7098 Fully executed Contract
Docusign City Council Transmittal Coversheet
File Name
Purchasing Contact
City Council Target Date
Piggy Back Option
Contract Expiration
Ordinance
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
Cyber Security Services - IBM
FILE
Suzzen Stroman
7098
Yes
June 25, 2019
June 25, 2022
19-1407
Z126-6955-US-02 (Direct) 03-2016
IBM Global Technology Services Statement of Work
for
IBM Security Services –
City of Denton
324-B E. McKinney Street
Denton, TX 76201
DIR-TSO-3996
Xforce IRIS Tier 2 renewal 3-year proposal
5-9-19
The information in this Statement of Work may not be disclosed outside of your enterprise and may not be
duplicated, used or disclosed in whole or in part for any purpose other than to evaluate the services, provided that
if a contract is awarded to IBM as a result of or in connection with the submission of this Statement of Work, you
will have the right to duplicate, use or disclose the information to the extent provided by the contract. This
restriction does not limit your right to use information contained in this Statement of Work if it is obtained from
another source without restriction. IBM retains ownership of this Statement of Work.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
Z126-6955-US-02 (Direct) 03-2016
Order Document
Services will be provided to Client in accordance with the terms and conditions of this Order Document
and its incorporated documents, including the Services Descriptions.
Unless otherwise expressly stated in this Order Document or in a document incorporated by reference,
Services do not include hardware or software content, or maintenance subscriptions.
Client understands and acknowledges that IBM is permitted to use global resources (non-permanent
residents used locally and personnel in locations worldwide) for delivery of Services.
1. Consulting and System Integration Services Summary of Services
Consulting and System Integration Services (“C&SI”) are comprised of two parts; 1) the terms and
conditions detailed in the selected Services Descriptions, and 2) the Security Services Statement of Work
for Services (“SOW”) document number: Z126-6954-US-02. The SOW is an integral part of each
Services Description.
The terms of the SOW prevail over those of the Agreement; the terms of the applicable Services
Description(s) prevail over those of the SOW; and the terms of this Order Document prevail over all
documents.
Estimated Schedule is defined as the estimated schedule start date of the first service activity and the
estimated schedule end date of the last service activity specified in the C&SI Summary of Services
Charges table below.
If the Order Document signature date is beyond Estimated Start Date(s), Estimated Start Date(s) will
automatically be extended to the date of the last signature on this Order Document and Estimated End
Date(s) will automatically be extended by the same number of days.
Normal business hours are defined as a.m. to p.m. through in Client's time zone, except national
holidays, unless otherwise specified.
1.1. Consulting and System Integration Services Charges
Unless otherwise stated herein, C&SI Charges are based upon a contiguous work schedule. Delays in
the work schedule are subject to the Project Change Control Procedure and may result in an increase in
charges.
Charges for C&SI described in this Order Document, exclusive of applicable taxes and travel expenses
are as specified in the Consulting and System Integration Services Summary of Services Charges table
below. This total charge will be divided into equal monthly increments over the contract term and you will
be invoiced monthly for such increments.
If travel is required, you are responsible for all reasonable travel and living expenses, which would include
actual transportation and lodging, per diem meal expenses and other reasonable and necessary charges
associated with such travel and living expenses (e.g., luggage charges) incurred by IBM’s personnel
during the performance of the Services. Travel and living expenses are in addition to the above charges
and are currently estimated at 20-25% of the total Services charge. Travel and living expenses will be
invoiced monthly. Travel and living expenses will be invoiced monthly after they are incurred.
You also agree to pay the following additional charges, as applicable, which will be invoiced within three
calendar months following the calendar month during which they are incurred:
a. all charges for miscellaneous expenses, in response to your written request, for purposes related to
the performance of the Services (including any applicable shipping charges);
b. all charges (including travel and living expenses) associated with any additional Emergency Incident
Declarations you make during the term of the SOW; and
c. all charges for additional Emergency Incident Declaration hourly support, in response to your written
request or approval, for purposes related to the performance of the Services.
Amounts are due upon receipt of invoice and payable within 30 days. Late payment fees may apply.
Payment may be made electronically to an account specified by IBM or by other means agreed to by the
parties.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
1.2. Consulting and System Integration Services Summary of Services Charges
Consulting & System Integration - Selectable Feature Summary
Services
Code Services Description Service Activities
Metric or Quantity
Estimated
Schedule Start
& End Dates
Charges
X-Force IRIS – Vision Retainer
Document: Z126-6954-US-02
X-Force IRIS - Vision Retainer
Services are sold in tiers, where each
tier involves different levels of services
commitments. Each tier includes
Project Initiation, Emergency Incident
Support, Quarterly IR Related Support
and a certain number of Purchased
Retainer Hours – Number of
Emergency Incident Support or
consulting hours included annually for
the contract term. Also, certain tiers
contain additional services and service
commitments.
Note: Purchased Retainer Hours
that are not used during the
Estimated Start and End dates will
expire.
Select one of the following X-Force
IRIS - Vision Retainer service tiers
below.
Estimated Start
Date:
09/2/2019
Estimated End
Date:
09/1/2022
Fixed charge of
$135,000
Selected
Vision Retainer Tier 1
If selected, includes the following
services commitments:
● 60 Purchased Retainer Hours
Vision Retainer Tier 2
If selected, includes the following
annual services commitments:
● 80 Purchased Retainer Hours
● Incident Program Assessment
● 5 IR Playbooks included in
Retainer:
● 1 Tabletop Exercises
● 2 IBM X-Force Hosted Threat
Analysis Service seats
Vision Retainer Tier 3
If selected, includes the following
services commitments:
● 150 Purchased Retainer Hours
● Incident Program Assessment
● 10 IR Playbooks included in
Retainer:
● 2 Tabletop Exercises
● 4 IBM X-Force Hosted Threat
Analysis Service seats
Additional Retainer Hourly
Support:
Additional hourly support
IBM agrees to provide additional
emergency incident hourly support, in
response to Client's written request.
Such support will be provided based
on the Usage charge specified in this
Order Document.
During an emergency incident and
upon Client written request to IBM,
IBM will provide additional support
beyond the number of hours specified
above for services included in the
subscription. Client will be charged
Rate of $350 USD
for Tier 2
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
for usage of any additional hours
provide by IBM during an emergency
incident. Only actual hours used will
be invoiced at the current hourly rate.
Usage charge of:
$350/hr
Consulting and System Integration Services Charges
C&SI Total Services Charges
$135,000
Additional options
Clients may elect to dedicate retainer hours towards the development of a Cyber
Security Incident Response Plan or the Cyber Security Range engagement.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
Statement of Work for Services
IBM Security Services – Security Testing
This Statement of Work (“SOW”) is governed by the terms and conditions of the agreement specified in
the Order Document for IBM Security Services (“Order Document”). If there is a conflict between the
terms in the documents, the terms of the Order Document prevail over those of the SOW, and the terms
of the SOW prevail over those of the agreement specified in the Order Document ("the Agreement").
Client means and includes the company, its authorized users or recipients of the IBM Security Services
("Services").
Capitalized terms not otherwise defined in this SOW are defined in the Agreement and have the same
meaning in this SOW as ascribed to them therein.
1. Scope of Work
The IBM Security Services are comprised of a dynamic portfolio of offerings designed to provide tools,
technology and expertise to help optimize Client’s existing security programs.
