PROFESSIONAL SERVICES AGREEMENT
Exhibit 10.38
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS
This Professional Services Agreement (this Agreement) is dated as of April 25, 2008 (the Effective Date) between AIG Global Services, Inc., a New Hampshire corporation located at 2 Peach Tree Hill Road, Livingston, New Jersey 07039 (AIGGS) and Virtusa Corporation, a Delaware corporation with offices at 2000 West Park Drive, Westborough, MA 01581 (Vendor). Customer shall mean AIGGS or any Affiliate on whose behalf Services are performed pursuant to a Work Order (or Change Order).
In consideration of the mutual promises contained herein and other good and valuable consideration, the receipt and sufficiency of which the parties hereby acknowledge, AIGGS and Vendor agree as follows:
1. DEFINITIONS.
1.1 Acceptance Criteria shall have the meaning set forth in Section 5 (Acceptance).
1.2 Acceptance Testing shall mean the testing by Customer or its designee(s) of particular Deliverables provided to Customer hereunder in order to ascertain if such Deliverables meet the Acceptance Criteria. Acceptance Testing shall be carried out on the terms and conditions set forth in Section 5 (Acceptance).
1.3 Affiliate shall mean any corporation, partnership, venture, or other business entity that directly or indirectly, controls, is controlled by, or is under common control with AIGGS. For purposes of the foregoing definition, control (including control by and under common control with) shall mean: (a) ownership of or the right to acquire: (i) not less than thirty percent (30%) of the voting stock of a corporation, (ii) the right to vote not less than thirty percent (30%) of the voting stock of a corporation (or, in the case of a non-corporate entity, equivalent rights), or (iii) not less than thirty percent (30%) ownership interest in a partnership, limited liability company, joint venture or other entity; and/or (b) with respect to any entity, the ability of AIGGS, or any entity that otherwise qualifies under the foregoing definition, to direct the management of such entity. An entity that otherwise qualifies under the foregoing definition shall be deemed included within the meaning of Affiliate even though it qualifies as such after the Effective Date. At AIGGS's option, the purchaser of all or substantially all of the assets of any line of business of AIGGS or any Affiliate (including the assets of the business in a specific geographic area or set of geographic areas) shall be deemed an Affiliate of AIGGS for twelve (12) months after the date of such purchase, with respect to the business acquired.
1.4 Application Parts shall have the meaning as set forth in Section 2.2 (Knowledge Transfer).
1.5 Assignment shall have the meaning set forth in Section 11.1 (Assignment).
1.6 Background Technology shall mean any creations (including any technology, inventions, discoveries, works of authorship or other prior creations) that were conceived, created or reduced to practice by or for Vendor (alone or with others) prior to commencement of Vendor's contractor arrangement with Customer, as are set forth in a Work Order.
1.7 Change Order shall mean any change order executed by a duly authorized representative of each of Vendor and Customer in accordance with Section 2.6 (Change Orders), a form of which is attached to this Agreement as Exhibit A attached hereto.
1.8 Claim shall have the meaning set forth in Section 14.2 (Notice; Cooperation; Settlement).
1.9 Code shall mean computer programming code (including microcode, as applicable) and, unless otherwise expressly stated in a Work Order, includes both object code and source code.
1.10 Confidential Information shall have the meaning given in Section 9 (Confidentiality and Security).
1.11 Client Data shall have the meaning given in Section 9 (Confidentiality and Security).
1.12 Data Center shall mean AIGGS or such other data center as may be designated by Customer (in its sole discretion) from time to time.
1.13 Deliverables shall mean, collectively, any and all software (including Code), documents, information and other materials delivered or to be delivered by Vendor hereunder, as may be more fully detailed in each Work Order.
1.14 Disabling Code shall mean any Code that is intended to disrupt, modify, delete, damage, deactivate, disable, shut down, harm or otherwise impede in any manner, in whole or in part, the operation of any software, firmware, hardware, computer system or network, including any device, method or token that permits any person to circumvent the normal security of the software containing such Code.
1.15 Disaster shall mean any acts of war, terrorism, riots, civil disorders, rebellions or revolutions or any other act that could reasonably be expected to pose a threat to the safety, security, integrity or functionality of any Facility, Personnel or Customer Confidential Information.
1.16 Disaster Recovery Plan shall mean Vendor's disaster recovery plan in such form as has been approved by Customer in accordance with Section 2.4 (Disaster Recovery Requirements). Any such Disaster Recovery Plan shall be incorporated hereto as Exhibit E.
1.17 Facilities shall mean those facilities owned, operated or leased by Customer, Vendor or a third party, at which Personnel provide any Services hereunder (including any Secondary Site).
1.18 Fixed Price Period shall have the meaning set forth in Section 4.3 (Payment; Expenses).
1.19 Fixed Price Services shall mean those Services provided by Vendor on a fixed price basis.
1.20 Force Majeure shall have the meaning set forth in Section 19 (Force Majeure).
1.21 Governmental Authority shall mean any applicable (a) federation, country, nation, state, sovereign, or government; (b) federal, supranational, regional, state, local, or municipal political subdivision; (c) governmental or administrative body, instrumentality, department, or agency; (d) court, administrative hearing body, arbitrator, commission, or other similar dispute resolving panel or body; or (e) any other entity exercising executive, legislative, judicial, regulatory, taxing, or administrative functions of a government with jurisdiction over the applicable matter.
1.22 Indemnified Party shall have the meaning set forth in Section 14.1 (General Indemnity).
1.23 Knowledge Transfer Plan shall have the meaning set forth in Section 2.2(a) (Knowledge Transfer).
1.24 Laws shall mean any laws, statutes, ordinances, codes, rules, regulations, published standards, permits, judgments, decrees, writs, injunctions, rulings, orders, administrative guidance, and/or other requirements of any Governmental Authority.
1.25 Maintenance Period shall have the meaning set forth in Section 4.3 (Payment; Expenses).
1.26 Maximum Dollar Amount shall have the meaning set forth in Section 2.1(a) (Work Orders).
1.27 Milestone Period shall have the meaning set forth in Section 4.3 (Payment; Expenses).
1.28 Performance Requirements shall mean that list of service levels, performance metrics and reporting requirements, if applicable, as may be set forth in Exhibit D attached hereto, which may be revised by written agreement of the parties hereto.
1.29 Personnel shall mean those Vendor employees and Vendor Subcontractors who perform Services or who have access to Customer's Confidential Information.
1.30 Personnel Non-Disclosure & Assignment of Invention Agreement shall mean the form agreement attached hereto as Exhibit F attached hereto.
1.31 Privacy Laws shall mean any laws, rules or regulations of any country relating to nonpublic personal information, including the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999, CA SB 1386 regarding privacy and other federal, state and local laws and regulations of any jurisdiction relating to nonpublic personal information.
1.32 Professional Day shall have the meaning set forth in Section 4.1 (Fees).
1.33 Project Manager shall mean the key contact person designated by each of Vendor and Customer with respect to Services provided under a specific Work Order.
1.34 Proprietary Rights shall have the meaning set forth in Section 11.1 (Assignment).
1.35 Records shall have the meaning set forth in Section 18.1 (Record Retention).
1.36 Relationship Manager shall have the meaning set forth in Section 8.1 (Relationship and Project Managers).
1.37 Secondary Site shall have the meaning set forth in Section 2.4(b) (Disaster Recovery Requirements).
1.38 Security Requirements shall mean that list of security requirements set forth in Exhibit C attached hereto, which may be revised by Customer (in its sole discretion) from time to time.
1.39 Services shall mean (a) any services described in any Work Order(s), Change Order(s) and Knowledge Transfer Plan(s), (b) the Training Services, (c) any Termination Assistance.
1.40 T&M Services shall mean those Services provided by Vendor on a time and materials basis.
1.41 Term shall have the meaning set forth in Section 12.1 (Term).
1.42 Termination Assistance shall have the meaning set forth in Section 12.7(a) (Termination Assistance).
1.43 Termination Assistance Period shall mean that period of time commencing upon the earliest to occur of (a) notice by a party of termination of this Agreement (in whole or in part), (b) notice by Customer of its need for Termination Assistance, or (c) ninety (90) days prior to expiration of this Agreement, and ending no later than 90 days after termination of the Agreement or Work Order, as the case may be.
1.44 Third Party Technology shall mean any software, materials or other technology that are owned or controlled by a third party, as identified on a Work Order. Use of any such Third Party Technology shall be in accordance with American International Group's Office of the Chief Information Officer standards and guidelines, which shall be provided to Vendor from time to time.
1.45 Training Services shall have the meaning set forth in Section 6 (Training Services).
1.46 Turnover Plan shall have the meaning set forth in Section 12.7 (c) (Termination Assistance).
1.47 Vendor Affiliate shall mean any entity controlling, controlled by or under common control with Vendor whether by ownership or control of voting securities, by contract or otherwise, director, manager or executive officer of such entity. Vendor Affiliates shall include, without limitation, the following entities: Virtusa UK Limited, Virtusa (India) Private Limited and Virtusa (Sri Lanka) Private Limited. Vendor may update this list on written notice to Customer.
1.48 Vendor Proprietary Information shall have the meaning set forth in Section 11.3 (Background Technology, Third Party Technology and Vendor Proprietary Information).
1.49 Vendor Provided Hardware shall mean that written list of hardware and equipment, including servers, back-up devices, routers, switches, modems, which list Vendor shall provide to Customer in connection with its performance of the Services.
1.50 Vendor Subcontract shall have the meaning set forth in Section 3.1 (Approval Process; Approval of Subcontractors).
1.51 Vendor Subcontractor shall have the meaning set forth in Section 3.1 (Approval Process; Approval of Subcontractors).
1.52 Virus shall mean: (a) Code intentionally constructed to, or that has the ability to, damage, interfere with, or otherwise adversely affect other Code, computer programs, data files or operations, including disabling Code; or (b) any other Code typically designated to be a virus, including any Trojan horse, worm, or other harmful or disruptive component.
1.53 Work Order shall mean any work order executed by a duly authorized representative of each of Vendor and Customer for the provision of Services, a form of which is attached to this Agreement as Exhibit B attached hereto, as may be amended by a Change Order.
2. SERVICES.
2.1 Work Orders. Customer may from time to time issue Work Orders. Each Work Order shall, upon execution by the parties, constitute a separate agreement and, except for any provisions of this Agreement that are specifically excluded or modified in such Work Order, shall incorporate therein the terms and conditions of this Agreement. Unless otherwise expressly stated in a Work Order, in the event of any conflict between the terms of this Agreement and the terms of such Work Order, the terms of this Agreement shall govern.
(a) Any Work Order providing for T&M Services shall include with reasonable specificity, if applicable: (i) a description of the Services to be performed; (ii) the Deliverables, if any, to be produced by Vendor; (iii) appropriate testing and acceptance procedures; (iv) the schedule for completion of each of the foregoing; (v) the daily rate to be charged; (vi) estimated expenses (travel-related or otherwise) to be incurred by Vendor in connection with the project; (vii) the maximum dollar amount billable (including expenses) in connection with such Services (Maximum Dollar Amount), if any; (viii) the parties' respective Project Managers; (ix) any reports (in addition to those set forth in Section 7 (Reporting; Certifications)) to be provided by Vendor to Customer; and (x) such additional information as the parties may wish to include. Notwithstanding anything to the contrary contained herein, Customer shall not be liable for any charges and/or expenses for any T&M Services in excess of the Maximum Dollar Amount specified on the applicable Work Order. In the event that Vendor reasonably believes its fees and/or billable expenses for any T&M Services may exceed the applicable Maximum Dollar Amount, Vendor shall promptly notify Customer of such fact in writing, and if the parties execute a Change Order in accordance with Section 2.6 (Change Orders), a new Maximum Dollar Amount shall be applicable to such T&M Services.
(b) Any Work Order providing for Fixed Price Services shall include with reasonable specificity, if applicable: (i) a description of the Services to be performed; (ii) the Deliverables, if any, to be produced by Vendor; (iii) appropriate testing and acceptance procedures; (iv) the schedule for completion of each of the foregoing (including milestone dates); (v) estimated expenses (travel-related or otherwise) to be incurred by Vendor in connection with the project; (vi) total fees and a schedule of payments; (vii) the parties' respective Project Managers; (viii) any reports (in addition to those set forth in Section 7 (Reporting; Certifications)) to be provided by Vendor to Customer; and (ix) such additional information as the parties may wish to include.
2.2 Knowledge Transfer.
(a) Preparation of Knowledge Transfer Plan. In connection with each Work Order for Fixed Price maintenance and enhancement Services that are being transitioned from either Customer's third party vendors or from Customer directly, Vendor shall, pursuant to the terms of the Work Order, prepare a draft knowledge transfer plan with respect to knowledge transfer activities to be undertaken by Vendor and Customer and/or its designee(s) with respect to the software applications, or any part(s) thereof (including any modules, components, elements or functional units) (the Application Part(s)), covered by such Work Order. The draft knowledge transfer plan, which may or may not be a part of a larger project plan, shall (i) identify Application Parts covered by the plan; (ii) set forth in detail steps and procedures to be undertaken by Vendor and Customer and/or its designee(s) to facilitate the transfer of knowledge to Vendor in order to enable Vendor to provide the Services set forth in the Work Order in accordance with the terms and conditions of this Agreement (e.g., documents to be reviewed, tests to be conducted); (iii) identify Personnel responsible for undertaking such steps and procedures; (iv) set forth milestones to be achieved pursuant to the plan; and (v) set forth schedules for achieving such milestones. Customer shall have the right to review and require revisions to any draft knowledge transfer plan until such time as the parties agree to such plan in writing (each such agreed to knowledge transfer plan herein referred to as a Knowledge Transfer Plan).
(b) Execution of Knowledge Transfer Plan. Vendor shall be responsible for undertaking the activities set forth in each Knowledge Transfer Plan subject to its terms and conditions and those set forth herein and in the applicable Work Order. Customer shall reasonably cooperate with Vendor in connection with such activities, and shall, as and when milestones are achieved in all respects with the Knowledge Transfer Plan, certify in writing to Vendor that such milestones have been achieved.
2.3 Performance of Services. Vendor shall, subject to the terms and conditions in the Work Order and the terms hereunder, render the Services in a timely and professional manner consistent with industry standards by the completion dates, if any, set forth in the applicable Work Order.
(a) In performing Fixed Price Services, Vendor agrees to provide, at its sole expense, all Vendor Provided Hardware and Third Party Technology, Background Technology set forth in the Work Order and identified as a responsibility of Vendor therein.
(b) In performing T&M Services, Vendor agrees to provide, at its sole expense Vendor Provided Hardware and Background Technology as set forth in the Work Order and identified as a responsibility of Vendor therein.
(c) For any Services performed at Vendor's or third-party Facilities or any other off site location, Vendor shall use all reasonable efforts to ensure that (i) Vendor's hardware and software environment comply with Customer's technical standards, which may be updated from time to time; and (ii) at all times Vendor maintains and adheres to a Disaster Recovery Plan.
(d) Unless otherwise specified in a Work Order, all Deliverables shall be written in the English language and shall be delivered in a format and on media acceptable to Customer. The medium of delivery (e.g., download, tape, e-mail or diskette) will be agreed to by the parties in writing.
(e) Vendor shall observe and comply with all Customer security procedures, rules, regulations, policies, working hours and holiday schedules and will not disrupt Customer's normal business operations. Vendor shall comply with all Customer information security policies, standards and guidelines while using Customer's systems, networks and applications, and when communicating with Customer via email and/or over the Internet in the course of performing Services, including, without limitation, the security requirements set forth in Exhibit C (Security Requirements) hereto, and shall notify Customer of any situation that will or is reasonably likely to put Customer systems, networks or applications at risk. Throughout the Term, Vendor shall comply with the AIG Vendor Certification Program, details of which can be found at http://www.aigscreen.com and all background checks of Vendor Personnel shall be completed prior to the start of such Vendor Personnel's assignment hereunder and shall be in accordance with the AIG Vendor Certification Program. If Customer determines that the results of any background check do not meet its requirements, Vendor may not assign such Vendor Personnel to perform Services hereunder. Vendor represents, warrants and covenants that Vendor has and will secure the prior written consent of each of its Vendor Personnel to disclose information regarding each such Vendor Personnel to Customer's designated background check provider. Customer is in the process of implementing a supplier diversity program and Vendor will provide any information reasonably requested by Customer regarding Vendor's demographics and diversity policies and the demographics and diversity policies of its subcontractors.
(f) Vendor guarantees to Customer the full performance of any and all responsibilities, obligations, and liabilities of each Vendor Affiliate arising under or in connection with this Agreement and each Work Order, including, without limitation, all indemnity obligations. No extension, modification, alteration or assignment of this Agreement or any Work Order will in any manner release or discharge Vendor from the obligations set forth in this Section 2.3(f). Customer may, at its option, institute legal proceedings against Vendor without having commenced any action or having obtained a judgment against a Vendor Affiliate. This Section 2.3(f) shall survive any termination or expiration of this Agreement for a period of three (3) years from the effective date of termination or expiration of this Agreement.
(g) For each and every Work Order issued by an Affiliate domiciled and/or existing in a jurisdiction outside of the United States (a Foreign Jurisdiction), if there is a Vendor Affiliate domiciled and/or existing in the same country, such Work Order shall be issued to the Vendor Affiliate; provided that Vendor hereby guarantees the obligations of such Vendor Affiliate under this Agreement and such Work Order. As far as such Work Order is concerned, Vendor Affiliate shall be the party that executes the Work Order and is responsible for performance thereunder. However, Vendor hereby guarantees to Customer the full performance of any and all responsibilities, obligations, and liabilities of such Vendor Affiliate under such Work Order and this Agreement. Where there is no Vendor Affiliate domiciled and/or existing in the same Foreign Jurisdiction as the Affiliate issuing the Work Order, the Affiliate shall execute such Work Order and remain responsible for its performance thereunder. However, Vendor hereby guarantees to Customer the full performance of any and all responsibilities, obligations, and liabilities of such Affiliate under such Work Order and this Agreement.
2.4 Disaster Recovery Requirements.
(a) Prior to the commencement of any offsite Services hereunder, Vendor shall develop and Customer shall agree (in writing) on a Disaster Recovery Plan(s) for the Services. During the Term, Vendor shall comply in all respects with and perform the obligations set forth in a Disaster Recovery Plan. Vendor shall, at least annually, (i) review, test, and update each Disaster Recovery Plan to validate whether the Disaster Recovery Plan addresses material changes in Customer's operating environments, software and hardware enhancements, and changes in the scope or nature of the Services; and (ii) provide Customer with a written report of such test results and proposed changes to the Disaster Recovery Plan, that if adopted, would have a material diminution in service levels or material adverse impact on the operations of the Customer projects on which Vendor has been engaged. Any material proposed changes to any Disaster Recovery Plan (the materiality of which shall be mutually agreed upon between the parties) shall not require approval by Customer unless such changes substantially and materially reduce or degrade then existing procedures. Any non-material proposed changes to any Disaster Recovery Plan may be incorporated into the revised Disaster Recovery Plan without Customer's prior written approval.
