The URL can be used to link to this page

7098 Fully executed Contract Docusign City Council Transmittal Coversheet File Name Purchasing Contact City Council Target Date Piggy Back Option Contract Expiration Ordinance DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF Cyber Security Services - IBM FILE Suzzen Stroman 7098 Yes June 25, 2019 June 25, 2022 19-1407 Z126-6955-US-02 (Direct) 03-2016 IBM Global Technology Services Statement of Work for IBM Security Services – City of Denton 324-B E. McKinney Street Denton, TX 76201 DIR-TSO-3996 Xforce IRIS Tier 2 renewal 3-year proposal 5-9-19 The information in this Statement of Work may not be disclosed outside of your enterprise and may not be duplicated, used or disclosed in whole or in part for any purpose other than to evaluate the services, provided that if a contract is awarded to IBM as a result of or in connection with the submission of this Statement of Work, you will have the right to duplicate, use or disclose the information to the extent provided by the contract. This restriction does not limit your right to use information contained in this Statement of Work if it is obtained from another source without restriction. IBM retains ownership of this Statement of Work. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF Z126-6955-US-02 (Direct) 03-2016 Order Document Services will be provided to Client in accordance with the terms and conditions of this Order Document and its incorporated documents, including the Services Descriptions. Unless otherwise expressly stated in this Order Document or in a document incorporated by reference, Services do not include hardware or software content, or maintenance subscriptions. Client understands and acknowledges that IBM is permitted to use global resources (non-permanent residents used locally and personnel in locations worldwide) for delivery of Services. 1. Consulting and System Integration Services Summary of Services Consulting and System Integration Services (“C&SI”) are comprised of two parts; 1) the terms and conditions detailed in the selected Services Descriptions, and 2) the Security Services Statement of Work for Services (“SOW”) document number: Z126-6954-US-02. The SOW is an integral part of each Services Description. The terms of the SOW prevail over those of the Agreement; the terms of the applicable Services Description(s) prevail over those of the SOW; and the terms of this Order Document prevail over all documents. Estimated Schedule is defined as the estimated schedule start date of the first service activity and the estimated schedule end date of the last service activity specified in the C&SI Summary of Services Charges table below. If the Order Document signature date is beyond Estimated Start Date(s), Estimated Start Date(s) will automatically be extended to the date of the last signature on this Order Document and Estimated End Date(s) will automatically be extended by the same number of days. Normal business hours are defined as a.m. to p.m. through in Client's time zone, except national holidays, unless otherwise specified. 1.1. Consulting and System Integration Services Charges Unless otherwise stated herein, C&SI Charges are based upon a contiguous work schedule. Delays in the work schedule are subject to the Project Change Control Procedure and may result in an increase in charges. Charges for C&SI described in this Order Document, exclusive of applicable taxes and travel expenses are as specified in the Consulting and System Integration Services Summary of Services Charges table below. This total charge will be divided into equal monthly increments over the contract term and you will be invoiced monthly for such increments. If travel is required, you are responsible for all reasonable travel and living expenses, which would include actual transportation and lodging, per diem meal expenses and other reasonable and necessary charges associated with such travel and living expenses (e.g., luggage charges) incurred by IBM’s personnel during the performance of the Services. Travel and living expenses are in addition to the above charges and are currently estimated at 20-25% of the total Services charge. Travel and living expenses will be invoiced monthly. Travel and living expenses will be invoiced monthly after they are incurred. You also agree to pay the following additional charges, as applicable, which will be invoiced within three calendar months following the calendar month during which they are incurred: a. all charges for miscellaneous expenses, in response to your written request, for purposes related to the performance of the Services (including any applicable shipping charges); b. all charges (including travel and living expenses) associated with any additional Emergency Incident Declarations you make during the term of the SOW; and c. all charges for additional Emergency Incident Declaration hourly support, in response to your written request or approval, for purposes related to the performance of the Services. Amounts are due upon receipt of invoice and payable within 30 days. Late payment fees may apply. Payment may be made electronically to an account specified by IBM or by other means agreed to by the parties. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 1.2. Consulting and System Integration Services Summary of Services Charges Consulting & System Integration - Selectable Feature Summary Services Code Services Description Service Activities Metric or Quantity Estimated Schedule Start & End Dates Charges X-Force IRIS – Vision Retainer Document: Z126-6954-US-02 X-Force IRIS - Vision Retainer Services are sold in tiers, where each tier involves different levels of services commitments. Each tier includes Project Initiation, Emergency Incident Support, Quarterly IR Related Support and a certain number of Purchased Retainer Hours – Number of Emergency Incident Support or consulting hours included annually for the contract term. Also, certain tiers contain additional services and service commitments. Note: Purchased Retainer Hours that are not used during the Estimated Start and End dates will expire. Select one of the following X-Force IRIS - Vision Retainer service tiers below. Estimated Start Date: 09/2/2019 Estimated End Date: 09/1/2022 Fixed charge of $135,000 Selected Vision Retainer Tier 1 If selected, includes the following services commitments: ● 60 Purchased Retainer Hours Vision Retainer Tier 2 If selected, includes the following annual services commitments: ● 80 Purchased Retainer Hours ● Incident Program Assessment ● 5 IR Playbooks included in Retainer: ● 1 Tabletop Exercises ● 2 IBM X-Force Hosted Threat Analysis Service seats Vision Retainer Tier 3 If selected, includes the following services commitments: ● 150 Purchased Retainer Hours ● Incident Program Assessment ● 10 IR Playbooks included in Retainer: ● 2 Tabletop Exercises ● 4 IBM X-Force Hosted Threat Analysis Service seats Additional Retainer Hourly Support: Additional hourly support IBM agrees to provide additional emergency incident hourly support, in response to Client's written request. Such support will be provided based on the Usage charge specified in this Order Document. During an emergency incident and upon Client written request to IBM, IBM will provide additional support beyond the number of hours specified above for services included in the subscription. Client will be charged Rate of $350 USD for Tier 2 DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 for usage of any additional hours provide by IBM during an emergency incident. Only actual hours used will be invoiced at the current hourly rate. Usage charge of: $350/hr Consulting and System Integration Services Charges C&SI Total Services Charges $135,000 Additional options Clients may elect to dedicate retainer hours towards the development of a Cyber Security Incident Response Plan or the Cyber Security Range engagement. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 Statement of Work for Services IBM Security Services – Security Testing This Statement of Work (“SOW”) is governed by the terms and conditions of the agreement specified in the Order Document for IBM Security Services (“Order Document”). If there is a conflict between the terms in the documents, the terms of the Order Document prevail over those of the SOW, and the terms of the SOW prevail over those of the agreement specified in the Order Document ("the Agreement"). Client means and includes the company, its authorized users or recipients of the IBM Security Services ("Services"). Capitalized terms not otherwise defined in this SOW are defined in the Agreement and have the same meaning in this SOW as ascribed to them therein. 