The URL can be used to link to this page

Home My WebLink AboutP-24-528 Proofpoint Inc.pdf Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 proofpoint MASTER SUBSCRIPTION AGREEMENT This Master Subscription Agreement("Subscription Agreement")is made as of the last signature date listed below("Effective Date") between Proofpoint, Inc.,a Delaware corporation,with offices at 925 W. Maude Ave, Sunnyvale,CA 94085 USA("Proofpoint")and the County of Fresno with offices at 333 W. Pontiac Way, Clovis, CA 93612 ("County"). Proofpoint is a leading cybersecurity company that helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyberattacks. Organizations of all sizes rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. The purpose of this Subscription Agreement is to create a single mechanism under which governs how the County may license Proofpoint's products. Table of Contents—This Subscription Agreement is organized into the following sections: Procurement Legal Privacy and Security IT/Business 1. License Terms 11icense Terms 4. Data Security and Privacy 2. Customer Responsibilities 5. Financial Terms 3.Confidentiality 7.Term,Termination and Expiration 6. Support and 8. Intellectual Property Indemnity Professional Services 9. Intellectual Property Rights, Licenses and Authorizations 10. Limitation of Liability 11. General 12. Definitions 1. License Terms 1.1. Customer License. Subject to the terms of this Subscription Agreement,w,grants to the County a worldwide(subject to Sections 11.2 and 11.9), non-exclusive,time-limited, non-sublicensable, non-transferable (except as otherwise set forth herein), limited license to access and/or use (as applicable) the Proofpoint Products during the Term in the quantities of Licenses specified in the applicable Purchase Order and subject to any limitations set forth in the corresponding applicable quote, solely for the County's own internal business purposes. 1.2. Warranties, Remedies and Disclaimers. 1.2.1 Each party warrants that(i) it has the legal power to enter, and perform under, this Subscription Agreement and (ii) it shall comply with all applicable laws in its performance hereunder. 1.2.2. Warranties and Remedies. (a) Performance Warranties. Proofpoint warrants that during the Subscription Term the applicable Service ("SaaS Warranty") and Software("Software Warranty")will substantially conform in all material respects to the Documentation.The County will provide prompt written notice of any non-conformity. Proofpoint may modify the Documentation in its sole discretion, provided the functionality of the Service or Software, as applicable, will not be materially decreased during the Term. The Software Warranty does not apply to: (a) Software that has been modified by any party other than Proofpoint;or(b)Software that has been improperly installed or used in a manner other than as authorized under the Subscription Agreement. The following shall be applicable in the event that the County purchases an Appliance: https://www.proofpoint.com/us/support/email-appliance-warranty-eol. (b) SaaS and Software Warranty Remedy. As the County's sole and exclusive remedy and Proofpoint's entire liability for any breach of the SaaS Warranty or the Software Warranty, Proofpoint will (a) use reasonable efforts to fix, provide a work around, or otherwise repair or replace the Service or Software,as applicable,or if Proofpoint is unable to do so, (b)terminate the license to use such component of the Service or the applicable Software and return the Subscription Fees paid to Proofpoint for such allegedly defective Service or Software, as applicable, for the period commencing from the County's notice of nonconformity through the remainder of the Initial Term or Extension Term, as applicable. 1.2.3.Warranty Disclaimers. (a) EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH ABOVE, PROOFPOINT AND PROOFPOINT LICENSORS DISCLAIM ANY AND ALL OTHER WARRANTIES,WHETHER EXPRESS, IMPLIED,OR STATUTORY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY WARRANTIES OF REGULATORY COMPLIANCE, PERFORMANCE,ACCURACY, RELIABILITY,AND NONINFRINGEMENT,TO THE EXTENT PERMITTED BY APPLICABLE LAW. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THE SUBSCRIPTION AGREEMENT. (b) PROOFPOINT DOES NOT WARRANT: (1) THE ACCURACY OF THE INTENDED EMAIL BLOCKING OF ANY MAIL MESSAGE; (11) THAT EMAIL WILL NOT BE LOST; (111) THAT THE OPERATION OF THE PROOFPOINT PRODUCTS WILL BE UNINTERRUPTED OR ERROR-FREE; (IV) THAT ALL SOFTWARE ERRORS WILL BE CORRECTED; OR (V) THAT THE PROOFPOINT PRODUCTS WILL PROTECT AGAINST ALL POSSIBLE THREATS OR ATTACKS. Proofpoint Agreement and Conditions(ver.June 2023) Page 1 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 1.3. Service Level Agreement. Proofpoint provides a Service Level Agreement ("SLA") for the applicable Proofpoint Service. The SLA is posted on Proofpoint's website at http://www.proofpoint.com/license. In the event of a breach of an SLA,as The County's sole and exclusive remedy, Proofpoint shall provide the remedy set forth in the applicable SLA as represented in Exhibit B to this Subscription Agreement. 2. County Use and Responsibilities 2.1. County Use. The County will use the Proofpoint Products in accordance with this Subscription Agreement and License restrictions and will not make the Proofpoint Products available to third parties without the express written consent of Proofpoint, except for Affiliates, consultants and advisors using Proofpoint Products solely for the benefit of the County. The County is liable for all acts and omissions of the third parties and/or Affiliates.The County may use the Documentation in connection with the License granted hereunder. The County may not use or access the Proofpoint Products for the purposes of product evaluation, benchmarking or other comparative analysis intended for publication outside the County's organization without Proofpoint's prior written consent. Restrictions.The County specifically agrees not to: (i)infringe or violate the intellectual property rights of any third party or any rights of publicity or privacy; (ii)violate any law,statute, ordinance, or regulation (including, but not limited to,the laws and regulations unfair competition, anti-discrimination, and/or false advertising or misuse of Proofpoint Products in violation of this subsection); (iii)propagate any virus,worms,Trojan horses,or other programming routine intended to damage any system or data; (iv)resell,sublicense, lease, time-share or otherwise make a Proofpoint Product(including the Documentation)available to any third party; (v)attempt to gain unauthorized access to, or disrupt the integrity or performance of, a Proofpoint Product or the data contained therein (including but not limited to hacking or penetration testing Proofpoint's systems); (vi)modify,copy or create derivative works based on a Proofpoint Product; (vii)decompile,disassemble, reverse engineer or otherwise attempt to derive source code from a Proofpoint Product,in whole or in part; (viii)access a Proofpoint Product for the purpose of building or using in connection with a competitive product or service or copying its features or user interface;and/or(ix)file copyright or patent applications that include the Proofpoint Products and/or Documentation or any portion thereof. 3. Confidentiality 3.1. Receiving Party shall not(i)disclose any Confidential Information of the Disclosing Party to any third party, except as otherwise expressly permitted herein,or(ii)use any Confidential Information of Disclosing Party for any purpose outside the scope of the Subscription Agreement,except with Disclosing Party's prior written consent.The Receiving Party shall not make Confidential Information available to any of its employees or consultants except those that have agreed to obligations of confidentiality at least as restrictive as those set forth herein and have a"need to know"such Confidential Information. The Receiving Party agrees to hold the Disclosing Party's Confidential Information in confidence and to take all precautions to protect such Confidential Information that the Receiving Party employs with respect to its own Confidential Information of a like nature, but in no case shall the Receiving Party employ less than reasonable precautions. The Subscription Agreement will not be construed to prohibit disclosure of Confidential Information to the extent that such disclosure is required to by law or valid order of a court or other governmental authority; provided, however, to the extent permitted by law,the responding party shall give prompt written notice to the other party to enable the other party to seek a protective order or otherwise prevent or restrict such disclosure and, if disclosed,the scope of such disclosure is limited to the extent possible. 3.2. The Receiving Party will return all copies of the Disclosing Party's Confidential Information upon the earlier of(i)the Disclosing Party's request, or(ii)the termination or expiration of the Subscription Agreement. Instead of returning such Confidential Information,the Receiving Party may destroy all copies of such Confidential Information in its possession; provided, however, the Receiving Party may retain a copy of any Confidential Information disclosed to it solely for archival purposes, provided that such copy is retained in secure storage and held in the strictest confidence for so long as the Confidential Information remains in the possession of the Receiving Party. 3.3. The parties acknowledge and agree that the confidentiality obligations set forth in this Subscription Agreement are reasonable and necessary for the protection of the parties' business interests,that irreparable injury may result if such obligations are breached, and that, in the event of any actual or potential breach of this Confidentiality provision,the non-breaching party may have no adequate remedy at law and shall be entitled to seek injunctive and/or other equitable relief as may be deemed proper by a court of competent jurisdiction. 4. Data Security& Privacy 4.1. Limited Use of Personal Data. Proofpoint and its subsidiaries are authorized to access and process Personal Data solely in accordance with the terms of the Subscription Agreement. Proofpoint and its subsidiaries shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to the Personal Data and will ensure access is strictly limited to those individuals who need to access the relevant Personal Data in the performance of Proofpoint's obligations under the Subscription Agreement. 4.2. Data Safeguards. Proofpoint will maintain reasonable administrative, physical, and technical safeguards for protection of the security and confidentiality of County Data and Personal Data, including, but not be limited to, measures for preventing unauthorized access, use,modification or disclosure of County Data and Personal Data. Proofpoint will comply with its Data Security, Protection,Audit and Compliance Policy at https://www.proofpoint.com/us/legal/license when processing any Customer Data and Personal Data. Proofpoint will comply with the County's data security terms outlined in Exhibit A, County Data Security Terms, attached hereto. 