The IBM Security Services (“Services”) consist of IBM X-Force Incident Response and Intelligence
Services (IRIS) Vision Retainer and are designed to provide resources to assist Client with computer
security incidents or assist with emergency response preparation. IBM will provide resources to assist
Client in preparing for, managing and responding to computer security incidents, including steps for
analysis, intelligence gathering, containment, eradication, recovery and prevention. IBM will use existing,
commercially available tools, as well as IBM proprietary tools, to perform Services.
IBM X-Force IRIS Vision Retainer is sold in tiers, where each tier involves different levels of services
commitments. Each tier includes a certain number of support hours (called "Purchased Retainer Hours)
available to the Client for emergency incident support or consulting hours included annually for the
contract term and depending on tier level selected by Client will also include additional services activities
described herein. Services selected by Client will be specified in the Order Document.
Note: Purchased Retainer Hours that are not used during the Estimated Start and End dates specified in
the Order Document will expire.
The details of the Services are specified in the Order Document.
1.1 Services Coordination
IBM Responsibilities
IBM will designate an IBM Services specialist who will be IBM’s focal point during performance of the
Services who, with Client Point of Contact, will:
a. review the SOW and any associated documents;
b. establish and maintain communications;
c. administer the Project Change Control Procedure described in the Project Procedures appendix;
and
d. coordinate the technical activities of IBM’s assigned personnel.
e. have completed Services Coordination when the remaining IBM activities specified in this Statement
or Work are complete.
1.1 Client Point of Contact Responsibilities
Prior to the start of the Services, Client will designate a Client Point of Contact to whom all
communications relative to the Services will be addressed, and who will have the authority to act on
Client's behalf in all matters regarding this SOW, applicable Service Description(s) and Order Document.
Client's Point of Contact will:
a. complete and return any questionnaires or checklists within business days of receipt, if applicable;
b. serve as the interface between IBM’s project team and all Client departments participating in the
Services;
c. attend status meetings, as required;
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
d. obtain and provide applicable information, data, consents, decisions and approvals as required by
IBM to perform the Services, within business days of IBM’s request, unless Client and IBM agree in
writing to a different response time. As applicable, review deliverables submitted by IBM in
accordance with the Deliverable Acceptance Procedure described in the Project Procedures
appendix;
e. help resolve and escalate Services issues within Client's organization, as needed; and
f. administer the Project Change Control Procedure with the IBM.
1.2 Client General Responsibilities
IBM's performance is dependent upon Client's fulfillment of its responsibilities at no charge to IBM. Any
delay in performance of Client's responsibilities may result in additional charges and/or delay of the
completion of the Services and will be handled in accordance with the Project Change Control Procedure.
Client will:
a. make appropriate personnel available to assist IBM in the performance of IBM’s responsibilities;
b. provide safe access, suitable office space, supplies, high speed connectivity to the Internet, and
other facilities needed by IBM personnel while working at the location specified in the Order
Document;
c. provide information and materials IBM requires to provide the Services. IBM will not be responsible
for any loss, damage, delay or deficiencies in the Services arising from inaccurate, incomplete, or
otherwise deficient information or materials supplied by or on behalf of Client;
d. provide IBM with relevant information regarding Client’s current business environment. Such
information is to include:
(1) business strategies and growth plans;
(2) major business processes;
(3) organizational charts of the user community and IT organizations;
e. provide IBM with information regarding Client’s current environment. Such information is to include:
(1) current and planned IT and projects and priorities;
(2) general IT and strategies, policies, and procedures;
(3) IT and security (physical and logical) policies, procedures, and standards; and
(4) service level agreements;
f. if making available to IBM any facilities, software, hardware or other resources in connection with
IBM’s performance of Services, obtain at no cost to IBM any licenses or approvals related to these
resources that may be necessary for IBM to perform the Services. IBM will be relieved of its
obligations that are adversely affected by Client’s failure to promptly obtain such licenses or
approvals. Client agrees to reimburse IBM for any reasonable costs and other amounts, including
costs of litigation and settlements, that IBM may incur from Client’s failure to obtain these licenses
or approvals;
g. obtain all necessary permissions for IBM to use, provide, store and process data to which Client
gives IBM access to perform the Services. Client is responsible for the security and privacy of such
data. Client will not give IBM access to data subject to governmental regulation or requiring security
measures beyond those specified in this SOW unless IBM has first agreed in writing to implement
additional required security measures;
h. ensure that current maintenance, license, and other applicable agreements are in place with third
parties whose work may affect IBM’s ability to provide the Services. Unless specifically agreed to
otherwise in writing, Client is responsible for the management and performance of the third parties
and for any third-party hardware, software or communications equipment used in connection with
the Services;
i. be responsible for implementing or not implementing IBM’s recommendations and for the results
achieved;
j. allow IBM to cite Client’s company name and the general nature of the Services IBM performed for
Client to IBM’s other clients and other prospective clients;
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
k. consent and will obtain any necessary consents for IBM and its subcontractors to process the
business contact information of Client, its employees and contractors worldwide for our business
relationship. IBM will comply with requests to access, update, or delete such contact information;
l. acknowledge and agree that IBM does not provide legal services or represent or warrant that the
services or products IBM provides or obtains on Client's behalf will ensure Client's compliance with
any particular law, including but not limited to any law relating to safety, security or privacy;
m. obtain any necessary consents and take any other actions required by applicable laws, including but
not limited to data privacy laws, prior to disclosing any of Client's employee information to IBM.
Client also agrees that with respect to data that is transferred or hosted outside of the country or
countries specified in the Order Document(s), Client is responsible for ensuring that all such data
transmitted outside of the country or countries specified in the Order Document(s) adheres to the
laws and regulations governing such data;
n. be responsible for the content of any database, the selection and implementation of controls on its
access and use, backup and recovery, and the security of the stored data. This security will also
include any procedures necessary to safeguard the integrity and security of software and data used
in the Services from access by unauthorized personnel; be responsible for the identification of
interpretation of, and compliance with, any applicable laws, regulations, and statutes that affect
Client's existing systems, applications, programs, or data to which IBM will have access during the
Services, including applicable data privacy, export, and import laws and regulations. It is Client's
responsibility to ensure the systems, applications, programs, and data meet the requirements of
those laws, regulations and statutes;
o. IBM’s Data Processing Addendum (DPA) at http://ibm.com/dpa and the applicable
DPA Exhibit (DPA Exhibit for C&SI and/or DPA Exhibit for MSS) for Security
Services located at http://www.ibm.com/services/us/dpa applies and supplements
the Agreement, if and to the extent (a) IBM is processing personal data on behalf of
Client, and (b) the current European General Data Protection Regulation applies to
such processing of personal data, DPA and DPA Exhibit(s) applies and
supplements the Agreement.
p. be responsible, at its expense, for establishing, maintaining, and operating Client’s connection to
the Internet (the speed of which may have a significant impact on the responsiveness of the
Services) including all computer hardware and software, web browsers configured in accordance
with industry standards, modems and access lines.
Service Description for X-Force Incident Response and Intelligence Services – Vision
Retainer
Service Activities – X-Force IRIS Project Initiation
The purpose of this activity is to review the processes for making a declaration for a computer security
incident that presents a real or a possible threat to Client's computer system and network environment
(“Emergency Incident Declaration”), and to validate the schedule.
