Agreement A-19-376 with Clearwater Compliance LLC.pdf
under this Agreement, and setting out certain of the terms for CONTRACTOR'S provision of Services, including the scope of work, deliverables, fees, costs, and payment terms. Each SOW is deemed to be incorporated into this Agreement as an Exhibit A (the initial SOW being labeled as Exhibit A-1, and any subsequent SOWs shall be labeled Exhibit A-2, Exhibit A-3 and so forth), and made a part hereof. Any changes to the Services as set out in any SOW must be agreed in writing by both parties, by the execution of a Change Order to a Statement of Work ("Change Order") in the form of that set out in Exhibit 3. The Internal Services Director/Chief Information Officer (ISD Director/CIO) or his or her designee has the authority to execute further SOWs.
B. SOFTWARE SUBSCRIPTIONS
If set forth on any SOW as part of the Services purchased by COUNTY, CONTRACTOR may convey to COUNTY certain non-transferrable subscription(s) to its proprietary Software (the "Subscription(s)"). Details of the Software being provided under such Subscription(s), including the edition, (if applicable) the quantity of entities allotted under such Subscription(s), the terms relating to the payment of fees for the Subscription(s), and the initial length of period for which COUNTY shall have the right of access to the Subscription(s) shall also be set out in any SOW. All Subscriptions conveyed under this Agreement shall be conveyed solely in accordance with the terms of the Software Subscription Agreement attached to this Agreement as Exhibit 1 ("SSA"), which is incorporated by this reference. Upon expiration or termination of this Agreement for any reason, the SSA shall survive, at the option of COUNTY, so long as COUNTY elects to renew its Subscription(s) under its terms.
2. OBLIGATIONS OF THE COUNTY
A. COUNTY CONTRACT ADMINISTRATOR
COUNTY appoints its ISD Director/CIO or his or her designee, as COUNTY's Contract Administrator ("Contract Administrator"), with full authority to deal with CONTRACTOR in all matters concerning this Agreement.
B. CONTRACTOR RESPONSE COMMITMENT
COUNTY shall designate one or more Application Administrator(s), each of whom shall be an employee or contractor of COUNTY. Only a designated Application Administrator may request support. It is the responsibility of COUNTY to instruct Users to route support requests through the Application Administrator. No support shall be provided with respect to any request made by a person who is not an Application Administrator.
3. TERM
The term of this Agreement shall be for a period of three (3) years, commencing on Effective Date through and including August 5, 2022. This Agreement may be extended for two (2) additional consecutive twelve (12) month periods upon written approval of both parties no later than thirty (30) days prior to the first day of the next twelve (12) month extension period. The ISD Director/CIO or his or her designee is authorized to execute such written approval on behalf of COUNTY based on CONTRACTOR'S satisfactory performance.
4. TERMINATION
A. Non-Allocation of Funds - The terms of this Agreement, and the Services to be provided hereunder, are contingent on the approval of funds by the appropriating government agency. Should sufficient funds not be allocated, the Services provided may be modified, or this Agreement or any SOW may be terminated at any time, without penalty, by giving CONTRACTOR ninety (90) days' advance written notice. From the time of receipt of such notice to the effective date of termination, the provision of the Services under any SOW then in effect shall continue as if no notice had been given.
B. Breach of Contract - The COUNTY may suspend or terminate this Agreement in whole or in part, where in the determination of the COUNTY there is:
1) An illegal or improper use of funds;
2) A failure to comply with any term of this Agreement;
3) A substantially incorrect or incomplete report submitted to the COUNTY;
4) Improperly performed service.
In the case that COUNTY reasonably considers that CONTRACTOR has breached this Agreement, COUNTY shall give written notice to CONTRACTOR and CONTRACTOR shall have thirty (30) days from the date of notice to cure its breach. In no event shall any payment by the COUNTY constitute a waiver by the COUNTY of any breach of this Agreement or any default which may then exist on the part of the CONTRACTOR. Neither shall such payment impair or prejudice any remedy available to the COUNTY with respect to the breach or default. The COUNTY shall have the right to demand of the CONTRACTOR the repayment to the COUNTY of any funds disbursed to the CONTRACTOR under this Agreement, which in the judgment of the COUNTY were not expended in accordance with the terms of this Agreement. The CONTRACTOR shall promptly refund any such funds upon demand.
C. Without Cause - [INTENTIONALLY OMITTED]
D. Termination for Cause. Either party may terminate this Agreement and any SOW hereunder for cause: (a) upon thirty (30) days' written notice of a material breach to the other party if the breach remains uncured at the expiration of such thirty (30) day cure period; or (b) if one party sends the other party written notice that the latter's becoming a subject of a petition in bankruptcy will result in termination of this Agreement if the bankruptcy case is not dismissed within ninety (90) days.
Upon any termination for cause by COUNTY, CONTRACTOR shall refund COUNTY any prepaid fees for the remainder of the term of any SOW (as defined in the SOW), or, issue an invoice for Services performed for which COUNTY has not prepaid, as appropriate, after the date of termination. Termination for any reason shall not relieve COUNTY of the obligation to pay any fees and Taxes accrued or payable to CONTRACTOR prior to the effective date of termination.
5. COMPENSATION/INVOICING: COUNTY agrees to pay CONTRACTOR and CONTRACTOR agrees to receive compensation as outlined in the applicable SOW. CONTRACTOR shall submit monthly invoices referencing the contract number, either electronically or via mail, in triplicate to the County of Fresno, Internal Services Department, Attention: Business Office, 333 W. Pontiac Way, Clovis, CA 93612 (isdbusinessoffice@fresnocountyca.gov).
COUNTY shall maintain complete and accurate billing and contact details and instructions with CONTRACTOR and will promptly notify CONTRACTOR of any material change in such details and instructions. Fees for the Services will be invoiced in accordance with the payment terms and schedule set forth in the relevant SOW. Unless otherwise stated in the relevant SOW, all payments made under this Agreement shall be in United States dollars.
Unless otherwise stated, CONTRACTOR's fees as set out in any SOW do not include any local, state, federal or foreign taxes, levies or duties of any nature ("Taxes"). COUNTY is responsible for paying all applicable Taxes, excluding only taxes based on CONTRACTOR's business income and employees.
If CONTRACTOR has the legal obligation to pay or collect Taxes for which COUNTY is responsible under this section, CONTRACTOR will include the appropriate amounts on its invoices to be paid to CONTRACTOR by COUNTY, unless COUNTY provides CONTRACTOR with a valid tax exemption certificate authorized by the appropriate taxing authority. In no event shall compensation paid for Services performed under this Agreement exceed $250,000.00 during the initial three-year term of this Agreement. If this Agreement is extended for an additional Year 4, in no event shall compensation for the four-year term exceed $275,000.00. If this Agreement is extended for an additional Year 5, in no event shall compensation for the total possible five-year term exceed $300,000.00. It is understood that all expenses incidental to CONTRACTOR'S performance of services under this Agreement shall be borne by CONTRACTOR, excluding any pre-approved travel, lodging, and meals required to perform the Services outlined in an SOW under this Agreement. COUNTY shall pay CONTRACTOR within forty-five (45) days of receipt of an approved invoice. If any payment on COUNTY's account is more than thirty (30) days past due (except with respect to amounts then under reasonable and good faith dispute), then in addition to any of its other rights or remedies, CONTRACTOR reserves the right to suspend the Services provided to COUNTY, without incurring any liability to COUNTY, until the overdue amounts are paid in full. If COUNTY fails or refuses to pay any undisputed amounts due hereunder, and CONTRACTOR institutes suit for collection of such amounts, COUNTY shall reimburse CONTRACTOR for all reasonable expenses incurred by CONTRACTOR in connection with such collection actions.
6. THIRD-PARTY INFORMATION
In order for CONTRACTOR to render the Services hereunder, it may be necessary for COUNTY to disclose to CONTRACTOR or otherwise provide CONTRACTOR access to information concerning COUNTY’s business, operations, and intellectual property, including information concerning or obtained from customers, vendors and/or other third parties. COUNTY represents and warrants to CONTRACTOR that all such information heretofore, and in the future, disclosed to CONTRACTOR in pursuance of the Services contemplated has been, and will be, disclosed in a manner which does not violate the rights of third parties. CONTRACTOR represents, warrants and covenants to COUNTY that CONTRACTOR shall disclose and use such information only in the performance of its obligations hereunder or to obtain advice from its advisors, and shall treat such information as Confidential Information under Section 7 hereof. The foregoing obligations do not apply to information which (a) is or becomes publicly available, (b) CONTRACTOR has lawfully obtained from third parties, (c) CONTRACTOR knew prior to its disclosure by COUNTY, or (d) CONTRACTOR independently developed the information prior to its receipt from COUNTY.
7. CONFIDENTIALITY: INTELLECTUAL PROPERTY; LICENSE
A. As used in this Agreement, "Confidential Information" means all confidential and proprietary information of a party ("Disclosing Party") disclosed, directly or indirectly, to the other party ("Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential, given the nature of the information and the circumstances of disclosure, business and marketing plans, technology and technical information, product designs, employees, consultants and other agents and customers, vendors and suppliers, and business strategies and processes, including information concerning or obtained from customers, vendors and other third parties. Confidential Information shall not include any information that demonstrably:
(i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party;
(ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party;
(iii) was independently developed by the Receiving Party without breach of any obligation owed to the Disclosing Party; or
(iv) is received from a third party without breach of any obligation owed by such third party to the Disclosing Party.
Except for receiving advice from its professional advisors, the Receiving Party shall not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement other than with the Disclosing Party's prior written permission (such permission is hereby granted for sending information to the Disclosing Party or its personnel regarding solutions and services which may be of interest).
In addition, the Receiving Party shall not disclose any Confidential Information of the Disclosing Party to any third party (except for its service providers and professional advisors) without notifying Disclosing Party (which may occur after the disclosure), and the Receiving Party shall restrict access to such Confidential Information to personnel, subcontractors and service providers (including its professional advisors) who have a need for such disclosure of the Confidential Information in connection with the services provided by them to CONTRACTOR or its personnel, provided that all such persons (i) have been instructed that such Confidential Information is subject to the obligation of confidence set forth by this Agreement and (ii) are bound either by contract, employment policies, or fiduciary or professional ethical obligations to maintain such information in confidence. The Receiving Party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event shall either party exercise less than reasonable care in protecting the Confidential Information. If the Receiving Party is compelled by law or the rules of an applicable stock exchange to disclose Confidential Information of the Disclosing Party, it shall
(a) provide the Disclosing Party with prior notice of the compelled disclosure (to the extent legally permitted and to the extent feasible) and reasonable assistance, at Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure,
(b) exercise reasonable efforts to obtain reasonable assurance that confidential treatment will be accorded the Confidential Information so disclosed, and
(c) disclose only that information which is legally required, or required by any applicable stock exchange rule, to be disclosed.
If the Receiving Party becomes aware that Confidential Information has been lost or disclosed in an unauthorized manner, whether due to a breach in security or otherwise, it shall provide the Disclosing Party with notice in reasonable detail of the disclosure promptly. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of this Section 7, the Disclosing Party shall be entitled, in addition to any other remedies available to it, to seek injunctive relief to enjoin the acts, all without the requirement of posting bond or having to prove the inadequacy of monetary damages, it being specifically acknowledged by the parties that any other available remedies are inadequate.
B. Protected Health Information - While providing the Services, it is not necessary for CONTRACTOR to receive, create, maintain or transmit personally identifiable data, including without limitation, Protected Health Information ("PHI"), as defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), on behalf of COUNTY. COUNTY agrees not to: (i) permit CONTRACTOR to access, receive, create, maintain or transmit such personally identifiable data; or, (ii) to send CONTRACTOR any personally identifiable data related to the Services.
C. All of CONTRACTOR's intellectual property used or generated by CONTRACTOR during the provision of the Services and creation of the deliverables shall remain the sole property of CONTRACTOR.
With the exception of the Subscription(s) that may be issued to or software licensed to COUNTY as set out on any SOW, CONTRACTOR hereby grants to COUNTY a royalty-free (except for the payments described elsewhere herein), unlimited, perpetual, irrevocable, worldwide, non-exclusive license to use, create derivative works from, perform, display, but not to sell, transfer or sublicense, such intellectual property insofar as necessary to enable COUNTY to realize intended benefits of the Services provided by CONTRACTOR hereunder (and any deliverables provided in connection therewith); provided, however, that this license does not apply to (i) any trademark, service mark, trade name, or corporate name owned or used by CONTRACTOR or any of its affiliates identified to COUNTY or (ii) any Subscription issued to or software licensed to COUNTY by CONTRACTOR under this Agreement or any separate agreement.
D. It is understood that information in an intangible or electronic format cannot be immediately removed, erased or otherwise deleted from system back-ups but that such information will continue to be protected under the confidentiality requirements contained in this Agreement. Notwithstanding the foregoing or any other provision of this Agreement, the Receiving Party may retain a copy of the Confidential Information solely to fulfill either a legal or regulatory obligation, or its document retention policies and practices (including any litigation data destruction holds).
8. INDEPENDENT CONTRACTOR: In performance of the work, duties and obligations assumed by CONTRACTOR under this Agreement, it is mutually understood and agreed that CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, contractors, and employees ("CONTRACTOR'S Personnel") will at all times be acting and performing as an independent contractor, and shall act in an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or associate of the COUNTY. Furthermore, COUNTY shall have no right to control or supervise or direct the manner or method by which CONTRACTOR or CONTRACTOR'S Personnel shall perform its work and function. However, COUNTY shall retain the right to administer this Agreement so as to verify that CONTRACTOR or CONTRACTOR'S Personnel is performing its obligations in accordance with the terms and conditions thereof.
CONTRACTOR and CONTRACTOR'S Personnel and COUNTY shall comply with all applicable provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof.
Because of its status as an independent contractor, CONTRACTOR and CONTRACTOR'S Personnel shall have absolutely no right to employment rights and benefits available to COUNTY employees. CONTRACTOR shall be solely liable and responsible for providing to, or on behalf of, CONTRACTOR'S Personnel all legally-required employee benefits. In addition, CONTRACTOR shall be solely responsible and save COUNTY harmless from all matters relating to payment of CONTRACTOR'S Personnel, including compliance with Social Security withholding and all other regulations governing such matters. It is acknowledged that during the term of this Agreement, CONTRACTOR may be providing services to others unrelated to the COUNTY or to this Agreement.
9. NON-SOLICITATION
Each party (the "Restricted Party") hereby covenants and agrees that during the term of this Agreement and for one (1) year after the effective date of termination of this Agreement, it shall not knowingly solicit any employee of the other party to terminate that employment or to seek or accept employment with the Restricted Party. However, either party cannot prevent any person from responding to an open job posting, and this provision shall not apply to that situation, and such party is not prohibited from hiring any employee or former employee of the other party in that situation.
10. WORK ENVIRONMENT POLICY
It is the policy of CONTRACTOR and COUNTY to provide a work environment free of harassment, either physical or verbal, including, but not limited to, sexual, racial, ethnic, age-related, and other areas prohibited by law. The parties shall communicate their respective policies to their respective employees, contractors, agents and representatives.
11. MODIFICATION: Any matters of this Agreement may be modified from time to time by the written consent of all the parties without, in any way, affecting the remainder.
12. NON-ASSIGNMENT: Neither party shall assign, transfer or sub-contract this Agreement nor their rights or duties under this Agreement without the prior written consent of the other party, which consent shall not be unreasonably withheld or delayed. COUNTY acknowledges that CONTRACTOR may subcontract certain of the Professional Services that may be provided under an SOW and COUNTY hereby consents to such subcontracting by CONTRACTOR, provided that CONTRACTOR shall be responsible for such subcontractor's performance of its obligations according to the terms of this Agreement.
Notwithstanding the foregoing, CONTRACTOR may assign this Agreement together with all rights and obligations under this Agreement, without consent of the COUNTY, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the COUNTY. Any attempt by a party to assign its rights or obligations under this Agreement in breach of this Section 12 shall be void and of no effect.
13. WARRANTIES; DISCLAIMERS
Each party represents and warrants that it has the legal power to enter into this Agreement. CONTRACTOR represents and warrants during the term of this Agreement that (a) it shall perform the Services in a professional, workmanlike and timely manner with due care in a manner consistent with general industry standards reasonably applicable to the provision of the Services; (b) it shall perform the Services in conformance with the specifications in this Agreement and the applicable SOW; (c) it owns or otherwise has sufficient rights to the Services necessary or appropriate for the performance of its obligations under this Agreement and each SOW; (d) the Services (including any deliverables/work product provided in connection therewith) and COUNTY's receipt thereof in the manner contemplated under this Agreement, do not and will not infringe any intellectual property or other rights of any third party; and (e) it is not a party to any agreements, terms of use or commitments that would prevent or interfere in any manner with the full performance of its material obligations set forth in this Agreement. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, CONTRACTOR MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE.
CONTRACTOR SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
14. LEGAL DISCLAIMER
COUNTY acknowledges and agrees that the Services provided by CONTRACTOR do not constitute legal advice. The information conveyed by CONTRACTOR to COUNTY may be based in part on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. Information and recommendations provided by CONTRACTOR should not be relied upon as a substitute for competent legal advice specific to COUNTY's circumstances. COUNTY SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CONTRACTOR IN CONSULTATION WITH COUNTY'S LEGAL OR OTHER ADVISORS, AS APPROPRIATE.
15. LIMITATION OF LIABILITY
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT FOR ANY INDEMNITY PROVIDED BY EITHER PARTY IN THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE) OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNTS ACTUALLY PAID AND/OR DUE FROM COUNTY UNDER THIS AGREEMENT.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT FOR ANY INDEMNITY PROVIDED BY EITHER PARTY IN THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, LOSS OF USE, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE) OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF THE DAMAGE.
16. DISPUTE RESOLUTION
Except for claims for which equitable relief is required, any controversy or claim arising out of or relating to this Agreement including (without limitation) breach, termination or validity thereof, shall first be attempted to be resolved directly by discussion and/or informal mediation between the parties within a reasonable period after such dispute arises.
17. FORCE MAJEURE
Noncompliance with any obligation under this Agreement for reasons of force majeure (such as: acts, regulations or laws of any government; war or civil commotion or destruction of production facilities or materials; fire, earthquake or storm; labor disturbances; failure of public utilities, telecommunications, internet service providers, or common carriers; and any other causes beyond the reasonable control of the party affected) shall not constitute a breach of this Agreement; provided, that each party shall use commercially reasonable efforts to mitigate the effect or impact of such events.
18. HOLD HARMLESS: CONTRACTOR agrees to indemnify, save, hold harmless, and at COUNTY'S request, defend the COUNTY, its officers, agents, and employees from any and all costs and expenses (including attorney's fees and costs) claims, demands, suits, or proceedings ("Claims") made, alleged or brought against COUNTY from a third-party alleging that the use of the Services as contemplated under this Agreement infringes the intellectual property rights of a third party. The provisions of this Section 18 shall survive the termination of this Agreement. COUNTY shall (a) promptly give written notice of the Claim to CONTRACTOR; (b) give CONTRACTOR control of the defense and settlement of the Claim (provided that CONTRACTOR may not settle or defend any Claim unless it unconditionally releases COUNTY of all liability); and (c) provide to CONTRACTOR, at CONTRACTOR's cost, all reasonable assistance. To the best of COUNTY's knowledge, entry into this Agreement or an SOW for any of the Services will not breach its obligations to any third party. THIS SECTION 18 STATES THE ENTIRE OBLIGATION AND THE EXCLUSIVE REMEDIES WITH RESPECT TO THE PARTIES' INDEMNIFICATION OBLIGATIONS ARISING OUT OF OR RELATING TO THIS AGREEMENT. THIS SECTION 18 SHALL SURVIVE TERMINATION OR EXPIRATION OF THIS AGREEMENT, AND APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
19. INSURANCE
Without limiting the COUNTY's right to obtain indemnification from CONTRACTOR or any third parties, CONTRACTOR, at its sole expense, shall maintain in full force and effect, the following insurance policies or a program of self-insurance, including but not limited to, an insurance pooling arrangement or Joint Powers Agreement (JPA) throughout the term of the Agreement:
A. Commercial General Liability
Commercial General Liability Insurance with limits of not less than Two Million Dollars ($2,000,000.00) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000.00).
This policy shall be issued on a per occurrence basis. COUNTY may require specific coverages including completed operations, products liability, contractual liability, Explosion-Collapse-Underground, fire legal liability or any other liability insurance deemed necessary because of the nature of this contract.
B. Automobile Liability
Comprehensive Automobile Liability Insurance with limits of not less than One Million Dollars ($1,000,000.00) per accident for bodily injury and for property damages. Coverage should include any auto used in connection with this Agreement.
C. Professional Liability
If CONTRACTOR employs licensed professional staff, (e.g., Ph.D., RN., L.C.S.W., M.F.C.C.) in providing services, Professional Liability Insurance with limits of not less than One Million Dollars ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) annual aggregate.
D. Technology Professional Liability (Errors and Omissions)
Technology Professional Liability (Errors and Omissions) Insurance appropriate to CONTRACTOR's profession, with limits not less than Two Million Dollars ($2,000,000) per occurrence or claim, Two Million Dollars ($2,000,000) aggregate. Coverage shall be sufficiently broad to respond to the duties and obligations as is undertaken by CONTRACTOR in this Agreement and may include, but not be limited to infringement of copyright, trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction of electronic information, release of private information, alteration of electronic information, extortion and network security. The policy may provide coverage for breach response costs as well as regulatory fines and penalties as well as credit monitoring expenses with limits sufficient to respond to these obligations.
E. Cyber Liability
CONTRACTOR shall obtain cyber liability insurance with limits not less than Two Million Dollars ($2,000,000) per occurrence. Coverage shall include, but not be limited to, claims involving Cyber Risks. The cyber liability policy shall be endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the CONTRACTOR.
For purposes of the technology professional liability insurance and the cyber liability insurance required under this Agreement, Cyber Risks include, but are not limited to, (i) security breaches, which include disclosure of, whether intentional or unintentional, information provided by COUNTY, information provided by or obtained from any inmate, or personal-identifying information relating to any inmate, to an unauthorized third party; (ii) breach of any of CONTRACTOR's obligations under this Agreement relating to data security, protection, preservation, usage, storage, transmission, and the like; (iii) infringement of intellectual property including, but not limited to, infringement of copyright, trademark, and trade dress; (iv) invasion of privacy, including any release of private information; (v) information theft by any person or entity, whatsoever; (vi) damage to or destruction or alteration of electronic information; (vii) extortion related to CONTRACTOR's obligations under this Agreement regarding electronic information, including information provided by COUNTY, information provided by or obtained from any inmate, or personal-identifying information relating to any inmate; (viii) network security; (ix) data breach response costs, including security breach response costs; (x) regulatory fines and penalties related to CONTRACTOR's obligations under this Agreement regarding electronic information, including information
provided by COUNTY, information provided by or obtained from an inmate, or personal-identifying information relating to any inmate; and (xi) credit monitoring expenses.
F. Worker's Compensation
A policy of Worker's Compensation insurance as may be required by the California Labor Code.
Additional Requirements Relating to Insurance
CONTRACTOR shall obtain endorsements to the Commercial General Liability insurance naming the County of Fresno, its officers, agents, and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees shall be excess only and not contributing with insurance provided under CONTRACTOR's policies herein. This insurance shall not be cancelled or changed without a minimum of thirty (30) days advance written notice given to COUNTY.
CONTRACTOR hereby waives its right to recover from COUNTY, its officers, agents, and employees any amounts paid by the policy of worker's compensation insurance required by this Agreement. CONTRACTOR is solely responsible to obtain any endorsement to such policy that may be necessary to accomplish such waiver of subrogation, but CONTRACTOR's waiver of subrogation under this paragraph is effective whether or not CONTRACTOR obtains such an endorsement.
Within Thirty (30) days from the date CONTRACTOR signs and executes this Agreement, CONTRACTOR shall provide certificates of insurance and endorsement as stated above for all of the foregoing policies, as required herein, to the County of Fresno, Internal Services Department, 333 W.
Pontiac Way, Clovis, CA 93612, stating that such insurance coverage have been obtained and are in full force; that the County of Fresno, its officers, agents and employees will not be responsible for any premiums on the policies; that for such worker's compensation insurance the CONTRACTOR has waived its right to recover from the COUNTY, its officers, agents, and employees any amounts paid under the insurance policy and that waiver does not invalidate the insurance policy; that such Commercial General Liability insurance names the County of Fresno, its officers, agents and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned; that such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees, shall be excess only and not contributing with insurance provided under CONTRACTOR's policies herein; and that this insurance shall not be cancelled or changed without a minimum of thirty (30) days advance, written notice given to COUNTY.