5. Financial Terms 5.1. Fees. Fees for the Proofpoint Products will be the Subscription Fees and other fees set forth in the Purchase Orders(collectively, the "Fees"). The Fees stated in each Purchase Order shall be effective during the Initial Term specified in that Purchase Order; the Subscription Fees and other fees for each Extension Term shall be defined in the applicable Purchase Order. 5.2. Taxes. The County will be liable for payment of all Taxes that are levied upon and related to the performance of obligations or exercise of rights under the Agreement and Subscription Agreement. Proofpoint may be required to collect and remit Taxes from the County unless the County provides Proofpoint with a valid tax exemption certificate. The amounts received by Proofpoint, after the provision for any Tax or withholding required by any country,will be equal to the amounts specified on the Purchase Order.In no event will either party be responsible for any taxes levied against the other party's net income. Proofpoint Agreement and Conditions(ver.June 2023) Page 2 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 5.3. Payment. Reserved. 1.1. License True-Up. Customer shall monitor and report its actual usage of the subscription-based Proofpoint Products ("License Count")as set forth herein. A"Base License" is the number of Licenses for which Customer has paid Subscription Fees. Customer will provide Proofpoint with a License Count on or before the date on which the then-current License Count exceeds the Base License Count by ten percent (10%)or more (if applicable) by email at accountsreceivable6d�proofpoint.com. Proofpoint may also at any time produce an actual license count for verification by Customer. If,in either case,the License Count is greater than the Base License, Customer shall pay Reseller for each License beyond the Base License from the time such Licenses were activated through the remainder of the Initial Term or Extension Term, as applicable. 6. Support, Managed Services and Professional Services 6.1. Proofpoint shall provide support and/or Managed Services provided the County is current in payment of the applicable Subscription Fees, and any additional fees for support and/or Managed Services, if applicable. Proofpoint's current support terms are described on Proofpoint's website at https://www.proofpoint.com/us/legal/license. 6.2. Proofpoint shall provide the Professional Services and/or Managed Services, if any, specified in a purchase order . All Professional Services shall be billed as stated in the applicable purchase order and the County agrees that,if the County has not used the Professional Services within one (1) year of paying for such Professional Services, then Proofpoint has no further obligations and the County shall not be entitled to a refund except as set forth expressly in the applicable. 6.3. Proofpoint warrants it will provide Managed Services and/or Professional Services in a professional and workmanlike manner consistent with reasonable industry standards and practices. As the County's sole and exclusive remedy and Proofpoint's entire liability for any breach of the foregoing warranty, Proofpoint will use reasonable efforts to re-perform the Managed Services and/or Professional Services,as applicable,or, if Proofpoint is unable to do so,terminate the applicable Managed Services and/or purchase order and refund that portion of any fees paid to Proofpoint that correspond to the allegedly defective Managed Services and/or Professional Services. 7. Term,Termination and Expiration 1.2. Unless otherwise set forth in the applicable Product Terms or Purchase Order, the Initial Term applicable to each Purchase Order(including follow-on orders) commences on the later of: (i)the date Proofpoint ships a production Appliance to Customer, (ii)the date Proofpoint processes the applicable Purchase Order for a Proofpoint Product evaluated by the Customer, or (iii) for all other Proofpoint Product orders, the date Proofpoint sends to Customer an email indicating that the Proofpoint Products are available for use (to the extent each of the foregoing applies to Customer's engagement). Upon expiration of the Initial Term and any Extension Term(s) under each Purchase Order, the Subscription Term applicable to such Purchase Order shall automatically renew for subsequent Extension Terms unless otherwise agreed by the parties or either party gives the other notice of non-renewal at least ninety (90) days prior to the end of the relevant Subscription Term. 7.1. Either party may terminate the Subscription Agreement, or Purchase Order(i)immediately upon written notice if the other party commits a non-remediable material breach; or(ii)if the other party fails to cure any remediable material breach within thirty(30)days of being of notified in writing of such breach. 7.2. Either party may terminate the Subscription Agreement immediately by written notice if no Purchase Order is in effect. The County's liability for fees arising under a Purchase Order under the terms of this Subscription Agreement are contingent on the approval of funds by the appropriating government agency. If sufficient funds are not allocated, then the County, upon at least 30 days' advance written notice to Proofpoint or the Reseller(as applicable)may terminate for convenience such applicable Purchase Order placed under this Subscription Agreement. Proofpoint may discontinue the delivery of services under any terminated Purchase Order for which there are a lack of appropriated funds. 7.3. On termination or expiration of the Subscription Agreement, all Software licenses, Service access, Managed Services access and/or Professional Services fulfillment granted under the Subscription Agreement shall automatically terminate with immediate effect. In the event of the termination or expiration of the Subscription Agreement, the provisions of the Subscription Agreement which by their nature extend beyond the expiration or termination of the Subscription Agreement shall survive, including but not limited to Section 2 ("County Responsibilities"); Section 3 ("Confidentiality"); Section 5 ("Financial Terms"); Section 7 ("Term, Termination and Expiration"); Section 9 ("Intellectual Property Rights, Licenses and Authorizations"); Section 10 ("Limitation of Liability"); Section 11 ("General"); and Section 12("Definitions");and any accrued rights to payment shall remain in effect beyond such termination or expiration until fulfilled. 8. Intellectual Property Indemnity 8.1. Proofpoint's Duty to Indemnify. Subject to the subsections below within this Section 8,Proofpoint agrees to defend and indemnify the County from and against any third-party claim filed against the County alleging that the Proofpoint Product(s), as sold and delivered to the County (the "Indemnified Products"), directly infringe the valid intellectual property rights of a third party (a "Claim"). Proofpoint agrees to pay and hold the County harmless against any amounts finally awarded by a court of law in respect of such Claim or pursuant to its signed settlement. Proofpoint may, at its sole election and expense: (i) procure sufficient rights to allow the County continued use and exploitation of the Indemnified Products under the terms of the Subscription Agreement; (ii) replace or modify the Indemnified Products to avoid the alleged infringement; or(iii)if the foregoing options are not reasonably practicable,terminate the County's rights to use the Indemnified Products and refund all amounts paid by the County to Proofpoint attributable to the County's future usage or access to the Indemnified Products. 8.2. Exclusions. Proofpoint shall have no obligation or any liability to the County for any Claim arising out of or related to: (i) modifications or adaptations to the Indemnified Products made by the County or the County's agents;(ii)the use of the Indemnified Products in combination with any other product, service or device, if the Claim would have been avoided by the use of the Indemnified Products without such other product, service or device not provided by Proofpoint to The County or the County's agents; (iii)compliance with the County's specific instructions for customization of an Indemnified Product made solely for or on behalf of the County; (iv) use or exploitation of the Indemnified Products other than as set forth in the Subscription Agreement or applicable Documentation; or (v) the County being given an update,modification,or replacement to an Indemnified Product by Proofpoint and failing to implement such update, modification, or replacement within a reasonable period of time. 8.3. Process. Proofpoint's obligations under this Section 8 are conditioned upon the following: (i)the County first providing written notice of the Claim to Proofpoint within thirty(30)days after the County becomes aware of or reasonably should have been aware of the Proofpoint Agreement and Conditions(ver.June 2023) Page 3 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Claim(provided, however,the failure to provide such notice will only relieve Proofpoint of its indemnity obligations hereunder to the extent Proofpoint is prejudiced thereby); (ii)the County tendering sole and exclusive control of the Claim to Proofpoint at the time the County provides written notice of such Claim to Proofpoint; and (iii) the County providing reasonable assistance, cooperation and required information with respect to defense and/or settlement of the Claim, including the County providing Proofpoint with access to documents and personnel at Proofpoint's request and expense. The County may at its sole expense participate in the Claim, except that Proofpoint will retain sole control of the defense and/or settlement. Proofpoint shall not agree to any settlement of a Claim that includes an injunction against the County or admits County liability without the County's prior written consent,which consent shall not be unreasonably withheld, conditioned or delayed. 8.4. Exclusive Remedv. Subsection 8.1 of this Section 8 describes the sole and exclusive remedy of the County and the entire liability of Proofpoint with respect to any Claim. 9. Intellectual Property Rights, Licenses and Authorizations 9.1. Ownership. The County retains all title, intellectual property, and other ownership rights in all County Confidential Information, County Data, County Personal Data, and all data that County makes available for processing by the Proofpoint Products. The County warrants and covenants that the County has the right to provide County Confidential Information, County Data,and County Personal Data to Proofpoint for the business purposes of this Subscription Agreement. Proofpoint retains all title, intellectual property, and other ownership rights throughout the world in and to the Proofpoint Products, Documentation, Threat Analytics, Professional Services, Managed Services,Work Product,and any modifications to,and derivative works of,the foregoing. Proofpoint hereby grants to the County a non-exclusive,non-transferable,fully paid-up license to use the Work Product in connection with the Proofpoint Products licensed under this Subscription Agreement and solely for the County's internal business purposes. Professional Services and/or Managed Services(and any resulting Work Product from either offering)are not provided on a "work made for hire"basis. 