MASTER SERVICESAGREEMENT
Exhibit 10.35
MASTER SERVICES AGREEMENT
This Master Services Agreement (Agreement) is made as of September 9, 2004 (Effective Date) and is entered into by Thomson Healthcare Inc., a Florida corporation having offices located at 6200 South Syracuse Way, Greenwood Village, Colorado 80111 and Virtusa Corporation (SP) a Delaware corporation having offices located at 2000 West Park Drive, Westborough, Massachusetts 01581.
1. Standard Terms And Conditions:
The attached Standard Terms and Conditions for Master Services Agreement shall be deemed to be incorporated by reference into this Master Services Agreement and each Statement of Work entered into by Thomson Healthcare Inc. or any Affiliated Entity (as defined below), and SP as of the date thereof (and if such incorporating reference is omitted for any reason, such omission may be remedied at any time by either party, without additional consideration therefor, as of the effective date of the Statement of Work) so long as this Agreement is in effect at the time such Statement of Work is executed or is later revived during the term of performance of such Statement of Work.
2. Notice:
Except as otherwise provided in this Agreement, whenever notice, demand or other communication shall or may be given to either party in connection with this Agreement, it shall be in writing and shall be sent by certified mail, postage prepaid, return receipt requested or by overnight express carrier, and shall be sent to the following addresses (or to such other address or addresses as may be from time to time hereinafter designated in writing by the parties):
If to Thomson Healthcare Inc.:
Frank Licata
Senior Vice President and CTO, Thomson Scientific and Healthcare
3501 Market Street
Philadelphia, Pennsylvania 19104
With a copy to the Affiliated Entity for which Services under the relevant and affected Statement(s) of Work are performed:
With a copy to
Darren Pocsik
General Counsel, Thomson Scientific and Healthcare
1 Station Place
Stamford, Connecticut 06902
If to SP:
Thomas Holler
CFO
2000 West Park Drive
Westborough, MA 01581
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be effective as of the day, month and year first written above.
THOMSON HEALTHCARE INC. |
| VIRTUSA CORPORATION | ||
|
|
| ||
By: | /s/ Fred Lauber |
| By: | /s/ Thomas Holler |
|
|
|
|
|
Name: | Fred Lauber |
| Name: | Thomas Holler |
|
|
|
|
|
Title: | CTO |
| Title: | CFO |
STANDARD TERMS AND CONDITIONS FOR MASTER SERVICES AGREEMENT
1. Definitions:
Unless defined elsewhere in this Agreement, the capitalized terms in this Agreement shall have the meanings set forth in this Section 1. The terms defined below or used elsewhere in this Agreement shall be deemed to refer to the singular or plural as the context requires.
1.1 Affiliated Entity means any company, person or other legal entity that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with Thomson Healthcare Inc. where control means the possession, directly or indirectly, of the power to direct the management and policies of a party, whether through the ownership of voting securities, contract or otherwise.
1.2 Dedicated Staffing Levels means the resources specified by level of technological or managerial expertise, competencies, level of training and experience, team composition, physical work location, compensation levels or other specifications as set forth in a Statement of Work which SP agrees to assign over the Performance Period to fulfill the Thomson Requirements at the Outsourcing Center or at Thomson Sites, as Thomson and SP may determine.
1.3 Intellectual Property means any trademarks, service marks, patents, inventions, trade names, copyrights, moral rights, and trade secrets (whether or not any of these rights are registered) names, logos, websites, know-how, ideas, rights in designs, and other marks, reports, computer programs, software (source code and object code), programming aides, guides or material, documentation, manuals, charts, specifications, algorithms, formulas, data files, descriptions, diagrams, screen displays, schematics, blueprints, drawings, tapes, devices, listings, notes, records, tables, plans, schedules, flow charts, creative concepts and designs, program listings, or other materials, and any draft of any of the foregoing, including all applications for any such right, matter or thing or registration thereof and all rights or forms of protection of a similar nature or having equivalent or similar effect to any of these rights which may subsist anywhere in the world.
1.4 Key Resources means SP Personnel specified as key resources in the relevant Statement of Work.
1.5 OC Specifications means the requirements and specifications agreed between Thomson and SP concerning the physical location and facilities, technological capabilities and operational and environmental aspects of an Outsourcing Center as more particularly set forth in Schedule 1.5 attached hereto.
1.6 Outsourcing Center (OC) means a Services facility located in a mutually agreed location, operated by and leased or under the control of SP, which conforms to the OC Specifications.
1.7 Performance Period means the term set forth in a Statement of Work during which SP shall provide the Dedicated Staffing Levels at the Outsourcing Center
2
or at Thomson Sites, as applicable, in support of the Thomson Requirements in performance of the Services.
1.8 Personnel means SPs employees, technical advisors and specialists and any agents, contractors, and subcontractors used by SP in fulfilling the Dedicated Staffing Levels as set forth in a Statement of Work. For the avoidance of doubt, Personnel includes all billable/non-billable employees, agents and staff as noted above.
1.9 Services means the maintenance, enhancement, development and/or consulting services to be provided by SP pursuant to this Agreement as set forth in a Statement of Work; and any services, functions and responsibilities not specifically described which are required for the proper performance and delivery of the Services set forth between Thomson and SP.
1.10 SP Confidential Information means SPs Proprietary Intellectual Property (as defined in Section 7.4).
1.11 Statement of Work means the Exhibit(s) (a form of which is attached hereto in Exhibit A) listing the Services or Work Product to be provided or delivered by SP and the Thomson Requirements, Dedicated Staffing Levels, Key Resources, Service Levels, Payment Terms, and Performance Period related to the same. Statement(s) of Work shall be signed by both Thomson and SP and shall be subject to and made a part of this Agreement. Statement(s) of Work may be revised from time to time subject to an appropriate change order or amendment to the applicable Statement of Work, which is executed and delivered by Thomson and SP.
1.12 Thomson Confidential Information means: (i) the Work Product; (ii) all information provided to or obtained by SP in the course of performing the Services including, without limitation, Intellectual Property, sign-on passwords and access codes whether proprietary to Thomson or third parties; (iii) any documents developed by SP for training of Personnel on applications and systems used by Thomson and/or knowledge transfer; (iv) any hard assets of Thomson; (v) any identification of competitors of Thomson provided by Thomson to SP as part of a Statement of Work; and (vi) any other information about the operations of Thomson or its customers, including, without limitation, financial information, health information, requests for proposals, information about business plans, product design information and other information, which Thomson considers to be confidential.
1.13 Thomson Requirements means collectively, the Services, the scope of work to be performed and service levels to be met by SP as set forth in writing between Thomson and SP, including, but not limited to, project proposals, project descriptions, deliverables, delivery dates, performance and acceptance criteria, pricing and payment terms, minutes and meeting notes, and technical requirements and specifications.
3
1.14 Thomson Sites means facilities under the operational control of Thomson at which SP may perform Services or deliver Work Product conforming to the Thomson Requirements.
1.15 Thomson means Thomson Healthcare Inc. and its Affiliated Entities, all of which may be referred to individually and collectively in this Agreement as Thomson and each of which (in its individual capacity) may from time to time request SP to perform Services pursuant to a Statement of Work. Neither Thomson Healthcare Inc., nor any Affiliated Entity entering into a Statement of Work with SP shall be responsible under any other Statement of Work between SP and another Affiliated Entity or Thomson Healthcare Inc.
1.16 Work Product means any product or deliverable SP is to provide Thomson under this Agreement as set forth in a Statement of Work, including, without limitation, all Intellectual Property relating thereto. Work Product shall not include any Intellectual Property developed by SP or any third party prior to SPs commencement of work for Thomson or outside the scope of the Services without use of any Thomson Confidential Information.
2. Provision of Services and Work Product:
2.1 Thomson may, from time to time, issue a Statement of Work to SP under this Agreement requesting SP to provide Services. The Affiliated Entity that issues a Statement of Work (or Thomson Healthcare Inc., if such entity issues a Statement of Work) shall be solely responsible for the duties and obligations with respect to such Statement of Work. In no event shall Thomson Healthcare Inc. or any Affiliated Entity be deemed to be a guarantor of, or otherwise responsible for, any obligation of any other party entering into a Statement of Work hereunder.
2.2 The Statement of Work shall be in writing and shall be executed by both parties. If SP accepts a Statement of Work from Thomson, it shall do so promptly by executing and returning the Statement of Work. However, if SP begins to perform the Services designated in a written Statement of Work that has been signed by a Thomson employee at the Vice President level or higher and such Statement of Work had been agreed to in all respects by SP except that SP has not yet signed and returned the Statement of Work, SP shall be deemed to have accepted the Statement of Work in accordance with all of its terms on the date work begins. Each Statement of Work accepted by SP shall be completed in accordance with the provisions of the Statement of Work and the provisions of this Agreement, including the Standard Terms And Conditions For Master Services Agreement and no other provisions shall be deemed applicable.
2.3 The Performance Period will be specified in each Statement of Work. SP agrees and understands that prompt performance by SP of all Services is required by Thomson in order to enable Thomson to meet its schedules and commitments, and that time is of the essence for the Services to be provided (including Work Product to be delivered) by SP, and that timeliness of Work Product and the Services to be performed by SP are also expressly subject to Thomsons timely and satisfactory performance of its obligations and other assumptions, all as set
4
forth in the applicable Statement of Work. While SP shall control the detail, manner and method of performing Services under this Agreement, it is understood that all Services shall be subject to inspection and approval of Thomson. SP agrees to submit, from time to time or as requested by Thomson, written and oral reports, programs, conclusions, process reports, recommendations and other materials concerning the Services.
2.4 SP agrees to supply the Dedicated Staffing Levels, to perform the Services and supply Work Product at the Outsourcing Center or at a Thomson Site as designated by the parties and agreed to in writing in a Statement of Work. Services and Work Product shall at all times be subject to the acceptance criteria as set forth in an applicable Statement of Work. SP further agrees to train the necessary person(s) and develop skills as needed or acquire the necessary resources, at its expense, to supply the Dedicated Staffing Levels as required.
2.5 Prior to assigning Personnel, SP shall notify Thomson of the proposed assignment, shall offer to introduce the individual to appropriate representatives of Thomson, and shall provide Thomson with a resume and other information regarding the individual that may be reasonably requested by Thomson. SP shall appoint and identify to Thomson at least one Key Resource for each Statement of Work who shall have overall responsibility for decision-making and managing SPs Personnel assigned to each Statement of Work under this Agreement. SPs assignment of Key Resources shall be subject to Thomsons written consent, which shall not be unreasonably withheld. Replacement or re-assignment of Key Resources shall not be done upon less than three (3) months prior written notice to Thomson, except for issues outside of SPs control such as immigration issues or attrition. Key Resources may include SPs relationship manager, the Outsourcing Center manager, the Thomson Site manager (if any), project managers and senior technical people.
2.6 SP will use all reasonable commercial efforts to manage its resources to ensure that the performance of the Services is not adversely affected by changes in the identity of persons performing such Services. Thomson reserves the right to require Personnel changes, or object to SP, to any person assigned by SP used in the performance of the Services who shall, in the reasonable opinion of Thomson, engage in any misconduct or be incompetent or negligent and SP shall immediately remove such person from performing the Services, except if any resource is sought to removed for performance related issues, Thomson shall provide 10 (ten) days written notice to SP and specify the nature of the performance issues which if uncured within such period, SP shall promptly remove such person. SP shall promptly provide an appropriate replacement. SP will only substitute a person performing Services with another person of at least equal or substantially similar professional competence. Thomson shall have the right to request the removal of any Personnel who do not comply with Thomsons security, health and safety rules and such other Thomson policies and staff rules. SP is prohibited from changing Personnel without prior written notice of the proposed change, Thomson approval of the replacement Personnel (not to be unreasonably withheld), an appropriate overlap and knowledge transfer period (to
5
be no less than ten (10) days), and completion of training and orientation, at SPs expense.
2.7 In the event that the nature of Services to be provided under a Statement of Work requires SP to work on a Thomson Site, or Thomson consents to a request therefor, Thomson shall provide to SP such facilities, space, office supplies and support as may be reasonably required by the nature of such Services. Except as provided to the contrary in a Statement of Work, SP shall otherwise be responsible to provide such supplies, equipment and facilities, including but not limited to software, hardware, and tools, as it may require to perform the Services and shall be responsible for all costs and expenses thereof.
2.8 SP shall cause all Personnel to execute appropriate instruments of assignment, as set forth in Exhibit C or such other form as provided by Thomson, and at Thomsons request, SP shall provide copies of such instruments to Thomson and cooperate with respect to any action taken by Thomson to secure or protect ownership of the Work Product.
2.9 SP shall not assign, request or retain any non-employee agent, consultant or subcontractor to assist it in the performance of Services without prior written consent of Thomson. SP shall be responsible for all acts, defaults or neglects of any and all Personnel in the performance of this Agreement, including any such agent, consultant or subcontractor, as fully as if they were acts, defaults or neglects of SP, and no relationship of employer and employee is hereby created or implied as between Thomson and such Personnel. SP shall be solely responsible for payment to all Personnel, including any such agent, consultant, or subcontractor. SP shall include a provision in all of its agreements with employees, agents, consultants, and subcontractors stating the same.
2.10 All Personnel assigned to perform Services shall be required to read and certify that they will comply with all Thomson written policies and procedures, as such policies and procedures are amended from time to time by Thomson, in its sole discretion, including, but not limited to, programming policies and procedures, code version, configuration management, bug tracking, security access, code staging, acceptance testing, project tracking, and naming conventions. SP agrees that it will not, nor will any Personnel, tamper with, compromise, or attempt to circumvent any physical or electronic security or audit measures employed by Thomson in the course of its business. SP agrees that Thomson may review any information, electronic mail communications, or other data stored on or contained in any computer hard drive, disk or any other storage medium used in and related to the performance of a Statement of Work to determine whether there has been any breach of security or violation of this Agreement, regardless of whether such computer hard drives, disks, storage media or electronic mail communications are on equipment owned or leased by SP or any Personnel.
2.11 In the event it is necessary for SP to obtain visas or work permits for Personnel, Thomson will cooperate with SP by taking all reasonably necessary actions to facilitate SPs efforts, including providing documentation indicating the nature and location of the work to be performed, the necessity of the work to be
6
performed, and other documentation as may be reasonably required and related to this Agreement, and posting such notices as may be legally required. Notwithstanding the foregoing, SP shall ensure that all Personnel will have satisfied all necessary and applicable legal requirements in obtaining such visas or work permits and SP shall be solely responsible for acquiring all work permits and visas for Personnel, and Thomson will not be liable for any costs or issues arising from or relating thereto.