In the event CONTRACTOR fails to keep in effect at all times insurance coverage as herein provided, the COUNTY may, in addition to other remedies it may have, suspend or terminate this Agreement upon the occurrence of such event.

All policies shall be issued by admitted insurers licensed to do business in the State of California, and such insurance shall be purchased from companies possessing a current A.M. Best, Inc. rating of A FSC VII or better.

20. AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during business hours, and as often as the COUNTY may deem necessary, make available to the COUNTY for examination all of its records and data with respect to the matters covered by this Agreement.
The CONTRACTOR shall, upon request by the COUNTY, permit the COUNTY to audit and inspect all of such records and data necessary to ensure CONTRACTOR'S compliance with the terms of this Agreement.

If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR shall be subject to the examination and audit of the California State Auditor for a period of three (3) years after final payment under contract (Government Code Section 8546.7).

21. NOTICES: The persons and their addresses having authority to give and receive notices under this Agreement include the following:

COUNTY
COUNTY OF FRESNO
Director of Internal Services/CIO
333 W. Pontiac Way
Clovis, CA 93612

CONTRACTOR
Clearwater Compliance LLC
ATTN: CEO/COO
242 W. Main St., PMB 316
Hendersonville, TN 37075
notices@clearwatercompliance.com

All notices between the COUNTY and CONTRACTOR provided for or permitted under this Agreement must be in writing and delivered either by personal service, by first-class United States mail, by an overnight commercial courier service, or by email transmission. A notice delivered by personal service is effective upon service to the recipient. A notice delivered by first-class United States mail is effective three COUNTY business days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice delivered by an overnight commercial courier service is effective one COUNTY business day after deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given for next day delivery, addressed to the recipient. A notice delivered by email is effective when transmission to the recipient is completed (but, if such transmission is completed outside of COUNTY business hours, then such delivery shall be deemed to be effective at the next beginning of a COUNTY business day).
For all claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810).