9.2. No Implied Rights. There are no implied rights and all rights not expressly granted herein are reserved. No license, right or interest in any Proofpoint trademark, copyright, patent, trade name or service mark is granted hereunder. The County shall not remove from any full or partial copies made by the County of the Software,Software Updates and Documentation any copyright or other proprietary notice contained in or on the original, as delivered to the County. 9.3. Iniunctive Relief. Each party acknowledges that the Proofpoint Products contain valuable trade secrets and proprietary information of Proofpoint,that in the event of any actual or threatened breach of the scope of any of the licenses granted hereunder,such breach shall constitute immediate, irreparable harm to Proofpoint for which monetary damages would be an inadequate remedy, and that injunctive relief is an appropriate remedy for such breach in addition to whatever remedies Proofpoint might have at law or under the Subscription Agreement. 9.4. Proofpoint Authorization.The County acknowledges and agrees that Proofpoint Products are designed to protect its customers against cybersecurity threats, data loss, and compliance risks, and it is critical for Proofpoint to maintain and continue developing its products and services to protect its customers from such threats, loss, and risks. In accordance with Recital 49 of the GDPR and in support of the business purposes of this Subscription Agreement,the County hereby authorizes Proofpoint and its subprocessors to collect and process County Data and County Personal Data to provide the Proofpoint Products in accordance with the Subscription Agreement and to use County Data and County Personal Data in connection with Threat Analytics. 10. Limitation of Liability 10.1. EXCEPT FOR (i) INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS, (ii) DAMAGES RESULTING FROM EITHER PARTY'S GROSS NEGLIGENCE, FRAUD OR WILLFUL MISCONDUCT, (iii) DAMAGES RESULTING FROM EITHER PARTY'S MATERIAL BREACH OF THE CONFIDENTIALITY SECTION, OR (iv) THE COUNTY'S BREACH OF THE COUNTY RESPONSIBILITIES SECTION, EACH PARTY'S AGGREGATE LIABILITY UNDER THE SUBSCRIPTION AGREEMENT SHALL IN NO EVENT EXCEED THE ANNUALIZED SUBSCRIPTION FEES PAID FOR THE APPLICABLE PROOFPOINT PRODUCT.EXCEPT FOR (i) DAMAGES RESULTING FROM EITHER PARTY'S MATERIAL BREACH OF THE CONFIDENTIALITY SECTION, OR (ii) THE COUNTY'S BREACH OF THE COUNTY RESPONSIBILITIES SECTION, IN NO EVENT SHALL EITHER PARTY OR ITS LICENSORS OR SUPPLIERS HAVE ANY LIABILITY TO THE OTHER OR ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL , INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR COVER DAMAGES OR LOSSES, ARISING OUT OF OR IN CONNECTION WITH THE SUBSCRIPTION AGREEMENT, HOWEVER CAUSED AND WHETHER IN CONTRACT,TORT OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 10.2. THE LIMITATION OF LIABILITY AND EXCLUSION OF CERTAIN DAMAGES STATED HEREIN WILL APPLY REGARDLESS OF THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. BOTH PARTIES HEREUNDER SPECIFICALLY ACKNOWLEDGE THAT THESE LIMITATIONS OF LIABILITY ARE REFLECTED IN THE PRICING. 11. General 11.1. Entire Agreement; Integration. The Subscription Agreement constitutes the entire agreement of the parties and supersedes all prior or contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No amendment or waiver of any provision of the Subscription Agreement shall be effective unless in writing and signed by the party against whom the amendment or waiver is to be asserted. Notwithstanding any language to the contrary therein,any Purchase Order issued by the County or Reseller shall be deemed a convenient order and payment device only and no terms(other than product name, license quantity, price, Subscription Term,and billing contact)stated in any Purchase Order shall be incorporated into the Subscription Agreement,and all such other terms shall be void and of no effect. In the event of any conflict between this Subscription Agreement,the Product Terms, a SOW (if applicable),and/or the applicable Purchase Order,the order of precedence will be the following:the applicable Product Terms,SOW(s), this Subscription Agreement,and then the applicable Purchase Order(s). 11.2. U.S. Government Users. Product and SaaS includes "Commercial Computer Software" and "Commercial Computer Software Documentation." In accordance with Section 12.212 of the Federal Acquisition Regulations (FAR) and Sections 227.7202-1 through 227.7202-4 of the Defense FAR Supplement (DFARS), any use, duplication, modification, distribution, disclosure and all other license rights of Product or SaaS by the U.S. Government or any of its agencies shall be governed by and subject to all of the terms,conditions, Proofpoint Agreement and Conditions(ver.June 2023) Page 4 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 restrictions, and limitations of the Proofpoint license agreement. Use of Product or SaaS constitutes agreement by the U.S. Government that Product or SaaS includes"commercial computer software"and "commercial computer software documentation"per the FAR/DFAR; and renders the Proofpoint license agreement enforceable. If for any reason Product or SaaS is not considered `commercial' per the FAR; or, the Proofpoint license agreement otherwise is deemed not to apply, the Product or SaaS will be deemed to be provided with "Restricted Rights" as defined in FAR 52.227-14(a) and FAR 52.227-14(g)(4) (Alt III), or DFARS 252.227-7014(a)(15) and DFARS 252.227-7014(b)(3), as applicable. For U.S. Government Users, the Government shall have the right to use, duplicate or disclose Technical Data which is accessed,developed,or delivered under the contract,for the acquiring agency's internal purposes only, per FAR 12.211 Technical data. For contracts governed by the DFARS, the Government shall have the license rights for Technical Data as provided under DFAR 252.227-7015(b)(Technical Data—Commercial Items). 11.3. Publicity. Neither party may issue press releases or otherwise publicize the parties' relationship without the other party's prior written consent. 11.4. Independent Contractors. The parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties is created hereby. 11.5. Notices. All notices shall be in writing to the General Counsel of each party's address on the first page of the Subscription Agreement(or as updated by a party in writing to the other)and effective upon receipt. 11.6. Waiver. No failure or delay in exercising any right hereunder shall constitute a waiver of such right.Except as otherwise provided, remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity. If any provision of the Subscription Agreement is held by a court of competent jurisdiction to be contrary to law,such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect. 11.7. Force Majeure. Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations) due to circumstances beyond such party's reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party's employees), service disruptions involving hardware,software or power systems not within such party's possession or reasonable control,and denial of service attacks. 11.8. Assignment. Each party may not assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other(not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign the Subscription Agreement in its entirety upon written notice,without consent of the other party,to its successor in interest in connection with a merger, reorganization, or sale of all or substantially all assets or equity not involving a direct competitor of the other party. 11.9. Anti-corruption Laws, Export Controls. Each party will comply with applicable (i)anti-corruption and anti-bribery laws including the United States (US) Foreign Corrupt Practices Act, and (ii) all applicable export / import laws and regulations (collectively "Export Law")to ensure that the Proofpoint Products, support, Professional Services, and/or Managed Services are not(a)directly or indirectly violating Export Law or (b) used for any purposes prohibited by Export Law. The parties represent and warrant that no government agency has suspended, revoked, or denied its export privileges and are not subject to sanctions, are not designated on any list of prohibited or restricted parties(including the lists maintained by the United Nations, US Government,the European Union or its member states,or other applicable government authority),and do not maintain its operations in any country subject to such sanctions.The County agrees that it will not export, re-export, or transfer the Proofpoint Products, support, Professional Services,and/or Managed Services or their related documentation, in whole or in part, to any person, entity, or country subject to applicable export restrictions or otherwise prohibited by Proofpoint in its sole discretion. 11.10. Severability. If any clause of the Subscription Agreement shall be adjudged by any board, court or tribunal of competent jurisdiction to be invalid or unenforceable,such judgment shall not affect,impair or invalidate the remainder of the Subscription Agreement, which shall remain enforceable by the parties. For the avoidance of doubt, with respect to any Federal prime contract, subcontract, or end-user licensing agreement which incorporates Proofpoint's terms and conditions, those clauses that are specifically declared by Federal regulation not to be enforceable,shall be deemed deleted from the Subscription Agreement to the extent they are determined to be unenforceable. 11.11. Applicable Law. If the County is in any country on the American continents,the Subscription Agreement will be governed by the laws of the State of California and the United States of America,without regard to conflict of law principles.The parties hereby irrevocably consent to the exclusive jurisdiction and venue of the state and federal courts located in Fresno County, California,for resolution of any disputes arising out of the Subscription Agreement. If the County is in any country outside the American continents, the Subscription Agreement will be governed by the laws of England and Wales, without regard to conflict of law principles. In such case, the parties hereby irrevocably consent to the exclusive jurisdiction and venue of the of the courts of England and Wales,for resolution of any disputes arising out of the Subscription Agreement. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to the Subscription Agreement. 11.12. Third-Party Beneficiaries. There are no third-party beneficiaries under the Agreement. 11.13. Insurance. Proofpoint shall comply with all insurance requirements in Exhibit D to this Subscription Agreement. 