2.12 SP shall not use any Thomson resource for performing services for any party other than Thomson and agrees that any and all Restricted Personnel (as defined below) providing Services or delivering Work Product as provided herein on behalf of Thomson pursuant to a particular Statement of Work will not be assigned or involved in any projects directly or indirectly performed for the benefit of any Thomson competitor(s) identified in such Statement of Work (a Named Competitor) during the term of such Restricted Personnels performance of services under the Statement of Work and for a period of 6 months thereafter. Identification of Named Competitors shall be those companies competitive to the Thomson entity engaging SP under the Statement of Work and will not exceed at any time 10 companies per such Thomson entity and may be updated in writing by Thomson, in its reasonable discretion, from time to time but no more than once every 6 months. Such update shall be effective upon delivery to the SP Relationship Manager as such term is defined in Section 3.1 hereof. Restricted Personnel shall mean a Virtusa resource engaged under the applicable Statement of Work with titles, responsibilities or functions of project manager, architect, design engineer, technical lead, developer, senior engineers or engineer.
2.13 Thomson may revise the Services set forth in a Statement of Work in a manner which does not vary the nature of SPs work or materially increase the burden on SP (material shall mean an increase of time or resources of 1% or more (individually or in the aggregate) of the estimated time or resources as of the time of the revision) Any other revision to Services may be effected from time to time only pursuant to Thomsons request to SP for a quotation based upon the proposed revision. Such quotation shall be provided by SP no more than seven (7) days after SPs receipt of such request, and Thomson shall accept or reject such quotation within seven (7) days from its receipt thereof. Failure by Thomson to affirmatively accept a quotation in writing shall be deemed a rejection; diligent pursuit of negotiation of a quotation by Thomson shall stay the seven (7) day period for so long as such negotiations are pending.
3. Relationship Management:
3.1 During the term of this Agreement, Thomson and SP shall each designate an employee with sufficient knowledge and background to act as the primary liaison between Thomson and SP (the Thomson Relationship Manager or SP Relationship Manager as the case may be). Each Relationship Manager will have primary operational responsibility for its responsibilities hereunder and will serve as the primary liaison with the other party to the relevant Statement of Work. SP hereby initially designates the sales executive on such account
7
as the SP Relationship Manager. The SP Relationship Manager shall be deemed a Key Resource.
4. SPs Representations and Warranties:
4.1 SP represents and warrants that: (i) it has the expertise, experience and the necessary personnel, software, licenses, and equipment to perform the Services and to fulfill the Thomson Requirements; (ii) it has all necessary power and authority to enter into this Agreement and has fully disclosed all material circumstances that may affect its performance under this Agreement; (iii) this Agreement and its performance hereunder do not and will not violate the terms of any other contract, covenant or agreement between SP and any third party now existing or hereinafter entered into; and (iv) subject to the terms specified in Sections 8.1, 8.2, 8.3, 8.4 and 8.5, neither the Work Product nor the performance of the Services infringes upon or violate the rights of any third party and, except as expressly set forth in a Statement of Work, SP is the owner of or has the right to assign to Thomson all Work Product or has the right to license the use thereof.
4.2 SP shall comply with all applicable laws or other requirements imposed by U.S. or foreign law in its performance of this Agreement including, but not limited to (i) any and all data protection laws that are or may come into effect during the term of this Agreement in all relevant jurisdictions; and (ii) the export control restrictions of the United States, and shall obtain all appropriate permits and authorizations necessary to perform the Services. SP shall use all reasonable efforts to identify and notify Thomson of any changes in applicable laws and regulations that may directly relate to the delivery or receipt of Services. SP shall be responsible for any fines and penalties arising from any noncompliance by SP or its Personnel with the laws or regulations applicable to SP or, as specified in the Statement of Work, in respect of the delivery or receipt of Services. To the extent that any of the Services or Work Product cannot be performed or provided without violation of any law, regulation, or other control, then SP shall use commercially reasonable efforts to develop and, upon Thomson approval, implement a suitable work-around until such time as SP can perform the Services without such work-around.
4.3 SP ensures that Work Product when finally delivered to Thomson by SP under this Agreement and a Statement of Work shall be free from harmful viruses or disabling code of any description designed to damage, interfere with, degrade the performance of, or otherwise adversely affect Thomsons computer hardware, networks, systems, programs and/or data files.
4.4 SP shall exercise all reasonable care for the protection of Work Product, works in progress, Thomson Confidential Information, and other Thomson information, data, and files and shall maintain data integrity safeguards against the deletion or alteration of such data and materials in conformity with industry best practices. SP shall not use any electronic means, including, but not limited to, any hidden files, any software or hardware limiting function, any virus, any key lock or illicit code, whether implemented by electronic or other means, to block Thomsons access under this Agreement or any Statement of Work. In the event that any
8
such data or material is lost or destroyed because of any act or omission of SP, or any noncompliance with the obligations of SP under this Agreement, then SP shall, at its own expense, use its best efforts to reconstruct such data and materials as soon as feasible.
4.5 For a period consisting of the longer of the period set forth in the Statement of Work (if any) or three (3) months from the date on which the Work Product is finally accepted by Thomson in accordance with the acceptance criteria set forth in a Statement of Work, the Work Product shall operate without any Material Defects (as defined below) from the technical specifications and requirements agreed to in writing by the parties as set forth in the applicable Statement of Work. During this period, SP undertakes to use reasonable commercial efforts to expeditiously correct and remediate at its own expense and in consultation with Thomson, any such Material Defects which are able to be replicated. The foregoing warranty in this Section shall not apply to: errors in, or non-conformance by, the Work Product caused by (i) Thomsons negligent misuse, (ii) Thomsons hardware malfunction, or other causes beyond the reasonable control of SP, (iii) third party software not licensed through or provided by Virtusa, or (iv) modification, customization or damage to the Work Product (other than as authorized by, or by, SP) or errors in the Work Product caused directly by the performance or non-performance of Thomson of its obligations under any Statement of Work. Material Defects shall be defined as material errors in the Work Product that have caused the system to crash, or material errors in the Work Product that would destabilize the system if not remedied or the Work Product lacks major functionality (from that set forth in the written specifications).
4.6 SP shall establish and maintain precautions to prevent its Personnel from making, receiving, providing, or offering substantial gifts, entertainment, payments, loans, or other consideration to employees, agents, or representatives of Thomson.
4.7 SP agrees that it shall not incorporate, embed, or otherwise involve any third party materials, including, but not limited to any open source software in any Work Product, and that it shall not use any third party materials, including, but not limited to any open source software, in the performance of Services without the prior written consent of Thomson.
4.8 SP agrees to notify Thomson promptly upon discovery of any instance where SP fails to comply with this Section 4.
4.9 EXCEPT AS STATED IN THIS SECTION 4, SP MAKES NO OTHER REPRESENTATIONS OR WARRANTIES WHATSOEVER, WHETHER ORAL, EXPRESSED, IMPLIED, OR STATUTORY AND HEREBY DISCLAIMS ANY AND ALL WARRANTIES WITH REGARD TO THE SERVICES, THE DELIVERABLES, ANY SOFTWARE AND ANY OTHER MATERIALS OR ITEMS PROVIDED HEREUNDER. SP SPECIFICALLY DISCLAIMS ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
9
5. Personnel Payments/Benefits:
5.1 Personnel shall not be entitled to any sick pay or benefits, holiday pay, any pension, bonus or other fringe benefits or any other advantage or privilege enjoyed by employees of Thomson and hereby waive any claim thereto. SP shall indemnify Thomson and each of its directors, employees and agents in respect of any claims that may be made to the contrary. SP shall treat any such Personnel as its employee for all purposes including, but not limited to, the payment of any federal, state and local employment and social security taxes and shall deduct from such Personnels salaries all applicable taxes, charges for benefits and any and all other deductions and withholdings which are required by law. SP shall indemnify Thomson for any breach of its obligations under this Section 5.
5.2 SP shall be fully responsible for any payment required to be made to any person which is payable under statute, contract or common law as a consequence of such persons employment being terminated or his conditions of employment being adversely changed as a result of a reduction in Thomsons requirements for the Services or the termination of this Agreement or any Statement of Work.
6. Confidentiality:
6.1 With regard to SP Confidential Information disclosed under this Agreement and any Statement of Work, Thomson shall be deemed to be the Receiving Party and SP shall be deemed to be the Disclosing Party. With regard to Thomson Confidential Information disclosed under this Agreement or any Statement of Work, SP shall be deemed to be the Receiving Party and Thomson shall be deemed to be the Disclosing Party. Confidential Information shall be deemed to be SP Confidential Information when Thomson is the Receiving Party, or Thomson Confidential Information when SP is the Receiving Party. The Receiving Party shall hold all Confidential Information of the Disclosing Party at all times in trust and confidence, shall take all appropriate action to ensure the confidentiality and security of the Disclosing Partys Confidential Information, and shall treat the Disclosing Partys Confidential Information with the same degree of care that it uses to protect its own most confidential information of like kind and value, but in no case less than a reasonable degree of care. Without Disclosing Partys express written authorization, Receiving Party shall not use Confidential Information for its own benefit or for the benefit of any party other than Disclosing Party, and shall not duplicate or disclose the Confidential Information in any manner to any other party other than such of its Personnel or employees who have a need to know such information solely in connection with the express purposes of this Agreement. In no event shall SP use Thomson Confidential Information to Thomsons detriment. Receiving Party shall not, and shall not assist others to, disassemble, decompile, reverse engineer or otherwise attempt to recreate Confidential Information. Notwithstanding the foregoing, from time to time, Disclosing Party may require that any Confidential Information held by Receiving Party be returned to Disclosing Party, or destroyed or erased by Receiving Party, at Disclosing Partys option.
6.2 Neither party shall, without Disclosing Partys express written consent and, if such Confidential Information has been provided by Thomson, without complying with Thomsons security procedures: (i) remove from a Thomson Site or the
10
Outsourcing Center any Confidential Information of the Disclosing Party or any information or other property of Disclosing Party, in any form or medium; or (ii) access any such Confidential Information or computer systems of Disclosing Party, unless expressly set forth in a Statement of Work hereto.
6.3 Upon the termination of this Agreement, any Statement of Work, or upon request of Disclosing Party, Receiving Party shall: (i) at the Disclosing Partys option promptly destroy or return all Confidential Information to the Disclosing Party, whether in written or electronic form, and neither Receiving Party nor any of its employees or Personnel shall retain any copies, extracts, or other reproductions thereof, in whole or in part, in any form whatsoever; and (ii) take all reasonable steps to assure that all documents, memoranda, notes, and other writings or electronic records prepared by it which include or reflect any Confidential Information belonging to the Disclosing Party and cannot be returned pursuant to (i) above, or, if otherwise requested by Disclosing Party, are destroyed or erased from its computer systems. If requested by Thomson, SP shall certify in writing its exacting compliance with this provision.
6.4 Receiving Party recognizes that Disclosing Party may suffer irreparable harm as a result of the unauthorized disclosure, reproduction or use of any Confidential Information of the Disclosing Party and that monetary damages will be inadequate to compensate Disclosing Party for such breach. Therefore, Receiving Party agrees that in the event of any failure to comply with the provisions of this Section, Disclosing Party shall be entitled to a preliminary injunction, and any other equitable relief in order to protect and recover the Confidential Information.
6.5 Notwithstanding anything herein to the contrary, if disclosure of any Confidential Information of the Disclosing Party is legally required to be made by Receiving Party in or pursuant to a judicial, administrative or governmental proceeding or order or similar proceeding or order of a self-regulatory organization or otherwise required to be disclosed by law of any governmental agency (including the SEC), the Receiving Party may make such disclosure but only to the extent required to comply with the law; provided, however, that if required, Receiving Party will cooperate if Disclosing Party seeks a protective order or other legal action to resist such disclosure and shall limit such disclosure to the minimum required.
6.6 Notwithstanding the foregoing, the obligation to treat information as Confidential Information shall not apply to: (i) information received independently from a third party by the Receiving Party, which third party is not under a confidentiality obligation to Disclosing Party with regard to such information; (ii) information in the possession of the Receiving Party prior to the Effective Date other than by reason of the Services to be performed or received pursuant to this Agreement; (iii) information that is or becomes generally available through no wrongful act of either party or (iv) information that is independently developed by or for the Receiving Party without benefit of the Disclosing Partys Confidential Information; provided that, for each of the foregoing exceptions, the Receiving Party provides the Disclosing Party with written documentation evidencing the same upon request of the Disclosing Party.
11
6.7 SP shall advise its Personnel of their obligations under this Section 6 and that such obligations continue even in the event such Personnel leave the employ of SP (if applicable) or cease work on a Statement of Work, and SP shall be responsible for each such Personnels compliance with such obligations and shall require each such Personnel to execute Thomsons Non-Disclosure Agreement, as set forth in Exhibit B or an agreement which is no less restrictive than the terms set forth therein.
6.8 This Section 6 shall survive termination of this Agreement, regardless of the party that terminated this Agreement or the reasons therefor.
7. Ownership of Work Product:
7.1 SP acknowledges that Thomson shall have exclusive, unlimited ownership rights to all Work Product and all materials, information, works in progress, and/or deliverables prepared hereunder or developed, conceived, reduced to practice or fixed in a tangible medium of expression as a result of SPs performance hereunder, both as individual items and/or a combination of components and whether or not a Statement of Work is completed, including, without limitation, all rights to patents, copyrights, trademarks, trade secrets, know-how, and other Intellectual Property rights inherent therein or appurtenant thereto now known or later developed, in any jurisdiction. Thomson shall be deemed the author of the Work Product within the meaning of the copyright laws. Work Product shall be deemed to be work made for hire and made in the course of services rendered and shall belong exclusively to Thomson, with Thomson having the sole right to obtain, hold and renew, in its own name and/or for its own benefit, patents, copyrights, and/or other appropriate protection. To the extent that exclusive title and/or ownership rights may not originally vest in Thomson as contemplated hereunder, SP hereby makes a continuing, irrevocable assignment, transfer and conveyance thereof, as created, to Thomson, and shall cause Personnel to make such continuing, irrevocable assignment, transfer and conveyance thereof, as created, to Thomson, of all right, title and interest therein including, without limitation, all rights to patents, copyrights, trademarks, trade secrets, know-how, and other Intellectual Property rights inherent therein or appurtenant thereto, now known or later developed, in any jurisdiction. Except for SP Proprietary Intellectual Property, no right or interest in Work Product is retained by SP, whether by implication, estoppel, or otherwise. To the extent that any such assignment, transfer and conveyance set forth herein may be limited, prohibited, or without effect, SP, without need for additional consideration, hereby grants to Thomson an exclusive, irrevocable, perpetual, royalty free, world-wide, fully transferable (in whole or in part) license to all Work Product and all materials, information, works in progress, and/or deliverables prepared hereunder or developed, conceived, reduced to practice or fixed in a tangible medium of expression as a result of SPs performance hereunder, both as individual items and/or a combination of components and whether or not a Statement of Work is completed, including, without limitation, an exclusive, irrevocable, perpetual, royalty free, world-wide, fully transferable (in whole or in part) license to all rights in patents, copyrights, trademarks, trade secrets, know-how, and other Intellectual Property inherent therein or appurtenant thereto now known or later
12
developed, in any jurisdiction. Upon termination of any Statement of Work, or this Agreement, or upon Thomsons earlier request, SP shall promptly deliver to Thomson all Work Product, including, but not limited to all works in progress (or any lesser part designated by Thomson in writing) and all materials, including, but not limited to Thomson Confidential Information, which Thomson furnishes to SP in connection with this Agreement
7.2 At Thomsons request SP shall execute and deliver, and shall cause its Personnel to execute and deliver, any documents necessary or useful to give effect to the provisions of Section 7.1. For the avoidance of doubt, no rights of any kind in or with respect to any Work Product are reserved to SP.
