Loading...
HomeMy WebLinkAboutCAG2024-053 - Original - Wing Security, Inc. - Wing SaaS Security Posture Management (SSPM) - 01/19/2024 FOR CITY OF KENT OFFICIAL USE ONLY Sup/Mgr: Agreement Routing Form DirAsst: • For Approvals,Signatures and Records Management Dir/Dep: KENT This form combines&replaces the Request for Mayor's Signature and Contract Cover (optional) W A S H I N G T O N Sheet forms. (Print on pink or cherry colored paper) Originator: Department: Ikhra Mohamed IT Date Sent: Date Required: c 02/06/2024 02/20/2024 Q Mayor or Designee to Sign. Date of Council Approval: Q Q Interlocal Agreement Uploaded to Website N/A Budget Account Number Grant? Yes NoF71 T00011.64260.1800 Budget? Yes E]No Type: N/A Vendor Name: Category i Wing Security, Inc. Contract Vendor Number: Sub-Category: = 2539138 Original O Project Name: Wing SaaS Security Posture Management (SSPM) 3- Project Details: Procurement of SaaS Security Posture Management to monitor SaaS accounts, at a cost O of $88,080.80, including any applicable Washington State Sales Tax, under Mayor's signature authority. Purchase under new Platform as a Service (PaaS) Agreement. C Basis for Selection of Contractor: � AgreementAmoun • $$$,080.80 Direct Negotiation E __ Memo to Mayor must br 3- Start Date: O1/�9/2024 Termination Date: 1/18/2026 Q Local Business? Yes Fv—(]No*If meets requirements per KCC 3.70.100,please complete'Vendor Purchose-Local Exceptions"form on Cityspace. Business License Verification: ❑Yes In-Process❑Exempt(KCC 5.01.045) ❑✓ Authorized Signer Verified Notice required prior to disclosure? Contract Number: Yes ✓❑No CAG2024-053 Comments: 1 OK to sign, TW, 2/6/2024. c c Vf O O 3 � a, a, cc Date Received:City Attorney: 2/6/24 Date Routed:Mayor's Office2/7/24 City Clerk's Office 2/8/24 adccW22373_1_20 Visit Documents.KentWA.gov to obtain copies of all agreements rev.20221201 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 • KENT w^ � ° AGREEMENT FOR PLATFORM AS A SERVICE Between the City of Kent and Wing Security, INC. This Platform as a Service (PaaS) Agreement (Agreement) is between the CITY OF KENT (City or Customer or Client or User), a Washington Municipal Corporation located at 220 Fourth Avenue South, Kent, WA 98032 and WING SECURITY, INC. (Wing or Vendor or Company or Contractor), organized under the laws of the State of Delaware with its principal place of business at 181 Metro Drive Ste 290, San Jose, CA 95110, effective on the last date signed below. This Agreement is to obtain access to Vendor's products and services, on an as-needed basis, all of which will continue to be supported and maintained by Vendor under the terms of this Agreement. 1. Description of Work and Services Provided by Vendor. 1.1 Products and Services Provided. Vendor shall provide the City with those Vendor products, platform or software licenses, and maintenance services that the City determines are necessary for City operations, in accordance with the statement of work attached hereto as Exhibit A, or under any other proposal mutually agreed by the parties ("SOW"). Upon the City's request, Vendor will provide the City with a proposal that describes the platform, software, support, and/or maintenance services desired by the City, along with their total cost inclusive of Washington State sales tax. If the City accepts the pricing provided for in Vendor's proposal, Vendor shall provide those products and services under the terms provided for in the SOW attached to this Agreement. Upon acceptance of the proposal and SOW by the City, such proposal and SOW shall form an addendum to this Agreement and shall be subject to its terms and conditions. However, the proposal and SOW shall provide only for the stated product(s) and services and their associated cost; no additional purchase terms or contract provisions included on any Vendor proposal or within any SOW shall be given effect or shall otherwise alter the provisions of this Agreement or apply to the City's purchase. 1.2 Grant of License to Access and Use Platform, Products, and Services. For the term of this Agreement including any renewals subject to the SOW, Vendor hereby grants to City, including to all its Authorized Users under the SOW, a revocable, non-exclusive, non-sublicensable, non- assignable, royalty-free, and worldwide license to access and use the platform, products, and services Vendor makes available to the City through the SOW of this Agreement, which may include products and services accessible for use by the City on a subscription basis, Vendor professional services, content from any professional services, or other required equipment components or other required hardware (the "Services") for City's non-commercial government operations. The Services shall include those platforms, products, and services specified within Exhibit A, as well as any additional or future products and services that are added during the term (subject to the parties' mutual consent) of this Agreement under the process provided for in Section 1.1 of the Agreement. The City shall refrain from taking any steps such as reverse assembly or reverse compilation, to derive a source code equivalent to the Services as further described in Section 9.3. 1.3 Privacy Policy. In providing the Services under this Agreement, the City agrees to Vendor's privacy policy and data processing agreement attached and incorporated as Exhibit F and Exhibit G, respectively. 2. Term. The initial term of this Agreement shall be two (2) year(s), commencing on 1/19/2024 and expiring on 1/18/2026. This Agreement may be extended beyond this initial two-year term through the negotiation and execution of an amendment to this Agreement. Any reference in this Agreement to "days" shall mean "calendar days" unless a different meaning is expressly stated. AGREEMENT FOR PLATFORM AS A SERVICE Page 1 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 3. Subscription Fees/Taxes. 3.1 Subscription Fees. Subscription fees and payment terms for the Services ordered at the time this Agreement was originally signed are as set forth in the attached and incorporated Exhibit A and, for any additional Services provided by Vendor on an as-needed basis as set forth in Section 1.1 of the Agreement, the City agrees to pay any invoice issued by the Vendor that is consistent with a previously approved Vendor proposal, and upon the City's receipt and acceptance of such items as conforming to the terms of this Agreement. For any platform or software license or maintenance fees due for those Services, the Vendor shall invoice the City for those fees at least 30 days before the commencement of the term applicable to those license and maintenance fees. 3.2 Discount in Exchange for City Feedback. Vendor has not previously provided access to its platform, products, or services to any municipality within the State of Washington or the United States of America. In exchange for the City providing Vendor with feedback and other reasonable assistance to allow Vendor to tailor and improve its platforms, products, and services for municipal purposes, Vendor agrees to discount the cost charged to the City for access to Vendor's platform, products, or services under this Agreement by 20%. Further, in any renewal or extension of this Agreement, Vendor agrees that the cost for any platform, product, or other service purchased during the initial two-year term shall not increase by more than 7.5% percent in any renewal or extension term. 3.3 Undisputed Fees. Undisputed invoices shall be due and payable within 30 days following the City's receipt of an accurate invoice and acceptance of the product as conforming, whichever event occurs last. City shall notify Vendor in writing of any disputed amount within 15 business days of receipt of the applicable invoice. Portions of invoices that are subject to a good faith billing dispute shall not be considered delinquent for purposes of this Agreement. Disputed billings are subject to Section 16.2, Dispute Resolution. 3.4. Taxes. All contract amounts shall be inclusive of sales or other applicable taxes, and invoices shall include all tax obligations stated separately from the contract amounts. City shall pay all applicable sales, use, value added or similar taxes to Vendor and Vendor shall remit all such taxes, if imposed by local and/or state authorities on all platform, software, and other taxable goods and services procured by the City under this Agreement. 3.5 Card Payment Program. The Vendor may elect to participate in automated credit card payments provided for by the City and its financial institution. This Program is provided as an alternative to payment by check and is available for the convenience of the Vendor. If the Vendor voluntarily participates in this Program, the Vendor will be solely responsible for any fees imposed by financial institutions or credit card companies. The Vendor shall not charge those fees back to the City. 4. System Availability and Support Services. The Services shall be available to the City along with support services as described in the attached and incorporated Exhibit B. S. Representation and Warranties. 5.1 Mutual Representations and Warranties. Each Party represents and warrants to the other Party that (a) such Party has the required power and authority to enter into this Agreement and to perform its obligations hereunder, and shall have obtained and continue to maintain all licenses, permits, and certifications required for such Party in connection with the performance of this Agreement; (b) the execution of this Agreement and performance of its obligations hereunder do not and will not violate any other agreement to which it is a party; and (c) this Agreement constitutes a legal, valid, and binding obligation when signed by both Parties. AGREEMENT FOR PLATFORM AS A SERVICE Page 2 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 5.2 Vendor Warranties and Representations. Vendor represents and warrants that the Services will be performed in a professional and workmanlike manner, consistent with applicable industry standards and the corresponding specifications set forth in the applicable Statement of Work and Service Level commitments. a. Deliverables. Vendor represents and warrants that each deliverable shall meet and confirm to its applicable specifications as provided herein following its acceptable and during the Term. Vendor also represents and warrants that the Services, in whole and in part, shall operate in accordance with the applicable configuration documentation, and this Agreement b.. Services. Vendor represents and warrants that (a) it shall perform the Services required pursuant to this Agreement in a professional manner, with high quality, and (b) it shall give due priority to the performance of the Services. C. Title Warranty and Warranty against Infringement. Vendor hereby warrants and represents that Vendor is the owner of the Services licensed hereunder, or otherwise has the right to grant to the City, the licensed rights to Vendor's Services through this Agreement without violating any rights of any third-party worldwide. Vendor represents and warrants that (i) Vendor is not aware of any claim, investigation, litigation, action, suit or administrative or judicial proceeding pending or threatened based on claims that Vendor's platform or software infringes or misappropriates any patents, copyrights, trade secrets or other intellectual property rights of any third-party; and (ii) Vendor's Services does not knowingly infringe upon or misappropriate any patents, copyrights, trade secrets or any other intellectual property rights of any third-party. d. Maintenance Services Warranty. Vendor warrants that, in performing the Services under the Agreement, Vendor shall substantially and materially comply with the descriptions and representations as to the Services, including performance capabilities, accuracy, completeness, characteristics, Statement of Work, configurations, standards, function, and requirements, which appear in this Agreement. e. Warranty of Compliance with Applicable Law. Vendor warrants the Services shall comply with all applicable federal, state and local laws, regulations, codes and ordinances to which it is subject. Vendor warrants that, throughout the Term of this Agreement, including any renewals, the Services shall comply with changes to and new applicable federal, state, and local laws, regulations, codes, and ordinances to which it is subject. Vendor represents and warrants that it shall comply with all applicable local, state, and federal licensing, accreditation, and registration requirements and standards necessary in the performance of the Services. f. Warranty of Services. General Responsibilities. Vendor warrants the Services for the term of this Agreement. Vendor shall provide Warranty Services as described in this Agreement at no additional cost to correct deficiencies in the Services and to repair and maintain the Services in accordance with the specifications, subject to the Service Level Agreement. Vendor's warranty service responsibilities shall include, but not be limited to the following: i. Promptly and diligently perform and reperform the Services which is not in compliance with documentation/specifications, representations, and warranties at no additional cost to the City; ii. Maintain the Services in accordance with the specifications and terms of this Agreement and meet all availability and system performance service levels as specified in this Agreement. In the event the Service requires failover activities, then Vendor shall be responsible for continuance of the Services and the City shall not be subject to additional costs unless otherwise specified in this Agreement. AGREEMENT FOR PLATFORM AS A SERVICE Page 3 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 iii. Promptly coordinate with the City all tasks related to correcting problems and deficiencies connected with the Services. iv. Not disable any City software, including Vendor's platform or software, without notice to and agreement by the City. V. If Vendor and/or City reasonably determines that Vendor is unable to remedy such deficiencies, Vendor or City may terminate the Agreement and Vendor shall issue a prorated refund to City of the fees previously paid by City to Vendor for any unused term of this agreement and fees from the date of termination. 6. City Data/Vendor Obligations. 6.1 Ownership and Use. City owns all of the information and materials that it submits, uploads or transfers, or causes to be submitted, uploaded, or transferred utilizing Vendor's Services (City's Data). 6.2 Data Protection. Vendor shall maintain and handle all of City's Data with commercially reasonable physical, electronic, and procedural safeguards to protect and preserve the confidentiality and security of City's Data (including personal information) in accordance with applicable data protection legislative requirements and as further described in Vendor's policies which should reflect the highest industry standards for privacy and security, which applicable policies are incorporated herein by reference. 