22. GOVERNING LAW: Venue for any action arising out of or related to this Agreement shall only be in Fresno County, California.

The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California.

23. DISCLOSURE OF SELF-DEALING TRANSACTIONS

This provision is only applicable if the CONTRACTOR is operating as a corporation (a for-profit or non-profit corporation) or if during the term of the agreement, the CONTRACTOR changes its status to operate as a corporation.

Members of the CONTRACTOR's Board of Directors shall disclose any self-dealing transactions that they are a party to while CONTRACTOR is providing goods or performing services under this agreement. A self-dealing transaction shall mean a transaction to which the CONTRACTOR is a party and in which one or more of its directors has a material financial interest. Members of the Board of Directors shall disclose any self-dealing transactions that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, attached hereto as Exhibit B and incorporated herein by reference, and submitting it to the COUNTY prior to commencing with the self-dealing transaction or immediately thereafter.
24. ENTIRE AGREEMENT: This Agreement constitutes the entire agreement between the CONTRACTOR and COUNTY with respect to the subject matter hereof and supersedes all previous Agreement negotiations, proposals, commitments, writings, advertisements, publications, and understanding of any nature whatsoever unless expressly included in this Agreement. In the event of any inconsistency in interpreting the documents which constitute this Agreement, the inconsistency shall be resolved by giving precedence in the following order of priority: (1) the text of this Agreement, (2) the COUNTY'S Request for Proposal No. 19-022, and (3) the CONTRACTOR'S Proposal made in response to COUNTY'S Request for Proposal No. 19-022.

EXHIBIT 1

Software Subscription Agreement

All proprietary software developed and owned by Clearwater Compliance LLC (hereafter "CONTRACTOR") and which software is subscribed to by COUNTY OF FRESNO, a Political Subdivision of the State of California ("COUNTY") under purchase terms set out in a Statement of Work ("SOW") under the Agreement between CONTRACTOR AND COUNTY shall be provided to COUNTY under the terms and conditions set out below. The terms of this Software Subscription Agreement (hereafter "SSA") shall survive the termination or the expiration of the Agreement for so long as COUNTY continues to maintain the software under the terms of this SSA.

SECTION 1. SOFTWARE.

Such software shall be collectively referred to herein as the "Software" and this SSA describes CONTRACTOR's and COUNTY's rights and responsibilities with respect to the Software.

A. Subscriptions.
CONTRACTOR grants COUNTY the limited, nontransferable (except as otherwise provided herein), non-exclusive, non-sublicensable, revocable, royalty-free (except for the payment terms described in the relevant SOW(s)) right to access and use the Software (hereafter, the "Subscription(s)"), solely for and on behalf of its own internal business operations, for the specified edition, which includes (i) the number of logical assessment and/or reporting entities ("Entity(ies)") allotted to COUNTY; and (ii) certain features and functions of the Software included in the Subscription(s); based on COUNTY'S payment of the Subscription Fees, as defined herein, and with respect to each Subscription, for the initial length of period ("Subscription Term") as also set out in the related SOW and any Renewal Terms, as defined herein. Each Subscription granted hereunder is subject to the restrictions set out in this SSA. For purposes of this SSA, the verb "use" shall mean to login, access, interact with, enter data into or otherwise benefit from the Software.

B. Users and Account Owner(s). COUNTY will select and authorize at least one (1) initial primary account owner of the Software ("Account Owner(s)") on its behalf to serve on behalf of COUNTY as; (i) the subject matter expert for the Software; (ii) the administrator of the Software, its settings and its users and their permissions; (iii) the trainer of other users on the functionality and use of Software; and (iv) the first point of contact to triage questions, potential issues, and/or to generally provide feedback and input to CONTRACTOR, in relation to the use of the Software by COUNTY. COUNTY will provide the name and email address for such initial Account Owner(s) and will request in writing or email that CONTRACTOR set up login credentials for such Account Owner(s). CONTRACTOR will provide and communicate such login credentials directly to the Account Owner(s) on such date COUNTY requires access to the Software.
COUNTY will require all Account Owner(s) to engage in introductory training session(s) made reasonably available by CONTRACTOR as described in Section 5 below, with the objective for such Account Owner(s) to develop proficiency in use of the Software and all administrative functions. Additionally, COUNTY's Account Owner(s) may set up login credentials to access the Software for an unlimited number of individual employees and/or contractors COUNTY may authorize from time to time, including additional Account Owner(s).

The Account Owner(s) and other individuals authorized by COUNTY to access the Software on its behalf will be collectively referred to as "Users". Such Users will be considered to be authorized by COUNTY (i) when an Account Owner establishes login credentials and permissions to the Software for such individuals, or (ii) if an Account Owner is temporarily unavailable, COUNTY may request CONTRACTOR to do so on its behalf by providing a written request (which may be emailed), communicating the name and email address of such individuals COUNTY authorizes and the permission parameters of such individuals. In this case, CONTRACTOR will create and maintain such User accounts based solely on COUNTY's written instructions or actions. If an Account Owner is anticipated to be unavailable, or has become unavailable, for more than thirty (30) consecutive days, and no additional Account Owner(s) has or have been designated and trained, COUNTY shall promptly designate a new Account Owner. CONTRACTOR shall provide training for up to one (1) new Account Owner per year at no cost to COUNTY. Training of Account Owner(s) in excess of the foregoing shall be subject to billing at then-current hourly rates.

COUNTY understands and acknowledges that Users authorized as an Account Owner may authorize and de-authorize Users and modify their access permissions.
COUNTY also understands and acknowledges that Users will have access to make additions, deletions, or changes to COUNTY Data entered and maintained within the Software, based on permissions granted by an Account Owner. It is the responsibility of COUNTY to establish and maintain its procedures for authorizing and de-authorizing Account Owners and Users and maintaining access permissions of all Users. It is also COUNTY's responsibility to revoke Software access authorization and/or to add or change such access permissions for its Users by (i) implementation of such changes within the Software by an Account Owner; or (ii) if an Account Owner is temporarily unavailable, COUNTY may request CONTRACTOR to do so on its behalf by providing a written request (which may be emailed), setting out the name and email address of such Users and the action COUNTY authorizes.

Use of the Software requires that COUNTY or its Users provide professional and organizational contact information. CONTRACTOR may contact Users directly via email to inquire as to such Users' use of the Software, as well as to make Users aware of Updates to the Software; best practices for use of the Software; education and news relating to HIPAA and/or information risk management; announcements of the availability of new resources; and other such information regarding the Software and its use. Upon receipt of an opt-out notice from any User that he/she is no longer interested in receiving such contact or information, CONTRACTOR shall promptly cease such contact with that User. Such User contact information will not be disclosed or otherwise shared with any third parties and will be used by CONTRACTOR solely for assisting COUNTY and Users with use of the Software and the Subscriptions.

C. Right to Copy.
Only in the case of any of the policy and procedure Software, which is provided by CONTRACTOR in a one-time download format, COUNTY may make ONE (1) additional copy of such Software solely for archival, emergency back-up, or disaster recovery purposes, provided that: (i) COUNTY shall only make one exact copy of the Software as originally delivered by CONTRACTOR; (ii) COUNTY shall ensure that the one copy contains all titles, trademarks, and copyright and restricted rights notices as in the original; and (iii) such copy shall be subject to the terms and conditions of this SSA. COUNTY understands that at no time will CONTRACTOR have access to or a copy of COUNTY's tailored version of such policy and procedure Software, once it has been downloaded and altered by COUNTY.

SECTION 2. PURPOSE AND USE OF SOFTWARE.

The term "Software" shall mean the CONTRACTOR software, policy and procedure templates and/or "Software as a Service" ("SaaS") services more fully-described in the SOW, and includes without limitation the proprietary computer software, underlying algorithms, formulae and methodology, database design, associated media, printed materials, online or other User documentation provided to COUNTY, release notes, User questions and their sequence and presentation, Data (as defined below) capture forms, and the design of the Output (as defined below) resulting from the operation of the Software on the Data. The Software is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Software is not sold. The SaaS Software and Data do not reside on COUNTY's systems.
COUNTY's access to use the Software is provided solely in the form of a Subscription for which COUNTY shall pay a fee ("Subscription Fee"), which shall be invoiced in the amount and frequency as more specifically described on the SOW under which the Subscription is purchased and conveyed to COUNTY or on any Renewal Proposal, as defined herein. Unless otherwise stated, CONTRACTOR's Subscription Fees, as set out in any SOW or Renewal Proposal, do not include any local, state, federal or foreign taxes, levies or duties of any nature ("Taxes"). COUNTY is responsible for paying all applicable Taxes, excluding only taxes based on CONTRACTOR's business income and employees. If CONTRACTOR has the legal obligation to pay or collect Taxes for which COUNTY is responsible under this Section 2, the appropriate amount shall be invoiced to and paid by COUNTY unless COUNTY provides CONTRACTOR with a valid tax exemption certificate authorized by the appropriate taxing authority.

The Software has no requirement for creation, receipt, maintenance or transmission of, nor does it provide for the creation, receipt, maintenance or transmission of any personally identifiable information ("PII") or protected health information ("PHI"). The only information comprising the Data or Output is information concerning COUNTY's HIPAA Compliance program; its information systems used to create, receive, maintain or transmit sensitive information; and/or its information risk management program. COUNTY agrees to take reasonable steps to ensure that Authorized Users do not upload or otherwise enter any PHI or PII into the Software.

In developing the Software, CONTRACTOR has made commercially reasonable efforts to interpret and apply the provisions and requirements of the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule (the "Rules"), and recommended standards and best practices as set forth by the Office for Civil Rights ("OCR") under such Rules.
When used as designed, the Software provides a consistent approach to the performance of certain activities required or suggested by the Rules by guiding the User through a series of questions. The Software follows a proprietary decision flow to pose such series of questions, capture the User's responses and, based on those responses, allows the Software to calculate certain proprietary compliance and/or risk management rating(s), highlight additional controls COUNTY might consider implementing and suggest tasks that COUNTY might consider completing in managing identified risks or closing compliance gaps. Although the Subscriptions to the Software shall support and promote COUNTY's compliance with the Rules, COUNTY's purchase of Subscription(s) to the Software, alone, does not assure COUNTY's compliance with the Rules.

SECTION 3. LEGAL DISCLAIMER.

COUNTY acknowledges and agrees that the Software provided by CONTRACTOR does not constitute legal advice. The information in the Software may be based in part on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. Information and recommendations provided by CONTRACTOR should not be relied upon as a substitute for competent legal advice specific to COUNTY's circumstances. COUNTY SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH COUNTY'S LEGAL OR OTHER ADVISORS, AS APPROPRIATE.

SECTION 4. UPDATES TO THE SOFTWARE.

"Update" means a subsequent release of the Software, if any, that CONTRACTOR makes generally available to subscribers of the specified edition of the Software at no additional charge.
Updates will be provided at no cost to COUNTY and CONTRACTOR will provide the Software via the Subscription(s) (including all Updates), for so long as COUNTY maintains its Subscription to the specified edition, and for so long as COUNTY is current on its payment obligations; or, in the case of policy and procedure Software, for so long as CONTRACTOR continues to actively provide and maintain such Software. Updates shall include all (i) bug fixes, patches, and maintenance releases, (ii) updates to maintain consistency with Federal regulations; (iii) new point releases denoted by a change to the right of the first decimal point (e.g., v6.0 to 6.1), and (iv) new major version releases denoted by a change to the left of the first decimal point (e.g., v6.0 to 7.0) that are not Upgrades. Updates shall not include any release, option, future services, or any upgrade in features, functionality or performance of the Software which CONTRACTOR provides separately or offers only for an additional fee to all similarly-situated COUNTYs subscribing to the relevant edition. All Updates to the Software shall be considered part of the Software and are subject to the terms and conditions of this SSA. "Upgrade" includes any release, option, future services, or any upgrade in features, functionality or performance of the Software which CONTRACTOR subscribes to all similarly-situated COUNTYs separately or offers only for an additional fee.

SECTION 5. TRAINING AND SUPPORT.

Concurrent with the initial issuance of the Subscription, CONTRACTOR will schedule and provide introductory training on the functionality of and administration of the Software ("Software Training") to the Account Owner(s) designated by COUNTY, at no charge to COUNTY. Additionally, at its sole option CONTRACTOR will proactively contact Account Owner(s) to suggest or offer ongoing Software Training when Updates occur or in response to COUNTY inquiries about the use of the Software.
Software Training may take the form of live, web-based training session(s), or (if available) pre-recorded video training, at COUNTY's option. Software Training will not include the provision training on general subjects not directly related to the functionality of and administration of the Software and the Subscriptions, such as, but not limited to, general HIPAA or state privacy or security regulations and compliance, risk analysis and risk management requirements or processes, National Institute of Standards and Technology ("NIST") publications and requirements, and the like. Such general training may be made available to COUNTY at then current hourly rates.

