The URL can be used to link to this page

Home My WebLink AboutAgreement A-24-479 with Commvault Systems Inc..pdf Agreement No. 24-479 1 SERVICE AGREEMENT 2 This Service Agreement ("Agreement") is dated September 10, 2024 and is between 3 Commvault Systems Inc., a Delaware corporation ("Commvault"), and the County of Fresno, a 4 political subdivision of the State of California ("County"). 5 Recitals 6 A. Commvault provides the County with enterprise software used for data backup and 7 recovery, retention, and cloud-based backup storage for select County systems. 8 B. The County desires to establish the integrity, rights, and value of the software and 9 licenses currently deployed by Commvault for the County, and to provide for the purchase of 10 additional capacity licensing, maintenance, annual upgrades, and support services by 11 Commvault for these systems for County departments as needed. 12 C. Commvault desires to confirm that software and licenses previously purchased by the 13 County directly from Commvault, or a software reseller, have the same rights and value and are 14 determined to be licensed in perpetuity or on a subscription basis, as applicable. 15 The parties therefore agree as follows: 16 Article 1 17 Commvault's Responsibilities 18 1.1 Scope of Services. Commvault shall perform all of the services as set forth below. 19 1.2 Support Features and Support Responsibility. 20 (A) Commvault shall provide support pursuant to the specific Standard Tier support 21 plan, as chosen by the County ("Support"). Commvault may perform Support itself or 22 subcontract the performance of the Support, in whole or in part. Support shall be 23 provided in accordance with Commvault's Global Customer Support Service Guide 24 ("Guide"), a current copy of which is found at 25 https://ma.commvault.com/Additionalinfo/Global/TechnicalSupport/GuidF . Should any 26 terms or conditions referenced in the Guide conflict with any provision in the Agreement, 27 the language in the Agreement shall take precedence. 28 1 1 (B) Commvault grants County royalty-free, non-transferable licenses, used in the 2 County's software configuration, as set forth in Exhibit A— Pricing and Licensing 3 Statement ("Licenses"). Commvault Support will only be provided on all, but not less 4 than all, such Licenses. 5 (C)The features and specifications of the Support shall be provided in accordance 6 with Commvault's then-current policies (as of the Effective Date are set forth in the 7 Guide), which may be amended from time to time, at Commvault's discretion, provided 8 however, Commvault shall promptly provide, and no more than 10 days' written notice to 9 County of any such amended policies. As part of maintenance and Support provided by 10 Commvault under this Agreement, the County shall be entitled to ongoing release 11 updates, promptly if and when available, for the Software Products provided by 12 Commvault and utilized during the Term. Software Products provided by Commvault, 13 and covered under Support, are set forth in Exhibit A. 14 1.3 Commvault Warranty. Commvault warrants that the Software Products, support, 15 and maintenance shall be provided and performed in a diligent, prompt and professional 16 manner by personnel with the requisite knowledge, skills expertise and training. Commvault 17 warrants that it will comply with applicable law and the Software Products do not knowingly 18 contain any malicious code or infringe upon any third-party's intellectual property rights. Except 19 as otherwise stated in any product-specific terms, the Software Products are provided "as is" 20 without representation or warranty, whether express, implied or statutory. Commvault 21 specifically disclaims any implied warranties of merchantability, fitness for a particular purpose, 22 non-infringement, title and quiet enjoyment or from a course of dealing, course of performance 23 or usage in trade. Commvault and its licensors do not warrant that the Software Products will 24 run properly in all IT environments, be uninterrupted or error-free, meet the County's needs or 25 requirements, or guarantee compliance with specific law. 26 1.4 Commvault Master Terms & Conditions. Commvault, and the County, agree to 27 abide by additional terms stated in Exhibit E, "Commvault Master Terms and Conditions." 28 2 1 1.5 Representation. Commvault represents that it is qualified, ready, willing, and able to 2 perform all of the services provided in this Agreement. 3 1.6 Compliance with Laws. Commvault shall, at its own cost, comply with all applicable 4 federal, state, and local laws and regulations in the performance of its obligations under this 5 Agreement, including but not limited to workers compensation, labor, and confidentiality laws 6 and regulations. 7 Article 2 8 County's Responsibilities 9 2.1 The County shall perform all of the responsibilities as set forth below. 10 (A) The County shall follow all of Commvault's published instructions, which include 11 administrative documentation and release notes that are provided to the County, with 12 respect to use and operation of the Products. 13 (B) The County shall immediately notify Commvault's service center of any Support 14 need at (877) 780-3077, or at any other telephone number(s) as Commvault may 15 designate from time to time. Support can include, but is not limited to, software update 16 issues, configuration problems, client-server communication errors, and client installation 17 issues. 18 (C)The County shall provide sufficient information at the time the trouble call is 19 placed to identify the product requiring Support. Such information shall include, as 20 applicable: remote dial-in access number, product type, and CommCell identification 21 number. 22 (D)The County shall, to the extent possible, provide Commvault with sufficient 23 information to allow Commvault the opportunity to determine the cause of the problem 24 over the telephone. 25 (E) The County shall properly maintain, at its expense, all network Support and/or 26 third-party equipment required in order to facilitate the product properly functioning and, 27 if applicable, remote dial-in access. 28 3 1 (F) The County shall provide Commvault personnel with full and safe access to the 2 premises and products in connection with Commvault's performance of its obligations. 3 (G)The County shall maintain products at the current generally available product 4 version levels. 5 (H)The County shall otherwise cooperate with Commvault to resolve any trouble 6 report of Support issues. 7 Article 3 8 Compensation, Invoices, and Payments 9 3.1 The County agrees to pay, and Commvault agrees to receive, compensation for the 10 performance of its services as described Exhibit A. 11 3.2 Maximum Compensation. The maximum compensation payable to the Contractor 12 under this Agreement is $354,113.60 for the three-year term of this Agreement, as set forth in 13 Exhibit A. Commvault acknowledges that the County is a local government entity, and does so 14 with notice that the County's powers are limited by the California Constitution and by State law, 15 and with notice that Commvault may receive compensation under this Agreement only for 16 services performed according to the terms of this Agreement and while this Agreement is in 17 effect, and subject to the maximum amount payable under this section. Commvault further 18 acknowledges that County employees have no authority to pay Commvault except as expressly 19 provided in this Agreement. 20 3.3 Invoices. Commvault shall submit annual invoices to 21 ISDBusinessOffice@fresnocountyca.gov or mailed to County of Fresno, ISD, ATW Business 22 Office, 333 W. Pontiac Way, Clovis, CA, 93612. 23 3.4 Payment. The County shall pay each correctly completed and timely submitted 24 invoice within 45 days after receipt. The County shall remit any payment to Commvault's 25 address specified in the invoice. 26 3.5 Incidental Expenses. Commvault is solely responsible for all of its costs and 27 expenses that are not specified as payable by the County under this Agreement. 28 4 1 Article 4 2 Term of Agreement 3 4.1 Term. This Agreement is effective on the date the parties sign this Agreement 4 September 17, 2024, and terminates September 16, 2027 (the "Term"), except as provided in 5 Article 6, "Termination and Suspension," below. 6 Article 5 7 Notices 8 5.1 Contact Information. The persons and their addresses having authority to give and 9 receive notices provided for or permitted under this Agreement include the following: 10 For the County: 11 Chief Information Officer/Director of Internal Services County of Fresno 12 333 W. Pontiac Way Clovis, CA 93612 13 isdcontracts@fresnocoutyca.gov 14 For Commvault: Service Contract Administrator 15 Commvault 1 Commvault Way 16 Tinton Falls, New Jersey 07724 Copy to: VP and General Counsel 17 18 5.2 Change of Contact Information. Either party may change the information in section 19 5.1 by giving notice as provided in section 5.3. 20 5.3 Method of Delivery. Each notice between the County and Commvault provided for 21 or permitted under this Agreement must be in writing, state that it is a notice provided under this 22 Agreement, and be delivered either by personal service, by first-class United States mail, by an 23 overnight commercial courier service, or by Portable Document Format (PDF) document 24 attached to an email. 25 (A) A notice delivered by personal service is effective upon service to the recipient. 26 (B) A notice delivered by first-class United States mail is effective three County 27 business days after deposit in the United States mail, postage prepaid, addressed to the 28 recipient. 5 1 (C)A notice delivered by an overnight commercial courier service is effective one 2 County business day after deposit with the overnight commercial courier service, 3 delivery fees prepaid, with delivery instructions given for next day delivery, addressed to 4 the recipient. 5 (D)A notice delivered by PDF document attached to an email is effective when 6 transmission to the recipient is completed (but, if such transmission is completed outside 7 of County business hours, then such delivery is deemed to be effective at the next 8 beginning of a County business day), provided that the sender maintains a machine 9 record of the completed transmission. 10 5.4 Claims Presentation. For all claims arising from or related to this Agreement, 11 nothing in this Agreement establishes, waives, or modifies any claims presentation 12 requirements or procedures provided by law, including the Government Claims Act (Division 3.6 13 of Title 1 of the Government Code, beginning with section 810). 14 Article 6 15 Termination and Suspension 16 6.1 Termination for Non-Allocation of Funds. The terms of this Agreement are 17 contingent on the approval of funds by the appropriating government agency. If sufficient funds 18 are not allocated, then the County, upon at least 30 days' advance written notice to Commvault, 19 may: 20 (A) Modify the services provided by Commvault under this Agreement; or 21 (B) Terminate this Agreement. 22 6.2 Termination for Breach. 23 (A) Upon determining that a breach (as defined in paragraph (C) below) has 24 occurred, the County may give written notice of the breach to Commvault. The written 25 notice may suspend performance under this Agreement, and must provide at least 30 26 days for Commvault to cure the breach. 27 (B) If Commvault fails to cure the breach to the County's satisfaction within the time 28 stated in the written notice, the County may terminate this Agreement immediately. 6 1 (C) For purposes of this section, a breach occurs when, in the determination of the 2 County, Commvault has: 3 (1) Obtained or used funds illegally or improperly; 4 (2) Failed to comply with any part of this Agreement; 5 (3) Submitted a substantially incorrect or incomplete report to the County; or 6 (4) Improperly performed any of its obligations under this Agreement. 7 6.3 Termination without Cause. In circumstances other than those set forth above, the 8 County may terminate this Agreement by giving at least 30 days advance written notice to 9 Commvault. 10 6.4 Force Majeure. The Parties shall not be liable for any failure or delay in the 11 performance of their respective obligations hereunder caused by forces beyond its reasonable 12 control, including, but not limited to the following, acts of God, nature or war; riots; pandemics; 13 (each an event of"force majeure"), provided however, (a) as soon as commercially practicable 14 after the occurrence of any such event of force majeure, the party claiming an event of force 15 majeure shall promptly provide written notice thereof to the other party and in such notice shall 16 give reasonably full particulars concerning the nature, scope and anticipated duration of the 17 event of force majeure, and unless such party gives notice of the cessation, or extension, of the 18 occurrence of the event of force majeure, the event of force majeure shall be deemed to have 19 ceased as of the date in such notice, or subsequent notice for the same event, of force majeure, 20 and (b) an event of force majeure will in no event include economic hardship, or acts, 21 omissions, circumstances, or events caused by, or through, a third party that is under contract 22 with a party where and to the extent that the acts, omissions, circumstances, or events caused 23 by, or through, the third party could have been avoided by commercially-reasonable, timely, and 24 diligent management or administration of the third party's performance of its contractual 25 obligations and duties under its contract by the party to such contract. 26 6.4 No Penalty or Further Obligation. Any termination of this Agreement by the County 27 under this Article 6 is without penalty to or further obligation of the County. 28 7 1 6.5 County's Rights upon Termination. Upon termination for breach under this Article 2 6, the County may demand repayment by Commvault of any monies disbursed to Commvault 3 under this Agreement that, in the County's sole judgment, were not expended in compliance 4 with this Agreement. Commvault shall promptly refund all such monies upon demand. This 5 section survives the termination of this Agreement. 6 Article 7 7 Independent Contractor 8 7.1 Status. In performing under this Agreement, Commvault, including its officers, 9 agents, employees, and volunteers, is at all times acting and performing as an independent 10 contractor, in an independent capacity, and not as an officer, agent, servant, employee, joint 11 venturer, partner, or associate of the County. 12 7.2 Verifying Performance. The County has no right to control, supervise, or direct the 13 manner or method of Commvault's performance under this Agreement, but the County may 14 verify that Commvault is performing according to the terms of this Agreement. 15 7.3 Benefits. Because of its status as an independent contractor, Commvault has no 16 right to employment rights or benefits available to County employees. Commvault is solely 17 responsible for providing to its own employees all employee benefits required by law. 18 Commvault shall save the County harmless from all matters relating to the payment of 19 Commvault's employees, including compliance with Social Security withholding and all related 20 regulations. 21 7.4 Services to Others. The parties acknowledge that, during the term of this 22 Agreement, Commvault may provide services to others unrelated to the County. 23 Article 8 24 Indemnity and Defense 25 8.1 Indemnity. Commvault shall indemnify and hold harmless and defend the County 26 (including its officers, agents, employees, and volunteers) against all claims, demands, injuries, 27 damages, costs, expenses (including attorney fees and costs), fines, penalties, and liabilities of 28 any kind to the County, Commvault, or any third party that arise from or relate to the 8 1 performance or failure to perform by Commvault (or any of its officers, agents, subcontractors, 2 or employees) under this Agreement. The County may conduct or participate in its own defense 3 without affecting Commvault's obligation to indemnify and hold harmless or defend the County. 