1. Scope of Work The IBM Security Services are comprised of a dynamic portfolio of offerings designed to provide tools, technology and expertise to help optimize Client’s existing security programs. The IBM Security Services (“Services”) consist of IBM X-Force Incident Response and Intelligence Services (IRIS) Vision Retainer and are designed to provide resources to assist Client with computer security incidents or assist with emergency response preparation. IBM will provide resources to assist Client in preparing for, managing and responding to computer security incidents, including steps for analysis, intelligence gathering, containment, eradication, recovery and prevention. IBM will use existing, commercially available tools, as well as IBM proprietary tools, to perform Services. IBM X-Force IRIS Vision Retainer is sold in tiers, where each tier involves different levels of services commitments. Each tier includes a certain number of support hours (called "Purchased Retainer Hours) available to the Client for emergency incident support or consulting hours included annually for the contract term and depending on tier level selected by Client will also include additional services activities described herein. Services selected by Client will be specified in the Order Document. Note: Purchased Retainer Hours that are not used during the Estimated Start and End dates specified in the Order Document will expire. The details of the Services are specified in the Order Document. 1.1 Services Coordination IBM Responsibilities IBM will designate an IBM Services specialist who will be IBM’s focal point during performance of the Services who, with Client Point of Contact, will: a. review the SOW and any associated documents; b. establish and maintain communications; c. administer the Project Change Control Procedure described in the Project Procedures appendix; and d. coordinate the technical activities of IBM’s assigned personnel. e. have completed Services Coordination when the remaining IBM activities specified in this Statement or Work are complete. 1.1 Client Point of Contact Responsibilities Prior to the start of the Services, Client will designate a Client Point of Contact to whom all communications relative to the Services will be addressed, and who will have the authority to act on Client's behalf in all matters regarding this SOW, applicable Service Description(s) and Order Document. Client's Point of Contact will: a. complete and return any questionnaires or checklists within business days of receipt, if applicable; b. serve as the interface between IBM’s project team and all Client departments participating in the Services; c. attend status meetings, as required; DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 d. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services, within business days of IBM’s request, unless Client and IBM agree in writing to a different response time. As applicable, review deliverables submitted by IBM in accordance with the Deliverable Acceptance Procedure described in the Project Procedures appendix; e. help resolve and escalate Services issues within Client's organization, as needed; and f. administer the Project Change Control Procedure with the IBM. 1.2 Client General Responsibilities IBM's performance is dependent upon Client's fulfillment of its responsibilities at no charge to IBM. Any delay in performance of Client's responsibilities may result in additional charges and/or delay of the completion of the Services and will be handled in accordance with the Project Change Control Procedure. Client will: a. make appropriate personnel available to assist IBM in the performance of IBM’s responsibilities; b. provide safe access, suitable office space, supplies, high speed connectivity to the Internet, and other facilities needed by IBM personnel while working at the location specified in the Order Document; c. provide information and materials IBM requires to provide the Services. IBM will not be responsible for any loss, damage, delay or deficiencies in the Services arising from inaccurate, incomplete, or otherwise deficient information or materials supplied by or on behalf of Client; d. provide IBM with relevant information regarding Client’s current business environment. Such information is to include: (1) business strategies and growth plans; (2) major business processes; (3) organizational charts of the user community and IT organizations; e. provide IBM with information regarding Client’s current environment. Such information is to include: (1) current and planned IT and projects and priorities; (2) general IT and strategies, policies, and procedures; (3) IT and security (physical and logical) policies, procedures, and standards; and (4) service level agreements; f. if making available to IBM any facilities, software, hardware or other resources in connection with IBM’s performance of Services, obtain at no cost to IBM any licenses or approvals related to these resources that may be necessary for IBM to perform the Services. IBM will be relieved of its obligations that are adversely affected by Client’s failure to promptly obtain such licenses or approvals. Client agrees to reimburse IBM for any reasonable costs and other amounts, including costs of litigation and settlements, that IBM may incur from Client’s failure to obtain these licenses or approvals; g. obtain all necessary permissions for IBM to use, provide, store and process data to which Client gives IBM access to perform the Services. Client is responsible for the security and privacy of such data. Client will not give IBM access to data subject to governmental regulation or requiring security measures beyond those specified in this SOW unless IBM has first agreed in writing to implement additional required security measures; h. ensure that current maintenance, license, and other applicable agreements are in place with third parties whose work may affect IBM’s ability to provide the Services. Unless specifically agreed to otherwise in writing, Client is responsible for the management and performance of the third parties and for any third-party hardware, software or communications equipment used in connection with the Services; i. be responsible for implementing or not implementing IBM’s recommendations and for the results achieved; j. allow IBM to cite Client’s company name and the general nature of the Services IBM performed for Client to IBM’s other clients and other prospective clients; DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 k. consent and will obtain any necessary consents for IBM and its subcontractors to process the business contact information of Client, its employees and contractors worldwide for our business relationship. IBM will comply with requests to access, update, or delete such contact information; l. acknowledge and agree that IBM does not provide legal services or represent or warrant that the services or products IBM provides or obtains on Client's behalf will ensure Client's compliance with any particular law, including but not limited to any law relating to safety, security or privacy; m. obtain any necessary consents and take any other actions required by applicable laws, including but not limited to data privacy laws, prior to disclosing any of Client's employee information to IBM. Client also agrees that with respect to data that is transferred or hosted outside of the country or countries specified in the Order Document(s), Client is responsible for ensuring that all such data transmitted outside of the country or countries specified in the Order Document(s) adheres to the laws and regulations governing such data; n. be responsible for the content of any database, the selection and implementation of controls on its access and use, backup and recovery, and the security of the stored data. This security will also include any procedures necessary to safeguard the integrity and security of software and data used in the Services from access by unauthorized personnel; be responsible for the identification of interpretation of, and compliance with, any applicable laws, regulations, and statutes that affect Client's existing systems, applications, programs, or data to which IBM will have access during the Services, including applicable data privacy, export, and import laws and regulations. It is Client's responsibility to ensure the systems, applications, programs, and data meet the requirements of those laws, regulations and statutes; o. IBM’s Data Processing Addendum (DPA) at http://ibm.com/dpa and the applicable DPA Exhibit (DPA Exhibit for C&SI and/or DPA Exhibit for MSS) for Security Services located at http://www.ibm.com/services/us/dpa applies and supplements the Agreement, if and to the extent (a) IBM is processing personal data on behalf of Client, and (b) the current European General Data Protection Regulation applies to such processing