommunication identifying information or access device (as defined in 18 U.S.C. §1029(e)), or (f) personal preferences, demographic data, marketing data, or any other identification data, including customer’s utility account number and usage data. For the avoidance of doubt, Personally Identifiable Information includes all “nonpublic personal information,” as defined under the Gramm-Leach-Bliley Act (15 U.S.C. §6801 et seq.) and “protected health information” as defined under the Health and Insurance Portability and Accountability Act of 1996 (42 U.S.C. §1320d), and “Personal Data” as that term is defined in EU Data Protection Directive (Directive 95/46/EEC) on the protection of individuals with regard to processing of personal data and the free movement of such data.
1.2 Treatment of Personally Identifiable Information. Without limiting any warranty or obligation in the Agreement, and in particular the confidentiality provisions of the Agreement, during the Term and thereafter in perpetuity, Contractor will not gather, store, log, archive, use, or otherwise retain any Personally Identifiable Information to which it has gained access in connection with the Agreement in any manner, and will not disclose, distribute, sell, share, rent, or otherwise transfer any Personally Identifiable Information to any party or person, except (a) as expressly provided in the Agreement, or (b) as specifically and expressly directed in advance in writing by Exelon. Contractor represents, covenants, and warrants that Contractor will use Personally Identifiable Information in compliance with (i) the Agreement, and (ii) all applicable federal, state, and local privacy, confidentiality, consumer protection, advertising, electronic mail, and data security laws and regulations, whether in effect now or in the future and as they may be amended from time-to-time, including the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1138) and its implementing regulations and the Fair and Accurate Credit Act of 2003 (collectively, “Privacy/Consumer Laws”). In addition to and in no way limiting Contractor’s indemnity obligations under Section 16.5 of the Agreement, Contractor shall indemnify, hold harmless, and defend Exelon and its affiliates and the officers, directors, employees, agents, representatives, successors, and assigns of Exelon and its affiliates (“Exelon Parties”) for any and all claims against Exelon Parties by governmental authorities for actual or alleged failure of an Exelon Party to comply with any applicable laws, including privacy laws, to the extent caused by any act, omission, conduct, negligence, or default by Contractor or Contractor’s failure to comply with the terms of this Addendum. Contractor shall pay any and all costs, losses, damages, awards of settlement, and expenses (including claims, internal administrative costs, third-party fees, attorneys’ fees and expenses, and consultant’s fees and expenses) incurred as a result of such claims, to the extent caused by Contractor’s failure to comply with the terms of this Addendum.
1.3 Retention of Personally Identifiable Information. Contractor will not retain any Personally Identifiable Information for any period longer than necessary for Contractor to fulfill its obligations under the Agreement. As soon as Contractor no longer needs to retain such Personally Identifiable Information in order to perform its duties under the Agreement, Contractor will comply with Section 1.4 (Return of Personally Identifiable Information) with respect to the return or destruction of Personally Identifiable Information.
ComEd-SSN Amendment #3 (20160201) | Page 3 of 5 | Confidential |
1.4 Return of Personally Identifiable Information. On Exelon’s written request or upon expiration or termination of the Agreement for any reason, the Contractor will promptly, and no later than thirty (30) days after such request, expiration or termination (a) return or destroy, at Exelon’s option, all originals and copies of all documents and materials it has received containing Personally Identifiable Information, (b) deliver or destroy, at Exelon’s option, all originals and copies of all summaries, records, descriptions, modifications, negatives, drawings, adaptations, and other documents or materials, whether in writing or in machine-readable form, prepared by Contractor, prepared under its direction, or at its request, from the documents and materials referred to in clause (a), and (c) provide a notarized written statement to Exelon certifying that all documents and materials referred to in clauses (a) and (b) have been delivered to Exelon or destroyed, as requested by Exelon. Contractor’s destruction or erasure of Personally Identifiable Information pursuant to this Section shall be in compliance with best industry practices (e.g., Department of Defense 5220-22-M Standard).