4 8.2 Patent Indemnity. In the event of a claim of alleged infringement of patent rights, 5 copyright, trade secret rights, or intellectual property rights, to the fullest extent permitted by law, 6 the Commvault agrees to and shall indemnify, save, hold harmless, and at County's request, 7 defend County (including its officers, officials, agents, employees and volunteers) from and 8 against any and all demands, costs and expenses, penalties, attorney's fees and court costs, 9 damages of any nature whatsoever (including, without limitation, injury or damage to or loss or 10 destruction of property), judgments (including, without limitation, amounts paid in settlement and 11 amounts paid to discharge judgments), liabilities, claims and losses, suits, actions or 12 proceedings of every name, kind and description occurring or resulting to County, out of or in 13 connection with any claim that is based on the infringement (or assertions of infringement) of 14 any of patent rights, copyright, trade secret rights, or intellectual property rights with respect to 15 Commvault's Products and/or Services or Support, including, but not limited to, their materials, 16 designs, techniques, processes and information supplied or used by Commvault performing or 17 providing any portion of its Products and/or Services or Support. If, in any suit, action, 18 proceeding or claim relating to the foregoing, a temporary restraining order or preliminary 19 injunction is granted, Commvault shall make every reasonable effort to secure the suspension 20 of the injunction or restraining order. If, in any such suit, action proceeding or claim, 21 Commvault's Products and/or Services or Support and any part, combination or process 22 thereof, is held to constitute an infringement and its use is enjoined, Commvault shall 23 immediately (a) pay the reasonable direct out-of-pocket costs and expenses to secure for the 24 County a license, at no cost to the County, to use such infringing work, replace the infringing 25 work or modify the same so that it becomes non-infringing, and (b) make every reasonable 26 effort to secure for the County a license, at no cost to County, authorizing County's continued 27 use of the infringing work. If Commvault is unable to secure such license within a reasonable 28 time, Commvault at its own expense and without impairing performance requirements of the 9 1 Commvault Products and/or Services or Support, shall either replace the affected Products 2 and/or Services or Support, or part, combination or process thereof, with non-infringing 3 components or parts or modify the same so that they become non-infringing. 4 8.3 Survival. This entire Article 8 survives the termination of this Agreement. 5 Article 9 6 Insurance 7 9.1 Commvault shall comply with all the insurance requirements in Exhibit D to this 8 Agreement. 9 Article 10 10 Inspections, Audits, and Public Records 11 10.1 Inspection of Documents. Commvault shall make available to the County, and the 12 County may examine at any time during business hours and as often as the County deems 13 necessary, all of Commvault's records and data with respect to the matters covered by this 14 Agreement, excluding attorney-client privileged communications. Commvault shall, upon 15 request by the County, permit the County to audit and inspect all of such records and data to 16 ensure Commvault's compliance with the terms of this Agreement. 17 10.2 State Audit Requirements. If the compensation to be paid by the County under this 18 Agreement exceeds $10,000, Commvault is subject to the examination and audit of the 19 California State Auditor, as provided in Government Code section 8546.7, for a period of three 20 years after final payment under this Agreement. This section survives the termination of this 21 Agreement. 22 10.3 Public Records. The County is not limited in any manner with respect to its public 23 disclosure of this Agreement or any record or data that Commvault may provide to the County. 24 The County's public disclosure of this Agreement or any record or data that Commvault may 25 provide to the County may include but is not limited to the following: 26 (A) The County may voluntarily, or upon request by any member of the public or 27 governmental agency, disclose this Agreement to the public or such governmental 28 agency. 10 1 (B) The County may voluntarily, or upon request by any member of the public or 2 governmental agency, disclose to the public or such governmental agency any record or 3 data that Commvault may provide to the County, unless such disclosure is prohibited by 4 court order. 5 (C)This Agreement, and any record or data that Commvault may provide to the 6 County, is subject to public disclosure under the Ralph M. Brown Act (California 7 Government Code, Title 5, Division 2, Part 1, Chapter 9, beginning with section 54950). 8 (D)This Agreement, and any record or data that Commvault may provide to the 9 County, is subject to public disclosure as a public record under the California Public 10 Records Act (California Government Code, Title 1, Division 10, Chapter 3, beginning 11 with section 7920.200) ("CPRA"). 12 (E) This Agreement, and any record or data that Commvault may provide to the 13 County, is subject to public disclosure as information concerning the conduct of the 14 people's business of the State of California under California Constitution, Article 1, 15 section 3, subdivision (b). 16 (F) Any marking of confidentiality or restricted access upon or otherwise made with 17 respect to any record or data that Commvault may provide to the County shall be 18 disregarded and have no effect on the County's right or duty to disclose to the public or 19 governmental agency any such record or data. 20 10.4 Public Records Act Requests. If the County receives a written or oral request 21 under the CPRA to publicly disclose any record that is in Commvault's possession or control, 22 and which the County has a right, under any provision of this Agreement or applicable law, to 23 possess or control, then the County may demand, in writing, that Commvault deliver to the 24 County, for purposes of public disclosure, the requested records that may be in the possession 25 or control of Commvault. Within five business days after the County's demand, Commvault shall 26 (a) deliver to the County all of the requested records that are in Commvault's possession or 27 control, together with a written statement that Commvault, after conducting a diligent search, 28 has produced all requested records that are in Commvault's possession or control, or (b) 11 1 provide to the County a written statement that Commvault, after conducting a diligent search, 2 does not possess or control any of the requested records. Commvault shall cooperate with the 3 County with respect to any County demand for such records. If Commvault wishes to assert that 4 any specific record or data is exempt from disclosure under the CPRA or other applicable law, it 5 must deliver the record or data to the County and assert the exemption by citation to specific 6 legal authority within the written statement that it provides to the County under this section. 7 Commvault's assertion of any exemption from disclosure is not binding on the County, but the 8 County will give at least 10 days' advance written notice to Commvault before disclosing any 9 record subject to Commvault's assertion of exemption from disclosure. Commvault shall 10 indemnify the County for any court-ordered award of costs or attorney's fees under the CPRA 11 that results from Commvault's delay, claim of exemption, failure to produce any such records, or 12 failure to cooperate with the County with respect to any County demand for any such records. 13 Article 11 14 Disclosure of Self-Dealing Transactions 15 11.1 Applicability. This Article 11 applies if Commvault is operating as a corporation, or 16 changes its status to operate as a corporation. 17 11.2 Duty to Disclose. If any member of Commvault's board of directors is party to a self- 18 dealing transaction, he or she shall disclose the transaction by completing and signing a "Self- 19 Dealing Transaction Disclosure Form" (Exhibit C to this Agreement) and submitting it to the 20 County before commencing the transaction or immediately after. 21 11.3 Definition. "Self-dealing transaction" means a transaction to which Commvault is a 22 party and in which one or more of its directors, as an individual, has a material financial interest. 23 Article 12 24 General Terms 25 12.1 Modification. Except as provided in Article 6, "Termination and Suspension," this 26 Agreement may not be modified, and no waiver is effective, except by written agreement signed 27 by both parties. Commvault acknowledges that County employees have no authority to modify 28 this Agreement except as expressly provided in this Agreement. 12 1 12.2 Non-Assignment. Neither party may assign its rights or delegate its obligations 2 under this Agreement without the prior written consent of the other party. 3 12.3 Governing Law. The laws of the State of California govern all matters arising from 4 or related to this Agreement. 5 12.4 Jurisdiction and Venue. This Agreement is signed and performed in Fresno 6 County, California. Commvault consents to California jurisdiction for actions arising from or 7 related to this Agreement, and, subject to the Government Claims Act, all such actions must be 8 brought and maintained in Fresno County. 9 12.5 Days. Unless otherwise specified, "days" means calendar days. 10 12.6 Headings. The headings and section titles in this Agreement are for convenience 11 only and are not part of this Agreement. 12 12.7 Severability. If anything in this Agreement is found by a court of competent 13 jurisdiction to be unlawful or otherwise unenforceable, the balance of this Agreement remains in 14 effect, and the parties shall make best efforts to replace the unlawful or unenforceable part of 15 this Agreement with lawful and enforceable terms intended to accomplish the parties' original 16 intent. 17 12.8 Nondiscrimination. During the performance of this Agreement, Commvault shall not 18 unlawfully discriminate against any employee or applicant for employment, or recipient of 19 services, because of race, religious creed, color, national origin, ancestry, physical disability, 20 mental disability, medical condition, genetic information, marital status, sex, gender, gender 21 identity, gender expression, age, sexual orientation, military status or veteran status pursuant to 22 all applicable State of California and federal statutes and regulation. 23 12.9 No Waiver. Payment, waiver, or discharge by the County of any liability or obligation 24 of Commvault under this Agreement on any one or more occasions is not a waiver of 25 performance of any continuing or other obligation of Commvault and does not prohibit 26 enforcement by the County of any obligation on any other occasion. 27 12.10 Data Security. Commvault shall comply with all the Data Security requirements set 28 forth in Exhibit B to this Agreement. 13 1 12.11 Intellectual Property. The County agrees that Commvault-owned or licensed 2 hardware, software, code, trademarks, trade secrets, proprietary methods and systems used to 3 provide the Software Products (collectively, the "Commvault Technology") and the content made 4 available or displayed by Commvault through the Software Products, including all text, graphics, 5 images, trade names, service marks, product names, and the look and feel of the Software 6 Products (collectively, the "Commvault Content") are owned by or licensed to Commvault. Other 7 than the authorizations or licenses expressly granted by Commvault to the County in these 8 Terms, no assignment or other transfer of ownership shall be conferred or vest in and to the 9 Commvault Technology or the Commvault Content to Customer, either by implication, estoppel, 10 or otherwise. 11 12.12 Confidentiality. By the nature of Commvault's services, Commvault and the County 12 regularly share confidential or proprietary information with each other. "Confidential Information" 13 means any and all information and material disclosed by one party (the "Discloser") to the other 14 party (the "Recipient") that is customer data or trade secrets (as defined in Government Code 15 Section 7924.510(f)), such as formulas and processes, as well as know-how, inventions, 16 techniques, programs, ideas, algorithms, schematics, testing procedures, software design and 17 architecture, computer code, internal documentation, design and functional specifications, 18 product requirements, problem reports, performance information. Recipient shall hold all 19 Confidential Information in strict confidence and take the same degree of care that it uses to 20 protect its own confidential information (but in no event less than reasonable care) to protect the 21 confidentiality thereof. Confidential Information does not include information that (i) is or 22 becomes generally known by the public, (ii) was or becomes available to a party on a non- 23 confidential basis from a person not otherwise bound by the terms of this Agreement or is not 24 otherwise known to be prohibited from transmitting the information, (iii) disclosure is required by 25 law or (iv) is independently developed by the parties, provided that the party claiming an 26 exception shall have the burden of establishing such exception. 27 12.13 Upon termination of the Agreement, or upon a Party's request, each Party shall 28 return to the other all Information of the other in its possession. All provisions of the Agreement 14 1 relating to confidentiality, ownership, and limitations of liability shall survive the termination of 2 the Agreement. 3 12.14 All services performed by Commvault shall be in strict conformance with all 4 applicable Federal, State of California, and/or local laws and regulations relating to 5 confidentiality, including but not limited to, California Civil Code, California Welfare and 6 Institutions Code, California Health and Safety Code, California Code of Regulations, and the 7 Code of Federal Regulations. 8 12.15 U.S. Government End User Provisions. Commvault provides the Software 9 Products to federal government end users. Government technical data and software rights 10 related to the Software Products include only those rights customarily provided to the public as 11 defined this Agreement. This customary commercial license is provided in accordance with FAR 12 12.211 (Technical Data), FAR 12.212 (Software), and FAR 52.227-14 (Rights in Data) and, for 13 Department of Defense transactions, DFAR 252.227-7013 (Technical Data —Commercial Items) 14 and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software 15 Documentation), as applicable. 16 12.16 No Third-Party Beneficiaries. This Agreement does not and is not intended to 17 create any rights or obligations for any person or entity except for the parties. 18 12.17 Authorized Signature. Commvault represents and warrants to the County that: 19 (A) Commvault is duly authorized and empowered to sign and perform its obligations 20 under this Agreement. 21 (B) The individual signing this Agreement on behalf of Commvault is duly authorized 22 to do so and his or her signature on this Agreement legally binds Commvault to the 23 terms of this Agreement. 24 12.18 Electronic Signatures. The parties agree that this Agreement may be executed by 25 electronic signature as provided in this section. 26 (A) An "electronic signature" means any symbol or process intended by an individual 27 signing this Agreement to represent their signature, including but not limited to (1) a 28 digital signature; (2) a faxed version of an original handwritten signature; or (3) an 15 1 electronically scanned and transmitted (for example by PDF document) version of an 2 original handwritten signature. 