6.3 Data Restrictions. Vendor shall restrict access to City Data to Vendor employees, affiliates' employees, or others who need to know that information to provide services to City. City Data shall be stored and hosted within the United States of America. Vendor will use City Data for the purposes described in this Agreement. Vendor will not sell, license, transmit or disclose this information outside of Vendor's business unless: (1) City expressly authorizes Vendor to do so; (2) it is necessary to allow Vendor's Licensors to perform services under this Agreement); (3) in order to provide Vendor's products or services to City; (4) otherwise as Vendor is required by law after written notice to City of such requirement. Notwithstanding the foregoing, Vendor is responsible for any disclosures of City Data by Vendor's Licensors made contrary to the terms of this Agreement. 6.4 Data Backup. Vendor shall protect City's data by having a backup system that includes running the Vendor's Services on geographically dispersed data centers with extensive backup, data archive, and failover capabilities. Disaster recovery plan shall include: (1) Data backup procedures that create multiple backup copies of City's data, in near real time, at the disk level; and (2) A multi- level backup strategy that includes disk-to-disk-to-tape data backup in which tape backups serve as a secondary level of backup, not as the primary disaster-recovery data source; or other data backup system providing at least the same or higher protection of City's Data in the event of a potential data loss. 7. Intellectual Property Ownership. Vendor (and its Licensors, where applicable) shall own all right, title and interest, including all related intellectual property rights, in and to the Service, the content, the platform, the software, and in its technology. This Agreement, does not convey to City any rights of ownership in or to the Vendor's Services, technology, platform, software, or the intellectual property rights owned by Vendor and its Licensors, where applicable. S. Non-Disclosure of Confidential Information. The Parties' obligations regarding non- disclosure of Confidential Information is contained in the attached and incorporated Exhibit C. All Confidential Information is and shall remain the property of its owner to the extent consistent with applicable law. The disclosure of Confidential Information to the other party does not grant to it any AGREEMENT FOR PLATFORM AS A SERVICE Page 4 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 express or implied right to or under any patents, copyrights, trademarks, or trade secret information except as otherwise provided herein. 9. City Obligations. 9.1 Hardware Obligations. Except for any equipment or hardware provided by Vendor under this Agreement, the provision and maintenance of which is part of Vendor's required performance under this Agreement, the City shall be responsible for obtaining and maintaining all other computer equipment, hardware, platform, software, and communications equipment needed to internally access and utilize the Services. 9.2 Anti-Virus Obligations. The City will use commercially reasonable efforts to safeguard against computer infection, viruses, worms, Trojan horses, and other code that manifest contaminating or destructive properties (collectively "Viruses") that may reasonably affect the performance of Vendor's platform and software. 9.3 Restricted Uses. The City will not: a. knowingly upload or distribute any files that contain viruses, corrupted files, or any other similar platform, software or programs that may damage the operation of the Services, b. modify, disassemble, decompile or reverse engineer the Services or pre-release equipment or hardware devices, platform, or software disclosed, C. copy, reproduce, resell or commercially exploit the Services, d. reverse engineer, decompile or disassemble any platform or software code and/or pre-release equipment or hardware devices disclosed. 10. Indemnification Obligations. 10.1 City Indemnification Obligations. Subject to Section 10.3 below, City shall defend, indemnify, and hold Vendor and its parent organizations, subsidiaries, Affiliates, officers, directors and employees harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys' fees and costs) arising out of or in connection with: (i) a third-party claim alleging that the use of City Data infringes the rights of, or has caused harm to, a third-party; (ii) a third-party claim alleging a breach of any of City's representations and warranties; or (iii) a third-party claim alleging City's use of Confidential Information or intellectual property rights of Vendor or its Licensors is in violation of this Agreement; (iv) third-party claim of injury or death to person or damage to property arising from City's negligence. 10.2. Vendor Indemnification Obligations. Subject to Section 10.3 below, Vendor shall defend, indemnify, and hold City and its elected officials, officers, employees, agents and attorneys harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys' fees and costs) arising out of or in connection with: (i) any breach by Vendor (or any of Vendor's employees, agents, subcontractors, or by anyone else for whose acts any of them may be liable) of any of the promises, agreements, representations, warranties, or insurance requirements contained in this Agreement; (i) a third-party claim alleging that the Vendor' Services, content, platform, software, or technology infringes or misappropriates the rights of, or has caused harm to, a third-party; (ii) a third-party claim alleging a breach of any Vendor representations and warranties in this Agreement; (iii) a third-party claim alleging Vendor's use of City Data is in violation of this Agreement; or (iv) a third-party claim alleging a breach of Vendor's confidentiality or data security obligations, that infringes the rights of, or has caused harm to, a AGREEMENT FOR PLATFORM AS A SERVICE Page 5 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 third-party, (v) third-party claim of injury or death to person or damage to property arising from Vendor's negligence. 10.3 As an express condition of the foregoing indemnification obligations, the parties hereby agree that: a. the indemnified party shall promptly notify the indemnifying party in writing for any claim for which indemnification is sought; b. the indemnified party shall cooperate with all reasonable requests of the indemnifying party (at the indemnifying party's expense) in defending or settling such claim. C. the indemnifying party shall be allowed to control the defense and settlement of such claim; d. the indemnifying party may not settle any claim that includes an admission of liability, fault, negligence or wrongdoing on the part of the indemnified party unless the indemnified party provides prior written consent, e. the indemnified party shall have the right, at its option and expense, to participate in the defense of any action, suit or proceeding relating to such a claim through counsel of its own choosing; f. each indemnified party will undertake commercially reasonable efforts to mitigate any loss or liability resulting from an indemnification claim related to or arising out of this Agreement. 11. Limitation of Liability 11.1. EXCEPT FOR CLAIMS ARISING FROM EITHER PARTY'S INDEMNIFICATION OBLIGATIONS, CONFIDENTIALITY AND SECURITY OBLIGATIONS, REPRESENTATIONS AND WARRANTIES, AND INTELLECTUAL PROPERTY INFRINGEMENT OBLIGATIONS, IN NO EVENT SHALL EITHER PARTY'S AGGREGATE LIABILITY WITH RESPECT TO ANY CLAIM ARISING OUT OF THIS AGREEMENT EXCEED THE PARTY'S STATED INSURANCE LIABILITY CAP. 11.2. NEITHER PARTY WILL BE LIABLE FOR BREACH-OF-CONTRACT DAMAGES SUFFERED BY THE OTHER PARTY THAT ARE REMOTE OR SPECULATIVE, OR THAT COULD NOT HAVE REASONABLY BEEN FORESEEN ON ENTRY INTO THIS AGREEMENT. 11.3. THE ABOVE LIMITATIONS WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY. 12. Insurance. Vendor shall maintain insurance that is sufficient to protect its business against all applicable risks, at a minimum as set forth in the attached and incorporated Exhibit D, "Insurance Requirements." Vendor shall promptly provide City with certificates of insurance to evidence Vendor's continued compliance with Exhibit D. 13. Termination of Agreement. 13.1 Termination for Convenience. Either party may terminate this Agreement without cause. In the event of such desire, the City may terminate upon giving the Vendor 60 days advance written notice of termination, and the Vendor upon giving the City 180 days advance written notice of termination. AGREEMENT FOR PLATFORM AS A SERVICE Page 6 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 13.2 Termination by City for Cause. In addition to any other rights granted to City in this Agreement or under law, City has the right to terminate this Agreement upon written notice due to: a. a material breach of a term, representation, or warranty under this Agreement (including a material breach under any incorporated attachment, addendum and/or exhibit to this Agreement) by Vendor of any of its subcontractors or licensors of services if such material breach is not remedied within 30 days following receipt of written notice from City; or b. a third-party's claim that Vendor's Services, content, data, infrastructure, professional services, technology, platform, software, or any other services and products provided to the City by Vendor or its subcontractors or Licensors or other third-parties and the intellectual property rights associated therewith, infringes upon such third-party's intellectual property rights. C. City Council fails to appropriate funds for payment of Vendor's products or services under this Agreement. d. Vendor files for protection under bankruptcy laws, makes an assignment for the benefit of creditors, appoints or suffers appointment of a receiver or trustee over its property, files a petition under any bankruptcy or insolvency act or has any such petition filed against it which is not discharged within 60 days of the filing thereof. 13.3 Termination By Vendor for Cause. In addition to any other rights granted to Vendor in this Agreement or under law, Vendor reserves the right, upon written notice to City, to terminate this Agreement due to: a. any undisputed amounts City owes that are delinquent greater than 90 days; or b. a material breach of the terms of this Agreement, other than a payment obligation, by City or its users if such breach is not remedied within 30 days following receipt of written notice of such breach from Vendor to City; or C. a third-party's claim that City's Data, and/or intellectual property infringes upon such third-party's rights. 13.4 No Suspension of Services. Provided City continues to timely make all undisputed payments, Vendor warrants that during the term of this Agreement, Vendor will not withhold Services provided herein, for any reason, including but not limited to a dispute between the parties arising under this Agreement, except as may be specifically authorized herein. 13.5 Effect of Termination. a. If City terminates for cause or Vendor terminates without cause, City will only be obligated to pay the amounts then due for services provided meeting Vendor's contractual commitments as calculated up to the date of termination and, if applicable, City will be reimbursed a prorated amount of unused, prepaid fees. b. If Vendor terminates for cause that City does not dispute or if City terminates without cause and a balance is still due on City's account, then City agrees that Vendor may bill City for such unpaid fees due up to the date of termination. C. In the event this Agreement terminates for any reason, Vendor shall provide the City a file of City's Data in a format acceptable (and at no cost) to City within 30 days of the effective date of termination. City shall have 60 days following termination to notify Vendor if litigation, laws, regulations, or other lawful process requires Vendor retain City's data beyond the AGREEMENT FOR PLATFORM AS A SERVICE Page 7 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 termination of this Agreement. City will thereafter promptly notify Vendor when such litigation, laws, regulations, or other lawful process no longer requires Vendor maintain the City's data. Vendor may dispose of City's data at Vendor's expense as permitted by law 61 days after termination, if City provides no notice otherwise; or after City notifies Vendor there are no laws, regulations, litigation, etc. requiring further retention. Retained data is subject to the confidentiality provisions of the Agreement. 14. Remedies. Termination of this Agreement shall not affect any right of action of either party prior to the termination being affected. All remedies shall be cumulative and may be exercised concurrently, or separately, which shall not be deemed to constitute an election of any one remedy to the exclusion of any other. In addition to any other remedy provided for herein, or at law or equity, City shall have the right to recover from Vendor all damages reasonably caused by default of any representation or warranty. This paragraph shall not limit City's right to pursue any other remedy available to it in law, at equity or pursuant to this Agreement. 15. Non-Discrimination. In the hiring of employees for the performance of this Agreement or any subcontract, the Vendor, its subcontractors, or any person acting on behalf of the Vendor shall not, by reason of race, religion, color, sex, age, sexual orientation, national origin, or the presence of any sensory, mental, or physical disability, discriminate against any person who is qualified and available to perform the work to which the employment relates. The Vendor shall execute the City of Kent Equal Employment Opportunity Policy Declaration, Comply with City Administrative Policy 1.2, and upon completion of the contract work, file the Compliance Statement, all attached and incorporated as Exhibit E. 16. General Provisions 16.1 Governing Law and Venue. The Agreement will be governed by the laws of Washington and its choice of law rules. Vendor irrevocably consents to the exclusive personal jurisdiction and venue of the federal and state courts located in King County, Washington, with respect to any dispute arising out of or in connection with the Agreement and agrees not to commence or prosecute any action or proceeding arising out of or in connection with the Agreement other than in the aforementioned courts. 16.2. Dispute Resolution. The City and Vendor desire, if possible, to resolve disputes, controversies and claims (Disputes) arising out of this Agreement without litigation. To that end, upon written notification of dispute by a party to the other, each party shall appoint a knowledgeable, responsible management representative to meet and negotiate in good faith to resolve any Dispute arising under this Agreement. If the parties are unable to settle any Dispute, the exclusive means of resolving that Dispute shall only be by filing suit as provided for under Section 16.1, unless the parties agree in writing to an alternative dispute resolution process. 