Additionally, throughout the term of COUNTY's Subscription, CONTRACTOR will provide technical support services to Account Owners via phone and email during regular business hours, Central Time, to address issues or questions encountered by Users regarding the administration of, function of and underlying processes associated with the Software. When communicating such questions or issues, Account Owners will make reasonable efforts to provide details of the context of issues, including, but not limited to, screen shots, report examples, descriptions of the sequence of events, details of error messages, etc. Support requests will receive an acknowledgement and status of processing such questions and issues within two (2) business hours of receipt. CONTRACTOR will make commercially reasonable efforts to respond to questions and issues within a reasonable period. CONTRACTOR will also make commercially reasonable efforts to correct confirmed defects in the Software of which it is made aware and that are capable of being corrected, based on the severity of the defect.
If COUNTY makes requests for Support to assist it to correct errors in its Data or Output and upon investigation, such errors are caused solely by actions of its own Users, CONTRACTOR reserves the right to provide such Support at CONTRACTOR's then-current hourly rates based on the actual time applied to provide such assistance.

The Software offers a wide variety of standard dashboards, reports (in CSV and PDF formats) and extracts (in CSV format). If COUNTY requests customized dashboards, reports or extracts, CONTRACTOR reserves the right to provide such customized dashboards, reports or extracts at CONTRACTOR'S then-current rates for the development and provision of such services.

SECTION 6. OWNERSHIP.

The Software is the sole and exclusive property of CONTRACTOR. All right, title, and interest in and to the Software, any copies thereof, including but not limited to all copyrights, trademarks, and other proprietary rights, are owned by CONTRACTOR. Without limiting the generality of the foregoing, all data entered or information provided by a User (herein "User Data" or "COUNTY Data" and collectively "Data") and the resultant data calculated or generated by the Software in the form of dashboards, charts and reports (herein "Output"), including any related COUNTY copyrights, trademarks, and other proprietary rights, remain the sole and exclusive property of COUNTY.
COUNTY grants CONTRACTOR a non-exclusive, revocable, non-transferrable, non-sublicensable license to use the Data and the Output solely for the purposes of: (i) assisting Users and COUNTY with Support and Training on the Software; (ii) assisting Users and COUNTY to evaluate COUNTY's compliance with the Rules; and (iii) only if de-identified and in aggregate and combined with other users' de-identified data for the sole purposes of: improving the validity and capability of the Software; compiling anonymous benchmarking; and/or further evaluating the information privacy and security compliance and risk management market outlook, provided that such use will not, under any conditions, reveal the identity of COUNTY or Users. Data or Output will be maintained in confidence by CONTRACTOR in accordance with the terms of this SSA. Data and Output will be available to COUNTY, without charge, at any time during the Subscription Term. CONTRACTOR will not release, use, alter, de-identify, aggregate, sell, or perform any activity with the Data or the Output outside the scope of services of this SSA. Except for any hosting or data backup service, CONTRACTOR will not distribute Data nor the Output to any third party without first obtaining COUNTY's prior written permission. The recipient of any Data or Output from CONTRACTOR shall be obligated to comply with provisions no less stringent than those of this Section 6. CONTRACTOR will use commercially reasonable administrative, physical, and technical safeguards, to back-up and secure such Data and Output and prevent unauthorized use or disclosure of Data and Output.

SECTION 7. SUSPENSION/DISCONTINUANCE OF THE SOFTWARE AND/OR USER ACCESS.
CONTRACTOR reserves the right to suspend or discontinue the Software, or any portion thereof, and/or COUNTY's or its Users' use of the Software, without penalty, under certain circumstances:

(a) without prior notice or liability to COUNTY or Users, if emergency maintenance is necessary, and CONTRACTOR will promptly notify COUNTY and Account Owners of such suspension and the estimated period of time until the operation will resume; or

(b) with not less than thirty (30) days' prior written notice to COUNTY for nonpayment of Subscription Fees or other material breach of this SSA or the SOW, provided that COUNTY has been given notice of such nonpayment or breach and such breach has not been cured within such 30-day period, and provided that CONTRACTOR will promptly restore COUNTY'S (or the applicable User's) access to and use of the Software after the event giving rise to the suspension has been resolved; or

(c) with not less than one hundred eighty (180) days prior written notice to COUNTY if the Software is being replaced or permanently discontinued for reasons beyond CONTRACTOR's reasonable control. In such case, CONTRACTOR will reimburse COUNTY in the amount of any unused portion of Subscription Fees paid. If the Software is/are being replaced, CONTRACTOR will offer COUNTY the opportunity to subscribe to the replacement Software at the then current Subscription Fee. If COUNTY subscribes to such replacement Software, CONTRACTOR will make all commercially reasonable efforts to migrate the Data to the replacement Software.

At the time of discontinuance for any reason, CONTRACTOR will make reasonable efforts to ensure all Data will be available for COUNTY to export in CSV format and that Output can be either exported in CSV format or printed, as appropriate, as of the date of discontinuation.

SECTION 8. PROHIBITIONS ON USE; OTHER RESTRICTIONS.
COUNTY and its Users will not knowingly use the Software for any purpose that is unlawful or is prohibited by this SSA. By way of example, and not as a complete list, COUNTY and its Users will not knowingly:

(a) Alter or tamper with the Software in any way.

(b) Attempt to defeat any security measures that CONTRACTOR may take to protect the confidential and proprietary nature of the Software.

(c) Remove, obscure, conceal, or alter any marking or notice of patent, copyright, trademark, trade name, or other proprietary rights that may appear on or within the Software.

(d) Sell, lease, license, rent, loan, resell, or otherwise transfer (including, but not limited to, transferring or sharing the Software electronically from one computer to another through any communication means or over a computer network), with or without consideration, to or with any third party except as otherwise permitted hereunder.

(e) Share use of the Software with third parties through the sharing of login credentials or any other means.

(f) Make any attempt to reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code, algorithms or formulae used within the Software.

(g) Modify or create derivative works based upon the Software, or any portion thereof, provided that COUNTY may tailor policy and procedure Software solely for its own use.

(h) Use the Software in any manner that could damage, disable, overburden, or impair CONTRACTOR's website or servers or networks connected to the website.

(i) Use the Software in a manner that interferes with any other party's use of the Software.

SECTION 9. LOGIN CREDENTIALS.

Each User is responsible for selecting a strong password and for maintaining the confidentiality and security of his/her User ID and password.
Each User is responsible for all activity occurring under User's login credentials, except if such login credentials were compromised due to an act or omission of CONTRACTOR or unauthorized third-party intervention. Each party will promptly notify the other upon becoming aware of unauthorized use of any User's login credentials.

SECTION 10. ACCESS RIGHTS.

If CONTRACTOR reasonably and in good faith believes that a User has violated the terms of this SSA, CONTRACTOR may investigate such alleged misuse of or access to the Software without prior notice to the User or COUNTY to determine whether a violation has occurred. Promptly thereafter, CONTRACTOR shall provide the results of its investigation to COUNTY for the parties to determine, in good faith, the appropriate action to be taken.

SECTION 11. TERM; RENEWAL.

The term of any Subscription begins on the date COUNTY is granted access to the Subscription and continues for the initial length of period set out in the SOW under which it was conveyed (the "Subscription Term"), so long as CONTRACTOR receives payments for invoices for Subscription Fees as also set out in the SOW, except as provided in Section 12 of this SSA. Invoices for Subscription Fees are issued and are payable based on the timing and terms set out in the SOW. Not less than sixty (60) days prior to the expiration of any Subscription Term or Renewal Term as described herein CONTRACTOR will provide written notice of such expiration and will issue a written proposal ("Renewal Proposal") setting out the optional lengths of term COUNTY may elect to renew the Subscription ("Renewal Term"), along with CONTRACTOR's then-current Subscription Fees for such optional Renewal Terms. If COUNTY wishes to renew the Subscription, COUNTY will select its desired length of Renewal Term on the Renewal Proposal, and will return the signed Renewal Proposal to Clearwater.
Clearwater will issue an invoice in the amount of the applicable Subscription Fees, and COUNTY will pay the invoice for any Renewal Term by the later of the begin date of the Renewal Term, or in accordance with the payment terms set out in the SOW under which the Subscription was originally conveyed. If COUNTY does not wish to renew the Subscription, the Subscription will expire at the end of the relevant Renewal Term or Subscription Term. Any Renewal Proposals agreed under this SSA as set out in this Section 11 are hereby incorporated by reference into the Agreement.

SECTION 12. TERMINATION OF SUBSCRIPTION; NONFUNDING TERMINATION.

Upon expiration of the Subscription or termination of a Subscription by COUNTY as provided herein, or termination of a Subscription or discontinuation of the Software by CONTRACTOR for any reason, COUNTY's access to the Software will be eliminated as of midnight on the date such termination is effective (the "Termination Date"). In the event the Software should materially fail to function as described in User documentation provided, COUNTY may terminate a Subscription(s) for cause upon thirty (30) days written notice of such failure if such failure remains uncured at the expiration of such thirty (30) day cure period. Upon any termination for cause by COUNTY, CONTRACTOR shall refund COUNTY any prepaid fees prorated for the remainder of the applicable billing period remaining upon the Termination Date. Termination for any reason shall not relieve COUNTY of the obligation to pay any undisputed fees accrued or payable to CONTRACTOR prior to the Termination Date. It will be the responsibility of COUNTY's Account Owner to export the Data and export or print all Output from the Software prior to the Termination Date; provided, however, that if requested, CONTRACTOR will assist COUNTY with such export prior to the Termination Date.
CONTRACTOR shall retain all Data and Output for a period of ninety (90) days following the Termination Date and upon COUNTY's request in writing, CONTRACTOR will grant temporary access to the terminated Subscription during such period so as to enable COUNTY to obtain a good export of its Data and Output. Promptly thereafter, CONTRACTOR shall delete the relevant Data and Output.

Non-Allocation of Funds - The terms of this SSA, and the Subscriptions to be provided hereunder, are contingent on the approval of funds by the appropriating government agency. Should sufficient funds not be allocated, the Subscriptions provided may be modified, or this SSA terminated, at any time during the initial Subscription Term by giving CONTRACTOR ninety (90) days advance written notice prior to the anniversary of the beginning of the Subscription Term.

SECTION 13. FEEDBACK.

In the event a User or COUNTY provides any comments, suggestions, or ideas ("Feedback") to CONTRACTOR regarding the Software or otherwise, COUNTY acknowledges and agrees that (i) at its sole option, CONTRACTOR shall have the right to retain and use such Feedback to develop or improve current or future products or services, without obligation or compensation to COUNTY or User and without COUNTY's or its Users' approval, provided that CONTRACTOR removes from the Feedback any confidential or proprietary information of COUNTY and any information that could disclose the identity of COUNTY, any User, or the creator of the Feedback; and (ii) CONTRACTOR may already have something similar to the Feedback from other COUNTYs or users or under consideration or development.

SECTION 14. DISCLAIMER OF WARRANTIES.

CONTRACTOR represents and warrants that it has the legal power to enter into this SSA.
CONTRACTOR represents and warrants that (i) it shall supply the Subscriptions in conformance with the specifications in this SSA; (ii) the Software and the Training and Support of the Software described in Section 5 of this SSA will be provided in a professional, workmanlike and timely manner with due care in a manner consistent with general industry standards reasonably applicable to the provision of such Software and support; (iii) the Subscriptions shall comply with all applicable laws; (iv) it owns and has sufficient rights to the Software necessary or appropriate for the performance of its obligations under this SSA; and (v) the Software and use thereof as contemplated by this SSA does not and will not infringe any intellectual property or other rights of any third party or violate applicable law. CLEARWATER REPRESENTS AND WARRANTS THAT THE SOFTWARE IS AND WILL REMAIN FREE FROM VIRUSES AND MALWARE. EXCEPT AS SPECIFICALLY SET FORTH IN THIS SSA, CLEARWATER, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXPRESSLY DISCLAIMS ANY AND ALL OTHER WARRANTIES FOR THE SOFTWARE WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CLEARWATER CANNOT ENSURE THAT ACCESS TO THE SOFTWARE WILL BE UNINTERRUPTED AND ERROR FREE.

SECTION 15. LIMITATION OF LIABILITY.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT FOR ANY INDEMNITY PROVIDED BY EITHER PARTY TO THE OTHER IN THIS SSA OR ANY OTHER AGREEMENT, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY PUNITIVE, SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, WHETHER BASED IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), OR OTHERWISE, ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IF COUNTY IS DISSATISFIED WITH ANY PORTION OF THE SOFTWARE, THE SOLE AND EXCLUSIVE REMEDY IN RESPECT OF THE SOFTWARE IS TO DISCONTINUE USE OF THE SOFTWARE AND TERMINATE THE AGREEMENT. EXCEPT FOR ANY INDEMNITY PROVIDED BY EITHER PARTY TO THE OTHER IN THIS SSA, IN NO EVENT SHALL EITHER PARTY'S LIABILITY TO THE OTHER PARTY ARISING OUT OF OR RELATED TO THIS SSA, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNTS ACTUALLY PAID BY AND DUE FROM COUNTY UNDER THIS SSA. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY, THE ABOVE LIMITATION MAY NOT APPLY TO COUNTY.