3 (B) Each electronic signature affixed or attached to this Agreement (1) is deemed 4 equivalent to a valid original handwritten signature of the person signing this Agreement 5 for all purposes, including but not limited to evidentiary proof in any administrative or 6 judicial proceeding, and (2) has the same force and effect as the valid original 7 handwritten signature of that person. 8 (C)The provisions of this section satisfy the requirements of Civil Code section 9 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, 10 Part 2, Title 2.5, beginning with section 1633.1). 11 (D) Each party using a digital signature represents that it has undertaken and 12 satisfied the requirements of Government Code section 16.5, subdivision (a), 13 paragraphs (1) through (5), and agrees that each other party may rely upon that 14 representation. 15 (E) This Agreement is not conditioned upon the parties conducting the transactions 16 under it by electronic means and either party may sign this Agreement with an original 17 handwritten signature. 18 12.19 Counterparts. This Agreement may be signed in counterparts, each of which is an 19 original, and all of which together constitute this Agreement. 20 12.20 Agent for Service of Process. Commvault represents to County that Commvault's 21 agent for service of process in California, and that such agent's address for receiving such 22 service of process in California, which information Commvault shall maintain with the office of 23 the California Secretary of State, is as follows: 24 CSC— Lawyers Incorporating Service 25 2710 Gateway Oaks Drive 26 Sacramento, CA 95833 27 28 16 1 Commvault further represents to the County that if Commvault changes its agent for service 2 of process in California, or Commvault's agent for service of process in California changes its 3 address for receiving such service of process in California, which changed information 4 Commvault shall maintain with the office of the California Secretary of State, Commvault shall 5 give the County written notice thereof within five (5) calendar days thereof pursuant to Article 5 6 of this Agreement. 7 12.21 Entire Agreement. This Agreement, including its exhibits, is the entire agreement 8 between Commvault and the County with respect to the subject matter of this Agreement, and it 9 supersedes all previous negotiations, proposals, commitments, writings, advertisements, 10 publications, and understandings of any nature unless those things are expressly included in 11 this Agreement. This Agreement supersedes all pre-printed terms, hyperlinks, and conditions 12 contained in any purchase order or other business form submitted hereafter by either party or 13 the other. If there is any inconsistency between the terms of this Agreement without its exhibits 14 and the terms of the exhibits, then the inconsistency will be resolved by giving precedence first 15 to the term of this Agreement without its exhibits, and then to Exhibits A, C, D, and E, then 16 Exhibit B. 17 [SIGNATURE PAGE FOLLOWS] 18 19 20 21 22 23 24 25 26 27 28 17 1 The parties are signing this Agreement on the date stated in the introductory clause. 2 COMMVAULT SYSTEMS, INC. COUNTY OF FRESNO 3 4 �1Gt'�G�I�/S� G>~YGl'8 f 5 Andrew Scamardella Director,Dea(Desk&Bid Desk Nathan Magsig, Chairman of the Board of Supervisors of the County of Fresno 6 1 Commvault Way Tinton Falls, New Jersey 07724 Attest: 7 Bernice E. Seidel Clerk of the Board of Supervisors 8 County of Fresno, State of California 9 By: A'-.j"- 10 Deputy 11 For accounting use only: 12 Org No.: 8905 Account No.: 7309 13 Fund No.: 1020 Subclass No.: 10000 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 18 Exhibit A — Pricing and Licensing The County will receive licensing, maintenance, and support for the following software, in the specified quantities. Software List SKU Description Quantity Term Price Per Year 1 Year 2 Year 3 Length/Dates Month Commvault Cloud Cyber 33-months CV-DPP-FT-33 Resilience Software, per 4C (12/28/24 - 9/16/27) $2,336.60 $21,029.40 $28,039.20 $28,039.20 Front-End Terabyte Commvault Cloud Cyber 33-months CV-DPP-VM10-33 Resilience Software for Virtual 80 (12/28/24 - 9/16/27) $2,972.60 $26,753.40 $35,671.20 $35, 671.20 Machines, per VM (10-Pack) CV-MCS-AC-TB Commvault Cloud Air Gap 250 36-months $3,997.50 $47,970.00 $47,970.00 $47,970.00 Protect, Per Terabyte (9/17/24 - 9/16/27) Subtotals $95,752.80 $111,680.40 $111,680.40 Annual Licensing Sub-Total $319,113.60 Additional Services $35,000.00 Maximum Compensation $354,113.60 A-1 Exhibit B — Data Security 1 A. Definitions. 2 Capitalized terms used in this Exhibit B have the meanings set forth in this section A. 3 "Authorized Employees" means Commvault's employees who have access to Personal 4 Information. 5 "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any and all of 6 Commvault's subcontractors, representatives, agents, outsourcers, and consultants, and providers 7 of professional services to Commvault, who have access to Personal Information and are bound by 8 law or in writing by confidentiality obligations sufficient to protect Personal Information in 9 accordance with the terms of this Exhibit B. 10 "Director" means the County's Director of Internal Services-Chief Information Officer or his 11 or her designee. 12 "Disclose" or any derivative of that word means to disclose, release, transfer, disseminate, 13 or otherwise provide access to or communicate all or any part of any Personal Information orally, in 14 writing, or by electronic or any other means to any person. 15 "Person" means any natural person, corporation, partnership, limited liability company, 16 firm, or association. 17 "Personal Information" means any and all information, including any data provided, or to 18 which access is provided, to Commvault by or upon the authorization of the County, including but 19 not limited to vital records, that: (i) identifies, describes, or relates to, or is associated with, or is 20 capable of being used to identify, describe, or relate to, or associate with, a person (including, 21 without limitation, names, physical descriptions, signatures, addresses, telephone numbers, e-mail 22 addresses, education, financial matters, employment history, and other unique identifiers, as well 23 as statements made by or attributable to the person); (ii) is used or is capable of being used to 24 authenticate a person (including, without limitation, employee identification numbers, government- 25 issued identification numbers, passwords or personal identification numbers (PINs), financial 26 account numbers, credit report information, answers to security questions, and other personal 27 identifiers); or is personal information within the meaning of California Civil Code section 1798.3, 28 subdivision (a), or 1798.80, subdivision (e). Personal Information does not include publicly B-1 Exhibit B — Data Security 1 available information that is lawfully made available to the general public from federal, state, or 2 local government records. 3 "Privacy Practices Complaint" means a complaint received by the County relating to 4 Commvault's (or any Authorized Person's) privacy practices, or alleging a Security Breach. Such 5 complaint shall have sufficient detail to enable Commvault to promptly investigate and take 6 remedial action under this Exhibit B. 7 "Security Safeguards" means physical, technical, administrative, or organizational 8 security procedures and practices put in place by Commvault(or any Authorized Persons)that 9 relate to the protection of the security, confidentiality, value, or integrity of Personal Information. 10 Security Safeguards shall satisfy the minimal requirements set forth in subsection C.(5) of this 11 Exhibit B. 12 "Security Breach" means (i) any act or omission that compromises either the security, 13 confidentiality, value, or integrity of any Personal Information or the Security Safeguards, or(ii) any 14 unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of 15 or damage to, any Personal Information. 16 "Use" or any derivative thereof means to receive, acquire, collect, apply, manipulate, 17 employ, process, transmit, disseminate, access, store, disclose, or dispose of Personal 18 Information. 19 B. Standard of Care. 20 (1) Commvault acknowledges that, in the course of its engagement by the County under 21 this Agreement, Commvault, or any Authorized Persons, may Use Personal Information only as 22 permitted in this Agreement. 23 (2) Commvault acknowledges that Personal Information is deemed to be confidential 24 information of, or owned by, the County (or persons from whom the County receives or has 25 received Personal Information) and is not confidential information of, or owned or by, Commvault, 26 or any Authorized Persons. Commvault further acknowledges that all right, title, and interest in or to 27 the Personal Information remains in the County (or persons from whom the County receives or has 28 received Personal Information) regardless of Commvault's, or any Authorized Person's, Use of that B-2 Exhibit B — Data Security 1 Personal Information. 2 (3) Commvault agrees and covenants in favor of the County that Commvault shall: (i) keep 3 and maintain all Personal Information in strict confidence, using such degree of care under this 4 Subsection B as is reasonable and appropriate to avoid a Security Breach; (ii) Use Personal 5 Information exclusively for the purposes for which the Personal Information is made accessible to 6 Commvault pursuant to the terms of this Exhibit B; (iii) not Use, Disclose, sell, rent, license, or 7 otherwise make available Personal Information for Commvault's own purposes or for the benefit of 8 anyone other than the County, without the County's express prior written consent, which the 9 County may give or withhold in its sole and absolute discretion; and (iv) not, directly or indirectly, 10 Disclose Personal Information to any person (an "Unauthorized Third Party") other than Authorized 11 Persons pursuant to this Agreement, without the Director's express prior written consent. 12 Notwithstanding the foregoing paragraph, in any case in which Commvault believes it, or 13 any Authorized Person, is required to disclose Personal Information to government regulatory 14 authorities, or pursuant to a legal proceeding, or otherwise as may be required by applicable law, 15 Commvault shall (a) immediately notify the County of the specific demand for, and legal authority 16 for the disclosure, including providing the County with a copy of any notice, discovery demand, 17 subpoena, or order, as applicable, received by Commvault, or any Authorized Person, from any 18 government regulatory authorities, or in relation to any legal proceeding, and (b) promptly notify the 19 County before such Personal Information is offered by Commvault for such disclosure so that the 20 County may have sufficient time to obtain a court order or take any other action the County may 21 deem necessary to protect the Personal Information from such disclosure, and Commvault shall 22 cooperate with the County to minimize the scope of such disclosure of such Personal Information. 23 Commvault shall remain liable to the County for the actions and omissions of any 24 Unauthorized Third Party concerning its Use of such Personal Information as if they were 25 Commvault's own actions and omissions. 26 C. Information Security. 27 (1) Commvault covenants, represents and warrants to the County that Commvault's Use of 28 Personal Information under this Agreement does and shall at all times comply with all federal, B-3 Exhibit B — Data Security 1 state, and local, privacy and data protection laws, as well as all other applicable regulations and 2 directives, including but not limited to California Civil Code, Division 3, Part 4, Title 1.81 (beginning 3 with section 1798.80), and the Song-Beverly Credit Card Act of 1971 (California Civil Code, 4 Division 3, Part 4, Title 1.3, beginning with section 1747). If Commvault Uses credit, debit, or other 5 payment cardholder information, Commvault shall at all times remain in compliance with the 6 Payment Card Industry Data Security Standard ("PCI DSS") requirements, including remaining 7 aware at all times of changes to the PCI DSS and promptly implementing and maintaining all 8 procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each 9 case, at Commvault's sole cost and expense. 10 (2) Commvault covenants, represents and warrants to the County that, as of the Effective 11 Date, Commvault has not received notice of any violation of any privacy or data protection laws, as 12 well as any other applicable regulations or directives, and is not the subject of any pending legal 13 action or investigation by, any government regulatory authority regarding same. 14 (3) Without limiting Commvault's obligations under subsection C.(1) of this Exhibit B, 15 Commvault's (or Authorized Person's) Security Safeguards shall be no less rigorous than 16 accepted industry practices and, at a minimum, include the following: (i) limiting Use of Personal 17 Information strictly to Commvault's and Authorized Persons' technical and administrative personnel 18 who are necessary for Commvault's, or Authorized Persons', Use of the Personal Information 19 pursuant to this Agreement; (ii) ensuring that all of Commvault's connectivity to the County 20 computing systems will only be through the County's security gateways and firewalls, and only 21 through security procedures approved upon the express prior written consent of the Director; (iii) to 22 the extent that they contain or provide access to Personal Information, (a) securing Commvault's 23 business facilities, data centers, paper files, servers, back-up systems and computing equipment, 24 operating systems, and software applications, including, but not limited to, all mobile devices and 25 other equipment, operating systems, and software applications with information storage capability; 26 (b) employing adequate controls and data security measures with respect to Commvault Facilities 27 and Equipment), both internally and externally, to protect(1)the Personal Information from 28 potential loss or misappropriation, or unauthorized Use, and (2)the County's operations from B-4 Exhibit B — Data Security 1 disruption and abuse; (c) having and maintaining network, device application, database and 2 platform security; (d) maintaining authentication and access controls within media, computing 3 equipment, operating systems, and software applications; and (e) installing and maintaining in all 4 mobile, wireless, or handheld devices a secure internet connection, having continuously updated 5 anti-virus software protection and a remote wipe feature always enabled, all of which is subject to 6 express prior written consent of the Director; (iv) encrypting all Personal Information at advance 7 encryption standards of Advanced Encryption Standards (AES) of 128 bit or higher(a) stored on 8 any mobile devices, including but not limited to hard disks, portable storage devices, or remote 9 installation, or(b)transmitted over public or wireless networks (the encrypted Personal Information 10 must be subject to password or pass phrase, and be stored on a secure server and transferred by 11 means of a Virtual Private Network (VPN) connection, or another type of secure connection, all of 12 which is subject to express prior written consent of the Director); (v) strictly segregating Personal 13 Information from all other information of Commvault, including any Authorized Person, or anyone 14 with whom Commvault or any Authorized Person deals so that Personal Information is not 15 commingled with any other types of information; (vi) having a patch management process including 16 installation of all operating system/software vendor security patches; (vii) maintaining appropriate 17 personnel security and integrity procedures and practices, including, but not limited to, conducting 18 background checks of Authorized Employees consistent with applicable law; and (viii) providing 19 appropriate privacy and information security training to Authorized Employees. 