Exhibit 2 - Proposal
IBM Security Services
IBM Security Transformation Services Agreement for CITY OF DENTON
DOU Rev Split 4-1-2024

Prepared for
CITY OF DENTON
ACCOUNTS PAYABLE
215 E MCKINNEY ST
Denton, TX 76201 US
02/21/24

Z126-6955-US-05 (Direct) Page 1 of 27

Table of Contents
1. Scope of Work (page 3)
1.1 Services Coordination (page 3)
1.2 Client Point of Contact Responsibilities (page 3)
1.3 Client General Responsibilities (page 3)
2. Services (page 5)
2.1 List of Services (page 5)
3. Estimated Schedule (page 5)
4. Facilities and Hours of Coverage (page 5)
5. Deliverables (page 5)
6. Completion Criteria (page 5)
7. Charges (page 5)
8. Other Terms and Conditions (page 5)
8.1 Termination (page 5)
8.2 Limitation of Services (page 6)
8.3 Open-Source Software Disclaimer (page 6)
8.4 Employment of Assigned Personnel (page 6)
Appendix A: Project Procedures (page 7)
Appendix B: Service Descriptions (page 8)
9. IBM Security X-Force Incident Response Retainer (page 9)
9.1 Service Activity – X-Force IR Retainer Project Initiation (page 9)
9.2 Other Terms and Conditions – Limitation of IBM X-Force Incident Response Retainer (page 12)
Appendix C: Deliverable Guidelines (page 22)
1. Consulting and System Integration Services (page 24)
1.1 C&SI Estimated Schedule (page 24)
1.2 C&SI Payment Terms (page 24)
1.3 C&SI Summary of Charges (page 24)
1.4 Ongoing Support Services Transition (page 24)
2. Security Service Summary of Charges (page 25)
3. Additional Terms and Conditions (page 25)
3.1 Regulatory Services (page 25)
3.2 Disclaimer (page 25)
3.3 Permission to Perform Testing (page 25)
3.4 Systems owned by a Third Party (page 26)
3.5 Security Data (page 26)
4. Travel and Living Expenses (page 26)
5. Taxes and Payment (page 27)
6. Billing for Online Orders (page 27)

Statement of Work for Services
Security Services

This Statement of Work (“SOW”) is governed by the terms and conditions of the agreement specified in the Order Document for IBM Security Services (“Order Document”). If there is a conflict between the terms in the documents, the terms of the Order Document prevail over those of the SOW, and the terms of the SOW prevail over those of the agreement specified in the Order Document ("the Agreement"). Client means and includes the company, its authorized users, or recipients of the IBM Security Services ("Services").
Capitalized terms not otherwise defined in this SOW are defined in the Agreement and have the same meaning in this SOW as ascribed to them therein.

1. Scope of Work

The IBM Security Services are comprised of a dynamic portfolio of offerings designed to provide tools, technology, and expertise to help optimize Client’s existing security programs. Services consist of the IBM X-Force Incident Response Retainer (IRIS). IRIS helps clients intelligently prepare for, detect, and respond to attacks, reducing the timeline for potential impact. Clients have 24x7x365 phone access to our elite team of IR consultants, with 24-48 hour boots-on-the-ground emergency incident support if needed.

1.1 Services Coordination

IBM Responsibilities
IBM will designate an IBM Services specialist who will be IBM’s focal point during performance of the Services and who, with the Client Point of Contact, will:
a. review the SOW and any associated documents;
b. establish and maintain communications;
c. administer the Project Change Control Procedure described in the Project Procedures appendix;
d. coordinate the technical activities of IBM’s assigned personnel; and
e. have completed Services Coordination when the remaining IBM activities specified in this Statement of Work are complete.

1.2 Client Point of Contact Responsibilities

Prior to the start of the Services, Client will designate a Client Point of Contact to whom all communications relative to the Services will be addressed, and who will have the authority to act on Client's behalf in all matters regarding this SOW, applicable Service Description(s), and Order Document. Client's Point of Contact will:
a. complete and return any questionnaires or checklists within business days of receipt, if applicable;
b. serve as the interface between IBM’s project team and all Client departments participating in the Services;
c. attend status meetings, as required;
d. obtain and provide applicable information, data, consents, decisions, and approvals as required by IBM to perform the Services, within business days of IBM’s request, unless Client and IBM agree in writing to a different response time. As applicable, review deliverables submitted by IBM in accordance with the Deliverable Acceptance Procedure described in the Project Procedures appendix;
e. help resolve and escalate Services issues within Client's organization, as needed; and
f. administer the Project Change Control Procedure with IBM.

1.3 Client General Responsibilities

IBM's performance is dependent upon Client's fulfillment of its responsibilities at no charge to IBM. Any delay in performance of Client's responsibilities may result in additional charges and/or delay of the completion of the Services and will be handled in accordance with the Project Change Control Procedure.

Client will:
a. make appropriate personnel available to assist IBM in the performance of IBM’s responsibilities;
b. provide safe access, suitable office space, supplies, high-speed connectivity to the Internet, and other facilities needed by IBM personnel while working at the location specified in the Order Document;
c. provide information and materials IBM requires to provide the Services. IBM will not be responsible for any loss, damage, delay, or deficiencies in the Services arising from inaccurate, incomplete, or otherwise deficient information or materials supplied by or on behalf of Client;
d. provide IBM with relevant information regarding Client’s current business environment. Such information is to include:
e. provide IBM with information regarding Client’s current environment. Such information is to include: (1) current and planned IT projects and priorities; (2) general IT strategies, policies, and procedures; (3) IT and security (physical and logical) policies, procedures, and standards; and (4) service level agreements;
f. if making available to IBM any facilities, software, hardware, or other resources in connection with IBM’s performance of Services, obtain at no cost to IBM any licenses or approvals related to these resources that may be necessary for IBM to perform the Services. IBM will be relieved of its obligations that are adversely affected by Client’s failure to promptly obtain such licenses or approvals. Client agrees to reimburse IBM for any reasonable costs and other amounts, including costs of litigation and settlements, that IBM may incur from Client’s failure to obtain these licenses or approvals;
g. obtain all necessary permissions for IBM to use, provide, store, and process data to which Client gives IBM access to perform the Services. Client is responsible for the security and privacy of such data. Client will not give IBM access to data subject to governmental regulation or requiring security measures beyond those specified in this SOW unless IBM has first agreed in writing to implement additional required security measures;
h. be responsible for implementing or not implementing IBM’s recommendations and for the results achieved;
i. allow IBM to cite Client’s company name and the general nature of the Services IBM performed for Client to IBM’s other clients and other prospective clients;
j. consent, and obtain any necessary consents, for IBM and its subcontractors to process the business contact information of Client, its employees, and contractors worldwide for our business relationship. IBM will comply with requests to access, update, or delete such contact information;
k. acknowledge and agree that IBM does not provide legal services or represent or warrant that the services or products IBM provides or obtains on Client's behalf will ensure Client's compliance with any particular law, including but not limited to any law relating to safety, security, or privacy;
l. obtain any necessary consents and take any other actions required by applicable laws, including but not limited to data privacy laws, prior to disclosing any of Client's employee information to IBM. Client also agrees that with respect to data that is transferred or hosted outside of the country or countries specified in the Order Document(s), Client is responsible for ensuring that all such data transmitted outside of the country or countries specified in the Order Document(s) adheres to the laws and regulations governing such data;
m. be responsible for the content of any database, the selection and implementation of controls on its access and use, backup and recovery, and the security of the stored data. This security will also include any procedures necessary to safeguard the integrity and security of software and data used in the Services from access by unauthorized personnel; be responsible for the identification of, interpretation of, and compliance with any applicable laws, regulations, and statutes that affect Client's existing systems, applications, programs, or data to which IBM will have access during the Services, including applicable data privacy, export, and import laws and regulations. It is Client's responsibility to ensure the systems, applications, programs, and data meet the requirements of those laws, regulations, and statutes; and
n. be responsible, at its expense, for establishing, maintaining, and operating Client’s connection to the Internet (the speed of which may have a significant impact on the responsiveness of the Services), including all computer hardware and software, web browsers configured in accordance with industry standards, modems, and access lines.