11.14. Disclosure of Self-Dealing Transactions.This Section 11.14 applies if Proofpoint is operating as a corporation or changes its status to operate as a corporation. If any member of Proofpoint's board of directors is party to a self-dealing transaction, he or she shall disclose the transaction by completing and signing a "Self-Dealing Transaction Disclosure Form" (Exhibit C to this Subscription Agreement) and submitting it to the County before commencing the transaction or immediately after. "Self-dealing transaction" means a transaction to which County and the Contractor are parties and in which one or more of its directors,as an individual, has a material financial interest. 12. DEFINITIONS 12.1. "Affiliate"means,with respect to a party,any entity which is directly or indirectly controlled by such party."Control,"for purposes of this definition, means ownership or control, directly or indirectly, of more than 50%of the voting interests of the subject entity. 12.2. "Agreement" means the Agreement, the Product Terms, the commercial terms of each Purchase Order or SOW(if any), and any other document executed by the parties. 12.3. "Appliance(s)" means a virtual or hardware device containing the Software. Proofpoint Agreement and Conditions(ver.June 2023) Page 5 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 12.4. "Confidential Information" means all confidential and proprietary information of a party ("Disclosing Party") disclosed to the other party ("Receiving Party"), whether orally or in writing, that is designated as "confidential" or the like, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of the Subscription Agreement(including pricing and other terms reflected in a Purchase Order), the Proofpoint Products business and marketing plans, technology and technical information, product designs, and business processes. "Confidential Information" shall not include information that(i) is or becomes a matter of public knowledge through no act or omission of the Receiving Party; (ii) was in the Receiving Party's lawful possession prior to the disclosure without restriction on disclosure; (iii)is lawfully disclosed to the Receiving Party by a third party that lawfully and rightfully possesses such information without restriction on disclosure; (iv) the Receiving Party can document resulted from its own research and development, independent of receipt of the disclosure from the Disclosing Party; or(v) is disclosed with the prior written approval of the Disclosing Party. 12.5. "County Data"means the County specific configurations and rules implemented in the Proofpoint Products,and any The County content processed by the Proofpoint Products(e.g., email text and attachments)that is not Personal Data. Proofpoint's protection of The County Data is described in Section 4. 12.6. "County Equipment"means the County's computer hardware,software and network infrastructure used to access Software. 12.7. "Documentation"means the technical description of the Proofpoint Product(s)contained in the then-current Product Terms. 12.8. "Extension Term(s)" means each additional one-year (or other agreed upon period) Subscription Term for which the Subscription Term for a Proofpoint Product is extended pursuant to Section 7. 12.9. "Initial Term"means the initial Subscription Term for a Proofpoint Product that is defined on the applicable Purchase Order. 12.10. "License(s)" means the license metric(e.g., type and quantity)identified in the Proofpoint sales quote and/or in the applicable Product Terms(which in turn may be referenced in the Purchase Order). The County needs a License in order to legally use a Proofpoint Product. 12.11. "Managed Services" means ongoing active management provided by Proofpoint to the County on a subscription basis to manage either Proofpoint Products or third-party products licensed separately by the County, as specifically set forth in an applicable Proofpoint managed services brief corresponding to such Managed Services. 12.12. "Personal Data" means data about an identifiable individual that is protected by privacy laws where the individual resides. Examples of personal data include name, religion, gender, financial information, national identifier numbers, health information, email addresses, IP addresses,online identifiers,and location data. Proofpoint's protection of the County Personal Data is described in Section 4. 12.13. "Product Terms" means the descriptions of Proofpoint Products and related terms contained at www.proofpoint.com/license/product-exhibit that are hereby incorporated herein. 12.14. "Professional Services" means installation, implementation, data migration, configuration, or advisory services provided by Proofpoint to The County. 12.15. "Proofpoint Product(s)"means the Appliance,Service or Software licensed and/or purchased by the County under a Purchase Order. 12.16. "Purchase Order(s)" means an ordering document for a Proofpoint Product issued by the County or Reseller that contains at least the following information: product name, license quantity, Subscription Term, price, and billing contact, all corresponding to the Proofpoint or reseller quote. 12.17. "Reseller"means a third-party authorized by Proofpoint to resell Proofpoint Products directly to the County. 12.18. "Service"means any Proofpoint Product licensed on a hosted basis as software-as-a-service. 12.19. "Software"means any Proofpoint binary software programs licensed by Proofpoint to the County,together with all the Software Updates. 12.20. "Software Update(s)" means each Software update and enhancement that Proofpoint generally makes available at no additional charge to its customers who are current in payment of applicable Subscription Fees,or otherwise provides to the County under the Subscription Agreement. 12.21. "SOW" means each statement of work, engagement letter or other writing signed by Proofpoint and the County that describes the Professional Services and/or Managed Services provided by Proofpoint.Each SOW shall reference the Subscription Agreement and will be subject to the terms and conditions hereof.Additionally, a Proofpoint service brief identified in a Purchase Order is also considered a SOW but does not require a separate signature. 12.22. "Subscription Fees" mean the fees paid by the County for the right to use(and receive applicable Updates to)the applicable subscription-based Proofpoint Products for the Initial Term or Extension Term, as applicable. 12.23. "Subscription Term"means the term during which the County receives a license to use the applicable Proofpoint Products. 12.24. "Taxes"means any direct or indirect local,state,federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes. 12.25. "Term" means the Initial Term and any Extension Term applicable to each Purchase Order. 12.26. "Threat Analytics" means the output and/or derivatives from the collection, analysis, combination, generation, and/or aggregation of the data (including County Data and County Personal Data) processed by Proofpoint for the purpose of identifying, detecting, preventing, and/or remediating actual or potential compromise(s)to the security, availability, integrity, and/or confidentiality of its customers'data and the environments in which this data resides. 12.27. "User" means the County's and its Affiliates' employees, agents, subcontractors, consultants, or other individuals authorized hereunder to use the Proofpoint Product. 12.28. "Work Product" means all work product developed or created by Proofpoint during the course of providing support, Managed Services or Professional Services to the County. Notwithstanding anything herein to the contrary, Work Product shall not include any County Confidential Information, County Data, or Personal Data. COUNTY OF FRESNO: PROOFPOINT, INC.: Proofpoint Agreement and Conditions(ver.June 2023) Page 6 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Signature: Digitally signed by Riley Signature: DocuSigned by: Riley Blackburn Blackburn Date:2024.09.27 15:50:03-07'00' Individual Signing: Individual Signin FD71D6FA9FC243E... [print name] Riley Blackburn [print name] Keith Barney Title:Purchasing Manager Title: VP, Associate General counsel , COTIm Signing Date:9/27/2^ Signing Date: 9/26/2024 Proofpoint Agreement and Conditions(ver.June 2023) Page 7 of Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 County Data Security Terms Exhibit A A. Definitions. Capitalized terms used in this Exhibit A have the meanings set forth in this section A. "Authorized Employees" means the Contractor's employees who have access to Personal Information. "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any and all of the Contractor's subcontractors, representatives, agents, outsourcers, and consultants, and providers of professional services to the Contractor, who have access to Personal Information and are bound by law or in writing by confidentiality obligations sufficient to protect Personal Information in accordance with the terms of this Exhibit A. "Director" means the County's Director of Internal Services/Chief Information Officer or his or her designee. "Disclose" or any derivative of that word means to disclose, release, transfer, disseminate, or otherwise provide access to or communicate all or any part of any Personal Information orally, in writing, or by electronic or any other means to any person. "Person" means any natural person, corporation, partnership, limited liability company, firm, or association. "Personal Information" means any and all information, directed to the Services, to the Contractor by or upon the authorization of the County, including but not limited to vital records, that: (i) identifies, describes, or relates to, or is associated with, or is capable of being used to identify, describe, or relate to, or associate with, a person (including, without limitation, names, physical descriptions, signatures, addresses, telephone numbers, e-mail addresses, education, financial matters, employment history, and other unique identifiers, as well as statements made by or attributable to the person); (ii) is used or is capable of being used to authenticate a person (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or personal identification numbers (PINs), financial account numbers, credit report information, answers to security questions, and other personal identifiers); or is personal information within the meaning of California Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. "Privacy Practices Complaint" means a complaint received by the County relating to the Contractor's (or any Authorized Person's) privacy practices, or alleging a Security Breach. Such complaint shall have sufficient detail to enable the Contractor to promptly investigate and take remedial action under this Exhibit A. "Security Safeguards" means physical, technical, administrative or organizational security procedures and practices put in place by the Contractor(or any Authorized Persons)that relate to the protection of the security, confidentiality, value, or integrity of Personal Information. Security Safeguards shall satisfy the minimal requirements set forth in subsection C.