20 (4) During the term of each Authorized Employee's employment by Commvault, 21 Commvault shall cause such Authorized Employees to abide strictly by Commvault's obligations 22 under this Exhibit B. Commvault further agrees that it shall maintain a disciplinary process to 23 address any unauthorized Use of Personal Information by any Authorized Employees. 24 (5) Commvault shall, in a secure manner, backup daily, or more frequently if it is 25 Commvault's practice to do so more frequently, Personal Information received from the County, 26 and the County shall have immediate, real time access, at all times, to such backups via a secure, 27 remote access connection provided by Commvault, through the Internet. 28 (6) Commvault shall provide the County with the name and contact information for each B-5 Exhibit B — Data Security 1 Authorized Employee (including such Authorized Employee's work shift, and at least one alternate 2 Authorized Employee for each Authorized Employee during such work shift)who shall serve as the 3 County's primary security contact with Commvault and shall be available to assist the County 4 twenty-four(24) hours per day, seven (7) days per week as a contact in resolving Commvault's and 5 any Authorized Persons' obligations associated with a Security Breach or a Privacy Practices 6 Complaint. 7 D. Security Breach Procedures. 8 (1) Promptly, and without undue delay, upon Commvault's confirmation of a Security 9 Breach, Commvault shall (a) notify the Director of the Security Breach, such notice to be given first 10 by telephone at the following telephone number, followed promptly by email at the following email 11 address: (559) 600-6200/servicedesk(a�fresnocountyca.gov (which telephone number and email 12 address the County may update by providing notice to Commvault), and (b) preserve all relevant 13 evidence (and cause any affected Authorized Person to preserve all relevant evidence) relating to 14 the Security Breach. The notification shall include, to the extent reasonably possible, the 15 identification of each type and the extent of Personal Information that has been, or is reasonably 16 believed to have been, breached, including but not limited to, compromised, or subjected to 17 unauthorized Use, Disclosure, or modification, or any loss or destruction, corruption, or damage. 18 (2) Immediately following Commvault's notification to the County of a Security Breach, as 19 provided pursuant to subsection D.(1) of this Exhibit B, the Parties shall coordinate with each other 20 to investigate the Security Breach. Commvault agrees to fully cooperate with the County, including, 21 without limitation: (i) assisting the County in conducting any investigation; (ii) providing the County 22 with physical access to the facilities and operations affected; (iii)facilitating interviews with 23 Authorized Persons and any of Commvault's other employees knowledgeable of the matter; and 24 (iv) making available all relevant records, logs, files, data reporting and other materials required to 25 comply with applicable law, regulation, industry standards, or as otherwise reasonably required by 26 the County. To that end, Commvault shall, with respect to a Security Breach, be solely responsible, 27 at its cost, for all notifications required by law and regulation, and Commvault shall provide a 28 written report of the investigation and reporting required to the Director within thirty (30) days after B-6 Exhibit B — Data Security 1 Commvault's discovery of the Security Breach. 2 (3) The County shall promptly notify Commvault of the Director's knowledge, or reasonable 3 belief, of any Privacy Practices Complaint, and upon Commvault's receipt of notification thereof, 4 Commvault shall promptly address such Privacy Practices Complaint, including taking any 5 corrective action under this Exhibit B, all at Commvault's sole expense, in accordance with 6 applicable privacy rights, laws, regulations and standards. In the event Commvault discovers a 7 Security Breach, Commvault shall treat the Privacy Practices Complaint as a Security Breach. 8 Within 24 hours of Commvault's receipt of notification of such Privacy Practices Complaint, 9 Commvault shall notify the County whether the matter is a Security Breach, or otherwise has been 10 corrected and the manner of correction, or determined not to require corrective action and the 11 reason therefor. 12 (4) Commvault shall take prompt corrective action to respond to and remedy any Security 13 Breach and take reasonable mitigating actions, including but not limiting to, preventing any 14 reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as a 15 result of such incident, all at Commvault's sole expense, in accordance with applicable privacy 16 rights, laws, regulations and standards. Commvault shall reimburse the County for all reasonable 17 costs incurred by the County in responding to, and mitigating damages caused by, any Security 18 Breach, including all costs of the County incurred in relation to any litigation or other action 19 described in subsection D. (5) of this Exhibit B. to the extent applicable: (1)the cost of providing 20 affected individuals with credit monitoring services for a specific period not to exceed twelve (12) 21 months, to the extent the incident could lead to a compromise of the data subject's credit or credit 22 standing; (2) call center support for such affected individuals for a specific period not to exceed 23 thirty (30) days; and (3)the cost of any measures required under applicable laws. 24 E. Oversight of Security Compliance. 25 (1) Commvault shall have and maintain a written information security policy that specifies 26 Security Safeguards appropriate to the size and complexity of Commvault's operations and the 27 nature and scope of its activities. 28 (2) Upon the County's written request, to confirm Commvault's compliance with this Exhibit B-7 Exhibit B — Data Security 1 B, as well as any applicable laws, regulations and industry standards, Commvault grants the 2 County or, upon the County's election, a third party on the County's behalf, permission to perform 3 an assessment, audit, examination or review of all controls in Commvault's physical and technical 4 environment in relation to all Personal Information that is Used by Commvault pursuant to this 5 Agreement. Commvault shall fully cooperate with such assessment, audit or examination, as 6 applicable, by providing the County or the third party on the County's behalf, access to all 7 Authorized Employees and other knowledgeable personnel, physical premises, documentation, 8 infrastructure and application software that is used by Commvault for Personal Information 9 pursuant to this Agreement. In addition, Commvault shall provide the County with the results of any 10 audit by or on behalf of Commvault that assesses the effectiveness of Commvault's information 11 security program as relevant to the security and confidentiality of Personal Information Used by 12 Commvault or Authorized Persons during the course of this Agreement under this Exhibit B. 13 (3) Commvault shall ensure that all Authorized Persons who Use Personal Information 14 agree to the same restrictions and conditions in this Exhibit B. that apply to Commvault with 15 respect to such Personal Information by incorporating the relevant provisions of these provisions 16 into a valid and binding written agreement between Commvault and such Authorized Persons, or 17 amending any written agreements to provide same. 18 F. Return or Destruction of Personal Information. 19 Upon the termination of this Agreement, Commvault shall, and shall instruct all Authorized 20 Persons to, promptly return to the County all Personal Information, whether in written, electronic or 21 other form or media, in its possession or the possession of such Authorized Persons, in a machine 22 readable form used by the County at the time of such return, or upon the express prior written 23 consent of the Director, securely destroy all such Personal Information, and certify in writing to the 24 County that such Personal Information have been returned to the County or disposed of securely, 25 as applicable. If Commvault is authorized to dispose of any such Personal Information, as provided 26 in this Exhibit B, such certification shall state the date, time, and manner(including standard) of 27 disposal and by whom, specifying the title of the individual. Commvault shall comply with all 28 reasonable directions provided by the Director with respect to the return or disposal of Personal B-8 Exhibit B — Data Security 1 Information and copies thereof. If return or disposal of such Personal Information or copies of 2 Personal Information is not feasible, Commvault shall notify the County accordingly, specifying the 3 reason, and continue to extend the protections of this Exhibit B to all such Personal Information 4 and copies of Personal Information. Commvault shall not retain any copy of any Personal 5 Information after returning or disposing of Personal Information as required by this section F. 6 Commvault's obligations under this section F survive the termination of this Agreement and apply 7 to all Personal Information that Commvault retains if return or disposal is not feasible and to all 8 Personal Information that Commvault may later discover. 9 G. Equitable Relief. 10 Commvault acknowledges that any breach of its covenants or obligations set forth in this 11 Exhibit B may cause the County irreparable harm for which monetary damages would not be 12 adequate compensation and agrees that, in the event of such breach or threatened breach, the 13 County is entitled to seek equitable relief, including a restraining order, injunctive relief, specific 14 performance and any other relief that may be available from any court, in addition to any other 15 remedy to which the County may be entitled at law or in equity. Such remedies shall not be 16 deemed to be exclusive but shall be in addition to all other remedies available to the County at law 17 or in equity or under this Agreement. 18 H. Indemnification. 19 Commvault shall defend, indemnify and hold harmless the County, its officers, employees, 20 and agents, (each, a "County Indemnitee")from and against any and all infringement of 21 intellectual property including, but not limited to infringement of copyright, trademark, and trade 22 dress, invasion of privacy, information theft, and extortion, unauthorized Use, Disclosure, or 23 modification of, or any loss or destruction of, or any corruption of or damage to, Personal 24 Information, Security Breach response and remedy costs, credit monitoring expenses, forfeitures, 25 losses, damages, liabilities, deficiencies, actions,judgments, interest, awards, fines, and penalties 26 (including regulatory fines and penalties), costs or expenses of whatever kind, including attorney's 27 fees and costs, the cost of enforcing any right to indemnification or defense under this Attachment 28 "A" and the cost of pursuing any insurance providers, arising out of or resulting from any third party B-9 Exhibit B — Data Security 1 claim or action against any County Indemnitee in relation to Commvault's, its officers, employees, 2 or agents, or any Authorized Employee's or Authorized Person's, performance or failure to perform 3 under this Attachment "A" or arising out of or resulting from Commvault's failure to comply with any 4 of its obligations under this section H. The provisions of this section H do not apply to the acts or 5 omissions of the County. The provisions of this section H are cumulative to any other obligation of 6 Commvault to, defend, indemnify, or hold harmless any County Indemnity under this Agreement. 7 The provisions of this section H shall survive the termination of this Agreement. 8 I. Survival. 9 The respective rights and obligations of Commvault and the County as stated in this Exhibit 10 B shall survive the termination of this Agreement. 11 J. No Third Party Beneficiary. 12 Nothing express or implied in the provisions of in this Exhibit B is intended to confer, nor 13 shall anything herein confer, upon any person other than the County or Commvault and their 14 respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. 15 L. No County Warranty. 16 The County does not make any warranty or representation whether any Personal Information in 17 Commvault's (or any Authorized Person's) possession or control, or Use by Commvault (or any 18 Authorized Person), pursuant to the terms of this Agreement is or will be secure from unauthorized 19 Use, or a Security Breach or Privacy Practices Complaint. 20 21 22 23 24 25 26 27 28 B-10 Exhibit C Scope of Work Self-Dealing Transaction Disclosure Form In order to conduct business with the County of Fresno ("County"), members of a contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest." The definition above will be used for purposes of completing this disclosure form. Instructions (1) Enter board member's name, job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. The form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). C-1 Exhibit C (1) Company Board Member Information: Name: Date: Job Title: (2) Company/Agency Name and Address: (3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to) (4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code § 5233 (a) (5)Authorized Signature Signature: Date: C-2 Exhibit D Insurance Requirements 1. Required Policies Without limiting the County's right to obtain indemnification from Commvault or any third parties, Commvault, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of this Agreement. (A) Commercial General Liability. Commercial general liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. Coverage must include products, completed operations, property damage, bodily injury, personal injury, and advertising injury. Commvault shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by the County is excess only and not contributing with insurance provided under Commvault's policy. (B) Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages. Coverage must include any auto used in connection with this Agreement. (C)Workers Compensation. Workers compensation insurance as required by the laws of the State of California with statutory limits. (D) Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease. (E) Technology Professional Liability (Errors and Omissions). Technology professional liability (errors and omissions) insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate. Coverage must encompass all of Commvault's obligations under this Agreement, including but not limited to claims involving Cyber Risks. (F) Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The cyber liability policy must be endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of Commvault. Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security Breach, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) data breach; (iii) breach of any of Commvault's obligations under Exhibit B of this Agreement; (iv) system failure; (v) data recovery; (vi) failure to timely disclose data breach or Security Breach; (vii) failure to comply with privacy policy; (viii) payment card liabilities and costs; (ix) infringement of intellectual property, including but not limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy, including release of private information; (xi) information theft; (xii) damage to or destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion related to Commvault's obligations under this Agreement regarding electronic information, D-1 Exhibit D including Personal Information; (xv) fraudulent instruction; (xvi) funds transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response costs, including Security Breach response costs; (xx) regulatory fines and penalties related to Commvault's obligations under this Agreement regarding electronic information, including Personal Information; and (xxi) credit monitoring expenses. 