2. Services

2.1 List of Services

As part of this SOW, IBM will perform the services activities outlined in the following Services Description(s), which can be found in the Services Description appendix:

3. Estimated Schedule

Services will be performed based on the estimated schedule detailed in the Order Document, which will be used to establish the contract term. Both parties agree to make reasonable efforts to carry out their respective responsibilities in order to achieve the estimated schedule.

4. Facilities and Hours of Coverage

a. Services will be performed off-site or on-site at Client's physical location(s) specified in the Order Document and may be performed at IBM location(s).
b. IBM may use personnel and resources in locations worldwide and third-party suppliers to support the delivery of products and services.
c. IBM will provide Services during the normal business hours specified in the Order Document. Client may be required to provide access to its locations outside normal business hours, as mutually agreed between Client and IBM. Services provided outside of normal business hours, as mutually agreed between Client and IBM, may result in additional charges to Client.

5. Deliverables

The deliverable Materials resulting from completion of the Services are detailed within the “Deliverable Materials Table”, which can be found in the Deliverables Guidelines appendix A.

6. Completion Criteria

IBM will have fulfilled its obligations for the Services when any one of the following first occurs:
a. the contract end date has passed; or
b. IBM completes the IBM responsibilities described in this SOW and the IBM responsibilities described within the selected Services Description(s) specified in the Order Document, including provision of the deliverables, if any; or
c. IBM has provided the number of hours specified in the Order Document, or in any subsequent change authorization; or
d. this SOW expires; or
e. the Services are terminated in accordance with the provisions of this SOW, or the Agreement identified in the Order Document.

7. Charges

The charges, if applicable, for the Services are detailed in the Order Document. IBM shall not be responsible for delays or additional requirements imposed by any government agencies, labor disputes, fire, unavoidable casualties, or unforeseen conditions.

8. Other Terms and Conditions

8.1 Termination

Refer to the Order Document for any associated termination charges.

8.1.1 Termination for Cause
Either party may terminate this SOW for cause by giving the other party at least 30 days written notice.

8.1.2 Termination of an SOW for Convenience
Either party may terminate this SOW by giving the other party at least written notice.

8.2 Limitation of Services

Client acknowledges and agrees:
a. IBM is not required to perform any work outside the scope described in the SOW;
b. to the extent IBM does perform any work outside of scope, IBM may cease to perform such work at any time; and
c. any changes to the scope must be agreed to in accordance with the Project Change Control Procedure specified in this SOW.

8.3 Open-Source Software Disclaimer

Client understands and agrees that Linux and any other Open Source Software (“OSS”), including patches, fixes, and updates, which IBM installs, configures, updates, operates, or otherwise assists in procuring on Client's behalf as a result of providing services under this SOW are licensed and distributed to Client by Linux and OSS distributors and/or respective copyright and other right holders, including Red Hat, Inc. and/or Novell, Inc. (“Right Holders”) under such Right Holders’ terms and conditions. IBM is not a party to the Right Holders’ terms and conditions and installs any OSS ‘AS IS’. Client and IBM agree that any modification or creation of derivative works of OSS is outside the scope of this SOW. IBM is not a distributor of OSS and does the work described in this SOW for Client upon Client's specification. Client receives no express or implied patent or other license from IBM with respect to any OSS. IBM makes no representations and disclaims all warranties with respect to any OSS, express or implied, including the implied warranties of merchantability and fitness for a particular purpose. IBM does not indemnify against any claim that OSS infringes a third party's intellectual property rights. UNDER NO CIRCUMSTANCES SHALL IBM BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OSS.

8.4 Employment of Assigned Personnel

Client understands and agrees:
a. This SOW will not affect the employment relationship that exists between IBM’s assigned personnel and IBM during the applicable contract period. No IBM assigned personnel will be deemed for any purpose to be the agent, servant, employee, or representative of Client in the performance of his or her services hereunder.
b. IBM staffs Services on a national basis with either local or non-local resources based upon resource availability at Services enablement. At the start of Services and on an ongoing basis, the parties' points of contact will work together to mutually determine any on-site requirements for non-local resources. For on-site engagements spanning multiple weeks, the typical 40-hour work week of full-time non-local resources normally consists of the resource traveling to Client's site(s) on Monday, returning to their home city at the end of the workday on Thursday, and performing Services-related activities remotely on Friday, as applicable. During weeks with a national holiday, or during periods when a resource is not required to be on-site full time, both parties will work together to define an alternate full-time work schedule. Such alternate work schedule may include the resource performing applicable Services-related activities remotely.

