IT18-302 - Amendment - SHI International Corporation - HoxHunt SaaS End User License Agreement - 9/1/24

KENT, WASHINGTON
Agreement Routing Form
For Approvals, Signatures and Records Management
This form combines & replaces the Request for Mayor's Signature and Contract Cover Sheet forms.

FOR CITY OF KENT OFFICIAL USE ONLY
Sup/Mgr:
Dir Asst:
Dir/Dep:
(optional)

Originator: Lynnette Smith
Department: IT
Date Sent: 08/30/2024
Date Required: 09/06/2024
Director or Designee to Sign.
Date of Council Approval: 07/03/2018
Budget Account Number:
Grant?: Yes / No
Multiple Budget?: Yes / No
Type: N/A
Vendor Name: SHI International Corp
Category: Contract
Vendor Number: 1629084
Sub-Category: Other
Project Name: HoxHunt SaaS End User License Agreement
Project Details: Initial Two-Year SaaS End User License Agreement of HoxHunt Security Awareness Training (replaces KnowBe4 platform for Security Awareness Training for end users), under Director's signature per Council approval on 07/03/2018. Purchase under Council approved Omnia cooperative agreement # 2018011-02, which expires 09/28/2025.
Agreement Amount: N/A
Basis for Selection of Contractor: Cooperative Purchase
*Memo to Mayor must be attached
Start Date: 09/01/2024
Termination Date: 08/31/2026
Local Business?: Yes / No* If meets requirements per KCC3.70.700, please complete "Vendor Purchase-Local Exceptions" form on Cityspace.
Business License Verification: Yes / In-Process / Exempt (KCC 5.01.045)
Notice required prior to disclosure?: Yes / No
Contract Number: IT18-302
Comments:
<<signature on attached EULA p. 02/15>>
Mike Carrington, IT Director
Date: <<date on attached EULA p. 02/15>>
Date Routed to the City Clerk's Office:
Interlocal Agreement has been uploaded to website:
Visit Documents.KentWA.gov to obtain copies of all agreements
rev. 20210513

Hoxhunt SaaS End User License Agreement

This Hoxhunt SaaS End User License Agreement ("Agreement") is entered into by Hoxhunt Inc., a Delaware corporation with offices at 3601 Minnesota Drive, Suite 435, Minneapolis, MN 55435, US ("Service Provider"), and the customer using the Services provided through the Reseller ("Customer"), each a "Party" and together the "Parties", as of the date the Agreement is signed by both Parties ("Effective Date"). A separate agreement regarding the sale and purchase of the Services is entered into by the Reseller and the Customer ("Main Agreement"). THIS AGREEMENT CONTAINS, among other things, warranty disclaimers, liability limitations and use limitations. The Agreement comprises this signature page, Hoxhunt General Terms of Service, Hoxhunt Specification, Hoxhunt Service Level Agreement as well as Hoxhunt Data Processing Agreement attached hereto and made a part hereof.

Contact Information
Customer: City of Kent
Contact: James Endicott
Address: 220 Fourth Ave South, Kent, WA 98032
Employer identification number (EIN): 916001254
Service Provider: Hoxhunt Inc.
Contact: Molly Miesen
Contact for topics related to this Agreement: Hoxhunt Legal legal@hoxhunt.com

Service Term (including Trial Period, if applicable), Service Capacity and Service Fees shall be specified in the Main Agreement and in the Purchase Order Form.

IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement as of the Effective Date.

Hoxhunt Inc.
By: [signature]
Name: Michael Carlson
Title: CRO
Date: 8/29/2024 | 21:54:27 EEDT

City of Kent
By: [signature]
Name: Mike Carrington
Title: IT Director
Date: 09/03/2024

Hoxhunt SaaS End User License Agreement template version 2024-04-29

Hoxhunt General Terms of Service ("General Terms")