IBM Responsibilities
IBM will:
q. facilitate an on-site or remote project initiation workshop, for up to one day (eight business hours),
on a mutually agreed date and time;
r. introduce the X-Force IRIS management personnel that will be providing Services;
s. confirm Client's locations to be included for Services;
t. define the process for making an Emergency Incident Declaration, including establishing the
designated telephone number(s) and e-mail address(es);
u. review processes for responding to an Emergency Incident Declaration and for exchanging security
incident data in a secure manner;
v. document the Service schedule in a document entitled "Service Calendar"; and
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
w. have completed X-Force IRIS Project Initiation when IBM has conducted the project kickoff
workshop and delivered the Service Calendar to Client's Point of Contact.
Client Responsibilities
Client will:
assign internal resources with appropriate level of skill and responsibility to act on Client’s behalf
and to represent Client’s business interest as it pertains to security group, information technology,
audit, risk and operations management at Client’s facility during Services; and
ensure and mandate appropriate Client personnel participation during Services and as required by
IBM with responsibility ownership for the following areas:
(1) various management levels with representative skills; and
(2) identity and access ownership.
Service Activities – Incident Program Assessment
Incident Program Assessment services are provided, if selected by the Client and specified in the Order
Document.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. conduct a review of existing Incident Response program documentation;
b. identify five critical stakeholders to conduct an one hour telephonic interview to provide greater
depth on the existing IR program documentation;
c. collate the interview and written documentation and map into a written deliverable (called the
"Incident Program Assessment final presentation") containing an one year roadmap mapped to
maturing the program by identifying milestones to serve as future goals; and
d. have completed Incident Program Assessment when IBM has delivered the Incident Program
Assessment final presentation to Client's Point of Contact.
Client Responsibilities
Client will:
e. provide IBM the documentation requested for review within five (5) business days from the initial
request;
f. work with IBM to identify stakeholders needed for interview requests;
g. ensure stakeholders respond within a timely manner to schedule interviews at earliest possible
request; and
h. ensure executive stakeholders are available to participate in the final briefing for IR Program
Assessment deliverable.
Service Activities – Incident Response Tabletop Exercise
Incident Response Tabletop Exercise services are provided, if selected by the Client and specified in the
Order Document.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with number of Incident Response Tabletop Exercises identified in the Order
Document for the contract term;
b. conduct a targeted attack simulation for up to six (6) hours to provide first responder and executive
training, for up to twenty (20) attendees;
c. work remotely and/or onsite with Client's key members to develop a computer security incident
simulation exercise that will test Client's computer security incident response plan and procedures,
with focus on the areas that may need to be updated or improved;
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
d. conduct and supervise the incident simulation exercise on-site for up to six (6) hours at Client's
location, paying particular attention to:
(1) how Client's team properly triage the incident;
(2) how well the members of Client's computer security incident response team work with each
other;
(3) how well Client's computer security incident response team performs in the five phases of
incident response (analysis, containment, eradication, recovery, and prevention);
(4) how well Client's team interfaces with external entities (Internet service providers,
administrators of other sites, other response teams, law enforcement entities, etc.); and
(5) how well Client's team communicates with customers, external users, employees, and the
public media;
e. document findings and recommendations in a written deliverable (called "Incident Response
Tabletop Exercise Report");
f. discuss findings, for up to two (2) hours, via conference call with Client's computer security incident
response team; and
g. have completed Incident Response Tabletop Exercise when IBM has conducted the conference call
and delivered the Incident Response Tabletop Exercise Report to Client's Point of Contact.
Client Responsibilities
Client will:
i. provide IBM the documentation requested for review within five (5) business days from the initial
request;
j. work with IBM to identify stakeholders needed for interview requests and workshop attendance;
k. ensure stakeholders respond within a timely manner to schedule interviews at earliest possible
request; and
l. ensure executive stakeholders and security incident response team are available to participate in
the final briefing.
Service Activities - Emergency Incident Support- Tier 2- 80 hours per year
The purpose of this activity is to provide emergency response for each Emergency Incident Declaration.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide emergency response 24 hours/day, 7 days/week for Emergency Incident Declarations per
the term of Client's contract. Such response will utilize included subscription hours for on-site
and/or remote support as specified in the Order Document;
b. host a conference call with Client's designated personnel to discuss the symptoms Client is
observing, actions taken and similar items within approximately one hour after receiving Client's call
or e-mail for an Emergency Incident Declaration;
c. provide an estimate of hours and costs, and availability for response, if it is determined from the call
that Client requires IBM to engage in support of the incident;
d. provide assistance and advice if possible for handling the Emergency Incident Declaration including:
(1) analysis of computer security incident data to determine the source of the incident, its cause,
and its effects;
(2) preventing the effects of the computer security incident from spreading to other computer
systems and networks;
(3) stopping the computer security incident at its source and/or protecting Client's computer
systems and networks from the effects of the computer security incident;
(4) recommendations for restoration of the affected computer systems and networks to normal
operation; and
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
(5) suggesting protection methods for Client's computer systems and networks from future
occurrences of the computer security incident.
e. prepare and provide an incident analysis report (“Incident Analysis Report”) to Client's Point of
Contact describing the computer security incident, causes and effects, actions taken by IBM, and
recommended future actions to mitigate risk; and
f. have completed Emergency Incident Support when IBM has delivered any Incident Analysis
Reports, as applicable and provided the Purchased Subscription Hours or the contract end date has
been reached.
Client Responsibilities
Client will:
m. agree and acknowledge:
(1) that Client may not make an Emergency Incident Declaration until after the project kickoff
session has been conducted;
(2) that Client's additional locations, or locations not specified in the Order Document, must be
contracted for separately;
(3) that one IBM consultant will be assigned for remote and/or on-site Emergency Incident
Declaration response to the declared physical location. Additional IBM consultants must be
contracted for separately and are subject to availability; and
(4) that if IBM discovers what it considers, in its sole discretion, to be inappropriate content during
the performance of Services, IBM has the authority to report such information to law
enforcement. Examples of what IBM would consider inappropriate content includes, but is not
limited to, content or activity that involves obscene, pornographic or violent material.
g. provide the IBM Services specialist with the names and telephone numbers (including after-hours
telephone or pager numbers) of Client's lead investigator, technical and management contact
personnel (including backup personnel) who have the authority to make Emergency Incident
Declarations and act upon suggestions and recommendations made by IBM;
h. make appropriate personnel available during IBM’s response to an Emergency Incident Declaration
to answer questions, obtain requested data, perform suggested actions, and similar items;
i. provide copies of all configuration information, log files, intrusion detection events, and other data
related to an Emergency Incident Declaration and its analysis;
j. manage the collection and dissemination of information regarding an Emergency Incident
Declaration with Client's technical and managerial personnel, legal and public relations
departments, others within Client's organization, and other companies as applicable;
k. be responsible for and facilitate all communications between IBM and any third party vendors,
including Internet service providers and content-hosting firms used by Client to implement Client's
Internet presence;
l. provide supervised access to Client's computer systems and computer networks during the agreed
upon times and days;
m. provide an executive sponsor for Services to communicate management commitment to the project;
and
n. be responsible for all charges associated with any additional Emergency Incident Declarations
Client makes during the term of Client's contract.
Service Activities - Quarterly Incident Response (IR) Related Support and Status Update
The purpose of this activity is to provide Client with ongoing IR related support, up-to-date threat trends,
and status updates.