1.5 Security
(i) In General. Contractor will maintain and enforce physical and logical security procedures with respect to its access and maintenance of Personally Identifiable Information that (a) are at least equal to industry standards for such types of locations, and (b) provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure, access, or acquisition of Personally Identifiable Information accessible by Contractor under the Agreement. Contractor will use commercially reasonable efforts to secure and defend its location and equipment against “hackers” and others who may seek, without authorization, to modify or access Contractor systems or the information found therein. Contractor will periodically test its systems for potential areas where security could be breached.
(ii) Security Breach Notification. Contractor shall immediately notify Exelon after becoming aware of any unauthorized access to, acquisition, disclosure, loss, use of, or any other potential corruption, compromise, or destruction of any Personally Identifiable Information (“Security Breach”). Contractor will assist and cooperate with Exelon with respect to any investigation, disclosures to affected parties, and other remedial measures as requested by Exelon or required under any applicable Privacy/Consumer Laws. If a Security Breach is caused by Contractor’s failure to comply with this Addendum, Contractor shall promptly reimburse Exelon for its costs and expenses, including any claims, internal administrative costs, third-party fees and expenses (including attorneys and consultants), and any other costs, damages, and losses incurred by Exelon as a result of such Security Breach. In the event of any Security Breach by Contractor that requires notification to any person or entity, including any customer, shareholder, or current or former employee of Exelon Parties under any Privacy/Consumer Laws, such notification shall be provided by Exelon, unless otherwise approved by Exelon in writing. Exelon shall have sole control over the timing and method of providing such notification. Contractor will use best efforts to promptly remedy any breach of security or unauthorized access or acquisition of Personally Identifiable Information and deliver to Exelon within sixty (60) days of such breach or unauthorized access or acquisition a root cause assessment and future incident mitigation plan with regard to any breach of security or unauthorized access or acquisition affecting Personally Identifiable Information.
(iii) Communications and Operational Management. To the extent used to store, transmit, process or otherwise handle Personally Identifiable Information, Contractor shall (a) deploy industry standard anti-virus software and all appropriate back-up protocols to ensure essential business information can be promptly recovered in the event of a disaster or media failure, (b) ensure its operating procedures are appropriately documented and designed to protect information, computer media, and data from theft, misuse, and unauthorized access, and (c) utilize industry standard encryption to protect Personally Identifiable Information while it is at rest, in transit, or residing on backup tapes.
(iv) On-Going Independent Monitoring of Security Controls. Contractor commits to execute on-going, independent monitoring of its control environment at its own cost and expense through Service Organization Control (SOC) 1 evaluations conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16, or SOC 2 audits (a/k/a SSAE Type 2) of the Trust Services Principles (TSPs). Contractor will provide copies of its SOC 1 or SOC 2 reports to Buyer annually with respect to its primary operations. Contractor will ensure any data center, software as a service (SaaS)
ComEd-SSN Amendment #3 (20160201) | Page 4 of 5 | Confidential |
or cloud-computing subcontractors complete and forward SOC reports to Buyer on an annual basis as well. Contractor will report to Buyer its plans to cure any control deficiencies identified through on-going, independent monitoring examinations.
1.6 Termination for Regulatory Non-Compliance. If Contractor’s relationship with Exelon pursuant to this Agreement is identified in writing by any regulatory agency, with jurisdiction over Exelon Parties, to present a risk to any customers, current or former employees, agents, contractors, or subcontractors of Exelon Parties, that requires correction, Exelon shall notify Contractor of such assessment and the need for Contractor to cure, at its sole expense, the risks identified. Notwithstanding anything to the contrary contained in the Agreement, if Contractor fails to cure, or is incapable of curing, the identified risks within the shorter of a) forty-five (45) calendar days after receiving such notice from Exelon, or b) the deadline given by such regulatory agency, Exelon shall be entitled to immediately terminate the Agreement for its convenience and without the obligation to pay any termination fees or other costs to Contractor.