1. Definitions The following terms have the meanings set forth below: 1.1 "Additional Users" means User subscriptions in excess of the number of Users included in the fixed yearly Service Fees; 1.2 "Affiliate" means any legal entity that: (a) directly or indirectly owns or controls a Party; (b) is under the same direct or indirect ownership or control as a Party; or (c) is directly or indirectly controlled by a Party, in each case where "control" means ownership of more than fifty percent (50%) of the outstanding shares or securities representing the right to vote for the election of directors or other managing authority of such entity; 1.3 "Confidential Information" means all non-public information disclosed by one Party to the other Party in any form or medium, whether written, oral or electronic, that is marked as confidential or that the receiving Party should reasonably understand is confidential from the circumstances of disclosure or the nature of the information, provided that the terms of the DPA shall always prevail over these General Terms in respect of the processing of Personal Data. 
Confidential Information includes, but is not limited to, the terms of any agreement, including this Agreement, and the discussions, negotiations and proposals related thereto, and information concerning a Party's products and services, business and operations including, but not limited to, information relating to business plans, financial records, customers, suppliers, vendors, products, product samples, costs, sources, strategies, inventions, procedures, sales aids or literature, technical advice or knowledge, contractual agreements, pricing, product specifications, trade secrets, procedures, distribution methods, inventories, marketing strategies and interests, algorithms, data, designs, drawings, work sheets, blueprints, concepts, samples, inventions, manufacturing processes, computer programs and systems and know-how or other Intellectual Property Rights of a Party and its Affiliates, and the Service Provider Properties; 1.4 "Customer Data" means all data and information collected, processed, stored or generated as a result of Customer's or its Users' use of the Service Provider's provision of the Services; 1.5 "Documentation" means the then-current technical and non-technical specifications for the Services contained in the user system, specification, support and configuration documentation made generally available by the Service Provider to its customers or otherwise provided to the Customer, including, without limitation, the Specification attached hereto; 1.6 "Environment of Use" means all hardware and software devices and infrastructures situated downstream from the demarcation point of the Service Provider's network and which are used by the Customer to facilitate use of the Services; 1.7 "Feedback" means all comments, feedback, development ideas, inventions or other opinions provided by the Customer or Users to the Service Provider; 1.8 "Intellectual Property Rights" means any and all intellectual property rights, such as patents, inventions, rights in 
designs, rights in know-how, trademarks, database rights, trade secrets, domain names, techniques, methods and copyrights (including without limitation right to amend and further develop as well assign one's rights), in each case whether registered or not, whether registrable or not, and including applications for grant of any of the foregoing and all rights or forms of protection having equivalent or similar effect to any of the foregoing which may now or at any time hereafter exist anywhere in the world; 1.9 "Internal Business Purposes" means use of the Services in the course of the Customer's typical business operations solely for the purposes of conditioning the Customer's Users to identify and report social engineering-based threats; 1.10 "Purchase Order Form" means the Service Provider's purchase order form or any other agreement or document, in which the Service Provider and the Reseller agree in writing on provision of Services to the Customer; 1.11 "Reseller" means the third-party reseller agreed in each case who shall resell the Services to the Customer; 1.12 "Services" means the information, documents, products and services the Service Provider provides to the Customer under this Agreement; 1.13 "Service Capacity" means the maximum number of Users from time to time entitled to use the Services; 1.14 "Service Fees" means any fees payable by the Customer or otherwise due to the Reseller; 1.15 "Service Term" means the twelve (12)-month period of time (unless otherwise agreed on the Purchase Order Form) during which the Service Provider provides the Services to the Customer, renewing automatically (unless otherwise agreed on the Purchase Order Form) or terminated by either Party in accordance with the Clause 9 of the General Terms; 1.16 "Trial Period" means the first sixty (60) days of the initial Service Term (unless otherwise agreed in the Purchase Order Form and in the Main Agreement); and 1.17 "Users" means those certain employees, agents, and 
contractors of the Customer and its Affiliates who are authorized by the Customer to use the Services in accordance with this Agreement. 2. Rights and Restrictions 2.1 Of the Customer — 2.1.1 Subject to the ongoing compliance with this Agreement by the Customer and its Users, in consideration for the Service Fees paid to the Reseller, the Service Provider grants to the Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Services during the Service Term within the territory, scope and limitations as set forth herein and in the applicable Purchase Order Form, solely for the Customer's Internal Business Purposes and in accordance with the Documentation and this Agreement. The Service Provider and its licensors reserve all rights not expressly granted in this Agreement. 2.1.2 Users may access the Services on a "one-User-per-subscription" basis. Subscriptions cannot be used by more than one (1) User at any one time. The Customer shall have sole liability and responsibility for the acts and omissions of Users, including, without limitation, Users' compliance with this Agreement and the Documentation. 2.1.3 The Customer shall not sell, rent out, lend, transfer, or otherwise make available the right of use of the Services to third parties (other than independent contractors of the Customer who are authorized Users) without express prior written consent from the Service Provider. The Customer shall not copy, save, reproduce, transfer, distribute, sell, disclose, or otherwise make public the contents of the Services or any part thereof. 2.1.4 The Customer shall not interfere with, limit, or prevent the activities of the other customers of the Service Provider or the use of the Services with its own activities, for example by load testing the Services. 
2.1.5 The Customer shall not repair, open, disassemble, decompile, reverse engineer or otherwise modify any software provided by the Service Provider as part of the Services. 2.1.6 Interoperating Features — When the Customer elects to use features of the Services which interoperate with third party software, products or services ("Interoperating Features") , the Customer warrants and represents that its Users with administrator rights have the authority to act on the Customer's behalf with regards to enabling and disabling any Interoperating Features. If the Customer enables an Interoperating Feature, it gives express consent to the Service Provider to transfer data, including the Customer Data (which may include Personal Data) , to the third party provider(s) of the Interoperating Features unless and until the Interoperating Feature is disabled. The Service Provider reserves the right to disable any Interoperating Features due to, inter alia, violation of applicable laws or third party rights. Use by the Customer of third party software shall be pursuant to agreement solely between the Customer and such third party. The Customer is solely responsible for compliance with any terms of use of the third party software, products or services. The Service Provider disclaims all liability for third party software, products or services, including with regards to the security and privacy of the Customer Data. The Service Provider disclaims any endorsement or association with third party software, products or services unless expressly indicated. The Service Provider may modify the availability of the Interoperating Features from time to time. 