of personal data, DPA and DPA Exhibit(s) applies and supplements the Agreement. p. be responsible, at its expense, for establishing, maintaining, and operating Client’s connection to the Internet (the speed of which may have a significant impact on the responsiveness of the Services) including all computer hardware and software, web browsers configured in accordance with industry standards, modems and access lines. Service Description for X-Force Incident Response and Intelligence Services – Vision Retainer Service Activities – X-Force IRIS Project Initiation The purpose of this activity is to review the processes for making a declaration for a computer security incident that presents a real or a possible threat to Client's computer system and network environment (“Emergency Incident Declaration”), and to validate the schedule. IBM Responsibilities IBM will: q. facilitate an on-site or remote project initiation workshop, for up to one day (eight business hours), on a mutually agreed date and time; r. introduce the X-Force IRIS management personnel that will be providing Services; s. confirm Client's locations to be included for Services; t. define the process for making an Emergency Incident Declaration, including establishing the designated telephone number(s) and e-mail address(es); u. review processes for responding to an Emergency Incident Declaration and for exchanging security incident data in a secure manner; v. document the Service schedule in a document entitled "Service Calendar"; and DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 w. have completed X-Force IRIS Project Initiation when IBM has conducted the project kickoff workshop and delivered the Service Calendar to Client's Point of Contact. Client Responsibilities Client will: assign internal resources with appropriate level of skill and responsibility to act on Client’s behalf and to represent Client’s business interest as it pertains to security group, information technology, audit, risk and operations management at Client’s facility during Services; and ensure and mandate appropriate Client personnel participation during Services and as required by IBM with responsibility ownership for the following areas: (1) various management levels with representative skills; and (2) identity and access ownership. Service Activities – Incident Program Assessment Incident Program Assessment services are provided, if selected by the Client and specified in the Order Document. IBM Responsibilities At Client's request, and for the charges specified in the Order Document, IBM will: a. conduct a review of existing Incident Response program documentation; b. identify five critical stakeholders to conduct an one hour telephonic interview to provide greater depth on the existing IR program documentation; c. collate the interview and written documentation and map into a written deliverable (called the "Incident Program Assessment final presentation") containing an one year roadmap mapped to maturing the program by identifying milestones to serve as future goals; and d. have completed Incident Program Assessment when IBM has delivered the Incident Program Assessment final presentation to Client's Point of Contact. Client Responsibilities Client will: e. provide IBM the documentation requested for review within five (5) business days from the initial request; f. work with IBM to identify stakeholders needed for interview requests; g. ensure stakeholders respond within a timely manner to schedule interviews at earliest possible request; and h. ensure executive stakeholders are available to participate in the final briefing for IR Program Assessment deliverable. Service Activities – Incident Response Tabletop Exercise Incident Response Tabletop Exercise services are provided, if selected by the Client and specified in the Order Document. IBM Responsibilities At Client's request, and for the charges specified in the Order Document, IBM will: a. provide Client with number of Incident Response Tabletop Exercises identified in the Order Document for the contract term; b. conduct a targeted attack simulation for up to six (6) hours to provide first responder and executive training, for up to twenty (20) attendees; c. work remotely and/or onsite with Client's key members to develop a computer security incident simulation exercise that will test Client's computer security incident response plan and procedures, with focus on the areas that may need to be updated or improved; DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 d. conduct and supervise the incident simulation exercise on-site for up to six (6) hours at Client's location, paying particular attention to: (1) how Client's team properly triage the incident; (2) how well the members of Client's computer security incident response team work with each other; (3) how well Client's computer security incident response team performs in the five phases of incident response (analysis, containment, eradication, recovery, and prevention); (4) how well Client's team interfaces with external entities (Internet service providers, administrators of other sites, other response teams, law enforcement entities, etc.); and (5) how well Client's team communicates with customers, external users, employees, and the public media; e. document findings and recommendations in a written deliverable (called "Incident Response Tabletop Exercise Report"); f. discuss findings, for up to two (2) hours, via conference call with Client's computer security incident response team; and g. have completed Incident Response Tabletop Exercise when IBM has conducted the conference call and delivered the Incident Response Tabletop Exercise Report to Client's Point of Contact. Client Responsibilities Client will: i. provide IBM the documentation requested for review within five (5) business days from the initial request; j. work with IBM to identify stakeholders needed for interview requests and workshop attendance; k. ensure stakeholders respond within a timely manner to schedule interviews at earliest possible request; and l. ensure executive stakeholders and security incident response team are available to participate in the final briefing. Service Activities - Emergency Incident Support- Tier 2- 80 hours per year The purpose of this activity is to provide emergency response for each Emergency Incident Declaration. IBM Responsibilities At Client's request, and for the charges specified in the Order Document, IBM will: a. provide emergency response 24 hours/day, 7 days/week for Emergency Incident Declarations per the term of Client's contract. Such response will utilize included subscription hours for on-site and/or remote support as specified in the Order Document; b. host a conference call with Client's designated personnel to discuss the symptoms Client is observing, actions taken and similar items within approximately one hour after receiving Client's call or e-mail for an Emergency Incident Declaration; c. provide an estimate of hours and costs, and availability for response, if it is determined from the call that Client requires IBM to engage in support of the incident; d. provide assistance and advice if possible for handling the Emergency Incident Declaration including: (1) analysis of computer security incident data to determine the source of the incident, its cause, and its effects; (2) preventing the effects of the computer security incident from spreading to other computer systems and networks; (3) stopping the computer security incident at its source and/or protecting Client's computer systems and networks from the effects of the computer security incident; (4) recommendations for restoration of the affected computer systems and networks to normal operation; and DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 (5) suggesting protection methods for Client's computer systems and networks from future occurrences of the computer security incident. e. prepare and provide an incident analysis report (“Incident Analysis Report”) to Client's Point of Contact describing the computer security incident, causes and effects, actions taken by IBM, and recommended future actions to mitigate risk; and f. have completed Emergency Incident Support when IBM has delivered any Incident Analysis Reports, as applicable and provided the Purchased Subscription Hours or the contract end date has been reached. Client Responsibilities Client will: m. agree and acknowledge: (1) that Client may not make an Emergency Incident Declaration until after the project kickoff session has been conducted; (2) that Client's additional locations, or locations not specified in the Order Document, must be contracted for separately; (3) that one IBM consultant will be assigned for remote and/or on-site Emergency Incident Declaration response