7.3 In the event (and to the extent) that any Work Product contains any items or elements supplied by SP which may be proprietary to any third party, and unless expressly set forth otherwise in any Statement of Work, SP hereby grants to Thomson an irrevocable, perpetual, non-exclusive, royalty-free, world-wide license to: (i) use, execute, reproduce, display, perform, distribute copies of, and prepare derivative works based on, such pre-existing rights as incorporated into the Work Product; and (ii) authorize others to do any of the foregoing.
7.4 Thomson acknowledges that as part of performing the Services, Personnel may use proprietary software, including the tools or data, which has been originated by SP other than as part of its performance hereunder, or which has been purchased by, or licensed to, SP, as identified in the applicable Statement of Work (collectively, SP Proprietary Intellectual Property). Thomson agrees that SP Proprietary Intellectual Property is the sole property of SP (or its licensor) and that SP (or its licensor) will at all times retain sole and exclusive title to and ownership thereof. Notwithstanding the preceding, SP hereby grants to Thomson an irrevocable, perpetual, non-exclusive, world-wide, royalty free license to (i) copy for back-up, archival, and testing purposes, (ii) access, (iii) use, operate, and maintain, and (iv) modify and create derivative works of the SP Proprietary Intellectual Property, as necessary or desirable, in each case, for the proper use, functioning, maintenance, upgrading, and monitoring of Services and Work Product; and hereby grants the right to do any of the foregoing to third parties engaged by Thomson, for Thomsons business purposes. SP shall deliver to Thomson complete and correct copies of all such SP Proprietary Intellectual Property in the form and/or the media being used by SP in connection with the Services and in source code format including, but not limited to, flow charts, user instruction manuals, and all other documentation reasonably necessary to support the purposes of this license thirty (30) days on or before the effective date of any termination or expiration of Services. Thomson may not, without SPs written consent, distribute the source code as a stand-alone product or otherwise use the source code in a manner inconsistent with this license provision. In addition, SP may use and employ (i) its general skills, know-how, techniques, concepts and expertise within its general knowledge and in the regular course of its business and (ii) any enhancements, modifications and derivative works to SP Proprietary Intellectual Property of general application developed by SP during the term of this Agreement and any Work Order hereunder, subject to, in the case of both (i)
13
or (ii), SPs obligation to protect Thomsons Confidential Information under this Agreement.
7.5 Upon Thomsons request, SP shall register, re-register, or release, as the case may be, all Internet addresses provided by SP to Thomson that are held by Thomson or SP in connection with the provision of the Services in Thomsons name pursuant to the Statement of Work. All network identification and access codes issued to Thomson and its representatives and users by, or on behalf of, SP shall be the sole property of Thomson. SP hereby assigns to Thomson all rights which SP may own or possess in and to such codes and agrees to execute such documents or take such other actions as may be reasonably necessary to effect this assignment.
8. Indemnification:
8.1 SP will defend, indemnify and save harmless Thomson and each of its directors, officers, employees and agents against all third party claims, demands, damages, judgments, costs and expenses (including reasonable attorneys fees), taxes and penalties arising out of or related to (i) the use or possession of the Work Product supplied by SP under this Agreement that infringes the intellectual property rights, personal privacy rights or data protection rights of any third party, or any breach of an obligation of confidentiality owed to any third party (ii) a breach by SP of any representation, warranty, covenant or agreement made by it in Section 4.1 (i), (ii), (iii), 4.2, 4.3, 4.4, 4.6, or 4.7 or Section 5 or Section 6 of this Agreement, (iii) the gross negligence or willful misconduct of SP, or (iv) the wrongful death, personal injury, or personal or real property damage arising from SPs acts or omissions, its employees or agents. SP will pay any and all losses and damages with respect to any such third party claim finally awarded to such third party against Thomson (and any indemnified party as set forth above) by a court of competent jurisdiction after all appeals have been exhausted or at the time of a final settlement of such claims or final award, if applicable, as well as all pre-approved (by SP in writing) out of pocket expenses (including reasonable attorneys fees) incurred by Thomson as a result of such third party claim. If SP fails to assume the defense of any actual or threatened action covered by this Section 8 within the earlier of (a) any deadline established by a third party in a written demand or by a court and (b) thirty (30) days of written notice of the claim, Thomson may follow such course of action as it reasonably deems necessary to protect its interest, and shall be indemnified for all costs reasonably incurred in such course of action.
8.2 In the event of any infringement, claim (whether pursuant to Section 4.1(iv) or Section 8.1), or breach arising under Section 8.1, as condition to such indemnification, Thomson shall (i) notify SP promptly in writing of any such infringement, breach, or claim of which it has notice; however Thomsons failure to give prompt notice shall not relieve SP of any liability hereunder (except to the extent SP has suffered actual material prejudice by such failure), (ii) allow SP to have control of the defense, all negotiations and litigation and settlements resulting from any such action, and (iii) at the request of SP, afford all reasonable assistance with such negotiations or litigation at SPs sole expense. In addition, SP shall have the right, with Thomsons express consent, to settle any action if
14
such settlement (a) does not contain a stipulation to or admission or acknowledgement of, any liability or wrongdoing on the part of Thomson, (b) does not involve the incurrence of any costs or expenses by Thomson, and (c) does not impose any obligation upon Thomson. Thomson reserves the right, at its sole cost and expense, to participate in the defense of any matter subject to indemnification by SP.
8.3 If a third party claim or demand is made or action brought to which Subsection 8.1 (i) may apply or in which Section 4.1(iv) may apply, or in Thomsons or SPs reasonable opinion is likely to be made or brought, SP shall at its own expense, either: (i) modify any or all of the Work Product without reducing the performance and functionality of the same, or substitute alternative Work Product or services of equivalent performance and functionality for any or all of the Work Product, so as to avoid the infringement or breach, or the alleged infringement or breach; (ii) procure a license to use the Work Product on terms which are reasonably acceptable to Thomson; or, if neither of these remedies in clause (i) or (ii) are reasonably available to SP, (iii) SP may cause Thomson to cease using the infringing Work Product and remove the infringing or violative Work Product and refund to Thomson all fees paid for such Work Product that are the subject of such a claim (and any Work Product made unusable by the removal of such infringing Work Product).
8.4 SP shall have no obligation under Subsection 8.1(i) for any infringement or misappropriation claim resulting directly from: (i) any unauthorized modification by Thomson or a third party if and only to the extent that such modification caused such infringement; (ii) any aspect of Thomsons software, documentation or data which existed prior to SPs performance of the Services and was used directly in connection with creating and/or providing the Work Product; (iii) Thomson continuing the allegedly infringing activity after being informed and provided with modifications that would have avoided the alleged infringement; or (iv) with respect to a patent infringement claim only, SPs compliance with Thomsons designs, specifications or instructions if and only to the extent that such use caused such infringement.
8.5 Except as otherwise provided in this Agreement, the foregoing Sections 8.1-8.5 state SPs entire liability and obligations and Thomsons sole and exclusive remedy for any patent, copyright or other intellectual property infringement claims against the Work Product under this Agreement, including a breach of Section 4.1(iv), and is in lieu of any warranty of title, non-infringement and the like.
8.6 Thomson will defend, indemnify and save harmless SP and each of its directors, officers, employees and agents against all third party claims, and demands and damages, judgments, costs and expenses (including reasonable attorneys fees), taxes and penalties arising out the use or possession of any existing Thomson code, designs or architecture supplied by Thomson under this Agreement and used by SP in conjunction with the Work Product that infringes the intellectual property rights, personal privacy rights or data protection rights of any third party, or any breach of an obligation of confidentiality owed to any third party by
15
Thomson, except Thomson shall have no liability for any such claim based on the combination or use of the code, designs or architecture with materials not furnished by Thomson, if, but for such combination, no such claim would have occurred.
9.0 Payment Terms / Pricing:
9.1 Thomson agrees to pay the fees for Services and Work Product in accordance with the payment provisions and at the charge rates contained in each applicable Statement of Work. Payments shall be due and payable at the times specified in such Statement of Work. If SP discovers or is advised of any errors or exceptions related to its invoicing for Services, SP and Thomson will together review the nature of the errors or exceptions, and SP will, if appropriate, promptly adjust the relevant invoice(s) or refund overpayments.
9.2 Payment to SP will be subject to any withholding tax provisions as may be applicable. SP is responsible for paying any and all license fees and taxes levied, assessed or imposed on SP to enable it to perform Services under each Statement of Work. Any applicable state and local VAT, sales or use tax, goods and services tax or any similar tax due on Services performed under each Statement of Work are the duty of SP to collect and shall be separately stated on all invoices as such, which invoices shall comply with the requirements of the relevant taxing authority. However, SP shall not collect any VAT, sales or use taxes, goods and services taxes or any similar taxes on Services for which Thomson furnishes a properly completed Exemption Certificate. In the event that SP is entitled to claim a foreign tax credit benefit with regard to withholding taxes associated with cross border payments under any Statement of Work, Thomson shall not be charged or otherwise billed for such taxes. SP shall indemnify and save Thomson completely harmless against all costs and liabilities which Thomson may incur with respect to SPs failure to make any of the payments referenced in this Section 9.2.
10. Insurance Coverage; Limitation of Liability:
10.1 Without limiting its liabilities under this Agreement, including Section 8 and this Section 10, SP shall maintain in force during the term of this Agreement, insurance coverages at the following levels:
10.1.1 Commercial General Liability Insurance - $2,000,000 per occurrence limit and $2,000,000 general aggregate limit;
10.1.2 Workers Compensation and Employers Liability Insurance in accordance with current statutory limits; and
10.1.3 Professional Liability, including Media Liability, Insurance - $1,000,000 per occurrence limit and $3,000,000 general aggregate limit.
10.1.4 All required insurance must be issued by an insurance company that has an A rating. If SP fails to produce evidence of insurance coverage at the
16
reasonable written request of Thomson, then Thomson may terminate this Agreement with immediate effect. SP agrees to name Thomson as an additional insured under its Commercial General Liability Insurance policy. SP shall not modify or cancel any coverage hereunder without providing prior written notification to Thomson of such proposed action.
10.2 NEITHER SP NOR THOMSON SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING OUT OF THIS AGREEMENT, EVEN IN THE EVENT THAT IT IS ADVISED OF THE POSSIBILITY THAT SUCH DAMAGES MAY ARISE, OR THAT SUCH DAMAGES MAY HAVE BEEN FORESEEABLE.
10.3 SPS LIABILITY TO THOMSON FOR DIRECT DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES SHALL NOT EXCEED THE TOTAL FEES PAID BY THOMSON UNDER THE RELEVANT STATEMENT OF WORK GIVING RISE TO SUCH CLAIM, WHETHER SUCH LIABILITY IS BASED ON AN ACTION IN CONTRACT, WARRANTY, STRICT LIABILITY OR TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE.
10.4 THOMSONS LIABILITY TO SP FOR DIRECT DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES SHALL NOT EXCEED, IN THE AGGREGATE, THE TOTAL FEES PAID BY THOMSON TO SP DURING THE PRECEDING TWELVE (12) MONTHS UNDER THE RELEVANT STATEMENT OF WORK WHETHER SUCH LIABILITY IS BASED ON AN ACTION IN CONTRACT, WARRANTY, STRICT LIABILITY OR TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE.
10.5 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, THE ABOVE LIMITS SET FORTH IN SECTION 10.2 AND SECTION 10.3 SHALL NOT APPLY TO LIABILITY ARISING FROM SPS BREACH OF SECTION 2.12, 4.2, 4.4, 4.7, 6, 7 OR 13 OF THIS AGREEMENT AND LIABILITY ARISING FROM SPS OBLIGATIONS UNDER SECTION 8 OF THIS AGREEMENT. THE ABOVE LIMITS SET FORTH IN SECTION 10.2 AND SECTION 10.4 SHALL NOT APPLY TO LIABILITY ARISING FROM THOMSONS BREACH OF SECTION 6 OR 7.4 OF THIS AGREEMENT AND LIABILITY ARISING FROM THOMSONS OBLIGATIONS UNDER SECTION 8.6.
11. Term and Termination:
11.1 The Term of this Agreement begins on the Effective Date and shall continue through September 9, 2009, at which time it shall automatically terminate unless extended by the parties in a writing signed by each of them, or unless terminated early, as set forth below.
17
11.2 Either Thomson or SP may terminate this Agreement at any time and for any reason by giving written notice of termination ninety (90) days in advance to the other party. Neither Thomson nor SP shall be liable to the other as a result of termination of this Agreement for any costs, claims, losses, damages or liabilities including, without limitation, loss of anticipated profits. If the Agreement is terminated, Services under all Statements of Work issued to SP shall be completed by SP in accordance with the terms of the respective Statements of Work and this Agreement, which shall be deemed to remain in effect for purposes only of completing each Statement of Work. Notwithstanding anything herein to the contrary, Services under any Statement of Work may be terminated by Thomson, at its sole discretion, as provided in Section 11.3 below.
11.3 Without effect on this Agreement for purposes of any other Statements of Work, Thomson may, at any time and for any reason, terminate the Services in whole or in part under any Statements of Work on 45 days prior written notice to SP and SP shall promptly comply. In the event Services under a Statement of Work are terminated, SP will deliver to Thomson all completed portions of those Services performed up to the date of termination, and Thomson shall promptly pay, subject to the other provisions of this Agreement, (i) for the terminated Services authorized by Thomson and satisfactorily performed by SP to the date of termination, and (ii) for direct costs that SP incurs in terminating those Services, provided those costs (a) were authorized in advance by Thomson, and (b) are properly supported by invoices and the like. Subject to the provisions of this Agreement, Thomsons sole liability to SP for terminating any or all Services under a Statement of Work is contained in this Section 11.3 and Thomson shall not be liable to SP for any costs, claims, losses, damages or liabilities including, without limitation, loss of anticipated profits or reimbursement for Services unperformed as a result of the termination.