16.3 Severability. If any provision of the Agreement is held to be invalid or unenforceable for any reason, the remaining provision will continue in full force without being impaired or invalidated in any way. The City and Vendor agree to replace any invalid provision with a valid provision that most closely approximates the intent and economic effect of the invalid provision. 16.4. Nonwaiver. Any failure by either party to enforce strict performance of any provision of the Agreement will not constitute a waiver of its right to subsequently enforce such provision or any other provision of the Agreement. 16.5 No Assignment. Either party may assign this Agreement and all of its rights and obligations hereunder as part of a corporate reorganization, consolidation, merger, or sale of substantially all of its assets so long as said assignee accepts all of the respective Agreements rights and obligations of its predecessor as provided in this Agreement without limitation. Except as expressly stated in this Agreement, neither party may otherwise assign its rights or obligations under AGREEMENT FOR PLATFORM AS A SERVICE Page 8 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 this Agreement either in whole or in part without the prior written consent of the other party, and any attempted assignment or delegation without such consent will be void. 16.6 Notices. All communications regarding this Agreement shall be sent to the parties at the addresses listed on the signature page of the Agreement, unless notified to the contrary. Any written notice hereunder shall become effective three (3) business days after the date of mailing by registered or certified mail, and shall be deemed sufficiently given if sent to the addressee at the address stated in this Agreement or such other address as may be hereafter specified in writing. Either party may change its address by giving written notice of such change to the other party. 16.7 Legal Fees. In any claim or lawsuit for damages arising from the parties' performance of this Agreement, each party shall pay all its legal costs and attorney's fees incurred in defending or bringing such claim or lawsuit, including all appeals, in addition to any other recovery or award provided by law; provided, however, nothing in this paragraph shall be construed to limit either party's right to indemnification under Section 10 of this Agreement. 16.8. Force Majeure. Neither party shall be liable to the other for breach due to delay or failure in performance resulting from acts of God, acts of war or of the public enemy, riots, pandemic, fire, flood, or other natural disaster or acts of government ("force majeure event"). Performance that is prevented or delayed due to a force majeure event shall not result in liability to the delayed party. Both parties represent to the other that at the time of signing this Agreement, they are able to perform as required and their performance will not be prevented, hindered, or delayed by the current COVID-19 pandemic, any existing state or national declarations of emergency, or any current social distancing restrictions or personal protective equipment requirements that may be required under federal, state, or local law in response to the current pandemic. If any future performance is prevented or delayed by a force majeure event, the party whose performance is prevented or delayed shall promptly notify the other party of the existence and nature of the force majeure event causing the prevention or delay in performance. Any excuse from liability shall be effective only to the extent and duration of the force majeure event causing the prevention or delay in performance and, provided, that the party prevented or delayed has not caused such event to occur and continues to use diligent, good faith efforts to avoid the effects of such event and to perform the obligation. Notwithstanding other provisions of this section, the Vendor shall not be entitled to, and the City shall not be liable for, the payment of any part of the contract price during a force majeure event, or any costs, losses, expenses, damages, or delay costs incurred by the Vendor due to a force majeure event. Performance that is more costly due to a force majeure event is not included within the scope of this Force Majeure provision. If a force majeure event occurs, the City may direct the Vendor to restart any work or performance that may have ceased, to change the work, or to take other action to secure the work or the project site during the force majeure event. The cost to restart, change, or secure the work or project site arising from a direction by the City under this clause will be dealt with as a change order, except to the extent that the loss or damage has been caused or exacerbated by the failure of the Vendor to fulfill its obligations under this Agreement. Except as expressly contemplated by this section, all other costs will be borne by the Vendor. 16.9 Independent Contractor. City and Vendor intend that an independent Contractor relationship be created with this Agreement. Vendor shall not be considered an agent or employee of City for any purpose and the employees of Vendor are not entitled to any of the benefits that City provides for its employees. Nor shall this Agreement be evidence of a joint venture between Vendor and City. AGREEMENT FOR PLATFORM AS A SERVICE Page 9 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 16.10 Problem Notification. Each party will promptly notify the other in writing of any events or circumstances that will affect the performance of its obligations under this Agreement including the delivery of any deliverable or delay in completion of any of its obligations. Vendor shall notify City in writing of all material defects in the Services, whether discovered by other parties or by Vendor, within five (5) business days of their discovery and fix or replace the affected hardware, platform, or software within a commercially reasonable time. A defect is considered material if it has the potential to delay or inhibit the primary functionality of the Services or if said defect has the potential to corrupt City data. 16.11 Entire Agreement/Modification. This Agreement, together with all exhibits comprise the entire agreement between the parties and supersedes all prior or contemporaneous negotiations, discussions, or agreements, whether written or oral, between the parties regarding the subject matter contained herein. This Agreement may be amended, modified, or added to only by written instrument properly signed by both parties hereto. 16.12 Public Records Act. The Vendor acknowledges that the City is a public agency subject to the Public Records Act codified in Chapter 42.56 of the Revised Code of Washington and documents, notes, emails, and other records prepared or gathered by the Vendor in its performance of this Agreement may be subject to public review and disclosure, even if those records are not produced to or possessed by the City of Kent. As such, the Vendor agrees to cooperate fully with the City in satisfying the City's duties and obligations under the Public Records Act. 16.13 City Business License Required. Prior to commencing performance under this Agreement, Vendor agrees to provide proof of a current city of Kent business license pursuant to Chapter 5.01 of the Kent City Code. 16.14 Counterparts and Signatures by Fax or Email. This Agreement may be executed in any number of counterparts, each of which shall constitute an original, and all of which will together constitute this one Agreement. Further, upon executing this Agreement, either party may deliver the signature page to the other by fax or email and that signature shall have the same force and effect as if the Agreement bearing the original signature was received in person. IN WITNESS, the parties below execute this Agreement, which shall become effective on the last date entered below. All acts consistent with the authority of this Agreement and prior to its effective date are ratified and affirmed, and the terms of the Agreement shall be deemed to have applied. VENDOR: CITY: WING SECURITY INC. CITY`` OF KENT By: raw SU J vmfy BY:-1. — — - — Print Name: ran Senderovitz Print Name: Dana Ralph Its coo Its Mayor 1/31/2024 DATE: DATE: 02/08/2024 NOTICES TO BE SENT TO: NOTICES TO BE SENT TO: Wing Security, Inc. City of Kent -Information Technology 181 Metro Drive Ste 290 220 Fourth Avenue South San Jose, CA 95110 Kent, WA 98032 (503) 333-8638 (telephone) (253) 856-4601 (telephone) ran@win .securit email ITA kentwa. ov email AGREEMENT FOR PLATFORM AS A SERVICE Page 10 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 APP ,DVED AS TO FORM: oKeitILw Department Aa�'- Kent City Clerk AGREEMENT FOR PLATFORM AS A SERVICE Page 11 DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT A SCOPE OF WORK Wing Security Product Description s. Product Description 1.1 The WING Security SSPM Enterprise Tier Product provides the folioWng fun ckionalitF s: 1.1-1 Identification and Tracking:The produ ct identifies SaaS applications connected to the customer organ¢ation, along with associated users,permissions,and data shared with these applications- 1.1.2 Integration and Connectivity:Customers have the option to integrate the product with more than 25 different hula applications(Connectars)that share tokens,permissions,and authentication with other apps. 1.1.3 Client Extensions(E$gk s'r Optional client extensions scan employee devices for evidence of using additional applications. 1.1.4 Apps reputation Database:The product utikzes an extensive Apps Reputation Database that constantly tracks over 260,000(as of the date mentioned in this contract)apps for security, compiiance,and breaches. 1.1.5 Security-f]rtven Workflow: The product offers a suite of security-driiven workfbows that assist CISOs in remediating and reducing attack surfaces and responding to app breach events with precision and priority- 1.2 Use Cases:The product supports various use cases,used to automate and reduce the risk of the company from SaaS applications, including but not limited t-o: (a)Application43ased Risks: Reniediation of applicatior4ased risks(fnore than I different use cases) (b)User-Based Risks:Detection of user-based risks(more than 10 different use cases) (c)data-Based Risks: Identification of data-based risks with more than 5 most typical use cases (d)Updates and Customization:The product allows customers to easify customize their own woMows and automate them from within the syst,ern- These usage cases,automation-and insights are periodically updated to enhance security and ease of use. EXHIBIT B - SERVICE LEVEL AGREEMENT AND SUPPORT SERVICES (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 �:3VIN Security General Information Prepared By .lack Blumenthal Quote Number 00000169 Email jack@wing security Created Date 1/23/2024 Expiration Date 2/16/2024 Contact Name James Endicott Account Name City of Kent Email jendicott@kentwa gov Billing Address 220 4th Avenue South Billing Contact James Endicott Kent.WA 98032 Name United States Billing Contact Emaiijjendicott@kentwa gov Products&Services Product Code Product Name List Price Quantity Discount WING-SEC-T4 WING-SEC-T4 $50.00 1.000.00 20 00% 540.000 00 WING-SEC-T4 WING-SEC-T4 $50.00 1.000.00 20 00% 540,000.00 Subtotal 5100.000 00 Discount 20 00% Grand Total 580,000 00 Start Date 2/1/2024 Contract Length 24 months Payment Terms Net 30 Notes Including 10 1%Annual Sales Tax Year 1 540.000+54.040 sales tax=544.040 Year 2.$40,000+$4.040 sales tax=$44.040 Wing Platform Terms and Conditions Apply Customer Approval ��n �1 _ Wing Security Billing Address: Signature 0aA ,c,- \ Wing Security INC 181 Metro Dr Ste 290 Name Dana Ralph San Jose.CA 95110 Title Mayor Date 02/12/2024 EXHIBIT B — SERVICE LEVEL AGREEMENT AND SUPPORT SERVICES (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT B MAINTENANCE AND SUPPORT SERVICES 1. Maintenance Services. 1.1. Wing will provide Subscriber with remedial and preventive maintenance and support services to the Platform, as provided in and subject to the terms set forth in Wing's SLA (the "SLA") as detailed herein ("Maintenance Services") to keep the most current release of the Platform in good operating condition, and subject to the terms of the Software-as-a-Service Agreement, Entered between the Subscriber and Wing(the "Agreement"). 1.2. Wing's obligation to provide Maintenance Services is dependent upon: (i)the Agreement being in effect; and (ii) the performance by Subscriber of all of its obligations set forth in the Agreement and the obligations set forth herein. 1.3. Without derogating from the provisions of the SLA, Wing shall not be obligated to provide Maintenance Services pursuant to this Maintenance and Support Program, that are required as a result of any of the following: (i)abuse, misuse,accident or neglect; (ii)repairs,alterations, customization and/or modifications;or(iii) use of materials composed by the Subscriber which may not comply with Wing's requirements; (iv) use of the Platform for other than the intended purpose for which it was licensed; (v)alternations, modifications or integration of the Platform with third party software(for the avoidance of doubt Wing shall provide Maintenance Services the Wing in its 'out of the box' configuration); or (vi) inadequate backups of the Platform by the Subscriber that prevent Wing from reinstalling the Platform before or after the reported problem was solved. 2. Updates and New Versions. 2.1. During the term of the Agreement, Wing shall make available to Subscriber updates to the Platform,consisting of one copy of modifications and improvements to the Platform that Wing determines are required to achieve the specifications established by Wing for the Platform(the "Updates"). For the avoidance of doubt, Updates shall only include such modules of the Platform licensed by Subscriber, under the Agreement. The Updates will be made available to Subscriber at no additional cost. 2.2. Wing shall maintain prior versions of the Platform until the earlier of (i) a period not earlier than 18 months from the release of each new version release;or(ii)termination of this Support and Maintenance Agreement. Upon receipt and installment of Updates, Subscriber may keep one copy of the previous version of the Platform for archival purposes only and shall destroy all other copies of the previous version of the Platform. 3. Service Level Agreement("SLA") 3.1. Wing will support the Subscriber with problems generated directly by and as part of the Platform, as defined in this Maintenance and Support Program, including support for technical or installation problems, implementation and documentation errors. For the purpose of this SLA, the terms technical problems or installation problems shall be defined herein as defects ("Defects"). 3.2. Initiating Support Requests. EXHIBIT B — SERVICE LEVEL AGREEMENT AND SUPPORT SERVICES (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 Support calls shall be initiated by a designated individual nominated by Subscriber (the "Representative") by email to support@wing.security. 3.3. Handling of Support Requests. 