to the declared physical location. Additional IBM consultants must be contracted for separately and are subject to availability; and (4) that if IBM discovers what it considers, in its sole discretion, to be inappropriate content during the performance of Services, IBM has the authority to report such information to law enforcement. Examples of what IBM would consider inappropriate content includes, but is not limited to, content or activity that involves obscene, pornographic or violent material. g. provide the IBM Services specialist with the names and telephone numbers (including after-hours telephone or pager numbers) of Client's lead investigator, technical and management contact personnel (including backup personnel) who have the authority to make Emergency Incident Declarations and act upon suggestions and recommendations made by IBM; h. make appropriate personnel available during IBM’s response to an Emergency Incident Declaration to answer questions, obtain requested data, perform suggested actions, and similar items; i. provide copies of all configuration information, log files, intrusion detection events, and other data related to an Emergency Incident Declaration and its analysis; j. manage the collection and dissemination of information regarding an Emergency Incident Declaration with Client's technical and managerial personnel, legal and public relations departments, others within Client's organization, and other companies as applicable; k. be responsible for and facilitate all communications between IBM and any third party vendors, including Internet service providers and content-hosting firms used by Client to implement Client's Internet presence; l. provide supervised access to Client's computer systems and computer networks during the agreed upon times and days; m. provide an executive sponsor for Services to communicate management commitment to the project; and n. be responsible for all charges associated with any additional Emergency Incident Declarations Client makes during the term of Client's contract. Service Activities - Quarterly Incident Response (IR) Related Support and Status Update The purpose of this activity is to provide Client with ongoing IR related support, up-to-date threat trends, and status updates. IBM Responsibilities IBM will: o. provide a checkup via remote teleconference for up to two (2) hours to review quarterly status, relevant events, service hours utilized and remaining, update service schedule, provide update on DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 threat trends, ensure Client's incident response readiness, and provide recommendations if appropriate; p. document result of each telephone support and discussion of the checkup teleconference in a quarterly status report (“Quarterly Status Report”); and q. have completed Quarterly Incident Response Related Support and Status Update when IBM has, per the service calendar, delivered the Quarterly Status Report to Client's Point of Contact and provided the Purchased Subscription Hours or the contract end date has been reached. Client Responsibilities Client will designate a Point of Contact, to whom all communications relative to the Quarterly Incident Related Support and Status Update will be addressed and who will have the authority to act on Client's behalf in all matters regarding this activity. Service Activities - IBM X-Force® Hosted Threat Analysis Service- 2 seats IBM X-Force Hosted® Threat Analysis Services are provided, if selected by the Client and specified in the Order Document. The IBM X-Force® Hosted Threat Analysis Service is a security intelligence service that is designed to deliver customized information about a variety of threats that could affect Client's network security. The managed security services portal (called “Portal”) provides Client with access to an environment (and associated tools) designed to monitor and manage Client's security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface. The Portal may also be used to deliver Education Materials. All such Education Materials are licensed not sold and remain the exclusive property of IBM. IBM grants Client a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED “AS IS” AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS. IBM Responsibilities At Client's request, and for the charges specified in the Order Document, IBM will: a. provide Client with number of X-Force Hosted Threat Analysis Service seats identified in the Order Document for the contract term; b. enable Client to access the Portal, and will work with Client to activate Services during deployment and initiation; c. provide access to the Portal 24 hours/day, 7 days/week; d. request one name and e-mail address for each seat purchased; e. enable Services access for each seat purchased; f. provide access to Education Materials in accordance with the terms provided in the Portal; g. send each licensed Services user a welcome e-mail with a user ID and temporary password to the Portal; h. provide Client with access to the X-Force® Hosted Threat Analysis Service; i. provide Client with a username, password, URL and appropriate permissions to access the Portal; j. display security information on the Portal as it becomes available; k. if configured by Client, provide security intelligence specific to Client's defined vulnerability watch list, via the Portal; l. if configured by Client, provide an Internet security assessment e-mail each business day; m. publish an Internet AlertCon via the Portal; n. provide Portal feature functionality for Client to create and maintain a vulnerability watch list; o. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 p. provide access to the Threat IQ via the Portal; and q. have completed IBM X-Force® Hosted Threat Analysis Service when IBM has provided Client with the number of X-Force Hosted Threat Analysis Service seats specified and provided the Purchased Subscription Hours or the contract end date has been reached. Client Responsibilities Client will: n. utilize the Portal to perform daily operational Services activities; r. ensure Client's employees accessing the Portal on Client's behalf comply with the terms of use, provided therein including, but not limited to, the terms associated with educational materials; s. appropriately safeguard Client's login credentials to the Portal (including not disclosing such credentials to any unauthorized individuals); t. promptly notify IBM if a compromise of Client's login credentials is suspected; u. indemnify and hold IBM harmless for any losses incurred by Client or other parties resulting from Client's failure to safeguard Client's login credentials; v. provide IBM with one name and e-mail address for each subscription purchased; w. change Client's temporary password upon first login to the Portal; x. agree to adhere to an individual license which entitles a single person in an organization to login to the IBM Managed Security Services (“IBM MSS”) portal (called “Portal”) and customize the delivery of Services content. This person is entitled to view information in the Portal and to receive e-mail notifications configured in the Portal. The individual is not authorized to share or distribute Services information. Although an organization can transfer an individual license from one person to another if needed, an individual license cannot be shared with other individuals who do not have a proper license; and y. use the Portal to: (1) subscribe to the daily Internet security assessment e-mail, if desired; (2) create a vulnerability watch list, if desired; and (3) access the Threat IQ. Other Terms and Conditions – Limitation of IBM X-Force IRIS Vision Retainer Client acknowledges and agrees that the following are not included as part of Services described herein: h. Services involving incidents of violence, injury to persons, or damage to or theft of tangible personal property; i. Services to identify a perpetrator; however, determining the source of network traffic or specific digital activity may be included in Services; j. investigatory interrogation; k. testifying in judicial or administrative proceedings; l. communication on Client's behalf with any entity, such as law enforcement, the news media, or its customers; m. any services requiring professional licensing of the service provider; n. evidentiary chain of custody control or management, but IBM may adhere to Client's chain of custody procedures in performing its obligations hereunder, provided these are reviewed and agreed to by IBM prior to starting work; o. legal counsel of any kind; p. opinions as to the credibility of any person; or q. any other related services which IBM, at its reasonable discretion, may at any time decline. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 Your Security Testing Responsibilities You agree to: r. work with IBM to schedule the project initiation conference call identified in the “Project Initiation” activity such that all participants have enough notice to attend and can complete required input documents (such as the data collection questionnaire) prior to the call; s. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at your premises; t. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility; u. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period; and Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges. v. ensure the IP addresses associated with the technical testers are added to any filtering devices (such as firewalls and intrusion prevention systems), such that the testers have unfiltered access to the target systems. 2. Estimated Schedule The estimated schedule for the Services is detailed in the Schedule. Both parties agree to make reasonable efforts to carry out our respective responsibilities in order to achieve the estimated schedule. If the Schedule signature date is beyond the Estimated Start Date, the Estimated Start Date will automatically be extended to the first business day following the date of the last signature on the Schedule. The Estimated End Date will automatically be extended by the same number of days. IBM shall not be responsible for delays or additional requirements imposed by any government agencies, labor disputes, fire, unavoidable casualties, or unforeseen conditions. 3. Deliverable Materials The deliverable Materials resulting from the completion of the activities for Services are specified above for each activity. Certain deliverable Materials are exempt from the Deliverable Materials Acceptance Process and will be considered accepted by you upon delivery to your Point of Contact. 4. Completion Criteria IBM will have fulfilled its obligations for the Services when any one of the following first occurs: a. IBM completes the activities described in this SOW, including provision of the deliverable Materials; or b. the Services are terminated in accordance with the provisions of the Agreement identified in the Schedule. 5. Charges The charges for the Services described in this SOW, exclusive of applicable taxes, are as specified in the Schedule. Unless otherwise stated in the Schedule, pricing is based upon a contiguous work schedule. Delays in the work schedule are subject to the Project Change Control Procedure and may result in an increase in pricing. 6. Other Terms and Conditions 6.1 Permission to Perform Testing Certain laws prohibit any unauthorized attempt to penetrate or access computer systems. You authorize IBM to perform the Services as described herein and acknowledge that the Services constitute authorized DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 access to your computer systems. IBM may disclose this grant of authority to a third party if deemed necessary to perform the Services. The Services that IBM performs entail certain risks and you agree to accept all risks associated with such Services; provided, however, that this does not limit IBM’s obligation to perform the Services in accordance with the terms of this SOW. You acknowledge and agree to the following: a. excessive amounts of log messages may be generated, resulting in excessive log file disk space consumption; b. the performance and throughput of your systems, as well as the performance and throughput of associated routers and firewalls, may be temporarily degraded; c. some data may be changed temporarily as a result of probing vulnerabilities; d. your computer systems may hang or crash, resulting in system failure or temporary system unavailability; e. any service level agreement rights or remedies will be waived during any testing activity; f. a scan may trigger alarms by intrusion detection systems; g. some aspects of the Services may involve intercepting the traffic of the monitored network for the purpose of looking for events; and h. new security threats are constantly evolving and no service designed to provide protection from security threats will be able to make network resources invulnerable from such security threats or ensure that such service has identified all risks, exposures and vulnerabilities. 7. Regulatory Services IBM does not operate as a provider of services regulated by the Federal Communications Commission (“FCC”) or state regulatory authorities (“State Regulators”), and does not intend to provide any services which are regulated by the FCC or State Regulators. If the FCC or any State Regulator imposes regulatory requirements or obligations on any services provided by IBM hereunder, IBM may: (a) modify, replace, or substitute products at Customer’s expense, and/or (b) change the way in which such services are provided to Client to avoid the application of such requirements or obligations to IBM (for example, by acting as Client's agent for acquiring such services from a third party common carrier). Disclaimer Client understands and agrees: a. that Products and Services are not warranted to operate uninterrupted or error free; b. that Products and Services are not fault tolerant and are not designed or intended for use in hazardous environments requiring fail-safe operation, including without limitation aircraft navigation, air traffic control systems, weapon systems, life support systems, nuclear facilities, or any other applications in which Product or Services failure could lead to death, personal injury, or property damage; c. that it is solely within Client's discretion to use or not use any of the information provided pursuant to the Services hereunder. Accordingly, IBM will not be liable for any actions that Client takes or chooses not to take based on the Services performed and/or deliverables provided hereunder; d. that it is Client's sole responsibility to provide appropriate and adequate security for the company, its assets, systems and employees; e. that it is Client's responsibility to add the IP addresses associated with the testers to any filtering devices, thereby permitting unfiltered network access to the target systems; f. not to modify the configurations of any in-scope systems and infrastructure devices during the period of testing; and g. that new technology, configuration changes, software upgrades and routine maintenance, among other items, can create new and unknown security exposures. Moreover, computer “hackers” and other third parties continue to employ increasingly sophisticated techniques and tools, resulting in ever-growing challenges to individual computer system security. IBM’s performance of the Services does not constitute any representation or warranty by IBM about the security of Client's computer systems including, but not limited to, any representation that Client's computer systems are safe from intrusions, viruses, or any other security exposures. IBM does not make any warranty, DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information provided as part of the Services. Security Data As part of Service, that includes reporting activities, IBM will prepare and maintain de-identified and/or aggregate information collected from Services (called "Security Data"). The Security Data will not identify the Client, or an individual except as provided in (d) below. Client herein additionally agrees that IBM may use and/or copy the Security Data only for the following purposes: ● publishing and/or distributing the Security Data (e.g., in compilations and/or analyses related to cybersecurity); ● developing or enhancing products or services; ● conducting research internally or with third parties; and ● lawful sharing of confirmed third party perpetrator information. Travel and Living Expenses If travel is required, Client is responsible for all reasonable travel and living expenses, which would include actual transportation and lodging, per diem meal expenses and other reasonable and necessary charges associated with such travel and living expenses (e.g., luggage charges) incurred by IBM’s personnel during the performance of the Services. Travel and living expenses are in addition to the above charges and are currently estimated at 20-25% of the total Services charge. Travel and living expenses will be invoiced monthly after they are incurred. IBM agrees to provide the Services specified in this Order Document provided Client accepts this Order Document, without modification, by signing in the space provided below on or before the Offer Expiration Date specified above. 