(5) of this Exhibit A. "Security Breach" means (i) any act or omission that compromises either the security, confidentiality, value, or integrity of any Personal Information or the Security Safeguards, or(ii) any unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage to, any Personal Information. "Use" or any derivative thereof means to receive, acquire, collect, apply, manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose of Personal Information that results in unauthorized access to County Personal Information. B. Standard of Care. (1)The Contractor acknowledges that, in the course of its engagement by the County under this Agreement, the Contractor, or any Authorized Persons, may Use Personal Information only as permitted in this Agreement. (2)With the exclusion of threat analytics data, the Contractor acknowledges that Personal Information is deemed to be confidential information of, or owned by, the County (or persons from whom the County receives or has received Personal Information) and is not confidential information of, or owned or by, the Contractor, or any Authorized Persons. The Contractor further acknowledges that all right, title, and interest in or to the Personal Information remains in the County (or persons from whom the County receives or has received Personal Information) regardless of the Contractor's, or any Authorized Person's, Use of that Personal Information. (3)The Contractor agrees and covenants in favor of the County that the Contractor shall: (i) keep and maintain all Personal Information in strict confidence, using such degree of care under this Subsection B as is reasonable and appropriate to avoid a Security Breach; (ii) Use Personal Information exclusively for the purposes for which the Personal Information is made accessible to the Contractor pursuant to the terms of this Exhibit A; (iii) (excluding threat analytics data) not Use, Disclose, sell, rent, license, or otherwise make available Personal Information for the Contractor's own purposes or for the benefit of anyone other than the County, without the County's express prior written consent, which the County may give or withhold in its sole and absolute discretion; and (iv) not, directly or A-1 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 indirectly, Disclose Personal Information to any person (an "Unauthorized Third Party") other than Authorized Persons pursuant to this Agreement, without the Director's express prior written consent. Notwithstanding the foregoing paragraph, in any case in which the Contractor believes it, or any Authorized Person, is required to disclose Personal Information to government regulatory authorities, or pursuant to a legal proceeding, or otherwise as may be required by applicable law, the Contractor shall (a) immediately notify the County of the specific demand for, and legal authority for the disclosure, including providing the County with a copy of any notice, discovery demand, subpoena, or order, as applicable, received by the Contractor, or any Authorized Person, from any government regulatory authorities, or in relation to any legal proceeding, unless prohibited by law, and (b) promptly notify the County before such Personal Information is offered by the Contractor for such disclosure so that the County may have sufficient time to obtain a court order or take any other action the County may deem necessary to protect the Personal Information from such disclosure, and the Contractor shall cooperate with the County to minimize the scope of such disclosure of such Personal Information unless prohibited by law. The Contractor, to the extent of its comparative fault, shall remain liable to the County for the actions and omissions of any Unauthorized Third Party concerning its Use of such Personal Information as if they were the Contractor's own actions and omissions. C. Information Security. (1)To the extent applicable, the Contractor covenants, represents and warrants to the County that the Contractor's Use of Personal Information under this Agreement does and shall at all times comply with all federal, state, and local, privacy and data protection laws, as well as all other applicable regulations and directives, including but not limited to California Civil Code, Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song- Beverly Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3, beginning with section 1747). If the Contractor Uses credit, debit, or other payment cardholder information, the Contractor shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing and maintaining all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at the Contractor's sole cost and expense. (2)To the extent of its knowledge, the Contractor covenants, represents and warrants to the County that, as of the Effective Date, the Contractor has not received notice of any violation of any privacy or data protection laws, as well as any other applicable regulations or directives, and is not the subject of any pending legal action or investigation by, any government regulatory authority regarding same. (3)Without limiting the Contractor's obligations under subsection C.(1) of this Exhibit A, the Contractor's (or Authorized Person's) Security Safeguards shall be no less rigorous than accepted industry practices and, at a minimum, include the following: (i) limiting Use of Personal Information strictly to the Contractor's and Authorized Persons' technical and administrative personnel who are necessary for the Contractor's, or Authorized Persons', Use of the Personal Information pursuant to this Agreement; (ii) ensuring that all of the Contractor's connectivity to the County computing systems will only be through the County's security gateways and firewalls, and only through security procedures approved upon the express prior written consent of the Director; (iii) to the extent that they contain or provide access to Personal Information, (a)securing the Contractor's business facilities, data centers, paper files, servers, back-up systems and computing equipment, operating systems, and software applications, including, but not limited to, all mobile devices and other equipment, operating systems, and software applications with information storage capability; (b) employing adequate controls and data security measures with respect to the Contractor Facilities and Equipment), both internally and externally, designed to protect (1)the Personal Information from potential loss or misappropriation, or unauthorized Use,; (c) having and maintaining network, device application, database and platform security; (d) maintaining authentication and access controls within media, computing equipment, operating systems, and software applications; and (e) installing and maintaining in all mobile, wireless, or handheld devices a secure internet connection, having continuously updated anti-virus software protection and a remote wipe feature always enabled,; (iv) encrypting all Personal Information at advance encryption standards of Advanced Encryption Standards (AES) of 128 bit or higher stored on any mobile devices, including but not limited to hard disks, portable storage devices, or remote installation, or provided it is enabled by County where not automatically enabled by the Service, enable TLS to protect Personal Information transmitted over public or wireless networks (v) mplementing logical separation of Personal Information from all other information of the Contractor, including any Authorized Person, or anyone with whom the Contractor or any Authorized Person deals so that Personal Information is not commingled with any other types of information; (vi) having a patch management process including installation of all applicable critical, high or medium-risk operating system/software vendor security patches; (vii) maintaining appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks of Authorized Employees consistent with applicable law; and (viii) providing A-2 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 appropriate privacy and information security training to Authorized Employees. (4) During the term of each Authorized Employee's employment by the Contractor, the Contractor shall cause such Authorized Employees to abide strictly by the Contractor's information security program .. The Contractor further agrees that it shall maintain a disciplinary process to address any unauthorized Use of Personal Information by any Authorized Employees. (5)The Contractor shall perform daily full backups of customer configuration data. , D. Security Breach Procedures. (1) Promptly, and without undue delay, upon the Contractor's confirmation of a Security Breach, the Contractor shall within 48 hours (a) notify the Director of the Security Breach, such notice to be given first by telephone at the following telephone number, followed promptly by email at the following email address: (559) 600-5900/ incidents(aNresnocountyca.gov (which telephone number and email address the County may update by providing notice to the Contractor), and (b) preserve all relevant evidence (and cause any affected Authorized Person to preserve all relevant evidence) relating to the Security Breach. The notification shall include, to the extent reasonably possible, the identification of each type and the extent of Personal Information that has been, or is reasonably believed to have been, breached. (2) Once Contractor has provided County with its final report regarding the Security Breach,. the Contractor agrees to fully cooperate with the County, which may include: (i) assisting the County in conducting any investigation; (ii) providing the County with physical access to the facilities and operations affected provided it is permitted by the facility owner; (iii)facilitating interviews with Authorized Persons and any of the Contractor's other employees knowledgeable of the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably required by the County. To that end, the Contractor shall, with respect to a Security Breach, be solely responsible, at its cost, for all notifications required by law and regulation. (3)The County shall promptly notify the Contractor of the Director's knowledge, or reasonable belief, of any Privacy Practices Complaint, and upon the Contractor's receipt of notification thereof, the Contractor shall promptly address such Privacy Practices Complaint, including taking any corrective action under this Exhibit A, all at the Contractor's sole expense, in accordance with applicable privacy rights, laws, regulations and standards. In the event the Contractor discovers a Security Breach, the Contractor shall treat the Privacy Practices Complaint as a Security Breach. Within ten business days of the Contractor's receipt of notification of such Privacy Practices Complaint, the Contractor shall notify the County whether the matter is a Security Breach, or otherwise has been corrected and the manner of correction, or determined not to require corrective action and the reason therefor. (4)The Contractor shall take prompt corrective action to respond to and remedy any Security Breach and take reasonable mitigating actions, including but not limiting to, implementing controls designed to prevent any reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as a result of such incident, all at the Contractor's sole expense, in accordance with applicable privacy rights, laws, regulations and standards. Subject to the limitations in this Agreement, the Contractor shall reimburse the County for all reasonable costs incurred by the County in responding to, and mitigating damages caused by, any Security Breach, including all costs of the County incurred in relation to any litigation or other action described in subsection D.