IBM Responsibilities
IBM will:
o. provide a checkup via remote teleconference for up to two (2) hours to review quarterly status,
relevant events, service hours utilized and remaining, update service schedule, provide update on
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
threat trends, ensure Client's incident response readiness, and provide recommendations if
appropriate;
p. document result of each telephone support and discussion of the checkup teleconference in a
quarterly status report (“Quarterly Status Report”); and
q. have completed Quarterly Incident Response Related Support and Status Update when IBM has,
per the service calendar, delivered the Quarterly Status Report to Client's Point of Contact and
provided the Purchased Subscription Hours or the contract end date has been reached.
Client Responsibilities
Client will designate a Point of Contact, to whom all communications relative to the Quarterly Incident
Related Support and Status Update will be addressed and who will have the authority to act on Client's
behalf in all matters regarding this activity.
Service Activities - IBM X-Force® Hosted Threat Analysis Service- 2 seats
IBM X-Force Hosted® Threat Analysis Services are provided, if selected by the Client and specified in the
Order Document.
The IBM X-Force® Hosted Threat Analysis Service is a security intelligence service that is designed to
deliver customized information about a variety of threats that could affect Client's network security.
The managed security services portal (called “Portal”) provides Client with access to an environment (and
associated tools) designed to monitor and manage Client's security posture by merging technology and
service data from multiple vendors and geographies into a common, Web-based interface.
The Portal may also be used to deliver Education Materials. All such Education Materials are licensed
not sold and remain the exclusive property of IBM. IBM grants Client a license in accordance with the
terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED “AS IS” AND WITHOUT
WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with number of X-Force Hosted Threat Analysis Service seats identified in the Order
Document for the contract term;
b. enable Client to access the Portal, and will work with Client to activate Services during deployment
and initiation;
c. provide access to the Portal 24 hours/day, 7 days/week;
d. request one name and e-mail address for each seat purchased;
e. enable Services access for each seat purchased;
f. provide access to Education Materials in accordance with the terms provided in the Portal;
g. send each licensed Services user a welcome e-mail with a user ID and temporary password to the
Portal;
h. provide Client with access to the X-Force® Hosted Threat Analysis Service;
i. provide Client with a username, password, URL and appropriate permissions to access the Portal;
j. display security information on the Portal as it becomes available;
k. if configured by Client, provide security intelligence specific to Client's defined vulnerability watch
list, via the Portal;
l. if configured by Client, provide an Internet security assessment e-mail each business day;
m. publish an Internet AlertCon via the Portal;
n. provide Portal feature functionality for Client to create and maintain a vulnerability watch list;
o. provide additional information about an alert, advisory, or other significant security issue as IBM
deems necessary;
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
p. provide access to the Threat IQ via the Portal; and
q. have completed IBM X-Force® Hosted Threat Analysis Service when IBM has provided Client with
the number of X-Force Hosted Threat Analysis Service seats specified and provided the Purchased
Subscription Hours or the contract end date has been reached.
Client Responsibilities
Client will:
n. utilize the Portal to perform daily operational Services activities;
r. ensure Client's employees accessing the Portal on Client's behalf comply with the terms of use,
provided therein including, but not limited to, the terms associated with educational materials;
s. appropriately safeguard Client's login credentials to the Portal (including not disclosing such
credentials to any unauthorized individuals);
t. promptly notify IBM if a compromise of Client's login credentials is suspected;
u. indemnify and hold IBM harmless for any losses incurred by Client or other parties resulting from
Client's failure to safeguard Client's login credentials;
v. provide IBM with one name and e-mail address for each subscription purchased;
w. change Client's temporary password upon first login to the Portal;
x. agree to adhere to an individual license which entitles a single person in an organization to login to
the IBM Managed Security Services (“IBM MSS”) portal (called “Portal”) and customize the delivery
of Services content. This person is entitled to view information in the Portal and to receive e-mail
notifications configured in the Portal. The individual is not authorized to share or distribute Services
information. Although an organization can transfer an individual license from one person to another
if needed, an individual license cannot be shared with other individuals who do not have a proper
license; and
y. use the Portal to:
(1) subscribe to the daily Internet security assessment e-mail, if desired;
(2) create a vulnerability watch list, if desired; and
(3) access the Threat IQ.
Other Terms and Conditions – Limitation of IBM X-Force IRIS Vision Retainer
Client acknowledges and agrees that the following are not included as part of Services described herein:
h. Services involving incidents of violence, injury to persons, or damage to or theft of tangible personal
property;
i. Services to identify a perpetrator; however, determining the source of network traffic or specific
digital activity may be included in Services;
j. investigatory interrogation;
k. testifying in judicial or administrative proceedings;
l. communication on Client's behalf with any entity, such as law enforcement, the news media, or its
customers;
m. any services requiring professional licensing of the service provider;
n. evidentiary chain of custody control or management, but IBM may adhere to Client's chain of
custody procedures in performing its obligations hereunder, provided these are reviewed and
agreed to by IBM prior to starting work;
o. legal counsel of any kind;
p. opinions as to the credibility of any person; or
q. any other related services which IBM, at its reasonable discretion, may at any time decline.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
Your Security Testing Responsibilities
You agree to:
r. work with IBM to schedule the project initiation conference call identified in the “Project Initiation”
activity such that all participants have enough notice to attend and can complete required input
documents (such as the data collection questionnaire) prior to the call;
s. invite and confirm attendance of all intended participants of the project initiation conference call, and
arrange the meeting room and all logistics at your premises;
t. ensure, to the extent possible, participation by various management levels with representative skills
and data protection ownership and mandates within the business units, security group, information
technology, audit and risk departments, and operations management at your facility;
u. ensure the in-scope systems and infrastructure remain in a static state throughout the testing
period; and
Note: Configuration or infrastructure modifications made during the testing may cause
inconsistencies in the results, and may incur additional charges.
v. ensure the IP addresses associated with the technical testers are added to any filtering devices
(such as firewalls and intrusion prevention systems), such that the testers have unfiltered access to
the target systems.
2. Estimated Schedule
The estimated schedule for the Services is detailed in the Schedule.
Both parties agree to make reasonable efforts to carry out our respective responsibilities in order to
achieve the estimated schedule.
If the Schedule signature date is beyond the Estimated Start Date, the Estimated Start Date will
automatically be extended to the first business day following the date of the last signature on the
Schedule. The Estimated End Date will automatically be extended by the same number of days.
IBM shall not be responsible for delays or additional requirements imposed by any government agencies,
labor disputes, fire, unavoidable casualties, or unforeseen conditions.
3. Deliverable Materials
The deliverable Materials resulting from the completion of the activities for Services are specified above
for each activity.
Certain deliverable Materials are exempt from the Deliverable Materials Acceptance Process and will be
considered accepted by you upon delivery to your Point of Contact.
4. Completion Criteria
IBM will have fulfilled its obligations for the Services when any one of the following first occurs:
a. IBM completes the activities described in this SOW, including provision of the deliverable Materials;
or
b. the Services are terminated in accordance with the provisions of the Agreement identified in the
Schedule.
5. Charges
The charges for the Services described in this SOW, exclusive of applicable taxes, are as specified in the
Schedule.
Unless otherwise stated in the Schedule, pricing is based upon a contiguous work schedule. Delays in
the work schedule are subject to the Project Change Control Procedure and may result in an increase in
pricing.
6. Other Terms and Conditions
6.1 Permission to Perform Testing
Certain laws prohibit any unauthorized attempt to penetrate or access computer systems. You authorize
IBM to perform the Services as described herein and acknowledge that the Services constitute authorized
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
access to your computer systems. IBM may disclose this grant of authority to a third party if deemed
necessary to perform the Services.