2. Additional Requirements (A) Verification of Coverage. Within 30 days after Commvault signs this Agreement, and at any time during the term of this Agreement as requested by the County's Risk Manager or the County Administrative Office, Commvault shall deliver, or cause its broker or producer to deliver, to the County Risk Manager, at 2220 Tulare Street, 16th Floor, Fresno, California 93721, or HRRiskManagement@fresnocountyca.gov, and by mail or email to the person identified to receive notices under this Agreement, certificates of insurance and endorsements for all of the coverages required under this Agreement. (i) Each insurance certificate must state that: (1) the insurance coverage has been obtained and is in full force; (2) the County, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3) Commvault has waived its right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Agreement and that waiver does not invalidate the insurance policy. (ii) The commercial general liability insurance certificate must also state, and include an endorsement, that the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, are additional insureds insofar as the operations under this Agreement are concerned. The commercial general liability insurance certificate must also state that the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by the County shall be excess only and not contributing with insurance provided under Commvault's policy. (iii) The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Agreement. (iv) The technology professional liability insurance certificate must also state that coverage encompasses all of Commvault's obligations under this Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Agreement. (v) The cyber liability insurance certificate must also state that it is endorsed, and include an endorsement, to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of Commvault. (B) Acceptability of Insurers. All insurance policies required under this Agreement must be issued by admitted insurers licensed to do business in the State of California and possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no less than A: VII. D-2 Exhibit D (C) Notice of Cancellation or Change. For each insurance policy required under this Agreement, Commvault shall provide to the County, or ensure that the policy requires the insurer to provide to the County, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, Commvault shall, or shall cause the insurer to, provide written notice to the County not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, Commvault shall, or shall cause the insurer to, provide written notice to the County not less than 30 days in advance of cancellation or change. The County in its sole discretion may determine that the failure of Commvault or its insurer to timely provide a written notice required by this paragraph is a breach of this Agreement. (D) County's Entitlement to Greater Coverage. If Commvault has or obtains insurance with broader coverage, higher limits, or both, than what is required under this Agreement, then the County requires and is entitled to the broader coverage, higher limits, or both. To that end, Commvault shall deliver, or cause its broker or producer to deliver, to the County's Risk Manager certificates of insurance and endorsements for all of the coverages that have such broader coverage, higher limits, or both, as required under this Agreement. (E) Waiver of Subrogation. Commvault waives any right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under the policy of worker's compensation insurance required by this Agreement. Commvault is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but Commvault's waiver of subrogation under this paragraph is effective whether or not Commvault obtains such an endorsement. (F) County's Remedy for Contractor's Failure to Maintain. If Commvault fails to keep in effect at all times any insurance coverage required under this Agreement, the County may, in addition to any other remedies it may have, suspend or terminate this Agreement upon the occurrence of that failure, or purchase such insurance coverage, and charge the cost of that coverage to Commvault. The County may offset such charges against any amounts owed by the County to Commvault under this Agreement. (G)Subcontractors. Commvault shall require and verify that all subcontractors used by Commvault to provide services under this Agreement maintain insurance meeting all insurance requirements provided in this Agreement. This paragraph does not authorize Commvault to provide services under this Agreement using subcontractors. D-3 Exhibit E Commvault Master Terms & Conditions Should there be any inconsistency between these Master Terms and Conditions and the Agreement and its Exhibits A through D, the Agreement and its Exhibits A, C and D shall take precedence. Should there be inconsistency between the terms and conditions between this Exhibit E and Exhibit B of the Agreement, this Exhibit E shall take presence.. 1. Solutions. These Master Terms and Conditions (the "Terms") apply to the County's use of Commvault's software or software-as-a-service and any related product documentation (together, the "Solutions)." • Software. These terms apply to Commvault's on-premise software ("Software)." • Software-as-a-Service. These terms apply to Commvault's "SaaS Solution." 2. County Use. The County is responsible for ensuring that it maintains and operates the information technology infrastructure from which the Solutions copy, back up, maintain, and transfer the County's data including databases, applications, files, software, computers, servers, network hardware, or any other device (collectively, the "County Environment") and determining whether the Solutions meet the County's technical, business or regulatory requirements. Commvault will cooperate with the County's efforts to determine whether use of the Solutions is consistent with those requirements. If the County elects to use either of the Solutions for archiving purposes, the County shall create, and maintain backups of, a secondary copy of all archived data. The County's shall not: (i) interfere with the proper working of the Solutions or, if applicable, impose an unreasonably large load on Commvault's infrastructure; (ii) copy, modify, disassemble, decompile or reverse engineer any part of the Solutions or apply any other process or procedure to derive source code or functionality of any software included in the Solutions; (iii) violate or infringe upon any third-party right, including any intellectual property right or right of privacy; (iv) initiate a denial of service attack, software viruses or other harmful or deleterious computer code, files or programs; (v) use the Solutions in order to build a similar or competitive application or service; or (vi) violate any applicable laws. 3. County Acknowledgments. The County acknowledges and agrees (i) effective security is dependent on multi-layered, multi-faceted combination of solutions, deployed and managed in accordance with appropriate policies and procedures consistently applied, (ii) the quality of data, other output and strength of the County's threat detection program are dependent on the configuration and deployment of the deceptive environment by the County and its Authorized Users, (iii) no individual element alone is sufficient to detect and prevent all security threats, as a result Commvault does not warrant and disclaims liability that all security threats will be detected and prevented by the Solutions and (iv) the County is solely responsible for maintaining, including without limitation, implementing updates and patches, all software and hardware which is utilized by or integrated with the Solutions. 4. Intellectual Property. The County agrees that Commvault-owned or licensed hardware, software, code, trademarks, trade secrets, proprietary methods and systems used to provide the Solutions (collectively, the "Commvault Technology") and the content made available or displayed by Commvault through the Solutions, including all text, graphics, images, trade names, service E-1 Exhibit E marks, product names, and the look and feel of the Solutions (collectively, the "Commvault Content") are owned by or licensed to Commvault. Other than the authorizations or licenses expressly granted by Commvault to the County in these Terms, no assignment or other transfer of ownership or any other rights shall be conferred or vest in and to the Commvault Technology or the Commvault Content to the County, either by implication, estoppel, or otherwise. 5. Professional Services. Commvault may provide "Professional Services" which may be further described in a separate document. The County acknowledges that all right, title and interest to any and all work or work products developed or produced during the performance of Professional Services are the sole property of Commvault. "Work or work product" means all ideas, concepts, know-how, techniques, inventions, discoveries, improvements, secret processes, trade secrets, trademarks, patentable, copyrightable subject matter or any other work developed or produced during the performance of the Professional Services, whether individually by Commvault or jointly with the County. The County is solely responsible for the protection of its legacy data during any Professional Services engagement. Commvault shall, at its own expense, purchase and maintain insurance for the duration of any Professional Services engagement. To the extent permitted by law and except for general employment solicitation practices, the County agrees that it will not solicit for employment, or employ directly or indirectly, any employee of Commvault involved in a Professional Services engagement during such engagement, or for a period of twelve (12) months thereafter, without Commvault's consent. the County acknowledges that the Professional Services will not customize or alter the value or functionality of any Software and no development activity will be included as part of Professional Services. Acceptance of any Software is not contingent upon the performance of the Professional Services. If the County purchases Commvault's remote managed services these terms shall apply. 6. Free Solutions. Commvault may provide the County with a thirty (30)-day free trial or evaluation of the Solutions for non-production purposes (a "Trial"). Commvault may deactivate the Trial upon written notice. The Trial and related solutions are provided "as is" and without representation, warranty, liability or indemnification obligations. Commvault is under no obligation to retain the County data during a Trial. The County will uninstall and destroy or return any solution upon expiration of a Trial. To the extent a Trial includes hardware and hard drives (together, the "Hardware"), the County agrees to return the entirety of the Hardware in the same working condition upon expiration of the Trial or pay Commvault's then-current fees for the Hardware or any damage thereto. Additionally, and to the extent a Trial is a "Try and Buy," the County shall issue acceptance and a purchase order for the Solution prior to shipment of the Hardware for the Trial. If the County has good reason to reject the Solution during the Trial, the County shall arrange for the return of the Solutions within five (5) days of expiration of Trial (the "Return Period"). If the County has not returned the Solutions during the Trial or Return Period, the Solutions and/or Hardware shall be deemed accepted and purchased. 7. Diagnostics & Feedback. Commvault may collect or receive: (i)technical data, such as logs, reports and error messages, (ii) limited personal data, such as names and business contact details, (iii) reports and surveys regarding the County's use of the Solutions which may include geolocation data ("Reporting"), and (iv) network architecture or security threat data (collectively, "Diagnostic Data") through the Solutions. Reporting may be disabled by the County at any time via the dashboard. Further, the County may provide Commvault with reports, comments, suggestions or ideas relating to the Solutions ("Feedback"). The County agrees Commvault is free to disclose and use any Feedback, and derivatives thereto, and the County does not obtain any intellectual property or any other right, title or interest in or to any aspects of the Solutions. The County grants Commvault a worldwide, non-exclusive, royalty-free, fully-paid up, transferable and E-2 Exhibit E sublicensable right to use, reproduce, and modify Diagnostic Data in an anonymized manner. 8. Confidentiality. By the nature of Commvault's services, Commvault and its the County regularly share confidential, proprietary information with each other. "Confidential Information" means any and all information and material disclosed by one party (the "Discloser") to the other party (the "Recipient") including but not limited to the County Data, trade secrets, know-how, inventions, techniques, processes, programs, ideas, algorithms, formulas, schematics, testing procedures, software design and architecture, computer code, internal documentation, product documentation design and functional specifications, product requirements, problem reports, performance information, documents, and other technical, business, product, marketing, customer, financial information, or any other information the Recipient knows or ought to is confidential due to its nature. Recipient shall hold all Confidential Information in strict confidence and take the same degree of care that it uses to protect its own confidential information (but in no event less than reasonable care) to protect the confidentiality thereof. Confidential Information does not include information that (i) is or becomes generally known by the public, (ii) was or becomes available to a party on a non-confidential basis from a person not otherwise bound by the Terms or is not otherwise known to be prohibited from transmitting the information, or(iii) is independently developed by the parties, provided that the party claiming an exception shall have the burden of establishing such exception. Should there be any inconsistency between these Master Terms and the Agreement and its Data Security Exhibit, the Agreement and Data Security Exhibit shall take precedence. 