11.4 Either Thomson or SP may immediately terminate this Agreement or any Statement of Work if the other party or any of its personnel materially breaches any of the terms of this Agreement and said breach is not cured within thirty (30) days after receipt of notice of default thereof from the non-breaching party. Notwithstanding this Section 11.4, SP may not terminate this Agreement for a period of up to 90 days upon Thomsons failure to pay any amount that is reasonably disputed by Thomson in good faith so long as (i) Thomson notifies SP promptly after the receipt of the notice of default specified in this Section 11.4 of any disputed amount being withheld from SP and specifies the reasons why that amount is disputed and (ii) all amounts not disputed are paid as due. However, if any invoice is unpaid in accordance with the terms herein and has not been disputed in good faith in writing by Thomson within 7 business days of its due date, SP shall also have the right, upon 15 business days written notice, to suspend performance under this Agreement until such time as the amount that is unpaid is paid in full. To the extent that any portion of an invoice is disputed in good faith in writing by Thomson as set forth above, Thomson agrees to pay the non-disputed portion of the invoice in accordance with the terms of this Agreement.
18
11.5 If either party repeatedly fails to perform any of its obligations or breaches any representations under this Agreement, regardless of whether such failures or breaches are cured and where such repeated failures have a material effect, the other party may, upon further notice of default to the breaching party, terminate all or part of the Services as of the date specified in such notice of default.
11.6 Thomson may immediately terminate this Agreement or any Statement of Work if SP or any of its consultants, agents, or subcontractors (i) threatens to cease or ceases business as a viable enterprise, commits any act of insolvency (or bankruptcy) or winding-up or becomes subject to any proceeding under an insolvency (or bankruptcy) law; (ii) becomes insolvent; (iii) makes a general assignment for the benefit of creditors; (iv) ceases conducting business in the ordinary course; or (v) files a petition under bankruptcy law or any other insolvency law providing for the relief of debtors, or any such petition is filed against it, and SP fails to have such petition lifted or stayed within five days from the date on which it is entered.
11.7 Thomson may, within 90 days of written notice of a change of control immediately terminate this Agreement or any Statement of Work on 10 days prior written notice in the event of a change in control of SP. For purposes of this Section 11.7, change in control shall mean the acquisition by a person not now in control (within the meaning of this definition) of more than fifty-one percent (51%) of either the voting power or value of the outstanding capital of SP or the right to elect at least fifty-one percent (51%) of the directors of SP but shall not include any transaction involving a public offering of SPs securities or a private equity financing round.
11.8 The rights and obligations of the parties to this Agreement which expressly or by implication comes into or continues in force after the date of termination or expiration of this Agreement, including Sections 4, 5, 6, 7, 8. 9, 10, 11.8, 11.9, 11.10, 15 and 19 shall survive its termination or expiration.
11.9 Upon termination of this Agreement for any reason, Thomson will be entitled to all Work Product, works in progress, information, data and files up to the date of termination in the form in which they exist at that time, including, without limitation source code for all such materials
11.10 In the event of termination for any reason, SP agrees during a six (6) month transition period (Transition Period), on a time and materials basis at mutually agreed rates consistent with SPs rates current at the time of termination which are (1) authorized in advance by Thomson, and (2) properly supported by documentation, including but not limited to timesheets, invoices, etc. to: (i) cooperate with Thomson in effecting the orderly transfer and migration of the Services to another third party as designated by Thomson or the resumption of the Services by Thomson upon Thomsons request, including any and all knowledge gained during the term of this Agreement; (ii) provide access to its Personnel; and (iii) continue to perform those Services as requested by Thomson which may be necessary or useful to effect such transfer. During this Transition Period, SP shall answer all reasonable and pertinent verbal or written questions from Thomson or
19
its representative regarding Services and deliver to Thomson all reports and documentation relevant to Services in SPs possession. In addition, SP shall certify upon the cessation of the Transition Period that SP has returned to Thomson or erased or destroyed, as directed by Thomson, all of the Thomson Confidential Information, data and materials in its possession, including all archival tapes used for back up purposes.
11.11 In the event an entity or business unit of Thomson is sold or otherwise divested (the Divested Entity), SP shall upon Thomsons request, provide all or part of the Services to the Divested Entity for the remaining duration of any applicable Statement of Work only (on the basis that the new owner of the Divested Entity shall be deemed to fall within the definition of Affiliated Entity only for the purpose of accepting assignment of an existing Statement of Work, and each reference to Thomson Healthcare Inc., Thomson, and Affiliated Entity herein shall be replaced with the name of the Divested Entity as though this Agreement had been amended, all without need for additional consideration).
12. Relationship:
12.1 The relationship between Thomson and SP is that of independent contractors. Neither Thomson nor SP is an agent for the other and neither has any authority to make any contract, whether expressly or by implication, in the name of the other party, without that partys prior written consent.
13. Data Protection and Security:
13.1 If SP provides Services to Thomson from an Outsourcing Center that is shared with a third party, SP shall develop a process, subject to Thomsons review and consent, to prohibit electronic, logical, and physical access in any such shared environment to Thomson Confidential Information and other Thomson data, materials, and information. As part of the Services, SP shall establish, implement, and maintain safeguards against the destruction, loss, alteration or unauthorized disclosure of Thomson Confidential Information, data, and materials in the possession of SP in accordance with SPs IT Infrastructure Policy dated as of September 1, 2004 (IT Policy) and SPs Business Continuity Plan dated March 2003 (BCP Plan), all the terms and conditions contained in this Agreement and Thomsons security standards as set out in a Statement of Work, or as provided to SP by Thomson from time to time, including the use of routine data back ups, passwords and access codes. SP shall establish, maintain, and enforce safety and security procedures that are at least: (i) equal to industry best practices for facilities similar to the Outsourcing Center, as those evolve from time to time, and (ii) as rigorous as those procedures in effect currently at SPs facilities. As part of the Services, SP shall maintain safety and security procedures for Thomsons operating system environment and telecommunications infrastructure which protect the data and information of Thomson, its customers, and its suppliers from unauthorized access SP shall inform Thomson of any breaches in security or potential breaches in security, including any breach or potential breach of a LAN or telecommunications network which, contains, processes, or transmits Thomson Confidential Information, data or materials.
20
Upon reasonable prior notice, Thomsons employees and agents shall have access, at all reasonable times, to all Outsourcing Centers used in the performance of Services during the term of this Agreement related to Thomsons audit of the physical security of such Outsourcing Centers, consistent with the purposes of this Section 13.1, or as may be required by law or regulation with respect to storage, access, use, and security of any such data and materials, subject to compliance with the security measures in effect at such Outsourcing Center.
SP shall be responsible for any and all security breaches of those systems that it manages, maintains, or uses in respect of the Services SP shall, as may be specified in a Statement of Work, operate and maintain such audit and tracking software as Thomson may request from time to time.
13.2 SP shall be accountable for the integrity of any test or measurement data, including its generation, recording, reporting and retention, provided by SP to Thomson or to any third party(s) on behalf of Thomson. SP agrees that for any such data, SP shall use all reasonable commercial efforts to ensure that:
13.1.1 Measurement activities and information reported from measurement shall be complete, accurate, and timely.
13.1.2 Specified industry standard test methods and instrument calibration procedures shall be used without modification, unless that modification has been approved by industry standard and/or by Thomson.
13.1.3 Personnel involved in testing and measuring are trained in the necessary skills involved in data generation and data management. This shall include initial and ongoing personnel training, testing, and verification of knowledge transfer.
13.1.4 SP shall utilize a self-monitoring and assessment system to determine the extent to which the requirements above are being met. This system shall include the resolution of all problems found in the assessments, with plans and responsibilities for appropriate follow-up.
14. Force Majeure/ Disaster Recovery Plan:
14.1 Neither Thomson nor SP shall have any liability to the other for failure to perform its obligations delay or loss occasioned by circumstances which are outside the partys reasonable control to prevent, including without limitation war, strike (other than by SPs Personnel or Thomsons employees), lock-out, fire, explosion, natural disaster (Force Majeure). If such delay or failure continues for at least thirty (30) days, the party not responsible for such delay or failure will be entitled to terminate the Agreement by notice in writing if such delay or failure is not cured within such 30 day period. In this event, any moneys paid by Thomson in advance of the performance of Services, or moneys paid in advance of completion of a final deliverable, will be repaid by SP on a pro rata basis. Notwithstanding the foregoing, the occurrence of a Force Majeure event does not limit or otherwise affect SPs obligation to provide either normal business continuation procedures or any other disaster recovery services as described in Section 14.2.
14.2 As part of the Services, SP shall: (i) within thirty (30) days of the Effective Date, develop and submit to Thomson a disaster recovery plan (DRP) for the
21
Outsourcing Center; (ii) unless Thomson rejects such DRP within thirty (30) days of Thomsons receipt of the proposed DRP, implement and manage the DRP for the Outsourcing Center and assist with the preparation and implementation of a DRP for all other locations where Services may be performed; (iii) within ninety (90) days of Thomsons written approval of the DRP, and at least once every calendar year during the term of this Agreement, update and test the operability of the DRP in effect at that time; (iv) upon Thomsons request, certify to Thomson that the DRP are fully operational; and (v) upon discovery by SP, immediately provide Thomson with notice of a disaster and implement the DRP applicable to SPs Outsourcing Center and assist Thomson with implementing DRP at any other location upon the occurrence of a disaster at an Outsourcing Center or other location affecting the provision of the Services. In the event that Thomson rejects the DRP developed under Section 14.2 (i) above, SP shall revise the DRP to meet Thomsons reasonable approval within fifteen (15) days of its receipt of the rejection. Subject to Section 14.3, SP shall re-institute the Services as set forth in the DRP. In the event of a disaster at an Outsourcing Center, SP shall not increase its charges under this Agreement or charge Thomson additional fees
14.3 Whenever a Force Majeure Event or a disaster causes SP to allocate limited resources between or among SPs customers and affiliates, Thomson shall receive at least the same priority in respect of such allocation as SPs other best commercial customers.
15. Record Retention / Audit:
15.1 During the Term and for a period of seven (7) years following the termination date of this Agreement (the Retention Period), SP shall maintain complete and accurate records and supporting data in accordance with United States generally accepted accounting practices. Upon reasonable prior notice during the Retention Period, Thomsons employees and agents shall have access to, and the right to reproduce, SPs and its subcontractors relevant books, records, correspondence, instructions, plans, drawings, receipts, vouchers, financial accounts, data stored in computer files, and memoranda of every description pertaining to Services for the purpose of verifying costs of any or all Services and SPs compliance with the terms of this Agreement and any Statement of Work. SP agrees to include the necessary provisions in its contracts with its subcontractors that shall assure access by Thomsons employees and agents to applicable records of those subcontractors. Thomson shall not be liable for any of SPs or its subcontractors costs resulting from an audit hereunder. SP further agrees that records of all development work will be kept according to the standards that Thomson requires for its own work, provided however that such standards are provided in advance to SP.
16. Transfer or Assignment:
16.1 The rights and obligations of each party in or arising under this Agreement are personal to such party and may not be assigned or transferred to a third party without the previous written consent of the other party, provided that Thomson Healthcare Inc., may assign this Agreement in whole or in part to any Affiliated
22
Entity, and each party may assign this Agreement to a third party in connection with any sale or merger, provided further that such assignee agrees in writing to assume and be bound by all of the obligations under this Agreement, except that Virtusa must obtain the prior written consent of Thomson for any such assignment, which shall not be unreasonably withheld or delayed.
16.2 SP shall not sub-contract any of its obligations under this Agreement except as set forth in Section 2.5 and Section 2.9.
17. Publicity:
17.1 SP shall not, without the prior written consent of Thomson (i) use the name, logo, trade dress, or any trade name or trademark of Thomson Healthcare Inc., any Thomson business unit or division or any of its Affiliated Entities in any advertising or communications to the public in any format; or (ii) make publicity releases or announcements regarding the terms of this Agreement, any Statement of Work, the Services performed or any related activities.
18. Dispute Resolution Procedure:
18.1 In the event of any dispute between Thomson and SP arising from or relating to this Agreement, the Relationship Managers designated by each party (or their respective designees if either person is unavailable) shall attempt to resolve the dispute in good faith for a period of three (3) business days following the date either party first provides a written notice of the dispute to the other requesting that the dispute be resolved in accordance with the procedures contained in this Subsection 18.1. If the dispute is not resolved by the end of such period, the dispute shall be escalated to the level of Vice President (or their respective designees if either person is unavailable) and such representatives shall attempt to resolve the dispute in good faith for a period of three (3) additional business days. If the dispute is still not resolved by the end of such additional period, the dispute shall be further escalated to a more senior executive of each party and such representatives shall attempt to resolve the dispute in good faith for a final period of ten (10) additional business days. Except for those disputes where injunctive relief may be an appropriate remedy, no formal proceedings relating to such dispute may be commenced until the parties complete the dispute escalation procedures set forth in this Subsection 18.1 without reaching a resolution (or if either party breaches the provisions of this Subsection 18.1).
19. Miscellaneous:
19.1 In the event that any provision or part thereof of this Agreement is held to be invalid or unenforceable in any jurisdiction, it shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this Agreement and no such prohibition or unenforceability in any jurisdiction shall invalidate such provision in any other jurisdiction. The remaining provisions and parts of this Agreement shall remain in full force and effect, and shall be read and construed as if the void or unenforceable provisions were originally deleted. No forbearance or delay by either party in enforcing its
23
respective rights will prejudice or restrict the rights of that party. The waiver by either party of any default or breach of this Agreement shall not constitute a waiver of any other or subsequent default or breach.
19.2 This Agreement, including any Schedules, Exhibits or other attachments hereto, constitutes the entire agreement between Thomson and SP and supersedes all previous agreements, written or oral, with respect to the provision of the Services or the Work Product. This Agreement may not be modified or amended except in writing signed by a duly authorized representative of each party.
19.3 Unless otherwise specified herein, the rights and remedies of each party set forth in this Agreement are not exclusive and are in addition to any other rights and remedies available to it at law or in equity.
19.4 This Agreement will be governed by and construed according to the laws of the State of New York, United States, without regard to any conflicts of laws provisions and without regard to the United Nations Convention on Contracts for the International Sale of Goods. The parties hereby consent to the personal jurisdiction of, and agree on behalf of themselves and any person claiming by or through them that the sole jurisdiction and venue for any litigation arising from or relating to this Agreement shall be an appropriate federal or state court located in the Borough of Manhattan, City of New York, State of New York. SP and Thomson each agree that in the event of any claim by one party against the other under this Agreement, the prevailing party shall be entitled to be paid by the non-prevailing party, the prevailing partys reasonable attorney fees and costs and other related expenses.