The Services that IBM performs entail certain risks and you agree to accept all risks associated with such
Services; provided, however, that this does not limit IBM’s obligation to perform the Services in
accordance with the terms of this SOW. You acknowledge and agree to the following:
a. excessive amounts of log messages may be generated, resulting in excessive log file disk space
consumption;
b. the performance and throughput of your systems, as well as the performance and throughput of
associated routers and firewalls, may be temporarily degraded;
c. some data may be changed temporarily as a result of probing vulnerabilities;
d. your computer systems may hang or crash, resulting in system failure or temporary system
unavailability;
e. any service level agreement rights or remedies will be waived during any testing activity;
f. a scan may trigger alarms by intrusion detection systems;
g. some aspects of the Services may involve intercepting the traffic of the monitored network for the
purpose of looking for events; and
h. new security threats are constantly evolving and no service designed to provide protection from
security threats will be able to make network resources invulnerable from such security threats or
ensure that such service has identified all risks, exposures and vulnerabilities.
7. Regulatory Services
IBM does not operate as a provider of services regulated by the Federal Communications Commission
(“FCC”) or state regulatory authorities (“State Regulators”), and does not intend to provide any services
which are regulated by the FCC or State Regulators. If the FCC or any State Regulator imposes
regulatory requirements or obligations on any services provided by IBM hereunder, IBM may: (a) modify,
replace, or substitute products at Customer’s expense, and/or (b) change the way in which such services
are provided to Client to avoid the application of such requirements or obligations to IBM (for example, by
acting as Client's agent for acquiring such services from a third party common carrier).
Disclaimer
Client understands and agrees:
a. that Products and Services are not warranted to operate uninterrupted or error free;
b. that Products and Services are not fault tolerant and are not designed or intended for use in
hazardous environments requiring fail-safe operation, including without limitation aircraft navigation,
air traffic control systems, weapon systems, life support systems, nuclear facilities, or any other
applications in which Product or Services failure could lead to death, personal injury, or property
damage;
c. that it is solely within Client's discretion to use or not use any of the information provided pursuant to
the Services hereunder. Accordingly, IBM will not be liable for any actions that Client takes or
chooses not to take based on the Services performed and/or deliverables provided hereunder;
d. that it is Client's sole responsibility to provide appropriate and adequate security for the company, its
assets, systems and employees;
e. that it is Client's responsibility to add the IP addresses associated with the testers to any filtering
devices, thereby permitting unfiltered network access to the target systems;
f. not to modify the configurations of any in-scope systems and infrastructure devices during the
period of testing; and
g. that new technology, configuration changes, software upgrades and routine maintenance, among
other items, can create new and unknown security exposures. Moreover, computer “hackers” and
other third parties continue to employ increasingly sophisticated techniques and tools, resulting in
ever-growing challenges to individual computer system security. IBM’s performance of the Services
does not constitute any representation or warranty by IBM about the security of Client's computer
systems including, but not limited to, any representation that Client's computer systems are safe
from intrusions, viruses, or any other security exposures. IBM does not make any warranty,
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information provided as part of the Services.
Security Data
As part of Service, that includes reporting activities, IBM will prepare and maintain de-identified and/or
aggregate information collected from Services (called "Security Data"). The Security Data will not identify
the Client, or an individual except as provided in (d) below. Client herein additionally agrees that IBM may
use and/or copy the Security Data only for the following purposes:
● publishing and/or distributing the Security Data (e.g., in compilations and/or analyses related to
cybersecurity);
● developing or enhancing products or services;
● conducting research internally or with third parties; and
● lawful sharing of confirmed third party perpetrator information.
Travel and Living Expenses
If travel is required, Client is responsible for all reasonable travel and living expenses, which would
include actual transportation and lodging, per diem meal expenses and other reasonable and necessary
charges associated with such travel and living expenses (e.g., luggage charges) incurred by IBM’s
personnel during the performance of the Services. Travel and living expenses are in addition to the
above charges and are currently estimated at 20-25% of the total Services charge. Travel and living
expenses will be invoiced monthly after they are incurred.
IBM agrees to provide the Services specified in this Order Document provided Client accepts this Order
Document, without modification, by signing in the space provided below on or before the Offer Expiration Date
specified above.
7.1 Systems Owned by a Third Party
For systems (which for purposes of this provision includes but is not limited to applications and IP
addresses) owned by a third party that will be the subject of testing hereunder, you agree:
a. that prior to IBM initiating testing on a third party system, you will obtain a signed letter from the
owner of each system authorizing IBM to provide the Services on that system, and indicating the
owner's acceptance of the conditions set forth in the section entitled “Permission to Perform
Testing” and to provide IBM with a copy of such authorization;
b. to be solely responsible for communicating any risks, exposures, and vulnerabilities identified on
these systems by IBM’s remote testing to the system owner, and
c. to arrange for and facilitate the exchange of information between the system owner and IBM as
deemed necessary by IBM.
You agree:
d. to inform IBM immediately whenever there is a change in ownership of any system that is the
subject of the testing hereunder;
e. not to disclose the deliverable Materials, or the fact that IBM performed the Services, outside your
Enterprise without IBM’s prior written consent; and
f. to indemnify IBM in full for any losses or liability IBM incurs due to third party claims arising out of
your failure to comply with the requirements of this section entitled, "Systems Owned by a Third
Party" and for any third party subpoenas or claims brought against IBM or IBM’s subcontractors or
agents arising out of (a) testing the security risks, exposures or vulnerabilities of the systems that
are the subject of testing hereunder, (b) providing the results of such testing to you, or (c) your use
or disclosure of such results.
7.2 Disclaimer
You understand and agree:
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
a. that it is solely within your discretion to use or not use any of the information provided pursuant to
the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose
not to take based on the Services performed and/or deliverables provided hereunder;
b. that it is your sole responsibility to provide appropriate and adequate security for the company, its
assets, systems and employees;
c. that it is your responsibility to add the IP addresses associated with the testers to any filtering
devices, thereby permitting unfiltered network access to the target systems; and
d. not to modify the configurations of any in-scope systems and infrastructure devices during the
period of testing.
e. that new technology, configuration changes, software upgrades and routine maintenance, among
other items, can create new and unknown security exposures. Moreover, computer “hackers” and
other third parties continue to employ increasingly sophisticated techniques and tools, resulting in
ever-growing challenges to individual computer system security. IBM’s performance of the Services
does not constitute any representation or warranty by IBM about the security of your computer
systems including, but not limited to, any representation that your computer systems are safe from
intrusions, viruses, or any other security exposures. IBM does not make any warranty, express or
implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness
of any information provided as part of the Services.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
Schedule
IBM Security Services – XForce IRIS
This Schedule for IBM Security Services – Security Testing (“Schedule”) is between the Customer (also called
“Services Recipient”, “you”, and “your”) and the IBM legal entity referenced below (“IBM”).