7.1 Systems Owned by a Third Party For systems (which for purposes of this provision includes but is not limited to applications and IP addresses) owned by a third party that will be the subject of testing hereunder, you agree: a. that prior to IBM initiating testing on a third party system, you will obtain a signed letter from the owner of each system authorizing IBM to provide the Services on that system, and indicating the owner's acceptance of the conditions set forth in the section entitled “Permission to Perform Testing” and to provide IBM with a copy of such authorization; b. to be solely responsible for communicating any risks, exposures, and vulnerabilities identified on these systems by IBM’s remote testing to the system owner, and c. to arrange for and facilitate the exchange of information between the system owner and IBM as deemed necessary by IBM. You agree: d. to inform IBM immediately whenever there is a change in ownership of any system that is the subject of the testing hereunder; e. not to disclose the deliverable Materials, or the fact that IBM performed the Services, outside your Enterprise without IBM’s prior written consent; and f. to indemnify IBM in full for any losses or liability IBM incurs due to third party claims arising out of your failure to comply with the requirements of this section entitled, "Systems Owned by a Third Party" and for any third party subpoenas or claims brought against IBM or IBM’s subcontractors or agents arising out of (a) testing the security risks, exposures or vulnerabilities of the systems that are the subject of testing hereunder, (b) providing the results of such testing to you, or (c) your use or disclosure of such results. 7.2 Disclaimer You understand and agree: DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 a. that it is solely within your discretion to use or not use any of the information provided pursuant to the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose not to take based on the Services performed and/or deliverables provided hereunder; b. that it is your sole responsibility to provide appropriate and adequate security for the company, its assets, systems and employees; c. that it is your responsibility to add the IP addresses associated with the testers to any filtering devices, thereby permitting unfiltered network access to the target systems; and d. not to modify the configurations of any in-scope systems and infrastructure devices during the period of testing. e. that new technology, configuration changes, software upgrades and routine maintenance, among other items, can create new and unknown security exposures. Moreover, computer “hackers” and other third parties continue to employ increasingly sophisticated techniques and tools, resulting in ever-growing challenges to individual computer system security. IBM’s performance of the Services does not constitute any representation or warranty by IBM about the security of your computer systems including, but not limited to, any representation that your computer systems are safe from intrusions, viruses, or any other security exposures. IBM does not make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information provided as part of the Services. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 Schedule IBM Security Services – XForce IRIS This Schedule for IBM Security Services – Security Testing (“Schedule”) is between the Customer (also called “Services Recipient”, “you”, and “your”) and the IBM legal entity referenced below (“IBM”). Customer (Services Recipient) Name and Address: City of Denton 324-B E. McKinney Street Denton, TX 76201 Customer Number: 5403173 IBM Contact ● Name and Address: Bernard Barnes 7100 Highlands Pkwy SE Smyrna, GA 30082 ● Telephone: 770-863-1733 ● E-mail: barnesbe@us.ibm.com Your Point of Contact Zack Moericke Telephone: 940 453-2688 E-mail: zack.moericke@cityofdenton.com IBM Customer Agreement or equivalent (“Agreement”): ● Name: IBM Customer Agreement ● Location: http://www.ibm.com/support/operations/us/en/ica ● Document Number: TBD Location address(es) where Services will be provided: Agreement for Exchange of Confidential Information (“AECI”): ● Name: AECI ● Location: http://www.ibm.com/support/operations/us/en/aeci ● Document Number: TBD Apptus quote number- Q-00050640 Statement of Work (“SOW”): Name: Xforce IRIS Tier 2 renewal 3 year proposal ● Document Number: INTC-81374111-02 Schedule Effective Date: The date on this Schedule when signed by the last party Offer Expiration Date: 6-30-19 Estimated Schedule: Estimated Start Date: 9-2-19 Estimated End Date: 9-1-22 DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 Summary of Services Activity Description Quantity Xforce IRIS retainer Tier 2 ● 80 Purchased Retainer Hours per year ● Incident Program Assessment ● 5 IR Playbooks included in Retainer: ● 1 Tabletop Exercises 2 IBM X-Force Hosted Threat Analysis Service seats 1 8. Facilities and Hours of Coverage a. The Services will be performed at the location(s) specified above and at IBM location(s). You understand and acknowledge that IBM is permitted to use global resources (non-permanent residents used locally and personnel in locations worldwide) for delivery of the Services. b. IBM will provide the Services during normal business hours, 24 hours a day, except national holidays, unless otherwise specified. In some cases, you may be required to provide access to locations outside normal business hours, as mutually agreed between you and IBM. You may incur a charge for Services provided outside of normal business hours. 9. Charges Unless otherwise stated herein, Charges are based upon a contiguous work schedule. Delays in the work schedule are subject to the Project Change Control Procedure and may result in an increase in charges. The charges for the Services identified in this Schedule and the SOW, exclusive of applicable taxes, travel expenses and shipping charges are as specified in the Summary of Charges table below. If travel is required, you are responsible for all actual and reasonable travel and living expenses, which would include reasonable and necessary charges associated with such travel and living expenses (e.g., luggage charges), incurred by IBM’s personnel during the performance of the Services. Travel and living expenses are in addition to the above charges and are currently estimated at 20-25% of the total Services charge. Actual travel and living expenses will be invoiced monthly after they are incurred. Shipping charges that are incurred by IBM during the performance of this SOW will be invoiced to you as incurred. Invoices are due upon receipt and payable within 30 days. You agree to pay by electronic funds transfer (to an account specified by IBM) or other means acceptable and agreed to by the parties. 9.1 Summary of Charges Description Charges Xforce IRIS Tier 2 IRIS-RETAINER-T2 (36 months) $135,000 TOTAL SERVICES CHARGES $135,000 DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 Payment Schedule Payment Event Charges Annual Billing Charge $45,000 TOTAL CHARGES $135,000 10. Project Procedures 10.1 Project Change Control Procedure The following process will be followed if a change to the SOW or this Schedule is required. a. A Project Change Request (“PCR”) will be the vehicle for communicating change. The PCR must describe the change, the rationale for the change and the effect the change will have on the Services. b. The requesting party will document the proposed change and submit the request to the other party. c. Both parties will review the proposed change and recommend it for further investigation or reject it. IBM will specify any charges for such investigation. A PCR must be signed by authorized representatives from both parties to authorize investigation of the recommended changes. IBM will invoice you for any such charges. The investigation will determine the effect that the implementation of the PCR will have on price, schedule and other terms and conditions of the SOW or this Schedule. d. A written Change Authorization and/or PCR must be signed by authorized representatives from both parties to authorize implementation of the investigated changes. Until a change is agreed in writing, both parties will continue to act in accordance with the latest agreed upon version of the SOW and this Schedule. 10.2 Deliverable Materials Acceptance Procedure Each deliverable Material specified in the “Deliverable Materials” section of the SOW will be reviewed and accepted in accordance with the following procedure: a. One copy of the deliverable Material will be submitted to your Point of Contact. It is the responsibility of your Point of Contact to make and distribute additional copies to any other reviewers. b. Within five business days of receipt, your Point of Contact will either accept the deliverable Material or provide IBM with a written list of requested revisions. If IBM receives no response from your Point of Contact within five business days, then the deliverable Material will be deemed accepted. c. IBM will consider your Point of Contact’s timely request for revisions, if any, within the context of IBM’s obligations as stated in the “Deliverable Materials” section of the SOW. d. The revisions recommended by your Point of Contact and agreed to by IBM will be made and the deliverable Material will be resubmitted to your Point of Contact, at which time the deliverable Material will be deemed accepted. e. The revisions recommended by your Point of Contact, not agreed to by IBM, will be managed in accordance with the Project Change Control Procedure. f. Any conflict arising from this Deliverable Materials Acceptance Procedure will be addressed as specified in the Escalation Procedure below. 