(b) Notwithstanding anything to the contrary in any Disaster Recovery Plan (DRP), Vendor hereby agrees to perform the following:
(i) Vendor shall create and maintain daily back-up files and off-site storage for all data, software programs and documentation provided hereunder. Any off-site storage provider shall be deemed to be a Vendor Subcontractor.
(ii) Vendor will run a full disaster recovery test under its DRP Site at least once a year to validate Vendor's procedures and demonstrate their ability to recover the development environment within the recovery time(s) as specified in any Disaster Recovery Plan, which recovery times shall in no event be designed to exceed twenty-four (24) hours or such other time periods in the DRP (depending on the nature of the disaster).
(iv) Vendor shall (A) identify to Customer each Disaster affecting any Services promptly upon identification by Vendor thereof and consult with Customer prior to declaration of a disaster; (B) notify Customer as soon as possible of any situation that in Vendor's reasonable judgment may escalate to a Disaster; (C) develop and maintain a list of Customer personnel to contact in the event of a Disaster and comply with Customer's reasonable notification procedures; and (D) maintain communications with Customer as to the status of the Disaster and the progress of the implementation of the Disaster Recovery Plan procedures and the Services restoration process.
(v) Notwithstanding the foregoing, in the event of an outage affecting the operation of the Vendor's development environment being used for Services, which outage exceeds six (6) hours and for which recovery time is unknown or expected to exceed twenty-four (24) hours, Vendor shall declare a Disaster.
(vi) If there is a Disaster, Vendor shall implement fully the agreed upon Disaster Recovery Plan and provide Services, without material interruption and at the service levels set forth in this Agreement or such other alternate location with comparable communication links, security, hardware and software environment as well as duplicate data, software programs and documentation, subject in each case to the terms of the Disaster Recovery Plan.
(c) Customer shall not be responsible for any fees associated with time or Services Personnel were unable to perform as a result of any Disaster.
2.5 Facilities. The following terms and conditions shall apply to the Facilities, any Personnel performing the Services or other Vendor obligations at or with respect to the Facilities, and any services provided in or from the Facilities:
(a) Customer shall make its Facilities available to Vendor as reasonably necessary in connection with the Services, provided that Vendor and its Personnel fully comply with the terms of Section 2.4(e).
(b) Vendor shall ensure that neither Vendor, nor any Personnel, commits in (or with respect to) the Facilities any violation or breach of: (i) any Laws; (ii) Vendor's insurance policies; (iii) any Customer access or physical security policies or procedures, including the Security Requirements; or (iv) Customer's obligations under any real estate leases or other agreements applicable to the Facilities. Vendor shall, and shall cause all Personnel to, immediately inform Customer of any actual, alleged, or potential breaches in security at Facilities. Vendor shall be fully responsible and liable to Customer for any and all violations of the foregoing and any loss or damage arising therefrom or related thereto.
(c) Vendor shall only use, and shall only permit Personnel to use, the Customer's Facilities for the purpose of providing the Services.
(d) Vendor shall, and shall cause Vendor's Personnel to, keep the Facilities in good order and not commit or permit waste or damage thereto. Vendor shall use reasonable care and shall use reasonable efforts to cause Vendor's Personnel to use, the Facilities in a reasonably efficient manner. Vendor shall be solely responsible and liable for any tangible physical damage to the Facilities resulting from the abuse, misuse, neglect, or gross negligence of Vendor, or any Vendor's Personnel or from any other failure to comply with Vendor's obligations in regards to the Facilities.
(e) Vendor shall remain fully responsible and liable for the acts and omissions of all Personnel in or in connection with any Facilities.
2.6 Change Orders. Customer may, upon written notice to Vendor, request additions, reductions, or other changes to the scope of any or all Services to be provided pursuant hereto or under a particular Work Order, including the addition of new services to supplement such Services only pursuant to a change request (such request, a Change Request). Within three (3) business days of Vendor's receipt of a Change Request from Customer, Vendor shall provide Customer with a written response (a Change Order) detailing the tasks to be performed to accomplish the proposed changes in scope and/or services set forth in such Change Request, as well as any changes in the Charges that may arise therefrom. Each Change Order shall be in a format substantially similar to that of the Sample Change Order attached hereto as Exhibit B (Sample Change Order). Vendor shall use reasonable efforts to accommodate each Change Request, at rates no greater than the applicable rates, if any, set forth in the Work Order to which such Change Request applies. Customer, in its sole discretion, reserves the right to accept, modify, or reject any or all Change Orders received from Vendor. No Change Order shall bind either party unless and until both parties have accepted the terms and conditions of such Change Order in writing, in which event, upon execution by both parties of such Change Order, the terms and conditions of such Change Order shall be deemed an amendment to the applicable Work Order. Vendor may not increase the fees under any Work Order, nor may any amendment or modification to a Work Order be effective, except through a Change Order executed by both parties pursuant to this Section 2.6 (Change Orders).
2.7 Delays. Subject to the terms of a Work Order, Vendor shall be responsible for meeting the project milestones, development methodologies, quality of the developed products, Deliverables, acceptance and documentation as further described in the applicable Work Order. Vendor may be required to adopt flexible hours or work in shifts to accommodate United States time zones. Vendor understands that failure to meet any scheduled milestones due to Vendor's conduct (after reasonable attempts to cure any alleged failures occur) will result in immediate review by Customer and possible termination of the applicable Work Order under the terms of this Agreement.
3. PERFORMANCE OF SERVICES BY SUBCONTRACTORS.
3.1 Approval Process; Approval of Subcontractors. Prior to entering into discussions with any third party to subcontract or otherwise to delegate any Services or any other Vendor obligations hereunder, Vendor shall notify Customer of the proposed subcontractor, which notice shall include in addition to any other information requested by Customer: (a) the specific obligations that Vendor proposes to subcontract; (b) the scope of the proposed subcontract; (c) the identity, qualifications, and financial resources of the proposed subcontractor. Vendor shall not enter into any such discussions with such proposed subcontractor unless and until Customer approves such discussions in writing. If Customer approves such discussions, Vendor shall require the proposed subcontractor to execute those documents as required and described in Section 3.3 (Vendor Subcontracts).
Notwithstanding the foregoing, Vendor shall not enter into any agreement or other arrangement with any third party to subcontract or otherwise delegate any Services or any of Customers other obligations under this Agreement without Customers prior written. A proposed Vendor subcontractor that is approved by Customer in accordance with the foregoing shall be deemed a Vendor Subcontractor, and such Vendor Subcontractors subcontract with Vendor shall be deemed a Vendor Subcontract, for purposes of this Agreement.
3.2 Replacement of Vendor Subcontractors. Without limiting any other provision of this Agreement, upon Customers request, Vendor shall replace any Vendor Subcontractor with a different third-party subcontractor (or shall perform the applicable subcontracted services or obligations itself) if Customer determines in its sole discretion that the continued use of such Vendor Subcontractor is not in Customers best interests.
3.3 Vendor Subcontracts. Without limiting any other provision of this Agreement, Vendor shall ensure that: (a) each Vendor Subcontract to include (i) as flow-down provisions, terms and conditions substantially similar to the provisions of Section 5 (Acceptance), Section 8 (Staffing), Section 9 (Confidentiality and Security), Section 11 (Intellectual Property Rights), Section 12.4 (Effect of Termination), Section 13 (Warranties), Section 14 (Indemnification), Section 15 (Limitation of Liability), Section 16 (Non-Solicitation), Section 18 (Record Retention and Audit) and Section 20 (Insurance) of this Agreement and any other provisions as necessary for Vendor to fulfill its obligations hereunder.
3.4 Responsibility. Vendor shall remain fully responsible and liable for all obligations, services, and functions performed by any Vendor Subcontractor to the same extent as if such obligations, services, and functions were performed by Vendor employees, and for purposes of this Agreement, such work shall be deemed work performed by Vendor.
4. PRICING AND PAYMENT.
4.1 Fees. All fees payable and that Vendor may charge under this Agreement (the Charges) for any Services, Deliverables, and any licenses or other rights hereunder, including any applicable fixed price and/or time and materials charges, are set forth in the applicable Work Order(s) hereto; provided, however that time and materials rates for staff augmentation Services shall be in accordance with Exhibit C (Rate and Discount Schedule) hereto. In the event that any Work Order contains an estimate of the Charges payable thereunder, the total Charges payable under such Work Order shall in no event exceed such estimate, unless otherwise agreed to in writing by the parties. For any T&M Services that are billed at a daily rate, Vendors daily billing rate shall be based on [***************] (including a lunch break not to exceed one hour) (a Professional Day). For Services performed on a time and materials basis that are billed a daily rate, any hours worked in excess of a Professional Day in any one day or on Saturdays, Sundays or holidays, shall be at no additional cost to Customer unless specifically authorized in advance in writing by Customer. Vendor may not include in Charges any fee associated with or cost or expense incurred by Vendor in preparing a bid to perform Services under this Agreement. Any time and materials Services billed on an hourly basis and performed on Saturdays, Sundays or holidays and/or after business hours shall be billed at the same rates provided in the applicable Work Order for Services performed during business hours. Vendor may not include in Charges any fee associated with or cost or expense incurred by Vendor in preparing a bid to perform Services under this Agreement.
4.2 Currency, Payment Details. All invoices and payments hereunder shall be in United States Dollars or such other local currency as the Parties may mutually agree in writing.
4.3 Payment; Expenses.
(a) As full compensation for any Services performed by Vendor pursuant to any Work Order, Customer shall pay Vendor fees and expenses for such Services rendered under the terms of such Work Order. Vendor shall invoice Customer monthly in arrears (or as otherwise mutually agreed to by the parties in writing) for fees and expenses incurred as a result of performing Services under the terms of the applicable Work Order. If expressly agreed to by the parties in a given Work Order, Customer shall pay for reasonable out-of-pocket expenses required and actually incurred by Vendor while performing Services (including air transportation (coach-economy only) and hotel/overnight accommodations, as applicable), provided that: (a) such expenses are in accordance with Customers expense policies, as may be modified from time to time; (b) Customer has approved such expenses in advance in writing; and (c) Vendor has described such expenses in writing in detail to Customer, and has submitted supporting documentation satisfactory to Customer. Notwithstanding the foregoing, the parties agree that (a) Customer shall not reimburse Vendor for normal commutation expenses or for travel and living expenses incurred by Vendor in performing Services at a Customer facility located in the same metropolitan area as that of Vendors address; and (b) any entertainment by or on behalf of Vendor shall be at no cost to Customer.
(b) Upon any termination of this Agreement or any Work Order in accordance with Section 12.3 (Termination for Cause):
(i) With respect to T&M Services, Vendor shall be paid fees on a time and materials basis at the applicable rate set forth in Exhibit F for Vendor Application Development resources or, in the event Vendor is providing T&M Services unrelated to development on Vendors proprietary commercially available software applications, under the applicable Work Order for Services actually performed up to and including the effective date of such termination.
(ii) With respect to Work Orders for Fixed Price Services, other than for maintenance services, as to which there are not any interim milestones, Vendor shall be paid the lesser of: (A) time and materials fees (using the daily rates set forth in the applicable Work Order for the days spent performing Services up to and including the effective date of such termination; or (B) the total fixed fee identified in the applicable Work Order divided by the Fixed Price Period, as defined below. The Fixed Price Period shall mean the total number of days (calendar days or business days, as specified in the applicable Work Order) for provision at such Services as initially estimated in the Work Order divided by the number of such days that Vendor actually performed Services under the Work Order.
The following example, which is given for illustrative purposes only, demonstrates how the above formula shall be used: Customer has engaged Vendor for development Services with a fixed fee of ninety thousand dollars ($90,000.00) in which the estimated end date is ninety (90) calendar days from the start date. Customer then terminates the Work Order for convenience effective on the thirtieth (30th) day after the start date. As of the effective date of termination, Vendor has expended thirty (30) days using eight (8) programmers at a rate of one hundred and fifty dollars ($150.00) per day each. Thus, Vendor has expended thirty-six thousand dollars ($36,000.00) on the Work Order. However, upon termination, Customer will owe Vendor no more than thirty thousand dollars ($30,000.00) because the Fixed Price Period of thirty thousand dollars ($30,000.00) is lower than the amount Vendor has expended on a time and materials basis, which in this example is thirty-six thousand dollars ($36,000.00).
(iii) With respect to Work Orders for Fixed Price Services as to which there are interim payments based on milestones, Vendor shall be paid: (A) any milestone payments associated with any Deliverables which have been accepted by Customer in accordance with Section 5 (Acceptance) prior to the effective date of termination; and (B) the lesser of: (1) time and materials fees (using the daily rates set forth in the Fee Schedule) for the time spent performing Services after the last milestone has been reached up to and including the effective date of termination; or (2) the result of the next milestone payment due divided by the Milestone Period (as defined below) which result shall be multiplied by the number of days (calendar or business days, as specified in the applicable Work Order) Vendor actually spent performing Services during the Milestone Period. The Milestone Period shall mean the total number of days (calendar or business days, as specified in the applicable Work Order) from the date the last milestone was reached to the date the next milestone was initially estimated to be reached (as set forth in the Work Order). The Milestone Cap shall mean a cap on fees calculated as follows: (amount of the next milestone payment otherwise due to Vendor divided by the Milestone Period) multiplied by the number of calendar or business days, as applicable, that Vendor actually performed Services during such Milestone Period.
The following example, which is given for illustrative purposes only, demonstrates how the above formula shall be used: Customer has engaged Vendor for development Services with a fixed fee of one hundred thousand dollars ($100,000.00) in which the estimated end date is forty (40) calendar days from the start date. There are four (4) Deliverables with associated milestone payments of twenty-five dollars ($25,000.00) each. The first Deliverable is due on the tenth (10th) day after the start date, the second Deliverable is due on the twentieth (20th) day after the start date, the third Deliverable is due on the thirtieth (30th) day after the start date and the fourth Deliverable is due on the fortieth (40th) day after the start date. Customer terminates the Work Order for convenience effective on the twenty-fifth (25th) date after the start date. As of the effective date of termination, Customer has accepted the first two (2) Deliverables. During the period in between the milestone date for the second Deliverable and the effective date of termination, Vendor expended five (5) calendar days using two (2) programmers at a
rate of one hundred and fifty dollars ($150.00) each per day. Therefore, Vendor expended one thousand five hundred dollars ($1,500.00) on the Services after the first two (2) Deliverables were completed and accepted by Customer. Upon termination, Customer will owe Vendor fifty-one thousand, five hundred dollars ($51,500.00) for the Services performed under the Work Order, which is equal to payment for the two (2) Deliverables accepted plus time and materials fees based on the remainder of the time Vendor worked on the project. In this example, the amount actually expended by Vendor on a time and materials basis after the second Deliverable was accepted (one thousand five hundred dollars ($1,500.00)) is lower than the Milestone Cap (twelve thousand five hundred dollars ($12,500.00)). The Milestone Cap in this example is reached by dividing the next milestone payment due, which is twenty-five thousand dollars ($25,000.00), by ten (10) days and multiplying the result by five (5), which is the number of days that Vendor spent performing the Services after the first two (2) Deliverables were accepted.
(iv) With respect to Work Orders for maintenance Fixed Price Services (including enhancement Services that are bundled into maintenance Services), Vendor shall be paid for an amount equal to the total fixed price fee divided by the Maintenance Period (as defined below) multiplied by the number of calendar days between the first day of the term of the Work Order and the effective date of termination. The Maintenance Period shall mean the total number of calendar days contained in the term of the applicable Work Order.
The following example, which is given for illustrative purposes only, demonstrates how the above formula shall be used: Customer has engaged Vendor for maintenance Services with a fixed fee of one hundred thousand dollars ($100,000.00). The term of the Work Order is one (1) year. Therefore, the Maintenance Period for the Work Order is three hundred and sixty-five (365) calendar days. Customer then terminates the Work Order for convenience effective on the ninetieth (90th) day after the first day of the term. The amount that Customer will owe Vendor is equal to twenty-four thousand six hundred and fifty seven dollars and fifty-three cents ($24,657.53). This number was calculated by dividing the fixed price fee of one hundred thousand dollars ($100,000.00) by the Maintenance Period of three hundred and sixty-five (365) calendar days and multiplying the result by ninety (90), which is the number of calendar days between the first day of the term of the Work Order and the effective date of termination.
(c) In the event of termination by Customer of this Agreement or any Work Order in accordance with Section 12.3 (Termination for Cause), Customer shall not be obligated to pay Vendor such amounts as set forth in Section 4.3(b) above.
4.4 Volume Discounts. For purposes of determining volume discounts and other pricing incentives, if any, made available by Vendor to Customer: (a) all Work Orders will be consolidated and the total amount of purchases under those Work Orders will be used for determining volume discounts and other pricing incentives except that all reimbursable expenses, applicable taxes and any expenses that the parties agree are pass through costs or purchases shall be excluded from the total amount of purchases used for the calculation; and (b) any software, hardware or other goods or services purchased by Customer and/or any Affiliate from Vendor pursuant to a separate agreement as of, or prior to, the Effective Date will also be consolidated and the total amount of such purchases will also be used for determining volume discounts and other incentives, except that all reimbursable expenses, applicable taxes and agreed to pass through costs or purchases shall be excluded from the total amount of purchases used for the calculation.
4.5 Taxes. Unless Customer provides Vendor with a valid and applicable exemption certificate within a commercially reasonable time, Customer will pay or reimburse the Vendor for sales, use, excise, services, consumption and other taxes or duties and analogous taxes (collectively, Taxes) that the Vendor is permitted or required to collect from Customer and which are assessed on the purchase, license and/or supply of Services and for which Vendor invoices Customer before the expiration of the later of the applicable Customers or Vendors statutory period for assessment of the relevant Taxes. Taxes shall not include any personal property taxes on property Vendor owns or leases, franchise and privilege taxes on its business and/or taxes based on its net income or gross receipts. Customer will not be responsible for any penalties related to the tax obligations of Vendor unless (i) such penalties accrue solely based on the actions or inactions of Customer and (ii) Customer had received reasonable prior written notice from the Vendor that the actions or inactions of Customer will be the sole basis for such. Vendor will be responsible for remitting applicable taxes. If Customer pays any tax to Vendor and if it is later held that that tax was not due, Vendor will refund the amount paid to Customer, together with all related interest paid by the applicable taxing authority. Any additional sales/use taxes assessed on Vendors provision of Services or Deliverables resulting from Vendors change in location from the location originally contemplated pursuant to the Work Order on which results from the relocation or redirection of the
delivery, including temporary storage, of such Services or Deliverables, either of which is made for the Vendors convenience, will be paid by Vendor.