Appendix A: Project Procedures

Project Change Control Procedure
A Project Change Request (“PCR”) is used to document a change and the effect the change will have on the Services.
Both parties will review the PCR and agree, in writing, to implement it, recommend it for further investigation, or reject it. IBM will specify any charges for such investigation. The requesting party will submit the PCR to the other party and Client agrees to notify its IBM Business Partner of any proposed changes. Client's IBM Business Partner will inform Client of any revised charges for proposed changes. Escalation Procedure Client and IBM will meet to resolve issues relating to the Services. a. If an issue is not resolved within three (3) business days, Client’s executive sponsor will meet with IBM’s Services Specialist to resolve the issue. b. If the conflict is resolved, the resolution will be addressed through the Project Change Control Procedure. c. While a conflict is being resolved, IBM will provide Services relating to items not in dispute, to the extent practicable pending resolution of the conflict; Client agrees to pay invoices per this SOW. Z126-6955-US-05 (Direct) Page 8 of 27 Appendix B: Service Descriptions Z126-6955-US-05 (Direct) Page 9 of 27 IBM Security X-Force Incident Response Retainer The services described herein are governed by the terms and conditions of the agreement specified in the Order Document for IBM Security Services (“Order Document”). If there is a conflict between the terms in the documents, the terms of the Order Document prevail over those of this document, and the terms of this document prevail over those of the agreement specified in the Order Document ("the Agreement"). Capitalized terms not otherwise defined in this document are defined in the Agreement, or any other referenced document, and have the same meaning in this document as ascribed to them therein. 9. IBM Security X-Force Incident Response Retainer IBM X-Force Incident Response (IR) Retainer (called “Services”) are designed to provide resources to assist Client with computer security incidents or assist with emergency response preparation. 
IBM will provide resources to assist Client in preparing for, managing, and responding to computer security incidents, including steps for analysis, intelligence gathering, containment, eradication, recovery, and prevention. IBM will use existing, commercially available tools, as well as IBM proprietary tools, to perform Services. IBM X-Force IR Retainer is sold in tiers, where each tier involves different levels of services commitments. Each tier includes a certain number of support hours (called “Purchased Retainer Hours) available to the Client for emergency incident support or consulting hours included annually for the contract term and depending on tier level selected by Client will also include additional services activities described herein. Services selected by the Client will be specified in the Order Document. Also, certain tiers contain additional services and service commitments, in the form of Proactive Units. Clients can choose IBM to perform any of the following X-Force IR Retainer Proactive Services from the menu table below, however, each service will utilize a specific number of Proactive Units as reflected in the table below. In order to use X-Force IR Retainer Proactive Services, Clients must have contracted for the applicable number of Proactive Units where the available number of Proactive Units will be specified in the Order Document. Additional terms supporting X-Force IR Retainer Proactive Services will be presented as separate Services Descriptions. Note: Purchased Retainer Hours and Proactive Units that are not used during the contract annually will expire. 
X-Force IR Retainer Proactive Services Menu Proactive Units Document # Incident Response Program Assessment 1 I126-8513 Cyber Threat Intelligence Program Assessment 1 I126-8514 Strategic Threat Assessment 1 I126-8025 Incident Response Playbook Customization 1 I126-8516 Tabletop Exercise 1 I126-8517 Cybersecurity Incident Response Plan – High Level Review 1 I126-8518 Dark Web Search Services 1 I126-8519 Security Incident First Responder Training 1 I126-8520 Cybersecurity Incident Response Plan – Full Development 4 I126-8521 Active Threat Assessment (up to 5000 endpoints) 4 I126-7516 Responsibilities matrix legend The following responsibilities matrix describes the Services Activities to be provided and the responsibilities of IBM and Client. The below responsibilities are necessary for successful delivery of the Services and are assigned to the contracting parties, as follows: O = Owner (Solely Responsible For) P = Primary (Is Responsible, with assistance from Secondary) S = Secondary (Participates or Assists, but is not responsible for) 9.1 Service Activity – X-Force IR Retainer Project Initiation Z126-6955-US-05 (Direct) Page 10 of 27 The purpose of this services activity is to review the processes for making a declaration for a cybersecurity incident that presents a real or a possible threat to Client’s computer system and network environment (“Cybersecurity Incident Declaration”), review the menu of proactive services and to validate the Service schedule. Responsibilities IBM Client a. Facilitate a remote project initiation workshop, for up to two (2) hours, on a mutually agreed date and time; P S b. Introduce the X-Force IR personnel that will provide Services; O c. Confirm Client contacts authorized to utilize retainer hours (authorized incident declarers); S P d. Define the process for making a Cybersecurity Incident Declaration and for exchanging security incident data in a secure manner; O e. 
Review processes for responding to a Cybersecurity Incident Declaration and for exchanging security incident data in a secure manner; O f. Review the menu of proactive services and process for scheduling services; O g. Ensure and mandate appropriate Client personnel participation during Services and as required by IBM with responsibility ownership for the following areas: (1) various management levels with representative skills; and (2) identity and access ownership; S P h. Document the Service schedule in a document entitled “Service Calendar”. O Completion Criteria: This service activity has been completed when IBM has conducted the project initiation workshop and delivered the Service Calendar to Client's Point of Contact. 9.1.2 Service Activity – Cybersecurity Incident Support The purpose of this services activity is to provide cybersecurity response for each Cybersecurity Incident Declaration, based on the level of support (Tier1, Tier 2 or Tier 3) contracted by Client, with the corresponding response time and as specified in the Order Document. The following responsibilities are provided upon Client’s request and for the charges specified in the Order Document. Responsibilities IBM Client a. Provide cybersecurity incident response 24 hours/day, 7 days/week for Cybersecurity Incident Declarations per the term of the Client’s contract; O b. Agree and acknowledge, that if additional physical location coverage is required outside of the country where the contract originates, a separate contract may be required; O c. Provide the IBM Services specialist with the names and telephone numbers (including after-hours contact information) of client’s lead investigator, technical and management contact personnel (including backup personnel) who have authority to make Cybersecurity Incident Declarations and act upon suggestions and recommendations made by IBM; O d. 
Respond after receiving Client’s call or e-mail for a Cybersecurity Incident Declaration, by: (1) schedule and host a triage conference call with Client’s designated personnel to discuss the symptoms; O Z126-6955-US-05 (Direct) Page 11 of 27 (2) if determined during the triage conference call, Client requires IBM to engage in on-site support of the incident, provide an estimate of the Purchased Retainer Hours and travel costs, if applicable, needed for response; O (3) help and advice for handling the Cybersecurity Incident Declaration, including: O (a) analysis of computer security incident data to determine the source of the incident, its cause, and effects; and O (b) analysis of volatile and non-volatile electronic evidence including, but not limited to computer disk images, memory images, log data, malware, or other system artifacts; O (4) provide advice and short-term recommendations to contain an incident and eradicate the threat actor from the impacted environment(s), including: O (a) short-term containment and eradication measures tailored to the incident and Client’s environment based on findings gathered from analysis; O (b) guidance regarding benefits and operational risks associated with the recommended measures; and O (c) guidance on incident remediation planning and execution; O (5) provide advice and long-term recommendations for establishing broader security controls aimed at increasing cyber resiliency, incident response program efficiency, and preventing or mitigating the risk of similar attacks in the future; and O (6) prepare and provide an incident analysis report (“Incident Analysis Report”) to Client’s Point of Contact describing the cybersecurity incident, causes and effects, actions taken by IBM, and recommended future actions to mitigate risk; O e. Make appropriate personnel available during IBM’s response to a Cybersecurity Incident Declaration to answer questions, obtain requested data, perform suggested actions, and similar items; O f. 
Be responsible for executing and enforcing containment and remediation controls recommended by IBM; O g. Provide copies of all configuration information, log files, intrusion detection events, and other data related to a Cybersecurity Incident Declaration and its analysis; O h. Manage the collection and dissemination of information regarding a Cybersecurity Incident Declaration with Client’s technical and managerial personnel, legal and public relations departments, others within Client’s organization, and other companies, as applicable; O i. Be responsible for, and facilitate all communications between IBM and any third-party vendors, including internet service providers and content-hosting firms used by Client to implement Client’s internet presence; O j. Provide supervised access to Client’s computer systems and computer networks during the agreed upon times and days; and O k. Provide an executive sponsor for Services to communicate management commitment to the project. O Completion Criteria: This service activity has is considered complete when IBM has delivered applicable Incident Analysis Reports to the Client Point of Contact. Z126-6955-US-05 (Direct) Page 12 of 27 9.1.3 Service Activity – Quarterly Incident Response (IR) Related Support and Status Update The purpose of this services activity is to provide Client with ongoing IR related support, up-to-date threat trends, and status updates. Responsibilities IBM Client a. Provide a quarterly email to Client’s Point of contact to review quarterly status, relevant events, service hours used and remaining, update service schedule, provide update on threat trends, and provide recommendations, if applicable; and O b. Designate a Point of Contact, to whom all communications relative to the Quarterly Incident Related Support and Status Update will be addressed and who will have the authority to act on Client’s behalf in all matters regarding this activity. 
Completion Criteria: This service activity is considered complete when IBM has delivered the quarterly email to Client's Point of Contact.