3.3.1. The Subscriber Support Team (SST) shall recreate the Defect reported in Wing's labs using the relevant 'out of the box'version of the Platform. 3.3.2. Wing may request the Representatives: 3.3.2.1. To provide additional information (e.g. screen shots, log information etc). 3.3.2.2. To perform troubleshooting activities to enable identification of the source of the reported problem. 3.3.2.3. To install patches or files that are sent by Wing to be executed accurately in accordance with Wing's instructions and the results of such installation will be reported back to the SST. 3.3.2.4. In any case where the Defect was successfully recreated by SST, Wing shall send an appropriate fix in accordance with the timetables set forth herein below. 3.3.2.5. Wing will not support or provide solutions to problems(i)that were not generated directly by or on the Platform, including but not limited to, problems generated by Subscriber's database, network components, operating systems, applications or integration with other systems; or (ii) in a Platform that has be customized or otherwise modified; or (iii) If the Subscriber did not implement any preventive maintenance steps and procedures that will be directed by Wing. 3.4. Priority Levels of Defects. Initial response for Defects will be provided based on the severity of the Defect as follows: Subscriber Support for the Platform covers (i) development and production issues for the Platform and its components, (ii) Informational and implementation questions about the Platform and features; and (iii) troubleshooting operational problems with the Platform. 3.5. Response Times and Availability SST will attempt to respond to cases within these internal time frames.These are targets only, and are not guaranteed.SST does not guarantee resolution times or delivery dates.These times are subject to change depending on the nature of a case and complexity of the reported case. Categorization Criteria Initial Response Status Update Time Level 1/Priority 1 Critical technical issue Within 12 hours 24 Business Critical/Urgent resulting in a total loss of core (All days) hours functionality in the Platform. No workaround is available. Level 2/Priority 2 Major technical issue resulting Within 24 Business 2 Business Day High in severe performance hours EXHIBIT B - SERVICE LEVEL AGREEMENT AND SUPPORT SERVICES (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 problems in the Platform. No workaround is available. Level 3/Priority 3 A minor technical issue where 1 Business Day 1 Business week Normal/Medium/Lo the Subscriber can use the w Platform with only slight inconvenience. 3.5.1. Subscriber acknowledges that not all Level 3 problems will require a workaround. Wing may, in its reasonable discretion, respond to a Level 3 problem by making correction of the error a feature request. 3.5.2. Subscriber shall initiate contact with SST via email during standard business hours and indicate the probable category of the incident. 3.5.3. SST's standard business hours are 9:00 a.m.—9:OOp.m. EST. 3.5.4. Response time is defined as the time between the creation of the case and the first attempt of a Wing support engineer from SST to contact the Subscriber who initiated a case. 3.5.5. Above severities apply to systems in production, errors in non-production systems (test, development, sandbox) will be automatically downgraded one level. 3.5.6. Problems with the installation of the Platform have Priority/Severity "High" at a maximum. 3.5.7. When a Subscriber initiates a case outside standard business hours,then the case will be handled as if it was initiated at 9:00 a.m. the next business day. 3.5.8. A Wing installation in an environment which is not in compliance with Wing's sizing and technical recommendations will be automatically downgraded by one level. 3.5.9. Above response times apply only if e-mail communication is provided via support@wing.security. 3.5.10. If SST determines that an issue is fixed in a released patch, SST may require the Subscriber to apply this patch before commencing troubleshooting. 3.6. Resolved Queries. An issue is considered resolved when (i) the issue is solved; (ii) the source of the issue is determined to lie with a third party;or(iii)Subscriber does not respond to a request from Wing within seven (7) consecutive days after Wing's request. Solution to Defects may include workaround, Platform patch or new Platform version. EXHIBIT B — SERVICE LEVEL AGREEMENT AND SUPPORT SERVICES (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT C NON-DISCLOSURE OF CONFIDENTIAL INFORMATION 1. Scope of Confidentiality Obligation in a Software as a Service Agreement The Parties recognize that in a Software as a Service Agreement, the City is placing its information, including Confidential Information, on the Vendor's hosted software application. In providing this hosted service, the Vendor is not disclosing or providing City with its confidential information such as its source code or other proprietary or intellectual property technology. City therefore cannot modify, reverse engineer or otherwise decompile Vendor's technology and City has committed to not doing so in this Agreement. Thus, this Addendum describes Vendor's obligations with respect to City's confidential information, if any, provided to Vendor. 2. Definition of Confidential Information and Exclusions. (a) "Confidential Information" means non-public information that a party to the Agreement ("Disclosing Party") designates as being confidential to the party that receives such information ("Receiving Party") or which, under the circumstances surrounding disclosure ought to be treated as confidential by the Receiving Party. "Confidential Information" includes non-public information that City designates as being confidential or which, under the circumstances surrounding disclosure, Vendor ought to treat as confidential, including but not limited to information in tangible or intangible form relating to and/or including City data, computer programs, code, algorithms, formulas, processes, inventions, schematics and other technical, business , financial and product development plans, forecasts, strategies and proprietary or intellectual property whether or not it is owned by City and information received from others that City is obligated to treat as confidential. Except as otherwise indicated in this Agreement, the term "Vendor" also includes all its subcontractors and Affiliates. An "Affiliate" means any person, partnership, joint venture, corporation or other form of enterprise, domestic or foreign, including but not limited to subsidiaries, that directly or indirectly, controls, are controlled by, or are under common control with a party. "Confidential Information" also includes non-public information that Vendor designates as being confidential, or which, under the circumstances surrounding disclosure ought to be treated as confidential by the City, including without limitation, information in tangible or intangible form relating to and/or including released or unreleased Vendor software or hardware products, the marketing or promotion of any Vendor product, Vendor's business policies or practices, and information received from Vendor that the City is obligated to treat as confidential. (b) Confidential Information shall not include any information, however designated, that: (i) is or subsequently becomes publicly available without Vendor's breach of any obligation owed City; (ii) became known to Vendor prior to City's disclosure of such information to Vendor pursuant to the terms of this Agreement; (iii) became known to Vendor from a source other than City other than by the breach of an obligation of confidentiality owed to City; (iv) is independently developed by Vendor; or (v) is not confidential as a matter of law. 3. Obligations Regarding Confidential Information (a) Receiving Party shall: (i) Refrain from disclosing any Confidential Information of the Disclosing Party to third-parties for two (2) years following the date that Disclosing Party first EXHIBIT C — NON-DISCLOSURE OF CONFIDENTIAL INFORMATION (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 discloses such Confidential Information to Receiving Party, except as expressly provided in Sections 3(b) and 3(c) below; (ii) Take reasonable security precautions, at least as great as the precautions it takes to protect its own confidential information, but no less than prevailing standard of reasonable care in the Receiving Party's industry, to keep confidential the Confidential Information of the Disclosing Party; (iii) Refrain from disclosing, reproducing, summarizing and/or distributing Confidential Information of the Disclosing Party except in pursuance of Receiving Party's business relationship with Disclosing Party, and only as otherwise provided hereunder; and (iv) Refrain from reverse engineering, decompiling or disassembling any software code and/or pre-release hardware devices disclosed by Disclosing Party to Receiving Party under the terms of the Agreement, except as expressly permitted by applicable law. (b) Receiving Party may disclose Confidential Information of Disclosing Party in accordance with judicial action, federal or state public disclosure requirements, state or federal regulations, or other governmental order or requirement of law, provided that Receiving Party gives the Disclosing Party reasonable notice prior to such disclosure to allow Disclosing Party a reasonable opportunity to seek a protective order or equivalent, at the Disclosing Party's sole cost, effort, and expense. In the event the Disclosing Party elects to obtain a protective order or equivalent, or legally contest and avoid such disclosure, the Receiving Party shall fully cooperate with the Disclosing Party. (c) The Receiving Party may disclose Confidential Information only to Receiving Party's employees and consultants on a need-to-know basis. The undersigned Receiving Party will have executed or shall execute appropriate written agreements with third-parties sufficient to enable Receiving Party to enforce all the provisions of this Agreement. (d) Receiving Party shall notify the undersigned Disclosing Party immediately upon discovery of any unauthorized use or disclosure of Confidential Information or any other breach of the Agreement by Receiving Party and its employees and consultants, and will cooperate with Disclosing Party in every reasonable way to help Disclosing Party regain possession of the Confidential Information and prevent its further unauthorized use or disclosure. Upon discovery of an inadvertent or accidental disclosure, the Receiving Party shall promptly notify the Disclosing Party of such disclosure and shall take all reasonable steps to retrieve the disclosure and prevent further such disclosures. If the foregoing requirements are met, a Receiving Party shall not be liable for inadvertent disclosure. (e) The restrictions herein shall not apply with respect to Confidential Information which: (i) Is or becomes known to the general public without breach of this Agreement; or (ii) Is or has been lawfully disclosed to a Receiving Party by a third-party without an obligation of confidentiality; (iii) Is independently developed by a Party without access to or use of the Confidential Information; or (iv) At the end of the period of confidentiality set forth in the Agreement. (f) All tangible information, including drawings, specifications, and other information submitted hereunder, by the Receiving Party to the other shall remain the property of EXHIBIT C — NON-DISCLOSURE OF CONFIDENTIAL INFORMATION (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 the Disclosing Party. The Receiving Party promptly shall return Confidential Information, including all originals, copies, reproductions and summaries of Confidential Information and all other tangible materials and devices provided to the Receiving Party, and shall cease any further use thereof, upon the first to occur of the following events: (i) written request of the Disclosing Party; (ii) termination of the parties' Agreement; or (iii) completion of the purpose for which the Confidential Information was disclosed. In lieu of the foregoing, the Receiving Party, upon mutual consent, may destroy all copies of the Confidential Information and certify to the Disclosing Party in writing that it has done so. (g) The Receiving Party shall not export, directly or indirectly, any Confidential Information or any products utilizing such data unless it first complies with any applicable laws and regulations pertaining thereto, including, but not limited to, U.S. export laws or traffic in arms regulations. 4. Remedies The parties acknowledge that monetary damages may not be a sufficient remedy for unauthorized disclosure of Confidential Information and that Disclosing Party shall be entitled, without waiving any other rights or remedies, to such injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction. 5. Miscellaneous (a) All Confidential Information is and shall remain the property of Disclosing Party. By disclosing Confidential Information to Receiving Party, Disclosing Party does not grant any express or implied right to Receiving Party to or under any patents, copyrights, trademarks, or trade secret information except as otherwise provided herein. Disclosing Party reserves without prejudice the ability to protect its rights under any such patents, copyrights, trademarks, or trade secrets except as otherwise provided herein. Except as expressly herein provided, no rights, licenses or relationships whatsoever are to be inferred or implied by the furnishing of Confidential Information specified above or pursuant to this Agreement. (b) The terms of confidentiality under this Agreement shall not be construed to limit either the Disclosing Party or the Receiving Party's right to independently develop or acquire products without use of the other party's Confidential Information. Further, the Receiving Party shall be free to use for any purpose the residuals resulting from access to or work with the Confidential Information of the Disclosing Party, provided that the Receiving Party shall not disclose the Confidential Information except as expressly permitted pursuant to the terms of this Agreement. The term "residuals" means information in intangible form, which is retained in memory by persons who have had access to the Confidential Information, including ideas, concepts, know-how or techniques contained therein. The Receiving Party shall not have any obligation to limit or restrict the assignment of such persons or to pay royalties for any work resulting from the use of residuals. However, this sub-paragraph shall not be deemed to grant to the Receiving Party a license under the Disclosing Party's copyrights or patents. EXHIBIT C — NON-DISCLOSURE OF CONFIDENTIAL INFORMATION (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT D INSURANCE REQUIREMENTS Vendor shall procure and maintain for the duration of the contract insurance against claims for security breaches, system failures, injuries to persons, damages to software, or damages to property (including computer equipment) which may arise from or in connection with the performance of the work hereunder by the Vendor, its agents, representatives, or employees. Vendor shall procure and maintain for the duration of the contract insurance against claims arising out of their services and including, but not limited to loss, damage, theft or other misuse of data, infringement of intellectual property, invasion of privacy and breach of data. A. Minimum Scope of Insurance Vendor shall obtain insurance of the types described below: Commercial General Liability insurance shall be written on Insurance Services Office (ISO) occurrence form CG 00 01 and shall cover liability arising from premises, operations, independent consultants, products-completed operations, personal injury and advertising injury, and liability assumed under an insured contract. The Commercial General Liability insurance shall be endorsed to provide the Aggregate Per Project Endorsement ISO form CG 25 03 11 85. The City shall be named as an insured under the Vendor's Commercial General Liability insurance policy with respect to the work performed for the City using ISO additional insured endorsement CG 20 10 11 85 or a substitute endorsement providing equivalent coverage. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit. The Vendor may use Umbrella or Excess Policies to provide the liability limits as required in this Agreement. This form of insurance will be acceptable if all the Primary and Umbrella or Excess Policies shall provide all the insurance coverages herein required. The Umbrella or Excess policies shall be provided on a true "following form" or broader coverage basis, with coverage at least as broad as provided on the underlying Commercial General Liability insurance. Cyber Liability and Professional Liability insurance shall be sufficiently broad to respond to the duties and obligations as is undertaken by Vendor in this agreement and shall include, but not be limited to, claims involving security breach, system failure, data recovery, business interruption, cyber extortion, social engineering in sub-limits of $250,000, infringement of intellectual property, including but not limited to infringement of copyright, trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction of electronic information, release of private information, and alteration of electronic information. The policy shall provide coverage for breach response costs, regulatory fines, and penalties as well as credit monitoring expenses. Workers' Compensation coverage for the employees of Vendor and subcontractors as required by the Industrial Insurance laws of the State of Washington. B. Minimum Amounts of Insurance Vendor shall maintain the following insurance limits: 1. Commercial General Liability insurance shall be written with limits no less than $1,000,000 per occurrence, and a $1,000,000 products-completed operations aggregate limit. EXHIBIT D — INSURANCE REQUIREMENTS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 2. Primary Non-Contributory Additional Insured coverage for the City of Kent, et. a/. 3. Cyber Liability and Professional Liability insurance with limit of $1,000,000 per occurrence or claim, and in the aggregate. If the Vendor maintains broader coverage and/or higher limits than the minimums shown above, the City requires and shall be entitled to the broader coverage and/or the higher limits maintained by the Vendor. Any available insurance proceeds in excess of the specified minimum limits of insurance and coverage shall be available to the City. The above policy limits may be obtained with excess liability (umbrella) insurance. C. Other Insurance Provisions The insurance policies are to contain, or be endorsed to contain, the following provisions: 1. The Vendor's insurance coverage shall be primary insurance with respect to the City. Any insurance, self-insurance, or insurance pool coverage maintained by the City shall be in excess of the Vendor's insurance policies and shall not contribute to the Vendor's insurance policies. 2. Vendor's insurer must deliver, or mail written notice of cancellation to the named insured at least forty-five (45) days before the effective date of the cancellation. The Vendor's insurance policy shall include an endorsement that provides the City with written notice of cancellation forty-five (45) days before the effective date of the cancellation. If Vendor's insurer fails to provide the City with a copy of the notice of cancellation endorsement, the Vendor must notify the City of any cancellation, nonrenewal or termination before the effective date of the cancellation. 3. The City of Kent shall be named as an additional insured on all policies (except Professional Liability) with respect to work performed by or on behalf of the Vendor and a copy of the endorsement naming the City as an additional insured shall be attached to the Certificate of Insurance. The City reserves the right to receive a certified copy of all required insurance policies. The Vendor's Commercial General Liability insurance shall also contain a clause stating that coverage shall apply separately to each insured against whom claims are made or suit is brought, except with respect to the limits of the insurer's liability. D. Acceptability of Insurers Insurance is to be placed with insurers with a current A.M. Best rating of not less than A:VII. E. Verification of Coverage Vendor shall furnish the City with original certificates and a copy of the amendatory endorsements, including but not necessarily limited to the additional insured endorsement, evidencing the insurance requirements of the Vendor before commencement of the work. The City waives no rights, and the Vendor is not excused from performance if Vendor fails to provide the City with a copy of the endorsement naming the City as a Primary Non-Contributory Additional Insured. F. Subcontractors To the extent applicable, Vendor shall include all subcontractors as insureds under its policies or shall furnish separate certificates and endorsements for each subcontractor. All coverage for subcontractors shall be subject to all the same insurance requirements as stated herein for the Vendor. EXHIBIT D — INSURANCE REQUIREMENTS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT E CITY OF KENT NON-DISCRIMINATION POLICY AND FORMS DECLARATION CITY OF KENT NON-DISCRIMINATION POLICY The City of Kent (City) is committed to conform to Federal and State laws regarding equal opportunity. As such all contractors, subcontractors, consultants, vendors, and suppliers who perform work with relation to this Agreement shall comply with the regulations of the City's equal employment opportunity policies. The City of Kent and its contractors are subject to and will comply with the following: • Title VI of the Civil Rights Act of 1964 (42 U.S.C. § 2000d et seq., 78 stat. 252), (prohibits discrimination on the basis of race, color, national origin); • 49 C.F.R. Part 21 (entitled Non-discrimination In Federally-Assisted Programs Of The Department Of Transportation-Effectuation Of Title VI Of The Civil Rights Act Of 1964); • 28 C.F.R. section 50.3 (U.S. Department of Justice Guidelines for Enforcement of Title VI of the Civil Rights Act of 1964). • Ch. 49.60 RCW (Washington Law Against Discrimination) The preceding statutory and regulatory cites hereinafter are referred to as"the Acts and Regulations". The following statements specifically identify the requirements the City deems necessary for any contractor, subcontractor, or supplier on this specific Agreement to adhere to. An affirmation of all of the following is required for this Agreement to be valid and binding. If any contractor, subcontractor, or supplier willfully misrepresents themselves with regard to the directives outlined below, it will be considered a breach of contract and it will be at the City's sole determination regarding suspension or termination for all or part of the Agreement. The statements are as follows: 1. I have read the attached City of Kent administrative policy number 1.2. 2. During the time of this Agreement I will not discriminate in employment on the basis of sex, race, color, national origin, age, or the presence of all sensory, mental or physical disability. 3. During the time of this Agreement I, the prime contractor, will provide a written statement to all new employees and subcontractors indicating commitment as an equal opportunity employer. 4. During the time of the Agreement I, the prime contractor, will actively consider hiring and promotion of women and minorities. 5. During the performance of this contract, the contractor, for itself, its assignees, and successors in interest (hereinafter referred to as the "contractor") agrees as follows: A. Compliance with Regulations: The contractor, subcontractor, consultant, vendor, and supplier (hereinafter "Contractor") will comply with all Acts and the Regulations relative to non-discrimination, including those applicable to Federally-assisted EXHIBIT E — NONDISCRIMINATION PROVISIONS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 programs of the U.S. Department of Transportation, State-assisted programs through the Washington State Department of Transportation, and generally under Washington's Law Against Discrimination, Ch. 49.60 RCW, as they may be amended from time to time, which are herein incorporated by reference and made a part of this contract. B. Non-discrimination: The contractor, with regard to the work performed by it during the contract, will not discriminate on the grounds of race, color, or national origin in the selection and retention of subcontractors, including procurements of materials and leases of equipment. The contractor will not participate directly or indirectly in the discrimination prohibited by the Acts and the Regulations, including employment practices when the contract covers any activity, project, or program set forth in Appendix B of 49 CFR Part 21. C. Solicitations for Subcontracts, Including Procurements of Materials and Equipment: In all solicitations, either by competitive bidding, or negotiation made by the contractor for work to be performed under a subcontract, including procurements of materials, or leases of equipment, each potential subcontractor or supplier will be notified by the contractor of the contractor's obligations under this contract and the Acts and the Regulations relative to non-discrimination on the grounds of race, color, or national origin. D. Information and Reports: The contractor will provide all information and reports required by the Acts and Regulations and directives issued pursuant thereto and will permit access to its books, records, accounts, other sources of information, and its facilities as may be determined applicable to contractor's contract by the City or the Washington State Department of Transportation to be pertinent to ascertain compliance with such Acts and Regulations and instructions. Where any information required of a contractor is in the exclusive possession of another who fails or refuses to furnish the information, the contractor will so certify to the City or the Washington State Department of Transportation, as appropriate, and will set forth what efforts it has made to obtain the information. E. Sanctions for Noncompliance: In the event of a contractor's noncompliance with the non-discrimination provisions of this contract, the City will impose such contract sanctions as it or the Washington State Department of Transportation may determine to be appropriate, including, but not limited to: a. withholding payments to the contractor under the contract until the contractor complies; and/or b. cancelling, terminating, or suspending a contract, in whole or in part. F. Incorporation of Provisions: The contractor will include the provisions of paragraphs (A) through (F) above in every subcontract, including procurements of materials and leases of equipment, unless exempt by the Acts and Regulations and directives issued pursuant thereto. The contractor will take action with respect to any subcontract or procurement as the City or the Washington State Department of Transportation may direct as a means of enforcing such provisions including sanctions for noncompliance. Provided, that if the contractor becomes involved in, or is threatened with litigation by a subcontractor, or supplier because of such direction, the contractor may request the City to enter into any litigation to protect the interests of the City. In addition, the contractor may request the United States to enter into the litigation to protect the interests of the United States. EXHIBIT E — NONDISCRIMINATION PROVISIONS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 6. During the performance of this contract, the contractor, for itself, its assignees, and successors in interest agrees to comply with the following non-discrimination statutes and authorities; including but not limited to: Pertinent Non-Discrimination Authorities: i. Title VI of the Civil Rights Act of 1964 (42 U.S.C. § 2000d et seq., 78 stat. 252), (prohibits discrimination on the basis of race, color, national origin); and 49 CFR Part 21. ii. The Uniform Relocation Assistance and Real Property Acquisition Policies Act of 1970, (42 U.S.C. § 4601), (prohibits unfair treatment of persons displaced or whose property has been acquired because of Federal or Federal-aid programs and projects); iii. Federal-Aid Highway Act of 1973, (23 U.S.C. § 324 et seq.), (prohibits discrimination on the basis of sex); iv. Section 504 of the Rehabilitation Act of 1973, (29 U.S.C. § 794 et seq.), as amended, (prohibits discrimination on the basis of disability); and 49 CFR Part 27; V. The Age Discrimination Act of 1975, as amended, (42 U.S.C. § 6101 et seq.), (prohibits discrimination on the basis of age); vi. Airport and Airway Improvement Act of 1982, (49 USC § 471, Section 47123), as amended, (prohibits discrimination based on race, creed, color, national origin, or sex); vii. The Civil Rights Restoration Act of 1987, (PL 100-209), (Broadened the scope, coverage and applicability of Title VI of the Civil Rights Act of 1964, The Age Discrimination Act of 1975 and Section 504 of the Rehabilitation Act of 1973, by expanding the definition of the terms "programs or activities" to include all of the programs or activities of the Federal-aid recipients, sub-recipients and contractors, whether such programs or activities are Federally funded or not); viii. Titles II and III of the Americans with Disabilities Act, which prohibit discrimination on the basis of disability in the operation of public entities, public and private transportation systems, places of public accommodation, and certain testing entities (42 U.S.C. §§ 12131-12189) as implemented by Department of Transportation regulations at 49 C.F.R. parts 37 and 38; ix. The Federal Aviation Administration's Non-discrimination statute (49 U.S.C. § 47123) (prohibits discrimination on the basis of race, color, national origin, and sex); X. Executive Order 12898, Federal Actions to Address Environmental Justice in Minority Populations and Low-Income Populations, which ensures Non-discrimination against minority populations by discouraging programs, policies, and activities with disproportionately high and adverse human health or environmental effects on minority and low-income populations; xi. Executive Order 13166, Improving Access to Services for Persons with Limited English Proficiency, and resulting agency guidance, national origin discrimination includes discrimination because of Limited English proficiency (LEP). To ensure compliance with Title VI, you must take reasonable steps to ensure that LEP persons have meaningful access to your programs (70 Fed. Reg. at 74087 to 74100); xii. Title IX of the Education Amendments of 1972, as amended, which prohibits you from discriminating because of sex in education programs or activities (20 U.S.C. 1681 et seq). xiii. Washington Law Against Discrimination (Ch. 49.60 RCW) EXHIBIT E — NONDISCRIMINATION PROVISIONS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 7. The submission of the final invoice for this contract will constitute a reaffirmation that the preceding statements were complied with during the course of the contract's performance. By signing below, I agree to fulfill the five requirements referenced above. S By: raw SuR jvmf y ran senderovitz For: Title: coo 1/31/2024 Date: EXHIBIT E — NONDISCRIMINATION PROVISIONS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 CITY OF KENT ADMINISTRATIVE POLICY NUMBER: 1.2 EFFECTIVE DATE: October 20, 2022 SUBJECT: INCLUSIVE CONTRACTING SUPERSEDES: January 1, 1998 APPROVED BY Dana Ralph, Mayor POLICY: Equal employment opportunity and non-discrimination in contracting requirements for the City of Kent will conform to federal and state laws. All contractors, subcontractors, consultants, and suppliers of the City must guarantee equal employment opportunity within their organization and, if holding Agreements with the City amounting to $10,000 or more within any given year, must take the following affirmative steps: 1. Provide a written statement to all new employees and subcontractors indicating commitment as an equal opportunity employer. 