10.3 Escalation Procedure The following procedure will be followed if resolution is required to a conflict arising during the performance of the Services. When a conflict arises between your Point of Contact and IBM, the project team member(s) will first strive to work out the problem internally. a. Level 1: If the project team cannot resolve the conflict within two business days, your Point of Contact and IBM will meet to resolve the issue. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 b. Level 2: If the conflict is not resolved within three business days after being escalated to Level 1, your executive sponsor will meet with IBM to resolve the issue. c. If the conflict is resolved by either Level 1 or Level 2 intervention, the resolution will be addressed in accordance with the Project Change Control Procedure. d. If the conflict remains unresolved after Level 2 intervention, then either party may terminate the applicable Service. If the conflict is addressed by termination, you agree to pay IBM for a) all Services IBM provides and any products and Materials IBM delivers through termination, b) all expenses IBM incurs through termination, and c) any charges IBM incurs in terminating the Services. e. During any conflict resolution, IBM agrees to provide Services relating to items not in dispute, to the extent practicable pending resolution of the conflict. You agree to pay invoices per this Schedule and the SOW. IBM agrees to provide the Services specified in this Schedule provided you accept this Schedule, without modification, by signing in the space provided below on or before the Offer Expiration Date specified above. By signing this Schedule by hand or where recognized by law, electronically, you confirm that you have read and accept, without modification, the terms of this Schedule, the IBM Customer Agreement or any equivalent agreement in effect between us identified in this Schedule (“Agreement”), the AECI, and the SOW identified herein. All such documents are incorporated by reference into this Schedule. If there is a conflict among the terms in the various documents, 1) the terms of the SOW prevail over those of the Agreement; and 2) the terms of this Schedule prevail over those of the SOW and the Agreement. This Schedule, the Agreement, the AECI, and the SOW are the complete agreement between the parties regarding the Services, and replace any prior oral or written communications between us. Accordingly, in entering into this Schedule, neither party is relying upon any representation that is not specified in this Schedule including without limitation, any representations concerning 1) estimated completion dates, hours, or charges to provide the Services; 2) the experiences of other customers; or 3) results or savings you may achieve. You are responsible for printing and retaining a copy of all associated documents for your records of this transaction. Agreed to: City of Denton By______________________________________ Authorized signature Agreed to: IBM By______________________________________ Authorized signature Title: Title: Name (type or print): Name (type or print): Date: Date: After signing, please return a copy of this Schedule to the “IBM Company address” specified above. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF 6/7/2019 6/7/2019 6/10/2019 Bernard Barnes Information Security SpecialistCity Manager Todd Hileman 6/26/2019 6/26/2019 INTC-813574111-02 01-2019 Appendix A Supported locations (US) Supported Location for Incident Response (US State or Country) Comments Massachusetts Services performed on systems located in Massachusetts will be performed by IBM personnel. Per the Certification Unit, Massachusetts State Police, applicable state law may be interpreted to require computer forensics identifying a specific party to be performed by a licensed party. Additional rates for IBM managed Subcontractor may apply. Maryland Services performed on systems located in Maryland will be performed by IBM personnel. Please note that as of date of this SOW, applicable state law may be interpreted to require computer forensics identifying a specific party to be performed by a licensed party. Additional rates for IBM managed Subcontractor may apply. Texas As of the date of this SOW, the Texas Private Security Bureau interprets applicable state law, and state law explicitly requires, computer forensics to be performed by a licensed investigator. Services performed on systems located in Texas will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply. Michigan As of the date of this SOW, applicable state law explicitly requires computer forensics to be performed by a licensed investigator, where such forensics are to be used as evidence before a court, board, officer, or investigating committee. Services performed on systems located in Michigan will be performed by licensed IBM personnel, as required. South Carolina As of the date of this SOW, the Office of the Attorney General and the South Carolina Law Enforcement Division interpret applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in South Carolina will be performed by licensed subcontractor. Additional rates for IBM managed Subcontractor may apply. Nevada As of the date of this SOW, applicable state law explicitly requires computer forensics to be performed by a licensed investigator. Services performed on systems located in Nevada will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply. Kentucky As of the date of this SOW, the Kentucky Board of Licensure for Private Investigators interprets applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in Kentucky will be performed by a licensed subcontractor Additional rates for IBM managed Subcontractor may apply. DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF INTC-813574111-02 01-2019 Georgia As of the date of this SOW, the Office of the Secretary of State and the Georgia Board of Private Detective and Security Agencies interpret applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in Georgia will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply. All other US States Onsite Incident Response DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF Certificate Of Completion Envelope Id: BA7242F09C1B4C5490CEA1012E713CCF Status: Completed Subject: Please DocuSign: City Council Contract 7098 Cyber Security Services - IBM Source Envelope: Document Pages: 23 Signatures: 5 Envelope Originator: Certificate Pages: 6 Initials: 1 Suzzen Stroman AutoNav: Enabled EnvelopeId Stamping: Enabled Time Zone: (UTC-06:00) Central Time (US & Canada) 901B Texas Street Denton, TX 76209 suzzen.stroman@cityofdenton.com IP Address: 129.120.6.150 Record Tracking Status: Original 6/7/2019 12:22:40 PM Holder: Suzzen Stroman suzzen.stroman@cityofdenton.com Location: DocuSign Signer Events Signature Timestamp Suzzen Stroman suzzen.stroman@cityofdenton.com Buyer City of Denton Security Level: Email, Account Authentication (None) Completed Using IP Address: 129.120.6.150 Sent: 6/7/2019 4:54:18 PM Viewed: 6/7/2019 4:55:03 PM Signed: 6/7/2019 4:55:06 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Melissa Kraft Melissa.Kraft@cityofdenton.com Chief Technology Officer City of Denton Security Level: Email, Account Authentication (None) Signature Adoption: Pre-selected Style Using IP Address: 47.190.47.120 Signed using mobile Sent: 6/7/2019 4:54:18 PM Viewed: 6/7/2019 4:54:50 PM Signed: 6/7/2019 4:55:02 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Lori Hewell lori.hewell@cityofdenton.com Purchasing Manager City of Denton Security Level: Email, Account Authentication (None) Signature Adoption: Pre-selected Style Using IP Address: 129.120.6.150 Sent: 6/7/2019 4:54:18 PM Resent: 6/10/2019 11:33:32 AM Viewed: 6/10/2019 2:37:39 PM Signed: 6/10/2019 2:37:54 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Mack Reinwand mack.reinwand@cityofdenton.com City of Denton Security Level: Email, Account Authentication (None)Signature Adoption: Pre-selected Style Using IP Address: 129.120.6.150 Sent: 6/7/2019 4:54:18 PM Viewed: 6/7/2019 4:55:28 PM Signed: 6/7/2019 4:55:51 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Signer