9.1.4 Service Activity – Additional Retainer Hourly Support

The purpose of this service activity is to provide Client the ability to request additional hourly support as needed.

Responsibilities (the responsible party, IBM or Client, is shown in parentheses):
a. (Client) Submit a written request to IBM for Additional Retainer Hourly Support during a cybersecurity incident and/or as required for a proactive service;
b. (IBM) In response to Client's written request, provide a recommendation as to how many additional retainer hours may be required to fulfill Client's written request;
c. (IBM) Provide additional cybersecurity incident and/or proactive services support beyond Client's contracted annual subscription hours limitation at the usage charge specified in the Order Document; and
d. (Client) Be responsible for all charges associated with any additional cybersecurity incident and/or proactive services hourly support beyond the number of Purchased Retainer Hours specified in the Order Document.

9.2 Other Terms and Conditions – Limitation of IBM X-Force Incident Response Retainer

Client acknowledges and agrees that the following are not included as part of Services described herein:
a. services involving incidents of violence, injury to persons, or damage to or theft of tangible personal property;
b. services to identify a perpetrator; however, determining the source of network traffic or specific digital activity may be included in the Services;
c. investigatory interrogation;
d. communication on Client's behalf with any entity, such as law enforcement, the news media, or its customers;
e. any services requiring professional licensing of the service provider;
f. evidentiary chain of custody control or management, but IBM may adhere to Client's chain of custody procedures in performing its obligations hereunder, provided these are reviewed and agreed to by IBM prior to starting work;
g. legal counsel of any kind;
h. opinions as to the credibility of any person; or
i. any other related services which IBM, at its reasonable discretion, may at any time decline.

Consulting & System Integration – X-Force Incident Response and Intelligence Services – Vision Retainer

This Service Description describes the Service IBM provides to Client.

10 Service

IBM X-Force Incident Response and Intelligence Services (IRIS) Vision Retainer (called "Services") are designed to provide resources to assist Client with computer security incidents or assist with emergency response preparation. IBM will provide resources to assist Client in preparing for, managing, and responding to computer security incidents, including steps for analysis, intelligence gathering, containment, eradication, recovery, and prevention. IBM will use existing, commercially available tools, as well as IBM proprietary tools, to perform Services.

IBM X-Force IRIS Vision Retainer is sold in tiers, where each tier involves different levels of service commitments. Each tier includes a certain number of support hours (called "Purchased Retainer Hours") available to the Client for emergency incident support or consulting hours included annually for the contract term and, depending on the tier level selected by Client, will also include additional service activities described herein. Services selected by the Client will be specified in the Order Document.

Note: Purchased Retainer Hours that are not used during the Estimated Start and End dates specified in the Order Document will expire.
10.1 Service Activities – X-Force IRIS Project Initiation

The purpose of this activity is to review the processes for making a declaration for a computer security incident that presents a real or a possible threat to Client's computer system and network environment ("Emergency Incident Declaration"), and to validate the schedule.

IBM Responsibilities
IBM will:
a. facilitate an on-site or remote project initiation workshop, for up to one day (eight business hours), on a mutually agreed date and time;
b. introduce the X-Force IRIS management personnel that will be providing Services;
c. confirm Client's locations to be included for Services;
d. define the process for making an Emergency Incident Declaration, including establishing the designated telephone number(s) and e-mail address(es);
e. review processes for responding to an Emergency Incident Declaration and for exchanging security incident data in a secure manner;
f. document the Service schedule in a document entitled "Service Calendar"; and
g. have completed X-Force IRIS Project Initiation when IBM has conducted the project kickoff workshop and delivered the Service Calendar to Client's Point of Contact.

Client Responsibilities
Client will:
a. assign internal resources with the appropriate level of skill and responsibility to act on Client's behalf and to represent Client's business interest as it pertains to security group, information technology, audit, risk, and operations management at Client's facility during Services; and
b. ensure and mandate appropriate Client personnel participation during Services and as required by IBM, with responsibility ownership for the following areas: (1) various management levels with representative skills; and (2) identity and access ownership.