2. Actively consider for promotion and advancement available minorities and women. Further, all contractors, subcontractors, consultants, suppliers, grantees, or subgrantees of the City, regardless of the value of the Agreement, are required to sign the City's Non-Discrimination Policy Declaration, prior to commencing performance. Any contractor, subcontractor, consultant or supplier who willfully disregards the City's nondiscrimination and equal opportunity requirements shall be considered in breach of contract and subject to suspension or termination for all or part of the Agreement. Contract Compliance Officers will be appointed by the Directors of Planning, Parks, and Public Works Departments to coordinate with the City's Title VI coordinator, and perform the following duties for their respective departments. 1. Ensuring that contractors, subcontractors, consultants, and suppliers subject to these regulations are familiar with the regulations and the City's equal employment opportunity policy. 2. Monitoring to assure adherence to federal, state and local laws, policies and guidelines. EXHIBIT E — NONDISCRIMINATION PROVISIONS (to Agreement for Platform as a Service) DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT F VENDOR'S PRIVACY POLICY 1. Applicability. 1.1. This privacy policy("PP") explains how Wing Security (the "Company") collects, stores, uses, and shares, etc. Personal Data of user ("User") in connection with the Company's website at https://wing.security (the "Site") and the Platform. For the purpose of this PP "Personal Data" shall mean personal data or personal information, pursuant to the Applicable Data Protection Law (as defined below), or any other applicable data protection laws. 1.2. The PP is an integral part of the Company's terms of services,which govern the use of the Platform ("TOS"),together with the PP, and the website terms of use at https://wing.security("TOU"),the "Terms"). 1.3. This PP is in effect as of the date set forth below. 1.4. User is not under any legal obligation to submit Personal Data to Company. However, in case User chooses not to submit Personal Data to Company, User may not be able to become a User and/or use the Site and/or the (entire) Platform. 1.5. By attempting to use or access,or by using or accessing the Site and/or the Platform, User agrees to be bound by the Terms. If User does not agree with the Terms User must not use or access the Site and the Platform. 1.6. The Company may amend this PP from time to time upon approval by User through an amendment to the parties' Platform Agreement. If Company makes any changes to this PP that materially affect Company's practices with regard to the Personal Data Company previously collected from User, Company will endeavor to provide User with notice in advance of such change by highlighting the change on the Site and/or the Platform. Company will seek User's prior consent to any material changes, if and where this is required by Applicable Data Protection Laws. 1.7. For the purposes of this PP "Applicable Data Protection Laws" means all privacy and data protection laws and regulations that apply to the services provided by the Company within the United States of America and to Customer/User within the State of Washington, which may include the following laws and regulations (without limitation) (i) the General Data Protection Regulation (2016/679), including any subordinate or implementing legislation("EU GDPR"); (ii)EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR); (iii) UK Data Protection Act 2018; (iii) the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. including any subordinate or implementing legislation ("CCPA"); and/or (iv) Protection of Privacy Law 5741-1981 (Israel); (v) Washington Privacy Act (WPA); (vi) and any rules or regulations that amend and/or replace any of the aforementioned Applicable Data Protection Laws. The Company is acting as a processor/service provider, and User is acting as the controller/business, as applicable. 1.8. This PP does not apply to any content processed and/or stored by User when using the Platform. EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 1.9. All capitalized terms used but not defined herein shall have the meaning ascribed to them in the TOS or the TOU. 2. Collection of Personal Data. 2.1. Information provided by User. Company collects any data User provides Company with via the Site and/or the Platform, including but not limited to: 2.1.1. User's contact details (e.g. name, surname email address, phone number); 2.1.2. User's IP address; 2.1.3. User password and other authentication and security credential information; 2.1.4. Any communication between User and the Company, e.g. emails, phone conversations, chat sessions. 2.2. Information collected automatically. Company automatically collects data when User visits, interacts with, or uses the Site and/or the Platform, including but not limited to: 2.2.1. identifiers and information contained in cookies; 2.2.2. User's settings preferences, backup information; 2.2.3. Uniform Resource Locators (URL) clickstream to, through, and from the Site and/or the Platform; 2.2.4. content User viewed or searched for, page response times, and page interaction information (such as scrolling, clicks, and mouse-overs); 2.2.5. network and connection information, such as the Internet protocol (IP) address and information about User's Internet service provider; 2.2.6. computer and device information, such as browser type and version, operating system, or time zone setting; the location of device. 2.3. Information collected by Third parties. 2.3.1. This PP does not apply to any content created, used, processed and/or stored by User when using the Site and/or the Platform. Also, the PP does not apply to any products, services, websites, links or any other content that are offered by third parties. User is advised to check the applicable third party policies. Company has no control over such third parties' privacy practices, or the technology used by such third parties. Each User is EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 advised to thoroughly review such third parties' privacy policies before making any use of such third party's products and services. 2.3.2. Without derogating from the generality of the above, when clicking on certain social media links provided on the Site (e.g.Twitter, Facebook, Linkedln, Instagram) User will be transferred to Company's sites on such social media ("Social Media Sites"). It shall hereby be clarified that such Social Media Sites are governed by the terms of use and privacy policy of the respective social media and not by the Company. 3. Cookies. 3.1. To facilitate and customize the User's experience of the Site and/or the Platform and to track User's use of the Site and/or the Platform Company may utilize cookies and other industry standard technologies.A cookie is a small text file that is stored on a User's computer for record- keeping purposes which contains information about that User. Most browsers automatically accept cookies, but User may be able to modify its browser settings to decline cookies. Please note that if User declines or deletes these cookies, some parts of the Site and/or the Platform may not work properly. 3.2. By clicking on a link to a third-party website or service,a third party may transmit cookies to User. This PP does not cover the use of cookies by any third parties,and the Company is not responsible for such third parties' privacy policies and practices. 3.3. Without derogating from the foregoing, please note that the Company may use analytic tools such as: 3.3.1. Google Analytics. Please click on www.google.com/policies/privacy/partners/ in order to find out how Google Analytics collects and processes data. 3.3.2. Hotjar. The Company may use Hotjar in order to better understand User's needs and to optimize the Site and/or Platform and experience. Hotjar is a technology service that helps the Company to better understand Users' experience (e.g. how much time they spend on which pages,which links they choose to click,what Users do and don't like,etc.) and this enables the Company to build and maintain the Site and/or Platform with User feedback. Hotjar uses cookies and other technologies to collect data on Company's Users' behavior and their devices. This includes a device's IP address (processed during User session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display the Company Site or Platform. Hotjar stores this information on Company's behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on Company's behalf. Please click on https://www.hotjar.com/legal/policies/privacy/ in order to find out more on how Hotjar collects and processes data. 3.3.3. HubSpot Analytics. The Company may use HubSpot Analytics uses cookies and beacons to track how long Users and visitors are on the Site or Platform, what marketing pages EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 they visit, what marketing offers they respond to, and a visitor's identity which enables the Company to improve and provide the Site and Platform. Please click on https://lega1.hubsPot.com/privacy-policy in order to find out more on how HubSpot collects and processes data. 4. The Company's Use of Collected Information. 4.1. The Company processes User's Personal Data to operate, provide, and improve the Site and/or the Platform, including but not limited to: 4.1.1. creating and managing User profiles; 4.1.2. providing the security analysis reports,the Site and the Platform; 4.1.3. contacting User by the Company and communicating with User with respect to the Site and/or the Platform, e.g. by phone call, sms, email, chat; responding to inquiries from User, 4.1.4. providing assistance and support; 4.1.5. fulfilling User requests; meeting contractual or legal obligations; 4.1.6. informing User about updates or offers; 4.1.7. marketing and promoting the Site and/or the Platform; 4.1.8. protecting Users security, e.g. preventing and detecting fraud; 4.1.9. internal purposes, e.g. trouble shooting, data analysis,testing and statistical purposes. 4.2. Except as provided herein,the Company does not use any Personal Data other than as necessary to provide the Site and/or the Platform,without obtaining Users' prior consent. 4.3. The Company may ask for Users' consent to use Users' Personal Data for a specific purpose which will be provided to Users. 4.4. In case User's Personal Data contains third party personal data, User represents and warrants that it has obtained any consent required under the PP to the Company's privacy practices set forth in the PP from such third party. 5. Sharing User's Information. 5.1. In the following cases Company may disclose, without notification, Personal Data, any communications sent or received by each User, and any other information that Company has collected and/or was provided with: 5.1.1. If required to do so by law according to its understanding of such law (including, but not limited to, in cases of court orders or subpoenas); EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 5.1.2. To verify the information obtained by Company; 5.1.3. To prevent or investigate suspected fraud, or any activity that Company believes may be illegal or may expose Company to legal liability; 5.1.4. Events involving potential threats to the physical safety of any person or property if Company believes that User's information in any way relates to that threat; 5.1.5. If Company believes that User's conduct on or in connection with the Site and/or the Platform is inappropriate and inconsistent with generally accepted norms of behavior; 5.1.6. In addition, Company may be required to disclose Personal Data to relevant national, state and local law enforcement authorities, whom may further disclose the Personal Data. 5.1.7. To engage with third-party service providers and/or sub-contractors which provide services for Company's business operations; 5.1.8. To disclose to third parties aggregated or de-identified information about Users for marketing, advertising, research, or other purposes; 5.1.9. In the event that Company, or any of its businesses, are sold or disposed of, whether by merger,sale of assets or otherwise, Personal Data collected hereunder may be one of the assets sold or merged in connection with such transaction. Personal Data collected hereunder may also be disclosed in connection with a commercial transaction where Company or any of its businesses are seeking financing, investment, and support or funding. 5.2. When Company shares User's Personal Data with third parties as specified above, Company requires such recipients to agree to only use the Personal Data Company shares with them in accordance with this PP and Company's contractual specifications and for no other purpose than those determined by Company in line with this PP. 6. Direct Marketing and Advertisement. 6.1. Company may provide Users with direct marketing, as such term is defined in the Israeli Privacy Protection Law, 1981. 6.2. Company may also send Users advertisements, as such term is defined in the Israeli Media Law (Bezeq and Broadcasting), 1982. 