(5) of this Exhibit A to the extent applicable: (1)the cost of providing affected individuals with credit monitoring services for a specific period not to exceed 12 months, to the extent the incident could lead to a compromise of the data subject's credit or credit standing; (2) call center support for such affected individuals for a specific period not to exceed 30 days; and (3)the cost of any measures required under applicable laws. E. Oversight of Security Compliance. (1)The Contractor shall have and maintain a written information security policy that specifies Security Safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities. (2) Upon the County's written request, to confirm the Contractor's compliance with this Exhibit A, as well as any applicable laws, regulations and industry standards, the Contractor grants the County or, upon the County's election, a third party on the County's behalf, with appropriate confidentiality terms in place, permission to perform an assessment, in the form of an annual questionnaire, to assess controls in the Contractor's physical and technical environment in relation to all Personal Information that is Used by the Contractor pursuant to this Agreement. The Contractor shall fully cooperate with such assessment by providing the County or the third party on the County's behalf, access to Authorized Employees and documentation that is Used by the Contractor for Personal Information pursuant to this Agreement. In addition, the Contractor shall provide the County upon request the results of the Contractor's most recent SOC 2 Type II audit report (or equivalent). A-3 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 (3)The Contractor shall ensure that all Authorized Persons who Use Personal Information agree to abide by the Contractor information security program F. Return or Destruction of Personal Information. Upon the termination of this Agreement, the Contractor shall, and shall instruct, as applicable to and supported by the services provided, all Authorized Persons to, promptly return to the County all Personal Information, whether in written, electronic or other form or media, in its possession or the possession of such Authorized Persons, in the format directed to the services by the County at the time of such return, or once no longer necessary for the performance of the services (as documented here: https://www.proofpoint.com/us/legal/trust/product-processing- operations), securely destroy all such Personal Information, and certify in writing to the County upon written request that such Personal Information have been returned to the County or disposed of securely, as applicable. If the Contractor is authorized to dispose of any such Personal Information, as provided in this Exhibit A, such certification shall state the date, time, and manner(including standard)of disposal and by whom, specifying the title of the individual. The Contractor shall comply with all reasonable directions provided by the Director, as supported by the services, with respect to the return or disposal of Personal Information and copies thereof. The Contractor's obligations under this section F survive the termination of this Agreement and apply to all Personal Information that the Contractor retains if return or disposal is not feasible and to all Personal Information that the Contractor may later discover. G. Equitable Relief. The Contractor acknowledges that any breach of its covenants or obligations set forth in this Exhibit A may cause the County irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, the County is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which the County may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available to the County at law or in equity or under this Agreement. H. Indemnification. Reserved. I. Survival. The respective rights and obligations of the Contractor and the County as stated in this Exhibit A shall survive the termination of this Agreement. J. No Third Party Beneficiary. Nothing express or implied in the provisions of in this Exhibit A is intended to confer, nor shall anything herein confer, upon any person other than the County or the Contractor and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. L. No County Warranty. The County does not make any warranty or representation whether any Personal Information in the Contractor's (or any Authorized Person's) possession or control, or Use by the Contractor(or any Authorized Person), pursuant to the terms of this Agreement is or will be secure from unauthorized Use, or a Security Breach or Privacy Practices Complaint. A-4 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Exhibit B Hosted Services Service Level Agreement 1. Standard Terms Applicable to each SLA: A. Definitions.Except as otherwise modified or defined herein,all capitalized terms in this Hosted Services Service Level Agreement have the same meanings as set forth in the General Terms and Conditions and the applicable Product Exhibit (collectively,"Agreement"). For purposes of this Hosted Services Service Level Agreement the following definitions will apply. A.1 "Scheduled Maintenance Window" means the window during which weekly scheduled maintenance of the Hosted Service may be performed. The Scheduled Maintenance Window is between the hours of Friday 9:00 p.m. to Saturday 5:00 a.m. Pacific time. A.2 "Emergency Maintenance"means any time outside of Scheduled Maintenance Window that Proofpoint is required to apply urgent patches or fixes, or undertake other urgent maintenance activities. If Emergency Maintenance is required, Proofpoint will contact Customer and provide the expected start time and the planned duration of the Emergency Maintenance and if Proofpoint expects the Hosted Service to be unavailable during the Emergency Maintenance. B. Service Credits B.1 "Service Credit"means the percentage of the monthly Subscription Fees paid or payable for the Hosted Service product that is awarded to Customer for a validated claim associated with that portion of the Hosted Service related to breach of the applicable SLA during that month. B.2 In any given month Customer shall in no event be entitled to receive a credit that exceeds 100% of its monthly Subscription Fee for the nonconforming Hosted Service product. B.3 Any Service Credits earned by Customer hereunder will be applied to the Subscription Fees owed by Customer for the next Hosted Service product subscription period for which the Service Credit applies. Service Credits earned by Customer hereunder will be applied against amounts due for an Extension Term. If Service Credits cannot be applied to future Subscription Fees because the Agreement has terminated due to Proofpoint's breach of the Agreement,Proofpoint will promptly pay Customer the amount of the Services Credit. C. SLA Claims CA Customer must notify Proofpoint Customer Support via support ticket within five(5)business days from the occurrence of the SLA incident. Customer's claim ticket must identify which specific SLA applies and the details of the relevant incident. Distributors and channel partners may NOT open SLA tickets on behalf of a Customer. If requested by Proofpoint Customer will provide Proofpoint a live copy of the applicable email with the original Proofpoint headers (complete and untampered with)for analysis.Failure to comply with these reporting requirements may forfeit Customer's right to receive a remedy in connection with an SLA. C.2 For all claims subject to validation by Proofpoint, Proofpoint will use log files, database records, audit logs, and any other information available to validate claims and make a good faith judgment on the applicability of SLAs to said incident. Proofpoint shall make information used to validate a SLA claim available for auditing by Customer at Customer's request. C.3 In the event that more than one aspect of a Hosted Service product is affected by the same root cause,the single SLA applicable to such Hosted Service product of Customer's choosing may be claimed and no other claim will be validated or otherwise allowed for that event. CA Except for gross negligence or willful misconduct, the remedies set forth herein represents Customer's sole and exclusive remedy for Proofpoint's breach of the SLAs defined in this SLA. D. Exclusions D.1 Customer shall not have any remedies under any SLA to the extent any SLA claim is due to: (i) use of the Hosted Service product outside the scope described in the Agreement; (ii)Customer Equipment and/or third party software, hardware or network infrastructure outside of Proofpoint's data center and not under the direct control of Proofpoint;(iii)failure of Customer to meet the configuration requirements for Customer Equipment set forth in the Documentation; or(iv)a Force Majeure Event. These SLAs do not apply to any end of life product or software version. 