10.2 Service Activities – Incident Program Assessment

Incident Program Assessment services are provided, if selected by the Client and specified in the Order Document.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. conduct a review of existing Incident Response program documentation;
b. identify five critical stakeholders to conduct a one-hour telephonic interview to provide greater depth on the existing IR program documentation;
c. collate the interview and written documentation and map into a written deliverable (called the "Incident Program Assessment final presentation") containing a one-year roadmap mapped to maturing the program by identifying milestones to serve as future goals; and
d. have completed Incident Program Assessment when IBM has delivered the Incident Program Assessment final presentation to Client's Point of Contact.

Client Responsibilities
Client will:
a. provide IBM the documentation requested for review within five (5) business days from the initial request;
b. work with IBM to identify stakeholders needed for interview requests;
c. ensure stakeholders respond in a timely manner to schedule interviews at the earliest possible request; and
d. ensure executive stakeholders are available to participate in the final briefing for the IR Program Assessment deliverable.

10.3 Service Activities – Incident Response (IR) Playbook Customization

IR Playbook Customization services are provided, if selected by the Client and specified in the Order Document.

IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with the number of IR Playbook Customizations identified in the Order Document for the contract term;
b. conduct a review of existing documented Incident Response playbooks;
c. upon review, work closely with Client to determine whether the existing playbooks represent the five highest priority incidents to potentially occur within the environment;
d. edit the existing playbooks and/or create new playbooks targeted towards the top five highest priority incidents to potentially occur within the environment; and
e. have completed IR Playbook Customization when IBM has delivered the number of IR Playbooks as specified in the Order Document to Client's Point of Contact.

Client Responsibilities
Client will:
a. provide IBM the documentation requested within five business days of the initial request; and
b. for subsequent requests, provide IBM the documentation requested within a twenty-four (24) hour timeframe.

10.4 Service Activities – Incident Response Tabletop Exercise

Incident Response Tabletop Exercise services are provided, if selected by the Client and specified in the Order Document.

IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with the number of Incident Response Tabletop Exercises identified in the Order Document for the contract term;
b. conduct a targeted attack simulation for up to six (6) hours to provide first responder and executive training, for up to twenty (20) attendees;
c. work remotely and/or onsite with Client's key members to develop a computer security incident simulation exercise that will test Client's computer security incident response plan and procedures, with focus on the areas that may need to be updated or improved;
d. conduct and supervise the incident simulation exercise on-site for up to six (6) hours at Client's location, paying particular attention to: (1) how properly Client's team triages the incident; (2) how well the members of Client's computer security incident response team work with each other; (3) how well Client's computer security incident response team performs in the five phases of incident response (analysis, containment, eradication, recovery, and prevention); (4) how well Client's team interfaces with external entities (Internet service providers, administrators of other sites, other response teams, law enforcement entities, etc.); and (5) how well Client's team communicates with customers, external users, employees, and the public media;
e. document findings and recommendations in a written deliverable (called "Incident Response Tabletop Exercise Report");
f. discuss findings, for up to two (2) hours, via conference call with Client's computer security incident response team; and
g. have completed Incident Response Tabletop Exercise when IBM has conducted the conference call and delivered the Incident Response Tabletop Exercise Report to Client's Point of Contact.

Client Responsibilities
Client will:
a. provide IBM the documentation requested for review within five (5) business days from the initial request;
b. work with IBM to identify stakeholders needed for interview requests and workshop attendance;
c. ensure stakeholders respond in a timely manner to schedule interviews at the earliest possible request; and
d. ensure executive stakeholders and the security incident response team are available to participate in the final briefing.

10.5 Service Activities - Emergency Incident Support

The purpose of this activity is to provide emergency response for each Emergency Incident Declaration.

IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide emergency response 24 hours/day, 7 days/week for Emergency Incident Declarations per the term of Client's contract. Such response will utilize included subscription hours for on-site and/or remote support for the designated physical locations as specified in the Order Document. If additional physical location coverage is required in response to an incident, additional charges may apply;
b. host a conference call with Client's designated personnel to discuss the symptoms Client is observing, actions taken and similar items within approximately 4 hours after receiving Client's call or e-mail for an Emergency Incident Declaration;
c. provide an estimate of hours and costs with 'best efforts' availability for response, if it is determined from the call that Client requires IBM to engage in support of the incident;
d. provide help and advice, if possible, for handling the Emergency Incident Declaration, including: (1) analysis of computer security incident data to determine the source of the incident, its cause, and its effects; (2) preventing the effects of the computer security incident from spreading to other computer systems and networks; (3) stopping the computer security incident at its source and/or protecting Client's computer systems and networks from the effects of the computer security incident; (4) recommendations for restoration of the affected computer systems and networks to normal operation; and (5) suggesting protection methods for Client's computer systems and networks from future occurrences of the computer security incident;
e. prepare and provide an incident analysis report ("Incident Analysis Report") to Client's Point of Contact describing the computer security incident, causes and effects, actions taken by IBM, and recommended future actions to mitigate risk; and
f. have completed Emergency Incident Support when IBM has delivered any Incident Analysis Reports, as applicable, and provided the Purchased Subscription Hours or the contract end date has been reached.

Client Responsibilities
Client will:
a. agree and acknowledge: (1) that Client may not make an Emergency Incident Declaration until after the project kickoff session has been conducted; (2) that Client's additional locations, or locations not specified in the Order Document, must be contracted for separately; (3) that one IBM consultant will be assigned for remote and/or on-site Emergency Incident Declaration response to the declared physical location. Additional IBM consultants must be contracted for separately and are subject to availability; and (4) that if IBM discovers what it considers, in its sole discretion, to be inappropriate content during the performance of Services, IBM has the authority to report such information to law enforcement. Examples of what IBM would consider inappropriate content include, but are not limited to, content or activity that involves obscene, pornographic, or violent material;
b. provide the IBM Services specialist with the names and telephone numbers (including after-hours telephone or pager numbers) of Client's lead investigator, technical and management contact personnel (including backup personnel) who have the authority to make Emergency Incident Declarations and act upon suggestions and recommendations made by IBM;
c. make appropriate personnel available during IBM's response to an Emergency Incident Declaration to answer questions, obtain requested data, perform suggested actions, and similar items;
d. provide copies of all configuration information, log files, intrusion detection events, and other data related to an Emergency Incident Declaration and its analysis;
e. manage the collection and dissemination of information regarding an Emergency Incident Declaration with Client's technical and managerial personnel, legal and public relations departments, others within Client's organization, and other companies as applicable;
f. be responsible for and facilitate all communications between IBM and any third-party vendors, including Internet service providers and content-hosting firms used by Client to implement Client's Internet presence;
g. provide supervised access to Client's computer systems and computer networks during the agreed upon times and days;
h. provide an executive sponsor for Services to communicate management commitment to the project; and
i. be responsible for all charges associated with any additional Emergency Incident Declarations Client makes during the term of Client's contract.