2.1.7 AI Features — When the Customer elects to use features of the Services which allow the Customer to utilize artificial intelligence, machine learning, or similar technologies through the Services in connection with the Customer Data (including Personal Data) ("AI Features"), the Customer warrants and represents that its Users with administrator rights have the authority to act on the Customer's behalf with regards to enabling and disabling any AI Features. The Customer or its Users may provide input, including the Customer Data, for use with the AI Features ("AI Input") and receive output generated and returned by the AI Features based on the AI Input ("AI Output"). The Customer acknowledges that other customers of the Service Provider providing similar AI Input may receive the same or similar AI Output. The Customer is solely responsible for reviewing and validating the AI Output for its needs before electing to use such AI Output. The Customer shall comply with any AI Features restrictions in accordance with the Service Provider's written instructions. The Service Provider does not represent or warrant that the AI Output will be accurate, complete, error-free, or fit for a particular purpose. The Service Provider may modify the availability of the AI Features from time to time. 2.2 Of Service Provider — 2.2.1 The Service Provider has the right to develop and change the Services, its availability and the system requirements for the equipment needed to use the Services, provided that there is no material degradation to the Services. 2.2.2 The Service Provider has the right to prevent or limit the access of the Customer or certain Users to the Services if the Service Provider has reasonable grounds to suspect that the Services are being used in breach of this Agreement. 
The Service Provider exercising its right under this Clause 2.2.2 shall in no event be deemed a waiver of any other provision or prejudice any other rights of the Service Provider under this Agreement. 2.2.3 The Service Provider purchases, registers, and maintains lookalike domain(s) to be used for the provision of the Services. For example, for the Service Provider's own internal phishing training purposes the Service Provider has registered a lookalike domain hoaxhunt.com. The Customer hereby consents to such registration and use by the Service Provider during the Service Term. Upon the expiration or termination of this Agreement, the Service Provider will use commercially reasonable efforts to transfer the relevant lookalike domains to a designated recipient after receiving written instructions from the Customer without delay. 2.2.4 The Service Provider shall deploy appropriate industry-standard technical and organizational measures which protect the server and operational environment used to provide the Services against accidental, unauthorized, or unlawful access, disclosure, damage, alteration, loss, or destruction. The Customer acknowledges and agrees that the Service Provider shall have the right at its sole discretion to use subcontractors, such as information technology service providers, for data processing of the Customer Data. 3. Customer Responsibilities and Obligations 3.1 The Customer is solely responsible at its own cost for: (i) acquiring and maintaining its Environment of Use; (ii) the protection of its Environment of Use; and (iii) data communication costs. 3.2 The Customer is required to fulfill any reasonable responsibilities which may be designated by the Service Provider in order to facilitate launch of the Services. 
The reasonable responsibilities of the Customer can include among other things: providing access to relevant systems to the Service Provider, whitelisting of IP addresses from which simulation threats are sent, enabling the Service Provider plugin, and provision of User data. Delays to the launch of the Services flowing from Customer's failure to fulfil its reasonable responsibilities shall not excuse the Customer from payment of Service Fees nor incur any liability on behalf of the Service Provider. 3.3 The Customer shall obtain any necessary licenses, consents, rights of use, and permissions necessary for the Service Provider to perform its obligations under this Agreement, for example a valid license for an email application into which to integrate the Service Provider plugin. 3.4 The Parties shall use best efforts to launch the Services on the date specified on the Purchase Order Form, however the Parties may vary the start date of the Service Term on written agreement. In such case the end date shall also be adjusted accordingly. 3.5 The Customer is liable for any use of the Services that has taken place using the usernames and passwords of the Users. Usernames and passwords are personal and may only be used by the appointed User. The Customer shall immediately inform the Service Provider of any third parties gaining knowledge of a username or password, or of any suspected misuse of a username or password. 4. Intellectual Property Rights 4.1 The Service Provider Properties — All right, title and interest, including all worldwide Intellectual Property Rights, in and to the Service Provider Properties are and shall remain the exclusive property of the Service Provider or its licensors and are protected by U.S., EU and other applicable national and international laws. 
For purposes of this Agreement, "Service Provider Properties" means the Services, the Documentation, and any documentation, materials, methodologies, processes, techniques, ideas, concepts, trade secrets or know-how embodied therein or that the Service Provider may develop and supply in connection with the Services or the Documentation, including all copies, portions, extracts, selections, arrangements, compilations, adaptations, modifications and improvements thereof, and all derivative works of any of the foregoing. This is not an assignment or "work for hire" agreement, and nothing in this Agreement grants to the Customer any ownership or use rights with respect to the Service Provider Properties except for the access and use rights expressly granted in this Agreement. The Customer shall not take any actions to claim or assert ownership of any Service Provider Properties or seek to register Intellectual Property Rights in or to any Service Provider Properties. 4.2 Customer Data — As between the Service Provider and the Customer, all right, title and interest in the Customer Data and all Intellectual Property Rights therein, are and shall remain the exclusive property of the Customer. The Customer hereby grants to the Service Provider the non-exclusive, royalty-free, worldwide, freely transferable right and license to use the Customer Data and perform all acts with respect to the Customer Data: (i) as may be necessary for the Service Provider to provide and develop the Services; and (ii) as otherwise authorized by the Customer in writing. The Service Provider shall have the right to monitor and collect data from the Customer's and its Users' use of the Services for license compliance and to prevent fraud and illegal activity. 