4.6 Requisition Invoice System. Customer may use a web-enabled system to automate the requisition and invoicing procedures in connection with the Services (the Requisition Invoice System). As of the Effective Date, the Requisition Invoice System is known as Fieldglass InSite. Vendor hereby agrees that any expenses incurred by Vendor in connection with Vendors access and use of the Requisition Invoice System shall be borne by Vendor. Further, Vendor shall be solely responsible for a transaction fee of one percent (1%) of all gross Charges processed through the Requisition Invoice System (the Transaction Fee). Vendor hereby agrees that Customer shall deduct such Transaction Fee from each invoice total prior to rendering payment to Vendor. Customer reserves the right to increase the Transaction Fee by providing written notice to Vendor.
5. ACCEPTANCE.
Unless otherwise stated in a Work Order, Customer shall have [***********] days from its receipt of any Deliverable under any Work Order (the Acceptance Period) to review and evaluate such Deliverable to determine whether the Deliverable conforms in all material respects to the acceptance requirements specific to the particular Deliverable set forth in such Work Order or other acceptance criteria otherwise provided by Vendor to Customer, and agreed to by the parties in writing (Acceptance Criteria) pursuant to an acceptance plan. The Deliverables shall be deemed accepted by Customer upon the earlier of: (a) Customers written notification to Vendor of such acceptance; or (b) Customers use of the Deliverable in a production environment, unless the SOW indicates that the Deliverable will be used in production prior to acceptance by Customer. If Customer rejects a particular Deliverable within the Acceptance Period, Customer shall, at Vendors request, provide Vendor within the Acceptance Period, with a list or description of the inadequacies, defects, deficiencies or other problems that led to the Deliverables non-conformance to the Acceptance Criteria and the rejection. Vendor shall have 20 days following Customers written notice of rejection in which to provide a corrected Deliverable to Customer. In the event that Deliverable again does not comply in all material respects with the Acceptance Criteria and Customer does not accept such corrected Deliverable on such basis, Customer may, in its sole discretion and in addition to any other available remedies, either (a) grant Vendor a further five (5) days (or such longer period as Customer may, in its sole discretion, decide) in which to correct any problems; or (b) deem Vendors failure to provide to Customer an acceptable Deliverable to be a default, and immediately terminate this Agreement or the applicable Work Order in part or in whole without further opportunity to cure.
6. TRAINING SERVICES.
Upon Customers request, Vendor shall train those individual Customer employees and agents designated in writing by Customer on all technical and operational features of the Deliverables, including any features required to operate the Deliverables on a day-to-day basis (collectively, the Training Services). Vendor shall provide sufficient supporting Documentation to enable such Training Services and for an effective knowledge transfer between Vendor and such designated individuals. The Training Services shall be conducted at any Facility selected by Customer, pursuant to the terms of the Work Order and shall be deemed to be Services for purposes of this Agreement.
7. REPORTING; CERTIFICATIONS.
7.1 Reporting. Vendor shall participate in status review meetings as set forth in each Work Order or as requested by Customer. Vendor shall also supply Customer with any other reports specifically set forth in any Work Order. Vendor agrees to provide all such reports and participate in all such meetings at no additional cost to Customer.
8. STAFFING.
8.1 Relationship and Project Managers. During the Term, Vendor will provide (at no additional cost to Customer) a qualified Vendor employee to serve as a relationship manager (Relationship Manager). The Relationship Manager will (a) be the point person in charge of the overall business relationship between Vendor and AIGGS (b) operate as the main interface between AIGGS and Vendor on a national level, and (c) be responsible for all project and metrics performance, company-wide reporting, pricing negotiation and resolution of all related issues. Customer and Vendor shall also each designate an appropriate representative to function as their respective Project Managers for each Work Order. Vendors Project Manager will have responsibility to coordinate and interface its Personnel with Customer and its personnel in a manner reasonable to Customer. Customers Project Manager will be charged with the responsibility of acting as Vendors principal point of
interface with Customer for the Services covered by such Work Order.
8.2 Continuity and Replacement of Personnel. Vendor agrees to use its best efforts to maintain the continuity of Personnel assigned to perform Services. In the event that any Vendor Personnel performing Services hereunder is found to be unacceptable to Customer (including demonstration that he or she is not qualified to perform based on the tier level and experience requested, or has provided false information on his or her resume), Customer shall have the right to notify Vendor of such fact (without waiving any other rights or remedies it may have hereunder) and Vendor shall promptly remove such Vendor Personnel from performing Services under the applicable Work Order and, if requested by Customer, provide a replacement with similar experience, suitable ability and suitable qualifications who is reasonably acceptable to Customer, at no additional cost to Customer. In the event that any anticipated or actual delays in meeting Customers deadlines or scheduled completion dates for work being performed under any Work Order are caused solely by the unacceptable performance of any Vendor Personnel and no other reason such as failure of Customer to perform its obligations under a Work Order in a timely and reasonable manner, Vendor may provide additional temporary Vendor Personnel and at no additional cost to Customer, in order to complete the applicable Services in a timely manner. For any Services performed on a time and materials basis, Vendor will provide immediate written notice to Customer when any Vendor Personnel leaves his or her assignment and will not reinstate such Vendor Personnel in such assignment without Customers prior written consent.
8.3 Personnel Requirements. Prior to any Personnel providing any Services or having any access to Customers Confidential Information, all such Personnel shall execute (a) a Personnel Non-Disclosure & Assignment of Invention Agreement with Vendor, and (b). Customer shall be provided with a copy of such Personnels individual resumes. Any changes to the Personnel Non-Disclosure & Assignment of Invention Agreement shall be approved in writing by Customer. Vendor further understands that (a) proficient verbal and written English language skills are a requirement for provision of the Services and (b) Personnel may be asked to provide Services at facilities owned, operated or used by or on behalf of competitors of Vendor.
8.4 Competitors. For a period [*************] after any individual Personnel ceases performing Services under an applicable Work Order, Vendor shall not, without Customers prior written permission, assign such Personnel to a third party who is in direct competition with both the Customer identified under a specific Work Order and the products and technology of Customer without Customers prior written consent (Competing Company) if such Personnel was (i) substantively exposed to Customers Confidential Information at any time during the performance of the Services; and (b) if such personnel will be assigned to a competitor project that is similar in Business Scope to the Services performed by the Personnel for Customer. Business Scope shall mean a competitor project with competing technologies and products of Customer related to insurance products and services which supports the same line of business as the Customers line of business for which the Services were performed by Vendor pursuant to a Work Order. Prior to Customer granting or denying consent, Vendor shall identify in writing the name of the Personnel, the name of the Competing Company such Personnel is being considered for, and the type of service such Personnel would perform for the Competing Company (Competing Company Notice). Customer shall provide Vendor with its notification of consent or rejection (in writing) within one (1) week of Customers receipt of the Competing Company Notice.
8.5 Communications.
(a) Vendor and Customer shall agree in the Work Order with respect to terms and conditions regarding provisions related to communications, network, hardware, infrastructure, availability, accessibility and related requirements.
(b) Vendor will provide 256 kbps Internet bandwidth on a shared Internet link to set up a site to site VPN or a Customer initiated VPN.
(c) Dedicated data or Internet bandwidth, including associated hardware may also be provided subject to the terms of a Work Order.
8.6 Relationship of the Parties. Vendors relationship with Customer shall be that of an independent contractor and nothing in this Agreement should be construed to create a partnership, joint venture, agency or employer-employee relationship between the parties. Vendor is not the agent of Customer and is not authorized and shall not have any authority to make any representation, contract or commitment on behalf of Customer, or otherwise bind Customer in any respect whatsoever. Further, it is not the intention of this Agreement or of the parties hereto to confer a third party beneficiary right of action upon any third party or entity whatsoever, and
nothing in this Agreement shall be construed to confer upon any third party other than the parties hereto a right of action under this Agreement or in any manner whatsoever. Neither Vendor, Vendor Personnel nor any Vendor agent shall be entitled to any of the benefits Customer may make available to its employees, such as group insurance, profit-sharing or retirement benefits. Vendor shall be solely responsible for all tax returns (and all costs related thereto) required to be filed with or made to any federal, state or local tax authority with respect to Vendors performance of services and receipt of fees under this Agreement. Customer may regularly report amounts paid to Vendor with the Internal Revenue Service as required by law. Because Vendor is an independent contractor, Customer shall not withhold or make payments for social security, make unemployment insurance or disability insurance contributions, or obtain workers compensation insurance on Vendors, nor Vendor Personnels and/or Vendor agents behalf. Vendor shall comply with, and shall accept exclusive liability for non-compliance with, all applicable federal, state and local laws, rules and regulations, including obligations such as payment of all taxes, social security, disability and other contributions based on fees paid to Vendor, its agents or employees under this Agreement. Vendor shall indemnify, hold harmless and defend Customer against any and all such liability, taxes or contributions, including penalties and interest, subject to Customers obligations with respect to indemnification set forth in Section 14.2 (Notice; Cooperation; Settlement) below.
9. CONFIDENTIALITY AND SECURITY.
9.1 Each party, in performing its obligations under this Agreement, may have access to or be exposed to, directly or indirectly, confidential and/or proprietary materials of the other party (Confidential Information). In the case of Customer, Confidential Information shall include all Work Product (excluding Vendor Proprietary Information); all information concerning the operations, affairs, products, marketing, systems, technology, customers, end-users, and businesses, including financial affairs, of Customer and/or any Affiliate, and their respective relations with their customers, employees, agents, and service providers (including customer lists, customer data, transaction information, completed insurance forms, supplier data, know-how, third party software and/or products provided by Customer to Vendor for use by Vendor and information regarding consumer markets); all Client Data (as defined below); and any other proprietary and trade secret information of Customer and/or any Affiliate, whether in oral, graphic, written, electronic or machine-readable form. In the case of Vendor, Confidential Information shall include the Vendor Proprietary Information and other Vendor information designated in writing by Vendor as Confidential Information. For purposes of this Agreement, Client Data shall mean (a) any information from which an individual may be identified; (b) any information concerning an individual that would be considered nonpublic personal information within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) and its implementing regulations, as the same may be amended from time to time; (c) any information regarding Customers (and/or its Affiliates) clients or prospective clients received by Vendor in connection with the performance of its obligations under the Agreement, including (i) an individuals name, address, e-mail address, IP address, telephone number and/or social security number, (ii) the fact that an individual has a relationship with Customer and/or its parent, affiliated or subsidiary companies, (iii) an individuals account information; (iv) any information regarding an individuals medical history or treatment; and (v) any other information of or relating to an individual that is protected from disclosure by applicable Privacy Laws. For purposes of this Agreement, Privacy Laws shall mean any national, federal, state or local laws, rules or regulations of any jurisdiction relating to the nonpublic personal information, including the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and CA SB 1386 regarding privacy, as the same may be amended from time to time. To the extent that there is a conflict between this Section 9 and Section 10 regarding the scope of Vendors confidentiality obligations and/or any applicable confidentiality exclusions with respect to Client Data, the terms and conditions of Section 10 shall govern.
9.2 Exclusions. Except with respect to Client Data, Confidential Information shall not include information which can be demonstrated: (a) to have been rightfully in the possession of the receiving party from a source other than the disclosing party prior to the time of disclosure of said information to the receiving party hereunder (Time of Receipt); (b) to have been in the public domain prior to the Time of Receipt; (c) to have become part of the public domain after the Time of Receipt by a publication or by any other means except an unauthorized act or omission by, or breach of this Agreement on the part of, the receiving party or its employees or agents; or (d) to have been supplied to the receiving party after the Time of Receipt without restriction by a third party who is under no obligation to the disclosing party to maintain such information in confidence. In addition, a recipient may use or disclose Confidential Information to the extent such recipient is legally compelled to disclose such Confidential Information, provided that the recipient shall use reasonable efforts to give advance notice of such compelled disclosure to the disclosing party, and shall cooperate with the disclosing party in connection with any efforts to prevent or limit the scope of such disclosure and/or use of such Confidential Information.
9.3 Restrictions on Use and Disclosure. Each party agrees to hold all Confidential Information of the other party in strict confidence and shall not, without the express prior written permission of a member of the disclosing party authorized by the disclosing party to make such decisions, (a) disclose such Confidential Information to third parties other than a regulatory authority having jurisdiction over the receiving party; or (b) use such Confidential Information for any purposes whatsoever, other than the exercise of its rights or performance of its obligations hereunder. Each party shall disclose the other party's Confidential Information only: (i) to those of its employees and agents who have a need to know such Confidential Information in order to exercise such receiving party's rights or perform such receiving party's obligations pursuant to this Agreement and (ii) to any regulatory authority having jurisdiction over the receiving party. Each party shall use reasonable efforts to assist the other party in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limiting the foregoing, each party shall immediately advise the other party in the event that it learns or has reason to believe that any person who has had access to the Confidential Information of such party has violated or intends to violate the terms of this Agreement, and shall cooperate in seeking injunctive relief against any such person.
9.4 Vendor Personnel. Vendor shall ensure that any Vendor Personnel performing Services hereunder or Vendor agents comply with the provisions of this Section 9 and Section 10 below. Without limiting the foregoing, Vendor shall cause any Vendor Personnel performing Services hereunder or Vendor agents to enter into a written agreement binding such Vendor Personnel and Vendor agents to the provisions of this Section 9 and Section 10 below.
9.5 No Implied Rights. Nothing contained in this Section 9 shall be construed as obligating either party to disclose its Confidential Information to the other party, or as granting to or conferring on either party, whether expressly or by implication, any ownership interest in or any right or license to any Confidential Information of the other party.
9.6 Survival. This Section 9 shall survive termination or expiration of this Agreement for any reason for a period of three (3) years, except with respect to Client Data and trade secrets, as to which the obligations set forth in this Section 9 shall survive indefinitely.
10. CLIENT DATA
Without limitation of the terms and conditions set forth in Section 9, the following terms and conditions shall apply with respect to all Client Data:
10.1 Generally. The parties acknowledge that the Privacy Laws govern disclosures of nonpublic personal information about consumers. Vendor acknowledges that pursuant to the Privacy Laws, Customer is required to obtain certain undertakings from Vendor with regard to the privacy, use and protection of Client Data. Vendor shall protect and keep strictly confidential all Client Data. At any time, upon Customer's request, Vendor shall return to Customer all Client Data in its possession. Customer shall be under no obligation to take any action that, within Customer's judgment, would constitute a violation of the Privacy Laws or its internal privacy policies.
10.2 Vendor Covenants With Respect to Client Data. Notwithstanding any other provision of this Agreement, Vendor covenants that, with respect to any Client Data, Vendor shall: (a) comply with all applicable laws, regulations and best practices regarding data security and privacy in performing the Services and its other obligations hereunder; (b) inform itself regarding, and comply with, Customer's privacy policies and all applicable privacy laws, including the Privacy Laws; (c) keep all Client Data strictly confidential, and not disclose any Client Data to third parties other than a regulatory authority having jurisdiction over the receiving party or use any Client Data except to the extent necessary to perform the Services and in accordance with Customer's privacy policies and all applicable privacy laws, including the Privacy Laws; (d) not disclose any Client Data to any other entity (including Vendor's third party service providers), other than a regulatory authority having jurisdiction over the receiving party, without the prior written consent of Customer and an agreement in writing from such other entity to use or disclose such Client Data only to the extent necessary to carry out Vendor's obligations under this Agreement and for no other purposes; (e) maintain (and require entities approved in accordance with foregoing subsection (d) to maintain) reasonable administrative, technical, and physical safeguards designed to ensure the security and confidentiality of Client Data, protect against any anticipated threats or hazards to the security or integrity of Client Data, and protect against unauthorized access to or use of Client Data that could result in substantial damage to an individual; (f) not make any changes to its security measures that would materially reduce its present coverages; (g) notify Customer immediately in writing when Vendor becomes aware of any material breach of its security safeguards or has reason to believe that Client Data may have been subject to unauthorized disclosure, access, or use, which notification shall include the following information: (i) the nature of the unauthorized disclosure or use; (ii) the Client Data disclosed or used; (iii) the identity of the person(s) or entity(ies) who received the unauthorized disclosure or made the unauthorized use; (iv) what corrective action Vendor took or will take to prevent further unauthorized disclosures or uses; (v) what Vendor did or will do to mitigate any deleterious effect of such unauthorized disclosure or use; and (vi) such other information as Customer may reasonably request; and (h) take all reasonable and appropriate steps, at Vendor's expense, including the provision of notice to affected individuals, to protect Client Data in the event of a failure of Vendor's security safeguards or unauthorized access to Client Data from or through Vendor.
10.3 Unauthorized Use or Disclosure of Client Data. Vendor acknowledges and agrees that any unauthorized use or disclosure of Client Data would cause immediate and irreparable harm to Customer for which money damages would not constitute an adequate remedy, and that in the event of any unauthorized use or disclosure of Client Data, Customer will be entitled to immediate injunctive relief. Notwithstanding any other terms or conditions of this Agreement, in the event that Vendor intentionally and willfully, or due to Vendor's gross negligence, breaches any of its representations, warranties, or obligations under this Section 10, Customer shall be entitled to recover money damages, including special, incidental, punitive or consequential damages, whether based on breach of contract, tort (including negligence), or otherwise; and, if Vendor is found liable for such breach by court of competent jurisdiction or as a result of a settlement, Vendor shall be required to bear all costs of notifying Customer's customers or employees of any unauthorized access to their Client Data. Any breach of this Section 10 shall be deemed a material breach of this Agreement.
10.4 Security. Without limiting any other provisions of this Agreement (including Exhibit C), Vendor shall take reasonable measures intended to protect Customer's Confidential Information, including those set forth in the Security Requirements and Vendor shall provide the following throughout the Term:
(a) if set forth in the applicable Work Order as agreed to by the parties, Customer's Confidential Information shall be logically and physically segregated from Vendor's Confidential Information and from third-party information and materials (including the information and materials of all other clients of Vendor), and that any such separation shall at least be achieved by means of maintaining separate computers and servers for storing, using and accessing Customer's Confidential Information;
(b) The Facilities and any other building(s) in which Vendor keeps any Customer's Confidential Information shall have restricted access twenty (24) hours a day, with detailed and complete access logs maintained and provided to Customer upon written request;
(c) Electronic and physical access to Customer's Confidential Information shall be restricted to persons authorized in writing by Customer to access and use such Confidential Information, and detailed and complete access logs shall be maintained and provided to Customer upon written request; and
(d) If agreed upon in a Work Order, the network connections between Customer and Vendor shall be separated by a firewall such that the firewall precludes unauthorized access to Customer's network, and Vendor access will be limited to systems and data that Vendor requires for the completion of the applicable Services.