10.6 Service Activities - Quarterly Incident Response (IR) Related Support and Status Update

The purpose of this activity is to provide Client with ongoing IR related support, up-to-date threat trends, and status updates.

IBM Responsibilities
IBM will:
a. provide a checkup via remote teleconference for up to two (2) hours to review quarterly status, relevant events, service hours utilized and remaining, update the service schedule, provide an update on threat trends, ensure Client's incident response readiness, and provide recommendations if appropriate;
b. document the result of each telephone support and discussion of the checkup teleconference in a quarterly status report ("Quarterly Status Report"); and
c. have completed Quarterly Incident Response Related Support and Status Update when IBM has, per the service calendar, delivered the Quarterly Status Report to Client's Point of Contact and provided the Purchased Subscription Hours or the contract end date has been reached.
Client Responsibilities
Client will designate a Point of Contact, to whom all communications relative to the Quarterly Incident Related Support and Status Update will be addressed and who will have the authority to act on Client's behalf in all matters regarding this activity.

10.7 Service Activities - IBM X-Force® Hosted Threat Analysis Service

IBM X-Force® Hosted Threat Analysis Services are provided, if selected by the Client and specified in the Order Document.

The IBM X-Force® Hosted Threat Analysis Service is a security intelligence service that is designed to deliver customized information about a variety of threats that could affect Client's network security. The managed security services portal (called "Portal") provides Client with access to an environment (and associated tools) designed to monitor and manage Client's security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface. The Portal may also be used to deliver Education Materials. All such Education Materials are licensed, not sold, and remain the exclusive property of IBM. IBM grants Client a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.

IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with the number of X-Force Hosted Threat Analysis Service seats identified in the Order Document for the contract term;
b. enable Client to access the Portal, and work with Client to activate Services during deployment and initiation;
c. provide access to the Portal 24 hours/day, 7 days/week;
d. request one name and e-mail address for each seat purchased;
e. enable Services access for each seat purchased;
f. provide access to Education Materials in accordance with the terms provided in the Portal;
g. send each licensed Services user a welcome e-mail with a user ID and temporary password to the Portal;
h. provide Client with access to the X-Force® Hosted Threat Analysis Service;
i. provide Client with a username, password, URL, and appropriate permissions to access the Portal;
j. display security information on the Portal as it becomes available;
k. if configured by Client, provide security intelligence specific to Client's defined vulnerability watch list, via the Portal;
l. if configured by Client, provide an Internet security assessment e-mail each business day;
m. publish an Internet AlertCon via the Portal;
n. provide Portal feature functionality for Client to create and maintain a vulnerability watch list;
o. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary;
p. provide access to the Threat IQ via the Portal; and
q. have completed IBM X-Force® Hosted Threat Analysis Service when IBM has provided Client with the number of X-Force Hosted Threat Analysis Service seats specified and provided the Purchased Subscription Hours or the contract end date has been reached.

Client Responsibilities
Client will:
a. utilize the Portal to perform daily operational Services activities;
b. ensure Client's employees accessing the Portal on Client's behalf comply with the terms of use provided therein, including, but not limited to, the terms associated with educational materials;
c. appropriately safeguard Client's login credentials to the Portal (including not disclosing such credentials to any unauthorized individuals);
d. promptly notify IBM if a compromise of Client's login credentials is suspected;
e. indemnify and hold IBM harmless for any losses incurred by Client or other parties resulting from Client's failure to safeguard Client's login credentials;
f. provide IBM with one name and e-mail address for each subscription purchased;
g. change Client's temporary password upon first login to the Portal;
h. agree to adhere to an individual license which entitles a single person in an organization to log in to the IBM Managed Security Services ("IBM MSS") portal (called "Portal") and customize the delivery of Services content. This person is entitled to view information in the Portal and to receive e-mail notifications configured in the Portal. The individual is not authorized to share or distribute Services information. Although an organization can transfer an individual license from one person to another if needed, an individual license cannot be shared with other individuals who do not have a proper license; and
i. use the Portal to: (1) subscribe to the daily Internet security assessment e-mail, if desired; (2) create a vulnerability watch list, if desired; and (3) access the Threat IQ.

10.8 Other Terms and Conditions – Limitation of IBM X-Force IRIS Vision Retainer

Client acknowledges and agrees that the following are not included as part of Services described herein:
a. Services involving incidents of violence, injury to persons, or damage to or theft of tangible personal property;
b. Services to identify a perpetrator; however, determining the source of network traffic or specific digital activity may be included in Services;
c. investigatory interrogation;
d. testifying in judicial or administrative proceedings;
e. communication on Client's behalf with any entity, such as law enforcement, the news media, or its customers;
f. any services requiring professional licensing of the service provider;
g. evidentiary chain of custody control or management, but IBM may adhere to Client's chain of custody procedures in performing its obligations hereunder, provided these are reviewed and agreed to by IBM prior to starting work;
h. legal counsel of any kind;
i. opinions as to the credibility of any person; or
j. any other related services which IBM, at its reasonable discretion, may at any time decline.

Supported Locations (US)

Supported Location for Incident Response (US State or Country), with comments:

Massachusetts: Services performed on systems located in Massachusetts will be performed by IBM personnel. Per the Certification Unit, Massachusetts State Police, applicable state law may be interpreted to require computer forensics identifying a specific party to be performed by a licensed party. Additional rates for IBM managed Subcontractor may apply.

Maryland: Services performed on systems located in Maryland will be performed by IBM personnel. Please note that as of the date of this SOW, applicable state law may be interpreted to require computer forensics identifying a specific party to be performed by a licensed party. Additional rates for IBM managed Subcontractor may apply.

Texas: As of the date of this SOW, the Texas Private Security Bureau interprets applicable state law, and state law explicitly requires, computer forensics to be performed by a licensed investigator. Services performed on systems located in Texas will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.

Michigan: As of the date of this SOW, applicable state law explicitly requires computer forensics to be performed by a licensed investigator, where such forensics are to be used as evidence before a court, board, officer, or investigating committee. Services performed on systems located in Michigan will be performed by licensed IBM personnel, as required.
South Carolina: As of the date of this SOW, the Office of the Attorney General and the South Carolina Law Enforcement Division interpret applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in South Carolina will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.