19.5 This Agreement is non-exclusive. Except as provided herein, each of the parties remains free to enter into arrangements or agreements with other third parties, subject to the terms and conditions contained herein. SP acknowledges that this Agreement permits Thomson to obtain Services through issuance of Statements of Work, each of which shall be a non-exclusive contract for Services. Thomson retains the right to engage others to perform the same type of services without any liability to SP, and Thomson makes no representation as to the number, frequency or dollar value of Statements of Work under this Agreement.
19.6 To the extent of any conflict or inconsistency between the terms and conditions of this Master Services Agreement and the terms and conditions of any Statement of Work or other document signed by Thomson and SP, the terms and conditions of this Agreement will control,. Neither Thomsons nor SPs acceptance of any such document, including, without limitation, any Statement of Work, Service Level Agreement, or requirements document, shall be construed as an acceptance of provisions which are in any way in conflict or inconsistent with this Agreement.
19.7 Each of Thomson and SP agrees that, subsequent to the execution and delivery of this Agreement and without any additional consideration, each of Thomson and SP shall execute and deliver any further legal instruments and perform any acts that are or may become necessary or desirable to effectuate the purposes of this Agreement.
24
19.8 Headings have been included for convenience only and shall not be used in construing any provision of this Agreement.
19.9 The parties agree that neither SP nor the Thomson entity or division for which any SP resources have performed services under a Statement of Work shall directly or indirectly hire, or engage as a consultant/employee, (i) with respect to SP, any Thomson resource who performed services under such Statement of Work, and (ii) with respect to Thomson, any SP Restricted Personnel as defined in Section 2.12, in each case, during the term of such Statement of Work and for a period of 6 months thereafter. Nothing contained herein shall prevent either party or any of their affiliates or Affiliated Entities from hiring any such employee who responds to a general hiring program conducted in the ordinary course of business not specifically directed to such employees or who approaches the other party on an unsolicited basis.
25
Schedule 1.5
Outsourcing Center Specifications
OPERATING HOURS:
SPs Personnel will operate the Outsourcing Center from 8:30am to 6pm, local time, Monday through Friday. However, the facility must be available to resolve all issues on a 24x7 basis.
SP will communicate to Thomson in writing annually all dates on which the facility will be closed due to holidays at the beginning of the calendar year and initially before the signing of this contract.
STAFFING:
SP must provide Thomson with resource plans and detailed billing information monthly at the beginning of each month for the previous period, as well as a projection for the next month.
SP must present Thomson with a staffing rotation plan at the beginning of a transition project and on a quarterly basis.
KEY RESOURCES ASSIGNED TO OC FOR THOMSON PROJECTS:
LOGISTICS:
SP RESPONSIBILITIES:
1. Development will be done with data remaining resident in Thomson environments. Where required for ensuring reasonable response timings to ensure productivity of developers based in India, SP will create a suitable development environment with assistance from Thomson at SPs expense.
2. [SP Service Level Agreement (SPSLA) and SP Operating Level Agreement (SPOLA) will be developed for each application taken offshore. Specific details will vary by application and be noted in the individual Statement of Work.]
3. Onshore managers will establish their personnel in a working environment according to the policies and procedures provided.
4. Onshore managers are responsible for all Thomson equipment removed from Thomson premises. Everything must be itemized and signed for using current policies and procedures.
5. SPs managers at Thomson Sites must notify Thomsons managers, facilities, and security of terminations or transfers, obtaining access badges and cards and all Thomson equipment.
6. Local Time will be used to track each individuals hours worked with the exception of fixed bid projects.
7. SP will provide desktops with appropriate office and development tools in their own environments within the offshore facility to support local development and testing activity.
26
8. All SP Personnel will adhere to existing security policy and procedures concerning both physical and data security.
9. Software configuration management policy and procedures will be adhered to including use of version control software that is resident in Thomson facilities.
10. SP will prepare a Statement of Work in conjunction with Thomson, to be mutually agreed by the parties.
11. SP has overall responsibility to create business recovery plans to support Thomsons business in the event of a business interruption. [SP will participate in Thomson business recovery planning meetings in support of all applications that SP manages for Thomson. SP will create test plans, scripts, and data in support of Thomsons business recovery exercises, and SP will be present at any location(s) designated by Thomson during the business recovery exercises to execute the test plans and scripts. SP will be responsible for verification of successful recovery of applications supported by SP during the business recovery exercises.]
SECURITY:
SP will establish and maintain a secure [and dedicated] location within its facilities to house the technology components and people resources required to support Thomson. [This area will have access limited to Personnel assigned to Thomson.] In addition the technology components will have additional security and access limited to only those Personnel assigned to maintain and support the technology.
All documents and work products in soft and hard copy formats are to be secured and available only to Personnel on a need to access basis. All documents related to Thomson are to be retained within the Outsourcing Center and shall not be taken out of the facility without Thomson authorization. All work, property, and documents contained in SPs knowledge repository relating to Thomson are to be copied to Thomson on a [monthly] basis.
27
[FOR DISCUSSION PURPOSES ONLY]
EXHIBIT A
STATEMENT OF WORK
This Statement of Work consists of the following documents and agreements each of which is incorporated into and forms an integral part hereof ; and is entered into between SP and Thomson subject to the terms and conditions of the Master Services Agreement between Thomson and SP dated . The effective date of this Statement of Work is .
Part A
Scope of Work
Project Plan and Deliverables
Project Milestones
Project Process for Risk Management & Reporting
Special Hardware/Software Requirements
Acceptance Criteria
Additional Warranties/ Warranty Period if longer than 6 months
SP Proprietary Intellectual Property (if any)
Part B
Scope of Team/ Support
Standards and Procedures
Staffing Requirements
Key Resources
Minimum Signatures
Metrics, Reporting, and Service Levels
Escalation Procedures
Part C
SP Service Level Agreement
Staffing Requirements
Severity Levels and Expected Responses Times
Response Measures and Reporting Procedures
Part D
Rate Schedule
Milestone Payments
Retention Payment
In witness whereof, the parties have executed this Statement of Work and agree to bound by its terms as of this day of , 2004.
SP |
|
| Thomson |
|
By: |
|
| By: |
|
Name: |
|
| Name: |
|
Title: |
|
| Title: |
|
28
EXHIBIT B
Employee Non-Disclosure Agreement
THIS AGREEMENT is made this day of 2004, by and between , with an address at (the Contractor) and Thomson Healthcare Inc., with an address at 6200 South Syracuse Way, Greenwood Village, CO 80111 (the Company).
WHEREAS, the Contractor desires to obtain certain non-public, confidential or proprietary information from the Company; and
WHEREAS, the Company desires to provide such information and/or materials to the Contractor under certain conditions as hereinafter provided.
NOW, THEREFORE, in consideration of the mutual promises and covenants hereinafter set forth, the parties hereto agree as follows:
1. The Company will make available and disclose to the Contractor such materials, processes and data as the Company deems necessary and desirable to the Contractors tests, analysis, review, study and evaluation (the Information). The Contractor shall exercise due diligence to maintain all Information in confidence; due diligence shall mean at least the same precautions and standard care which a reasonable person in such business would use to safeguard its own proprietary information.
2. The Contractor agrees that the Information shall at all times remain the property of the Company and shall not be used or disclosed to anyone by the Contractor without the prior written consent of the Company. Upon completion of the Contractors tests, analysis, review, study and evaluation, the Contractor shall return to the Company all of the Information supplied to the Contractor or obtained by the Contractor on behalf of the Company, and shall deliver to the Company or, at the election of the Company, destroy any notes, drawings and other documents not supplied by or on behalf of the Company and containing the Information.
3. The Contractor agrees to permit access to the Information only to its employees who need to know the Information for the purposes set forth herein and who shall agree to be bound by the terms and conditions of this Agreement. In any event, the Contractor shall be responsible for any breach of this Agreement by its employees.
4. The term Information does not include information that (a) is or becomes generally available to the public other than as a result of disclosure by the Contractor or anyone to whom the Contractor transmits the information, (b) becomes available to the Contractor on a non-confidential basis from a source other than the Company who is not bound by a confidentiality agreement with the Company, (c) the Contractor can document was known to the Contractor or in its possession prior to the date of disclosure by the Company, or (d) is independently developed by the Contractor without reference to the Information.
5. In the event that the Contractor or anyone to whom it transmits the Information becomes legally compelled to disclose any of the Information, it will provide the Company with prompt notice so that the Company may seek a protective order or other appropriate remedy
and/or waive compliance with the provisions of this Agreement. In the event that such protective order or other remedy is not obtained, or that the Company waives compliance with the provisions of this Agreement, the Contractor will furnish only that portion of the Information which is legally required and exercise its best efforts to obtain a protective order or other reliable assurance that confidential treatment will be accorded the Information.
6. The Contractor agrees that, in the event of any breach of this Agreement, the Company would be irreparably and immediately harmed and could not be made whole by monetary damages. Without prejudice to any rights and remedies otherwise available, the Company shall be entitled to equitable relief by way of injunction if the Contractor breaches any provision of this Agreement.
7. This Agreement will be governed by and construed under, the laws of the Commonwealth of Pennsylvania, without regard to the principles of choice of law.
8. This Agreement represents the entire understanding and agreement of the parties and supercedes all prior agreements and understandings relating to the subject matter hereof. This Agreement may not be modified or amended, except by a written instrument duly executed by both parties. This Agreement may not be assigned by the Contractor.
9. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of the other provisions of this Agreement, which shall remain in full force and effect. If any of the provisions of this Agreement shall be deemed to be unenforceable by reason of its extent, duration, scope or otherwise, then the parties contemplate that the court making such determination shall enforce the remaining provisions of this Agreement, and shall reduce such extent, duration, scope or other provision and shall enforce them in their reduced form for all purposes contemplated by this Agreement.
10. This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which shall constitute one and the same instrument.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their duly authorized representatives on the date first written above.
THOMSON HEALTHCARE INC. |
| |
|
| |
By: |
|
|
Name: |
| |
Title: |
| |
|
| |
(CONTRACTOR) |
| |
|
| |
By: |
|
|
Name: |
| |
Title: |
|
EXHIBIT C
Assignment Agreement
EXHIBIT D
Notebook Security Policy
NOTEBOOK SECURITY PROTECTING DATA AND PROPERTY
Frank Licata, Sr. Vice President & CTO
January, 2001
Notebook computers and todays mobile computing environment pose special risks to employees using mobile computing resources. Employees must take special care to:
· prevent loss of the notebook computer
· prevent unauthorized access to the notebook computer
· prevent compromise of sensitive data
· protect against viruses on the notebook computer
· protect against risks posed by inadequate data backup
Notebook computers present special data security risks because notebooks are frequently used outside the office or in unattended areas within the building. Key notebook data security risks are:
Loss and theft
· The notebook rate of theft is now growing at a greater rate than the number of notebook computers in use. They are easy to store, easy to transport, easy to steal and easy to sell!
· In-house theft is the most common, and airport theft the second most common.
· Ease of access notebook computers are frequently used in insecure locations - conference rooms, temporary offices and airports, to name a few. The informal protection afforded by an individuals personal workspace is gone, and equipment goes missing.
Data Compromise. Data compromise usually results from one of four security lapses:
· Loss or theft of the notebook computer
· Unauthorized access to the notebook computer for a long enough period to view or copy data
· Loss or theft of data copied to diskettes for printing, backup or data transfer
· Interception or compromise of data transmitted over telephone lines or the Internet
Reducing Notebook Data Security Risks
Notebook data security risks cannot be eliminated. The risks can, however, be reduced to a minimum:
Physical Security
Physical security is the primary concern in notebook computer security. If a notebook computer is never out of the possession and control of the owner, then the risks of unauthorized loss or theft and unauthorized access are virtually eliminated. Thus, the risks of data compromise are greatly reduced.
Physical security is primarily a matter of implementing effective policies and practices, and educating notebook computer users to pay careful, intelligent attention to physical security risks.
THOMSON SCIENTIFIC NOTEBOOK SECURITY POLICY
Thomson Scientific expects each employee using a notebook computer:
· To protect it from theft or loss, exercising the highest standard of care reasonable and appropriate to the circumstances in each case, taking into account the vulnerability of notebook computers to theft or loss and the quantity and nature of the information stored on the computer; and
· To exercise the highest standards of care with respect to company information in electronic form, as is always the case with any business-related information, whether verbal, written or electronic.
· Each Thomson Scientific employee using a notebook computer is required to implement, use and maintain in force at all times a power-on password protection system, approved by the Sr. Manager, Network and User Services.
Thomson Scientific reserves the right to deal with violations of this policy by taking appropriate disciplinary actions, including without limitation, requiring the employee to reimburse the Company for the cost of the notebook computer.
Name: |
|
Date: |
|
Model: |
|
Serial Number: |
|
Security Plate Number: |
I have read Thomson Scientifics Notebook Security Policy statement and agree to abide by it as consideration for my continued employment by Thomson Scientific. I understand that violation of any above policies may result in disciplinary action, up to and including termination.
| / |
|
Employee Signature |
| Date |
EXHIBIT E
Internet Use Policy
Your use of the Internet is governed by this policy
I Internet Management
Certain employees may be provided with access to the Internet to assist them in performing their jobs. The Internet can be a valuable source of information and research. In addition, e-mail can provide excellent means of communicating with other employees, our customers and clients, outside vendors, and other businesses. Use of the Internet, however, must be tempered with common sense and good judgment.
We believe, as a responsible employer, that it is very important to do all we can to ensure that the Internet is used in a responsible manner. If you abuse your right to use the Internet, this privilege will be revoked. In addition, you may be subject to disciplinary action, including possible termination, and you may be held liable for violation of civil or criminal statutes. This document reviews how we expect all employees to use the Internet in order to ensure that their use is consistent with these guidelines.
Effective December 1, 2001, Thomson Scientific will deploy Websense Internet Management Software, an Internet pass-through filtering solution that manages, monitors and reports on employee use of the Internet. In Phase I of the deployment, two areas will be addressed; category blocking (permanent blocking or blocking at certain times of the day) and monitoring via the Websense Reporter.
Category Blocking
Blocking categories, as defined by Websense, are groups of similar Websites that have been determined to be non-business related (example adult, racism/hate, gambling, onlinebroker/trading, etc.) and employee access will be blocked to these sites (however, all attempts are reported and recorded via the Websense Reporter module). Some categories will be permanently blocked, while others will be blocked during core business hours only (see pg.4). Core business hours (subject to change) are Monday to Friday 9:00am 12:30pm and 1:30pm 5:00pm.
II Websense Reporter
Working in combination with Websense Enterprise, Websense Reporter reports on employee use of the Internet. We will use it to monitor all Internet activity 7/24 to ensure that your use of the Internet meets the requirements of our policy.
Disclaimer of liability for use of the Internet
Thomson Scientific is not responsible for material viewed or downloaded by users from the Internet. The Internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit, and inappropriate material. In general, it is difficult to avoid at least some contact with this material while using the Internet. Even innocuous search requests may lead to sites with highly offensive content. Users accessing the Internet do so at their own risk.