9. Commvault Warranty. Commvault warrants that the Solutions, Professional Services, support and maintenance shall be provisioned and performed in a diligent, prompt and professional manner by personnel with the requisite knowledge, skills expertise and training. Any Professional Services that are not of a professional quality shall be corrected by Commvault without charge, provided the County gives Commvault written notice within fifteen (15) days upon completion. Commvault shall have a reasonable period of time, based on the severity and complexity of the defect, to correct the Professional Services. Commvault shall not be obligated to correct Professional Services if such defect is the result of the County's actions or omissions. If Commvault is unable to correct the defect to the County's reasonable satisfaction, the County shall have no obligation to pay for the defective Professional Services. Commvault further warrants that it will comply with applicable law and the Solutions do not knowingly contain any malicious code or infringe upon any third-party's except as otherwise stated in any product- specific terms, the Solutions are provided "as is" without representation or warranty, whether express, implied or statutory. Commvault specifically disclaims any implied warranties of merchantability, fitness for a particular purpose, non-infringement, title and quiet enjoyment or from a course of dealing, course of performance or usage in trade. Commvault and its licensors do not warrant that the Solutions will run properly in all IT environments, be uninterrupted or error- free, meet the County's needs or requirements, or guarantee compliance with specific law. 10. Limitation of Liability, Indemnification and Remedies • 10.1. Commvault Intellectual Property Indemnification. Commvault will indemnify, defend and hold the County harmless against third-party claims that Commvault's Solutions infringe any validly issued and enforceable patent, trademark or copyright, provided the County shall give Commvault prompt written notice of any such claim and Commvault shall have the sole authority to control the defense and settlement of the claim with counsel of its choice. Notwithstanding the foregoing, Commvault shall have no E-3 Exhibit E duty to indemnify the County or other liability to the County for any claim arising wholly or in part from: (i) any modification to the Solutions other than as approved and implemented by Commvault; (ii) implementation or use of outdated or discontinued versions of the Solutions; (iii) implementation or use of the Solutions in combination with any products or services not provided or authorized by Commvault; (iv) implementation or use of the Solutions based in any way upon compliance with an industry standard or communication protocol; (v) implementation or use of the Solutions which the County was previously aware of as being subject to a claim of infringement; (vi) the County's negligence or a more culpable act or omission, including recklessness or willful misconduct; (vii) implementation or use of Solutions which the County has not paid for; (viii) use of the Solutions in violation of these Terms; (ix) Commvault's compliance with the County's designs, specifications, or instructions; or (x) any claim for which the County is obligated to indemnify Commvault. In the event the Solutions or any portion thereof, becomes, or, in Commvault's opinion, is likely to become, subject to a claim of infringement of a third-party's intellectual property rights, Commvault may, in its sole discretion: (i) procure for the County the right to continue use of the Solutions; (ii) replace or modify the Solutions with a version that does not infringe; or (iii) if Commvault cannot accomplish (i) or(ii) using commercially reasonable efforts, terminate these Terms and the applicable ordering documents. • 10.2. Commvault Data Privacy and Security Indemnification. The Solutions may access and transfer information over the internet, and Commvault does not operate or control the internet. Viruses, worms, trojan horses and other undesirable data or components or unauthorized users (e.g., hackers) may attempt to obtain access to and damage the County data, devices and networks. Commvault is not responsible for any such activities. Commvault will indemnify, defend and hold the County harmless against third-party claims arising out of, or related to, any unauthorized, third-party access that results in compromise of unencrypted the County data backed up by the Solutions to the extent such access or compromise was caused by Commvault, provided the County shall give Commvault prompt written notice of such claim and Commvault shall have the authority to control the defense of the claim by counsel of its choice. In the event the County seeks indemnification from Commvault pursuant to this provision, the County's remedies shall be limited to actual and direct damages, excluding fines. This indemnification is conditioned on the County partnering with Commvault during any investigation of potential or actual data compromises or breaches, including remediation efforts. • 10.3. County Indemnification. The County shall indemnify, defend and hold harmless Commvault, its officers, directors, employees and agents, from and against claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees), awards, fines, or settlements arising from or relating to the County's: (i) misuse of the Solutions, (ii) failure to meet reasonable privacy and security obligations; (iii) misappropriation or infringement of a third-party's intellectual property rights; or(iv) violation of applicable law or regulation, including without limitation, data protection laws. the County's indemnification obligations include claims arising out of the acts or omissions of its contractors, employees, customers or end users, any person to whom the County grants access to the Solutions or its data, and any person who gains access to the Solutions or its data other than as a result of Commvault's actions. • 10.4. Limitation. Except as otherwise provided for herein or by applicable law, the aggregate liability of each party for all claims under these Terms is limited to direct damages up to the amount paid for the Solutions or Professional Services during the E-4 Exhibit E twelve (12) months before the cause of action arose; provided, that in no event will a party's aggregate liability exceed the amount paid for the Solutions during the Term. • 10.5. No Special or Punitive Damages. Neither party will be liable for loss of revenue or indirect, special, incidental, consequential, punitive, or exemplary damages, or damages for lost profits, revenues, business interruption, or loss of business information, even if the party knew they were possible or reasonably foreseeable. 11. General Provisions • 11.1. Export Controls and Trade Sanctions Compliance. The County's use of the Solutions is subject to compliance with U.S. and other applicable export control and trade sanctions laws, rules and regulations, including without limitation, the U.S. Export Administration Regulations, administered by the U.S. Department of Commerce's Bureau of Industry and Security ("BIS") and U.S. trade sanctions, administered by the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") (collectively, "Export Control Laws"). The County acknowledges that the Solutions may not be available in all jurisdictions and that the County is solely responsible for complying with applicable Export Control Laws related to the manner in which the County chooses to use the Solutions, including the County's transfer and processing of its data (if applicable) and the region in which any of the foregoing occur. 11.2. U.S. Government End User Provisions. Commvault provides the Solutions to federal government end users. Government technical data and software rights related to the Solutions include only those rights customarily provided to the public as defined in these Terms. This customary commercial license is provided in accordance with FAR 12.211 (Technical Data), FAR 12.212 (Software), and FAR 52.227-14 (Rights in Data) and, for Department of Defense transactions, DFAR 252.227-7013 (Technical Data — Commercial Items) and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software Documentation), as applicable. 11.3. Data Privacy. If The County is subject to: (i) GDPR, or (ii) other applicable data protection laws requiring that processing be governed by a contract, or (iii) HIPAA, the County agrees to Commvault's Data Agreements and Business Associate Agreement, as applicable. • 11.4. Third-Party Products & Services. Commvault may use third parties to assist in the provision of the Solutions and such third parties are intended beneficiaries of these Terms. As such, the Solutions may include third-party software, applications, platforms, hosted storage, messaging or communication services or API's (collectively, the "Third- Party Services"). These Third-Party Services are not offered, controlled or provided by Commvault, and may be changed, modified or discontinued by the third-party without notice. Commvault and its Third-Party Service Providers expressly disclaim any and all liability related to, or arising from, the Third-Party Services, including the County's use thereof, or any updates, modifications, outages, delivery failures, corruptions, discontinuance or termination of services by the Third-Party Service. Commvault is not responsible or liable for the manner in which Third-Party Services transmits, accesses, processes, stores, uses or provides data to Commvault. For a list of open source and third party licensing notices, please navigate here. • 11.5. Publicity. The County grants Commvault the limited right to use its company name and logo as a reference for marketing and promotional purposes on Commvault's website and in other public and private communications. If the County does not wish to E-5 Exhibit E grant these limited rights, the County may opt-out by emailing custom erchampionsCabcommvau It.com. • 11.6. Modifications. Commvault may, from time to time, upgrade, update, or discontinue the Solutions, or portions or versions thereof, to provide ongoing innovation in the form of new services, features and functionality. Upon Commvault's notification, the County may be responsible for installation of certain upgrades or updates. In the event of any material modifications, Commvault will notify the County of such change by emailing the e-mail address the County provides to Commvault or sending a message through Commvault's platforms. 11.7. Assignment. Neither party may assign these Terms, in whole or in part, without the other party's prior written consent. Any attempt to assign these Terms other than as permitted herein will be null and void. The County's right to use the Solutions, including any allotment of storage capacity or end users, shall not extend to acquired entities, in whole or in part, or new entities established as a result of an acquisition. In such event, the fees set forth in the order form shall be adjusted. Without limiting the foregoing, these Terms will inure to the benefit of and bind the parties' respective successors and permitted assigns. • 11.8. Audits. Commvault may, upon forty-five (45) days notice and no more than once every twelve (12) months, audit the County's installation and use of the Solutions to ensure the County is in compliance with these Term and the applicable order form. Any such audit shall not unreasonably interfere with the County's normal business operations. The County agrees to cooperate with Commvault's audit and to provide reasonable assistance and access to information reasonably requested by Commvault. The performance of the audit and any non-public the County data obtained during the audit (including findings or reports that result from the audit) shall be considered confidential information. If the audit identifies non-compliance, the County agrees to remedy such non-compliance within thirty (30) days of written notification of that non- compliance (which may include, without limitation, the payment of any fees for additional Solutions). the County agrees that Commvault shall not be responsible for any of the County's costs incurred in cooperating with the audit. • 11.9. Force Maieure. Except for the County's obligation to pay fees, the parties shall not be liable for any failure or delay in the performance of its obligations hereunder caused by forces beyond its control, including, but not limited to the following, acts of God, nature or war; acts, rules, regulations or orders of or issued by any governmental authority; riots, strikes or lockouts; utility or telecommunication failures; pandemics; or failure or outages of third-party service providers, it being understood that the parties shall use reasonable efforts to resume performance as soon as practical under the circumstances. • 11.10. Other Provisions. These Terms, Commvault's Privacy Policy, and the applicable order forms are an agreement between the County on behalf of its affiliates and subsidiaries, as identified in the applicable order forms or as an end user of the Solutions, and Commvault Systems, Inc., including its affiliates and subsidiaries. Each party represents and warrants they have the authority to enter into this agreement. Any preprinted terms in a purchase order are of no force and effect. The parties are independent contractors and will have no authority to assume or create any obligation or responsibility on behalf of each other. If any provision of these Terms is invalid or unenforceable under applicable law, then such terms will be changed, interpreted or severed, as appropriate to accomplish the objectives of such provision to the greatest extent possible under applicable law in order to protect the drafter, and the remaining provisions continue in full force and effect. No waiver of any term herein shall be E-6 Exhibit E deemed a further or continuing waiver. The sections of these Terms that ought to survive due to their nature shall survive any termination or expiration of these Terms and remain in full force and effect. SAAS Solution Terms & Conditions 1. Getting Started. The County will register a Commvault account and provide Commvault with accurate and complete information (the "County Account"). The County may authorize one or more of its employees, consultants, vendors or agents (collectively, "Authorized Users") to access and use the SaaS Solution on the County's behalf. Each Authorized User will establish or be provided a username and password, and may also establish or be provided other access credentials, such as an encryption key (the "Access Credentials"). The County acknowledges that its Authorized Users have full access to and management privileges of its the County Account(s) and the County Data. The term "County" is intended to include its Authorized Users for the purposes of the Terms. 2. SaaS Solution Agent. The County may be required to download or install a software agent to support the SaaS Solution. Commvault grants the County a limited, non-exclusive, non sub- licensable, non-transferable and revocable license to install, execute and use the agent solely in binary code form during the SaaS Solution Term, and access the SaaS Solution in accordance with the Privacy Policy, FAQs, website, user manuals and other information provided to assist the County in its use and operation of the SaaS Solution (the "SaaS Documentation"). During the term of the County's subscription, Commvault warrants that the SaaS Solutions shall conform with such SaaS Documentation. The County's license to the agent is co-terminus with the County's right to access and use the SaaS Solution for which the agent is required. "County Data" means the data transmitted by the County to Commvault in connection with the provision of the SaaS Solution. 