Nevada: As of the date of this SOW, applicable state law explicitly requires computer forensics to be performed by a licensed investigator. Services performed on systems located in Nevada will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.

Kentucky: As of the date of this SOW, the Kentucky Board of Licensure for Private Investigators interprets applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in Kentucky will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.

Georgia: As of the date of this SOW, the Office of the Secretary of State and the Georgia Board of Private Detective and Security Agencies interpret applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in Georgia will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.

All other US States: Onsite Incident Response.

Appendix C: Deliverable Guidelines

C – 1: Terms
a. Any deliverables marked with an asterisk (*) are exempt from the Deliverable Acceptance Procedure and will be considered accepted by Client upon delivery to the Client Point of Contact.
b. In the event a deliverable is inadvertently omitted from the list above, IBM will notify Client of the identity and the appropriate designation of the deliverable through the Project Change Control Procedure.

C – 2: Definitions
Project Materials - works of authorship IBM develops for Client under this document. Client will own the copyright in Project Materials. IBM retains an irrevocable, nonexclusive, worldwide, paid-up license to use, execute, reproduce, display, perform, sublicense, distribute, and prepare derivative works of Project Materials.
Existing Works - works of authorship delivered to Client, but not created under this document, and any modifications or enhancements of such works. IBM grants Client an irrevocable (subject to Client's payment obligations), nonexclusive, worldwide license to use, execute, reproduce, display, perform and prepare derivatives of Existing Works.

Order Document
Security Services

This Statement of Work ("SOW") is governed by the terms and conditions of the Texas Department of Information Resources Contract Number DIR-CPO-4942 ("Agreement"), effective through January 04, 2026 (the "Contract Expiration Date"), between the State of Texas, on behalf of itself and its Affiliates, and International Business Machines Corporation, a New York corporation, with offices at 1 New Orchard Road, Armonk, New York 10504 ("Vendor"). By signing this Order Document, Client is ordering the Services as specified in this Order Document, the applicable Service Description(s) and Agreement between the Client and IBM. Capitalized terms not otherwise defined in this document are defined in the Agreement or any other referenced document and have the same meaning in this document as ascribed to them therein.
Client Information:
Company Name: CITY OF DENTON
Company Address: ACCOUNTS PAYABLE, 215 E MCKINNEY ST, Denton, TX 76201 US

IBM Information:
Address: IBM Corporation, 6303 Barfield Road, Atlanta, GA 30328

Client's Point of Contact:
Contact Name: Leisha Meine
Telephone: 940-349-7823
E-mail: leisha.meine@cityofdenton.com

IBM Contact:
Contact Name: Rob Koehler
Telephone: (505) 417-7689
E-mail: rob.koehler@ibm.com

Client's delivery location (if different from above):
Company Name: City of Denton
Company Address: 601 E Hickory Street, Suite A, Denton, TX 76205-4303
Telephone: 940-349-7823
Contact E-mail: leisha.meine@cityofdenton.com

Invoicing Information (if different from Client):
Company Name:
Invoicing Address: ACCOUNTS PAYABLE, 215 E MCKINNEY ST, Denton, TX 76201 US
Invoice Contact Person: Leisha Meine
Invoice Contact E-mail: leisha.meine@cityofdenton.com

Client identification number: DC3Y4QBP
Contract Number: CFTK0LS
Agreement: IBM Client Relationship Agreement, Document number: Z126-6548-US-XX
Confidentiality Agreement: Agreement for Exchange of Confidential Information ("AECI"), Document number: Z125-4322-XX
The above agreement document(s) can be found at: IBM Terms. Select region and the applicable country to access documents. If any documents are not accessible, please request a copy from Client's IBM sales contact.

Offer Expiration Date: 05/31/24
Order Document Effective Date: 04/01/24 (the date on this Order Document when signed by the last party)
Revised Order Document (Yes or No): ____
Order Document Transaction number (if applicable):

Offer Expiration Date is defined as the date after which the terms and conditions offered in this Order Document are no longer valid. Services will be provided to Client in accordance with the terms and conditions of this Order Document and its incorporated documents, including the Services Descriptions.
Unless otherwise expressly stated in this Order Document or in a document incorporated by reference, Services do not include hardware or software content, or maintenance subscriptions. Client understands and acknowledges that IBM is permitted to use global resources (non-permanent residents used locally and personnel in locations worldwide) for delivery of Services.

1. Consulting and System Integration Services

Consulting and System Integration Services ("C&SI") are comprised of two parts: 1) the terms and conditions detailed in the selected Services Descriptions, and 2) the Security Services Statement of Work for Services ("SOW") document number: I126-6954. The SOW is an integral part of each Services Description. The terms of the SOW prevail over those of the Agreement; the terms of the applicable Services Description(s) prevail over those of the SOW; and the terms of this Order Document prevail over all documents. Normal business hours are defined as 8:00 a.m. to 5:00 p.m. in Client's time zone, except national holidays, unless otherwise specified.

1.1 C&SI Estimated Schedule

C&SI Services will begin on the start date of the first service activity and continue through the end date of the last service activity specified in the Consulting & System Integration - Selectable Feature Summary table, above ("the Estimated Schedule"). If the Order Document signature date is beyond the Estimated Start Date(s), the Estimated Start Date(s) will automatically be extended to the date of the last signature on this Order Document and the Estimated End Date(s) will automatically be extended by the same number of days.

1.2 C&SI Payment Terms

1.2.1 Fixed Price
The charges for the C&SI Services, exclusive of applicable taxes and travel expenses, are detailed above. Unless otherwise stated herein, Services charges are based upon a contiguous work schedule.
Delays in the work schedule are subject to the Project Change Control Procedure detailed in the SOW and may result in an increase in charges.

1.3 C&SI Summary of Charges

1.3.1 SKU Based C&SI Table
SKU #: XF-RETAINER-T2-S
Product Description: X-Force Incident Response Retainer - Tier 2
Quantity: 1.00
Selling Frequency: Monthly
Selling Term: 12.00
Total Charge: 90,000.00

Client will be invoiced monthly in advance for C&SI Charges.

1.4 Ongoing Support Services Transition

Ongoing support (called "Steady State") is initiated once transition is complete and IBM has the necessary environment details, tools, access, processes, and procedures to provide Managed Security Services ("MSS"). MSS will begin on the day following completion of the "Transition to Managed Security Services" event listed on the C&SI Payment Schedule, above ("the Contract Period Start Date").