1.7 Regulatory Examinations. Contractor agrees that any regulator or other governmental entity with jurisdiction over Exelon Parties may examine Contractor’s activities relating to the performance of the Agreement and this Addendum, to the extent such authority is granted to such entities under the law. Contractor shall promptly cooperate with and provide all information reasonably requested by the regulator or other governmental entity in connection with any such examination and provide reasonable assistance and access to all equipment, records, networks, and systems reasonably requested by the regulator or other governmental entity. Contractor agrees to comply with all reasonable recommendations that result from such regulatory examinations within reasonable timeframes at Contractor’s sole cost and expense. The foregoing cooperation and assistance will be rendered at Contractor’s then-current time and materials rates, subject to Exelon’s prior written authorization.
1.8 Insurance. Within 90 days of executing this addendum, contractor shall obtain, pay for, and maintain in full force and effect during the term of the Agreement and any renewals thereof additional insurance as follows: Cyber/Network Security Insurance with a limit of not less than *** dollars (***) per occurrence. The full limit of coverage shall be available to pay for Contractor’s credit monitoring obligations.
ComEd-SSN Amendment #3 (20160201) | Page 5 of 5 | Confidential |
|
| Amendment #4
|
| Amended And Restated Services And Material Agreement |
This Amendment Number 4 (“Amendment #4”), effective as of the last date of execution below (“Amendment #4 Effective Date”), between Silver Spring Networks, Inc. (“Silver Spring”) and Commonwealth Edison Company (“ComEd”) amends the Amended and Restated Services and Material Agreement, dated January 25, 2012, between Silver Spring and ComEd (the “Agreement”). Silver Spring and ComEd are referred to herein as the “Parties” or a “Party,” as applicable. Capitalized terms not defined in this Amendment #4 will have the same meaning as in the Agreement.
The Parties agree to amend the Agreement as follows:
1. | Section 1.8 Insurance of Exhibit O, The Special Terms and Conditions for Personally Identifiable Information (SF) is hereby deleted and replaced by the following in its stead: |
1.8 Insurance. Within 30 days of executing this addendum, contractor shall obtain, pay for, and maintain in full force and effect during the term of the Agreement and any renewals thereof additional insurance as follows: Cyber/Network Security Insurance with a limit of not less than *** dollars (***) per occurrence. The full limit of coverage shall be available to pay for Contractor’s credit monitoring obligations.
2. | Integration; Conflict. The foregoing provisions shall govern notwithstanding any contrary provision in the Agreement or any previously executed agreement between the Parties. Except as otherwise expressly provided or modified herein, the (i) terms and conditions of the Agreement remain in full force and effect, and (ii) this Amendment #1 and the Agreement constitute the entire and exclusive agreement between the Parties regarding the subject matter hereof, and supersede all proposals and prior agreements, oral or written, and all other communications. In the event of a conflict between this Amendment #4 and the Agreement, this Amendment #4 shall govern. |
IN WITNESS WHEREOF, the Parties have caused this Amendment #4 to be executed by their duly authorized representatives.
Commonwealth Edison Company |
| Silver Spring Networks, Inc. | ||||
|
|
|
|
|
|
|
By: |
| /s/ *** |
| By: |
| /s/ Scott R. Blackburn |
Name: |
| *** |
| Name: |
| Scott R. Blackburn |
Title: |
| Commodity Manager |
| Title: |
| VP – Client Delivery |
Date: |
| 6/29/2016 |
| Date: |
| 6/29/2016 |
Approved by Legal:
***
***
ComEd‐SSN Amendment #4 (20160422) | Page 1 of 1 | Confidential |
*** Certain omitted portions of this exhibit have been filed with the Securities and Exchange Commission pursuant to a request for confidential treatment under Rule 24b-2 promulgated under the Securities Exchange Act of 1934