3. Global Availability and Support • 3.1. Global Service and Support. Commvault is proud to administer the SaaS Solution from global geographic locations that best suit our the County's needs. Where applicable and subject to data center availability, County Data will be backed up to a data center located in the County's country of origin, or in a geographic location selected by the County. For additional information, refer to the SaaS Solution configuration portal. Commvault is pleased to provide the County with the support program for the SaaS Solution as set forth at Commvault Support. The support terms are incorporated by reference and may be modified from time to time in Commvault's sole discretion. Communications related to support of the SaaS Solution may be sent to supportCa)commvault.com. • 3.2. Global Availability. The SaaS Solution is available at least 99.9% of the time measured on a monthly basis ("Uptime"). The Uptime does not apply to any downtime due to: (i) any emergency or planned maintenance, repair, or upgrade; (ii) issues or failures with the County's or its service providers' services, applications, software, hardware or other components not supplied by Commvault; (iii) third-party attacks, intrusions, distributed denial of service attacks or force majeure events, including those at the County's site or between the County's site and data centers made available through the SaaS Solution; or (iv) the County's acts or omissions in violation of these Terms. In the event of Commvault's Uptime failure, Commvault shall: (i) use commercially reasonable efforts to provide the County with an error correction or work- E-7 Exhibit E around that corrects the Uptime failure; and (ii) provide the County with a credit as set forth in the table below (a "Service Credit"), provided such Service Credit is approved by Commvault, such approval not to be unreasonably withheld. For the avoidance of doubt, service providers are not eligible for Service Credits. Within thirty (30) days of the downtime incident, the County must submit a Service Credit claim to Commvault with all information necessary for Commvault to validate such claim, including: (i) a detailed description of the incident; (ii) information regarding the time and duration of the downtime; and (iii) a description of the attempts to resolve the incident. Service Credits will be applied to the County's next invoice. the County is not eligible for any Service Credits if the County's use of the SaaS Solution is free of charge. This is the County's sole and exclusive remedy for any Uptime failure. SaaS Solution Availability Service Credit Less than 99.9% 10% Less than 99% 25% 4. Data Privacy & Security • 4.1 Commvault Privacy and Security Program. Commvault represents and warrants that it maintains: (i) network security, business continuity and disaster recovery policies and procedures commensurate with industry best practices; and (ii) administrative, physical and technical safeguards designed to secure County Data from accidental or unauthorized access, use, alteration or disclosure. Commvault's collection, use, processing, storage and disclosure of any personal data included in County Data shall be in accordance with applicable data protection laws and Commvault's Privacy Policy. The County acknowledges that it is the County's responsibility to verify that the SaaS Solution' security and privacy protections are adequate and in compliance with all applicable laws governing the type of data included in the County Data. agrees to, and will ensure that each Authorized User will, notify Commvault. at ITCompliance(a)-commvault.com immediately upon learning of any suspicious access to its the County Account. Commvault's comprehensive privacy and security program is set forth in the Security Terms and incorporated herein by reference. • 4.2. Access. The County data privacy and security is Commvault's priority. At times, Commvault may be required to access or disclose County Data: (i) to provision the SaaS Solution to the County pursuant to these Terms; (ii) to respond to a validly issued subpoena, an investigative demand or warrant; (iii) to investigate or prevent security threats, fraud, or other illegal, malicious, or inappropriate activity; (iv) to enforce or protect Commvault's rights and properties or those of its affiliates or subsidiaries; or(v) with the informed consent of the data subject. In the event Commvault is required to access the County Data, Commvault shall not disclose the County Data to third parties without the County's consent or instruction, unless prohibited by law. 5. Term. Commvault initiates activation of the SaaS Solution upon receipt of a valid purchase order, by providing the County with access to an account (the "Activation Date"). The term of the County's subscription to the SaaS Solution shall begin on the Activation Date and continue as set forth on the applicable purchase order(the "SaaS Solution Term"). The SaaS Solution Term shall renew for an equal term unless either party provides written notice of non-renewal sixty (60) days E-8 Exhibit E prior to the renewal date. 6. County SaaS Acknowledgments. The County agrees: (i) the County is solely responsible for data retention policies and any other policy settings, schedules, and configurable parameters applied to County Data, including implementing its own specific retention policies, (ii) the County and its Authorized Users will keep Access Credentials confidential, and the County remains responsible for the acts and omissions of its Authorized Users and any activity that occurs under its the County Account(s) using the Access Credentials; (iii) the County will use the most current version of the SaaS Solution at all times, unless otherwise agreed in writing; (iv) the County is responsible for the security of its the County Data if the County disables any encryption or other security feature within the SaaS Solution; and (v) the County is responsible for maintaining its own internet and data connections, and components of the SaaS Solution that are accessed or used through internet connections and may be subject to the County's internet service providers fees and downtime. The County acknowledges the County Data may not be available if: (i) the County's initial backup and replication is not properly completed by the County; (ii) the County deletes the County Data and does not restore it after deletion pursuant to the County's data retention policies; (iii) the County selects incorrect or inappropriate retention policies within the SaaS Solution; (iv) the County's IT environment is unable to secure a connection with Commvault's servers or network; or (v) the County fails to follow Commvault's technical requirements and the Documentation for utilizing the SaaS Solution, including installing updates, or failing to periodically test the County's backups and restores, or ensure that the County Data is protected and not otherwise corrupted. Commvault Software Terms & Conditions 1. Getting Started. Commvault grants the County a limited, non-exclusive,non sub-licensable, and non-transferable license to install, execute and use the Software (including Software embedded in any hardware, if applicable) solely in binary code form during the Software Term (defined below), in accordance with the applicable ordering documents, Commvault's Privacy Policy, FAQs, website, user manuals and other information provided to assist the County in its use and operation of the Software (collectively, the "Software Documentation"). The Software is licensed, not sold and except as set forth herein, all sales of Software are final, non-returnable and non-refundable. Acceptance of the Software occurs upon delivery. Software license key(s) are electronically delivered by Commvault. Any Software license acquired by virtue of the County's use or purchase of hardware shall be limited to the hardware upon which the Software was originally installed. The County may be required to periodically reapply Software license keys during the Software Term which Commvault shall provide. The County may make a copy of the Software solely for back-up purposes, provided such back-up copy is used only as a replacement for the original copy on the same hardware upon which the Software was originally installed. The County may use the Software solely for its internal data center operations. 2. Capacity. The County shall activate and maintain the reporting features of any capacity-based Software and provide usage reports to Commvault upon request. In the event the County's use of limited capacity-based Software exceeds capacity, the County shall be obligated to pay Commvault, directly or through its authorized reseller, for all excess usage. Software purchased on a capacity-basis may cease to operate and perform if the County exceeds capacity. If the County purchases unlimited capacity Software for itself and/or its affiliates and subsidiaries: (i) the Software may be used by the County's affiliates and subsidiaries in the territory set forth in the order forms only, (ii) the County assumes all liability for those affiliates and subsidiaries, and (iii) upon acquisition of the County's business by another entity, the unlimited capacity Software E-9 Exhibit E license shall terminate, and the County will retain a limited license for the Software then-deployed in the County's environment for the remainder of the Software Term. 3. Maintenance & Support. Commvault provides support and maintenance for the Software as set forth here at Commvault's then-current pricing. If the County purchases support and maintenance, it must do so for all Software in County's Environment. Maintenance and support commence upon delivery of the Software, if applicable. 4. Commvault Software Warranty. Commvault warrants that the Software shall substantially perform in accordance with the user documentation for a period of ninety (90) days from the date of delivery (the "Warranty Period"). During the Warranty Period, if the Software is defective, the County must immediately notify Commvault in writing, and Commvault, in its discretion, will either: (i) repair or replacement the defective Software; or(ii) return prorated fees paid by the County for the defective Software, in which case the County shall uninstall and return or destroy the defective Software. 5. Term. The term of the County's license to the Software shall begin on the date the Software is delivered and continue as set forth in the applicable order form (the "Software Term"), except where such license is perpetual. Upon expiration of the Software Term, the County may use a limited recovery version of the Software solely for recovering data backed up by the Software during the Software Term. The Commvault Master Terms & Conditions set forth herein are the current terms and conditions governing the use of Commvault's software, services and solutions. These terms, as updated, shall replace and consolidate any prior terms under an End User License Agreement or Terms of Service that a customer may have with Commvault. Last Updated: June 6th 2023 Security Terms 1. Regulatory Compliance Commvault shall ensure compliance with all laws and regulations governing County Data, including without limitation, obtaining consents from, and providing disclosures to, data subjects and end users with respect to data security and privacy. Commvault has implemented reasonable security measures as described herein and in relevant documentation. 2. Confidentiality By the nature of Commvault's services, Commvault and the County regularly share confidential, proprietary information with each other. "Confidential Information" means any and all information and material disclosed by one party (the "Discloser") to the other party (the "Recipient") including but not limited to Customer Data, trade secrets, know-how, inventions, techniques, processes, programs, ideas, algorithms, formulas, schematics, testing procedures, software design and architecture, computer code, internal documentation, design and functional specifications, product requirements, problem reports, performance information, documents, and other technical, business, product, marketing, customer, financial information, or any other information the Recipient knows or ought to is confidential due to its nature. Recipient shall hold all Confidential Information in strict confidence and take the same degree of care that it uses to protect its own confidential information (but in no event less than reasonable care) to protect the confidentiality thereof. Confidential Information does not include information that (i) is or becomes generally E-10 Exhibit E known by the public, (ii) was or becomes available to a party on a non-confidential basis from a person not otherwise bound by the Terms or is not otherwise known to be prohibited from transmitting the information, or (iii) is independently developed by the parties, provided that the party claiming an exception shall have the burden of establishing such exception. 3. Security Compliance 3.1 Security Measures. Commvault has implemented and will maintain a security program that leverages a combination of the ISO/IEC 27000-series of control standards, NIST 800-30/CSF, and Information Security Forum ISF best practices. Commvault represents and warrants that the SaaS Solution is compliant with CJIS controls, FIPS 1401-2, SOC 2 Type II and PCI. Commvault regularly tests, assesses and evaluates the effectiveness of its technical and organizational measures set forth below and performs annual penetration and security incident response testing on the SaaS Solution. Commvault partners with Microsoft Azure and Oracle for hosted storage. The technical and organizational measures set forth by Microsoft Azure can be found here and by Oracle here. 3.2 Physical Security. Commvault's web applications, communications, and database servers are located in secure facilities with security measures including but not limited to: (i) access authorization and documentation for employees and third parties, (ii) regulation and restriction of physical and digital access credentials, (iii) maintaining electronically-locked doors and separate cages within facilities (e.g., production and development), (iv) logging, monitoring, and tracking access to all facilities with electronic and CCTV video surveillance by personnel, and (v) protecting all facilities with security alarm systems and user-related authentication procedures, including biometric authentication in some instances, and electronic access cards. 3.3 Technical Security. Commvault has implemented measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. For our security and yours, we do not list these technical security measures publicly. For specific details, please contact us at SOC(o)-commvault.com. 3.4 Organizational Security. Commvault has implemented organizational measures that limit employees' access to data based on the scope of their roles and responsibilities and respective access permissions and authorizations. For our security we do not list these organizational security measures publicly. For specific details, please contact us at SOC(a-)-commvault.com. 3.5 Encryption. The SaaS Solution uses firewalls, zero-trust access controls, and encryption algorithms and keys to protect County Data, both in transit and at rest, and web-based access to account management interfaces by Commvault employees. Commvault uses end-to-end encryption of screen sharing for remote access, support, and real time communication. Integrity checks are conducted to monitor the completeness and correctness of the transfer of County Data. 3.6 Personal Data. Commvault has implemented an authorization policy for the input of personal data into memory, as well as the reading, alteration, and deletion of stored personal data including documentation and logging of material changes to account data and settings; segregation and protection of all stored personal data via database schemas, logical access controls and encryption; utilization of user identification credentials; physical security of data processing facilities; and session time outs. Exhibit E 3.7 Restricted Access. Commvault restricts access to County Data by individual appointment of system administrators; registration of access logs to the infrastructure securely retained; regular audits of system activity to assess compliance with assigned tasks, data controller's instructions, and applicable laws, and maintenance of system administrators' identification details (e.g. name, surname, function or organizational area) and responsibilities. 3.8. Business Continuity & Disaster Recovery Plan. Commvault has implemented measures to ensure County Data is protected from accidental destruction or loss by creating a business continuity and disaster recovery plan, maintaining global and redundant infrastructure, rapid failover capability, and full capacity disaster recovery sites and testing of disaster recovery centers. 