2. Security Service Summary of Charges

Total Security Services Charges
C&SI Total Services Charges: 90,000.00
Security Services Grand Total: 90,000.00

3. Additional Terms and Conditions

3.1 Regulatory Services
IBM does not operate as a provider of services regulated by the Federal Communications Commission ("FCC") or state regulatory authorities ("State Regulators") and does not intend to provide any services which are regulated by the FCC or State Regulators. If the FCC or any State Regulator imposes regulatory requirements or obligations on any services provided by IBM hereunder, IBM may: (a) modify, replace, or substitute products at Customer's expense, and/or (b) change the way in which such services are provided to Client to avoid the application of such requirements or obligations to IBM (for example, by acting as Client's agent for acquiring such services from a third party common carrier).

3.2 Disclaimer
Client understands and agrees:
a. that Products and Services are not warranted to operate uninterrupted or error free;
b. that Products and Services are not fault tolerant and are not designed or intended for use in hazardous environments requiring fail-safe operation, including without limitation aircraft navigation, air traffic control systems, weapon systems, life support systems, nuclear facilities, or any other applications in which Product or Services failure could lead to death, personal injury, or property damage;
c. that it is solely within Client's discretion to use or not use any of the information provided pursuant to the Services hereunder. Accordingly, IBM will not be liable for any actions that Client takes or chooses not to take based on the Services performed and/or deliverables provided hereunder;
d. that it is Client's sole responsibility to provide appropriate and adequate security for the company, its assets, systems, and employees;
e. that it is Client's responsibility to add the IP addresses associated with the testers to any filtering devices, thereby permitting unfiltered network access to the target systems;
f. not to modify the configurations of any in-scope systems and infrastructure devices during the period of testing; and
g. that new technology, configuration changes, software upgrades and routine maintenance, among other items, can create new and unknown security exposures. Moreover, computer "hackers" and other third parties continue to employ increasingly sophisticated techniques and tools, resulting in ever-growing challenges to individual computer system security. IBM's performance of the Services does not constitute any representation or warranty by IBM about the security of Client's computer systems including, but not limited to, any representation that Client's computer systems are safe from intrusions, viruses, or any other security exposures. IBM does not make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information provided as part of the Services.
3.3 Permission to Perform Testing Certain laws prohibit any unauthorized attempt to penetrate or access computer systems. Client authorizes IBM to perform the Services as described herein and acknowledge that the Services constitute authorized access to Client's computer systems. IBM may disclose this grant of authority to a third party if deemed necessary to perform the Services. The Services that IBM performs entail certain risks and Client agrees to accept all risks associated with such Services; provided, however, that this does not limit IBM’s obligation to perform the Services. Client acknowledges and agrees to the following: a. excessive amounts of log messages may be generated, resulting in excessive log file disk space consumption; Z126-6955-US-05 (Direct) Page 26 of 27 b. the performance and throughput of Client's systems, as well as the performance and throughput of associated routers and firewalls, may be temporarily degraded; c. some data may be changed temporarily as a result of probing vulnerabilities; d. Client's computer systems may hang or crash, resulting in system failure or temporary system unavailability; e. any service level agreement rights or remedies will be waived during any testing activity; f. a scan may trigger alarms by intrusion detection systems; g. some aspects of the Services may involve intercepting the traffic of the monitored network for the purpose of looking for events; and h. new security threats are constantly evolving, and no service designed to provide protection from security threats will be able to make network resources invulnerable from such security threats or ensure that such service has identified all risks, exposures, and vulnerabilities. 3.4 Systems owned by a Third Party For systems (which for purposes of this provision includes but is not limited to applications and IP addresses) owned by a third party that will be the subject of testing hereunder, Client agrees: a. 
that prior to IBM initiating testing on a third-party system, Client will obtain a signed letter from the owner of each system authorizing IBM to provide the Services on that system, and indicating the owner's acceptance of the conditions set forth in the section entitled “Permission to Perform Testing” and to provide IBM with a copy of such authorization; b. to be solely responsible for communicating any risks, exposures, and vulnerabilities identified on these systems by IBM’s remote testing to the system owner, and c. to arrange for and facilitate the exchange of information between the system owner and IBM as deemed necessary by IBM. Client agrees: d. to inform IBM immediately whenever there is a change in ownership of any system that is the subject of the testing hereunder; e. not to disclose the deliverables, or the fact that IBM performed the Services, outside Client's Enterprise without IBM’s prior written consent; and f. to indemnify IBM in full for any losses or liability IBM incurs due to third party claims arising out of Client's failure to comply with the requirements of this section entitled, "Systems Owned by a Third Party" and for any third party subpoenas or claims brought against IBM or IBM’s subcontractors or agents arising out of (a) testing the security risks, exposures or vulnerabilities of the systems that are the subject of testing hereunder, (b) providing the results of such testing to Client, or (c) Client's use or disclosure of such results. 3.5 Security Data As part of Service, that includes reporting activities, IBM will prepare and maintain de-identified and/or aggregate information collected from Services (called "Security Data"). The Security Data will not identify the Client, or an individual except as provided in (d) below. Client herein additionally agrees that IBM may use and/or copy the Security Data only for the following purposes: a. 
publishing and/or distributing the Security Data (e.g., in compilations and/or analyses related to cybersecurity); b. developing or enhancing products or services; c. conducting research internally or with third parties; and d. lawful sharing of confirmed third party perpetrator information. 4. Travel and Living Expenses If travel is required, Client is responsible for all reasonable travel and living expenses, which would include actual transportation and lodging, per diem meal expenses and other reasonable and necessary charges associated with such travel and living expenses (e.g., luggage charges) incurred by IBM’s personnel during the performance of the Services. Travel and living expenses are in addition to the Z126-6955-US-05 (Direct) Page 27 of 27 above charges and are currently estimated at 20-25% of the total Services charge. Travel and living expenses will be invoiced monthly after they are incurred. 5. Taxes and Payment Client agrees to adhere to the taxes and payment terms of the Agreement. Amounts are due upon receipt of the invoice and payable within 30.00 days of the invoice date to an account specified by IBM. Late payment fees may apply. 6. Billing for Online Orders Based upon Client's selected payment method, IBM will bill such charges each month by sending Client an invoice or, where available bill Client's credit card on file. IBM will add any custom, duty, tax (including withholding tax), levy or fee imposed by any authority resulting from Client's purchase or use of this Service. Where applicable, taxes are based upon the location(s) Client identifies as receiving benefit of the Services. IBM will apply taxes based upon the business address listed for the account as the primary benefit location unless Client provides additional information to IBM. Client is responsible for keeping such information current and providing any changes to IBM.