Customer (Services Recipient) Name and Address:
City of Denton
324-B E. McKinney Street
Denton, TX 76201
Customer Number: 5403173
IBM Contact
● Name and Address:
Bernard Barnes
7100 Highlands Pkwy SE
Smyrna, GA 30082
● Telephone: 770-863-1733
● E-mail: barnesbe@us.ibm.com
Your Point of Contact
Zack Moericke
Telephone: 940 453-2688
E-mail: zack.moericke@cityofdenton.com
IBM Customer Agreement or equivalent (“Agreement”):
● Name: IBM Customer Agreement
● Location:
http://www.ibm.com/support/operations/us/en/ica
● Document Number: TBD
Location address(es) where Services will be provided:
Agreement for Exchange of Confidential Information
(“AECI”):
● Name: AECI
● Location:
http://www.ibm.com/support/operations/us/en/aeci
● Document Number: TBD
Apptus quote number-
Q-00050640
Statement of Work (“SOW”):
Name:
Xforce IRIS Tier 2 renewal 3 year proposal
● Document Number: INTC-81374111-02
Schedule Effective Date:
The date on this Schedule when signed by the last party
Offer Expiration Date:
6-30-19
Estimated Schedule:
Estimated Start Date: 9-2-19
Estimated End Date: 9-1-22
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
Summary of Services
Activity Description Quantity
Xforce IRIS retainer
Tier 2
● 80 Purchased Retainer Hours per year
● Incident Program Assessment
● 5 IR Playbooks included in Retainer:
● 1 Tabletop Exercises
2 IBM X-Force Hosted Threat Analysis Service seats
1
8. Facilities and Hours of Coverage
a. The Services will be performed at the location(s) specified above and at IBM location(s). You
understand and acknowledge that IBM is permitted to use global resources (non-permanent
residents used locally and personnel in locations worldwide) for delivery of the Services.
b. IBM will provide the Services during normal business hours, 24 hours a day, except national
holidays, unless otherwise specified. In some cases, you may be required to provide access to
locations outside normal business hours, as mutually agreed between you and IBM. You may incur
a charge for Services provided outside of normal business hours.
9. Charges
Unless otherwise stated herein, Charges are based upon a contiguous work schedule. Delays in the
work schedule are subject to the Project Change Control Procedure and may result in an increase in
charges.
The charges for the Services identified in this Schedule and the SOW, exclusive of applicable taxes,
travel expenses and shipping charges are as specified in the Summary of Charges table below.
If travel is required, you are responsible for all actual and reasonable travel and living expenses, which
would include reasonable and necessary charges associated with such travel and living expenses (e.g.,
luggage charges), incurred by IBM’s personnel during the performance of the Services. Travel and living
expenses are in addition to the above charges and are currently estimated at 20-25% of the total Services
charge. Actual travel and living expenses will be invoiced monthly after they are incurred.
Shipping charges that are incurred by IBM during the performance of this SOW will be invoiced to you as
incurred.
Invoices are due upon receipt and payable within 30 days.
You agree to pay by electronic funds transfer (to an account specified by IBM) or other means acceptable
and agreed to by the parties.
9.1 Summary of Charges
Description Charges
Xforce IRIS Tier 2
IRIS-RETAINER-T2 (36 months)
$135,000
TOTAL SERVICES CHARGES $135,000
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
Payment Schedule
Payment Event Charges
Annual Billing Charge $45,000
TOTAL CHARGES $135,000
10. Project Procedures
10.1 Project Change Control Procedure
The following process will be followed if a change to the SOW or this Schedule is required.
a. A Project Change Request (“PCR”) will be the vehicle for communicating change. The PCR must
describe the change, the rationale for the change and the effect the change will have on the
Services.
b. The requesting party will document the proposed change and submit the request to the other party.
c. Both parties will review the proposed change and recommend it for further investigation or reject it.
IBM will specify any charges for such investigation. A PCR must be signed by authorized
representatives from both parties to authorize investigation of the recommended changes. IBM will
invoice you for any such charges. The investigation will determine the effect that the
implementation of the PCR will have on price, schedule and other terms and conditions of the SOW
or this Schedule.
d. A written Change Authorization and/or PCR must be signed by authorized representatives from both
parties to authorize implementation of the investigated changes. Until a change is agreed in writing,
both parties will continue to act in accordance with the latest agreed upon version of the SOW and
this Schedule.
10.2 Deliverable Materials Acceptance Procedure
Each deliverable Material specified in the “Deliverable Materials” section of the SOW will be reviewed and
accepted in accordance with the following procedure:
a. One copy of the deliverable Material will be submitted to your Point of Contact. It is the
responsibility of your Point of Contact to make and distribute additional copies to any other
reviewers.
b. Within five business days of receipt, your Point of Contact will either accept the deliverable Material
or provide IBM with a written list of requested revisions. If IBM receives no response from your
Point of Contact within five business days, then the deliverable Material will be deemed accepted.
c. IBM will consider your Point of Contact’s timely request for revisions, if any, within the context of
IBM’s obligations as stated in the “Deliverable Materials” section of the SOW.
d. The revisions recommended by your Point of Contact and agreed to by IBM will be made and the
deliverable Material will be resubmitted to your Point of Contact, at which time the deliverable
Material will be deemed accepted.
e. The revisions recommended by your Point of Contact, not agreed to by IBM, will be managed in
accordance with the Project Change Control Procedure.
f. Any conflict arising from this Deliverable Materials Acceptance Procedure will be addressed as
specified in the Escalation Procedure below.
10.3 Escalation Procedure
The following procedure will be followed if resolution is required to a conflict arising during the
performance of the Services.
When a conflict arises between your Point of Contact and IBM, the project team member(s) will first strive
to work out the problem internally.
a. Level 1: If the project team cannot resolve the conflict within two business days, your Point of
Contact and IBM will meet to resolve the issue.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
b. Level 2: If the conflict is not resolved within three business days after being escalated to Level 1,
your executive sponsor will meet with IBM to resolve the issue.
c. If the conflict is resolved by either Level 1 or Level 2 intervention, the resolution will be addressed in
accordance with the Project Change Control Procedure.
d. If the conflict remains unresolved after Level 2 intervention, then either party may terminate the
applicable Service. If the conflict is addressed by termination, you agree to pay IBM for a) all
Services IBM provides and any products and Materials IBM delivers through termination, b) all
expenses IBM incurs through termination, and c) any charges IBM incurs in terminating the
Services.
e. During any conflict resolution, IBM agrees to provide Services relating to items not in dispute, to the
extent practicable pending resolution of the conflict. You agree to pay invoices per this Schedule
and the SOW.
IBM agrees to provide the Services specified in this Schedule provided you accept this Schedule, without
modification, by signing in the space provided below on or before the Offer Expiration Date specified above.
By signing this Schedule by hand or where recognized by law, electronically, you confirm that you have read and
accept, without modification, the terms of this Schedule, the IBM Customer Agreement or any equivalent
agreement in effect between us identified in this Schedule (“Agreement”), the AECI, and the SOW identified
herein. All such documents are incorporated by reference into this Schedule. If there is a conflict among the
terms in the various documents, 1) the terms of the SOW prevail over those of the Agreement; and 2) the terms of
this Schedule prevail over those of the SOW and the Agreement.
This Schedule, the Agreement, the AECI, and the SOW are the complete agreement between the parties
regarding the Services, and replace any prior oral or written communications between us. Accordingly, in
entering into this Schedule, neither party is relying upon any representation that is not specified in this Schedule
including without limitation, any representations concerning 1) estimated completion dates, hours, or charges to
provide the Services; 2) the experiences of other customers; or 3) results or savings you may achieve.
You are responsible for printing and retaining a copy of all associated documents for your records of this
transaction.