4.3 Feedback — By providing Feedback to the Service Provider, the Customer shall assign and hereby assigns all rights in and to the Feedback to the Service Provider and agrees that the Service Provider, at its sole discretion, shall have the right to freely utilize the Feedback as it deems fit as well as to develop, patent, license, distribute, sell future versions of products and services that utilize such Feedback, in whole or in part. The Service Provider is not obliged to pay any compensation to the Customer for any use of Feedback. For the sake of clarity, the Customer has no obligation to give Feedback and the Service Provider has no obligation to use it or take it into account. 5. Payment of Service Fees 5.1 Service Fees — The Customer shall pay the Service Fees as agreed between the Customer and the Reseller to the Reseller in accordance with such agreement. 6. Confidentiality and Non-disclosure 6.1 Mutual Confidentiality Obligations — The Parties agree to keep all Confidential Information confidential and only to use the Confidential Information for purposes of fulfilling the business affairs and transactions between the Parties contemplated by this Agreement. The Parties have the right to (i) copy Confidential Information only to the extent required in furtherance of its performance under this Agreement; (ii) deliver or disclose Confidential Information only to those Affiliates and employees who require access to the Confidential Information in order to fulfill the business affairs and transactions between the Parties contemplated by this Agreement; and (iii) deliver or disclose Confidential Information to the advisers of the Party, providing that the advisers are bound by confidentiality obligation equivalent to the confidentiality obligation defined in this Clause 6. 
Each Party shall only use the Confidential Information in furtherance of its performance of its obligations under this Agreement or by the Service Provider to improve the Services, and each Party agrees not to use the other Party's Confidential Information for any other purpose or for the benefit of any third party. 6.2 Exceptions — However, material or information that is (i) commonly available or otherwise public without the receiving Party having broken confidentiality obligations, or (ii) which the Party has legally obtained from a third party without a confidentiality obligation; or (iii) which was in the possession of the receiving Party prior to receiving it from the other Party; or (iv) which the Party has independently developed without utilizing any material or information received from the other Party as established by competent documentary evidence; or (v) which the Party is obligated to disclose due to laws, regulations, or orders from either authorities or courts, is not considered Confidential Information. 6.3 Return of Confidential Information — Upon expiration or termination of this Agreement, or at any time upon the written request of the disclosing Party, the receiving Party shall immediately cease using the disclosing Party's Confidential Information and return, or at the election of the disclosing Party, destroy, the Confidential Information, together with all copies thereof. Notwithstanding the foregoing, both Parties have the right to keep the copies required by law or as ordered by the authorities. 6.4 Survival — The rights and obligations under this Clause 6 shall survive the termination or expiration of this Agreement, however arising, and shall remain in force for a period of five (5) years from the date of disclosure of the Confidential Information. 7. 
Warranty Disclaimer and Limitation of Liability 7.1 Disclaimer of Warranties — EXCEPT AS SET FORTH IN THIS AGREEMENT, THE SERVICE PROVIDER MAKES NO REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. THE SERVICE PROVIDER IS NOT RESPONSIBLE FOR THE IMPACT ON THE ACCURACY, RELIABILITY, AVAILABILITY OR TIMELINESS OF RESULTS OF FACTORS OUTSIDE ITS REASONABLE CONTROL, INCLUDING THE CUSTOMER'S NETWORK ISSUES, VERSIONS OF THE CUSTOMER'S APPLICATIONS, CORRUPTED, INCOMPLETE OR INTERRUPTED DATA RECEIVED FROM THE CUSTOMER OR OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. THE SERVICE PROVIDER IS NOT LIABLE FOR ANY DAMAGE THAT THE CUSTOMER MAY SUFFER BECAUSE OF A VIRUS, TROJAN, OR ANY MALICIOUS SOFTWARE, A SECURITY BREACH, A FAILURE OR DISRUPTION IN THE GENERAL COMMUNICATIONS NETWORK, OR SOME OTHER SIMILAR REASON. THE SERVICE PROVIDER IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGES RESULTING FROM SUCH PROBLEMS. 7.2 Limitation of Liability — THE SERVICE PROVIDER SHALL HAVE NO LIABILITY, WHETHER IN TORT (INCLUDING IN NEGLIGENCE) , CONTRACT OR OTHERWISE, FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; LOSS OF PROFIT, BUSINESS, GOODWILL, REVENUE OR SAVINGS; DAMAGES PAYABLE TO THIRD PARTIES; LOSS OR ALTERATION OF DATA OR EXPENSES CAUSED THEREFROM; OR COST OF COVER PURCHASE ARISING UNDER OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
IN NO EVENT SHALL THE SERVICE PROVIDER'S AGGREGATE LIABILITY (INCLUDING BUT NOT LIMITED TO PRICE REFUNDS OR REDUCTIONS) TO THE CUSTOMER ARISING OUT OF OR RELATED TO THIS AGREEMENT, FOR ANY CLAIM, CAUSE OF ACTION, EVENT, ACT, OMISSION OR FAILURE OCCURRING OR ARISING DURING ANY TWELVE (12) MONTH PERIOD EXCEED THE AMOUNT OF THE NET PRICES PAID BY THE CUSTOMER TO THE RESELLER FOR THE SERVICES DURING THE SAID PERIOD UNDER THIS AGREEMENT. THE LIMITATIONS OF LIABILITY SHALL NOT APPLY TO: DAMAGES CAUSED BY GROSS NEGLIGENCE OR INTENTIONAL ACT, OR DEATH OR PERSONAL INJURY DUE TO NEGLIGENCE, OR BREACH OF CLAUSE 6 (CONFIDENTIALITY AND NON-DISCLOSURE) OR 8 (INDEMNIFICATION) OF THE GENERAL TERMS. 8. Indemnification 8.1 By Service Provider — The Service Provider shall indemnify, defend and hold harmless the Customer and its Affiliates from and against all third-party claims, demands, causes of action and liability of any kind, for damages, losses, costs and expenses, including reasonable outside legal fees and disbursements (collectively, "Third-Party Claim") alleging that the Services infringe or misappropriate a third party's Intellectual Property Rights. Notwithstanding anything to the contrary in this Agreement, the Service Provider's obligation under this Clause 8.1 shall not apply to the extent that the Third-Party Claim arises out of (i) the Customer's breach of this Agreement; (ii) revisions to the Services made without the Service Provider's written consent; (iii) the Customer's failure to incorporate updates or upgrades at the request of the Service Provider; (iv) the Customer's use of the Services in combination with hardware or software not provided by the Service Provider, including, without limitation, the Environment of Use; or (v) infringing or illegal Customer Data. 
In the defense and/or settlement of such a Third-Party Claim, the Service Provider may, at its option, (i) secure the right for the Customer to continue to use the Services; (ii) replace or modify the Services to make them non-infringing provided there is no material degradation to the Services; or (iii) require the Customer to stop using the Services and refund the Service Fees on a pro-rata basis for any unperformed Services. This Clause 8.1 states the Customer's and its Affiliates' and Users' sole rights and remedies and the Service Provider's (including the Service Provider's affiliates, employees, agents, and contractors) sole obligations and liability in respect of infringement of any third-party's Intellectual Property Rights. 8.2 By Customer — The Customer shall indemnify, defend and hold harmless the Service Provider and its Affiliates and licensors and their respective officers, directors and employees from and against all Third-Party Claims arising from or relating to: (i) a claim or threat that the Customer Data infringes, misappropriates or violates any third party's privacy or Intellectual Property Rights; or (ii) the occurrence of any of the exclusions set forth in the Clause 8.1 of the General Terms. 8.3 Indemnification Procedures — Each Party's respective indemnification obligations are conditioned upon: (i) being promptly notified in writing of any Third-Party Claim; (ii) the indemnified Party providing all reasonable assistance in the defense of such Third-Party Claim so as not to materially prejudice the defense; and (iii) the indemnifying Party is given the sole authority to defend or settle such Third-Party Claim. In no event shall an indemnified Party settle any claim without the indemnifying Party's prior written approval. 9. Term and Termination 9.1 Term — The term of this Agreement shall be in force as long as there is an active Purchase Order Form. 