11. INTELLECTUAL PROPERTY RIGHTS.
11.1 Assignment. Vendor agrees that any and all Deliverables shall, upon creation and payment, be considered work made for hire within the meaning of the Copyright Act of 1976, as amended (Act), of which Customer is the author within the meaning of such Act. To the extent that any Deliverables may not be considered work made for hire, Vendor, upon payment for such Deliverable, hereby irrevocably assigns and agrees to assign to Customer all right, title and interest worldwide in and to the Deliverables in perpetuity (whether currently existing or conceived, created or otherwise developed later), including all copyrights, trademarks, trade secrets, patents, industrial rights and all other intellectual and proprietary rights related thereto (the Proprietary Rights), effective immediately upon the inception, conception, creation or development thereof and for no further consideration (Assignment). The Proprietary Rights shall include all rights, whether existing now or in the future, whether statutory or common law, in any jurisdiction in the world, related to the Deliverables, together with all national, foreign and state registrations, applications for registration and all renewals and extensions thereof (including any continuations, continuations-in-part, divisionals, reissues, substitutions and reexaminations); all goodwill associated therewith; and all benefits, privileges, causes of action and remedies relating to any of the foregoing, whether before or hereafter accrued (including the exclusive rights to apply for and maintain all such registrations, renewals and extensions; to sue for all past, present and future infringements or other violations of any rights relating thereto; and to settle and retain proceeds from any such actions). Except as may be set forth in the applicable Work Order or otherwise agreed to in writing by the parties, Vendor retains no rights to use the Deliverables and agrees not to challenge the validity of Customer's ownership in the Deliverables. The Assignment shall not lapse under any circumstances, including any failure of Customer to exercise any of its rights under the Assignment for any period, which includes Customer not making use of the Deliverables for any period.
11.2 License; Waiver of Rights. To the extent, if any, that any Deliverables or Proprietary Rights are not assignable or that Vendor retains any right, title or interest in and to any Deliverables or any Proprietary Rights, Vendor (a) unconditionally and irrevocably waives the enforcement of such rights, and all claims and causes of action of any kind against Customer with respect to such rights; (b) agrees, at Customer's request and expense, to consent to and join in any action to enforce such rights; and (c) hereby grants to Customer a perpetual, irrevocable, fully paid-up, royalty-free, transferable, sublicensable (through multiple levels of sublicenses), exclusive, worldwide right and license to use, reproduce, distribute, display and perform (whether publicly or otherwise), prepare derivative works of and otherwise modify, make, have made, sell, offer to sell, import and otherwise use and exploit (and have others exercise such rights on behalf of Customer) all or any portion of such Deliverables in any form or media (now known or later developed). The foregoing license includes the right to make any modifications to such Deliverables regardless of the effect of such modifications on the integrity of such Deliverables, and to identify Vendor, or not to identify Vendor, as one or more authors of or contributors to such Deliverables or any portion thereof, whether or not such Deliverables or any portion thereof have been modified. Vendor further irrevocably waives any moral rights or other rights with respect to attribution of authorship or integrity of such Deliverables that Vendor may have under any applicable law under any legal theory. Vendor hereby waives and quitclaims to Customer any and all claims, of any nature whatsoever, which Vendor now or may hereafter have for infringement of any Deliverables or Proprietary Rights assigned and/or licensed hereunder to Customer.
11.3 Background Technology, Third Party Technology and Vendor Proprietary Information.
(a) The assignment obligations in Section 11.1 (Assignment) above shall not apply to: (i) any Background Technology; or (ii) any Third Party Technology.
(b) Vendor represents and warrants that each applicable Work Order contains a complete list of all Background Technology and Third Party Technology (if any) that Vendor intends to use in connection with the provision of the Services thereunder, or that are or shall be incorporated into, or that are necessary or desirable for the use and exploitation of, any Deliverables provided thereunder.
(c) To the extent that the provision of the Services, or the use or exploitation of any Deliverables, requires the use or incorporation of any Background Technology, Third Party Technology or any other confidential or proprietary information or materials of Vendor or any third party (Vendor Proprietary Information), Vendor shall (i) obtain the prior written authorization of Customer for the use or incorporation thereof, and (ii) at Customer's request, provide Customer with copies of any such Background Technology, Third Party Technology and/or Vendor Proprietary Information.
(d) All Vendor Proprietary Information shall be marked confidential or proprietary, or, if disclosed orally or in any other intangible form, shall be summarized in writing within fifteen (15) days after such disclosure. Vendor shall notify Customer in writing before Vendor uses or incorporates, or makes any disclosure to or performs any work on behalf of Customer that appears to conflict with proprietary rights which Vendor or any third party claims in, any Background Technology, Third Party Technology or Vendor Proprietary Information. If Vendor fails to obtain such authorization or give such notice, Vendor agrees that it shall make no claim against Customer with respect to any such Background Technology, Third Party Technology or Vendor Proprietary Information and shall indemnify, defend and hold harmless Customer from any third party claim relating to any such Background Technology, Third Party Technology or Vendor Proprietary Information.
(e) Unless otherwise expressly set forth in a Work Order or otherwise agreed to by the parties in writing, to the extent any Background Technology, Third Party Technology and/or Vendor Proprietary Information is incorporated into or otherwise included in, or is necessary or desirable for the use or exploitation of, any Deliverables, Vendor hereby grants to Customer a perpetual, irrevocable, fully paid-up, royalty-free, transferable, sublicensable (through multiple levels of sublicensees), exclusive, worldwide right and license to use, reproduce, distribute, display and perform (whether publicly or otherwise), prepare derivative works of and otherwise modify, make, have made, sell, offer to sell, import and otherwise use and exploit (and have others exercise such rights on behalf of Customer) all or any portion of such Background Technology, Third Party Technology and/or Vendor Proprietary Information in connection with developing, enhancing, marketing, distributing or providing, maintaining or supporting, or otherwise using or exploiting Customer products and services in any form or media (now known or later developed), without any obligation to account to Vendor or any third party.
11.4 Assistance.
(a) Vendor agrees to cooperate with Customer or its designee(s), at Customer's expense, both during and after the Term, in applying for, obtaining, perfecting, evidencing, sustaining and enforcing Customer's Proprietary Rights in the Deliverables, including executing such written instruments as may be prepared by Customer and doing such other acts as may be necessary in the opinion of Customer to obtain a patent, register a copyright, or otherwise enforce Customer's rights in such Deliverables.
(b) For the purpose described in Section 10.4(a) above, Vendor hereby irrevocably appoints Customer and any of its officers and agents as its attorney-in-fact to act for and on Vendor's behalf and instead of Vendor, with the same legal force and effect as if such acts were executed by Vendor.
12. TERM; TERMINATION.
12.1 Term. This Agreement shall commence on the Effective Date and continue until the earlier of (a) the end of the term, if any, set forth in the last Work Order, or (b) termination by either party in accordance with this Agreement (the Term).
12.2 Termination for Convenience. Customer may terminate this Agreement and/or any Work Order, in whole or in part, for convenience, with or without cause, at any time upon ten (10) days' written notice to Vendor, and agrees to pay Vendor (in accordance with Section 4.3 (Payment; Expenses)) for the Services actually received by Customer prior to the effective date of termination.
12.3 Termination for Cause.
(a) If either party materially defaults in any of its obligations under this Agreement, the non-defaulting party, at its option shall have the right to terminate this Agreement by written notice unless the defaulting party remedies the default within thirty (30) days after receipt of written notice of such default.
(b) In the event that Vendor does not meet or exceed the performance standards set forth in the Performance Requirements, or as otherwise established from time to time by Customer, in any four (4) months in any one year period, Customer shall also have the right to terminate this Agreement immediately without any right to cure.
(c) In addition, Customer may terminate this Agreement immediately (without any right to cure) for any breach by Vendor of Section 9 (Confidentiality and Security), Section 10 (Client Data) or the Security Requirements.
12.4 Effect of Termination. Upon the effective date of any termination or expiration of this Agreement or any Work Order for any reason:
(a) Vendor shall immediately cease performing any Services under this Agreement;
(b) Customer agrees to pay Vendor, in accordance with Section 4 (Pricing and Payment), all fees and expenses with respect to Services actually rendered prior to the effective date of termination.
(c) Vendor shall (i) upon full payment to Vendor of all fees and expenses due prior to termination, deliver to Customer a copy of all Deliverables, whether complete or incomplete as of such date; (ii) destroy or erase, and cause all Vendor Subcontractors to destroy or erase, all copies of Customer Confidential Information in Vendor's or Vendor Subcontractors' care, custody or control; (iii) provide Customer with a certification, by an officer of Vendor, of such destruction or erasure; and (iv) provide Customer with hard copies and electronic copies of all plans, manuals, procedures and policies used by Vendor or Vendor Subcontractors in connection with providing the Deliverables and Services hereunder; and
(d) Customer shall not be required to make or be liable for any payments to Vendor that would have otherwise accrued after effective date of termination or expiration of this Agreement and/or any Work Order.
12.5 Survival. This Section 12.5 (Survival) and Sections 1 (Definitions), 3.4 (Responsibility), 4 (Pricing and Payment), 8.4 (Competitors), 9 (Confidentiality and Security), 11 (Intellectual Property Rights), 12.4 (Effect of Termination), 12.6 (Rights on Termination), 12.7 (Termination Assistance), 13 (Warranties), 14 (Indemnification), 15 (Limitation of Liability), 16 (Non-Solicitation), 18 (Record Retention and Audit), 20 (Insurance) and 21 (General Provisions) shall survive any termination or expiration of this Agreement. Termination of this Agreement by either party shall not act as a waiver of any breach of this Agreement and shall not act as a release of either party from any liability for breach of such party's obligations under this Agreement.
12.6 Rights on Termination. Neither party shall be liable to the other for damages of any kind solely as a result of terminating this Agreement in accordance with its terms, and termination of this Agreement by a party shall be without prejudice to any rights, remedies or liabilities (including the right to claim damages) of such party under this Agreement or applicable law.
12.7 Termination Assistance. As part of the Services, Termination Assistance shall be provided to Customer at the then prevailing rates (as adjusted pursuant to any terms in the applicable Work Order or this Agreement, as the case may be), in accordance with the following terms and conditions:
(a) Generally. At Customer's request, during Termination Assistance Period, Vendor shall provide Customer and its designee(s) with reasonable termination assistance requested by Customer to allow the services provided pursuant to this Agreement (including the Services) to continue without material interruption or material adverse effect on the business operations of AIGGS or any Affiliate following any expiration or termination of this Agreement, and to facilitate the transfer of such services (and any Deliverables being created in connection with such services) to Customer or its designee(s) (such assistance, the Termination Assistance). Vendor shall provide such Termination Assistance in accordance with this Section 12.7(a), even in the event Vendor has terminated this Agreement for cause provided that Customer is current with respect to any outstanding payments, fees and expenses due or owing hereunder.
(b) Charges. All Termination Assistance shall be billed to Customer at the rates set forth in the applicable Work Order at the time of termination (as adjusted pursuant to any terms in the applicable Work Order).
(c) Termination Assistance Services. All Termination Assistance shall be provided subject to the terms and conditions generally governing Vendor's provision of the Services hereunder. Vendor shall perform all Termination Assistance with at least the same degree of performance, timeliness, accuracy, quality, completeness, responsiveness, and resource efficiency with which Vendor provided and was required to provide the Services. After the expiration of the Termination Assistance Period, Vendor shall answer questions from and reasonably cooperate with Customer regarding the Services on an as needed basis, at the rates set forth in applicable Work Order. Without limiting the generality of the foregoing, Termination Assistance shall include the following:
(i) Within fifteen (15) days after the commencement of the Termination Assistance Period, Vendor shall provide Customer with (a) a detailed written description of all Services provided pursuant to this Agreement, including: (i) a description of staffing levels and Vendor's structure/organization used to provide such Services; (ii) a detailed list of all support and development software and tools used in performing such Services; and (iii) a complete plan for know-how and knowledge transfer that enables a smooth transition of the functions performed by Vendor, including development of Deliverables, and all other Services hereunder, to Customer and its designee(s) (such plan, the Turnover Plan). The Turnover Plan shall be deemed Customer's Confidential Information and sole property. Upon Customer's approval of the Turnover Plan, Vendor shall provide all further Termination Assistance in accordance with such Turnover Plan. No provision of Termination Assistance shall be deemed complete hereunder until the Customer Project Manager confirms in writing that all tasks and Deliverables set forth in the applicable Turnover Plan have been completed and delivered.
(ii) Vendor shall provide sufficient Personnel with current knowledge of the Deliverables, the Services, and this Agreement, to work with the appropriate staff of Customer and, if applicable, its designee(s), to provide any Termination Assistance and to define the specifications for turnover in a manner consistent with the applicable Turnover Plan. Vendor shall cooperate with Customer and its designees in transitioning any functions performed by Vendor or any Vendor Subcontractor under this Agreement in the same manner as described in Section 3 (Performance of Services by Subcontractors) for third parties performing any of the Services.
(iii) Vendor shall promptly cooperate with Customer and its designees, and provide Customer and its designees, with any information necessary to effectuate a smooth transfer of the functions performed under this Agreement.
(iv) Vendor shall use its best efforts to obtain any rights necessary to make available to Customer and its designees and shall make available to Customer and its designees pursuant to reasonable terms and conditions, any third party materials or services then being used by Vendor or Vendor Subcontractors in performing Services (including services being provided through third party service or maintenance contracts).
13. WARRANTIES.
13.1 Vendor Representations and Warranties. Vendor represents, warrants and covenants to AIGGS that:
Vendor represents, warrants and covenants to Customer that: (a) Vendor has the full power and authority to enter into this Agreement and to perform its obligations hereunder, without the need for any consents, approvals or immunities not yet obtained; (b) Vendor's execution of and performance under this Agreement shall not breach any oral or written agreement with any third party or any obligation owed by Vendor to any third party to keep any information or materials in confidence or in trust; (c) the Services and Deliverables shall be free from material errors, bugs, or other material defects and shall substantially conform to any written specifications for such Services and/or Deliverables as agreed upon by the parties in writing as part of a Work Order or as set forth or referenced in any applicable Work Order for [*************] (or such other period as agreed to the parties in writing) following acceptance of such Services or Deliverables in accordance with Section 5 (Acceptance) (Warranty Period); (d) the Services shall be performed in a professional and timely manner consistent with the generally accepted industry standards; (e) any Vendor Personnel performing Services shall be qualified to perform such Services, have appropriate experience, education and training to perform such Services and be familiar with the technology, processes and procedures used to provide such Services; (f) subject to the IP Exceptions (as defined below) and Section 14 below, including Section 14.3, the Work Product (excluding any third party software) shall be the original work of Vendor, and each Vendor Personnel or other person involved in the development of Work Product has executed (or prior to any such involvement, shall have executed) a written agreement with Vendor in which such person (i) assigns to Vendor all right, title and interest in and to the Work Product in order that Vendor may fully grant the rights and assignments to Customer as provided herein and (ii) agrees to be bound by confidentiality and non-disclosure obligations no less restrictive than those set forth in this Agreement; (g) subject to the IP Exceptions (as defined below) and Section 14 below, Vendor has the right to grant the rights and assignments granted herein, without the need for any assignments, releases, consents, approvals, immunities or other rights not yet obtained; (h) subject to the IP Exceptions (as defined below) and Section 14 below, the Services and Deliverables (excluding any third party software) (and the exercise of the rights granted herein with respect thereto) do not and shall not infringe, misappropriate or violate any patent, copyright, trademark, trade secret, publicity, privacy or other intellectual property or other rights of any third party, and are not and shall not be defamatory or obscene; (i) the Services and Deliverables shall be free from any viruses, worms, Trojan horses or other harmful or malicious code or components, and free from any self-help code or other disabling code; (j) subject to the IP Exceptions (as defined below) and Section 14 below, neither the Deliverables nor any element thereof shall be subject to any restrictions or to any mortgages, liens, pledges, security interests, encumbrances or encroachments; (k) Vendor shall comply with all applicable laws and regulations; (l) if a Deliverable will contain any open source code, Vendor will identify such open source code in the applicable Work Order or Change Order and will attach a copy of the license to such open source code to the Work Order or Change Order, as the case may be; and (m) Vendor shall comply with Section 13 (Client Data) below.
Notwithstanding anything to the contrary, If Customer notifies Vendor in writing of a breach of the warranty in Section 13.1(c) within the Warranty Period, Vendor shall promptly correct and repair (at
no cost to Customer) any such non-compliance that prevents such Service from conforming and performing as warranted immediately above. Notwithstanding the foregoing, Vendor's obligations under this Section 13.1 (c) shall not apply to the extent that the defect, Error or Bug or non-conformance with the specifications or warranty, is caused by (i) modifications or customization of the Deliverables which are not created, authorized in writing, or directed in writing by Vendor, but only to the extent that such modifications, customization caused the non-compliance; (ii) Customer's hardware malfunction, but only to the extent that such hardware malfunction caused the non-compliance, (iii) third party software not licensed through Vendor and/or incorporated by Vendor into the Deliverable, but only to the extent that such third party software caused the non-compliance, or (iv) the installation of the Deliverable in a hardware or operating environment expressly prohibited by the applicable Work Order. For purposes of this Section, Error or Bug shall mean any error or defect in the Services (or Deliverables) in which the Services (or Deliverables) fail to operate in conformity with the Specifications which were tested as part of, and as a condition to, Acceptance testing and Acceptance.
13.2 Disclaimer. EXCEPT AS SET FORTH IN THIS SECTION 13 OR AS OTHERWISE EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER PARTY MAKES, AND EACH PARTY HEREBY DISCLAIMS, ANY OTHER REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
13.3 Customer Representations and Warranties. Customer hereby represents and warrants to Vendor that (a) Customer is a corporation duly organized, validly existing and in good standing under the laws of its state of incorporation; and (b) Customer has full power and authority to enter into and perform this Agreement and to perform its obligations hereunder, without the need for any consents, approvals or immunities not yet obtained, including, without limitation, the right to license or sublicense any intellectual property (i.e., software and software licenses) which is provided by Customer to Vendor for its use in connection with the performance of Vendor's obligations under this Agreement or any Work Order hereunder.
13.4 Foreign Corrupt Practices Act. Intentionally Deleted.
14. INDEMNIFICATION.
14.1 General Indemnity. Vendor shall indemnify, hold harmless, and defend AIGGS, its Affiliates, and its and their officers, directors, employees, agents, successors, assigns, and subcontractors (each, an Indemnified Party) from and against any and all third party claims, losses, liabilities, damages, settlements, expenses and costs (including attorneys fees and court costs) (Losses) and any and all threatened third party claims, Losses proximately caused by any of the following:
(a) any breach (or claim or threat thereof that, if true, would be a breach) of Section 13 (a), (b), (f), (g), (h), (i), (k) in this Agreement by Vendor;
(b) Subject to Section 14.3, the Deliverables excluding any modifications made to the Code of any Deliverables which are not created, authorized, by Vendor and excluding any third party software for which Customer has purchased, or is obligated to purchase, a license for inclusion in any such Deliverable under the terms of a Work Order) or any Use thereof, constituting an infringement of any intellectual property rights or other rights of any third party (excluding, however, any claim of infringement based solely on the combination of the Deliverables with software or equipment not provided by Vendor or not specified by Vendor for use with the Deliverables and those exceptions to infringement in Section 14.3);
(c) the gross negligence or willful misconduct of Vendor or any Vendor agent (including any Vendor Subcontractor) related to the performance of the Services hereunder;
(d) any breach of Section 9 (Confidentiality and Security) or Exhibit C hereof or any misuse or unauthorized disclosure of Customer Data or any violation of any Privacy Laws, in either event, arising from or related to the grossly negligent acts or gross negligent omissions of Vendor or any Vendor agent (including any Vendor Subcontractor);
(e) any benefits, taxes, or payments owed by Vendor to its Personnel or any third party;
(f) any claim by the United States Internal Revenue Service or other domestic or foreign taxing authority that Vendor and/or its Personnel or agents are not independent contractors hereunder;
(g) any Security Incident, Remedial Action (as defined in Exhibit C) taken by Customer as the result of a Security Incident or Info-Sec Risk Increase; and any other costs incurred by Customer with respect to Customers rights in Exhibit C (each as defined in Exhibit C). Vendor shall be fully responsible for, and shall pay, all costs and expenses incurred by Vendor or Vendor Personnel with under this Agreement, including Exhibit C;
(h) any claims based on allegations of personal injury or property damage caused by the gross negligent acts or grossly negligent omissions of Vendor or its agents (including Vendor Subcontractors) in connection with the performance of this Agreement.