SECTION 16. INDEMNIFICATION.

Subject to the terms and conditions of this SSA, COUNTY will defend, indemnify and hold harmless CONTRACTOR, its licensors, officers, employees, managers, members and agents from and against any claims, actions, suits, losses, damages, fines, liabilities, judgments, costs and expenses (including reasonable costs and reasonable attorney fees) (collectively, "Claims") arising out of or relating to any inaccurate Data knowingly entered into the Software by COUNTY or intentional misuse of the Software by COUNTY or its Users. Subject to the terms and conditions of this SSA, CONTRACTOR will defend, indemnify and hold harmless COUNTY, its officers, employees, directors and agents from and against any Claims arising out of or relating to any Claim by a third party that the Software or COUNTY's purchase of a Subscription or use of the Software violates any intellectual property rights of such third party. THIS SECTION 16 STATES THE ENTIRE OBLIGATION AND THE EXCLUSIVE REMEDIES WITH RESPECT TO THE PARTIES' INDEMNIFICATION OBLIGATIONS ARISING OUT OF OR RELATING TO THIS SSA. THIS SECTION 16 SHALL SURVIVE TERMINATION OR EXPIRATION OF THIS SSA AND APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

SECTION 17. CONFIDENTIALITY.
"Confidential Information" means any information of any type in any form that (i) is disclosed, directly or indirectly, to or observed or obtained by one party from the other party in the course of, or by virtue of, this SSA; and (ii) either is designated as confidential or proprietary at the time of such disclosure or within a reasonable time thereafter or is of a nature that the recipient knew or reasonably should have known, under the circumstances, would be regarded by the owner of the information as confidential or proprietary. Without limiting any other provisions of this SSA, and whether or not otherwise meeting the criteria described herein, the Software shall be deemed conclusively to be Confidential Information of CONTRACTOR and all Data and Output shall be deemed conclusively to be Confidential Information of COUNTY. For purposes of this SSA, however, the term "Confidential Information" specifically shall not include any portion of the foregoing that (i) was in the recipient's possession or knowledge at the time of disclosure and that was not acquired directly or indirectly from the other party, (ii) was disclosed to the recipient by a third party not having an obligation of confidence of the information to any person or body of which the recipient knew or which, under the circumstances, the recipient reasonably should have assumed to exist, (iii) is or, other than by the act or omission of the recipient, becomes a part of the public domain not under seal by a court of competent jurisdiction, or (iv) was independently developed by the recipient without breach of any obligation owed to the disclosing party. In the event of any ambiguity as to whether information is Confidential Information, the foregoing shall be interpreted strictly and there shall be a rebuttable presumption that such information is Confidential Information.
COUNTY represents and warrants to CONTRACTOR that all such Confidential Information heretofore and in the future disclosed to CONTRACTOR in connection with this SSA has been and will be disclosed in a manner which does not violate the rights of third parties. Except as otherwise may be permitted by this SSA, neither party shall disclose any Confidential Information of the other party to any person without the express prior written consent of the other party; provided, however, that either party may disclose appropriate portions of Confidential Information of the other party solely to those of its employees, contractors, agents, service providers and professional advisors having a substantial need to know the specific information in question in connection with professional advice to be provided to the party or with such party's exercise of rights or performance of obligations under this SSA, provided that all such persons (i) have been instructed that such Confidential Information is subject to the obligation of confidence set forth by this SSA and (ii) are bound either by contract, employment policies, or fiduciary or professional ethical obligations to maintain such information in confidence.
Notwithstanding the above, if either party is ordered by a court, administrative agency, or other governmental body of competent jurisdiction, or is otherwise required by law or under the rules of any applicable stock exchange, to disclose Confidential Information, then such party shall: (i) if such law, order or rule calls for immediate disclosure and such party is not prohibited by order or law from informing the other party, promptly request a stay of such order or rule to permit the other party to respond as set forth in this paragraph; (ii) immediately notify the other party of the law, order or rule (if not prohibited by order or law from informing the other party) by the most expeditious possible means; (iii) not oppose a motion or similar request by the other party for an order protecting the confidentiality of the Confidential Information, including not opposing a motion for leave to intervene by the other party; and (iv) exercise reasonable efforts to obtain reasonable assurance that confidential treatment will be accorded the Confidential Information so disclosed. The recipient agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event shall either party exercise less than reasonable care in protecting the Confidential Information. If the recipient becomes aware that Confidential Information has been lost or disclosed in an unauthorized manner, whether due to a breach in security or otherwise, it shall provide the disclosing party with notice in reasonable detail of the disclosure promptly. 
If the recipient discloses or uses (or threatens to disclose or use) any Confidential Information of the disclosing party in breach of this Section 17, the disclosing party shall be entitled, in addition to any other remedies available to it, to seek injunctive relief to enjoin the acts, all without the requirement of posting bond or having to prove the inadequacy of monetary damages, it being specifically acknowledged by the parties that any other available remedies are inadequate. Both parties shall return or delete relevant Confidential Information held by it upon termination of any Subscription or this SSA, subject to CONTRACTOR's obligations in Section 12; provided, however, that it is understood that information in an intangible or electronic format cannot be immediately removed, erased or otherwise deleted from system back-ups but that such information will continue to be protected under the confidentiality requirements contained in this SSA. Notwithstanding any other provision of this SSA, upon termination of this SSA, either party may retain a copy of Confidential Information solely to fulfill a legal or regulatory obligation, or its document retention policies and practices (including any litigation data destruction holds). The obligations and rights of this Section 17 shall survive termination of this SSA or any Subscriptions granted hereunder.

SECTION 18. ENTIRE AGREEMENT.

The Agreement, this SSA, the related SOW under which it was originally conveyed, and any Renewal Proposals agreed under this SSA as set out in Section 11 of this SSA, constitute the entire agreement between COUNTY and CONTRACTOR relating to the Software, and supersede all prior or contemporaneous communications, proposals, or understandings between COUNTY and CONTRACTOR relating to the subject matter hereof.
No terms or conditions disclosed on CONTRACTOR's website(s) relating to the Software that vary those set out in this SSA are applicable unless agreed to in a separate writing by the parties.

SECTION 19. GOVERNING LAW.

Venue for any action arising out of or related to this SSA shall only be in Fresno County, California. The rights and obligations of the parties and all interpretation and performance of this SSA shall be governed in all respects by the laws of the State of California.

SECTION 20. COMPLIANCE.

CONTRACTOR's performance of this SSA is subject to existing laws and legal process, and nothing contained in this SSA is in derogation of CONTRACTOR's obligation to comply with governmental, court, and law enforcement requests or requirements relating to COUNTY'S use of the Software or information provided to or maintained by CONTRACTOR with respect to such use.

SECTION 21. SEVERABILITY.

If a court, tribunal or other forum of competent jurisdiction shall declare any provision of this SSA to be invalid, illegal or unenforceable, that provision shall be severed from this SSA and all the remaining provisions of this SSA shall continue in full force and effect. The invalidity, illegality or unenforceability of any term of this SSA shall not affect the validity, legality or enforceability of the remaining terms of this SSA; however, if permitted by applicable law, any invalid, illegal or unenforceable provision may be considered in determining the intent of the parties with respect to other provisions of this SSA.

SECTION 22. RELATIONSHIP OF THE PARTIES.

This SSA does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties other than that of independent contractors entering into an agreement with each other solely for the purpose of effecting the provisions of this SSA. There are no third-party beneficiaries to this SSA.
Neither of the parties has any express or implied rights nor authority to assume or create any obligation or responsibility on behalf of or in the name of the other party, except as may otherwise be set forth in this SSA.

SECTION 23. WAIVER.

No failure or delay by either party in exercising any right under this SSA shall constitute a waiver of that right. Other than as expressly stated in this SSA, the remedies provided in this SSA are in addition to, and not exclusive of, any other remedies of a party at law or in equity.

EXHIBIT 2
STATEMENT OF WORK

Form of Exhibit A-X
Statement of Work No. X
[Name of Project]

This Statement of Work No. X ("SOW") is appended to and made a part of the Agreement between COUNTY OF FRESNO, a Political Subdivision of the State of California ("COUNTY"), and Clearwater Compliance LLC ("CONTRACTOR") dated August 2019 ("Agreement"). Except as specifically agreed herein, the terms of the Agreement shall apply to the Services provided under this SOW.
Scope of Work

Rationale:
[Statement summarizing the general objective of the engagement/why COUNTY is engaging CONTRACTOR to perform the Services]

Scope Boundaries
[Details of specific boundaries to the scope of the Services]

Key Work Tasks/Process Steps
[Details of the key work tasks or process steps to be accomplished during completion of the engagement]

COUNTY Responsibilities
[Details of actions required by COUNTY to facilitate timely and effective completion of the key work tasks or process steps]

Out of Scope Work Items
[Details of activities or services that are not considered to be within the scope of the engagement]

CONTRACTOR Deliverables
[Details of CONTRACTOR's deliverables from the engagement]

Fees, Costs and Payments
[Details of Fees, Costs, Payment Schedule and Payment Terms pertaining to the engagement]

SOW Term
[Details relating to the Term of the engagement]

Approvals

IN WITNESS WHEREOF, the parties hereto have executed this SOW as of the date last entered below (the "SOW Effective Date").

AGREED AND ACCEPTED BY: SIGNATURE BLOCK

EXHIBIT 3
CHANGE ORDER FORM

Form of Exhibit A-X-CO#Y
Change Order to a Statement of Work

This Change Order No. Y ("Change Order") to Statement of Work No. X between COUNTY OF FRESNO, a Political Subdivision of the State of California ("COUNTY"), and Clearwater Compliance LLC ("CONTRACTOR") dated ______, 20__ (hereafter "SOW #X"), and is incorporated as Exhibit A-X-CO#Y to the Master Services Agreement between the parties dated August __, 2019 ("Agreement"). Except as specifically agreed herein, the terms of the Agreement and SOW #X shall apply to the Services as amended via this Change Order.
Scope of Work
[General statement describing the change in rationale or scope of the work previously agreed]

Scope Boundaries
[Details of specific changes to the scope of the work previously agreed which may include any of the following:]

Key Work Tasks/Process Steps
[Details of changes to the key work tasks or process steps to be accomplished during completion of the engagement]

CONTRACTOR Deliverables
[Details of changes to CONTRACTOR's deliverables from the engagement]

COUNTY Responsibilities
[Details of changes to the actions required by COUNTY to facilitate timely and effective completion of the key work tasks or process steps]

Out of Scope Work Items
[Details of changes in activities or services that are not considered to be within the scope of the engagement]

Fees, Costs and Payments
The Professional Services Fees shall be adjusted as follows:
[Details of changes in Fees]

The Payment Schedule for the $YY,YYY difference in Professional Services Fees shall be invoiced/applied as a credit to the original Payment Schedule as follows:
• XX%, or $YY,YYY shall be invoiced/applied upon execution of this Change Order
• XX%, or $Y,YYY shall be invoiced/applied upon completion of [milestone]
• XX%, or $Y,YYY balance, shall be invoiced/applied upon the earlier of, CONTRACTOR'S delivery of final FOR Report to COUNTY or, twenty-one (21) days following CONTRACTOR's delivery of a draft FOR Report

SOW Term
[Details of changes to the SOW Term]

General
Except as modified herein, all of the original terms and conditions set forth in SOW #X and the Agreement remain in full force and effect and are hereby reaffirmed by the parties as of this date.

Approvals

IN WITNESS WHEREOF, the parties hereto have executed this Change Order as of the date last entered below (the "Change Order Effective Date").
AGREED AND ACCEPTED BY: SIGNATURE BLOCK

EXHIBIT A-1
STATEMENT OF WORK
[TO BE INCLUDED]

Exhibit A-1
Statement of Work No. 1
Provision of Clearwater HIPAA Policies and Procedures ToolKits™ and Subscriptions to IRM|Pro™ Software; Professional Services Block-of-Time to Tailor the HIPAA Policies and Procedures ToolKits™ to Customer's Needs; and Clearwater OCR-Quality Risk Analysis™ and Risk Response/Risk Management Support Services

This Statement of Work No. 1 ("SOW") is appended to and made a part of the Master Services Agreement between County of Fresno ("Customer"), and Clearwater Compliance LLC ("Clearwater") dated July 9, 2019 ("Agreement"). Except as specifically agreed herein, the terms of the Agreement shall apply to the Services provided under this SOW.

Scope of Work

Rationale:

One of the essential requirements of each of the HIPAA Privacy, Security and Breach Notification Rules ("Rules") for covered entities and business associates alike is to have appropriate policies and procedures implemented, and ideally, in written form. The 2016 Office for Civil Rights ("OCR") Audit Protocol (72 for the Security Rule; 89 for the Privacy Rule and 19 for the Breach Notification Rule) calls for the auditors to "Inquire of management as to whether policies or procedures exist to ... " meet the requirements of that Standard and/or Implementation Specification.