2. SECURITY SERVICES HOSTED SERVICE SLAs. The following SLAs apply to the Security Services Hosted Service. A. Filtering System Availability SLA. A.1 Proofpoint warrants at least 99.999%System Availability,which is defined as%of total time during which email service connectivity on port 25 is available during each calendar month, excluding Scheduled Maintenance Window and Emergency Maintenance. For purposes of calculating System Availability,only downtime occurrences exceeding 30 seconds will apply. A.2 Customer Responsibilities. Customer must: (a) set up MX records and outbound entries in accordance with the Hosted Service product latest welcome letter provided to Customer;(b)identify the number of impacted users as a subset against the total number of licensed users; (c) if inbound email is impacted provide the timeframes of the Service unavailability; (d) if outbound email is impacted provide copies of impacted email with the original Proofpoint headers complete and unaltered;and (e)provide ping and trace routes. A.3 Remedy. If the email System Availability is less than 99.999%,and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet the email System Availability SLA has occurred.The Service Credit will be calculated in accordance with the table below. A-5 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 %of Email System Availability per Calendar Month Service Credit <99.999% 25% <99.0% 50% <98.0% 100% B. Email Delivery SLA B.1 Proofpoint warrants that the average of Email Delivery (as defined below) times, as measured in minutes over a calendar month,will be one(1)minute or less. B.2 For purposes of this SLA "Email Delivery" is defined as the elapsed time from when a business email enters the Security Services Hosted Service network to when it exits the Security Services Hosted Service network. The Email Delivery average time measurement for a cluster is calculated using simulated or test emails. These test emails are sent at a periodic frequency and the fastest 95%email delivery times are tracked by Proofpoint to calculate the average for that month. B.3 This SLA applies only to legitimate business email (e.g. not to non-solicited bulk email) delivered to valid Mailbox accounts that are contracted for the Security Services Hosted Service. B.4 Exclusions. Customer shall not have any remedies under this SLA to the extent any SLA claim hereunder is due to (i)delivery of email to quarantine; (ii)email in deferral queues; (iii)email loops;(iv)attachments(only if Customer holds a license to Targeted Attack Protection Attachment Defense); (v) suspect spam; (vi) zero hour wait; or (vii) Customer's primary email server is unable to accept email on initial attempt. B.5 Remedy. If in any calendar month the Email Delivery SLA is not met and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. Average Email Delivery Time Service Credit > 1 minute 25% >5 minutes 50% > 10 minutes 100% C. Virus Filtering SLA CA Proofpoint warrants that the Security Services Hosted Service will Filter(as defined below) 100% of all Viruses (as defined below)contained in an inbound email to a Customer Mailbox for which a Security Services Hosted Service subscription has been purchased. C.1.1 Proofpoint warrants that the Security Services Hosted Service will Filter 100%of all Viruses contained in an outbound email from a Customer Mailbox for which a Security Services Hosted Service subscription has been purchased. C.2 For purposes of this SLA,the following definitions shall apply: C.2.1 "Filter"means to detect and block or quarantine all email messages with Viruses that: (i) match an available virus signature generally available from Customer's selected and licensed anti-virus engine vendor; and (ii)are identifiable by industry standard anti-virus engine heuristics;and (iii) are propagated through registered attachment types that are recognized by Customer's selected and licensed anti-virus engine vendor. C.2.2 "Infection" means if an inbound email to a Customer Mailbox is delivered with a Virus, or if an outbound email from a Customer Mailbox is processed through the Security Services Hosted Service with a Virus without being quarantined. C.2.3 "Virus" means a binary or executable code whose purpose is to gather information from the infected host (such as trojans),change or destroy data on the infected host,use inordinate system resources in the form of memory,disk space,network bandwidth or CPU cycles on the infected host,use the infected host to replicate itself to other hosts,or provide control or access to any of the infected host's system resources. C.3 This SLA does not apply to (i)text messages that use fraudulent claims to deceive the Customer and/or prompt the Customer to action (such as phishing); (ii)a binary or executable code installed or run by an end user that gathers informat ion for sales and marketing purposes (such as spyware); (iii)a virus that has been detected and has been cleaned by other virus scanning products;(iv)an ineffective or inactive virus contained in a bounced email;(v)a Virus-infected email that is quarantined by the Hosted Services but is subsequently delivered to an end user or administrator by such end user or administrator; (vi) emails containing attachments that are password protected,encrypted or otherwise under an end user's control;(vii)any action by a Customer end user or administrator that results in deliberate self-infection; or(viii)any Infection occurring within the first thirty(30)minutes of the anti-virus engine vendor's new general release of a virus's applicable signature. CA Customer will not be eligible to receive a remedy under this SLA if Customer (i) is not subscribing to all anti-virus Security Services Hosted Service modules for all Customer Mailboxes for which a Security Services Hosted Service subscription has been purchased; (ii)has not enabled full virus protection for all Customer Mailboxes for which a Security Services Hosted Service subscription has been purchased; (iii) does not provide Proofpoint with conclusive written evidence (including the full Virus attachment for each email experiencing the Infection) that the Virus was caused by an email that passed through the Security Services Hosted Service network; and(iv)emails exceeding the applicable anti-virus engine's maximum scanning size limit identified in the vendor's documentation. C.5 Remedy. If a validated Infection occurs in any calendar month,and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. Hosted Service SLA 2 March 2016 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Number of validated infections that occurred during a month Service Credit 1 to 3 Validated Occurrences 25% 4 or more Validated Occurrences 50% D. Spam Inbound Effectiveness SLA DA Proofpoint warrants that the Security Services Hosted Service will detect 99%of inbound spam in each calendar month. D.2 This SLA does not apply to false negatives to invalid Mailboxes. Additionally,this SLA applies only to spam messages processed through Proofpoint's Security Services Hosted Services and does not apply to email sent from users or domains that have been safelisted or whitelisted by Customer within the Security Services Hosted Service. D.3 Proofpoint will make a good faith estimation of the spam capture rate based on the regular and prompt submission to the Security Services Hosted Service support center of all false negatives to report spam missed by Security Services Hosted Service. DA Proofpoint will estimate the percentage of spam detected by the Security Services Hosted Service by dividing the number of spam emails identified by the Security Services Hosted Service as recorded in the Security Services Hosted Service report logs by all spam emails sent to Customer.Proofpoint will estimate all spam emails sent to Customer by adding the number of spam messages (false negatives) missed by the Security Services Hosted Service and reported to the Security Services Hosted Service support team to the number of spam emails detected by the Security Services Hosted Service. D.5 Remedy. If the Security Services Hosted Service detects less than 99%of inbound spam in any calendar month, and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. If monthly average spam capture rate is Service Credit <99% 25% <98% 50% <95% 100% E. Spam Outbound Effectiveness SLA EA Proofpoint warrants that the Security Services Hosted Service will detect 95% of outbound spam in each calendar month. E.2 This SLA does not apply to false negatives to invalid Mailboxes. Additionally,this SLA applies only to spam messages processed through Proofpoint's Security Services Hosted Services and does not apply to email sent from users or domains that have been safelisted or whitelisted by Customer within the Security Services Hosted Service. E.3 Proofpoint will make a good faith estimation of the spam capture rate based on the regular and prompt submission to the Security Services Hosted Service support center of all false negatives to report spam missed by Security Services Hosted Service. EA Proofpoint will estimate the percentage of spam detected by the Security Services Hosted Service by dividing the number of outbound spam emails identified by the Security Services Hosted Service as recorded in the Security Services Hosted Service report logs by all outbound emails sent from the Customer through the Security Services Hosted Service. Proofpoint will calculate the total number of emails sent from the Customer through the Security Services Hosted Service in each calendar month. E.5 Remedy.If the Security Services Hosted Service detects less than 95%of outbound spam in any calendar month,and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. If monthly average spam capture rate is Service Credit <95% 25% <93% 50% <90% 100% F. False Positive SLA F.1 Proofpoint warrants that the ratio of legitimate business email incorrectly identified as spam by the Security Services Hosted Service to all email (inbound and outbound) processed by the Security Services Hosted Service for Customer in any calendar month will not be greater than 1:350,000. F.2 Proofpoint will make a good faith estimation of the false positive ratio based on evidence timely supplied by Customer. F.3 This SLA does not apply to (i) bulk, personal, or pornographic email; (ii)emails containing a majority of non-English language content;or(iii)emails blocked by a policy rule, reputation filtering,or SMTP connection filtering FA Remedy. If Proofpoint does not meet this SLA in any calendar month,and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. False Positive Ratio in a Calendar Month Service Credit Hosted Service SLA 3 March 2016 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 > 1:350,000 250 > 1:50,000 50% > 1:1,000 100% G. Proofpoint Key Service("PKS")System Availability SLA G.1 Proofpoint warrants at least 99.999% PKS System Availability to Customer to access existing encryption keys (e.g. PKS shall not be unavailable more than 26 seconds per month)during each calendar month,excluding Scheduled Maintenance Window and Emergency Maintenance). "System Availability"means the percentage of total time during which PKS is available to Customer, excluding Scheduled Maintenance Window and Emergency Maintenance." G.2 Remedy. If PKS System Availability is less than 99.999%, and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this PKS System Availability SLA has occurred. The Service Credit will be calculated in accordance with the table below. %of PKS System Availability per Calendar Month Service Credit <99.999% 25% <99.0% 50% <98.0% 100% 3. PKS HOSTED SERVICE SLAs. The following SLAs apply if PKS is used in conjunction with the Security Appliance Software: A. PKS System Availability SLA A.1 Proofpoint warrants at least 99.999% PKS System Availability to Customer to access existing encryption keys (e.g. PKS shall not be unavailable more than 26 seconds per month)during each calendar month,excluding Scheduled Maintenance Window and Emergency Maintenance). "System Availability"means the percentage of total time during which PKS is available to Customer, excluding Scheduled Maintenance Window and Emergency Maintenance. A.2 Remedy. If PKS System Availability is less than 99.999%, and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this PKS System Availability SLA has occurred. The Service Credit will be calculated in accordance with the table below. %of PKS System Availability per Calendar Month Service Credit <99.999% 25% <99.0% 50% <98.0% 100% 4. EMAIL ARCHIVING HOSTED SERVICE SLAs. The