Employees duty of care
Employees should endeavor to make each electronic communication truthful and accurate. You should use the same care in drafting e-mail and other electronic documents as you would for any other written communication. Please keep in mind that anything created or stored on the computer system may and likely will, be reviewed by others.
III Duty not to waste computer resources
Employees must not deliberately perform acts that waste computer resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, printing multiple copies of documents, or otherwise creating unnecessary network traffic. Because audio, video and picture files require significant storage space, files of this sort may not be downloaded unless they are business related.
IV No expectation of privacy
The computers and the computer accounts given to employees are to assist them in performance of their jobs. Employees should not have an expectation of privacy in anything they create, store, send or receive on the computer system. The computer system belongs to the company and may only be used for business purposes.
V No privacy in communications
Employees should never consider electronic communications to be either private or secure. E-mail may be stored indefinitely on any number of computers, including that of the recipient. Copies of your messages may be forwarded to others either electronically or on paper. In addition, e-mail sent to nonexistent or incorrect usernames may be delivered to persons that you never intended.
VI Monitoring of computer usage
The company has the right to monitor any and all aspects of its computer system or any individuals use of the system, including, but not limited to, monitoring sites visited by employees on the Internet, monitoring chat groups and newsgroups, reviewing material downloaded or uploaded by users to the Internet, and reviewing e-mail sent and received by users.
VII Blocking of inappropriate content
The company may use software/hardware to identify inappropriate or sexually explicit Internet sites. Such sites may be blocked from access by company networks. In the event you nonetheless encounter inappropriate or sexually explicit material while browsing on the Internet, immediately disconnect from the site, regardless of whether the site was subject to company blocking software.
VIII Prohibited activities
Material that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful or inappropriate may not be sent by e-mail or other forms of electronic communication (bulletin board systems, newsgroups, egroups, chat groups), downloaded from the Internet, or displayed on or stored in desktop or network computers. Employees encountering or receiving this kind of material should immediately report the incident to their supervisors.
IX Games and entertainment software
Employees may not use the companys Internet connection to download games or other entertainment software, including screen savers, or to play games over the Internet.
X Illegal copying
Employees may not illegally copy material protected under copyright law or make that material available to others for copying. You are responsible for complying with copyright law and applicable licenses that may apply to software, files, graphics, documents, messages, and other material you wish to download or copy. You may not agree to a license or download any material for which a registration fee is charged without first obtaining the express written permission of Sr. Manager Network & User Services.
Accessing the Internet
To ensure security and avoid the spread of viruses, employees accessing the Internet through a computer attached to Thomson Scientifics network must do so through an approved Internet firewall. Accessing the Internet directly, by modem, is strictly prohibited unless the computer you are using is not connected to the companys network.
Virus detection
Files obtained from sources outside the company, including disks brought from home; files downloaded from the Internet, newsgroups, bulletin boards, or other online services; files attached to e-mail; and files provided by customers or vendors, may contain dangerous computer viruses that may damage the companys computer network. Employees should never download files from the Internet, accept e-mail attachments from outsiders, or use disks from non-company sources, without first scanning the material with company-approved virus checking software. If you suspect that a virus has been introduced into the companys network, notify the Sr. Manager Network & User Services immediately.
Sending unsolicited e-mail (spamming)
Without the express permission of their supervisors, employees may not send unsolicited e-mail to persons with whom they do not have a prior relationship.
XI Altering attribution information
Employees must not alter the From: line or other attribution-of-origin information in e-mail, messages, or postings. Anonymous or pseudonymous electronic communications are forbidden. Employees must identify themselves honestly and accurately when participating in chat groups, making postings to newsgroups, sending e-mail, or otherwise communicating on-line.
Use of encryption software
Employees may not install or use encryption software on any of Thomson Scientifics Computers.
XII Export restrictions
The federal government has imposed restrictions on export of programs or files containing encryption technology (such as e-mail programs that permit encryption of messages and electronic commerce software that encodes transactions). Software containing encryption technology is not to be placed on the Internet or transmitted in any way outside the United States without prior written authorization from VP Technology Services.
XIII Other policies applicable
In their use of the Internet, users must observe and comply with all other policies and guidelines of the company.
XIV Amendments and revisions
This policy may be amended or revised from time to time as the need arises. Users will be provided with copies of all amendments and revisions.
Violations of this policy will be taken seriously and may result in disciplinary action, including possible termination and you may be held liable for violation of civil or criminal statutes.
Internet Management Blocking Categories
Category/Sub-category |
| Permanently |
| Available |
Adult Material |
| X |
|
|
Entertainment |
|
|
| Y |
· MP3 |
| X |
|
|
Gambling |
| X |
|
|
Games |
| X |
|
|
Information Technology |
|
|
|
|
· Hacking |
| X |
|
|
· Proxy Avoidance Systems |
| X |
|
|
· URL Translation Sites |
|
|
| Y |
· Web Hosting |
| X |
|
|
Internet Communication |
|
|
|
|
· Web Chat |
| X |
|
|
· Web Based Email |
| X |
|
|
Job Search |
| X |
|
|
Military/Extremist |
|
|
| Y |
Premium Group |
|
|
|
|
· Advertisements |
|
|
| Y |
· Freeware/Software Download |
| X |
|
|
· Instant Messenger |
| X |
|
|
· Message Board & Clubs |
|
|
| Y |
· Online Broker & Trading |
|
|
| Y |
· Pay to Surf |
| X |
|
|
Premium Group II |
|
|
|
|
· Internet Radio & TV |
| X |
|
|
· Internet Telephony |
| X |
|
|
· Peer to Peer File sharing |
| X |
|
|
· Personal Network Storage/ Backup |
| X |
|
|
· Streaming Media |
| X |
|
|
Racism/Hate |
| X |
|
|
Shopping |
|
|
| Y |
· Internet Auctions |
|
|
| Y |
· Real Estate |
|
|
| Y |
Society and Lifestyle |
|
|
|
|
· Alcohol/ Tobacco |
|
|
| Y |
· Gay and Lesbian Issues |
|
|
| Y |
· Hobbies |
|
|
| Y |
· Personal Websites |
| X |
|
|
· Personals/ Dating |
|
|
| Y |
· Restaurants and Dining |
|
|
| Y |
Special Events |
|
|
| Y |
Sports |
|
|
| Y |
· Sport Hunting /Gun Clubs |
|
|
| Y |
Travel |
|
|
| Y |
Vehicles |
|
|
| Y |
Violence |
| X |
|
|
*Core business hours (subject to change) are: Monday to Friday, 9:00am 12:30pm and 1:30pm 5:00pm.
EXHIBIT F
Anti-Virus Policy and Guidelines
Guidelines on Anti-Virus Process
Recommended processes to prevent virus problems:
· Always run Thomsons standard, supported anti-virus software as provided by your local help desk.
· NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then double delete them by emptying your Trash.
· Delete spam, chain, and other junk email without forwarding, in accordance with Thomsons Acceptable Use Policy.
· Never download files from unknown or suspicious sources.
· Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
· Always scan a floppy diskette from an unknown source for viruses before using it.
· Back-up critical data and system configurations on a regular basis and store the data in a safe place.
· If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
· New viruses are discovered almost every day. Periodically check the Lab Anti-Virus Policy and this Recommended Processes list for updates.
Lab Anti-Virus Policy
1.0 Purpose
To establish requirements which must be met by all computers connected to Thomsons lab networks to ensure effective virus detection and prevention.
2.0 Scope
This policy applies to all Thomson lab computers that are PC-based or utilize PC-file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any PC based lab equipment such as traffic generators.
3.0 Policy
All Thomson PC-based lab computers must have Thomsons standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into Thomsons networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.
Refer to Thomsons Anti-Virus Recommended Processes to help prevent virus problems.
Noted exceptions: Machines with operating systems other than those based on Microsoft products are excepted at the current time.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Revision History
EXHIBIT G
Password Policy
1.0 Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Thomsons entire corporate network. As such, all Thomson employees (including contractors and vendors with access to Thomsons systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Thomson facility, has access to the Thomson network, or stores any non-public Thomson information.
4.0 Policy
4.1 General
· All passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
· User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user.
· Passwords must not be inserted into email messages or other forms of electronic communication.
· Where SNMP is used, the community strings must be defined as something other than the standard defaults of public, private and system and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
· All user-level and system-level passwords must conform to the guidelines described below.
4.2 Guidelines
A. General Password Construction Guidelines
Passwords are used for various purposes at Thomson. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
· The password contains less than eight characters
· The password is a word found in a dictionary (English or foreign)
· The password is a common usage word such as:
· Names of family, pets, friends, co-workers, fantasy characters, etc.
· Computer terms and names, commands, sites, companies, hardware, software.
· The words Thomson Corporation, sanjose, sanfran or any derivation.
· Birthdays and other personal information such as addresses and phone numbers.
· Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
· Any of the above spelled backwards.
· Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:;<>?,./)
Are at least eight alphanumeric characters long.
Are not words in any language, slang, dialect, jargon, etc.
Are not based on personal information, names of family, etc.
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: This May Be One Way To Remember and the password could be: TmB1w2R! or Tmb1W>r~ or some other variation.
NOTE: Do not use either of these examples as passwords!
B. Password Protection Standards
Do not use the same password for Thomson accounts as for other non-Thomson access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, dont use the same password for various Thomson access needs. For example, select one password for the Financial systems and a separate password for IT systems. Also, select a separate password to be used for a Windows account and a UNIX account.
Do not share Thomson passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential Thomson information.
Here is a list of donts:
· Dont reveal a password over the phone to ANYONE
· Dont reveal a password in an email message
· Dont reveal a password to the boss
· Dont talk about a password in front of others
· Dont hint at the format of a password (e.g., my family name)
· Dont reveal a password on questionnaires or security forms
· Dont share a password with family members
· Dont reveal a password to co-workers while on vacation
If someone demands a password, refer them to this document or have them call someone in the Information Security Department.
Do not use the Remember Password feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
Change passwords at least once every quarter.
If an account or password is suspected to have been compromised, report the incident to InfoSec and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by InfoSec or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions. Applications:
· should support authentication of individual users, not groups.
· should not store passwords in clear text or in any easily reversible form.
· should provide for some sort of role management, such that one user can take over the functions of another without having to know the others password.
· should support TACACS+ , RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
D. Use of Passwords and Pass phrases for Remote Access Users
Access to the Thomson Networks via remote access is to be controlled using either a one-time / two factor password authentication or a public/private key system with a strong pass phrase.
E. Pass phrases
Pass phrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the pass phrase to unlock the private key, the user cannot gain access.
Pass phrases are not the same as passwords. A pass phrase is a longer version of a password and is, therefore, more secure. A pass phrase is typically composed of multiple words. Because of this, a pass phrase is more secure against dictionary attacks.
A good pass phrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good pass phrase:
The*?#>*@TrafficOnThe101Was*&#!#ThisMorning
All of the rules above that apply to passwords apply to pass phrases.
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6.0 Definitions
Terms |
| Definitions |
Application Administration Account |
| Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator). |
7.0 Revision History
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
First Amendment to the Master Services Agreement
The First Amendment (First Amendment) made as of January 23, 2007 amends the Master Services Agreement (Agreement) dated September 9, 2004 by and between Thomson Healthcare Inc. and Virtusa Corporation (SP). Any capitalized term not defined herein shall have the meaning given it in the Agreement.
The parties agree to amend the Agreement as follows:
For the time frame March 1, 2006 to December 31, 2006 (2006 Timeframe), and January 1 2007 to December 2007 (2007 Timeframe) fees for the Services and Work Product described in Statements of Works during that timeframe will be based on the hourly rates (rate / hour) established below. [*****************************************************************************.]
[***.]
[**************************************************************************************************** ***************************************************************************************************** ***************************************************************************************************** ***************************************************************************************************** ***************************************************************************************************** *************************,]
[***************************************************************************************************** *************************************************.]
The Thomson Corporation
Mail to:
Richard Hoponick
VP & Controller
Thomson Scientific & Thomson Healthcare
200 First Stamford Place, Suite 400
Stamford, CT 06902
Contracts will be based on daily rates [********************.] These rates can be applied for T&M, Retainer or Fixed price contracts.
All other terms and conditions of the Agreement shall remain in full force and effect.
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
IN WITNESS WHEREOF, each of the parties hereto has caused the First Amendment to be executed by a duly authorized representative.
Thomson Healthcare Inc. |
| Virtusa Corporation |
|
|
|
/s/ Frank Licata |
| /s/ Thomas Holler |
|
|
|
SVP CTO |
| CFO |
|
|
|
Thomson Healthcare |
| Virtusa Corporation |
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
SECOND AMENDMENT TO THE
MASTER SERVICES AGREEMENT
This Second Amendment (Amendment) dated May 29, 2008 (Amendment Effective Date) shall be attached to and be part of the Master Services Agreement dated September 9, 2004 (Agreement) between Thomson Healthcare Inc., a Delaware corporation (Thomson) and Virtusa Corporation (SP). Any capitalized term not defined herein shall have the meaning given it in the Agreement. As of December 31, 2007, the Agreement was assigned by the Florida corporation formerly known as Thomson Healthcare Inc. to its affiliate, which was then renamed as Thomson Healthcare Inc., a Delaware corporation.
WHEREAS, the parties desire to amend the Agreement to address confidentiality, HIPAA, security, compliance requirements, non competition and other provisions as set forth below.
NOW, THEREFORE, the parties agree as follows.
1. Section 2 Provision of Services and Work Product is amended to delete and replace Section 2.12 with the following.
2.12 SP shall not use any Thomson resource for performing services for any party other than Thomson and agrees that any and all Restricted Personnel (as defined below) providing Services or delivering Work Product as provided herein on behalf of Thomson pursuant to a particular Statement of Work (SOW) will not be assigned or involved in any projects directly or indirectly performed for the benefit of any Thomson competitor(s) identified in such SOW(a Named Competitor) during the term of such Restricted Personnels performance of services under the SOW and for a period of 6 months thereafter. Identification of Named Competitors shall be those companies competitive to the Thomson entity engaging SP under the SOW and will not exceed at any time 10 companies per such Thomson entity and may be updated in writing by Thomson, in its reasonable discretion, from time to time but no more than once every 6 months. Such update shall be effective upon delivery to the SP Relationship Manager as such term is defined in Section 3.1 hereof. Restricted Personnel shall mean a Virtusa resource engaged under the applicable SOW with titles, responsibilities or functions of project manager, architect, design engineer, technical lead, developer, senior engineers or engineer.
For purposes of this Agreement, Thomson Business means Thomson and Affiliated Entities issuing Statements of Work under this Agreement that are in the business of providing decision support information, applications, tools and integrated solutions to business and professional customers.