Vendor will pay any and Losses with respect to any claim or allegation covered under this Section 14 finally awarded against the indemnified party to such third party by a court of competent jurisdiction after all appeals have been exhausted or at the time of a final settlement of such claims or final award, if applicable
14.2 Notice; Cooperation; Settlement. Customer shall notify Vendor promptly of any claim or liability for which indemnification is sought (each a Claim), provided that the failure to give such notice shall not relieve Vendor of its obligations hereunder except to the extent that Vendor was actually and materially prejudiced by such failure. Vendor shall have sole control and defense of any such claim hereunder but Customer may, at its sole option and expense, participate in the defense of any Claim that is conducted and controlled by the Vendor as set forth herein. Customer shall provide reasonable cooperation, upon request of Vendor, with Vendor in the defense and settlement of any such claim and Vendor may not settle any Claim without the prior written approval of Customer.
14.3 Infringement. If any Deliverable becomes, or in Vendors reasonable opinion is likely to become, the subject of any claim or action for infringement, then Vendor shall have the right at its discretion and expense either to: (a) procure for Customer the right to continue to use and exploit such Deliverables in the manner as contemplated in this Agreement; or (b) modify such Deliverables to render them non-infringing, provided that such modification does not adversely affect Customers use or exploitation thereof, or any other Customer rights as contemplated hereunder. If neither of these remedies are reasonably available to Vendor, Vendor may require Customer to cease using the infringing Deliverable and Vendor will issue Customer a pro-rated refund based on a 5 year amortization schedule for the infringing Deliverable. Vendor shall have no liability for any infringement caused, to the extent caused by one or more of the following (each, an IP Exception): (i) any alteration or modification of any Deliverable not provided or authorized by Vendor in writing, if the infringement would not have occurred but for the alteration or modification by a party other than Vendor; (ii) use of the Deliverable in combination with other programs or data not reasonably intended or foreseeable by the parties to be used with the Deliverable(s), if the infringement would not have occurred but for the use in combination with such programs or data; (iii) use of the Deliverable in a way reasonably intended or foreseeable under the applicable documentation and/or Work Order, if the infringement would not have occurred but for such use; (iv) Vendors compliance with Customers designs, specifications or instructions, except in the case of copyright infringement or misappropriation or (v) any Customer-provided intellectual property if the infringement would not have occurred but for the Customer intellectual property.
The foregoing remedy shall be cumulative and in addition to, and not in lieu of, any other remedies available to Customer, whether pursuant to this Agreement or otherwise and whether at law, in equity, or otherwise.
15. LIMITATION OF LIABILITY.
15.1 EXCEPT AS SET FORTH IN SECTION 15.2 BELOW, TO THE EXTENT PERMITTED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES SHALL EITHER PARTYS AGGREGATE LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY ARISING FROM OR OUT OF OR RELATING TO THIS AGREEMENT EXCEED [**************]. EXCEPT AS SET FORTH IN SECTION 15.2 BELOW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR LOST PROFITS OR FOR ANY SPECIAL, INCIDENTAL, INDIRECT, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR IN ANY MANNER RELATED TO THIS AGREEMENT OR THE SUBJECT MATTER HEREOF, REGARDLESS OF THE FORM OF ACTION AND WHETHER OR NOT SUCH OTHER PARTY OR THIRD PARTY HAS BEEN INFORMED OF, OR OTHERWISE MIGHT HAVE ANTICIPATED, THE POSSIBILITY OF
SUCH DAMAGES.
15.2 THE LIMITATIONS OF LIABILITY SET FORTH IN SECTION 15.1 ABOVE SHALL NOT APPLY TO OR COVER: (A) VENDORS OBLIGATIONS PURSUANT TO [**********]; (B) ANY BREACH BY VENDOR OF ITS OBLIGATIONS SET FORTH IN [********]; OR (C) ANY COSTS, DAMAGES, EXPENSES, INTEREST, PENALTIES, FINES, OR REASONABLE LOSSES OF REVENUE INCURRED AS A RESULT OF VENDORS OR VENDORS AGENTS (INCLUDING ANY VENDOR SUBCONTRACTORS) [********] OR [********] IN CONNECTION WITH THE [*********] WHICH ARE THE PROXIMATE CAUSE OF DAMAGE TO CUSTOMER.
16. NON-SOLICITATION.
Each party acknowledges that the other party's employees and contractors are valuable business assets, and agrees not to (for itself or for any third party) offer employment to or otherwise hire, engage the services of, solicit or induce the termination of employment or services of, any employee or contractor of the other party (or any Affiliate thereof) engaged in providing services under this Agreement or otherwise introduced to the party as part of the engagement hereunder; and such obligations shall apply during the Term or for a period of one (1) year after such employee terminates his or her employment or service relationship with the other party, whichever occurs earlier, unless the other party gives its express consent thereto in writing. Nothing in this Section 16 shall or shall be construed to prohibit either party from hiring an employee of the other party or an affiliate of such other party who has responded to a general solicitation of employment not specifically directed at that employee. The restrictions hereunder apply to current employees of a party and those within the preceding year of such termination (as well as employees of or any subsidiary or affiliate of a party hereto).
17. INTENTIONALLY DELETED
18. RECORD RETENTION AND AUDIT.
18.1 Record Retention. Vendor shall be required to adhere to Customers record retention policy as it relates to this Agreement, as such policy may be adjusted from time to time in Customers discretion and provided to Vendor. Until the later of (a) seven (7) years after termination or expiration of this Agreement, (b) all pending matters relating to this Agreement (including disputes) have been fully resolved, or (c) receipt of written notice from Customer that Vendor is no longer required to adhere to Customers record retention policy, Vendor shall maintain and provide Customer with access upon request to all records, documents, and other information solely required to support Customers audit rights under this Agreement, including records documenting access to Customers Confidential Information, any fees paid or to be paid hereunder for Deliverables, Services, or otherwise, and any related credits or reimbursements (the foregoing, collectively, the Records).
18.2 Operational and Security Audits. Vendor, subject to confidentiality obligations, shall provide to such auditors (including third-party auditors and the internal audit staff of AIGGS and/or its Affiliates), as Customer may designate in writing, access at all times to any facility at which the Services are being performed, to Vendor and Personnel, and to the data and records maintained by Vendor with respect to the Services, for the purposes of: (a) performing audits and inspections of Vendor, Vendor Subcontractors, and their respective businesses as they relate to the Deliverables and Services (including any audits necessary to enable Customer to meet its applicable regulatory requirements); and (b) confirming that the Deliverables and Services are being provided in accordance with this Agreement, including any applicable service level agreements and security policies. To the extent applicable to the Deliverables or Services, the scope of such audits may include: (i) Vendors practices and procedures; (ii) the adequacy of general controls (e.g., organizational controls, input/output controls, system modification controls, processing controls, system design controls, and access controls) and security practices and procedures; (iii) the efficiency of and costs to Vendor in performing the Services; and (iv) the adequacy of disaster recovery and back-up procedures.
18.3 Financial Audits. Vendor shall provide to such auditors (including third-party auditors and Customers internal audit staff), as Customer may designate in writing, access at all times to the Records for purposes of confirming the accuracy and correct calculation of any fees to be paid by Customer hereunder and any other charges, credits, or fees related to this Agreement. In the event any such audit reveals an overcharge by Vendor, Vendor shall promptly pay to Customer the amount of such overcharge, together with interest from the date of Vendors receipt of such overcharge at the rate of one and one half percent (1.5%) per year or the highest rate permitted by applicable law. Any audits described in this Section 18.3 shall be conducted at Customers expense; provided that, if any such audit reveals an overcharge of more than five percent (5%) in any category of fees or
other charges, Vendor shall promptly reimburse Customer for the actual cost of such audit.
18.4 Federal Regulatory Audits. Vendor acknowledges that under the Bank Service Corporation Act (12 U.S.C. § 1861 et seq.) and other Laws applicable to Customer, in performing the Services contemplated under this Agreement, Vendor may be subject to examination by Governmental Authorities including United States Federal supervisory agencies. Vendor shall submit to, and cooperate fully with, any such examination. Subject to Customer's prior approval, Vendor shall promptly address and implement all recommendations for improvements resulting from such examinations.
18.5 Audit Follow-up. Following any audit or examination performed hereunder, Customer may conduct, or may request its external auditors or examiners to conduct, an exit conference with Vendor to obtain factual concurrence with issues identified in the review. Vendor shall promptly make available to Customer the results of any review or audit conducted by Vendor, its affiliates, or their respective contractors, agents, or representatives (including internal and external auditors), relating to Vendor's operating practices and procedures to the extent relevant to the Deliverables, Services or Customer.
18.6 General Principles Regarding Audits. Vendor shall make available on a timely basis any information reasonably required to conduct an audit hereunder, subject to confidentiality or proprietary information considerations, and shall assist Customer and its auditors and other designees with such audits as necessary. Customer shall use reasonable efforts to require third-party auditors to enter into confidentiality and non-disclosure agreements and comply with reasonable security and confidentiality requirements that Vendor may reasonably request in connection with such audits.
19. FORCE MAJEURE.
Neither party will be liable for any delay or failure to perform due to causes beyond its reasonable control and without its fault or negligence, provided, however, that the party whose performance is affected shall provide prompt written notice of such cause to the other party, and further provided that if such cause continues to prevent or delay performance for more than sixty (60) days, the other party, in its discretion, may terminate the applicable Service, the applicable Work Order and/or this Agreement, effective immediately upon written notice to the non-performing party.
Notwithstanding anything to the contrary herein, the occurrence of a Force Majeure event does not excuse, limit or otherwise affect Vendor's obligation to perform the disaster recovery services described in a Disaster Recovery Plan and Section 2.4 (Disaster Recovery Requirements) and/or Vendor's own standard recovery and business continuity procedures.
20. INSURANCE.
20.1 Coverage. Vendor shall, throughout the Term and at its own expense, have and maintain in force at least the following insurance coverages:
20.2 Coverage. During the term of this Agreement Vendor and its sub-contractors of any tier shall at the minimum obtain and maintain, without interruption, the coverages stipulated hereunder.
(a) Automobile Liability
Form - Comprehensive Automobile Liability, including all owned, non-owned, and hired autos.
Limit - $1,000,000 Combined Single Limit for bodily injury and property damage liability.
(b) General Liability
Form - Comprehensive Commercial Liability, including: Premises and Operations, Independent Contractors, C.G.L. Broad Form endorsement, Personal Injury, Contractual Liability, Products/Completed Operations.
Limit - $2,000,000 per occurrence Combined Single Limit for bodily injury and property damage liability.
(c) Workers' Compensation
Form - Providing coverage to all employees in all states where operations will be performed.
Limit - As mandated under the Workers' Compensation laws of the state or Federal body having jurisdiction over the location of the project or operation.
Employer's Liability - $100,000 limit.
(d) Professional Liability - $5,000,000 each occurrence and in the aggregate.
20.3 Insurance Companies. All insurance required shall be carried with responsible insurance companies of recognized standing, and licensed to do business in the subject state, and having a rating of at least A+ in Best's Key Rating Guide.
20.4 Non-Limitation of Insurance. It is understood that the above may not be all the types of insurance normally carried by contractors in similar operation or size for their commercial activities. Therefore, compliance with any of the types and limits of insurance stipulated in this Section 20 will not in itself be construed to limit any liability of Vendor, any Vendor Personnel or any Vendor agents. Vendor's obligation to maintain the insurance coverages stipulated in this Section 20 shall be in addition to, and not in lieu of, Vendor's other obligations hereunder, and Vendor's liability to Customer shall not be limited to the amount of coverage required hereunder.
20.5 Contravention of Insurance. Vendor will not intentionally do anything on or about Customer's premises that will contravene or impair any policies of insurance that may be carried by Customer against loss, damage or destruction by fire, casualty, public liability, or otherwise.
20.6 Evidence of Insurance. Vendor shall deliver to Customer certificates of insurance as evidence of the insurance and limits stipulated above, with provisions for not less than thirty (30) days prior written notice to Customer in the event of cancellation of such insurance.
21. GENERAL PROVISIONS.
21.1 Assignment. Vendor acknowledges that AIGGS has entered into this Agreement on the basis of the particular abilities of Vendor. Accordingly, AIGGS shall be entitled to assign, sell, transfer, delegate or otherwise dispose of, whether voluntarily or involuntarily, by operation of law or otherwise, this Agreement and any of its rights or obligations of this Agreement, but Vendor shall not and shall not have the right to assign, sell, transfer, delegate or otherwise dispose of, whether voluntarily or involuntarily, by operation of law or otherwise, this Agreement or any of its rights or obligations under this Agreement without the prior written consent of AIGGS, which consent shall not be withheld unreasonably. Any purported assignment, transfer or delegation by Vendor shall be null and void. Subject to the foregoing, this Agreement shall be binding upon and shall inure to the benefit of the parties and their respective successors and permitted assigns.
21.2 Compliance. Vendor hereby represents, warrants and covenants to Customer that Vendor shall comply with and be responsible, at its expense, for its compliance with all applicable laws, rules and regulations, including Privacy Laws and all United States laws, rules and regulations regarding licensing, import/export, data flows and technology transfers, and immigration matters required to provide the Services. Vendor will, at Customers written request, furnish reasonable documentation of compliance in the matters set forth above within a commercially reasonable period of time after such request.
21.3 Entire Agreement. This Agreement (which includes any Work Orders, Change Orders or Exhibits referred to herein and attached hereto, each of which is incorporated in this Agreement for all purposes) constitutes the agreement between the parties with respect to the subject matter of this Agreement and there are no representations, understandings or agreements (except for any confidentiality agreement executed by the parties) relating to this Agreement which are not fully expressed herein. No change or amendment hereof shall be valid unless in writing and signed by an authorized representative of the party against which such change or amendment is sought to be enforced. This Agreement specifically supersedes in its entirety the Professional Services Agreement entered into on June 11, 2007 by and between Vendor and American International Underwriters Corp., as assigned to AIGGS.
21.4 Dispute Resolution. In the event of a dispute between the parties under or concerning this Agreement (a Dispute), either party may provide notice of such Dispute to the other party, and on receipt of such notice the parties will engage in the following informal dispute resolution procedure: (a) during the five (5) day period following receipt of such a notice by either party, the Project Managers of both parties will discuss and diligently endeavor to resolve the Dispute in good faith; (b) if the Project Managers of both parties are unable to resolve the Dispute to both parties' satisfaction within such five (5) day period, the Dispute shall be referred immediately to the divisional Chief Information Officer or Chief Operation Officer of the Customer or the Customer Affiliate receiving the Services, as the case may be and, in the case of Vendor, the executive at a vice president level or higher responsible for Customer's account (the Customer Chief Information Officer/Chief Operation
Officer and the Vendor executive, collectively, the Senior Executives), for resolution, and during the immediately subsequent three (3) day period, the Senior Executives of both parties will discuss and diligently endeavor to resolve the Dispute in good faith; and (c) if the Senior Executives of both parties are unable to resolve the Dispute to both parties' satisfaction within such three (3) day period, the Dispute may be litigated in accordance with Section 19 (Governing Law; Venue) of this Agreement. Notwithstanding any other provision of this Section 21.4 (Dispute Resolution), at any time Customer may file suit in accordance with Section 21.5 (Governing Law) to have the Dispute adjudicated in a court of competent jurisdiction.
21.5 Governing Law. This Agreement is to be construed in accordance with and governed by the internal laws of the State of New York (as permitted by Section 5-1401 of the New York General Obligations Law or any similar successor provision), without giving effect to any choice of law rule that would cause the application of the laws of any jurisdiction other than the internal laws of the State of New York to the rights and duties of the parties. Any legal suit, action or proceeding arising out of or relating to this Agreement shall be commenced in a federal court in the Southern District of New York or in state court in the County of New York, New York, and each party hereto irrevocably submits to the exclusive jurisdiction and venue of any such court in any
21.6 Publicity/Media Releases. Vendor shall not use the name, logos or trademarks of Customer and/or its Affiliates in promotional and marketing material or publicity releases, without the prior written consent of Customers Vice President, Global IT Procurement. In the event that Customer provides such written consent, all media releases, public announcements and public disclosures by Vendor or any Vendor Personnel relating to this Agreement, the subject matter hereof or the Services rendered hereunder, including promotional or marketing material (but not including any announcement intended solely for internal distribution at Vendor, as the case may be) shall be coordinated with and approved by Customer prior to the release thereof.
21.7 Legal Fees. If any legal action, including an action for arbitration or injunctive relief, is brought relating to this Agreement or the breach hereof, the prevailing party in any final judgment or arbitration award, or the non-dismissing party in the event of a voluntary dismissal by the party instituting the action, shall be entitled to the full amount of all reasonable expenses, including all court costs, arbitration fees, taxes and actual attorney fees paid or incurred in good faith. Furthermore, any costs, fees or taxes involved in enforcing the award shall be fully assessed against and paid by the party resisting enforcement of the award.
21.8 Notices. Any notice, request, demand, or other communication required or permitted hereunder shall be in writing, shall reference this Agreement and shall be deemed to be properly given: (a) when delivered personally; (b) when sent by facsimile, with written confirmation of receipt by the sending facsimile machine; (c) ten (10) business days after having been sent by registered or certified mail, return receipt requested, postage prepaid; or (d) five (5) business days after deposit with a private industry express courier, with written confirmation of receipt. All notices shall be sent to the addresses set forth below:
In case of Customer: IT Vendor Management
In the case of Vendor: Virtusa Corporation
Either party may from time to time specify as its address for purposes of this Agreement any other address upon giving five (5) days written notice thereof to the other party.
21.9 Severability. If the application of any provision of this Agreement to any particular facts or circumstances shall for any reason be held to be invalid, illegal or unenforceable by a court, arbitration panel or other tribunal of competent jurisdiction, then (a) the validity, legality and enforceability of such provision as applied to any other particular facts or circumstances, and the other provisions of this Agreement, shall not in any way be affected or impaired thereby; and (b) such provision shall be enforced to the maximum extent possible so as to effect the intent of the parties. If, moreover, any provision contained in this Agreement shall for any reason be held to be excessively broad as to duration, geographical scope, activity or subject, it shall be construed by limiting and reducing it, so as to be enforceable to the extent compatible with applicable law.