6.3. User can opt out of receiving these direct marketing and/or advertisements from the Company at any time by unsubscribing using the unsubscribe link within each communication, or emailing the Company at unsubscribe@wine.security to have User's contact information removed from Company's email list. 7. Security. EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 Company has taken appropriate technical and organizational measures to protect any User Personal Data from loss, misuse, unauthorized access, disclosure, alteration, destruction, and any other form of unauthorized processing. User should be aware, however,that no data security measures can guarantee 100% security. 8. Access to Information. 8.1. Depending on Applicable Data Protection Laws, User may be entitled to request access and/or deletion of User's data held by Company. If applicable in accordance with the relevant Applicable Data Protection Laws, User can send User's request to the Company at privacy@wing.security• Any request to access may be subject to a fee to meet Company's costs in providing such User with details of the data. 8.2. Company will take reasonable steps to verify User's identity before granting User access or making corrections. Also, User's request for access might be subject to a fee to meet Company's costs in providing User with details of User's data held by Company. 9. Retention 9.1. Company will retain Users Personal Data for a period of time consistent with the purpose of collection and in accordance with Applicable Data Protection Law. 9.2. Without derogating from the generality of the foregoing, Company will cease the retention and delete any retained Personal Data of User upon the earlier of(i) any termination or expiration of the Terms between User and Company, or(ii) User's deletion request, as set forth below. 10. Users in the European Economic Area (EEA). 10.1. Legal Basis for Processing of Personal Data Company will only process User's Personal Data if it has one or more of the following legal bases for doing so: 10.1.1. Contractual Necessity: processing of Personal Data is necessary to enter into a contract with User, to perform Company's contractual obligations to User under the TOU, to provide the Platform and/or the Services,to respond to requests from User, or to provide User with customer support; 10.1.2. Legitimate Interest: Company has a legitimate interest to process User's Personal Data; 10.1.3. Legal Obligation: processing of User's Personal Data is necessary to comply with relevant law and legal obligations, including to respond to lawful requests and orders; or 10.1.4. Consent: processing of User's Personal Data with User's consent. 10.2. User's Rights regarding Personal Data EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 10.2.1. Subject to applicable law, User has certain rights with respect to User's Personal Data, including the following: 10.2.2. User may ask whether Company holds Personal Data about User and request copies of such Personal Data and information about how it is processed; 10.2.3. User may request that inaccurate Personal Data is corrected; 10.2.4. User may request the deletion of certain Personal Data; 10.2.5. User may request Company to cease or restrict the processing of Personal Data where the processing is inappropriate; 10.2.5.1. When User consents to processing User's Personal Data for a specified purpose by Company, User may withdraw User's consent at any time, and Company will stop any further processing of User's data for that purpose. 10.2.6. In certain circumstances, Company may not be able to fully comply with User's request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, however, in those circumstances, Company will still respond to notify User of such a decision. 10.2.7. User can exercise User's rights of access, rectification, erasure, restriction, objection, and data portability by contacting Company at privacy@wing.security. In some cases, Company may need User to provide Company with additional information, which may include Personal Data, if necessary to verify User's identity and the nature of User's request. 10.3. Transfer of User's Personal Data outside of the EEA. 10.3.1. Personal Data may be processed outside User's jurisdiction, and in countries that may not provide for the same level of data protection as User's jurisdiction.The Company ensures that the recipient of User's Personal Data offers an adequate level of protection, for example by entering into the appropriate data processing agreements and, if required, standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR). 10.3.2. Company currently stores User data in Company's data centers located in the USA, and User data will remain stored within the USA unless the User expressly agrees otherwise in writing. 10.3.3. Without derogating from the generality of the foregoing,when transferring data from the EEA to Israel, Company relies on the European Commission's decision that Israel offers adequate data protection for transfers from the EEA. 11. Users in California, USA. EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 11.1. Company will at all times comply with all Applicable Data Protection Laws (including the CCPA)to the extent applicable, and only process Personal Data on User's behalf. 11.2. Company will (i) not collect, retain, use, or disclose Personal Data for any purpose other than for the specific purposes set out in the Company terms of use and the Data Processing Agreement or any other agreement, between Company and User; (ii) not sell Personal Data (as defined under the CCPA); and (iii) put in place appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing or accidental destruction, loss or damage. 12. Personal Data of Children.The Site or the Platform are not intended for children. Children under 18 years of age, may use the Site or the Platform only with the involvement of a parent or guardian. 13. Questions Regarding User's Personal Data? If User has any questions about this PP or Company's data practices in general, User may contact Company using the following information: privacy@wing.security. EXHIBIT F—VENDOR'S PRIVACY POLICY DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 EXHIBIT G DATA PROCESSING ADDENDUM 1. Applicability. This Data Processing Addendum ("DPA") shall apply to the parties' agreement to the extent that Wing processes Personal Data(as defined below). 2. Definitions. 2.1. Terms used in this DPA but not defined herein(whether or not capitalized) shall have the meanings assigned to such terms in the Applicable Data Protection Laws. 2.2. "Applicable Data Protection Laws" shall mean, all laws and regulations applicable to Wing's processing of Personal Data within the United States of America and for Client within the State of Washington(with respect to each data subject)including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom and the United States of America, as applicable to the Processing of Personal Data under the Agreement including,as applicable: (i)General Data Protection Regulations(European Parliament and Council of European Union(2016)Regulation(EU)2016/679) (EU GDPR); (ii)EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal)Act 2018 (UK GDPR); (iii)UK Data Protection Act 2018; (iv) California Consumer Privacy Act of 2018(CCPA)and the California Privacy Rights Act of 2020(CPRA);(v)Protection of Privacy Law (Israel); (vi) Washington Privacy Act (WPA); (vii) any rules or regulations that amend and/or replace any of the aforementioned Data Protection Laws. 2.3. "Personal Data" refers to the definition of that term or any other similar term defined under the Applicable Data Protection Laws. 2.4. "Standard Contractual Clauses or SCCs" shall mean: where the EU GDPR applies, the standard contractual clauses pursuant to the EU Commission's Implementing Decision 2021/914 of 4 June 2021 currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/cj ("EU SCCs"); (ii) where the UK GDPR applies, the EU SCCs together with the UK Information Commissioner's Office addendum, under S 119A(1) of the Data Protection Act 2018 ("UK Addendum"); or any other Standard Contractual Clauses which amended and/or replace such Standard Contractual Clauses in accordance with Applicable Data Protection Law. 3. Processing of Personal Data on behalf of Client. Wing acts as a processor/service provider for Client,and performs processing operations on behalf of Client and upon the instructions of Client as a controller/business, as set forth herein, in the parties' Agreement, and any additional agreement entered into between Client and Wing(collectively,the"Terms"),pursuant to which Client may provide Personal Data to Wing("Contracted Business Purpose"). 4. Client Representations. Client sets forth the details, including the purpose, the means and the ways in which Wing shall process Personal Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and Client represents and warrants that: EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 4.1. It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/business,and that the provision of Personal Data to Wing is in strict compliance with Applicable Data Protection Laws; 4.2. It only processes Personal Data that has been collected in accordance with the Applicable Data Protection Laws; 4.3. It has in place procedures in case an individual whose Personal Data is collected,wish to exercise their rights in accordance with the Applicable Data Protection Laws; 4.4. It provides Personal Data to Wing for the Contracted Business Purpose in accordance with the representations Client makes to individuals in Client's privacy policy, and Client does not sell Personal Data to Wing; 4.5. It shall provide to Wing as a processor/service provider, or otherwise have Wing(or anyone on its behalf)process such Personal Data which is explicitly permitted under Applicable Data Protection Laws("Permitted Personal Data"). 4.6. It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which Wing is lawfully processing Personal Data. 5. Wing Obligations. 5.1. Wing carries out the processing of Personal Data on Client's behalf, 5.2. Pursuant to the provisions of Article 28 of the GDPR,to the extent applicable with respect to each data subject,Wing agrees that it will: 5.2.1. process Personal Data solely for the purpose of the provision of the Services as described under the Agreement, on Client's behalf and in compliance with Client's instructions, including instructions in this DPA and all Terms, unless required to do so by EU or applicable Member State law, in which case, Wing shall inform Client prior to any processing; 5.2.2. implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1)of the GDPR; 5.2.3. ensure that access to the processed Personal Data is limited on a need to know/access basis, and that all Wing personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Personal Data; 5.2.4. it shall provide reasonable assistance to Client with any data protection obligations of the Client under Applicable Data Protection Laws including impact assessments or prior consultations with supervising authorities in relation to processing of Personal Data by the EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 processor/service provider,at the written request of the Client,and at Client's sole expense; and 5.3. Pursuant to the CCPA,to the extent applicable with respect to each data subject,Wing agrees that: 5.3.1. Wing is acting solely as a service provider with respect to Personal Data; 5.3.2. Wing shall not retain, use or disclose Personal Data for any purpose other than for the Contracted Business Purpose; 5.3.3. Wing shall not sell Client's Personal Data; 5.3.4. Wing may de-identify or aggregate Personal Data as part of performing the services specified in the Terms; and 5.3.5. Wing will limit personal information collection,use,retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose. 6. Sub-Processing. 6.1. Client authorizes Wing to appoint sub-processors in accordance with the provision of this section 6.Any sub-processor used must qualify as a service provider under the Applicable Data Protection Laws and Wing cannot make any disclosures to the subcontractor that the CCPA would treat as a sale. 6.2. Client acknowledges, agrees and accepts that as of the date of this DPA Wing uses certain sub- processors and may appoint new sub-processors from time to time; a list of the then current sub- processors will be provided upon request. 6.3. Any such Sub-processors to whom Supplier transfers Personal Data will be permitted to obtain Personal Data only to deliver the Services Wing has entrusted them with and will be prohibited from using such Personal Data for any other purpose. Wing remains responsible for any such Sub- processor's compliance with Wing's obligations under the Agreement,including this Addendum. 6.4. Wing will enter into written Agreement with any such Sub-processor which contain obligations no less protective than those contained in this Addendum, including the obligations imposed by the Standard Contractual Clauses, as applicable. 6.5. Wing will inform the Client in advance about all Sub-processors that will Process Personal Data in connection with the performance of the Services and will provide a notice mechanism to inform the Client about changes relating to the Sub-processors. 6.6. Before authorizing any new Sub-processor to process Personal Data in connection with the provision of the Services, Wing will provide the Client with a notice of that update. This notice mechanism represents Wing's duty to inform and request consent from the Client for the use of a new Sub-processor. EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 6.7. If the Client reasonably objects to the processing of Personal Data by one or more Sub processors, then the Client shall notify Wing in writing (via e-mail) within 21 calendar days after receipt of Wing's notice and full information in order to allow the evaluation.In case the Client did not object to the processing of Personal Data by one or more Sub processors within 21 calendar days following Wing's notice, such Sub processors shall be deemed as approved by the Client. 6.8. In the event Client objects to a Sub-processor, Wing will use reasonable efforts to change the affected Services or to recommend another commercially reasonable change to the Client's use of the affected Services to avoid the processing of Personal Data by the Sub processor concerned. If Wing is unable to make available or propose such change within(60)calendar days,the Client may terminate the relevant part of the Agreement regarding those Services which cannot be provided by Wing without the use of the Sub processor concerned. To that end,the Client shall provide written notice of termination. 7. Data Subjects' Rights. 7.1. Client shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws(e.g.,for access,rectification, deletion of processed Personal Data, etc.). Wing shall reasonably endeavor to assist Client insofar as feasible, to fulfil Client's said obligations with respect to such data subject requests, as applicable,at Client's sole expense. 