After each Service Term, the Purchase Order Form shall renew automatically for additional Service Terms of one (1) year, unless otherwise agreed in the Purchase Order Form or unless either Party gives written notice of termination no less than three (3) months prior to the end of the then-current Service Term. 9.2 Termination for Cause — Both Parties have the right to terminate this Agreement with immediate effect upon written notice if (i) the other Party commits a material breach of this Agreement and does not rectify its breach, if rectifiable, within thirty (30) days of the written notification on the matter by the other Party; (ii) the other Party is insolvent, is petitioned for or applies for bankruptcy or reorganization, is a debtor in recovery proceedings, makes a transaction as an unfair preference to its claimants, or it is otherwise clear that the other Party is not able to properly fulfil its obligations due to financial difficulties or other reasons; or (iii) there is a change in control of the Customer. In addition, the Service Provider may terminate this Agreement immediately upon written notice in the event that the Customer or its Users infringe or misappropriate the Service Provider's Intellectual Property Rights, including, without limitation, use of any Service Provider Properties other than as authorized under this Agreement. Termination shall be in addition to any other remedies that may be available to the non-breaching Party. 9.3 Trial Period Termination — If agreed in the Purchase Order Form and in the Main Agreement, the Customer may terminate this Agreement in writing with immediate effect at any time before the end of the Trial Period. 
9.4 Other Termination — In the event it becomes illegal for the Service Provider to perform any of its obligations under this Agreement, then the Service Provider shall be excused from performance and shall have the right to suspend or terminate this Agreement upon written notice to the Customer to the extent necessary to comply with applicable laws, rules or regulations, without liability for breach or termination. 10. Governing Law and Jurisdiction 10.1 This Agreement shall be governed by and construed in accordance with the laws of the State of New York, without regard to principles of conflicts of law. The Uniform Commercial Code, the Uniform Computer Information Transaction Act, and the United Nations Convention of Controls for International Sale of Goods shall not apply. The Parties hereby agree that all disputes arising out of or in connection with this Agreement shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules. The language of arbitration shall be English and place the City of New York. 11. General Terms 11.1 Force Majeure — Except for a Party's payment obligations, neither Party is liable for delays or damage resulting from a force majeure event. A force majeure is defined as an obstacle beyond the control of either Party that the Party could not have reasonably predicted when entering into the Agreement and that the Party could not have affected or prevented via reasonable precautions. For instance, a strike, lock-out, boycott, war or a comparable armed conflict, natural catastrophes, interruption to general traffic, and legal provisions or other measures by the state that have come into effect after the signing of the Agreement, and which prevent fulfilment of contractual obligations, are considered force majeure. The delay of a Party's subcontractor is also regarded as force majeure, if the delay is caused by a force majeure event. 
A Party shall immediately inform, in writing, the other Party of a force majeure event. The first Party shall also inform the other of the cessation of the force majeure event. 11.2 Assignment — The Customer shall not, directly or indirectly, by operation of law or otherwise, transfer or assign this Agreement or any rights or obligations granted hereunder, in whole or in part, without the prior written consent of the Service Provider. Any attempted assignment or transfer in violation of this Clause 11.2 shall be void. The Service Provider shall have the right, directly or indirectly, by operation of law or otherwise, to transfer or assign this Agreement or any of its rights or obligations hereunder, in whole or in part, at its sole discretion. 11.3 Amendment — No change, modification, amendment or addition of or to this Agreement shall be effective unless it is in writing and approved by both Parties. 11.4 No Waiver — No failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy. 11.5 Remedies — Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law. 11.6 Severance — If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement. 
11.7 Entire Agreement — This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter. 11.8 No Partnership or Agency — Nothing in this Agreement is, unless otherwise expressly provided, intended to or shall operate to create a partnership between the Parties, or authorize either Party to act as agent for the other, and neither Party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power) . 11.9 Third Party Rights — This Agreement, to the greatest extent permissible by law, does not confer any rights on any person or Party other than the Parties to this Agreement and, where applicable, their successors and permitted assigns. 11.10 Interpretation — Unless the context otherwise requires, words in the singular shall include the plural meaning and vice versa. Clause headings shall not affect the interpretation of this Agreement. 11.11 Counterparts — This Agreement may be executed in one or more counterparts, each of which will be deemed to be an original, but all of which together will constitute one and the same instrument, without necessity of production of the others. A counterpart executed by electronic means or delivered in electronic format shall be deemed as effective as an original executed signature page. Hoxhunt Specification ("Specification") 1. Service Provider Services The Service Provider's Human Risk Management Platform is available in three different platform tiers called Professional, Enterprise and Unlimited. 
All platform tiers include self-service tools for user management, phishing simulation, and security awareness training content management as well as tools for reporting. Otherwise, each tier contains a specific set of platform features as described below. Functionality offering has been assigned into three separate purpose-oriented modules called Comply, Change and Respond. For companies with less than 500 employees there is also a separate SMB module that is designed for smaller companies. Human Risk Management Platform (Professional/Enterprise/Unlimited) Human Risk Management Platform Professional consists of basic features included in the Service Provider's core platform, such as the Hoxhunt reporter plugin and self-service knowledge base. Comply, Change and SMB modules are available for Human Risk Management Platform Professional. Human Risk Management Platform Enterprise contains all features of Human Risk Management Platform Professional and advanced features such as the Hoxhunt onboarding and customer success services, as well as the Hoxhunt API connections when available. Comply, Change and Respond modules are available for Human Risk Management Platform Enterprise. Human Risk Management Platform Unlimited includes all features of Human Risk Management Platform Enterprise as well as all other existing Service Provider's core platform features, such as the Hoxhunt data pipeline and custom branding. Comply, Change and Respond modules are available for Human Risk Management Platform Unlimited. Modules (applicable as ordered in the Order Form) Comply — With Advanced Security Awareness Training and Threat Feed functionality, the Customer can create training packages from a set of training modules and assign, grade, and measure the completion. Additionally, standardized phishing email campaigns can be scheduled and sent to establish a risk baseline for email-based threats. 