21.10 Waiver. The waiver by either party of a breach of or a default under any provision of this Agreement shall not be effective unless in writing and shall not be construed as a waiver of any subsequent breach of or
default under the same or any other provision of this Agreement, nor shall any delay or omission on the part of either party to exercise or avail itself of any right or remedy that it has or may have hereunder operate as a waiver of any right or remedy.
21.11 Further Assurances. At any time or from time to time on and after the Effective Date, Vendor at no cost to Customer unless expressly provided for in writing, shall at the request of Customer (a) deliver to Customer such records, data or other documents consistent with the provisions of this Agreement; (b) execute and deliver or cause to be delivered all such assignments, consents, documents or further instruments of transfer or license; and (c), within the scope, and subject to the terms of the applicable Work Order, take or cause to be taken all such other actions in the ordinary course as Customer may in good faith, reasonably deem necessary or desirable in order for Customer to obtain the full benefits of this Agreement and the transactions contemplated hereby, provided that such actions would not be deemed out of scope of any Work Order or impose a cost on Vendor (other than an immaterial cost) in addition to the costs of such Services (or fees charged) reasonably set forth in such Work Order.
21.12 Construction. This Agreement has been negotiated by the parties and shall be interpreted fairly in accordance with its terms and without any construction in favor of or against either party.
21.13 Interpretation. In this Agreement (a) all capitalized derivative forms of defined terms and phrases have meanings that correspond to the defined terms and phrases; (b) the words include, includes or including shall mean include, without limitation, includes, without limitation, and including, without limitation, respectively; (c) the division of the Agreement into separate Sections, subsections, Exhibits and Work Orders, the Agreements title and the insertion of headings are for convenience of reference only and shall not affect the construction or interpretation of the Agreement; and (d) words or abbreviations that have well known or trade meanings are used herein in accordance with their recognized meanings.
21.14 Counterparts. This Agreement may be executed in several counterparts, all of which taken together shall constitute a single Agreement between the parties hereto.
21.15 Cumulative Remedies. The rights and remedies of either party as set forth in this Agreement are exclusive and not in addition to any other rights and remedies now or hereafter provided by law or at equity.
21.16 Nature of Rights. All rights and licenses granted under or pursuant to this Agreement by Vendor to Customer are, and shall otherwise be deemed to be, for purposes of Section 365(n) of the United States Bankruptcy Code (the Code), licenses to rights to intellectual property as defined under the Code. Customer shall have the rights set forth herein with respect to the Work Product when and as developed or created. Vendor acknowledges that if it, as a debtor in possession or a trustee in bankruptcy in a case under the Code, rejects this Agreement, then Customer may elect to retain its rights under this Agreement as provided in Section 365(n) of the Code. The parties further agree that, in the event of the commencement of any bankruptcy proceeding by or against Vendor under the Code, Customer shall be entitled to retain all of its rights under this Agreement. Vendor agrees and acknowledges that enforcement by Customer of any rights under Section 365(n) of the Code in connection with this Agreement shall not violate the automatic stay of Section 362 of the Code and waives any right to object on such basis. 
Upon rejection of this Agreement by Vendor or the bankruptcy trustee in a bankruptcy case under the Code and written request of Customer to Vendor or the bankruptcy trustee pursuant to Section 365(n) of the Code, Vendor or such bankruptcy trustee shall: (a) provide Customer the Work Product and other materials that are the subject of the rights and licenses described in this Section (including any Vendor Proprietary Information or any other intellectual property necessary or desirable for Customer to use or exploit any Work Product or to exercise its rights hereunder), and any intellectual property otherwise required to be provided to Customer under this Agreement that is held by Vendor or such bankruptcy trustee; and (b) not interfere with the rights of Customer provided in this Agreement or any other agreement supplementary to this Agreement, to the materials that are the subject of the rights and licenses described in this Section, or any intellectual property provided under such agreements, including any right to obtain the materials that are the subject of the rights and licenses described in this Section and any such intellectual property from another entity. In addition to the foregoing, Vendor shall take all steps reasonably requested by Customer to perfect, exercise and enforce its rights hereunder, including filings in the U.S. Copyright Office and U.S. Patent and Trademark Office, and under the Uniform Commercial Code.
IN WITNESS WHEREOF, the parties hereto have each caused this Agreement to be signed and delivered by their duly authorized officers, all as of the date first set forth above.
VIRTUSA CORPORATION | AIGGS
By: /s/ Danford Smith | By: /s/ John Sach
Name: Danford Smith | Name: John Sach
Title: COO | Title: VP
EXHIBIT A
SAMPLE STATEMENT OF WORK
This Statement of Work (SOW), effective as of , 200 [DATE MUST BE SAME DATE AS WHEN ENGAGEMENT FIRST BEGINS] by and between (Vendor) and [AIGGS OR APPLICABLE AFFILIATE NAME] (for purposes of this SOW, Customer) is executed pursuant to and as part of that certain Professional Services Agreement by and between AIG Global Services Inc. and Vendor, dated as of , 200 (the Agreement).
The parties have entered into the Agreement for the provision of certain rights, services, resources, and deliverables to Customer by Vendor. The Agreement contemplates that the parties may enter into specific SOWs describing detailed terms and conditions applicable to specific services, resources, and deliverables to be provided.
NOW, THEREFORE, for and in consideration of the foregoing premises, and the agreements of the parties set forth below, Customer and Vendor agree as follows:
1. Services.
[INSERT DESCRIPTION OF SERVICES TO BE PROVIDED, INCLUDING (1) APPLICABLE AIG ENTITY OR DIVISION FOR WHICH SERVICES WILL BE PERFORMED, (2) LENGTH OF PROJECT IF T&M SERVICES ARE TO BE PROVIDED, AND (3) ANY SPECIFIC MAINTENANCE SERVICES TO BE PROVIDED IN CONNECTION WITH DELIVERABLES, IF APPLICABLE]
2. Service Project Location.
[INSERT NAME OF APPLICABLE AIG ENTITY OR DIVISION AND PHYSICAL LOCATION WHERE SERVICES ARE TO BE PROVIDED]
3. Deliverables; Vendor Proprietary Information; Open Source.
[INSERT DESCRIPTION OF ANY DELIVERABLES TO BE PROVIDED. ALSO: (1) SPECIFICALLY DESCRIBE ANY BACKGROUND TECHNOLOGY AND/OR THIRD PARTY TECHNOLOGY (SUCH AS THIRD SOFTWARE OR REUSABLE TOOLS VENDOR IS PROVIDING) TO BE USED BY VENDOR (IF ANY), OR, IF DELIVERABLES WILL NOT INCORPORATE ANY VENDOR PROPRIETARY INFORMATION, STATE "No Vendor Proprietary Information"; and (2) IDENTIFY ANY OPEN SOURCE CODE TO BE INCORPORATED INTO THE DELIVERABLES (IF ANY) AND ATTACH THE APPLICABLE OPEN SOURCE LICENSE(S) TO THIS SOW, OR, IF DELIVERABLES WILL NOT INCORPORATE ANY OPEN SOURCE CODE, STATE "No Open Source Code."]
4. Vendor Personnel.
[INSERT NAME AND JOB TITLE OF SPECIFIC CONSULTANTS TO BE ENGAGED (IF ANY), OR STATE Not Applicable]
5. Schedule and Milestones (If Any).
Project Start Date:
Estimated Project Completion Date:
[ALSO INSERT DESCRIPTION OF TIMETABLE FOR COMPLETING SERVICES, MEETING MILESTONES AND/OR SUPPLYING DELIVERABLES, IF APPLICABLE]
6. Charges.
[INSERT: (1) EITHER (A) FOR T&M PROJECTS, APPLICABLE DAY RATES, ESTIMATED EXPENSES (IF ANY) AND MAXIMUM ESTIMATED COST FOR TOTAL PROJECT, OR (B) FOR FIXED FEE PROJECTS, FIXED FEE, ESTIMATED EXPENSES (IF ANY) AND TIMETABLE FOR PAYMENTS; AND (2) ANY APPLICABLE DISCOUNTS OR PERFORMANCE-RELATED INCENTIVES OR PENALTIES]
Vendor shall send all invoices under this SOW to the following address:
[INSERT: CUSTOMER ADDRESS AND CONTACT INFORMATION FOR RECEIPT OF INVOICE]
7. Project Managers.
For Customer: | For Vendor:
[INSERT NAME & AIG ENTITY OR DIVISION] | [INSERT NAME]
[INSERT TELEPHONE NUMBER] | [INSERT TELEPHONE NUMBER]
[INSERT E-MAIL ADDRESS] | [INSERT E-MAIL ADDRESS]
8. Testing and Acceptance Procedures. (NOTE: if no testing/acceptance procedures are set forth in this Section, the testing and acceptance procedures set forth in the Agreement shall govern.)
[INSERT DESCRIPTION OF ANY NECESSARY TESTING AND ACCEPTANCE PROCEDURES, OR STATE As per the Agreement]
9. Individualized Reports; Status Meetings.
[INSERT DESCRIPTION OF ANY INDIVIDUALIZED/ SPECIAL REPORTS OR STATUS MEETINGS RELATED TO THIS PROJECT, OR STATE As per the Agreement]
10. Other Specifications.
[INSERT ANY OTHER SPECIFICATIONS APPLICABLE TO WORK TO BE PERFORMED UNDER THIS STATEMENT OF WORK, FOR EXAMPLE, SPECIFICATIONS FOR DELIVERABLES OR OTHER WORK PRODUCT TO BE PROVIDED HEREUNDER]
11. Flow-Down Provisions for Subcontractors.
[INSERT ANY PROVISIONS THAT SHOULD FLOW DOWN FROM THE AGREEMENT TO VENDOR'S AGREEMENTS WITH ITS SUBCONTRACTORS RELATED TO WORK TO BE PERFORMED UNDER THIS SOW.]
Except to the extent otherwise expressly set forth in this SOW, this SOW is governed by the terms and conditions of the Agreement. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. This SOW may be modified or amended only by a writing signed by both parties. The parties hereto acknowledge having read this SOW and agree to be bound by its terms.
IN WITNESS WHEREOF, the parties have each caused this SOW to be signed and delivered by their duly authorized officers, all as of the date first set forth above.
AIG GLOBAL SERVICES, INC OR APPLICABLE AFFILIATE NAME | { Company Name }
By: | By:
Name: | Name:
Title: | Title:
EXHIBIT B
SAMPLE CHANGE ORDER
This Change Order No. (Change Order), effective as of , 200 , is made pursuant to and a part of that certain Professional Services Agreement, dated as of , 200 , by and between AIG Global Services, Inc. and (the Agreement), and [Work Order] [Statement of Work], thereto, dated as of (the Work Order).
This Change Order is governed by the terms and conditions of the Agreement. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. Except to the extent otherwise expressly set forth in this Change Order, the terms of the Work Order shall remain in full force and effect. The parties hereto acknowledge having read this Change Order and agree to be bound by its terms.
The modification(s) set forth below will impact the following terms of the Work Order (please check all that apply):
o Services | o Deliverables | o Estimated completion date
o Fees | o Schedule | o Other: (please specify)
Please provide a detailed description of the proposed modification(s) and their impact on the Work Order:
[ADD DESCRIPTION OF CHANGES]
IN WITNESS WHEREOF, the parties hereto have each caused this Change Order to be signed and delivered by their duly authorized officers, all as of the date first set forth above.
AIG GLOBAL SERVICES, INC OR APPLICABLE AFFILIATE NAME | { Company Name }
By: | By:
Name: | Name:
Title: | Title:
EXHIBIT C
SECURITY REQUIREMENTS
I. Definitions
A. Access & Use Controls means policies, procedures and controls to prevent unauthorized access or use of information or systems, including without limitation: (1) a formal user registration, identification and authentication process, including without limitation functionality that tracks users access to Information and Customer System and includes strong passwords; (2) limiting access to Information based on Information classification; (3) requiring managerial authorization for changing Access & Use Rights and access or use policies, procedures and controls; (4) requiring the consistent treatment of access across Vendors organization and systems; (5) Physical Security Perimeters; (6) prohibiting persons from sharing access authentications or establishing or using generic identifications; and (7) automatic workstation locking mechanisms.
B. Access & Use Rights means those rights and limitations with respect to parties accessing and using Vendor Systems, Information or Customer Systems, including without limitation, such rights and limitations with respect to Vendor Personnel and end-users.
C. Adverse Impact means any material adverse impact to: (1) the purposes of this Agreement; (2) Vendors ability to perform its obligations under this Agreement; (3) the CIA of Information, including without limitation, the availability of Vendor Systems; or (4) Customers System.
D. Business Continuity Controls means policies, procedures and controls that ensure accurate and complete back-up copies of Information, uninterrupted storage, processing and transmission of Information, and the continuity of transactions with respect to the Agreement, including without limitation, in the event of any Security Incident.
E. CIA means confidentiality, integrity and availability.
F. Customer System means any computer network, desktop computer, servers, computer application, equipment, Storage Media or software operated by Customer or a third-party on behalf of Customer.
G. Customer Info-Sec Contact means the following person who shall be the contact person for Customer for any issue or notice related to this Schedule: Greg Gardner, AIU Divisional Security Officer/Director Network Planning, 9 Entin Road, F03, Parsippany, NJ, USA, 973 ###-###-####, ***@***.
H. Customer Facilities means the facilities owned, operated or controlled by Customer or a third party retained by Customer, including without limitation, the facilities at which Customers System is housed or Information is stored, processed or transmitted by Customer.
I. Information means any information that is owned, licensed, transmitted by or to, or collected by, Customer, in any format or media, which Vendor has access to, stores, transmits, copies or otherwise uses pursuant to this Agreement, including but not limited to,
all full or partial copies thereof, databases, financial data, customer materials, intellectual property, corporate confidential information, trade secrets or PII.
J. Info-Sec Controls means Vendors hardware, software, firmware, Access & Use Controls, Physical Security Perimeter, Business Continuity Controls, controls and Info-Sec Policies, the function or purpose of which is to protect and ensure the CIA of information, including without limitation, access and use policy statements, employee background checks, firewalls, filters, DMZs, anti-virus software, locks, intrusion detection, identification cards, the electronic use of passwords or similar identification of authorized users.
K. Info-Sec Law means any regulation, law, ordinance, statute, administrative rule, court ruling or rule, consent decree or mandatory government standard, related to or regulating the CIA of information or Info-Sec Controls, including without limitation, any of the foregoing related to information security, privacy, information retention or destruction (including the preservation of evidence) or requiring notice to persons if their PII has been or is reasonably believed to have been, accessed or used by unauthorized persons.
L. Info-Sec Risk Increase means an increase in the likelihood, frequency, risk of, impact, severity or magnitude of a potential or actual Security Incident or violation of an Info-Sec Law, including without limitation, an increase because of or evidenced by: (1) the development, enactment, implementation or discovery of a new or modified Info-Sec Peril or an existing Info-Sec Peril that has not been adequately addressed by an Info-Sec Control, including without limitation, any Info-Sec Law or adverse finding with respect to any audit of Info-Sec Controls; (2) the discovery of any unauthorized access to or use of Information, Vendor System or Customer System; (3) a change in technology which renders Info-Sec Controls inadequate, obsolete or ineffective; (4) a failure of those parts of Vendor Systems dedicated to business continuity, including without limitation, back-up systems; (5) a change in the character, volume or use of Information; or (6) inadequate system capacity.
M. Info-Sec Peril means any: (1) attack, exploit, Malicious Code, denial of service attack, hacking methods or other means of adversely affecting the CIA of information; or (2) vulnerability, hole or weakness with respect to the design, implementation, operation or management of Info-Sec Controls, Vendor System or Customer System, which might adversely affect the CIA of information; or (3) Info-Sec Law.
N. Info-Sec Policies means the policies, procedures and standards the function or purpose of which is to protect and ensure the CIA of information and prevent any Security Incident.
O. Malicious Code means software or computer code designed to perform an unauthorized function on, or permit unauthorized access to, an information system and cause harm to such system, including without limitation, computer viruses, trojan horses, worms, and time or logic bombs.
P. PII means personally identifiable information, including without limitation: (1) any information from which an individual may be identified, including without limitation, an individuals name, address, telephone number, social security number, account relationships, account numbers, account balances, and account histories; (2) information concerning an individual that would be considered nonpublic personal information within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) and its implementing regulations, as the same may be amended from time to time; and (3)
information concerning an individual that is protected from disclosure by other applicable federal or state laws and regulations, including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and CA SB 1386 regarding privacy (as the same may be amended from time to time).
Q. Physical Security Perimeter means physical barriers and controls that prevent or mitigate against unauthorized physical access and environmental hazards (including without limitation, fire, smoke, water, dust), with respect to Vendor Facilities, Vendor Systems or Information, including without limitation, locked doors, entry gates, manned reception areas and intrusion detection alarms.
R. Remedial Action means: (1) a reasonable investigation of an Info-Sec Risk Increase or Security Incident (as applicable), including without limitation, an investigation of the potential for any Adverse Impact caused by either; and (2) all necessary and adequate actions to: (a) prevent and mitigate any Adverse Impact; (b) maintain at least the same level of protection for the CIA of Information as was present at the inception of this Agreement, including without limitation modifying or upgrading Info-Sec Controls; (c) comply with or discontinue a violation of an Info-Sec Law; (d) prevent an Info-Sec Risk Increase from resulting in a Security Incident; (e) employ Business Continuity Controls; and (f) mitigate or reduce the likelihood, frequency, risk of, harm, severity, impact or magnitude of an actual or potential Security Incident or Info-Sec Risk Increase.
S. Security Incident means any unauthorized use of or access to Vendor Systems, Customer Systems or Information, including without limitation, any such unauthorized use or access caused by or resulting from a failure, lack of, or inadequacy of Info-Sec Controls, any Info-Sec Peril, physical intrusion of facilities, or theft or loss of documents or Storage Media.
T. Storage Media means any device or media upon which Information is stored.
U. Vendor Info-Sec Contact means the following person who shall be the contact person for Vendor for any issue or notice related to this Schedule: Virtusa Corporation, Vikram Dhanda, Head of Global IT ***@***).
V. Vendor Facilities means the facilities owned, operated or controlled by Vendor or a third party retained by Vendor, including without limitation, the facilities at which Vendors System is housed or Information is stored, processed or transmitted by Vendor.
W. Vendor Personnel means any employee, independent contractor or other third party retained by the Vendor to work on Vendors behalf, including without limitation, any of the foregoing who have access to Information or Computer Systems.
X. Vendor System means any computer network, desktop computer, computer application, server, equipment, Storage Media or software controlled by Vendor or a third-party on behalf of Vendor.