Agreed to:
City of Denton
By______________________________________
Authorized signature
Agreed to:
IBM
By______________________________________
Authorized signature
Title: Title:
Name (type or print): Name (type or print):
Date: Date:
After signing, please return a copy of this Schedule to the “IBM Company address” specified above.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
6/7/2019
6/7/2019
6/10/2019
Bernard Barnes
Information Security SpecialistCity Manager
Todd Hileman
6/26/2019
6/26/2019
INTC-813574111-02 01-2019
Appendix A
Supported locations (US)
Supported Location for Incident Response (US
State or Country)
Comments
Massachusetts Services performed on systems located in Massachusetts
will be performed by IBM personnel. Per the Certification
Unit, Massachusetts State Police, applicable state law
may be interpreted to require computer forensics
identifying a specific party to be performed by a licensed
party. Additional rates for IBM managed Subcontractor
may apply.
Maryland Services performed on systems located in Maryland will
be performed by IBM personnel. Please note that as of
date of this SOW, applicable state law may be interpreted
to require computer forensics identifying a specific party
to be performed by a licensed party. Additional rates for
IBM managed Subcontractor may apply.
Texas As of the date of this SOW, the Texas Private Security
Bureau interprets applicable state law, and state law
explicitly requires, computer forensics to be performed by
a licensed investigator. Services performed on systems
located in Texas will be performed by a licensed
subcontractor. Additional rates for IBM managed
Subcontractor may apply.
Michigan As of the date of this SOW, applicable state law explicitly
requires computer forensics to be performed by a
licensed investigator, where such forensics are to be
used as evidence before a court, board, officer, or
investigating committee. Services performed on systems
located in Michigan will be performed by licensed IBM
personnel, as required.
South Carolina As of the date of this SOW, the Office of the Attorney
General and the South Carolina Law Enforcement
Division interpret applicable state law to require computer
forensics to be performed by a licensed investigator.
Services performed on systems located in South Carolina
will be performed by licensed subcontractor. Additional
rates for IBM managed Subcontractor may apply.
Nevada As of the date of this SOW, applicable state law explicitly
requires computer forensics to be performed by a
licensed investigator. Services performed on systems
located in Nevada will be performed by a licensed
subcontractor. Additional rates for IBM managed
Subcontractor may apply.
Kentucky As of the date of this SOW, the Kentucky Board of
Licensure for Private Investigators interprets applicable
state law to require computer forensics to be performed
by a licensed investigator. Services performed on
systems located in Kentucky will be performed by a
licensed subcontractor Additional rates for IBM managed
Subcontractor may apply.
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
INTC-813574111-02 01-2019
Georgia As of the date of this SOW, the Office of the Secretary of
State and the Georgia Board of Private Detective and
Security Agencies interpret applicable state law to require
computer forensics to be performed by a licensed
investigator. Services performed on systems located in
Georgia will be performed by a licensed subcontractor.
Additional rates for IBM managed Subcontractor may
apply.
All other US States Onsite Incident Response
DocuSign Envelope ID: BA7242F0-9C1B-4C54-90CE-A1012E713CCF
Certificate Of Completion
Envelope Id: BA7242F09C1B4C5490CEA1012E713CCF Status: Completed
Subject: Please DocuSign: City Council Contract 7098 Cyber Security Services - IBM
Source Envelope:
Document Pages: 23 Signatures: 5 Envelope Originator:
Certificate Pages: 6 Initials: 1 Suzzen Stroman
AutoNav: Enabled
EnvelopeId Stamping: Enabled
Time Zone: (UTC-06:00) Central Time (US & Canada)
901B Texas Street
Denton, TX 76209
suzzen.stroman@cityofdenton.com
IP Address: 129.120.6.150
Record Tracking
Status: Original
6/7/2019 12:22:40 PM
Holder: Suzzen Stroman
suzzen.stroman@cityofdenton.com
Location: DocuSign
Signer Events Signature Timestamp
Suzzen Stroman
suzzen.stroman@cityofdenton.com
Buyer
City of Denton
Security Level: Email, Account Authentication
(None)
Completed
Using IP Address: 129.120.6.150
Sent: 6/7/2019 4:54:18 PM
Viewed: 6/7/2019 4:55:03 PM
Signed: 6/7/2019 4:55:06 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Melissa Kraft
Melissa.Kraft@cityofdenton.com
Chief Technology Officer
City of Denton
Security Level: Email, Account Authentication
(None)
Signature Adoption: Pre-selected Style
Using IP Address: 47.190.47.120
Signed using mobile
Sent: 6/7/2019 4:54:18 PM
Viewed: 6/7/2019 4:54:50 PM
Signed: 6/7/2019 4:55:02 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Lori Hewell
lori.hewell@cityofdenton.com
Purchasing Manager
City of Denton
Security Level: Email, Account Authentication
(None)
Signature Adoption: Pre-selected Style
Using IP Address: 129.120.6.150
Sent: 6/7/2019 4:54:18 PM
Resent: 6/10/2019 11:33:32 AM
Viewed: 6/10/2019 2:37:39 PM
Signed: 6/10/2019 2:37:54 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Mack Reinwand
mack.reinwand@cityofdenton.com
City of Denton
Security Level: Email, Account Authentication
(None)Signature Adoption: Pre-selected Style
Using IP Address: 129.120.6.150
Sent: 6/7/2019 4:54:18 PM
Viewed: 6/7/2019 4:55:28 PM
Signed: 6/7/2019 4:55:51 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Signer Events Signature Timestamp
Bernard Barnes
barnesbe@us.ibm.com
Information Security Specialist
Security Level: Email, Account Authentication
(None)Signature Adoption: Pre-selected Style
Using IP Address: 129.42.208.182
Sent: 6/10/2019 2:37:58 PM
Viewed: 6/10/2019 2:57:05 PM
Signed: 6/10/2019 2:57:16 PM
Electronic Record and Signature Disclosure:
Accepted: 6/10/2019 2:57:05 PM
ID: 7ac28cbc-1d3a-48c5-bf43-1f357c2539af
Tabitha Millsop
tabitha.millsop@cityofdenton.com
City of Denton
Security Level: Email, Account Authentication
(None)
Completed
Using IP Address: 129.120.6.150
Sent: 6/10/2019 2:57:18 PM
Viewed: 6/26/2019 8:42:00 AM
Signed: 6/26/2019 8:43:04 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Todd Hileman
Todd.Hileman@cityofdenton.com
City Manager
City of Denton
Security Level: Email, Account Authentication
(None)
Signature Adoption: Pre-selected Style
Using IP Address: 47.184.66.109
Sent: 6/26/2019 8:43:07 AM
Viewed: 6/26/2019 9:16:20 AM
Signed: 6/26/2019 9:16:24 AM
Electronic Record and Signature Disclosure:
Accepted: 7/25/2017 11:02:14 AM
ID: 57619fbf-2aec-4b1f-805d-6bd7d9966f21
Rosa Rios
Rosa.Rios@cityofdenton.com
Security Level: Email, Account Authentication
(None)
Signature Adoption: Pre-selected Style
Using IP Address: 129.120.6.150
Sent: 6/26/2019 9:16:27 AM
Viewed: 6/26/2019 11:26:03 AM
Signed: 6/26/2019 11:26:42 AM
Electronic Record and Signature Disclosure:
Accepted: 6/26/2019 11:26:03 AM
ID: f4593a70-0932-4cad-a145-7abee22ab9ac
In Person Signer Events Signature Timestamp
Editor Delivery Events Status Timestamp
Agent Delivery Events Status Timestamp
Intermediary Delivery Events Status Timestamp
Certified Delivery Events Status Timestamp
Carbon Copy Events Status Timestamp
Tabitha Millsop
tabitha.millsop@cityofdenton.com
City of Denton
Security Level: Email, Account Authentication
(None)
Sent: 6/10/2019 2:37:56 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Carbon Copy Events Status Timestamp
Sherri Thurman
sherri.thurman@cityofdenton.com
City of Denton
Security Level: Email, Account Authentication
(None)
Sent: 6/10/2019 2:37:57 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Jane Richardson
jane.richardson@cityofdenton.com
Assistant City Secretary
City of Denton
Security Level: Email, Account Authentication
(None)
Sent: 6/26/2019 8:43:06 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Jane Richardson
jane.richardson@cityofdenton.com
Assistant City Secretary
City of Denton
Security Level: Email, Account Authentication
(None)
Sent: 6/26/2019 11:26:44 AM
Viewed: 6/27/2019 3:34:13 PM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Witness Events Signature Timestamp
Notary Events Signature Timestamp
Envelope Summary Events Status Timestamps
Envelope Sent Hashed/Encrypted 6/26/2019 11:26:44 AM
Certified Delivered Security Checked 6/26/2019 11:26:44 AM
Signing Complete Security Checked 6/26/2019 11:26:44 AM
Completed Security Checked 6/26/2019 11:26:44 AM
Payment Events Status Timestamps
Electronic Record and Signature Disclosure
ELECTRONIC RECORD AND SIGNATURE DISCLOSURE
From time to time, City of Denton (we, us or Company) may be required by law to provide to
you certain written notices or disclosures. Described below are the terms and conditions for
providing to you such notices and disclosures electronically through your DocuSign, Inc.