The HIPAA Security Rule sets out an explicit requirement to complete a periodic Security Compliance Evaluation at 45 C.F.R. §164.308(a)(8):

Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
The HIPAA Security Rule also sets out explicit requirements to complete a periodic Risk Analysis and to appropriately manage risks identified at 45 CFR §164.308(a)(1)(ii)¹:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Unlike the HIPAA Security Rule, there is no explicit requirement that organizations complete a periodic evaluation of either the HIPAA Privacy or the Breach Notification Rules. However, it is important to note that both the HIPAA Privacy and Breach Notification Rules apply to all protected health information ("PHI") whether electronic, paper or in any format. Due to the magnitude of applicable sanctions and penalties associated with non-compliance with both the HIPAA Privacy and Breach Notification Rules, it is good business practice to implement a rigorous, periodic assessment of the organization's compliance with both the HIPAA Privacy and Breach Notification Rules.

¹ http://www.ecfr.gov/cgi-bin/text-idx?SID=f27b0e2ed3da04ecf4c9fe25c2edb8d1&mc=true&node=se45.1.164_1308&rgn=div8

The completion of this engagement (the "Project") will:
• facilitate Customer's satisfaction of the above HIPAA implementation standards related to HIPAA policies and procedures; hasten the process of developing high-quality, written policies and procedures; provide a basis for workforce training on those policies and procedures; and provide evidence of its compliance with the Rules;
• equip Customer to satisfy the above specific requirement to " ... complete a non-technical evaluation ...
of Customer's security environment to determine its compliance with the standards established in the Security Rule;
• facilitate Customer's satisfaction of both the above HIPAA Security Rule requirements to: a) complete a risk analysis; and, b) to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) for all in-scope information systems utilized by Customer to create, receive, maintain or transmit electronic protected health information ("ePHI"); and
• equip Customer to rigorously evaluate Customer's compliance with the HIPAA Privacy and Breach Notification Rules.

Scope Boundaries

The Project will be led by a Principal Consultant Clearwater will assign to the Project, who will be assisted by a Clearwater Customer Success Representative assigned to support Customer and Customers' use of the IRM|Pro™ Software both during this Project and ongoing.

The Project will begin with an Initial Engagement Meeting between the Clearwater team and Customer's Project Owner(s) and Customer's Project team to make introductions, review the SOW, overview the process to be undertaken, discuss other subject matter experts ("SMEs") that should be involved in the Project, introduce Customer to the secure Project messaging and file-sharing platform hosted by Clearwater, and schedule a Planning Meeting including all Project team members.

Following the Initial Engagement Meeting, Clearwater will provide a Document Request list to Customer relevant to each Work Stream. By way of example, Customer's general network/information technology policies and procedures, existing HIPAA policies and procedures, and existing risk management policies and strategies, if any, will be requested. Additional information pertaining to each of the Work Streams will be shared during the detailed planning sessions with each Project Team.
During the Planning Meeting, the Clearwater-Customer Project team will collaborate to establish a Project plan with tasks to be completed and due dates for completion.

The Services described in this SOW #1, will be comprised of four (4) Work Streams:
1. Provision of Clearwater HIPAA Policies and Procedures ToolKits™ and Subscriptions to IRM|Pro™ Software selected by Customer
2. Professional Services Block-of-Time to Tailor the HIPAA Policies and Procedures ToolKits™ to Customer's Needs
3. Conduct an OCR-Quality Risk Analysis™
4. Co-create a Plan to Reduce Risks Identified to a Reasonable and Appropriate Level and Support Services to Execute the Plan

Complete details of each Work Stream are provided below.

This Project Relies Heavily on Customer Representations. In performing the Services under this SOW, Clearwater relies heavily on information provided in interviews and documentation provided by Customer SMEs assigned to the Project, which, unless otherwise determined, are assumed to be current and factual.

Project Success of Work Streams #3 and #4 Relies on Customer's Information Risk Management Framework and Governance. The success of the Project also relies on the degree to which Customer's executive management and Board has clearly communicated its information risk management ("IRM") strategy and guidelines for decision-making. This Project assumes Customer has established its IRM strategy, has adopted a framework and process for governance of its program and for decision-making. An effective IRM program includes the use of a framework to articulate desired outcomes and adoption of a formal process that has a series of well-defined steps that supports informed decision making through the identification of risks, their likely impact and the organization's risk tolerance or threshold.
IRM should be a continuous and maturing process which is aligned with the organization's strategy and the implementation of that strategy, methodically addressing all information risks associated with the organization's present and future activities.

Key Work Tasks/Process Steps Common to All Work Streams
• Form Customer-Clearwater Project Teams
• Conduct Initial Engagement Meeting (Zoom Meeting) with Clearwater Team and Customer Project Owner(s) and Project Teams
• Provide Documentation Request List
• Conduct Planning Meeting(s) and Co-create a Project plan

Work Stream #1 - Provision of Clearwater HIPAA Policies and Procedures ToolKits™ and Subscriptions to IRM|Pro™ Software Selected by Customer

Scope Boundaries

While the Rules require HIPAA-covered entities to implement and document policies and procedures, the Rules do not define either "policy" or "procedure." Generally, policies define an organization's values and/or approach to demonstrate how it is going about implementing a practice or requirement. Procedures describe how the organization carries out that approach, setting forth explicit, step-by-step instructions that implement the organization's policies.

Clearwater offers a separate ToolKit™ pertaining to each of the Rules, and Customer has elected to purchase all three Clearwater HIPAA Policies and Procedures ToolKits™ for its own use. Each ToolKit™ has been developed to ensure all implementation standards and specifications related to each Rule are considered. Clearwater will assist Customer in selecting the best ToolKit™ for their situation. Each ToolKit™ is delivered in a compressed (zipped) folder via one of two means as selected by Customer. Clearwater's HIPAA Policies and Procedures ToolKits™ are subject to the terms and conditions of Clearwater's Software Subscription Agreement (the "SSA").
From time-to-time, should regulatory or enforcement updates or practices change or improvements to the ToolKits™ be made, Clearwater will deliver updates to Customer for so long as Clearwater continues to offer the ToolKits™ commercially.

Additionally, Clearwater has developed a suite of software products designed to enable healthcare organizations to operationalize their HIPAA Privacy, Breach Notification and Security Rule compliance and information risk management programs. This software is delivered and supported via a Software-as-a-Service model. The five (5) primary software products comprising the suite are:
• IRM|Analysis™ - Clearwater's information risk analysis and risk response/management software
• IRM|Security™ - Clearwater's HIPAA Security Rule compliance gap assessment and remediation management software
• IRM|Privacy™ - Clearwater's HIPAA Privacy and Breach Notification Rules compliance gap assessment and remediation management software
• IRM|Framework™ - Clearwater's software to assist organizations to assess the current state of adoption of the National Institute of Standards and Technology ("NIST") Cybersecurity Framework
• IRM|Maturity™ - Clearwater's software to facilitate an assessment of an organization's information risk management program in relation to five (5) core capabilities, establish its desired level of maturity and plan, document and monitor a course of action to achieve that desired level of maturity

Customer has elected to purchase a five-year, single-entity Silver Edition Subscription to the IRM|Analysis™ Software and five-year, single-entity Subscriptions to IRM|Security™ and IRM|Privacy™ for its own use.
Key Work Tasks/Process Steps:
• Identify Account Owner(s) for ToolKits™ and each of the IRM|Pro™ Software products selected
• At Customer's option, Clearwater either sends Customer-designated Project Owner the HIPAA Policies and Procedures ToolKits™ as attachments to an email, or sends email with secure download link for Customer to retrieve the ToolKits™
• Customer-designated Project Owner downloads, extracts and saves folder for each ToolKit™ with unaltered copies of all templates within its own library as backup
• Customer-designated Project Owner saves/creates working folders for use in tailoring as described in Work Stream #2
• Provision Subscription
• Schedule and conduct training on each of the selected Software products

Work Stream #2 - Professional Services Block-of-Time for Tailoring HIPAA Policies and Procedures ToolKits™ to Customer's Needs

Scope Boundaries:

The completion of this Work Stream #2 will reduce the time required of Customer's resources and shorten the elapsed time for the development of Customer's final documented HIPAA policies and procedures that accurately depict Customer's values, business practices and processes and satisfy the standards and specifications set out in the Rules.

The Principal Consultant will conduct interviews with Customer subject matter experts ("SME(s)") to understand Customer's organization, culture, business processes and the flow of PHI throughout the organization. Based on the information learned, Clearwater's Consultant will edit and enhance the ToolKit™ templates to provide customized policies that document Customer's corporate values relating to HIPAA compliance. Sample procedures found within the templates will be carefully evaluated for relevance to Customer's business processes and included or discarded where appropriate.
Sample procedures found in the templates will be customized to describe the processes that Customer follows or intends to follow to safeguard protected health information ("PHI") as required by the Rules.

Customer is entirely responsible for establishing and/or chartering the HIPAA compliance oversight body that will ultimately approve the final documentation; ensuring its legal counsel reviews and approves its documentation before they are published; publishing the final policies and procedures; providing a policy and practice to regularly review and revise the policies and procedures to ensure they properly reflect the organization's practices as well as any changes in the Rules; and ensuring communication to and periodic training of its workforce to fully and accurately implement the policies and procedures within the organization.

Both parties acknowledge and recognize that the amount of time required by Clearwater's Consultants to perform the Services is dependent on several factors, including, but not limited to: the completeness and accuracy of any prior documentation Customer has that sets out its processes and the flow of information and the availability; access to Customer's SMEs to participate in interviews, provide answers to questions or other information; and the turnaround time for Customer's review and feedback to draft documents.

It is anticipated that all Services in this Work Stream #2 will be performed remotely. If Customer requests on-site support and approves travel expenses, Clearwater will perform on-site Services as requested and mutually agreed. Consultant time spent performing services under this SOW ("Applied Time") shall include time spent performing Services remotely, in transit to or at Customer's site and will be logged to the Project in increments of .25 hours. Clearwater will notify Customer in advance if Applied Time is expected to exceed the hours purchased in the initial Block of Time ("Excess Hours").
If Customer approves Excess Hours, Customer will either purchase an additional Block-of-Time via execution of a Change Order to this SOW, or at Customer's option and by receipt of Customer's written authorization, all Excess Hours may be invoiced in arrears on a time and materials basis. Any time remaining on any Block-of-Time purchased by Customer may be carried over and applied to any other Customer statement of work executed with Clearwater, so long as such statement of work is executed within six (6) months of the end of this SOW Term. All Clearwater Applied Time to the Project will be reported in the periodic Project Status Report available for Customer review at any time. Both parties acknowledge and agree that the services to be performed within this Work Stream #2 may require time in excess of the initial Block-of-Time purchased or may require less than the initial Block-of-Time.

Key Work Tasks/Process Steps:
•Formation of Customer Work Team
•Project Preparation and Planning
•Identify appropriate Customer SMEs, schedule and conduct interviews and other discovery work
•Create and deliver initial draft of tailored policies and procedures for Customer review and input
•Customer reviews and provides feedback
•Clearwater incorporates Customer feedback
•Clearwater provides final Draft policies and procedures for review and approval by Customer's HIPAA compliance policy and procedure governance body and legal counsel

Work Stream #3 - Conduct an OCR-Quality Risk Analysis™

Scope Boundaries
Clearwater will utilize its proprietary Clearwater IRM|Analysis™ Software and its proven effective process to complete this Risk Analysis to help Customer identify, value and prioritize all high risks to its in-scope information systems used to create, receive, maintain and/or transmit ePHI and prepare to respond to these exposures with appropriate actions.
Clearwater's Software and methodology are based on the explicit Department of Health and Human Services ("HHS")/Office for Civil Rights ("OCR") "Guidance on Risk Analysis Requirements under the HIPAA Security Rule"[2] and the National Institute of Standards and Technology ("NIST") Special Publications ("SP") describing Risk Assessments, Risk Management and Controls[3]. Customer's designated workforce members will be trained in the use of the IRM|Analysis™ Software during and after this Project, the purchase and provision of which is included within the scope of this SOW.

During both Work Streams #3 and #4, Clearwater's security and cyber risk management experts will also educate Customer's SMEs on the requirements of the HIPAA Security Rule, the explicit HHS/OCR and the NIST framework and process. Also, during both Work Streams, Clearwater will introduce a repeatable, sustainable methodology to complete and document the activities; provide Customer's Project Team with an understanding of the severity of any deficiencies in controls, and approaches to consider when planning activities to close those gaps.

One over-arching objective of the two Work Streams #3 and #4 will be to equip Customer's SMEs and Project Team(s) to become as self-sufficient as Customer wishes to become in operationalizing the maintenance of Customer's cybersecurity risk management program, documenting progress in remediating any gaps in controls and conducting and documenting future risk analysis and risk management activities. Prior to, during and after each Work Stream, Customer's designated "Account Owner(s)" of the IRM|Analysis™ Software will learn how to administer the Software and will receive full training on the functionality of the Software.

Clearwater's disciplined, proprietary OCR-Quality Risk Analysis™ process has been developed over the course of conducting hundreds of risk analysis engagements.
Designed to educate and equip Customer's own resources while progressing the work, deploying sound project management techniques and tools, the tightly-structured process can be executed over a timeframe as tight as eight (8) weeks, dependent primarily on the availability of Customer's SMEs to provide the requested documentation, commit in advance to schedule, prepare for and fully engage in the discovery interviews, training opportunities and document reviews.