Threat Feed functionality collects all of the user-reported threats into a single view for easy navigation and safe inspection. Change — With Adaptive Phishing Training, Intelligent Threat Feed functionality and Instant Feedback feature, personalized phishing emails are scheduled and sent automatically and they get more difficult the better the Users are. Users reporting a threat can instantly receive feedback about what they should do with the email they deemed suspicious. Based on the content of the email, the Service Provider can show threat indicators, which are concrete reasons explaining why the email may be malicious. Additionally, Intelligent Threat Feed functionality includes automatic maliciousness classification for all items in the threat feed. Respond — With Feedback Rules and Incident Orchestration features, the Customer can set up rules to identify safe emails and simulated phishing attacks from third parties. Feedback Rules feature prevents the submission of false positive reports and provides customized feedback to the reporter. Additionally, the user-reported spam and phishing emails are prioritized to an admin's attention based on pre-set triggers, and the number of incidents that the admin needs to handle are decreased by filtering out threats which do not match the pre-set criteria. Further, Incident Orchestration feature eases analyzing reported emails by clustering the emails belonging to the same attack or legitimate campaign under one incident. SMB (only available for companies with less than 500 employees) — With Advanced Security Awareness Training, Adaptive Phishing Training, and Threat Feed functionality, personalized phishing emails are scheduled and sent automatically, and they get more difficult the better the Users are. The Customer can create training packages from a set of training modules and assign, grade, and measure the completion. 
Threat Feed functionality collects all of the user-reported threats into a single view for easy navigation and safe inspection. 2. Customer Support Customer Success — With Human Risk Management Platform Enterprise and Unlimited, the Customer shall receive periodic check-up meetings with the Service Provider's customer success representative to reflect upon progress, feedback, and areas of development. Onboarding Support — The Service Provider shall provide all necessary customer support in order to launch the Services within the Customer's email environment (defined as either one Microsoft Outlook application tenant or one Google Gmail application tenant). Onboarding of additional email environments is billable as agreed between the Customer and Reseller. End-User Support — The Users can contact the Service Provider's customer support if they have any questions, feedback, or need help with the Services via the Service Provider's core platform or e-mail at support@hoxhunt.com. The Service Provider also maintains self-service Hoxhunt knowledge base that includes documentation about the Services, answers to frequently asked questions and guides for technical troubleshooting. 3. Integrations SCIM/AD integration — The Service Provider can implement federated user management to active directory and other similar systems supporting the industry standard SCIM protocol. Integrations — The Service Provider offers integrations with third party software, products, or services. Customers can connect such available third party software, products, or services to the Service Provider's application. The Service Provider may, at its sole discretion, modify the availability of the integrations from time to time. For additional information, please contact the Service Provider's account executive or customer success representative. 
Application Programming Interface ("API") — Customers who require a deeper integration with the Services and other third party information systems can also query the data that is available through the Service Provider's application directly from the Service Provider's API. For additional information and technical documentation, please contact the Service Provider's account executive or customer success representative. 4. Languages The Service Provider provides functionality in several languages and the latest list of supported languages can be found here: https://support.hoxhunt.com/hc/en-us/articles/360024386272-Supported-Languages. The Service Provider may, at its sole discretion, modify the availability of the languages from time to time. 5. Requirements for Environment of Use The latest list of requirements for the Environment of Use required for the Services can be found here: https://support.hoxhunt.com/hc/en-us/articles/360010970659-Client-requirements-for-using-Hoxhunt. The Service Provider may, at its sole discretion, modify the requirements list from time to time. Hoxhunt Service Level Agreement ("SLA") 1. Service Provider Uptime Commitment For any uptime percentage of less than 96.7% in any calendar month subject to the Clause 2 of this SLA, the Customer will be eligible for a free extra month of the Service Provider Services ("Service Credit"). The uptime percentage is calculated by subtracting from 100% the percentage of minutes during the calendar month in which the Service Provider Services were unavailable. The Service Provider does not guarantee that the Services, hosted on an outsourced server, will work without interruptions or errors. The latest uptime statistics of the Service Provider Services can be found here: https://status.hoxhunt.com/ 2. 
SLA Exclusions The Service Provider uptime commitment is not affected by unavailability which: (i) is caused by factors outside of the Service Provider's reasonable control, including any force majeure event, Internet access, or problems beyond the demarcation point of the Service Provider network; (ii) results from any actions or inactions of the Customer or any third party; (iii) results from the equipment, software or other technology of the Customer or any third party (other than third party equipment within the Service Provider's direct control) ; (iv) results from any maintenance, that the Customer has been informed about at least three (3) days prior to the maintenance break; or (v) is required by laws, regulations, authorities' orders, instructions, statements, or the recommendations of reputable industry organizations. 3. Claim and Sole Remedy The Customer should submit a claim regarding the uptime percentage via email at support@hoxhunt.com. Unless otherwise provided in the Agreement, the Customer's sole and exclusive remedy for any unavailability, non-performance, or other failure by the Service Provider to provide the Services is the receipt of the Service Credit (if eligible) in accordance with the terms of this SLA. Hoxhunt Data Processing Agreement ("DPA") 1. Definitions The same definitions in other parts of the Agreement shall also apply to this DPA. Any terms not defined herein shall be given the meaning allocated to them in the Data Protection Laws from time to time. 
In addition, the following terms have the meanings set forth below: 1.1 "Data Controller" means the Customer; 1.2 "Data Processor" means the Service Provider; 1.3 "Data Protection Laws" means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council), other applicable EU or EU member state law, or any other applicable law that applies to the processing of the Personal Data under this DPA, including all as amended superseded or replaced from time to time; 1.4 "Data Subject" shall have the same meaning as defined by the Data Protection Laws; 1.5 "Personal Data" shall have the same meaning as defined by the Data Protection Laws; 1.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; 1.7 "Standard Contractual Clauses" means the contractual clauses issued by the European Commission by the decision (EU) 2021/914 for international transfers of Personal Data including as amended or replaced from time to time; and 1.8 "Supervisory Authority" means any competent authority under the Data Protection Laws. 2. Scope and Duration of Processing 2.1 The Data Processor shall process the Personal Data on behalf of the Data Controller only for the purpose of and to the extent required for providing the Services under the Agreement. The Personal Data shall be processed as long as the Services are provided under the Agreement. The categories of Personal Data processed under this DPA are specified in Annex 1 of this DPA. 3. Data Controller Obligations 3.1 The Data Controller shall: i. process the Personal Data in compliance with the Data Protection Laws and good data processing practices; and ii. ensure that all data processing by the Data Processor in accordance with this DPA and the Agreement is not unlawful and does not violate the rights of third parties. 