7.2. Wing shall (i) without undue delay and no later than within 3 business days notify Client if it receives a request from a data subject under any Applicable Data Protection Laws in respect of processed personal data; and(ii) not respond to that request, except on the written instructions of Client or as required by Applicable Data Protection Laws, in which case Wing shall,to the extent permitted by Applicable Data Protection Laws, inform Client of that legal requirement before it responds to the request. 8. Personal Data Breach. 8.1. Wing shall notify Client without undue delay and no later than within 24 hours upon Wing becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to Personal Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws"Personal Data Breach"). 8.2. Wing shall provide reasonable co-operation and assistance to Client regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach and shall provide to Client all relevant information related to the breach. 8.3. Wing shall timely comply and provide all notices required of it under Applicable Data Protection laws for any Personal Data Breach that occurs, and shall defend, indemnify, and hold Client harmless from any damages or liability associated with such Personal Data Breach in accordance with the parties' Platform Agreement. 9. Deletion or Return of Processed Personal Data. EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 9.1. Subject to the terms hereof, Wing shall promptly and in any event within up to thirty (30) days (unless a sooner time period is required by Applicable Data Protection Laws) return and then destroy the Personal Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws, in which case Wing shall inform Client of such requirement and store the data in strict confidentiality solely for the period of time required under such applicable law. 9.2. Upon Client's prior written request, Wing shall provide written certification to Client that it has complied with this Section 9. 10. Audit Rights 10.1. Subject to the terms hereof,and not more than once in each calendar year,or pursuant to a personal data breach, Wing shall make available to a reputable auditor mandated by Client in coordination with Wing, at the cost of the Client, upon prior written request, within normal business hours at Wing premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the Client in relation to the processing of the Personal Data by the processor/service provider,provided that such third-party auditor shall be subject to confidentiality obligations. 10.2. Client shall use(and ensure that each of its mandated auditors use)its best efforts to avoid causing (or,if it cannot avoid,to minimize)any damage,or injury to the Wing's premises,equipment,while its personnel are on those premises in the course of such an audit or inspection. 11. International Data Transfers 11.1. To the extent that Wing transfers Personal Data to countries outside of the European Economic Area and/or outside of the United Kingdom(UK),which do not provide an adequate level of data protection,as determined by the European Commission pursuant to Article 45 of GDPR, or by the Secretary of State, pursuant to Section 17A of the United Kingdom Data Protection Act 2018, respectively, or other adequate authority as determined by the EU or the UK ("Adequacy Decisions"),and to the extent applicable with respect to each data subject, such transfer of Client's Personal Data shall be subject to: (i)Adequacy Decisions; (ii) exemptions under Article 49 of the GDPR;or(iii)the Standard Contractual Clauses,as incorporated into this DPA by reference,which shall be implemented as follows: 11.1.1. In the case of transfer of Personal Data between Client to Wing,the parties shall implement Module II — "Controller to Processor", of the Standard Contractual Clauses, with modifications detailed under Appendix 13,in which case Wing shall be deemed as a "Data Importer"and Client shall be deemed as a"Data Exporter". 11.1.2. In the case of transfer of Personal Data between Wing and its Sub-Processor for the purposes of carrying out specific Processing activities (on behalf of Client) the Partis will enter into Module III("Processor-to-Processor")of the Standard Contractual Clauses. For the purpose of such engagement,Wing shall be deemed as the Data Exporter and the Sub- Processor shall be deemed as the Data Importer; all other Modules are not applicable EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 11.1.3. If the applicable Data Exporter, under Section 11.1.1 or 11.1.2, is transferring Personal Data governed by the UK GDPR, the parties will negotiate in good faith and make the required amendments in accordance with the instruction of UK's Information Commissioner's Office ("ICO"), as available at: https://ico.org.uk/mediafor- organisations/documents/4019539/international-data-transfer-addendum.pdf, or as amended and/or replaced by the ICO. 11.2. Appendixes A,B and C attached to this DPA shall also apply in connection with the processing of Personal Data, subject to Applicable Data Protection Law. 11.3. Wing reserves the right to adopt an alternative compliance standard to the SCCs Clauses for the lawful transfer of Personal Data, provided it is recognized under Data Protection Law. Wing will provide 30 days' advance notice of its adoption of an alternative compliance standard. 12. General Terms. 12.1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the governing law provisions set forth in the parties' Agreement. 12.2. Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties,including agreements entered into after the date of this DPA,the provisions of this DPA shall prevail. 12.3. Changes in Applicable Data Protection Laws. Client may by at least forty-five(45)calendar days' prior written notice to processor/service provider, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of Personal Data. If Client provides its modification request, Wing shall make commercially reasonable efforts to accommodate such modification request,and Client shall not unreasonably withhold or delay agreement to any consequential changes to this DPA. 12.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be(i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or,if this is not possible,(ii)construed in a manner as if the invalid or unenforceable part had never been contained therein. Appendix A (not applicable to Platform Agreement between Client and Wing) 1. The Parties Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union] Name: Address: Contact person's name,position and contact details: EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 Activities relevant to the data transferred under these Clauses: Role(controller/processor): Controller Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection] Name:Wing Security Inc. Address: Contact person's name,position and contact details: Activities relevant to the data transferred under these Clauses: Role(controller/processor):Processor 2. Details of Processing of Processed Personal Data (As required by Article 28(3)of the GDPR) a) The subject matter and duration of the processing of processed personal data are set forth in the Terms. b) The nature and purpose of the processing of personal data is rendering services, as detailed and defined in the Terms. c) The types of processed personal data to be processed are as detailed in the parties' Agreement,may include employee first and last name, IP address,employee work email address, employee company role. d) The categories of data subjects to whom the processed personal data relates to are as follows: Client end users and employees. e) The obligations and rights of Client are as set forth in the Terms,herein and in the GDPR. f) Wing's sub-processors engaged for the purpose of processing personal data: AWS,USA. Appendix B EU Standard Contractual Clauses(Module 2: Controller-to-Processor) (not applicable to Platform Agreement between Client and Wing) The Parties agree that for the purpose of transfer of Personal Data between Wing (Data Importer) and the Client (Data Exporter),the following shall apply: I. Clause 7 of the Standard Contractual Clauses shall not be applicable. II. In Clause 9,option 2 shall apply.The Data Importer shall inform the Data Exporter of any intended changes to the list of Sub-Processor at least thirty (30) days prior to the engagement of the Sub-Processor. A list of the Sub-Processors shall be updated accordingly and sent to Client upon request. EXHIBIT G — DATA PROCESSING ADDENDUM DocuSign Envelope ID: 9D16FD14-8521-4E1C-9966-A5DE8091BEF9 111. In Clause 11, Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body. IV. In Clause 17,option 1 shall apply.The Parties agree that the clauses shall be governed by the law of Ireland. V. In Clause 18(b)the Parties choose the courts of Dublin, Ireland as their choice of forum and jurisdiction. Appendix C Wing provides the technical and organizational security measures required under Applicable Data Protection Laws, as defined in the DPA, for the security of the Personal Data it processes as set forth in the parties' Agreement. EXHIBIT G — DATA PROCESSING ADDENDUM 0 cfc INSURANCECERTIFICATE OF IMPORTANT:This Certificate is issued as a matter of information only and confers no rights upon the holder. It does not amend, extend or alter the coverage afforded by the Policy and it does not constitute a contract of insurance. Should the Policy be cancelled before the expiry date stated below, notice will be delivered in accordance with the Policy provisions. POLICY NUMBER: ESM0339860387 THE INSURED: Wing Security Ltd THE INCEPTION DATE: 00:01 Local Standard Time on 12 Jan 2024 THE EXPIRY DATE: 00:01 Local Standard Time on 12 Jan 202S TECHNOLOGY SERVICES: SaaS security software THE UNDERWRITERS: Underwritten by certain underwriters at Lloyd's RETROACTIVE DATE: Professional Liability: 12 Jan 2021 LEGAL ACTION: Worldwide TERRITORIAL SCOPE: Worldwide Authorised Signatory YLZ-\-- CFC Underwriting Ltd DATE:16 Jan 2024 PLEASE REFER TO YOUR POLICY DOCUMENT FOR FULL TERMS AND CONDITIONS r cfc INSURING CLAUSE 1: PROFESSIONAL LIABILITY ALL SECTIONS COMBINED Aggregate limit of liability: USD1,000,000 in the aggregate SECTION A: PRODUCTS AND SERVICES LIABILITY Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION B: BREACH OF CONTRACT Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION C: SUB-CONTRACTOR VICARIOUS LIABILITY Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION D: INTELLECTUAL PROPERTY RIGHTS INFRINGEMENTAND DEFAMATION Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION E: REGULATORY COSTS AND FINES Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION F: DISHONESTY OF EMPLOYEES Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION G: PAYMENT OF WITHHELD FEES Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses Unique Market Reference No.B087523C91\15051 ©2019 CFC Underwriting Ltd,All Rights Reserved 1 cfc INSURING CLAUSE 2: NETWORK SECURITY& PRIVACY LIABILITY ALL SECTIONS COMBINED Aggregate limit of liability: USD1,000,000 in the aggregate SECTION A: NETWORK SECURITY LIABILITY Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION B: PRIVACY LIABILITY Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION C: MANAGEMENT LIABILITY Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION D: REGULATORY INVESTIGATION COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION E: PCI FINES, PENALTIES AND ASSESSMENTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses INSURING CLAUSE 3: CYBER INCIDENT RESPONSE ALL SECTIONS COMBINED Aggregate limit of liability: USD1,000,000 in the aggregate SECTION A: INCIDENT RESPONSE COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USDO each and every claim, including costs and expenses Unique Market Reference No.B087523C91\15051 ©2019 CFC Underwriting Ltd,All Rights Reserved r cfc SECTION B: LEGAL AND REGULATORY COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION C: IT SECURITY AND FORENSIC COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim SECTION D: CRISIS COMMUNICATION COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim SECTION E: PRIVACY BREACH MANAGEMENT COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION F:THIRD PARTY PRIVACY BREACH MANAGEMENT COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION G: POST BREACH REMEDIATION COSTS Limit of liability: USD50,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses INSURING CLAUSE 4: CYBER CRIME SECTION A: ELECTRONIC TH EFT OF YOUR FINANCIAL ASSETS Limit of liability: USD250,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim SECTION B: ELECTRONIC THEFT OF THIRD PARTY FUNDS HELD IN ESCROW Limit of liability: USD250,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim Unique Market Reference No.B087523C91\15051 ©2019 CFC Underwriting Ltd,All Rights Reserved r cfc SECTION C:THEFT OF PERSONAL FINANCIAL ASSETS Limit of liability: USD250,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION D: EXTORTION Aggregate limit of liability: USD1,000,000 in the aggregate, costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION E:TELEPHONE HACKING Limit of liability: USD250,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION F: PUSH PAYMENT FRAUD Limit of liability: USD50,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION G: UNAUTHORISED USE OF COMPUTER RESOURCES Limit of liability: USD250,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses INSURING CLAUSE 5: SYSTEM DAMAGE AND BUSINESS INTERRUPTION ALLSECTIONS COMBINED Aggregate limit of liability: USD1,000,000 in the aggregate SECTION A:SYSTEM DAMAGE AND RECTIFICATION COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION B: DIRECT LOSS OF PROFITS AND INCREASED COST OF WORKING Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses Unique Market Reference No.B087523C91\15051 ©2019 CFC Underwriting Ltd,All Rights Reserved r cfc SECTION C:ADDITIONAL INCREASED COST OF WORKING Limit of liability: USD50,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim SECTION D: DEPENDENT BUSINESS INTERRUPTION Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses SECTION E:CONSEQUENTIAL REPUTATIONAL HARM Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim SECTION F:CLAIM PREPARATION COSTS Limit of liability: USD25,000 each and every claim,costs and expenses in addition Deductible: USDO each and every claim SECTION G: HARDWARE REPLACEMENT COSTS Limit of liability: USD1,000,000 each and every claim,costs and expenses in addition Deductible: USD5,000 each and every claim, including costs and expenses INSURING CLAUSE 6: COMMERCIAL GENERAL LIABILITY NO COVER GIVEN INSURING CLAUSE 7: LOSS MITIGATION Limit of liability: USD1,000,000 each and every claim Deductible: USD5,000 each and every claim INSURING CLAUSE 8: REPUTATION AND BRAND PROTECTION Aggregate limit of liability: USD100,000 in the aggregate Deductible: USDO each and every claim Unique Market Reference No.B087523C91\15051 ©2019 CFC Underwriting Ltd,All Rights Reserved V cfc INSURING CLAUSE 9: COURTATTENDANCE COSTS Aggregate limit of liability: USD100,000 in the aggregate Deductible: USDO each and every claim Unique Market Reference No.B087523C91\15051 ©2019 CFC Underwriting Ltd,All Rights Reserved