II. Info-Sec Warranties
Vendor hereby represents, warrants and covenants to Customer that:
A. Vendors written or oral answers, statements and representations provided with respect to any AIG Security Assessment Questionnaire or Fundamental Assessment Security Test (FAST), or any security assessment or interview provided with this Agreement, and any
materials, statements or other information provided with the foregoing, are true and accurate;
B. during the time Vendor has access to Information or Customer Systems, Vendor shall implement, maintain, comply with, enforce, upgrade and modify its Info-Sec Controls to provide protection for the CIA of Information at the same level or greater than was present at the inception of this Agreement; and
C. Vendor shall comply with all applicable Info-Sec Laws, including without limitation, modifying and updating Info-Sec Controls as required by any applicable Info-Sec Laws.
III. Info-Sec Controls
A. Conflicts.
In the event of a conflict between the Vendors existing or contemplated Info-Sec Controls and those required by this Agreement, those required under this Agreement shall apply unless Vendors existing or contemplated Info-Sec Controls provide the same or greater protection to the CIA of Information.
B. Security Awareness
Prior to providing access to Information, Vendor shall train Vendor Personnel concerning the implementation of, compliance with and enforcement of, Vendor's Info-Sec Controls and Info-Sec Policy. Vendor shall provide training and information to Vendor Personnel with respect to Vendor duties and limitations under this Schedule, including without limitation, Access & Use Rights, Vendor's duties for protecting the CIA of Information, maintaining and enforcing Info-Sec Controls and reporting Info-Sec Risk Increases and Security Incidents, and that Vendor Personnel shall have no expectation of privacy when accessing or using Information or Customer Systems. In addition, Vendor shall train Vendor Personnel concerning the handling of Information in the form of corporate confidential information, trade secrets, intellectual property and any other sensitive information, and shall inform Vendor Personnel that they may not remove or send such Information from Vendor Systems, Vendor Facilities, Customer Systems, Customer Facilities or any other location or system unless they have received Customer's prior written consent.
After providing the training in the paragraph set forth above, with respect to each Vendor Personnel, Vendor shall provide Customer with written confirmation that Vendor provided such training, including without limitation the date such training was completed by each Vendor Personnel.
C. Information Classification & Segregation
Vendor shall classify, label, handle, process, transmit and store the Information on the Vendor System consistent with Vendors most sensitive and critical information class. The classification of the Information shall be clearly and conspicuously communicated to Vendor Personnel prior to providing access to such Information or if the classification changes. Vendor shall segregate the Information from Vendors data and internal environment, and from the information and data of its other customers or users.
D. Personnel Security
Prior to providing any access to the Information or Customer System to any individual Vendor Personnel, for each individual, Vendor shall: (1) conduct its own adequate
background check; (2) complete certification checks in accordance with Customers AIGs Vendor Certification Program details of which can be found at http://www.aigscreen.com; and (3) provide Customer with notice of any adverse findings with respect to an individuals background check. Vendor represents, warrants and covenants that Vendor will secure the prior written consent of each of its Vendor Personnel prior to providing Customer with background check results.
E. Physical Security
Vendor shall maintain an adequate Physical Security Perimeter. Unless removal is specifically authorized by this Agreement or Customer, Vendor Personnel shall not remove any: (1) Information from any system or facility; or (2) part of the Vendor System or Customer System storing Information, from any facility. Vendor shall log any such removal and the return of any Information or part of Vendor System or Customer System.
F. System planning and acceptance
Vendor shall monitor its current Vendor System capacity limitations and project events or trends that may result in, and employ prior systems testing to ensure that implementation will not result in, an Info-Sec Risk Increase, Security Incident, Adverse Impact or Info-Sec Law violation.
G. Protection against Malicious Code
(1) Vendor shall implement and maintain software for Vendor System that detects, prevents, removes and remedies Malicious Code (Malicious Code Software) and is at least consistent with commonly accepted industry standards. Vendor shall run its Malicious Code Software on at least a daily basis and update its Malicious Code Software on at least a daily basis, including without limitation, obtaining and implementing the most currently available virus signatures on a daily basis. Vendor shall run its Malicious Code Software with respect to any information, software or e-mail it intends to provide to Customer, and to ensure that such information, software or e-mail is not infected with Malicious Code prior to providing it to Customer.
(2) Any Info-Sec Risk Increase, Security Incident, breach of this Agreement, Adverse Impact or violation of any Info-Sec Law arising from Malicious Code shall not constitute a force majeure event, and addressing Malicious Code, including without limitation, the detection, prevention, removal and remedying of Malicious Code, shall be considered within Vendors control, unless Vendor has complied with the provisions of Section III (G)(I) above.
H. Network management
(1) Vendor shall only connect with or access Customer System through Customers extranet firewall or virtual private network systems, unless Vendor receives prior written consent from Customer to connect in another manner. Vendor shall not utilize wireless technology to transmit or process Information or access Customer System or Information unless: (a) such wireless technology is subject to Access and Use Controls, including without limitation, user authentication; and (b) prior to transmitting any data or Information wirelessly, such data or Information is encrypted utilizing at least 128-bit encryption technology.
(2) With respect to any instant messaging, video streaming and peer-to-peer file sharing, Vendor shall: (a) employ such applications for business purposes only; (b) segregate any network segments running such applications from any network segments upon which
Information is stored, processed or transmitted; and (c) utilize automated measures on Vendor System to monitor use of such applications.
I. Information Removal, Destruction & Retention
(1) Vendor shall physically destroy or securely delete all Information on Vendor System and Storage Media prior to disposing, selling or relinquishing control of such Information (unless specifically authorized by this Agreement), or upon instructions of Customer. Vendor shall inventory all Information prior to such destruction or deletion and shall certify in writing that all Information has been so destroyed or deleted.
(2) Vendor shall retain the Information during the term of the Agreement. At the termination of the Agreement, Vendor shall return all Information to Customer unless otherwise instructed by Customer in writing.
(3) Notwithstanding anything to the contrary, Vendor shall not be required to delete, destroy or return Information if prohibited by law in the written opinion of a lawyer retained by Vendor. In addition, Vendor shall comply with all Info-Sec Laws related to deletion or retention of Information, including without limitation, FTC and OSHA regulations, rules of evidence and environmental laws.
(4) Vendor shall not remove or send Information from Vendor Systems, Vendor Facilities, Customer Systems, Customer Facilities or any other location or system unless they have received Customer's prior written consent or such removal is specifically required under the Agreement.
J. Exchanges of Information and Software
(1) Exchange via Storage Media and Transfer of PII. Vendor shall not transport Storage Media via courier or mail without the prior consent of Customer. Vendor shall perform reasonable background checks on proposed courier companies prior to use, and shall not utilize any courier or mail if such use would result in an Info-Sec Risk Increase. Vendor shall utilize at least 128-bit encryption with respect to any Information containing PII prior to its transfer or transmittal, including without limitation, electronic transfer or physical transfer in Storage Media.
(2) E-mail Accounts. In the event Vendor Personnel is provided with use of a Customer e-mail account, prior to providing any Vendor Personnel with access and use of such e-mail account, Vendor shall advise such Vendor Personnel of any Customer policies, rules or regulations in place with respect to the use of such e-mail account, including any contained herein. Any such e-mail account may be used only for purposes of satisfying Vendor's obligations under this Agreement, and shall not be used for personal purposes. With respect to any e-mail accessed by Vendor through Customer's System, Vendor Personnel shall not open any attachments he or she receives unless he or she knows the sender and is expecting the attachment. Vendor Personnel shall not share e-mail accounts.
K. Access Control
(1) Minimum Necessary Access & Use. Vendor shall identify those persons or classes of persons who must access and use the Information or Customer System to fulfill Vendors obligations under the Agreement, and shall grant Access & Use Rights only to those persons. With respect to each such person or classes of persons identified and their Access & Use Rights, Vendor shall limit: (a) access to only those parts of the Information and Customer Systems necessary to fulfill Vendors obligations under the Agreement; and (b) the use of such Information and Customer Systems to only those uses necessary to fulfill Vendors
obligations under the Agreement. Vendor shall segregate duties between Vendor Personnel with respect to Information to reduce the risk of fraud or the accidental unauthorized use of Customer Systems or Information. Vendor shall monitor and log any access to the Information or Customer Systems, and shall enforce violations of Access & Use Rights.
(2) Access & Use Policy Statements. Vendor shall create a written access and use policy statement with respect to Information and Customer Systems that clearly states the Access & Use Rights for each person or class of persons, including without limitation, when Vendor has access to the internal environment of Customer Systems. Prior to providing access to, or allowing use of, Information or Customer Systems, Vendor shall provide a copy of the access and use policy statement to those people who will be provided Access & Use Rights, and require each such person to sign a written statement indicating that they agree not to exceed and to comply with such Access & Use Rights. Vendor shall promptly report to Customer any violation or failure to comply with Access & Use Rights, including without limitation, any access and use policy statement created pursuant to this sub-paragraph.
(3) Review and Termination of Access & Use Rights. At least once every six (6) months for standard access grants and once every three (3) months for non-standard or special privileged grants, Vendor shall review Access & Use Rights in order to reconfirm the identity of those persons with such rights, and to ensure that such rights are authorized, consistent with Information classification and still necessary for Vendor to fulfill its obligations under this Agreement. Notwithstanding the foregoing, Vendor shall immediately terminate Access & Use Rights of Vendor Personnel: (a) who have left Vendor's organization, changed jobs, are no longer under contract or are suspected of fraud, theft or any other violation of law with respect to Information; (b) who have violated or exceeded Access & Use Rights; and (c) after termination of this Agreement (except with respect to those Vendor Personnel who must access Information that remains in Vendor's possession, if any).
(4) Customer Control of Access & Use Rights. Customer shall have full control over decisions concerning access and use of Information or Computer Systems, including without limitation, vetoing Vendor's grant of, authorizing, terminating, extending or reversing Access & Use Rights. Vendor shall promptly implement any decisions Customer makes with respect to Access & Use Rights.
(5) Security of Third Party Access. Vendor shall not provide any third party (including without limitation, any third party that Vendor wishes to work as Vendor Personnel with respect to this Agreement) with access to any Information or Customer System unless it has received prior written consent from Customer or such access is specifically authorized by the Agreement. In all events, prior to providing a third party with such access Vendor shall contractually impose upon such third party the same or equivalent contractual duties imposed on Vendor, and rights provided to Customer, in this Schedule, including without limitation, timely notice of Security Incidents and Info-Sec Risk Increases, maintenance of equivalent Info-Sec Controls and compliance with Info-Sec Laws.
L. Business Continuity
Vendor shall: (a) maintain adequate Business Continuity Controls; (b) no less frequently than each quarter during the Agreement, test Business Continuity Controls to ensure effectiveness; (c) segregate Business Continuity Controls from those parts of Vendor System used during the normal course of business; and (d) no less frequently than weekly, back-up Information.
M. Information Security Infrastructure
Notwithstanding anything to the contrary, Vendor shall implement, maintain, comply with and enforce at least the following Info-Sec Policies and Info-Sec Controls:
(1) Security Policy
(a) Vendor shall maintain an Info-Sec Policy that applies across its organization and which addresses the following, without limitation: Info-Sec Controls, operating system management, authentication and use of passwords, database management, patch management, business continuity, change management/control, exchange of information through the use of voice, facsimile and video communications, policy development, e-mail and execution of e-mail attachments, auditing and monitoring, source code management and control, Malicious Code, software management, security awareness, use and protection of mobile computing equipment, privacy awareness, Info-Sec law compliance, management of Storage Media, Security Incident response, Info-Sec Risk Increases, system planning and acceptance, third party access, network and system configuration, processing and handling of the information, system recovery, information back-up, system hardening and maintenance. Any material changes to any Info-Sec Policy or Info-Sec Controls shall be formally approved by Vendor's Chief Security Officer, Chief Information Officer, or equivalent officer.
(b) Each Vendor Personnel shall fully review Vendor's Info-Sec Policy and confirm in writing that they have read, understood, and will comply with Vendor's Info-Sec Policy. Vendor at least annually shall review and update its training materials with respect to its Info-Sec Policy or Info-Sec Controls, and send written statements to Vendor Personnel informing them of material changes and reminding them of their obligations thereunder. Vendor shall establish a formal disciplinary process with respect to compliance with its Info-Sec Policy and Info-Sec Controls, and shall fully enforce any violation thereof.
(2) Physical & Environmental Security
(a) Vendor's operation centers, server rooms, wiring closets and other critical infrastructure areas shall have highly restricted access with logged authentication processes. Visitors to Vendor Facilities shall be clearly identified and their access limited only to areas they need access to in order to fulfill their functions.
(b) Vendor shall maintain an uninterrupted power supply and redundant back-up generators to supply power to the Vendor System for at least five (5) continuous business days in the event of a power failure or other electrical anomaly.
(c) Vendor shall implement, maintain, comply with and enforce a clear desk and clear screen policy, including without limitation, requiring the locking of Vendor System and measures to prevent unauthorized access to Information that is printed on documents.
(3) System Planning & Acceptance
Vendor shall implement, maintain, comply with and enforce Info-Sec Policies and Info-Sec Controls for accepting new information systems or applications and alterations or upgrades to Vendor System, including without limitation, policies requiring the identification of significant changes, assessment of the potential impact of such changes (including with respect to Info-Sec Controls and the CIA of Information), and formal managerial approval for changes.
(4) Network management
Vendor shall implement, maintain, comply with and enforce network Info-Sec Policies and Info-Sec Controls with respect to Vendor System, including without limitation: (a) demilitarized zones; (b) intrusion detection; (c) network and system segmentation, including without limitation, the utilization of packet inspecting firewalls to maintain zones segregating the following system components from each other: Internet connection, web servers, application servers, database servers, core network, external networks; (d) enforced path controls that prevent users from accessing portions of the network outside those portions typically accessed by each authorized user; (e) authentication controls for external network connections and automatic network connections; (f) controls to prevent unauthorized access and use of remote network diagnostic ports; (g) network access controls that restrict unauthorized access with respect to electronic mail, one- and two-way file transfer and interactive access; and (i) routing controls across interconnected networks.
(5) Authentication
(a) Vendor shall implement, maintain, comply with and enforce Info-Sec Policies and Info-Sec Controls with respect to any passwords used to authenticate and validate identity, including without limitation: (a) requiring users to sign a statement agreeing to keep passwords confidential; (b) requiring that temporary passwords be given to users in a secure manner; (c) prohibiting the storage of passwords in an unprotected form; (c) requiring the changing of passwords at regular intervals or based on the number of user accesses; (d) prohibiting recording passwords as part of a paper record; (e) enforcing the use of passwords to maintain accountability; (f) preventing the display of passwords on the screen when being entered; (g) storing password files separately from application and other system data; (h) altering default vendor passwords following installation of software; and (i) requiring the changing of passwords whenever there is an actual or potential password compromise.
(b) Vendor shall implement automatic terminal identification that authenticates connections to specific network areas and portable equipment. Vendor shall implement, maintain, comply with and enforce a secure log-on process for authorized users to access Vendor System, Information and Customer Systems, including without limitation: (a) a general warning that the computer should be accessed only by authorized users; (b) validation of log-on only upon completion of all input data, without indicating which part of the data is incorrect for failed log-on attempts; (c) limiting the number of unsuccessful log-on attempts to three and requiring specific authorization for log-on after failed attempts; and (d) upon log-on, displaying the date and time of previous successful log-ons and details of unsuccessful log-ons.
(6) Applications
Vendor shall implement, maintain, comply with and enforce Info-Sec Policies and Info-Sec Controls with respect to the use of application utility programs, including without limitation: (a) authentication and authorization procedures, including without limitation, defining and documenting authorization levels for system utilities; (b) segregation of system utilities from application software; (c) limiting the access and use of system utilities to the minimum practical number of trusted authorized users; (d) logging of all use of system utilities; and (e) removal of all unnecessary software based utilities and system software.
(7) Mobile Computing Equipment
Vendor shall implement, maintain, comply with and enforce Info-Sec Policies and Info-Sec Controls with respect to notebooks, palmtops, laptops, PDAs, mobile phones and any other device that provides access to Vendor's System, Customer Systems or Information, including without limitation, requirements for physical protection, access controls, encryption of PII stored thereon and Malicious Code Software.
(8) Security Incident Response Policies and Controls
Vendor shall implement, maintain, comply with and enforce Info-Sec Policies and Info-Sec Controls with respect to Security Incident response, including without limitation, Info-Sec Policies and Info-Sec Controls that: (a) ensure a prompt, effective and orderly response to any Security Incident; (b) limit Security Incident management to only authorized Vendor Personnel; and (c) require documentation of Security Incident response actions taken in detail which shall meet reasonable expectations of forensic admissibility.
N. Implementation of Additional Info-Sec Controls
Vendor shall implement the Info-Sec Controls listed below no later than the applicable implementation date:
Info-Sec Controls | Implementation
Upon implementation of each Info-Sec Control, Vendor shall provide a written confirmation to Customer no later than three (3) days after such implementation. In the event Vendor is unable to, or anticipates that it will be unable to, fully implement an Info-Sec Control outlined above, Vendor shall provide written notice to Customer no later than three (3) days after the applicable implementation date for such Info-Sec Control.
O. Info-Sec Risk Increase and Upgrading Info-Sec Controls
(1) Vendor shall regularly consult with reputable journals, Internet sites, software vendors, information security professionals, attorneys and other sources to discover: (a) Info-Sec Risk Increases; (b) methods to prevent loss by, address, neutralize, remedy and mitigate Info-Sec Risk Increases and Security Incidents; and (c) existing, new or modified Info-Sec Laws and how to comply with such laws. Vendor shall regularly and periodically determine whether Vendor needs to upgrade, add to or modify its Info-Sec Controls to prevent or mitigate against an Info-Sec Risk Increase or Security Incident.
(2) Info-Sec Risk Increase Response. In the event of a Level I, II or III Info-Sec Risk Increase as defined in the table below, Vendor shall undertake the applicable Required Vendor Actions set forth below:
Info-Sec Risk Increase Level Definition | Required Vendor Actions
LEVEL I: An Info-Sec Risk Increase that is not reasonably likely to cause an Adverse Impact. | Vendor shall undertake Remedial Action.
LEVEL II: An Info-Sec Risk Increase that is reasonably likely to cause an Adverse Impact and such Adverse Impact is reasonably likely to manifest within thirty (30) days of Vendor's discovery of such Info-Sec Risk Increase. | Vendor shall promptly undertake Remedial Action and provide immediate notice to Customer Info-Sec Contact if Vendor cannot undertake such action or if such action was unsuccessful or inadequate after implementation.
LEVEL III: An Info-Sec Risk Increase that: (1) is reasonably likely to cause an Adverse Impact and such Adverse Impact is reasonably likely to manifest within seven (7) days of Vendor's discovery of such Info-Sec Risk Increase; or (2) has resulted in or reasonably could result in a violation of any Info-Sec Law, or creates or triggers an obligation with respect to any Info-Sec Law. | Vendor shall: (1) immediately undertake Remedial Action; (2) provide immediate notice to Customer's Security Hotline at ###-###-#### and Customer Info-Sec Contact if Vendor cannot undertake such action or if such action was unsuccessful or inadequate after implementation, and coordinate a response with Customer; and (3) after undertaking Remedial Action, provide a report to Customer indicating the results of the Remedial Action, any Adverse Impact or violation of Info-Sec Law that occurred or could occur because of the Info-Sec Risk Increase and any future Remedial Action to be taken.