4. Data Processor Obligations 4.1 The Data Processor shall: i. process the Personal Data with all due care and skill, diligence and prudence, in a workmanlike manner in accordance with good data processing practices and high professional standards and in compliance with the Agreement, this DPA and the Data Protection Laws; ii. process the Personal Data only on documented instructions from the Data Controller, including with regard to transfers of the Personal Data to a third country or an international organization, unless required to do so by applicable law to which the Data Processor is subject. In such case, the Data Processor shall inform the Data Controller of such requirement under the Data Protection Laws before processing of the Personal Data, unless that law prohibits such notification on important grounds of public interest; iii. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; iv. take steps to ensure that any natural person acting under the authority of the Data Processor who has access to the Personal Data does not process them except on instructions from the Data Controller, unless they are required to do so by applicable law; v. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing the Personal Data; vi. assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights; vii. delete or return, at the choice of the Data Controller, all the Personal Data to the Data Controller after the end of the provision of the Services relating to the processing, and deletes existing copies unless the applicable law requires storage of the Personal Data; viii. 
assist the Data Controller in ensuring compliance with its legal obligations, such as, with the Data Controller's data security, data protection assessment and prior consulting obligations set out by the Data Protection Laws; ix. provide the Data Controller with necessary information in its possession for the completion of data protection impact assessments, to a reasonable extent and frequency and provided that the Data Controller does not otherwise have access to the information; x. make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause 4.1 and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller at the Data Controller's cost. The Data Processor shall inform the Data Controller if, in its opinion, an instruction infringes the Data Protection Laws or other applicable data protection provisions; and xi. have the right to amend this DPA from time to time, and shall notify the Data Controller of such amendments as required by the Data Protection Laws. 4.2 In case the Data Subject or Supervisory Authority make a request concerning the Personal Data, including a request for restricting, erasing or correcting the Personal Data, delivering them any information or executing any other actions, the Data Processor shall, without undue delay, inform the Data Controller on all such requests prior to any response or other action concerning the Personal Data, or afterwards as soon as reasonably possible in case the Data Protection Laws prescribes an immediate response. The Data Processor may only restrict, erasure or correct the Personal Data processed on behalf of the Data Controller when instructed to do so by the Data Controller or required by the Data Protection Laws. 
4.3 In the event of a Personal Data Breach, the Data Processor shall without undue delay but no later than in forty-eight (48) hours after becoming aware of it, notify the Data Controller in writing to its designated contact details provided below. The Data Processor shall use all reasonable endeavors to protect the Personal Data after having become aware of the Personal Data Breach. Contact for the Data Controller: The same as included in the signature page unless specified below. Contact for the Data Processor: Hoxhunt Legal legal@hoxhunt.com 5. International Transfers 5.1 Unless a country outside the borders of the European Economic Area ("EEA") offers an adequate level of data protection based on a decision by the European Commission, the Data Processor is entitled to transfer the Personal Data outside the borders of the EEA only with the Data Controller's express written consent, and provided that the Data Processor ensures that the transfer is protected by appropriate safeguards and supplementary measures as mandated from time to time by the Data Protection Laws. Where the Data Protection Laws require appropriate safeguards, the applicable Standard Contractual Clauses are incorporated and deemed entered into in respect of the transfer. By entering into this DPA, the Data Controller gives consent to the Data Processor to transfer the Personal Data outside the borders of the EEA to the sub-processors listed at Annex 1 of this DPA. Where the Data Protection Laws require supplementary measures, the Data Processor shall pseudonymize the Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject. 6. Sub-processors 6.1 By entering into this DPA, the Data Controller agrees that the Data Processor may engage the sub-processors listed at Annex 1 of this DPA. 
The Data Controller acknowledges that the Data Processor may update this list of sub-processors from time to time, and that the Data Processor shall notify the Data Controller of any such update with reasonable notice. The Data Controller may object to the appointment of a new sub-processor on reasonable grounds in writing within fourteen (14) or fewer calendar days from the date of notification. In such case the Data Processor shall use reasonable endeavors to secure, within a reasonable timeframe, an alternative sub-processor so as to avoid any degradation or interruption of the Services without imposing any substantial commercial burden on either Party. If the Data Processor is unable to secure an alternative sub-processor, the Data Controller may terminate the elements of the Services that cannot be delivered without the objected sub-processor. The Data Processor shall ensure that all sub-processors are bound by contractual obligations at least equivalent to this DPA with respect to the protection of the Personal Data, and the Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor data protection obligations under this DPA. 7. 
Indemnity 7.1 Notwithstanding Clause 7.2 of the General Terms, the Data Processor shall indemnify, defend and hold harmless the Data Controller against any third-party claims or administrative sanctions brought pursuant to the Data Protection Laws against the Data Controller resulting from the Data Processor's breach of this DPA up to the aggregate value of USD 1,000,000, provided that (i) the Data Processor is given prompt notice of any such claim or possible sanction; (ii) the Data Controller provides reasonable cooperation in relation the defense and settlement of such claim or possible sanction so as not to materially prejudice the defense; and (iii) the Data Processor is given the sole authority to defend or settle such claim and/or make representations to the relevant authorities in relation to any possible sanction. This Clause 7 of this DPA states the Data Controller's sole and exclusive rights and remedies and the Data Processor's entire obligations and liability for any third-party claims or administrative sanctions resulting from a breach of this DPA. 8. Applicable Law and Jurisdiction This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by the Data Protection Laws. Annex 1 of the DPA Categories of the Data Subjects whose Personal Data is processed — The categories of Data Subjects, which are affected by the Personal Data processing within the framework of this Agreement are the Users of the Services authorized and appointed by the Data Controller. 
Categories of the Personal Data processed — The categories of Personal Data processed include the following mandatory and optional items, provided at the discretion of the Data Controller:

Mandatory:
- Full name;
- Email address;
- Geolocation based on IP;
- Last data processing activity (time stamp);
- Native language;
- Browser language; and
- Employee performance statistics in the Services (such as reporting a simulated attack or completing a training package).

Optional:
- Telephone numbers;
- Spoken languages;
- Time zone;
- Employee-related information (such as a country, site, department, title, and manager);
- Employee-generated content and preferences; and
- Employee-related information from other systems of the Data Controller regarding signals of security behaviors.

Subject-matter, nature, and purpose of the Personal Data processing — The execution of the Services by the Data Processor as defined in the Agreement.

Frequency and duration of the Personal Data processing — Continuously, and as long as the Services are provided under the Agreement to the Data Controller.

Approved sub-processors of the Data Processor — In the below table, the "Service Data" include (i) the user-reported threat data which consist of non-simulated suspected malicious emails reported by the Users that may contain Personal Data, and (ii) the "User Data" which consist of the Personal Data categories stated above.

Infrastructure as a Service ("IaaS") and Platform as a Service ("PaaS")

| Entity | Service Category | Purpose | Personal Data Processed | Personal Data Processing Location | International Transfer Safeguard (if applicable) | Security Certification |
| --- | --- | --- | --- | --- | --- | --- |
| Google Cloud EMEA Ltd. | Cloud service provider | To provide the infrastructure to host the Services | Service Data | EEA | N/A | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |
| Amazon Web Services EMEA SARL | Cloud service provider | To transmit simulation content (such as simulated emails) to the Users | User Data | EEA | N/A | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |
| Cloudflare Inc. | Content Delivery Network ("CDN"), Domain Name System ("DNS"), and security services | To provide CDN, security and DNS services for web traffic transmitted to and from the Services | IP address | EEA, and US | EU SCC | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |
| MongoDB Ltd. | Database service | To provide the database platform hosted on Google's infrastructure | Service Data | EEA | N/A | ISO/IEC 27001, SOC 2 |

Service Supporting

| Entity | Service Category | Purpose | Personal Data Processed | Personal Data Processing Location | International Transfer Safeguard (if applicable) | Security Certification |
| --- | --- | --- | --- | --- | --- | --- |
| Functional Software Inc. d/b/a Sentry | Error tracking service | To provide real-time error tracking and insight needed to reproduce and fix the Services | IP address, user-agent, and user ID | US | EU SCC, and the transferring is not systematic as Sentry is only involved in error cases | ISO/IEC 27001, SOC 2 |
| Zendesk Inc. | Customer support service | To provide way for the Users to contact the Hoxhunt customer support, and to triage the potential issue | User Data | EEA | N/A | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |
| Hoxhunt Oy | All Hoxhunt services | Overall responsibility for the provision of the Services | Service Data | EEA | N/A | SOC 2 |

MC TO SIGN_SHI HoxHunt Security Awareness Training_EULA
Final Audit Report 2024-09-03

Created: 2024-08-30
By: Brian Liberty (BLiberty@kentwa.gov)
Status: Signed
Transaction ID: CBJCHBCAABAAALsSO-U5bYilrmSmXlo1m2rdZRs2ySCa

"MC TO SIGN_SHI HoxHunt Security Awareness Training_EULA" History

- Document created by Brian Liberty (BLiberty@kentwa.gov). 2024-08-30 - 10:32:15 PM GMT
- Document emailed to LYNNETTE SMITH (lsmith@kentwa.gov) for approval. 2024-08-30 - 10:32:37 PM GMT
- Email viewed by LYNNETTE SMITH (lsmith@kentwa.gov). 2024-08-30 - 10:33:03 PM GMT
- Document approved by LYNNETTE SMITH (lsmith@kentwa.gov). Approval Date: 2024-08-30 - 10:33:20 PM GMT - Time Source: server
- Document emailed to Mike Carrington (mcarrington@kentwa.gov) for signature. 2024-08-30 - 10:33:24 PM GMT
- Document e-signed by Mike Carrington (mcarrington@kentwa.gov). Signature Date: 2024-09-03 - 10:51:19 PM GMT - Time Source: server
- Agreement completed. 2024-09-03 - 10:51:19 PM GMT