The planning, preparation, initial Software training, documentation review, detailed data entry into the Software, analysis and Deliverable preparation will be conducted remotely. The site review(s) and discovery interviews with Customer's SMEs to learn about Customer's in-scope information systems, components, computing environment, operating practices and controls, will be conducted during an on-site discovery visit.

While Customer's IRM|Analysis™ Software will provide complete documentation and reporting of the risk analysis results and risk response actions, both during the Project and thereafter, a key deliverable of Work Stream #3 will be Clearwater's preparation and presentation of an Executive Summary of the risk analysis process and results in one comprehensive Findings, Observations and Recommendations report ("FOR Report") first in a draft form ("Draft"), and then in a final form following receipt of Customer feedback ("Final").

[2] http://clearwatercompliance.com/wp-content/uploads/OCR Risk-Analysis Final guidance.pdf
[3] https://clearwatercompliance.com/resources/hipaa-resources/ - Links to a full list of the NIST Special Publications can be found under the heading "HIPAA Security Risk Analysis and Risk Management"
Clearwater's FOR Report will also set out prioritized recommendations for next steps Customer should consider in responding to risks identified that exceed its risk threshold. The completion of Work Stream #3 will help Customer identify, rate and prioritize all risks to the in-scope information systems that are used to create, receive, maintain and/or transmit its ePHI.

Information System Inventory in Scope:
The scope of Work Stream #3 will include information systems and components (referenced in the IRM|Analysis™ Software as "Information Assets") used by Customer to create, receive, maintain or transmit sensitive information. An inventory of in-scope information systems to be risk-analyzed during the completion of Work Stream #3 was developed by Customer and Clearwater during discussions regarding Customer's current information system environment and needs. The fees set out in this SOW are based on a scope of Up to Twenty-five (25) information systems based on an initial inventory provided by Customer.

During the planning and preparation phase of the Project, Clearwater's Consultants will prepare and provide an Information System Discovery Meeting Planner document to assist Customer to identify the business owner(s) and/or technical SME(s) for each information system included within the inventory, and a suggested discovery meeting duration for each interview. It will be Customer's responsibility to schedule the appropriate interview sessions with the designated business owners and technical SMEs in advance of Clearwater's arrival for the on-site discovery sessions, to ensure the participants are prepared and engaged, and that they do attend the interviews, to make the process as time-efficient as possible for all parties.

It is very typical to learn during the information system discovery interview sessions with Customer SMEs that additional information systems should be included within the scope of Customer's risk analysis.
The quantity of information systems can be increased via the execution of a Change Order to this SOW or Customer may opt to perform its risk analysis utilizing its own SMEs and the IRM|Analysis™ Software.

Site Visits in Scope:
Clearwater's Consultants will visit and perform a review of the primary physical location from which Customer's in-scope information systems are managed or housed: 333 W. Pontiac Way, Clovis, CA 93612. All administrative, physical and technical security controls currently implemented to safeguard Customer's information will be evaluated at this site. Additionally, based on the schedule set out on the Information System Discovery Meeting Planner, Customer business SME(s) most knowledgeable of the information processed or maintained by each in-scope information system and those technical SMEs responsible for the relevant security control areas will be interviewed and applicable procedures, processes and practices will be reviewed within the scope of the discovery. Follow-up interviews may also be conducted via telephone, web meetings, conference calls and email.

Clearwater Consultants will visit Customer's location based on a schedule that will be mutually agreed by Clearwater and Customer. Based on the quantity of in-scope information systems, assuming that discovery interviews are effectively scheduled in advance as set out on the Meeting Planner, it is estimated that discovery visits and interviews can be completed over the course of three (3) to four (4) business days, and will require a total of one (1) trip by two (2) Consultants.

Key Work Tasks/Process Phases
I. Provision IRM|Analysis™ Subscription and provide training to Customer Account Owner(s)
II. On-site Discovery
III. Entry of Information Systems and Identification of Components and Properties for Grouping
IV. Performance of Risk Determination
V. Analysis and Reporting

Work Stream #4 - Co-create a Plan to Reduce Risks Identified to a Reasonable and Appropriate Level and Support Services to Execute the Plan

Scope Boundaries:
Following the completion of the risk analysis under Work Stream #3, Clearwater will utilize the Risk Register (Risk Response List) within Customer's IRM|Analysis™ Software and will facilitate a process to develop Customer's Risk Action Plan for each risk that exceeds Customer's risk threshold (e.g. each risk having a "High" or "Critical" risk rating). Clearwater's methodology will closely follow, in particular, the NIST framework described in SP800-39[4] - Managing Information Risk. All activities during the performance of Work Stream #4 will be executed utilizing Clearwater IRM|Analysis™ Software as the primary documentation, analysis, reporting and risk management tool.

It is Customer's responsibility to take ownership of the work; to engage business and technical SME(s) for each information system associated with an in-scope risk; to assign personnel with the appropriate skills, knowledge and experience to undertake the work (for example, IT security, IT management, risk management, network and/or server administration, facilities security, human resources staff, and internal audit teams); and to assign and manage priorities for its assigned SMEs and personnel to ensure the work contemplated by this SOW can be completed within the SOW Term.

The Services under Work Stream #4 will involve both remote and on-site delivery of Services. The planning, preparation, Deliverable preparation, and on-going support will take place remotely. After planning and preparation, the first step in the process will be the Principal Consultant's facilitation of discussions with the Project Team to review each in-scope risk during an on-site Clearwater Risk Response Workshop™.
Two Clearwater Consultants will visit Customer's site located at: 333 W. Pontiac Way, Clovis, CA 93612. Based on the estimated quantity of in-scope risks, it is estimated that two (2) Clearwater Consultants will be on-site for two to three (2 to 3) days to complete the on-site portion of Work Stream #4.

Together, Clearwater and Customer will discuss and document within the IRM|Analysis™ Software the recommended risk treatment type - e.g. accept, avoid, mitigate, share or transfer - and will discuss next steps related to each selection. For those risks the Project Team is recommending should be mitigated, control alternatives will be considered. Clearwater and Customer will rationalize the list of mitigation actions, considering such things as criticality of the system, potential impact to overall risk profile, cost, timing and resource requirements, to co-create a prioritized, high-level "Risk Action Plan" populated within Customer's IRM|Analysis™ Software. The Risk Action Plan will include, for the in-scope risks, the risk owner, recommended treatment type, action items, responsible individual(s) and suggested due dates.

Together, Clearwater's Principal Consultant and Customer's Project Team will prepare an executive level summary presentation of the process undertaken and of the resultant Risk Action Plan, to facilitate management/governance body approval of the recommended Risk Action Plan. Once the high-level Risk Action Plan is approved, the Project Team will move to the development of a more detailed Risk Action Plan and execution of that plan, supported by Clearwater, as further described below.

[4] http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
In Scope Risks Identified for Risk Response/Risk Management:
Customer's risks that are in scope for Work Stream #4 are those risks identified in the IRM|Analysis™ Software during the conduct of Work Stream #3 that have a risk rating value that exceeds Customer's risk threshold and thus are included on the Risk Register (Risk Response List). The fees set out in this SOW for Work Stream #4 are based on a scope estimated to be comprised of Up to thirty-two (32) risks having a "High" or "Critical" risk rating. This estimate is based on Clearwater's experience with other Customers, where the initial risk analysis results in an average of 1.25 risks per information asset analyzed, will require a response.

All parties acknowledge and recognize that the level of effort and the Professional Services Fees to complete Work Stream #4 are dependent on the actual quantity of risks rated as "High" or "Critical" during the completion of Work Stream #3. If the actual quantity of risks having a risk rating value of "High" or "Critical" and that require a response is greater than five percent (5%) higher than the estimated quantity of in-scope risks, additional fees will be required via the execution of a Change Order between the parties.

The Detailed Risk Action Plan
Following Customer's executives' or governance body's approval of the high-level Risk Action Plan, Clearwater will facilitate and support Customer remotely during the creation of the Detail Risk Action Plan. Customer's SMEs will be responsible for research into alternative controls; gathering cost and budget information; investigating time constraints and feasibility of alternatives; presenting alternatives to management to obtain guidance in relation to business priorities; selection of alternative control solutions to be considered; and the ultimate implementation of the approved controls.
This is often the lengthiest process and Clearwater's Consultant(s) will remain engaged and provide expertise and support while Customer's SMEs perform the research to facilitate keeping all activities on track.

Both parties acknowledge and recognize that priorities and tasks associated with the actual Services performed under Work Stream #4 may change over time as activities are completed and business requirements potentially change. The Services provided by Clearwater's Consultant might include tasks such as:
•Assist Customer with recommendations to improve its Risk Management Strategy, Framing or governance processes to facilitate decision-making
•Assist Customer with identifying next steps and responsibilities for all risks for which the risk treatment type approved is "avoid", "transfer", or "share"
•For in-scope risks for which the risk treatment type selected is "mitigate", facilitate or engage with Project Team in discussion of control alternatives that might be appropriate to reduce the risk to an acceptable level
•Assist, as requested, with facilitating discussions of research required and considerations of budget, time constraints and feasibility of controls alternatives
•Assist, as requested, in presenting alternatives to appropriate executives to obtain guidance in relation to business priorities
•Assist, as requested, with discussions toward establishing mitigation actions and control alternatives priorities in relation to business priorities
•Provide support in documenting alternatives considered, decisions, activities and tasks required to complete next steps, and assigning tasks within the IRM|Analysis™ Software
•Provide support in documenting the planning of control implementation in the IRM|Analysis™ Software
•Provide support in documenting the implemented controls in the IRM|Analysis™ Software
•Provide assistance in reconciling projected residual risk with actual current risk in the IRM|Analysis™ Software
•Provide guidance and consulting to support Customer's intermediate steps as Customer performs its own remediation analysis and implementation work

If Customer requests on-site support Services during this portion of completing Work Stream #4 and approves travel expenses, Clearwater will perform on-site Services as requested and mutually agreed.

Customer Responsibilities:
•Assign a management level Project Owner to provide leadership of Customer's Project Team and to liaise with Clearwater during the performance of this SOW
•Assign appropriate, knowledgeable SMEs to fully engage in completing all activities described within each of the Work Streams and ensure the assigned SMEs have sufficient capacity to engage with Clearwater's Consultant to complete the activities as described in this SOW within the SOW Term
•Collaborate with Clearwater's Consultant to develop an agreed Project plan, and subsequently adhere to this plan
•Upload requested Customer documentation to the secure Project file-sharing platform hosted by Clearwater
•Identify one or more individuals to become the Account Owner for each of the IRM|Analysis™, IRM|Privacy™ and IRM|Security™ Software. The Account Owner(s) will be responsible for attending training sessions, mastering the administration of the Software and use of the functionality provided by the Software, authorizing/de-authorizing Users and permissions, and training all other Users and Account Owners
•In relation to Work Stream #2, provide information regarding Customer's business practices, culture, mission/vision, current privacy and security policy and procedure documentation, organization charts and other documentation that might enable Clearwater's Consultant to deliver informed draft documents during the process
•Review all draft policy and procedure documents delivered by Clearwater during Work Stream #2 and provide timely input and feedback toward finalizing the final draft policies and procedures within not more than twenty-one (21) calendar days of receiving the initial draft. Should Customer not provide feedback or approval within twenty-one (21) calendar days of receiving draft documents, the latest draft will be considered accepted, a final version will be issued, and the Services in Work Stream #2 will be deemed to have been completed
•In relation to Work Stream #2, exercise ownership over obtaining legal counsel review and input, in accordance with Customer's typical practices, and in obtaining final approval of Customer's HIPAA and/or policy and procedure governance body; taking steps to implement the policies and procedures; communicating the existence of the policy and procedure documents to its workforce; and planning and executing training of its workforce on relevant policies and procedures
•In relation to Work Streams #3 and #4, provide clear governance and oversight to guide decisions made with respect to the risk determination and risk management processes
•Assign to participate in the completion of both Work Streams #3 and #4, business and technology SMEs for each in-scope information system/application, as well as pertinent management and technology infrastructure experts, that will meet with Clearwater Consultants during the on-site discovery/risk response planning meetings and interviews
•Provide meeting rooms and arrange logistics for the conduct of all on-site interviews/meetings described in Work Streams #3 and #4
•Based on the Information System Discovery Meeting Planner prepared during Work Stream #3, schedule and engage appropriate SMEs to prepare for and timely attend all relevant discovery meetings, site reviews, and interviews as scheduled on the Information System Meeting Planner. Should designated SMEs who are scheduled to attend any scheduled discovery meeting fail to attend, and as a result remote interviews are required, additional fees may apply
•Collaborate with Clearwater during the preparation of the Draft FOR Report described in Work Stream #3, as reasonably requested
•Review Draft FOR Report described in Work Stream #3 and provide timely input and feedback toward finalizing the FOR Report within not more than twenty-one (21) calendar days of receiving the initial Draft FOR Report. Should Customer not provide feedback or approval within twenty-one (21) calendar days of receiving a Draft FOR Report, the latest Draft FOR Report will be considered accepted, a Final FOR Report will be issued and the Services and Work Stream #3 will be deemed to have been completed
•Ensure appropriate SMEs participate fully in the co-creation of the high-level and detailed risk response/risk management action plans as described in Work Stream #4.
•Organize presentations of the Final FOR Report Deliverable from Work Stream #3, the high-level Risk Action Plan Presentation Deliverable from Work Stream #4 and the Clearwater proposal(s) concerning next steps with appropriate Customer Executives/governance body
•Customer will be responsible for reimbursing Clearwater for all costs related to additional Consultant time, Consultant travel time, and related travel expenses, which costs are due to extended time on-site or other delays in the provision of the Services due to causes under the sole control of Customer. Such delays may include, but are not limited to missed discovery meetings, interviews, or site reviews that require rescheduling and/or conduct of a remote interview as a result of Customer SME's failure to attend, or lack of preparation for, such meetings