Unless otherwise agreed in writing by Thomson from time to time, [****************************************** ************************************************************************************************* ************************************************************************************************* ************************************************************************************************* ************************************************************************************************* *********.]
2. Section 2 Provision of Services and Work Product is amended to add as a new section 2.14 as follows:
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
2.14 Unless prohibited by applicable law, each person to be assigned by SP to a Thomson Services project must have been screened for illegal (according to applicable law) drug use. Screens conducted in the U.S.A. must, at a minimum include (i) for drugs: marijuana, amphetamine, methamphetamine, cocaine, opiates, and phencyclidine (PCP); and (ii) for adulterants: nitrite.
Unless prohibited by applicable law, SP must conduct a background check of each SP staff member prior to starting work on a Thomson Services project. The background check must, at a minimum include:
(i) confirmation of prior work experience and reference check with the individuals most recent employer;
(ii) criminal background check in each county where the individual resided, going back a period of seven years and inclusive of felonies and misdemeanors, (including crimes involving violence, fraud, theft, dishonesty or breach of trust), and conducted at the highest county level court in that county, subject to limitations and customary practices of the background check process in the countries in which the individual resides, particularly non-US residents;
(iii) if applicable, confirmation of eligibility of the individual to work in the U.S.A (includes checking lists maintained by the U.S.A. government of persons or entities with whom any U.S.A. person or entity is prohibited from conducting business) and confirmation that SP has no knowledge that any illegal immigrant will be used to perform the Services; and
(iv) if the Services require the individual to operate a motor vehicle, a Department of Motor Vehicle check in each state that the individual resided in for the past seven years. For non-U.S. based SP staff, the parties will agree upon similar background checks as may be available in the country where the staff is based.
SP shall cause each screen or check of the SP staff member performing Services for Thomson to have been completed no earlier than 90 days prior to the start date. If a SP staff member is returning to an assignment at Thomson, there can be no more than a 90-day period from the end of the previous assignment to the beginning of the new assignment without performing a new drug or criminal background check. SP shall not assign and shall immediately remove if they were assigned, staff members who have failed the background check or produced a positive drug screen result. For staff members already assigned to Thomson projects, SP shall immediately notify in writing the Thomson Relationship Manager of those staff members who have failed the background check or produced a positive drug screen result. In addition to the foregoing, SP will provide a written pass/fail status of all checks and screens at the request of Thomson.
3. Section 2 Provision of Services and Work Product is amended to add as a new section 2.15 as follows:
2.15 SP acknowledges that it is not presently excluded or debarred from participating in any Federal health care program, including Medicare, Medicaid, CHAMPUS, maternal and child health block grants, and social service block grants. Further, SP represents that it has not received from the Office of Inspector General any notice of intent to exclude, notice of exclusion or notice of proposal to exclude. SP agrees to provide immediate written notice to Thomson in
2
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
the event the party is excluded or debarred from any Federal health care program or receives any notice of intent to exclude, notice of exclusion, or notice of proposal to exclude prior to the
delivery of all goods or services to be provided hereunder. SP agrees that it shall not employ or subcontract for provision of any of the goods or services to be provided hereunder with any individual or entity which is excluded or debarred from participation in any Federal health care program.
4. Section 6 Confidentiality is amended to delete and replace Section 6.1 with the following:
6.1 Exhibit H contains terms and conditions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. §§ 160-164 that apply to SPs use, disclosure, exchange, creation and storage of Protected Health Information (as defined in 45 C.F.R. § 164.501) (PHI) on behalf of Thomson or its customers. SP agrees to comply with the provisions of Exhibit H, as well as any other applicable laws regarding the privacy and confidentiality of PHI and other Confidential Information received from Thomson. If and to the extent that any other non-Protected Health Information Confidential Information is exchanged between the parties, the following terms of Section 6 shall apply with respect to such Confidential Information.
With regard to SP Confidential Information disclosed under this Agreement and any Statement of Work, Thomson shall be deemed to be the Receiving Party and SP shall be deemed to be the Disclosing Party. With regard to Thomson Confidential Information disclosed under this Agreement or any Statement of Work, SP shall be deemed to be the Receiving Party and Thomson shall be deemed to be the Disclosing Party. Confidential Information shall be deemed to be SP Confidential Information when Thomson is the Receiving Party, or Thomson Confidential Information when SP is the Receiving Party. The Receiving Party shall hold all Confidential Information of the Disclosing Party at all times in trust and confidence, shall take all appropriate action to ensure the confidentiality and security of the Disclosing Partys Confidential Information, and shall treat the Disclosing Partys Confidential Information with the same degree of care that it uses to protect its own most confidential information of like kind and value, but in no case less than a reasonable degree of care. Without Disclosing Partys express written authorization, Receiving Party shall not use Confidential Information for its own benefit or for the benefit of any party other than Disclosing Party, and shall not duplicate or disclose the Confidential Information in any manner to any other party other than such of its Personnel or employees who have a need to know such information solely in connection with the express purposes of this Agreement. In no event shall SP use Thomson Confidential Information to Thomsons detriment. Receiving Party shall not, and shall not assist others to, disassemble, decompile, reverse engineer or otherwise attempt to recreate Confidential Information. Notwithstanding the foregoing, from time to time, Disclosing Party may require that any Confidential Information held by Receiving Party be returned to Disclosing Party, or destroyed or erased by Receiving Party, at Disclosing Partys option.
5. Section 6 Confidentiality is amended to delete and replace Section 6.6 with the following:
6.6 The obligation to treat information as Confidential Information shall not apply to: (i) information received independently from a third party by the Receiving Party, which third party is not under a confidentiality obligation to Disclosing Party with regard to such information; (ii) information in the possession of the Receiving Party prior to the Effective Date other than by reason of the Services to be performed or received pursuant to this Agreement; (iii) information that is or becomes generally available through no wrongful act of either party or (iv) information
3
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
that is independently developed by or for the Receiving Party without benefit of the Disclosing Partys Confidential Information; provided that, for each of the foregoing exceptions, the
Receiving Party provides the Disclosing Party with written documentation evidencing the same upon request of the Disclosing Party. Notwithstanding any provision in this Agreement to the contrary, any individually identifiable health information shall be considered Confidential Information.
6. Section 10 Insurance Coverage; Limitation of Liability is amended to delete and replace Section 10.5 with the following:
10.5 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, THE ABOVE LIMITS SET FORTH IN SECTION 10.2 AND SECTION 10.3 SHALL NOT APPLY TO LIABILITY ARISING FROM SPS BREACH OF SECTION 2.12, 4.2, 4.4, 4.7, 6, 7 OR 13 OF THIS AGREEMENT AND LIABILITY ARISING FROM SPS OBLIGATIONS UNDER SECTION 8 OF THIS AGREEMENT. THE ABOVE LIMITS SET FORTH IN SECTION 10.2 AND SECTION 10.4 SHALL NOT APPLY TO LIABILITY ARISING FROM THOMSONS BREACH OF SECTION 6 OR 7.4 OF THIS AGREEMENT AND LIABILITY ARISING FROM THOMSONS OBLIGATIONS UNDER SECTION 8.6. BOTH PARTIES AGREE THAT THOMSONS REASONABLE COSTS OF COVER UPON A TERMINATION FOR UNCURED MATERIAL BREACH SHALL BE DEEMED TO BE DIRECT DAMAGES FOR PURPOSES OF THIS AGREEMENT.
7. Section 11 Term and Termination is amended to delete and replace Section 11.1 with the following:
11.1 The Term of this Agreement begins on the Effective Date and shall continue through September 9, 2009 (the Initial Term). After the Initial Term, Thomson may renew this Agreement for three consecutive one-year terms (Renewal Term), each such renewal only upon the prior written consent of SP. Thomson may elect not to renew this Agreement by providing SP with notice of such non-renewal at least thirty (30) days prior to the commencement of any Renewal Term. Notwithstanding the foregoing, the Agreement continues to govern any SOW outstanding at the time of termination as if it had not been terminated.
8. Section 11 Term and Termination is amended to delete and replace Section 11.10 with the following:
11.10 Upon termination of all SOWs that are outstanding with respect to a Thomson Line of Business or LOB (as defined below) in connection with a complete termination of the relationship and all engagements between SP and such LOB, a (LOB Termination Event), for any reason, and at such LOBs request pursuant to written notice to SP by such LOB of any such LOB Termination Event as set forth in the Agreement (LOB Termination Notice), SP shall cooperate to transition the applicable Services to such LOB or to a third-party chosen by the LOB, for a period not to exceed one hundred eighty days. Upon a LOB Termination Event and receipt by SP of a LOB Termination Notice, to facilitate such transition, the LOB, may, in its sole discretion, make offers to hire any of SPs Personnel solely for hire by the [****** ************************************************************************************************* *************************************************************************************************
4
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
************************************************************************************************* **********************.]
(a) [***]
(b) [***]
(c) [***]
(d) [***]
[****]
9. Section 13 Data Protection and Security is amended to delete and replace in its entirety with the following:
13.1 SP shall maintain a security plan (Security Plan) that meets the minimum standards defined in Exhibit I, Thomson Information Security Requirements (as updated by Thomson from time to time). In addition, such Security Plan will, at all times, comply with such reasonable minimum security standards required by applicable law. The Security Plan shall include without limitation SPs Outsourcing Centers. Upon approval by Thomson, the Security Plan is incorporated into the Agreement. SP shall, at least once annually, (i) update the Security Plan; and (ii) engage a third-party auditor to audit the Security Plan as it directly relates to, or covers Thomson (if covered in a general audit). SP shall promptly provide the results of each audit to Thomson that relates to Thomson, its plans for remediation (if necessary), and the results of any such remediation. SP shall make all requests for access to Thomson facilities or systems to the Thomson Relationship Manager.
SP shall be responsible for any and all security breaches of those systems that it manages, maintains, or uses in respect of the Services. SP shall use commercially reasonable efforts in managing its Security Plan and related policies. SP shall, as may be specified in a SOW, operate and maintain such audit and tracking software as Thomson may request from time to time.
13.2 SP shall maintain a business continuation plan (Business Continuation Plan or BCP) that meets the minimum standards specified in Exhibit J, Business Continuation Plan Requirements of Suppliers (as updated by Thomson from time to time). Upon approval by Thomson, the BCP is incorporated into the Agreement. The BCP shall include without limitation SPs Outsourcing Centers. SPs BCP shall ensure that SP can cause reasonable resumption of providing Services to Thomson within acceptable industry standards (but not later than 48 hours from the time of interruption) and with no loss of Thomson data. SP shall test the operation and effectiveness of its BCP no less frequently than indicated in the Exhibit J and SP shall promptly provide the results of such tests to Thomson, its plans for remediation (if necessary), and the results of such remediation. SP will use commercially reasonable efforts to make the necessary improvements to its BCP based on the results of its testing and SPs reasonable judgment.
10. Section 19 Miscellaneous is amended to delete and replace section 19.9 with the following:
19.9 [**********************************], the parties agree that neither SP nor the Thomson entity or division for which any SP resources have performed services under a SOW
5
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
shall directly or indirectly hire, or engage as a consultant/employee, (i) with respect to SP, any Thomson resource who performed services under such SOW, and (ii) with respect to Thomson, any SP Restricted Personnel as defined in Section 2.12, in each case, during the term of such SOW and for a period of [*] months thereafter. Nothing contained herein shall prevent either party or any of their affiliates or Affiliated Entities from hiring any such employee who responds to a general hiring program that is conducted in the ordinary course of business and is not specifically directed to or attempting to solicit such employees.
11. Section 19 Miscellaneous is amended to add as a new section 19.10 as follows:
19.10 Pursuant to the Federal Acquisition Regulation (FAR) 44.402 (Oct 1995) (which governs contracting for commercial items), the FAR provisions listed below apply to a Services order at the dollar thresholds indicated, if the Services order is identified as a subcontract under a U.S. Government Prime Contract.
All Services orders:
52.222-26 Equal Opportunity
Services orders over $10,000:
52.222-35 Affirmative Action for Disabled Veterans and Veterans of the Vietnam Era
52.222-36 Affirmative Action for Workers with Disabilities
Services orders over $500,000
52.219-8 Utilization of Small Business Concerns
52.219-9 Small Business Subcontracting Plan
Unless exempted, Section 202, paragraphs 1-7 of Executive Order 11246 as amended, and the affirmative action clauses as set forth in 41 C.F.R. 60-741.4 (for contracts over $2,500), 41 C.F.R. 60-250.4 (for contracts over $10,000) and 41 C.F.R. 61-250.10 (requiring the annual reporting of Vietnam era and special disabled veterans) are incorporated herein by reference.
12. Section 19 Miscellaneous is amended to add as a new section 19.11 as follows:
19.11 SP agrees to provide access to its training programs and training facilities in India for use by Thomson SP agrees to allow Thomson use of its facilities for work as set forth under a SOW and if applicable, SP agrees that SPs Personnel may work at Thomson facilities in India as further set forth in the applicable Statement of Work. Notwithstanding anything to the contrary, the number of Thomson resources that shall have access and use of SP facilities, whether for training or work, shall not exceed 15 Thomson resources, in the aggregate, at any point in time, unless expressly agreed to in writing by SP.
13. The following Exhibits attached to the Amendment are hereby incorporated into and made a part of the Agreement:
Exhibit H - HIPAA Terms and Conditions
Exhibit J - Business Continuation Plan
14. Exhibit I - Thomson Information Security Requirements, attached to the Amendment, is hereby incorporated into the Agreement and replaces in their entirety Exhibits D, E, F, and G.
6
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
This Amendment shall not constitute a waiver, amendment or modification of any other provision of the Agreement not expressly referred to herein. Except as expressly amended herein, the provisions of the Agreement are and shall remaining full force and effect in accordance with their terms. This Amendment shall in all respect be integrated and construed in accordance with and governed by the laws of the State of New York without regard to its principles governing conflicts of law, regardless of the place of its, execution or performance.
IN WITNESS WHEREOF, the parties hereto have caused this Amendment to be effective of the Amendment Effective date.
THOMSON HEALTHCARE INC. |
| VIRTUSA CORPORATION | ||
| ||||
By: /s/ Frank Licata |
| By: /s/ Dan Smith | ||
|
|
| ||
Name: Frank Licata |
| Name: Dan Smith | ||
|
|
| ||
Title: SVP CTO |
| Title: COO | ||
7
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
EXHIBIT H
to the
MASTER SERVICES AGREEMENT
Dated September 9, 2004, as amended
Between Virtusa and Thomson
HIPAA TERMS AND CONDITIONS
Thomson may be considered a business associate of Thomson customers under the Privacy and Security Rules and regulations promulgated under HIPAA. Pursuant to separate agreements, on behalf of Thomson customers, Thomson performs or assists in the performance of functions and activities involving the use and disclosure of Individually Identifiable Health Information (as defined in 45 C.F.R. § 164.501). Thomsons provision of these services may involve the disclosure of Individually Identifiable Health Information by a Thomson customer (or another business associate of a Thomson customer) to Thomson. This Agreement is intended to meet the requirements of HIPAAs Privacy and Security Rules, and will govern the terms and conditions under which SP, as Thomsons contractor, may create, use or receive PHI on behalf of Thomson and Thomson customers.