3.9. Security Notification. Unless otherwise required by law, regulation or law enforcement, Commvault agrees to notify the County of any Security Breach of Customer Data within seventy- two (72) hours following Commvault's discovery thereof. "Security Breach" means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to unencrypted personal data. Commvault Privacy Policy What Data We Collect We are provided with data when our products and services (together, the "Solutions") and our websites or portals (either, "Websites" or"Portals") are purchased, used, or accessed. Types of Data Data that identifies, or can reasonably be used to identify, a person or household, either directly or indirectly ("Personal Data") including: • Name and business contacts (email address, physical address, phone number, title, company) • Stored data protected by our Solutions • Transactional data necessary for us to make and receive payments and deliver the Solutions • Information submitted to us by completing forms on our Websites or Portals, entering a promotion or survey, subscribing to, commenting on, or downloading information from our Websites or Portals, or employment candidate applications • Recruitment data, as permitted by law, including civil/marital status, date of birth, personal contact information, national ID number, immigration information, driving E-12 Exhibit E license, languages spoken, next-of-kin/dependent/emergency contact information, details of any disabilities, resumes and CVs, interview and assessment data, vetting and verification information (e.g., credit, education, financial sanction and background checks), the outcome of your application, employment offer details, and other informal data (e.g., opinions generated during the application process) • Online behavior and preferences collected via cookies and other tracking technologies • Technical data including electronic identifiers, license entitlement, IP addresses, type of domain names and operating systems, logs, time stamps of usage activities, account modification and authentication metrics, device identifier, geolocation data, browser type and language, access times, encrypted passwords and security questions, account history, and other unique identifiers • Demographic information such as your age, gender, country, interests, and preferences, including preferences related to marketing and communications • Audio-visual data, where applicable and legally permissible, including CCTV footage of our offices or call recordings Why We Use Data Commvault uses data, including Personal Data, for a variety of purposes, including: • Delivery and optimization of our Solutions • Providing best-in-class support for our Solutions • Optimizing and personalizing the user experience • Security, auditing, and marketing purposes • Processing payments, invoicing and collections • Recruitment and hiring practices • Business analytics • Communications about our Solutions, such as renewal notifications or events • With your consent and if we intend to use your data for purposes outside the scope of this Privacy Policy, or other applicable legal basis, we will seek your consent • Where necessary to perform or enforce a contract or comply with law • Our legitimate business interests, for example, enhancing our Solutions. Prior to taking such actions, we conduct an assessment to ensure our interests do not override your data privacy rights To the extent permitted by applicable law, Commvault may use, process, transfer, and share your data in an anonymous, automated, and aggregated manner. We may combine such data with other information collected, including information from third-party sources. By using the Solutions, you acknowledge that we may collect, use, share and store anonymized and aggregated data for benchmarking, analytics, metrics, research, reporting, machine learning and other legitimate business purposes. How We Use Cookies, Web Beacons, and Other Technologies Our Websites and Portals use cookies, web beacons, and other similar technologies to improve E-13 Exhibit E the user experience. Cookies are small text files placed on a computer by a web server when browsing online and are used to store user preference data so a web server doesn't have to repeatedly request this information. You can review and modify your cookie preferences by clicking on `Cookie Preferences' at the footer of the page. However, you may not be able to access all or parts of our Solutions, Websites, or Portals if you block certain cookies.A web beacon is a small pixel incorporated into a web page or email to keep track of activity on the page or email and helps us manage the content of our Websites by informing us of what content is effective. Do Not Track Commvault does not change its practices in response to Do Not Track signals from web browsers. When & Why We Share Your Personal Data We do not and will not sell Personal Data to marketers or other vendors and we do not access the data protected by our Solutions for marketing or other purposes outside the scope of our Commvault's Master Terms & Conditions and the applicable Data Agreements. For the purposes of the California Consumer Protection Act, the categories of data Commvault may share include identifiers, customer records information, commercial information, internet or other network or device activity, and geolocation data. Commvault may share data or categories of data for the reasons set forth herein with: • Commvault Affiliates. Commvault may share data with its affiliates where necessary for administrative purposes or to deliver our Solutions. • Partners. Partners provide us with theirs and their customers' data as part of marketing, sale and delivery of the Solutions. Partner represents and warrants they have authorization or the required legal basis to obtain and share such data, including Personal Data, with us. • Contractors and Service Providers. Commvault may share data, including Personal Data, with contracted third-party service providers ("Service Providers"). These Service Providers include business partners, payment services, advertising networks, IT and security service providers, auditors and consultants, customer survey companies, staffing and recruiting agencies, and cloud solutions and storage providers. Service Providers with whom we share Personal Data are contractually bound to use and disclose such Personal Data only for the permitted purposes and to provide the same level of protections as required by the relevant Data Privacy Framework (including onward transfer provisions). We require all our Service Providers to use reasonable security measures to protect Personal Data from unauthorized access and use. • Legal Purposes. Commvault may share data, including Personal Data, as necessary to comply with applicable laws, court orders, governmental agencies or other lawful requests by public authorities, including to meet national security or law enforcement requirements as well as to protect our security or integrity and that of our customers and partners, or to take precautions against legal liability. E-14 Exhibit E • Sale. In the event of a merger, consolidation, or acquisition of all, substantially all or a portion of Commvault's business or assets, you acknowledge and agree that data may be securely shared, disclosed, and transferred to such successor or assignee. Retention of Data We may retain data, including Personal Data, for as long as necessary to deliver the Solutions or as needed for other lawful purposes. When your data is no longer required, we ensure it is destroyed in a secure manner. We may retain anonymized or aggregated data indefinitely or to the extent permitted under applicable law. Global Data Management Commvault Systems, Inc. is located in the U.S. and has global offices. We act as: (i) a data controller when we collect and process Personal Data for our legitimate business interests, and (ii) a data processor when we provide certain Solutions to you as the data controller, joint-data controller, or joint-data processor. Commvault Systems International BV located at Papendorpseweg 75-79, 3528 BJ Utrecht, Netherlands serves as our main establishment for the European Union ("E.U."). Commvault manages your data in compliance with the E.U.'s General Data Protection Regulation ("GDPR") and other applicable data privacy and security laws. By using the Solutions, Websites or Portals or by providing Personal Data to us, you acknowledge that Personal Data may be sent to and processed in countries outside your country of residence. For individuals residing in the European Economic Area ("EEA") and for Personal Data subject to GDPR, this may include transfers outside of the EEA. Some of these countries may not have data protection laws that provide an equivalent level of data protection as the laws in your country of residence, however we take steps to ensure Personal Data is handled in accordance with this Privacy Policy and all applicable laws. Commvault transfers data from the EEA pursuant to Standard Contractual Clauses, as approved by the European Commission (Art. 46 GDPR). If you are located in the EEA and would like to execute Standard Contractual Clauses with Commvault, please visit Data Agreements. Data Privacy Framework Compliance Statements Commvault complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Commvault has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Commvault has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss- U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF E-15 Exhibit E Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, please visit https://www.dataprivacyframework.gov. Note that Commvault's certifications to the DPF is currently pending review and acknowledgment by the Department of Commerce. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss- U.S. DPF, Commvault commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. The Federal Trade Commission has jurisdiction over Commvault's compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss- U.S. DPF, Commvault commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Commvault using contact points indicated in the Commvault Contacts section below. If the County's Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Further information can be found on the official DPF website. Security Commvault maintains administrative, physical, and technical safeguards and security measures designed to protect data. Details of our data privacy and security program can be found in Annex II of the applicable Data Processing Agreement. However, we cannot, and we do not believe that anyone can, genuinely guarantee or warrant absolute security of Personal Data disclosed or transmitted via the Internet to us or a third party. Opt-Out You can opt-out of receiving marketing and promotional communications from Commvault by following the opt-out instructions set forth in such communication or contacting Commvault Systems, Inc. as set forth below. We will continue to process Personal Data for the purpose of delivering operational and service-related communications relating to our Solutions or policies, and other purposes as permitted by law. Exhibit E Your Rights You may have certain rights with respect to Commvault's handling of Personal Data depending on your geolocation, including without limitation: • Access. You have the right to access your Personal Data held by us. Consumers who reside in California may also request the categories of Personal Data we collect or disclose, the categories of sources of such Personal Data, the business or commercial purpose for collecting that Personal Data, and the categories of third parties with whom we share that Personal Data. • Rectification. You have the right to request correction of your Personal Data that is incomplete, incorrect, unnecessary, or outdated. • Right to be Forgotten. You have the right to request erasure of all your Personal Data that is incomplete, incorrect, unnecessary, or outdated within a reasonable period of time. We will do everything possible to erase your Personal Data if you so request. However, we cannot erase all your Personal Data if it is technically impossible due to limitations of existing technology or for legal reasons, such as legal mandates to retain Personal Data. • Restriction of Processing. You have the right to request restriction of processing your Personal Data for certain reasons, provided we do not have an overriding, legitimate interest to continue processing. • Data Portability. If requested, we will provide your Personal Data in a structured, secure, commonly used, and machine-readable format. • Right to Withdraw Consent. If your Personal Data is processed solely based on consent, and not based on any other legal basis, you can withdraw consent at any time. • Contact Data Protection Regulators. You have the right to contact data protection regulator(s) regarding our handling of Personal Data. Additionally, California law provides California consumer residents with the right to not be discriminated against (as provided for in applicable law) for exercising rights thereunder. Further, under California's "Shine the Light" law California consumer residents have the right, twice in a calendar year, to request and obtain from Commvault information about Personal Data Commvault has shared, if any, with other businesses for their own direct marketing uses. This information, if applicable, would include the categories of Personal Data and the names and addresses of those businesses with which Commvault shared Personal Data for the immediately prior calendar year (e.g., requests made in 2022 will receive information regarding 2021 sharing activities). Third Party Linking & Content The Solutions, Websites and Portals may contain links to third-party websites that Commvault does not control or maintain. We are not responsible for the privacy practices employed by these third-party websites and encourage you to read the privacy statements of such other websites before submitting any Personal Data. Our Website may contain third-party content which may include statements, opinions, advice, criticisms, offers or other information (collectively, "Third- E-17 Exhibit E Party Content").Any Third-Party Content solely reflects the opinion and belief of the respective third party and not that of Commvault. We make no endorsement, guarantee or other statement, express or implied, about Third-Party Content. You must independently evaluate any Third-Party Content if you intend to rely on it in any way. Regarding Children Commvault does not knowingly collect or distribute any Personal Data from children under 13 years old. If a child under 13 has provided Commvault with Personal Data, the parent or guardian of that child should contact Commvault immediately at Privacy(a-)-commvault.com to delete this Personal Data. Changes to Commvault's Privacy Policy As laws and best practices evolve, this Privacy Policy will change.At times we may provide privacy notices within our Solutions, Websites or Portals. By continuing to access our Websites and Portals or use our Solutions, you acknowledge and accept the Privacy Policy as updated. We encourage you to periodically review this Privacy Policy to stay informed about how we manage data. If we update this Privacy Policy, the new Privacy Policy will be posted to the website fifteen (15) days prior to the changes taking effect. If we make a material change to the Privacy Policy, you will be provided with appropriate notice in accordance with legal requirements.At such time, your continued use of the Solutions, or access to our Websites and Portals after notice of posting or notice of such changes, constitutes your agreement to the latest version of this Privacy Policy. Contact Commvault Commvault's Privacy Team can be contacted at privacyCa)-commvault.com. To exercise any of your rights, or for questions or complaints, please contact Commvault at Privacy(a-)commvault.com. We take reasonable steps to verify your identity when you exercise your rights. Please ensure that you keep your contact information up to date and accurate so that we may process your requests in accordance with applicable law and within a reasonable period of time. You may also contact us by mail: U.S. and international regions other than the EEA, U.K. or Switzerland: Commvault Systems, Inc. Attn: Legal Department/Global Data Governance Officer One Commvault Way Tinton Falls, New Jersey 07724 EEA, U.K. and Switzerland: Commvault Systems International BV E-18 Exhibit E Attn: Legal Department/Global Data Governance Officer Papendorpseweg 75-79, 3528 BJ Utrecht, Netherlands. Last Updated: May 2024 E-19