(DocuSign) Express user account. Please read the information below carefully and thoroughly,
and if you can access this information electronically to your satisfaction and agree to these terms
and conditions, please confirm your agreement by clicking the 'I agree' button at the bottom of
this document.
Getting paper copies
At any time, you may request from us a paper copy of any record provided or made available
electronically to you by us. For such copies, as long as you are an authorized user of the
DocuSign system you will have the ability to download and print any documents we send to you
through your DocuSign user account for a limited period of time (usually 30 days) after such
documents are first sent to you. After such time, if you wish for us to send you paper copies of
any such documents from our office to you, you will be charged a $0.00 per-page fee. You may
request delivery of such paper copies from us by following the procedure described below.
Withdrawing your consent
If you decide to receive notices and disclosures from us electronically, you may at any time
change your mind and tell us that thereafter you want to receive required notices and disclosures
only in paper format. How you must inform us of your decision to receive future notices and
disclosure in paper format and withdraw your consent to receive notices and disclosures
electronically is described below.
Consequences of changing your mind
If you elect to receive required notices and disclosures only in paper format, it will slow the
speed at which we can complete certain steps in transactions with you and delivering services to
you because we will need first to send the required notices or disclosures to you in paper format,
and then wait until we receive back from you your acknowledgment of your receipt of such
paper notices or disclosures. To indicate to us that you are changing your mind, you must
withdraw your consent using the DocuSign 'Withdraw Consent' form on the signing page of your
DocuSign account. This will indicate to us that you have withdrawn your consent to receive
required notices and disclosures electronically from us and you will no longer be able to use your
DocuSign Express user account to receive required notices and consents electronically from us
or to sign electronically documents from us.
All notices and disclosures will be sent to you electronically
Unless you tell us otherwise in accordance with the procedures described herein, we will provide
electronically to you through your DocuSign user account all required notices, disclosures,
authorizations, acknowledgements, and other documents that are required to be provided or
made available to you during the course of our relationship with you. To reduce the chance of
you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required
notices and disclosures to you by the same method and to the same address that you have given
us. Thus, you can receive all the disclosures and notices electronically or in paper format through
the paper mail delivery system. If you do not agree with this process, please let us know as
described below. Please also see the paragraph immediately above that describes the
consequences of your electing not to receive delivery of the notices and disclosures
electronically from us.
Electronic Record and Signature Disclosure created on: 7/21/2017 3:59:03 PM
Parties agreed to: Bernard Barnes, Todd Hileman, Rosa Rios
How to contact City of Denton:
You may contact us to let us know of your changes as to how we may contact you electronically,
to request paper copies of certain information from us, and to withdraw your prior consent to
receive notices and disclosures electronically as follows:
To contact us by email send messages to: purchasing@cityofdenton.com
To advise City of Denton of your new e-mail address
To let us know of a change in your e-mail address where we should send notices and disclosures
electronically to you, you must send an email message to us at melissa.kraft@cityofdenton.com
and in the body of such request you must state: your previous e-mail address, your new e-mail
address. We do not require any other information from you to change your email address..
In addition, you must notify DocuSign, Inc to arrange for your new email address to be reflected
in your DocuSign account by following the process for changing e-mail in DocuSign.
To request paper copies from City of Denton
To request delivery from us of paper copies of the notices and disclosures previously provided
by us to you electronically, you must send us an e-mail to purchasing@cityofdenton.com and in
the body of such request you must state your e-mail address, full name, US Postal address, and
telephone number. We will bill you for any fees at that time, if any.
To withdraw your consent with City of Denton
To inform us that you no longer want to receive future notices and disclosures in electronic
format you may:
i. decline to sign a document from within your DocuSign account, and on the subsequent
page, select the check-box indicating you wish to withdraw your consent, or you may;
ii. send us an e-mail to purchasing@cityofdenton.com and in the body of such request you
must state your e-mail, full name, IS Postal Address, telephone number, and account
number. We do not need any other information from you to withdraw consent.. The
consequences of your withdrawing consent for online documents will be that transactions
may take a longer time to process..
Required hardware and software
Operating Systems: Windows2000? or WindowsXP?
Browsers (for SENDERS): Internet Explorer 6.0? or above
Browsers (for SIGNERS): Internet Explorer 6.0?, Mozilla FireFox 1.0,
NetScape 7.2 (or above)
Email: Access to a valid email account
Screen Resolution: 800 x 600 minimum
Enabled Security Settings:
•Allow per session cookies
•Users accessing the internet behind a Proxy
Server must enable HTTP 1.1 settings via
proxy connection
** These minimum requirements are subject to change. If these requirements change, we will
provide you with an email message at the email address we have on file for you at that time
providing you with the revised hardware and software requirements, at which time you will
have the right to withdraw your consent.
Acknowledging your access and consent to receive materials electronically
To confirm to us that you can access this information electronically, which will be similar to
other electronic notices and disclosures that we will provide to you, please verify that you
were able to read this electronic disclosure and that you also were able to print on paper or
electronically save this page for your future reference and access or that you were able to
e-mail this disclosure and consent to an address where you will be able to print on paper or
save it for your future reference and access. Further, if you consent to receiving notices and
disclosures exclusively in electronic format on the terms and conditions described above,
please let us know by clicking the 'I agree' button below.
By checking the 'I Agree' box, I confirm that:
• I can access and read this Electronic CONSENT TO ELECTRONIC RECEIPT OF
ELECTRONIC RECORD AND SIGNATURE DISCLOSURES document; and
• I can print on paper the disclosure or save or send the disclosure to a place where I can
print it, for future reference and access; and
• Until or unless I notify City of Denton as described above, I consent to receive from
exclusively through electronic means all notices, disclosures, authorizations,
acknowledgements, and other documents that are required to be provided or made
available to me by City of Denton during the course of my relationship with you.