IV. Monitoring & Reporting
A. Maintain Information. Vendor shall collect and record information, and maintain logs, planning documents, audit trails, records and reports, with respect to Security Incidents, Info-Sec Risk Increases, Info-Sec Controls, the storage, processing and transmission of Information and the accessing and use of Customer Systems, including, without limitation, the following information: (1) the starting and finishing time of the operations Vendor performs for this Agreement; (2) system errors and corrective actions taken; (3) the existence, nature, and actual and potential impact, of actual or reasonably suspected Security Incidents and Info-Sec Risk Increases, and any post-incident actions taken; (4) the actual or potential impact on the CIA of Information with respect to updates or changes in Info-Sec Controls, Vendor Systems or Customer Systems; (5) Vendor's changes to, testing of, implementation, maintenance, compliance with, enforcement of and auditing of Info-Sec Controls; and (6) dates and times for log-on and log-off, including without limitation successful and rejected log-on attempts with respect to Vendor Systems and Customer Systems. Upon request, Vendor shall provide Customer with access to all Information, and any information, logs, planning documents, audit trails, records and reports outlined above.
B. Change Reporting Requirements. Vendor shall provide Customer with at least thirty (30) days notice prior to making any updates or modifications to Info-Sec Controls, Vendor Systems or Customer Systems that may reasonably cause an Adverse Impact.
C. Security Incident & Info-Sec Risk Increase Reporting Requirements. Vendor shall provide the following information for any notice of any Security Incident or Info-Sec Risk Increase to Customer: (1) when the Security Incident or Info-Sec Risk Increase began, was discovered and is expected to end; (2) a description of the cause and nature of the Security Incident or Info-Sec Risk Increase; (3) the actual or potential impact of the Security Incident or Info-Sec Risk Increase; (4) the Remedial Actions taken, anticipated or recommended by Vendor; (5) the date the last back-up of Information occurred and the identity of any Information that was not backed-up; and (6) any other relevant information concerning the CIA of Information.
D. Vendor Internal Audit. Vendor shall perform regular and periodic internal vulnerability assessments and audits with respect to its Info-Sec Controls and Info-Sec Policies, and shall retain an independent third-party vulnerability assessment and audit with respect to the same on at least an annual basis. Such assessment and audit shall test Vendor's compliance with its Info-Sec Policies and applicable Info-Sec Laws.
E. Customer Audit Rights. Upon the provision of reasonable notice to Vendor, Customer may, at its cost and expense, undertake a general audit of Vendor's Info-Sec Controls and Vendor System once per year during the term of the Agreement. In addition to such yearly audits, Customer may audit Vendor's Info-Sec Controls and Vendor System at any time after: (1) any Level II or III Security Incident or Info-Sec Risk Increase; (2) any adverse audit of Vendor's Info-Sec Controls; (3) Vendor reports the implementation of additional Info-Sec Controls as required under this Schedule; or (4) Customer receives information indicating that Vendor may not be implementing, maintaining, complying with or enforcing its Info-Sec Controls. With respect to a Level II or III Security Incident or Info-Sec Risk Increase, Vendor shall use reasonable commercial efforts to provide access for an audit at a time that will allow Customer to analyze and address such Security Incident or Info-Sec Risk Increase prior to any Adverse Impact or violation of Info-Sec Law.
F. General Obligations and Principles Regarding Audits. As part of any audit by Customer, Vendor shall provide Customer with: (1) access to: (a) Vendor Facilities, including reasonable office space and clerical support to support audit activities, and (b) Vendor Personnel that work with or Info-Sec Controls or who have information concerning Security Incidents or Info-Sec Risk Increases, including without limitation, contact information for such persons and time allotted for interviews; and (2) use of Vendor's Systems to the extent reasonably necessary to conduct the audit, including without limitation, access and use of Vendor Systems for the purposes of analyzing and testing Info-Sec Controls and the CIA of Information.
G. Customer Monitoring of Information and Customer Systems. Customer has the right to monitor or track the access and use of Information or Customer System, and Vendor agrees that Vendor Personnel shall not have any right of privacy with respect to such access or use.
V. Security Incident Response
In addition to any actions set forth in Vendor's InfoSec Policies or otherwise, in the event of a Level I, II or III Security Incident as defined in the table below, Vendor shall undertake the applicable Required Vendor Actions set forth below:
Security Incident Severity Level Definition | Required Vendor Actions
LEVEL I: A Security Incident or reasonably suspected Security Incident, which is not reasonably likely to cause an Adverse Impact. | Vendor shall undertake Remedial Action.
LEVEL II: A Security Incident that has caused an Adverse Impact, but is not reasonably likely to cause any additional or more severe Adverse Impact. | Vendor shall promptly undertake Remedial Action and provide notice of such Security Incident to Customer Info-Sec Contact as soon as practicable.
LEVEL III: A Security Incident or reasonably suspected Security Incident, which: (1) is reasonably likely to cause an Adverse Impact; (2) has caused an Adverse Impact, and is reasonably likely to cause an additional or more severe Adverse Impact; or (3) has resulted in or reasonably could result in a violation of any Info-Sec Law, or creates or triggers an obligation with respect to any Info-Sec Law. | Vendor shall: (1) promptly undertake Remedial Action; (2) provide immediate notice of such Security Incident to Customer's Security Hotline at ###-###-####; (3) provide notice to Customer Info-Sec Contact as soon as practicable; and (4) coordinate a response with Customer.
VI. Security Incidents and Info-Sec Risk Increases of Customer System Discovered by Vendor
Notwithstanding anything to the contrary in sub-paragraph III.O.(2) or Clause V., in the event Vendor discovers an Info-Sec Risk Increase or Security Incident with respect to Customer Systems: (a) Vendor may undertake Remedial Action with respect to Vendor Systems, but shall not undertake Remedial Action with respect to, modify or alter, Customer Systems without prior consent of the Customer; and (b) Vendor shall provide immediate notice of such Info-Sec Risk Increase or Security Incident to Customer Info-Sec Contact.
VII. Breach of InfoSec Schedule and Customer Remediation Rights
A. Breach of Info-Sec Schedule. Any material failure by Vendor to comply with the material obligations set forth in this Schedule shall be considered a material breach or material default of the Agreement (subject to cure as stated therein), including without limitation, the failure to comply with any access and use policy statement with respect to Information or Customer's System or removal or sending of Information from Vendor Systems, Vendor Facilities, Customer Systems, Customer Facilities or any other location or system without Customer's prior written consent or specific authorization under the Agreement. In addition, any Security Incident that results in an Adverse Impact, or Security Incident or Info-Sec Risk Increase that results in a violation of any Info-Sec Law, shall be considered a material breach or default of the Agreement (subject to cure as stated therein).
B. Customer Rights. In the event of an actual or reasonably suspected Security Incident or Info-Sec Risk Increase with respect to Vendor System or Customer System, Customer may, at its sole and absolute discretion, discontinue access or connectivity to Customer System or Information. Under no circumstances shall Customer's discontinuance of access or connectivity, or request to discontinue access or connectivity pursuant to this Schedule, equal a breach or default of this Agreement by Customer. If requested by Customer after a Security Incident or Info-Sec Risk Increase, at Vendor's own expense, Vendor shall undertake any and all Remedial Action reasonably demanded by Customer and agreed to by Vendor using good faith and mutual agreement of the parties.
VIII. Miscellaneous
See Section 14 of the Agreement.
EXHIBIT D
PERFORMANCE REQUIREMENTS
I. General Requirements
These Performance Requirements apply to those engagements where the applicable Work Order states that Vendor is responsible for the Performance Requirements set forth in Exhibit D to the Agreement.
Customer reserves the right to modify the following performance data and reporting requirements at any time after discussion with Vendor. Such modifications will be within the normal operating capacities of any SEI-CMM organization and shall be confirmed in writing by Customer.
Variable priced Work Orders must comply with all requirements described herein. For fixed priced Work Orders, Vendors (1) are requested, but are not required, to provide any metrics associated with resource performance such as internal defects, effort and activities as these specifics are considered to be Vendor proprietary, and (2) shall comply with all other requirements described herein. For purposes of this Exhibit D only, fixed priced Work Orders are defined as Work Orders that (a) make no reference to specific staffing requirements other than management related personnel, (b) provide a predetermined charge, in the form of dollars or hours, for a specific scope of work and (c) are based solely on specific Deliverables or service levels. Work Orders that do not comply with this definition, regardless of how the Work Order describes the project, shall be considered a variable priced project.
In tracking the required information, Vendor shall be required to use Customer's project and process management tool(s) unless an individual Work Order stipulates otherwise. These tool(s) may vary from Work Order to Work Order.
II. Service level Requirements
The parties in each Work Order shall describe SLs, and any specific plan for delivering them. SLs for new support engagements are typically established after a period of time to acquire the experience necessary to provide objective targets.
Vendor shall provide Root cause analyses for any missed service level target at the request of the individual Customer.
The SL metric definitions described herein establish a standard reporting requirement that cannot be overridden in a Work Order except that (1) support Severity level definitions may be modified to suit the needs of Customer and (2) additional SL metrics may be required.
The Service Level targets described herein shall establish a minimum target unless overridden in a Work Order.
III. Reporting Requirements
The reporting requirements described herein are meant to provide a general understanding of the type and summary levels of the reports and are illustrative only. They are not meant to be an exhaustive description of a given report's content. The report formats and requirements shall vary depending on the needs of the individual Customer organizations receiving these reports. Such organizations include business groups, Customer management and Affiliate management. Vendors are encouraged to submit their ideas regarding the formatting and presentation of these reports.
The inclusion of a less comprehensive set of reporting requirements in any one Work Order shall not override the requirements described herein.
The reports shall be considered by Customer to be an engagement deliverable that must be provided, by close of business on the 15th of each month, for the project's SLs to be met.
IV. Data Requirements
The data elements described herein are specific and are to be provided by Vendor to Customer each month, in a spreadsheet file(s), in Vendor's format unless a specific format is provided by Customer. This data shall be the same data that was used by Vendor to create the above reports such that those reports can be duplicated from the provided data. These data elements shall be considered by Customer to be an engagement deliverable that must accompany the reports, by close of business on the 15th of each month, for the project's SLs to be met.
V. Vendor Managed Projects (Fixed or Variable Price)
This section applies to one-time, non-staff augmentation Work Orders with a discrete timeframe (project start and end dates) including development, implementation, migration, assessment, or transition projects. Other (non-software development) project and sub-project categories shall track effort according to the higher activity phases described in their project plans.
VI. Project Service level Definitions and Targets
A. On-Time
Using the last approved completion date:
Item 1 - The calculated Schedule Slippage in business days (actual completion date - last approved completion date)
Item 2 - The calculated actual time to complete in business days (last approved completion date - actual start date)
The Schedule Slippage Percentage is computed as follows:
Schedule Slippage Percentage = item 1 * 100 / item 2
If the Schedule Slippage Percentage for a project is less than or equal to 10%, Vendor schedule performance shall be deemed to be satisfactory for that project.
B. Application Quality
The number and type of defects, as discovered by Customer quality assurance (QA) and user acceptance test (UAT) groups, determine application quality.
A defect is described as any application logic created, Customer QA or UAT testing result that does not conform to any documented business or technical requirement.
The defect level classification is as follows:
Defect level Descriptions for Reported UAT Defects
Level 1 | Testing cannot continue until the error is fixed
Level 2 | System cannot go live until it is fixed.
Level 3 | An adverse effect has been identified, however, Customer and Vendor agree that a temporary workaround can be implemented so the system can go live.
Level 4 | No major adverse effects to the business environment. Customer shall schedule a re-test upon notification by Vendor when the error has been corrected.

Defect Service Level | Target
Level 1 UAT defects/size* | Not greater than 2 per size volume**
Level 2 UAT defects/size* | Not greater than 3 per size volume**
Level 3 UAT defects/size* | Not greater than 5 per size volume**
Level 4 UAT defects/size* | Not greater than 10 per size volume**
* Size may be determined by a standard Customer provided sizing method that all Vendors shall follow. If a standard Customer sizing method is not provided the Vendor shall determine size by either FTE hours or FPs, at the discretion of the Vendor.
** Vendor and Customer to jointly agree on size volume according to the sizing method utilized.
VII. Reporting
Using the data described herein, the following reports shall be provided by Vendor monthly to the applicable Customer groups for each project until project completion. Vendor shall provide non-development project reporting, as appropriate. Vendor may combine these requirements into common reports according to the needs of the various Customer groups involved.
· Service level performance
· On-time (schedule) (budget to actual- by deliverable)
· On-budget (effort hours) (budget to actual- by phase)
· On-expense (budgeted project costs outside of effort based costs such as agreed to hardware or software items to be procured and installed by Vendor as part of project)
· On-scope/requirements volatility (change ratio absolute size changes/original estimated size)
· Number of requirement changes (regardless of size impact)
· On-size (last approved estimated size to actual size)
· Earned value (size credit by phase based on estimated effort %)
· Quality control
o Defect analysis (where discovered vs. where created and type and severity)
o Defects/size by type and overall
o Rework hours/size by type and overall
o Rework cost/size by type and overall
o Rework hours/total programmer hours by type and overall
· Programmer (all) productivity (hours/size)
· Analyst/programmer ratio
· Project manager/programmer ratio
· Project manager/senior programmer ratio
· Ratio of non-programmer US hours/ non-programmer offshore hours
· Ratio of programmer US hours/ programmer offshore hours
· Size normalized 12 month trending by completed development projects for defects, effort, elapsed days, scope change, cost, etc.
· Scatter chart for the last 20 completed projects by size and productivity
Note - After the project is started, all project budgets and estimates shall be baselined and frozen. Changes to any project budget or estimate can only result from a Customer-approved Change Order. Vendor shall then use such changes for any budget to actual comparisons. The original baselined budgets and estimates shall be maintained.
VIII. Development Phases and Activities.
Not all activities apply to every engagement. Vendor should enter time against major (underlined) activities whether performing the activities or assisting another group in performing the activities. The activities are:
Pre-assignment
o Needs assessment
Project initiation
o Proposal (scope and high level plan/approach)
o Analysis (build or buy)
o High level technical architecture
o High level application architecture
o Business case (justification)
Requirements/Specification
o Define business requirements
o Business requirements inspection
o Preliminary plan
Design
o Detailed technical design
o Detailed application design
o Design inspection
o Sizing & estimating
o Detailed plan (include product & process quality activities)
Construction
o Coding or Integration
o Code inspection
o Unit testing
Testing/Certification
o String/Integration testing
o Volume testing
o Quality control (IVV) testing
o UAT
o Production stress testing
o Pre-production rework
Implementation
o Prepare user documentation
o Prepare user training materials
o Cutover to production
o Post-production rework (Warranty Period)
Post implementation
o Finalize service level reports
o Project review (within 30 days of implementation)
o Product review (within 90 days of implementation)
IX. Required Data Elements
For each individual Customer and for each project:
· Start date
· Original scheduled completion date by Customer phase
· Final revised scheduled completion date by Customer phase
· Number of revisions to final completion date (due to scope changes only)
· Actual completion date (not set until all Deliverables have been completed and turned over)
· Original estimated effort hours by Customer phase and resource type (based on the titles provided in this agreement for both on and off shore)
· Final revised estimated effort hours by Customer phase and resource type (based on the titles provided in this agreement for both on and off shore)
· Actual effort hours by Customer phase and resource type (based on the titles provided in this agreement for both on and off shore)
· Original size estimate
· Final revised size estimate
· Actual size at completion
· Inspection results (for requirements, code, test script) - Defect count and type, found vs. caused
· Testing defect count and type, found vs. caused
· UAT defect count and type, found vs. caused
· Warranty period defect count, type and caused
· Rework effort for each defect
EXHIBIT E
DISASTER RECOVERY PLANS
The following documents referenced below are incorporated herein by reference.
Virtusa Private Limited (Sri Lanka) BCP Document V 1.0 (Colombo, Sri Lanka) December 2000, as amended
Virtusa (India) Private Limited Business Continuity Plan (Hyderabad, India) October 2006, as amended
Virtusa (India) Private Limited Business Continuity Plan (Chennai, India) V.1.3, October 2006, as amended
EXHIBIT F
RATE CARD
Exhibit F to Professional Services Agreement
Volume Discounts. Subject to the assumptions set forth below, for each dollar of Spend (as defined below) based on the rate card set forth below, during the period of [***************] (the Discount Period), Vendor will provide Customer with the applicable discounts set forth in table below. Vendor shall make volume discount payments following the expiration of the Discount Period after all Spend for the Discount Period has been tabulated. Vendor shall make volume discount payments to Customer in the form of checks or credits, as directed by Customer and/or its Affiliates.
Slab Based Volume Discount Table
Dollars of Spend | Discount Applicable to Each Such
[**] to [***] | [***]
[***] to [***] | [***]
[***] to [***] | [***]
[***] to [***] | [***]
[***] to [***] | [***]
[***] to [***] | [***]
[***] to [***] | [***]
For example: If Spend for a Discount Period is [***] the discount due Customer following the Discount Period would be [****************************************************].
For purposes of this Agreement, Spend shall mean all fees charged and billed by Vendor to Customer (and any Affiliate thereof) for services provided during the Discount Period, and excludes all reimbursable expenses, any pass-through costs and taxes billed or incurred by Vendor during such Discount Period. No other fees from a prior or future period are included in the Spend. In addition, as a condition to each monthly amount of eligible fees invoiced by Vendor to Customer to be considered Spend under this Agreement, Customer must pay Vendor in a timely fashion, but in no event later than [***] days after the applicable due date as set forth in the Agreement of applicable Statement of Work (or by the Disputed Payment Period as set forth below). For the avoidance of doubt, any potential fees invoiced to Customer but not paid by Customer within the foregoing time periods shall be excluded from the calculation of Spend, and thus the eligible Discount calculations.
Early Pay Discount. Vendor will provide Customer with the following early pay discounts: (a) for each invoice related to Spend that Customer pays within [*******] of receiving such invoice, Vendor shall provide a discount to Customer equal to [**********] of the total amount of Spend due under such invoice, but if within [*********] of receiving such invoice, Vendor shall provide a discount to Customer equal to [*******] of the total amount of Spend due under such invoice; provided that with respect to any invoice (or portion thereof) disputed in good faith by Customer in writing within [********] of receipt by Customer, Customer shall pay Vendor the Disputed Amount within the earlier of (a) [*****] days following the date the written notice of dispute was given, or (b) [*********] after Virtusa's fiscal year end (the Dispute Payment Period) in order for the Disputed Amount to be counted towards Spend hereunder.
For each invoice in which Customer has satisfied the early payment criteria as set forth above, Customer shall deduct the applicable early pay discount from its payment for the applicable invoice.
The rate card set forth below is valid for the Discount Period for all engagements with Customer (and any Affiliate thereof) with respect to Spend during the Discount Period:
[********]