A. Definitions:
Unless otherwise described in this Agreement, all terms used herein shall have the same meaning as in the Privacy Rule and the Security Rule under HIPAA as applicable and the corresponding implementing regulations, as amended from time to time. Also, as used herein, Secretary means the Secretary of the Department of Health and Human Services.
B. Obligations and Activities of SP:
1. SP agrees not to use or disclose PHI other than as permitted or required by this Exhibit or as required by law.
2. SP at all times, agrees to maintain and use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Furthermore, SP agrees to implement and use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information (EPHI), as defined in 45 C.F.R 160.103, it creates, receives, maintains or transmits on behalf of the Thomson to prevent use or disclosure of such EPHI.
3. SP agrees to mitigate, to the extent practicable, any harmful effect that is known to SP of a use or disclosure of PHI by SP in violation of the requirements of this Exhibit.
4. SP agrees to report to Thomson any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware. Furthermore, SP agrees to report to Thomson any security incident involving EPHI of which it becomes aware.
5. SP agrees to ensure that any agent, including a lower-tier subcontractor, to whom it
8
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
provides PHI received from, or created or received by SP on behalf of Thomson, agrees to the same restrictions and conditions that apply through this Exhibit to SP
with respect to such information. Furthermore, SP agrees to ensure that its agents, including a lower-tier subcontractor, implement reasonable and appropriate safeguards for the PHI received from or on behalf of the SP.
6. SP agrees to provide access, at the request of Thomson, to PHI received by the SP in the course of performance, to Thomson or, as directed by Thomson, to an individual in order to meet the requirements under 45 CFR 164.524.
7. SP agrees to make any amendments to PHI in a designated record set that the Thomson directs or agrees to make pursuant to 45 CFR 164.526 at the request of Thomson or an individual.
8. SP agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by SP on behalf of the Thomson, available to the Thomson, or to the Secretary for purposes of the Secretary determining a Thomson customers compliance with the Privacy Rule.
9. SP agrees to document such disclosures of PHI and information related to such disclosures as would be required for a Thomson customer to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
10. SP agrees to provide to Thomson or an individual information collected under this Agreement, to permit a Thomson customer to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
C. Permitted Uses and Disclosures by SP
Except as otherwise limited in this Agreement, SP may
(a) Use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of SP;
(b) Disclose the PHI in its possession to a third party for the purpose of SPs proper management and administration or to fulfill any legal responsibilities of SP, provided that the disclosures are required by law or SP has received from the third party reasonable assurances that (i) the information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (ii) the third party will notify SP of any instances of which it becomes aware in which the confidentiality of the information has been breached
D. Obligations of Thomson
1. Thomson shall notify SP of any limitations in the notice of privacy practices of any Thomson customers in accordance with 45 CFR 164.520, to the extent that such limitation may affect SPs use or disclosure of PHI.
2. Thomson shall notify SP of any changes in, or revocation of, permission by individual to use or disclosure PHI, to the extent that such changes may affect SPs
9
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
use or disclosure of PHI.
3. Thomson shall notify SP of any restriction to the use or disclosure of PHI that a Thomson customer has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect SPs use or disclosure of PHI.
E. Permissible Requests by Thomson
Thomson shall not request SP to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by a Thomson customer.
F. Term of Exhibit.
1. The term of SPs obligations as provided in this Exhibit shall be effective as of the effective date of the Agreement and shall terminate when all of the PHI provided by Thomson to SP, or created or received by SP on behalf of Thomson, is destroyed or returned to Thomson, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Exhibit.
2. Upon Thomsons knowledge of a material breach by SP, Thomson shall either:
a. Provide an opportunity for SP to cure the breach or end the violation. Consistent with the termination provisions of this Agreement, Thomson may terminate this Agreement if the SP does not cure the breach or end the violation within the time specified by Thomson;
b. Consistent with the termination provisions of this Agreement, terminate this Agreement if SP has breached a material term of this Exhibit and cure is not possible; or
c. If neither termination nor cure is feasible, Thomson shall report the violation to any affected Thomson customers.
3. Effect of Termination.
a. Except as provided in paragraph (b) of this section, upon termination of this Agreement for any reason, SP shall return or destroy all PHI received from Thomson, or created or received by SP on behalf of Thomson. This provision shall apply to PHI that is in the possession of lower-tier subcontractors or agents of SP. SP shall retain no copies of the PHI.
b. In the event that SP determines that the returning or destroying the PHI is infeasible, SP shall provide to Thomson notification of the conditions that make return or destruction infeasible. Upon such notice that return or destruction of PHI is infeasible, SP shall extend the protections of this Exhibit to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as SP maintains such PHI.
G. Miscellaneous.
1. A reference in this Exhibit to a section in the Privacy Rule means the section as in
10
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
effect or as amended.
2. The Parties agree to take such action as is necessary to amend this Exhibit from time to time as is necessary for Thomson customers to comply with the requirements of the Privacy and Security Rules and the Health Insurance Portability and Accountability Act of 1996, PL 104-191.
3. The respective rights and obligations of SP under this Exhibit shall survive the termination of the Agreement.
4. Any ambiguity in this Exhibit shall be resolved to permit Thomson and Thomsons customers to comply with the Privacy and Security Rules.
11
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
EXHIBIT I
to the
MASTER SERVICES AGREEMENT
Dated September 9, 2004, as amended
Between Virtusa and Thomson
THOMSON INFORMATION SECURITY REQUIREMENTS
These security requirements pertain to organizations outside of Thomson which will be providing information services to, or on behalf of, Thomson.
I. NETWORKS
1. Firewalls which meet International Computer Security Association (ICSA) Labs or Trust Technology Assessment Program (TTAP) certification shall be used to protect all networks and servers hosting Thomson information from hostile networks. This requirement must be implemented before going into production.
2. Network-based intrusion detection (IDS) shall be used to monitor all networks on which servers hosting Thomson information are located. This requirement shall be implemented within thirty (30) day of the Amendment Effective Date.
II. OPERATING SYSTEMS
1. Host-based intrusion detection (IDS) shall be used to monitor server(s) on which Thomson information is hosted. This requirement shall be implemented within thirty (30) day of the Amendment Effective Date.
2. All servers hosting Thomson information and/or providing services on behalf of Thomson shall run common, industry standard anti-virus software with real-time signature updates enabled.
3. Service SP shall have a documented patch management program.
III. VULNERABILITY MANAGEMENT
1. Vulnerability assessment and/or penetration testing using commercial products and/or services of all network subnet(s) and servers hosting Thomson information shall be conducted at least semi-annually.
2. Remediation of critical and service affecting vulnerabilities shall be completed within 90 days of discovery.
IV. APPLICATIONS
1. Vulnerability assessment and/or penetration testing using commercial products and/or services of all applications processing Thomson information shall be conducted at least annually, at Thomsons cost and expense.
12
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
2. Service SP shall have a documented patch management program, and shall use all commercially reasonable efforts to adhere to application vendors recommended best practices.
V. ENCRYPTION
Definition: Strong encryption is defined as the use of 1024-bit or greater keys for public keys and 128-bit or greater length keys for symmetric keys. AES is the preferred cipher with 3DES being acceptable if AES is not available. Under no circumstances should proprietary or secret cipher algorithms be utilized. Use of any other ciphers must be reviewed by the market group security department.
1. In all cases where personal information is collected from a customer or a Thomson employee Secure Sockets Layer (SSL, version 3.0 required) session encryption shall be used to protect the privacy of that information during collection and transit.
2. Use of SSL shall be with Strong Encryption using a Global Server ID from VeriSign or GeoTrust.
3. All personal information collected from a customer or a Thomson employee shall be stored encrypted, using strong encryption.
4. If Thomson employees login to a server (e.g., to upload content, or to perform any administrative function), then that logon shall utilize session encryption to protect authentication information (e.g., username + password). This session encryption may be SSL, Secure Shell (SSH), SFTP or similar. Use of insecure means for logon (i.e., username + password transmitted in the clear) is not acceptable (e.g. telnet, ftp).
VI. ACCESS CONTROL
1. All systems hosting Thomson information and/or providing services on behalf of Thomson shall be maintained in a secured data center environment that is commercially reasonable and is intended to ensure an unbroken barrier to unauthorized access.
2. Access to all systems hosting Thomson information and/or providing services on behalf of Thomson shall be actively controlled through the use of physical and logical access control systems which uniquely identify each individual requiring access, grant access based on least privileges best practices, and log all relevant access events.
3. Each person requiring access shall be issued a unique non-transferable system ID which will be revoked upon termination of employment or when access to Thomson related systems is no longer required.
VII. INCIDENT RESPONSE
1. Service SP shall have a security incident response plan that will provide reports and notifications to appropriate IT security managers on any suspected unusual activity that may represent a potential security threat. Any and all security breaches to systems hosting Thomson information and/or providing services on behalf of Thomson shall be reported to Thomson immediately.
13
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
VIII. SECURITY PROGRAM
SP will have a data security program, including policies and procedures, in place that documents the physical, technical and administrative safeguards and controls that SP shall use to project the security and integrity of the Data. Such safeguards and controls will, at a minimum be commercially reasonable and shall include policies and procedures that define protections for Data that SP personnel (as defined below) must follow for
access to Data. At a minimum such policies and procedures will include individual employee responsibilities for protecting Data and permitted uses of such Data, including but not limited to, the limitations on use of Data to the engagement on which the employee is working and limitations on access to detailed Data as set forth below.
The Data Security Program will provide reasonable assurance that:
1. The organization structure provides a division of responsibilities within SP.
2. Implementations or changes to new or existing operating systems/hardware are authorized, tested, documented, and approved prior to being implemented.
3. Implementations of new applications and changes to existing applications are authorized, tested, version controlled, documented, and approved prior to being implemented.
4. Logical access for internal company personnel to operating systems, applications and data files is restricted to authorized individuals and programs.
5. Logical access by customers and their representatives to applications and information is limited to customer-approved individuals.
6. Physical access to the data center, headquarters and off-site storage is restricted to authorized individuals.
7. Critical systems are backed up and monitored for performance and capacity metrics.
IX. EMPLOYEES OBLIGATIONS
All SP personnel (deemed to include SP employees as well as individuals who are agents or independent contractors of SP) who have access to Thomson data shall be bound by SPs Code of Conduct. All employees and contractors who have access to Thomsons data and are assigned to work on Thomsons clients, shall attend an initial training program on SPs Confidentiality and Security policies and shall be trained not less than annually on the security policies. Upon request by Thomson, SP shall make available for onsite review an overview of SPs current security policies. SP will promptly notify
14
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
Thomson of any material changes to the policies and procedures that would reasonably be considered to weaken or relax such policies and procedures.
X. CERTIFICATION AND AUDIT RIGHTS
During the term of this Agreement, Thomson may request, once per calendar year, to certify SP is in full compliance with the terms of this Agreement.
15
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
EXHIBIT J
to the
MASTER SERVICES AGREEMENT
Dated September 9, 2004, as amended
Between Virtusa and Thomson
BUSINESS CONTINUATION PLAN
To be agreed.
16
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
Amendment No. 3 to the Master Services Agreement
This Amendment No. 3 (the Amendment) is effective as of March 1, 2008 and hereby amends the Master Services Agreement (Agreement) dated as of September 9, 2004, as amended by and between Thomson Healthcare Inc. (Thomson) and Virtusa Corporation (SP). Any capitalized term not defined herein shall have the meaning given it in the Agreement.
FOR VALUABLE CONSIDERATION, the parties agree as follows:
1.
[**************************************************************************************** ************************************************************************************************* ***********************************.]
2.
[**************************************************************************************** ************************************************************************************************* ************************************************************************************************* ************************************************************************************************* ************************************************************************************************* ****************************************************.]
3.
[**************************************************************************************** ************************************************************************************************* ************************************************************************************************* ************************************************************************************************* ************************************************************************************************* ***************.]
a. [***.]
b. [***.]
4.
[*****************************************************************
1
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
************************************************************************************************* *************************************************************************************************
************************************************************************************************* ************************************************************************************************* *************************************.]
5.
[***************************************************************************************** *************************************************************************************.]
· [************
· *********
· ***********
· ************
· *********]
5. Except as specifically modified or amended by this Amendment, the terms and conditions of the Agreement shall remain in full force and effect. In the event of any conflict between the terms and conditions of this Amendment and the Agreement, the terms and conditions of this Amendment shall take precedence over the Agreement.
IN WITNESS WHEREOF, each of the parties hereto has caused the Amendment to be executed by a duly authorized representative.
Thomson Healthcare Inc. |
| Virtusa Corporation |
|
|
|
/s/ Frank Licata |
| /s/ Thomas Holler |
Signature |
| Signature |
Frank Licata |
| Thomas Holler |
Name |
| Name |
SVP CTO |
| CFO |
Title |
| Title |
2
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
AMENDMENT No. 4
to the
Master Consulting Services Agreement (as amended, the Agreement)
Dated September 9, 2004 Between
Virtusa Corporation (Virtusa)
and
Thomson Reuters (Healthcare) Inc. (TRH) (f/k/a/ Thomson Healthcare Inc.)
[Capitalized terms used but not defined herein have the meanings ascribed to them in the Agreement.]
WHEREAS, pursuant to Section 9.1 of the Agreement, the parties wish to establish [*************** *******************************************************************************************************]; and
NOW, THEREFORE, in consideration of the agreements and obligations set forth in the Agreement and this Amendment No. 4, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
1. Beginning on [***************] and ending on [************************************************************************************************ ************************************************************************************************* *******************************************************************************.]
2. All terms and conditions not specifically modified in this Amendment shall remain in full force and effect, and shall apply to this Amendment. In the event that there is any inconsistency or contradiction between the terms of the Agreement and this Amendment, the terms of this Amendment shall prevail.
1
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
IN WITNESS WHEREOF, the parties hereto have entered into this Amendment intending it to be effective as of June 1, 2009.
Thomson Reuters (Healthcare) Inc. |
| Virtusa Corporation | |||||
|
|
| |||||
|
|
| |||||
By: | /s/ John E. Thomas |
| By: | /s/ Paul Tutun | |||
| John E. Thomas |
|
| ||||
| Technology Counsel |
| Print: | Paul D. Tutun | |||
|
|
|
| ||||
|
| Title: | V.P & General Counsel | ||||
Date: | May 27,2009 |
|
|
| |||
|
| Date: | May 14, 2009 | ||||
2
PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS.
EXHIBIT No. 1
[***]
3