Events Signature Timestamp Bernard Barnes barnesbe@us.ibm.com Information Security Specialist Security Level: Email, Account Authentication (None)Signature Adoption: Pre-selected Style Using IP Address: 129.42.208.182 Sent: 6/10/2019 2:37:58 PM Viewed: 6/10/2019 2:57:05 PM Signed: 6/10/2019 2:57:16 PM Electronic Record and Signature Disclosure: Accepted: 6/10/2019 2:57:05 PM ID: 7ac28cbc-1d3a-48c5-bf43-1f357c2539af Tabitha Millsop tabitha.millsop@cityofdenton.com City of Denton Security Level: Email, Account Authentication (None) Completed Using IP Address: 129.120.6.150 Sent: 6/10/2019 2:57:18 PM Viewed: 6/26/2019 8:42:00 AM Signed: 6/26/2019 8:43:04 AM Electronic Record and Signature Disclosure: Not Offered via DocuSign Todd Hileman Todd.Hileman@cityofdenton.com City Manager City of Denton Security Level: Email, Account Authentication (None) Signature Adoption: Pre-selected Style Using IP Address: 47.184.66.109 Sent: 6/26/2019 8:43:07 AM Viewed: 6/26/2019 9:16:20 AM Signed: 6/26/2019 9:16:24 AM Electronic Record and Signature Disclosure: Accepted: 7/25/2017 11:02:14 AM ID: 57619fbf-2aec-4b1f-805d-6bd7d9966f21 Rosa Rios Rosa.Rios@cityofdenton.com Security Level: Email, Account Authentication (None) Signature Adoption: Pre-selected Style Using IP Address: 129.120.6.150 Sent: 6/26/2019 9:16:27 AM Viewed: 6/26/2019 11:26:03 AM Signed: 6/26/2019 11:26:42 AM Electronic Record and Signature Disclosure: Accepted: 6/26/2019 11:26:03 AM ID: f4593a70-0932-4cad-a145-7abee22ab9ac In Person Signer Events Signature Timestamp Editor Delivery Events Status Timestamp Agent Delivery Events Status Timestamp Intermediary Delivery Events Status Timestamp Certified Delivery Events Status Timestamp Carbon Copy Events Status Timestamp Tabitha Millsop tabitha.millsop@cityofdenton.com City of Denton Security Level: Email, Account Authentication (None) Sent: 6/10/2019 2:37:56 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Carbon Copy Events Status Timestamp Sherri Thurman sherri.thurman@cityofdenton.com City of Denton Security Level: Email, Account Authentication (None) Sent: 6/10/2019 2:37:57 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Jane Richardson jane.richardson@cityofdenton.com Assistant City Secretary City of Denton Security Level: Email, Account Authentication (None) Sent: 6/26/2019 8:43:06 AM Electronic Record and Signature Disclosure: Not Offered via DocuSign Jane Richardson jane.richardson@cityofdenton.com Assistant City Secretary City of Denton Security Level: Email, Account Authentication (None) Sent: 6/26/2019 11:26:44 AM Viewed: 6/27/2019 3:34:13 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign Witness Events Signature Timestamp Notary Events Signature Timestamp Envelope Summary Events Status Timestamps Envelope Sent Hashed/Encrypted 6/26/2019 11:26:44 AM Certified Delivered Security Checked 6/26/2019 11:26:44 AM Signing Complete Security Checked 6/26/2019 11:26:44 AM Completed Security Checked 6/26/2019 11:26:44 AM Payment Events Status Timestamps Electronic Record and Signature Disclosure ELECTRONIC RECORD AND SIGNATURE DISCLOSURE From time to time, City of Denton (we, us or Company) may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through your DocuSign, Inc. (DocuSign) Express user account. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to these terms and conditions, please confirm your agreement by clicking the 'I agree' button at the bottom of this document. Getting paper copies At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. For such copies, as long as you are an authorized user of the DocuSign system you will have the ability to download and print any documents we send to you through your DocuSign user account for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a $0.00 per-page fee. You may request delivery of such paper copies from us by following the procedure described below. Withdrawing your consent If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosure in paper format and withdraw your consent to receive notices and disclosures electronically is described below. Consequences of changing your mind If you elect to receive required notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. To indicate to us that you are changing your mind, you must withdraw your consent using the DocuSign 'Withdraw Consent' form on the signing page of your DocuSign account. This will indicate to us that you have withdrawn your consent to receive required notices and disclosures electronically from us and you will no longer be able to use your DocuSign Express user account to receive required notices and consents electronically from us or to sign electronically documents from us. All notices and disclosures will be sent to you electronically Unless you tell us otherwise in accordance with the procedures described herein, we will provide electronically to you through your DocuSign user account all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us. Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process, please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us. Electronic Record and Signature Disclosure created on: 7/21/2017 3:59:03 PM Parties agreed to: Bernard Barnes, Todd Hileman, Rosa Rios How to contact City of Denton: You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows: To contact us by email send messages to: purchasing@cityofdenton.com To advise City of Denton of your new e-mail address To let us know of a change in your e-mail address where we should send notices and disclosures electronically to you, you must send an email message to us at melissa.kraft@cityofdenton.com and in the body of such request you must state: your previous e-mail address, your new e-mail address. We do not require any other information from you to change your email address.. In addition, you must notify DocuSign, Inc to arrange for your new email address to be reflected in your DocuSign account by following the process for changing e-mail in DocuSign. To request paper copies from City of Denton To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an e-mail to purchasing@cityofdenton.com and in the body of such request you must state your e-mail address, full name, US Postal address, and telephone number. We will bill you for any fees at that time, if any. To withdraw your consent with City of Denton To inform us that you no longer want to receive future notices and disclosures in electronic format you may: i. decline to sign a document from within your DocuSign account, and on the subsequent page, select the check-box indicating you wish to withdraw your consent, or you may; ii. send us an e-mail to purchasing@cityofdenton.com and in the body of such request you must state your e-mail, full name, IS Postal Address, telephone number, and account number. We do not need any other information from you to withdraw consent.. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.. Required hardware and software Operating Systems: Windows2000? or WindowsXP? Browsers (for SENDERS): Internet Explorer 6.0? or above Browsers (for SIGNERS): Internet Explorer 6.0?, Mozilla FireFox 1.0, NetScape 7.2 (or above) Email: Access to a valid email account Screen Resolution: 800 x 600 minimum Enabled Security Settings: •Allow per session cookies •Users accessing the internet behind a Proxy Server must enable HTTP 1.1 settings via proxy connection ** These minimum requirements are subject to change. If these requirements change, we will provide you with an email message at the email address we have on file for you at that time providing you with the revised hardware and software requirements, at which time you will have the right to withdraw your consent. Acknowledging your access and consent to receive materials electronically To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosures that we will provide to you, please verify that you were able to read this electronic disclosure and that you also were able to print on paper or electronically save this page for your future reference and access or that you were able to e-mail this disclosure and consent to an address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format on the terms and conditions described above, please let us know by clicking the 'I agree' button below. By checking the 'I Agree' box, I confirm that: • I can access and read this Electronic CONSENT TO ELECTRONIC RECEIPT OF ELECTRONIC RECORD AND SIGNATURE DISCLOSURES document; and • I can print on paper the disclosure or save or send the disclosure to a place where I can print it, for future reference and access; and • Until or unless I notify City of Denton as described above, I consent to receive from exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to me by City of Denton during the course of my relationship with you.