following SLAB apply to the Email Archiving Hosted Service. A. SYSTEM AVAILABILITY SLA A.1 Proofpoint warrants at least 99.9% Email Archiving Hosted Service System Availability to Customer to access existing archived data(e.g. the Email Archiving Hosted Service shall not be unavailable more than 43 minutes per month)during each calendar month,excluding Scheduled Downtime and Emergency Maintenance). "System Availability"means the percentage of total time during which Email Archiving Hosted Service System is available to Customer, excluding Scheduled Maintenance Window and Emergency Maintenance. A2. Remedy. If the Email Archiving Hosted Service System Availability is less than 99.9%, and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. %of Email Archiving Hosted Service Availability per Calendar Month Service Credit <99.9% 10% <99.0% 15% <95.0% 25% B. SEARCH PERFORMANCE SLA B.1 Provided Customer has purchased the Email Archiving Hosted Service real-time search option, Proofpoint warrants that the median of Email Archiving Hosted Service search requests executed within a given calendar month will occur within 20 seconds or less. B.2 For purposes of this SLA search time refers to the elapsed time from when the Email Archiving Hosted Service datacenter receives the search request to the time at which the Email Archiving Hosted Service is ready to return result information to the Email Archiving Hosted Service Appliance. B.3 This SLA applies only to end-user driven search activities and not those initiated by automated systems. BA This SLA applies only to calendar months in which the customer has performed greater than 250 searches. B.5 Remedy. If in any calendar month the Search Performance SLA is not met and if Customer has fulfilled all of its obligations under the Agreement and this SLA, Proofpoint will provide Customer with a Service Credit for the month in which the failure to meet this SLA has occurred.The Service Credit will be calculated in accordance with the table below. Median of all searches(minimum of 250 searches per Calendar Month) Service Credit Hosted Service SLA 4 March 2016 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno Exhibit B P-24-528 >20 seconds 10% >25 seconds 15% >30 seconds 25% B-1 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Exhibit C Self-Dealing Transaction Disclosure Form In order to conduct business with the County of Fresno ("County"), members of a contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the County and the corporation are parties and in which one or more of its directors has a material financial interest." The definition above will be used for purposes of completing this disclosure form. Instructions (1) Enter board member's name, job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. The form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). C-1 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Exhibit C (1) Company Board Member Information: Name: Date: Job Title: (2) Company/Agency Name and Address: (3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to) (4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code § 5233 (a) (5) Authorized Signature Signature: Date: C-2 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Exhibit D Insurance Requirements 1. Required Policies Without limiting the County's right to obtain indemnification from Proofpoint or any third parties, Proofpoint, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of this Agreement. (A) Commercial General Liability. Commercial general liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. Coverage must include products, completed operations, property damage, bodily injury, personal injury, and advertising injury. Proofpoint shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Subscription Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by the County is excess only and not contributing with insurance provided under Proofpoint's policy. (B) Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages. Coverage must include any auto used in connection with this Agreement. (C)Workers Compensation. Workers compensation insurance as required by the laws of the State of California with statutory limits. (D) Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease. (E) Technology Professional Liability (Errors and Omissions). Technology professional liability (errors and omissions) insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate. Coverage must encompass all of Proofpoint's obligations under this Subscription Agreement, including but not limited to claims involving Cyber Risks. (F) Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The cyber liability policy must be endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of Proofpoint. Definition of Cyber Risks. "Cyber Risks" include but are not limited to(i)Security Breach, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) data breach; (iii) breach of any of Proofpoint's obligations under Exhibit A of this Subscription Agreement; (iv)system failure; (v)data recovery; (vi)failure to timely disclose data breach or Security Breach; (vii) failure to comply with privacy policy; (viii) payment card liabilities and costs; (ix) infringement of intellectual property, including but not limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy, including release of private information; (xi) information theft; (xii) damage to or destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion related to D-1 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Exhibit D Proofpoint's obligations under this Subscription Agreement regarding electronic information, including Personal Information; (xv)fraudulent instruction; (xvi)funds transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response costs, including Security Breach response costs; (xx) regulatory fines and penalties related to Proofpoint's obligations under this Subscription Agreement regarding electronic information, including Personal Information; and (xxi) credit monitoring expenses. 2. Additional Requirements (A) Verification of Coverage. Within 30 days after Proofpoint signs this Subscription Agreement, and at any time during the term of this Subscription Agreement as requested by the County's Risk Manager or the County Administrative Office, Proofpoint shall deliver, or cause its broker or producer to deliver, to the County Risk Manager, at 2220 Tulare Street, 16th Floor, Fresno, California 93721, or HRRiskMa nag ement(a)fresnocountyca.gov, and by mail or email to the person identified to receive notices under this Subscription Agreement, certificates of insurance and endorsements for all of the coverages required under this Subscription Agreement. (i) Each insurance certificate must state that: (1) the insurance coverage has been obtained and is in full force; (2) the County, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3) Proofpoint has waived its right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Subscription Agreement and that waiver does not invalidate the insurance policy. (ii) The commercial general liability insurance certificate must also state, and include an endorsement, that the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, are additional insureds insofar as the operations under this Subscription Agreement are concerned. The commercial general liability insurance certificate must also state that the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by the County shall be excess only and not contributing with insurance provided under Proofpoint's policy. (iii) The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Subscription Agreement. (iv) The technology professional liability insurance certificate must also state that coverage encompasses all of Proofpoint's obligations under this Subscription Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Subscription Agreement. (v) The cyber liability insurance certificate must also state that it is endorsed, and include an endorsement, to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of Proofpoint. (B) Acceptability of Insurers. All insurance policies required under this Subscription Agreement must be issued by admitted insurers licensed to do business in the State of D-2 Docusign Envelope ID:7338665A-4790-4D01-B716-4B7B08D43A03 County of Fresno P-24-528 Exhibit D California and possessing at all times during the term of this Subscription Agreement an A.M. Best, Inc. rating of no less than A: VII. (C) Notice of Cancellation or Change. For each insurance policy required under this Subscription Agreement, Proofpoint shall provide to the County, or ensure that the policy requires the insurer to provide to the County, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, Proofpoint shall, or shall cause the insurer to, provide written notice to the County not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, Proofpoint shall, or shall cause the insurer to, provide written notice to the County not less than 30 days in advance of cancellation or change. Proofpoint in its sole discretion may determine that the failure of Proofpoint or its insurer to timely provide a written notice required by this paragraph is a breach of this Subscription Agreement. (D) County's Entitlement to Greater Coverage. If Proofpoint has or obtains insurance with broader coverage, higher limits, or both, than what is required under this Subscription Agreement, then the County requires and is entitled to the broader coverage, higher limits, or both. To that end, Proofpoint shall deliver, or cause its broker or producer to deliver, to the County's Risk Manager certificates of insurance and endorsements for all of the coverages that have such broader coverage, higher limits, or both, as required under this Subscription Agreement. (E) Waiver of Subrogation. Proofpoint waives any right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under the policy of worker's compensation insurance required by this Subscription Agreement. Proofpoint is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but Proofpoint's waiver of subrogation under this paragraph is effective whether or not Proofpoint obtains such an endorsement. (F) County's Remedy for Contractor's Failure to Maintain. If Proofpoint fails to keep in effect at all times any insurance coverage required under this Subscription Agreement, the County may, in addition to any other remedies it may have, suspend or terminate this Subscription Agreement upon the occurrence of that failure, or purchase such insurance coverage, and charge the cost of that coverage to Proofpoint. The County may offset such charges against any amounts owed by the County to Proofpoint under this Subscription Agreement. (G)Subcontractors. Proofpoint shall require and verify that all subcontractors used by Proofpoint to provide services under this Subscription Agreement maintain insurance meeting all insurance requirements provided in this Subscription Agreement. This paragraph does not authorize Proofpoint to provide services under this Subscritpion Agreement using subcontractors. D-3