Clearwater Deliverables:
•Written Project Status Reports at a frequency mutually agreed between Clearwater and Customer
•Selected Clearwater HIPAA Policies and Procedures ToolKits™
•Draft HIPAA Security Rule Policies and Procedures approved by Project Owner and ready for Customer's legal and governance approval
•Customer's fully populated Clearwater IRM|Analysis™ Software with all data and activities completed during the performance of Work Streams #3 and #4
•In relation to Work Stream #3, up to two (2) Drafts and a Final FOR Report
•Development and presentation to Customer's executive team of an Executive Summary of the high-level Risk Action Plan in PowerPoint© format, after the completion of the on-site Risk response Workshop under Work Stream #3 where a risk treatment type and risk owner have been selected
•In collaboration with Customer SMEs, co-creation of a Detailed Risk Action Plan during the completion of Work Stream #4
•A written Clearwater proposal for additional services Clearwater can provide to assist Customer in addressing recommended next steps
•Ongoing support and training of Customer's Account Owner(s) on the functionality and administration of each of the IRM|Pro™ Software products during the term of each of the Subscriptions

Out of Scope Work Items
Activities specifically excluded from the scope of work are the following:
•In relation to Work Streams #1 and #2, any on-site meetings or travel by Clearwater unless expressly requested and approved by Customer
•In relation to Work Stream #2, creation of more than two draft versions of any policy and procedure leading up to the final version, except to the extent that corrections or amendments are necessary to correct errors or omissions of Clearwater
•Completion of a complete HIPAA Privacy Rule, Breach Notification or Security Rule compliance gap assessment
•Facilitation of management, legal counsel or governance approval of the resultant policies and procedures delivered in Work Stream #2
•Development of or conduct of workforce training on the resultant policies and procedures delivered in Work Stream #2
•Implementation of the policies and procedures delivered during Work Stream #2
•An audit of Customer's implementation of policies and procedures or the efficacy of Customer's processes, audit logs; or testing of workforce training and knowledge of the final, approved policies and procedures delivered during Work Stream #2
•Completion of Data Discovery Scans
•Information systems in excess of the quantity set out in the Scope Boundaries section of Work Stream #3 of this SOW. Customer may execute a Change Order to increase the quantity of information systems to be included in the scope of Work Stream #3
•More on-site visits or any visits to or risk analysis/risk management for locations not listed in the Scope Boundaries section of Work Stream #3 or Work Stream #4 of this SOW
•More than one summary FOR Report unless additional reports are provided for in the Scope Boundaries section of Work Stream #3. Customer may execute a Change Order to increase or decrease the number of FOR Reports to be included in the scope of Work Stream #3
•In relation to Work Stream #1, creation of more than two Draft FOR Reports leading up to the Final FOR Report, except to the extent that corrections or amendments are necessary to correct errors or omissions of Clearwater
•Response/Management of a quantity of risks in excess of 5% of the estimated quantity of risks set out in Work Stream #2. Customer may execute a Change Order to increase the quantity of information systems to be included in the scope of Work Stream #2
•Completion of compliance gap assessments of HIPAA Privacy, Security and Breach Notification Rules
•Completion of a HIPAA Security Rule Technical Evaluation (a.k.a. technical testing)
•Engagement in Risk Management Strategy Development or Framing or establishment of governance processes to guide the Project
•Clearwater's direct "hands on" involvement in the implementation of any new controls during execution of the Detail Risk Action Plan described in Work Stream #4
•Validation that vulnerabilities and risks that are identified during the risk analysis in Work Stream #3 have been sufficiently mitigated by actions taken during the course of Work Stream #4
•Revisions to any Draft or Final Deliverable to reflect completion of remediation/mitigation activities initiated by Customer in response to any findings or actions taken in response to such findings. Deliverable content will be limited solely to Clearwater's findings before and during the completion of the relevant Work Stream

Fees, Costs and Payment Schedule
Below are Clearwater's fees for the performance of Services under this SOW. Additional services to complete activities out of scope for this SOW (including additional identified information systems) are available upon execution of a Change Order to this SOW or the completion of a separate statement of work.
Columns, separated by semicolons: Work Stream/Item Description; Total Fees Year 1; Total Fees for Years 2-5**; Total Fees Committed to This SOW

Professional Services Fees
WS#2 Professional Services Block-of-Time for Tailoring HIPAA Policies and Procedures to Customer's Needs - Ninety-one (91) Hours; $29,575; NA; $29,575
WS#3 Professional Services to perform a Clearwater OCR-Quality Risk Analysis™ for up to twenty-five (25) information systems; $58,200; NA; $58,200
WS#4 Professional Services to Co-create a Plan to Reduce Risks Identified to a Reasonable and Appropriate Level and Execution Support Services for up to thirty-two (32) risks; $35,700; NA; $35,700
Subtotal Professional Services Fees; $123,475; NA; $123,475
less 10% discount on professional services fees; ($12,348); NA; ($12,348)
Total Professional Services Fees; $111,127; NA; $111,127

Software Fees
Annual Subscription Fees ("ASF") for a Five-year Subscription to Silver Edition Clearwater IRM|Analysis™ Software*; $19,300; $52,475; $71,775
ASF for a Five-year Subscription to Single-Entity Clearwater IRM|Security™ Software; $7,200; $19,575; $26,775
ASF for a Five-year Subscription to Single-Entity Clearwater IRM|Privacy™ Software; $7,200; $19,575; $26,775
WS#1 Clearwater's HIPAA Security Policies and Procedures ToolKit™ - One-time Download Subscription Fees; $2,495; NA; $2,495
WS#1 Clearwater's HIPAA Privacy Policies and Procedures ToolKit™ - One-time Download Subscription Fees; $2,495; NA; $2,495
WS#1 Clearwater's HIPAA Breach Notification Policies and Procedures ToolKit™ - One-time Download Subscription Fees; $595; NA; $595
Subtotal Software Fees; $39,285; $91,625; $130,910
Less discount on Clearwater IRM|Pro™ ASF (year 1 only); ($2,506.50); N/A; ($2,506.50)
Total Software Fees; $36,778.50; $91,625; $128,403.50

Total All Fees; $147,905.50; $91,625; $239,530.50

*Multiple Entity Subscription ASF pricing is available upon request.
Page 13 of 16 I Total Fees I Total Fees I Total Fees Work Stream/Item Description Year 1 for Years 2-Committed 5** to This SOW **ASF amounts below assume Customer is able to retain the Subscription for the entire five-year Subscription Term. ASF for the second through fifth years of the Five-year Subscription Term will be invoiced thirty (30) -forty-five (45) days prior to the anniversary date of Customer's receipt of access to the Subscription. Above fees are valid until midnight on August 15, 2019 Customary reasonable and appropriate travel ond other direct out-of-packet expenses are not included in the amounts above and will be invoiced separately Travel and Other Expenses: All travel will be approved by Customer in advance and will be invoiced at actual expense, accompanied by appropriate receipts. Clearwater will minimize any travel expenses by following these travel guidelines: •Economy best available airfare (7 /14-day advance purchase whenever possible) •3 star or better hotel at best price •Mid-size rental car. Clearwater staff will carpool whenever practical •Meal expenses at a maximum of $75 per day, per Consultant Payment Terms and Schedule: •All invoices will be emailed to Customer on the date they are eligible to be invoiced ("Invoice Date") to isdbusinessoff ice@fresnocountyca .gov. •Payment is due for all undisputed invoices within forty-five (45) calendar days following the Invoice Date ("Payment Due Date") •Software Fees: o $3 6,778.50 first year Software Fees will be invoiced upon execution of this SOW o Subsequent year IRM I Pro™ ASFs in the amounts listed below will be invoiced yearly, thirty (30) -forty-five (45) days prior to the anniversary of the beginning of the Subscription Term, as set out in the SSA. 
    • $27,876.50 for year two ASF
    • $22,558.50 for year three ASF
    • $22,448.500 for year four ASF
    • $19,605.00 for year five ASF
• $111,127.00 Total Professional Services Fees:
  o Thirty percent (30%), or $33,338.10 will be invoiced upon execution of this SOW
  o Ten percent (10%), or $11,112.70 will be invoiced upon delivery of the final draft HIPAA policies and procedures for governance/legal approval
  o Twenty-five percent (25%), or $27,781.75 will be invoiced upon completion of the on-site discovery visit set out in Work Stream #3
  o Ten percent (10%), or $11,112.70 will be invoiced upon the earlier of, Clearwater's delivery of Final FOR Report for Work Stream #3 to Customer or, twenty-one (21) days following Clearwater's delivery of a Draft FOR Report
  o Ten percent (10%), or $11,112.70 will be invoiced upon completion of the on-site Risk Response WorkShop™ set out in Work Stream #4
  o Five percent (5%), or $5,556.35 will be invoiced upon approval of the high-level Risk Action Plan set out in Work Stream #3
  o Five percent (5%), or $5,556.35 will be invoiced upon approval of the Detail Risk Action Plan set out in Work Stream #4
  o Five percent (5%) balance, or $5,556.35 will be invoiced upon the earlier of the substantial completion of execution of the Detail Risk Action Plan, reducing the majority of in-scope risks to an appropriate level, or the end of the SOW Term
• Travel expenses will be invoiced in arrears, as incurred, accompanied by all appropriate receipts
• Professional Services for Work Stream #2
  o Applied Time for the Professional Services includes time spent performing Services to complete the Clearwater Responsibilities detailed above whether such Services are performed remotely, in transit to Customer's site or at Customer's site and will be logged to the Project in increments of a minimum of 0.25 hours
  o All Services are estimated based on the assumption that all Services will be delivered remotely.
    If Customer should request and approve on-site work, Consultant time spent during travel to and from Customer facilities will be applied and/or invoiced at one-half (1/2) the typical Applied Time or Excess Hours hourly rate
  o Applied Time will be recorded against Customer's initial Block-of-Time or any subsequent time approved to complete the Work Stream
  o Approved Excess Hours, if any, will be invoiced monthly at $325 per hour on or before the 5th business day of the month for Excess Hours applied to the work during the prior month, if Customer elects not to purchase an additional Block of Time
• Change Orders to adjust the quantity of Information Assets; sites to be visited; or risks to be analyzed from those set out in the Scope Boundaries in Work Streams #3 and #4:
  o Professional Services Fee adjustments for each information asset added to the scope of the Risk Analysis WorkShop in Work Stream #3 will be $1,540 per information asset
  o Professional Services Fee adjustments for each risk added to the scope of the Risk Response Workshop in Work Stream #4 will be $400 per risk
  o Professional Services Fee adjustments for each site visit in addition to Customer's primary site added to the scope of Work Streams #3 or #4 will be:
    • $610 per site that is less than or equal to fifty (50) miles from Customer's primary site, and
    • $2,500 per site that is greater than fifty (50) miles from Customer's primary site
  o Professional Services Fee adjustments for each FOR Report added to from the scope of any risk analysis will be:
    • $3,300 per FOR Report
  o Invoices or credits for Change Orders are issued based on the Payment Terms and Schedule agreed in the Change Order
• Clearwater reserves the right to take any of the following actions as a result of deviations from the agreed Project plan due to causes that are under Customer's sole control:
  o For each interview with business and/or technical SMEs that must be conducted remotely rather than during the scheduled on-site discovery visit during Work Stream #3, to invoice Customer in the amount of $1,000 per remote interview
  o If Customer cancels or requests that Clearwater reschedule an on-site meeting less than two (2) weeks prior to the planned on-site date, and Clearwater is unable to redeploy the assigned Consultants to other engagements, $13,500 plus any related non-recoverable travel expenses
  o If the duration of an on-site visit must be extended due to rescheduled SME interviews, additions to Project scope requested by Customer, or other Project delays, to invoice Customer for any non-recoverable travel expenses (including any airline change fees), incurred by Clearwater for any

Exhibit B
SELF-DEALING TRANSACTION DISCLOSURE FORM

In order to conduct business with the County of Fresno (hereinafter referred to as "County"), members of a contractor's board of directors (hereinafter referred to as "County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below:

"A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest"

The definition above will be utilized for purposes of completing this disclosure form.

INSTRUCTIONS
(1) Enter board member's name, job title (if applicable), and date this disclosure is being made.
(2) Enter the board member's company/agency name and address.
(3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following:
    a. The name of the agency/company with which the corporation has the transaction; and
    b. The nature of the material financial interest in the Corporation's transaction that the board member has.
(4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code.
(5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4).

Exhibit B
(1) Company Board Member Information:
Name:
Date:
Job Title:
(2) Company/Agency Name and Address:
(3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to):
(4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233 (a):
(5) Authorized Signature
Signature:
Date: