The URL can be used to link to this page

Home My WebLink AboutAgreement A-24-668 with ReliaStar Life Insurance Company.pdf Agreement No. 24-668 1 SERVICE AGREEMENT 2 This Service Agreement ("Agreement") is dated December 17, 2024 and is between 3 ReliaStar Life Insurance Company, a Minnesota Corporation, ("Contractor"), and the County of 4 Fresno, a political subdivision of the State of California ("County"). 5 Recitals 6 WHEREAS, the County wishes to provide Life Insurance, Accidental Death and 7 Dismemberment (hereafter, "AD&D") Insurance, as well as an Employee Assistance Program 8 (hereafter, "EAP") to its employees and their eligible family and/or household members; and 9 WHEREAS, Department of Human Resources staff, with assistance from County's 10 broker of record, HUB International, solicited bids for Life Insurance, AD&D Insurance, and EAP 11 services from qualified vendors and Contractor submitted the most responsive bid; and 12 WHEREAS, This Agreement will provide Life Insurance, AD&D Insurance, and EAP 13 services to County employees and their eligible family and/or household members; 14 NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions 15 herein contained, the parties hereto agree as follows: 16 Article 1 17 Contractor's Services 18 1.1 Scope of Services. The Contractor shall perform all of the services provided in 19 Exhibit A to this Agreement, titled "Scope of Services." 20 1.2 Representation. The Contractor represents that it is qualified, ready, willing, and 21 able to perform all of the services provided in this Agreement. 22 1.3 Compliance with Laws. The Contractor shall, at its own cost, comply with all 23 applicable federal, state, and local laws and regulations in the performance of its obligations 24 under this Agreement, including but not limited to workers compensation, labor, and 25 confidentiality laws and regulations. 26 Article 2 27 County's Responsibilities 28 2.1 The County shall provide the administrative services, as set forth in the 1 1 Administration Agreement, attached as Exhibit E ("Administration Agreement") and incorporated 2 herein by this reference, for the policies and services set forth in Exhibit A of this Agreement. 3 Article 3 4 Compensation, Invoices, and Payments 5 3.1 The County agrees to pay, and the Contractor agrees to receive, compensation for 6 the performance of its services under this Agreement as described in Exhibit B to this 7 Agreement, titled "Compensation." 8 3.2 Maximum Compensation. The maximum compensation payable to the Contractor 9 by County under this Agreement for Basic Life Insurance, AD&D Insurance and EAP services, 10 as described in Paragraphs A.1 through A.3, Paragraphs A.7 through A.8, and Paragraphs A.11 11 through A.15 in Exhibit A to this Agreement, is $1,700,000, including extension if approved by 12 the parties under section 4.2, "Extension". There is no aggregate limit on the amount that 13 Contractor may receive from employees who purchase optional life insurance from Contractor 14 as described in Paragraphs A.4 through A.6 of Exhibit A to this Agreement. The Contractor 15 acknowledges that the County is a local government entity, and does so with notice that the 16 County's powers are limited by the California Constitution and by State law, and with notice that 17 the Contractor may receive compensation under this Agreement only for services performed 18 according to the terms of this Agreement and while this Agreement is in effect, and subject to 19 the maximum amount payable under this section. The Contractor further acknowledges that 20 County employees have no authority to pay the Contractor except as expressly provided in this 21 Agreement. 22 3.3 Invoices. An invoice is not required of the Contractor under this Agreement. 23 3.4 Payment. Premiums for life insurance and AD&D insurance shall be remitted by 24 County to Contractor no later than 45 days after the last calendar day of the month in which 25 premiums are collected. 26 3.5 Incidental Expenses. The Contractor is solely responsible for all of its costs and 27 expenses that are not specified as payable by the County under this Agreement. 28 2 1 Article 4 2 Term of Agreement 3 4.1 Term. This Agreement is effective on January 1, 2025 and terminates on December 4 31, 2026, except as provided in section 4.2, "Extension," or Article 6, "Termination and 5 Suspension," below. 6 4.2 Extension. The term of this Agreement may be extended for no more than three (3), 7 one-year periods only upon written approval of both parties at least 30 days before the first day 8 of the next one-year extension period. The Director of Human Resources or his or her designee 9 is authorized to sign the written approval on behalf of the County based on the Contractor's 10 satisfactory performance. The extension of this Agreement by the County is not a waiver or 11 compromise of any default or breach of this Agreement by the Contractor existing at the time of 12 the extension whether or not known to the County. 13 Article 5 14 Notices 15 5.1 Contact Information. The persons and their addresses having authority to give and 16 receive notices provided for or permitted under this Agreement include the following: 17 For the County: 18 Director of Human Resources County of Fresno 19 2220 Tulare Street, 1411 Floor Fresno, CA 93721 20 Email: HRBenefits@FresnoCountyCA.gov Fax: (559) 455-4787 21 For the Contractor: 22 Mona Zielke ReliaStar Life Insurance 23 250 Marquette Avenue, Suite 900 Minneapolis, MN 55401 24 25 5.2 Change of Contact Information. Either party may change the information in section 26 5.1 by giving notice as provided in section 5.3. 27 5.3 Method of Delivery. Each notice between the County and the Contractor provided 28 for or permitted under this Agreement must be in writing, state that it is a notice provided under 3 1 this Agreement, and be delivered either by personal service, by first-class United States mail, by 2 an overnight commercial courier service, by telephonic facsimile transmission, or by Portable 3 Document Format (PDF) document attached to an email. 4 (A) A notice delivered by personal service is effective upon service to the recipient. 5 (B) A notice delivered by first-class United States mail is effective three County 6 business days after deposit in the United States mail, postage prepaid, addressed to the 7 recipient. 8 (C)A notice delivered by an overnight commercial courier service is effective one 9 County business day after deposit with the overnight commercial courier service, delivery fees 10 prepaid, with delivery instructions given for next day delivery, addressed to the recipient. 11 (D)A notice delivered by telephonic facsimile transmission or by PDF document 12 attached to an email is effective when transmission to the recipient is completed (but, if such 13 transmission is completed outside of County business hours, then such delivery is deemed to 14 be effective at the next beginning of a County business day), provided that the sender maintains 15 a machine record of the completed transmission. 16 5.4 Claims Presentation. For all claims arising from or related to this Agreement, 17 nothing in this Agreement establishes, waives, or modifies any claims presentation 18 requirements or procedures provided by law, including the Government Claims Act (Division 3.6 19 of Title 1 of the Government Code, beginning with section 810). 20 Article 6 21 Termination and Suspension 22 6.1 Termination for Non-Allocation of Funds. The terms of this Agreement and the 23 services to be provided in accordance with the issued insurance policies are contingent on the 24 approval of funds by the appropriating government agency. If sufficient funds are not allocated, 25 the services provided may be modified, or this Agreement terminated, at any time by giving the 26 Contractor 30 days' advance written notice. 27 28 4 1 6.2 Termination for Breach. 2 (A) Upon determining that a breach (as defined in paragraph (C) below) has 3 occurred, the County may give written notice of the breach to the Contractor. The written notice 4 may suspend performance under this Agreement, and must provide at least 30 days for the 5 Contractor to cure the breach. 6 (B) If the Contractor fails to cure the breach to the County's satisfaction within the 7 time stated in the written notice, the County may terminate this Agreement immediately. 8 (C) For purposes of this section, a breach occurs when, in the determination of the 9 County, the Contractor has: 10 (1) Obtained or used funds illegally or improperly; 11 (2) Failed to comply with any part of this Agreement; 12 (3) Submitted a substantially incorrect or incomplete report to the County; or 13 (4) Improperly performed any of its obligations under this Agreement. 14 6.3 Termination without Cause. In circumstances other than those set forth above, the 15 County may terminate this Agreement by giving at least 30 days advance written notice of the 16 intent to terminate to the Contractor. 17 6.4 No Penalty or Further Obligation. Any termination of this Agreement by the County 18 under this Article 6 is without penalty to or further obligation of the County. 19 Article 7 20 Independent Contractor 21 7.1 Status. In performing under this Agreement, the Contractor, including its officers, 22 agents, employees, and volunteers, is at all times acting and performing as an independent 23 contractor, in an independent capacity, and not as an officer, agent, servant, employee,joint 24 venturer, partner, or associate of the County. 25 7.2 Verifying Performance. The County has no right to control, supervise, or direct the 26 manner or method of the Contractor's performance under this Agreement, but the County may 27 verify that the Contractor is performing according to the terms of this Agreement. 28 5 1 7.3 Benefits. Because of its status as an independent contractor, the Contractor has no 2 right to employment rights or benefits available to County employees. The Contractor is solely 3 responsible for providing to its own employees all employee benefits required by law. The 4 Contractor shall save the County harmless from all matters relating to the payment of 5 Contractor's employees, including compliance with Social Security withholding and all related 6 regulations. 7 7.4 Services to Others. The parties acknowledge that, during the term of this 8 Agreement, the Contractor may provide services to others unrelated to the County. 9 Article 8 10 Protected Health Information 11 8.1 The parties to this Agreement shall be in strict conformance with all applicable 12 Federal and State of California laws and regulations as further described in Exhibit G, 13 "Protected Health Information Confidentiality Agreement", attached hereto and incorporated 14 herein by this reference. 15 8.2 Safeguards. Contractor shall implement administrative, physical, and technical 16 safeguards as required by applicable law and as further described in the provisions of Exhibit H 17 "Data Security Agreement," attached hereto and incorporated herein by this reference. 18 8.3 Survival. The respective rights and obligations of the parties as stated in this Section 19 shall survive the termination or expiration of this Agreement. 20 8.4 No Waiver of Obligations. No change, waiver or discharge of any liability or 21 obligation hereunder on any one or more occasions shall be deemed a waiver of performance of 22 any continuing or other obligation, or shall prohibit enforcement of any obligation on any other 23 occasion. 24 Article 9 25 Indemnity and Defense 26 9.1 Indemnity. The Contractor agrees to indemnify, save, hold harmless, and at 27 County's request, defend the County, its officers, agents, and employees from any and all costs 28 and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses 6 1 occurring or resulting to County in connection with any negligence, including but not limited to 2 any error or omission, or wrongful conduct, by Contractor, its officers, agents, or employees 3 under this Agreement, and from any and all costs and expenses (including attorney's fees and 4 costs), damages, liabilities, claims, and losses occurring or resulting to any person, firm, or 5 corporation who may be injured or damaged by any negligence, including but not limited to any 6 error or omission, of Contractor, its officers, agents, or employees under this Agreement, except 7 to the extent COUNTY has directly caused or significantly contributed to the error or omission. 8 The County may conduct or participate in its own defense without affecting the Contractor's 9 obligation to indemnify and hold harmless or defend the County. 10 9.2 Survival. This Article 9 survives the termination of this Agreement. 11 Article 10 12 Insurance 13 10.1 The Contractor shall comply with all the insurance requirements in Exhibit D to this 14 Agreement. 15 Article 11 16 Inspections, Audits, and Public Records 17 11.1 Inspection of Documents. The Contractor shall make available to the County, all of 18 the Contractor's records and data with respect to the matters covered by this Agreement, 19 excluding attorney-client privileged communications. The Contractor shall, upon request by the 20 County, and shall not occur more than once annually, permit the County to audit and inspect 21 such records and data to ensure the Contractor's compliance with the terms of this Agreement. 22 11.2 State Audit Requirements. If the compensation to be paid by the County under this 23 Agreement exceeds $10,000, the Contractor is subject to the examination and audit of the 24 California State Auditor, as provided in Government Code section 8546.7, for a period of three 25 years after final payment under this Agreement. This section survives the termination of this 26 Agreement. 27 11.3 Public Records. The County is not limited in any manner with respect to its public 28 disclosure of this Agreement or any record or data that the Contractor may provide to the 7 1 County. The County's public disclosure of this Agreement or any record or data that the 2 Contractor may provide to the County may include but is not limited to the following: 3 (A) The County may voluntarily, or upon request by any member of the public or 4 governmental agency, disclose this Agreement to the public or such governmental agency. 5 (B) The County may voluntarily, or upon request by any member of the public or 6 governmental agency, disclose to the public or such governmental agency any record or data 7 that the Contractor may provide to the County, unless such disclosure is prohibited by court 8 order. 9 (C)This Agreement, and any record or data that the Contractor may provide to the 10 County, is subject to public disclosure under the Ralph M. Brown Act (California Government 11 Code, Title 5, Division 2, Part 1, Chapter 9, beginning with section 54950). 12 (D)This Agreement, and any record or data that the Contractor may provide to the 13 County, is subject to public disclosure as a public record under the California Public Records 14 Act (California Government Code, Title 1, Division 7, Chapter 3.5, beginning with section 6250) 15 ("CPRA"). 16 (E) This Agreement, and any record or data that the Contractor may provide to the 17 County, is subject to public disclosure as information concerning the conduct of the people's 18 business of the State of California under California Constitution, Article 1, section 3, subdivision 19 (b). 20 (F) Any marking of confidentiality or restricted access upon or otherwise made with 21 respect to any record or data that the Contractor may provide to the County shall be 22 disregarded and have no effect on the County's right or duty to disclose to the public or 23 governmental agency any such record or data. 24 11.4 Public Records Act Requests. If the County receives a written or oral request 25 under the CPRA to publicly disclose any record that is in the Contractor's possession or control, 26 and which the County has a right, under any provision of this Agreement or applicable law, to 27 possess or control, then the County may demand, in writing, that the Contractor deliver to the 28 County, for purposes of public disclosure, the requested records that may be in the possession 8 1 or control of the Contractor. Within five business days after the County's demand, the 2 Contractor shall (a) deliver to the County all of the requested records that are in the Contractor's 3 possession or control, together with a written statement that the Contractor, after conducting a 4 diligent search, has produced all requested records that are in the Contractor's possession or 5 control, or (b) provide to the County a written statement that the Contractor, after conducting a 6 diligent search, does not possess or control any of the requested records. The Contractor shall 7 cooperate with the County with respect to any County demand for such records. If the 8 Contractor wishes to assert that any specific record or data is exempt from disclosure under the 9 CPRA or other applicable law, it must deliver the record or data to the County and assert the 10 exemption by citation to specific legal authority within the written statement that it provides to 11 the County under this section. The Contractor's assertion of any exemption from disclosure is 12 not binding on the County, but the County will give at least 10 days' advance written notice to 13 the Contractor before disclosing any record subject to the Contractor's assertion of exemption 14 from disclosure. The Contractor shall indemnify the County for any court-ordered award of costs 15 or attorney's fees under the CPRA that results from the Contractor's delay, claim of exemption, 16 failure to produce any such records, or failure to cooperate with the County with respect to any 17 County demand for any such records. 18 Article 12 19 Disclosure of Self-Dealing Transactions 20 12.1 Applicability. This Article 12 applies if the Contractor is operating as a corporation 21 or changes its status to operate as a corporation. 22 12.2 Duty to Disclose. If any member of the Contractor's board of directors is party to a 23 self-dealing transaction, he or she shall disclose the transaction by completing and signing a 24 "Self-Dealing Transaction Disclosure Form" (Exhibit C to this Agreement) and submitting it to 25 the County before commencing the transaction or immediately after. 26 12.3 Definition. "Self-dealing transaction" means a transaction to which the Contractor is 27 a party and in which one or more of its directors, as an individual, has a material financial 28 interest. 9 1 Article 13 2 General Terms 3 13.1 Modification. Subject to approval by the County's Board of Supervisors, any matter 4 of this Agreement may be modified from time to time by the written consent of all parties 5 without, in any way, affecting the remainder. The Contractor acknowledges that County 6 employees have no authority to modify this Agreement except as expressly provided in this 7 Agreement. 8 13.2 Non-Assignment. Neither party may assign its rights or delegate its obligations 9 under this Agreement without the prior written consent of the other party. Notwithstanding the 10 foregoing, Contractor may subcontract with its subcontractor ComPsych Corporation for the 11 services set forth in Exhibit A, Paragraphs A.11 through A.15, which are to be provided by 12 subcontractor ComPsych Corporation, an Illinois corporation, and Contractor shall be solely 13 responsible for ComPsych Corporation's performance under Exhibit A, Paragraphs A.11 14 through A.15, and for compensating ComPyych Corporation for such performance. 15 13.3 Governing Law. The laws of the State of California govern all matters arising from 16 or related to this Agreement. 17 13.4 Jurisdiction and Venue. This Agreement is signed and performed in Fresno 18 County, California. Contractor consents to California jurisdiction for actions arising from or 19 related to this Agreement, and, subject to the Government Claims Act, all such actions must be 20 brought and maintained in Fresno County. 21 13.5 Construction. The final form of this Agreement is the result of the parties' combined 22 efforts. If anything in this Agreement is found by a court of competent jurisdiction to be 23 ambiguous, that ambiguity shall not be resolved by construing the terms of this Agreement 24 against either party. 25 13.6 Days. Unless otherwise specified, "days" means calendar days. 26 13.7 Headings. The headings and section titles in this Agreement are for convenience 27 only and are not part of this Agreement. 28 10 1 13.8 Severability. If anything in this Agreement is found by a court of competent 2 jurisdiction to be unlawful or otherwise unenforceable, the balance of this Agreement remains in 3 effect, and the parties shall make best efforts to replace the unlawful or unenforceable part of 4 this Agreement with lawful and enforceable terms intended to accomplish the parties' original 5 intent. 6 13.9 Nondiscrimination. During the performance of this Agreement, the Contractor shall 7 not unlawfully discriminate against any employee or applicant for employment, or recipient of 8 services, because of race, religious creed, color, national origin, ancestry, physical disability, 9 mental disability, medical condition, genetic information, marital status, sex, gender, gender 10 identity, gender expression, age, sexual orientation, military status or veteran status pursuant to 11 all applicable State of California and federal statutes and regulation. 12 13.10 No Waiver. Payment, waiver, or discharge by the County of any liability or obligation 13 of the Contractor under this Agreement on any one or more occasions is not a waiver of 14 performance of any continuing or other obligation of the Contractor and does not prohibit 15 enforcement by the County of any obligation on any other occasion. 16 13.11 Entire Agreement. This Agreement, including its exhibits, is the entire agreement 17 between the Contractor and the County with respect to the subject matter of this Agreement, 18 and it supersedes all previous negotiations, proposals, commitments, writings, advertisements, 19 publications, and understandings of any nature unless those things are expressly included in 20 this Agreement. If there is any inconsistency between the terms of this Agreement without its 21 exhibits and the terms of the exhibits, then the inconsistency will be resolved by giving 22 precedence first to the terms of this Agreement without its exhibits, and then to the terms of the 23 exhibits. Notwithstanding the foregoing, the parties understand and acknowledge that any 24 insurance obligations owed to the County or its employees will be governed solely by the terms 25 of the insurance policies issued by the Contractor under the terms of this Agreement. 26 13.12 No Third-Party Beneficiaries. This Agreement does not and is not intended to 27 create any rights or obligations for any person or entity except for the parties. 28 13.13 Authorized Signature. The Contractor represents and warrants to the County that: 11 1 (A) The Contractor is duly authorized and empowered to sign and perform its 2 obligations under this Agreement. 3 (B) The individual signing this Agreement on behalf of the Contractor is duly 4 authorized to do so and his or her signature on this Agreement legally binds the Contractor to 5 the terms of this Agreement. 6 13.14 Electronic Signatures. The parties agree that this Agreement may be executed by 7 electronic signature as provided in this section. 8 (A) An "electronic signature" means any symbol or process intended by an individual 9 signing this Agreement to represent their signature, including but not limited to (1) a digital 10 signature; (2) a faxed version of an original handwritten signature; or (3) an electronically 11 scanned and transmitted (for example by PDF document) version of an original handwritten 12 signature. 13 (B) Each electronic signature affixed or attached to this Agreement (1) is deemed 14 equivalent to a valid original handwritten signature of the person signing this Agreement for all 15 purposes, including but not limited to evidentiary proof in any administrative or judicial 16 proceeding, and (2) has the same force and effect as the valid original handwritten signature of 17 that person. 18 (C)The provisions of this section satisfy the requirements of Civil Code section 19 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, Part 2, 20 Title 2.5, beginning with section 1633.1). 21 (D) Each party using a digital signature represents that it has undertaken and 22 satisfied the requirements of Government Code section 16.5, subdivision (a), paragraphs (1) 23 through (5), and agrees that each other party may rely upon that representation. 24 (E) This Agreement is not conditioned upon the parties conducting the transactions 25 under it by electronic means and either party may sign this Agreement with an original 26 handwritten signature. 27 13.15 Counterparts. This Agreement may be signed in counterparts, each of which is an 28 original, and all of which together constitute this Agreement. 12 1 [SIGNATURE PAGE FOLLOWS] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 13 1 The parties are signing this Agreement on the date stated in the introductory clause. 2 ReliaStar Life Insurance Company COUNTY OF FRESNO 3 4 �• . 5 Mona Ziell , SVP Nathan Magsig, Chairman of the Board of Supervisors of the County of Fresno 6 250 Marquette Avenue Suite 900 Attest: 7 Minneapolis, MN 55401 Bernice E. Seidel Clerk of the Board of Supervisors 8 County of Fresno, State of California 9 By: 10 Deputy 11 For accounting use only: 12 Org No.: 89250200 Account No.: 7295 13 Fund No.: 1060 Subclass No.: 10000 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 14 Exhibit A 1 Scope of Services 2 A.1 Contractor shall provide Class 1 Employees with $10,000 of Life Insurance coverage 3 and $10,000 Accidental Death and Dismemberment (hereafter, "AD&D") Insurance coverage, 4 with premiums paid by County. Class 1 Employees include all active County employees who are 5 not in one of the following employee groups: Management, Senior Management Supervisors, 6 Senior Management, Assistant Department Heads, Department Heads, or Elected Officials. 7 A.2 Contractor shall provide Class 2 Employees with $260,000 of Life Insurance 8 coverage and $260,000 of AD&D Insurance coverage, with premiums paid by County. Class 2 9 Employees include all active County employees who are in one of the following employee 10 groups: Senior Management Supervisors, Senior Management, Assistant Department Heads, 11 Department Heads, or Elected Officials. 12 A.3 Contractor shall provide Class 3 Employees with $61,000 of Life Insurance coverage 13 and $61,000 of AD&D Insurance coverage, with premiums paid by County. Class 3 Employees 14 include all active County employees in the Management employee group. 15 A.4 Contractor shall provide optional life insurance coverage to all active County 16 employees in the amount of$100,000; premiums to be paid by the covered employee. 17 A.5 Contractor shall provide optional life insurance to the spouses of covered employees 18 in the amount of$50,000. Spousal eligibility is contingent upon participation by the employee in 19 optional life insurance coverage as provided in Paragraph A4, above; premiums to be paid by 20 the covered employee. 21 A.6 Contractor shall provide optional life insurance to the children of active County 22 employees in the amount of$10,000. A child's eligibility is contingent upon the child being 23 twenty-six (26) years of age or younger, and participation by the employee in optional life 24 insurance coverage as provided in Paragraph A.4, above; premiums to be paid by the covered 25 employee. 26 A.7 Contractor shall provide Level 1 Funeral Planning & Concierge Services, as well as 27 Travel Assistance Services, as set forth in Exhibit F, to all active County employees who receive 28 A-1 Exhibit A 1 life insurance coverage under this Agreement. There will be no additional charge to the County 2 or its employees for these Services. 3 A.8 Contractor shall conduct biweekly live webinar orientation sessions to introduce and 4 promote the benefits described in Paragraphs A.1 through A.7, above, to new employees. 5 Alternatively, Contractor shall produce a recorded orientation session, which should be no more 6 than 5 minutes. 7 A.9 With regards to eligibility of coverage, in the event of a discrepancy between the 8 foregoing provisions and the terms of the Contractor's Insurance Policies, the terms of the 9 Policies will govern. 10 A.10 Contractor shall provide Employee Assistance Program (EAP) services, as set forth 11 in Paragraphs A.11 through A.15, below, through its subcontractor ComPsych Corporation. 12 These EAP services shall be provided pursuant to the terms of this Agreement. The County 13 shall look to the Contractor for compliance with this Agreement and not deal directly with any 14 subcontractor, except as specifically provided herein. 15 A.11 EAP Counseling Services 16 (A) Provide up to three (3) face to face counseling sessions per person per issue per 17 rolling 6-month period for the County's employees and their family/household members. 18 (B) Provide unlimited telephonic consulting for the County's employees and their 19 family/household members. 20 (C) Upon request, provide or make a referral to a bilingual counselor according to the 21 language needs of the employee or family/household member. Languages needed include 22 English, Spanish, Hmong, and Laotian. 23 (D) Maintain a toll-free telephone number accessible on a 24-hour, 7 days per week 24 basis, where Professional EAP counselors shall provide live, immediate crisis telephone 25 counseling. These services should be provided in multiple languages, including English, 26 Spanish, and Hmong. 27 (E) Maintain a website where employees may access services, information, 28 webinars, etc. A-2 Exhibit A 1 (F) Provide substance abuse case management and support for return-to-work 2 transition. 3 (G)Provide direct supervisory referrals for work performance problems. 4 A.12 EAP —Work Life Services 5 (A) Provide personalized attention and resources that cover all aspects of work-life 6 needs including, but not limited to: childcare, education, adoption, pet care, elder care, and 7 personal convenience services. 8 (B) Provide legal information, assistance, which includes: 9 i. Immediate, confidential access to staff attorneys 10 ii. Unlimited telephonic and online access to legal information from licensed 11 attorneys 12 iii. Access to a credentialed national network of lawyers for in-person 13 consultation 14 iv. Referral to lawyers in the community at discounted fees 15 v. Comprehensive legal resource database 16 vi. Wide variety of no-cost legal options 17 (C) Provide access to financial experts in many areas of money management and 18 planning with: 19 vii. Unlimited telephonic and online access 20 viii. On-staff CPAs and other financial experts 21 ix. Nationwide network of Certified Financial Planners 22 x. User-friendly online financial planning tools 23 A. Recommended books and articles 24 xii. Student Loan resources and guidance 25 A.13 EAP — On-Site and/or Live Services 26 (A) Provide a bank of 110 hours of on-site and/or live service as described below. 27 ComPsych agrees that the aforementioned bank shall not be reduced by the travel time of the 28 professionals providing the services described below. A-3 Exhibit A 1 (B) Conduct critical incident stress debriefings for traumatic events, including death 2 of an employee, workplace accidents, natural disasters and violence in the workplace within 24 3 hours of urgent requests or within five (5) days for non-urgent requests. A minimum of two (2) 4 hours per incident for each debriefing shall be provided. 5 (C)At minimum, one (1) representative shall attend the County's annual Open 6 Enrollment fairs to assist with explanation of services and to provide promotional materials. 7 Typically, the County has one (1) major health and wellness fair and several satellite fairs over 8 the course of a one-week period during the Open Enrollment period. 9 (D) Provide customized on-site and/or webinar training on a variety of subjects 10 including, but not limited to, mental health, financial, legal, emotional and wellness topics. 11 (E) Provide on-site and/or web-based training to supervisors and managers on 12 employment related issues. 13 (F) Conduct biweekly live webinar orientation sessions to introduce and promote the 14 benefits described in Paragraphs A.1 through A.7, above, to new employees. Alternatively, 15 produce a recorded orientation session, which should be no more than five (5) minutes. 16 A.14 EAP —Administration/Transition 17 (A) Provide a designated account manager, who will report to the Director of Human 18 Resources or their designee. The account manager shall return emergency calls/emails within 19 30 minutes and routine calls/emails within 24 hours. 20 (B) Provide quarterly utilization reports with executive overview; annual cost analysis 21 availability upon request, and full color graphs and charts that display key metrics and 22 demographic data. 23 (C) If applicable, a transition plan for services that are in progress at the time of 24 change-over from the existing employee assistance provider to the new service provider shall 25 be provided. 26 A.15 EAP — Program Promotion 27 (A) Consult with and make recommendations to, County staff regarding the 28 implementation, promotion, and administration of EAP services. A-4 Exhibit A 1 (B) Provide, at Contractor's expense, printed, color promotional materials as well as 2 online access to all marketing materials for electronic distribution. Such materials shall include, 3 but are not limited to, posters, brochures, flyers, and wallet cards. 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 A-5 Exhibit B 1 Compensation 2 The Contractor will be compensated for performance of its services under this 3 Agreement as provided in this Exhibit B and subject to the Maximum Compensation described 4 in Article 3, above. The Contractor is not entitled to any compensation except as expressly 5 provided in this Exhibit B. 6 B.1 Basic Life Insurance, Accidental Death & Dismemberment Insurance, and EAP 7 Services. County shall compensate Contractor as follows: 8 (A) For each Class 1 Employee, Contractor shall receive $0.60 per covered 9 employee per biweekly pay period. 10 (B) For each Class 2 Employee, Contractor shall receive $15.60 per covered 11 employee per biweekly pay period. 12 (C) For each Class 3 Employee, Contractor shall receive $3.66 per covered 13 employee per biweekly pay period. 14 The compensation per covered employee per biweekly pay period is based on a monthly 15 cost of$0.115 per $1,000.00 of Basic Life Insurance coverage and $0.015 per $1,000.00 of 16 Accidental Death & Dismemberment Insurance coverage. The cost of EAP Services is included 17 in the compensation referenced in this Paragraph B.1. 18 B.2 Supplemental Life Insurance. Employees and their spouse and/or eligible children 19 who choose to enroll in a supplemental life insurance policy shall pay the insurance premium 20 subject to the following monthly rates per $1,000 of coverage, based on their age: 21 a. Under 25 years of age: $0.06; 22 b. 25-29 years of age: $0.07; 23 c. 30-34 years of age: $0.08; 24 d. 35-39 years of age: $0.11; 25 e. 40-44 years of age: $0.16; 26 f. 45-49 years of age: $0.23; 27 g. 50-54 years of age: $0.37; 28 h. 55-59 years of age: $0.60; B-1 Exhibit B 1 i. 60-64 years of age: $0.94; 2 j. 65-69 years of age: $1.76; and 3 k. 70 years of age and older: $2.85. 4 I. All children of the employee: $0.14 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 B-2 Exhibit C Self-Dealing Transaction Disclosure Form In order to conduct business with the County of Fresno ("County"), members of a contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest." The definition above will be used for purposes of completing this disclosure form. Instructions (1) Enter board member's name, job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. The form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). C-1 Exhibit C (1) Company Board Member Information: Name: Date: Job Title: (2) Company/Agency Name and Address: (3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to) (4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code § 5233 (a) (5) Authorized Signature Signature: Date: C-2 Exhibit D Insurance Requirements 1. Required Policies Without limiting the County's right to obtain indemnification from the Contractor or any third parties, Contractor, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of this Agreement. (A) Commercial General Liability. Commercial general liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. Coverage must include products, completed operations, property damage, bodily injury, personal injury, and advertising injury. The Contractor shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by the County is excess only and not contributing with insurance provided under the Contractor's policy. (B) Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) combined single limit each accident. Coverage must include any auto used in connection with this Agreement. (C)Workers Compensation. Workers compensation insurance as required by the laws of the State of California with statutory limits. (D) Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease. (E) Professional Liability. Professional liability insurance with limits of not less than One Million Dollars ($1,000,000) per claim and an annual aggregate of Three Million Dollars ($3,000,000). If this is a claims-made policy,; (2) the Contractor shall maintain the policy and provide to the County annual evidence of insurance for not less than five years after completion of services under this Agreement; and (3) if the policy is canceled or not renewed, and not replaced with another claims-made policy with a retroactive date prior to the date on which services begin under this Agreement, then the Contractor shall purchase extended reporting coverage on its claims-made policy for a minimum of one year after completion of services under this Agreement. (F) Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per claim. Coverage must include claims involving Cyber Risks. The cyber liability policy must be endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security Breach, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) data breach; (iii) breach of any of the Contractor's obligations under Exhibit G of this Agreement; (iv) system failure; (v) data recovery; (vi) failure to timely disclose data breach or Security Breach; (vii) failure to comply with privacy policy; (viii) payment D-1 Exhibit D card liabilities and costs; (x) invasion of privacy, including release of private information; (xi) information theft; (xii) damage to or destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; (xv) fraudulent instruction; (xvi) funds transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response costs, including Security Breach response costs; (xx) regulatory fines and penalties related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; and (xxi) credit monitoring expenses. 2. Additional Requirements (A) Verification of Coverage. Within 30 days after the Contractor signs this Agreement, and at any time during the term of this Agreement as requested by the County's Risk Manager or the County Administrative Office, the Contractor shall deliver, or cause its broker or producer to deliver, to the County Risk Manager, at 2220 Tulare Street, 16th Floor, Fresno, California 93721, or HRRiskManagement@fresnocountyca.gov, and by mail or email to the person identified to receive notices under this Agreement, certificates of insurance and endorsements for all of the coverages required under this Agreement. (i) Each insurance certificate must state that: (1) the insurance coverage has been obtained and is in full force; (2) the County, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3) the Contractor has waived its right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Agreement and that waiver does not invalidate the insurance policy. (ii) The commercial general liability insurance certificate must also state, and include an endorsement, that the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, are additional insureds insofar as the operations under this Agreement are concerned. The commercial general liability insurance certificate must also state that the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by the County shall be excess only and not contributing with insurance provided under the Contractor's policy. (iii) The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Agreement. (iv) The technology professional liability insurance certificate must also state that coverage encompasses all of the Contractor's obligations under this Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Agreement. (v) The cyber liability insurance certificate must also state that it is endorsed, and include an endorsement, to cover the full replacement value of damage to, D-2 Exhibit D alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. (B) Acceptability of Insurers. All insurance policies required under this Agreement must be issued by admitted insurers licensed to do business in the State of California and possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no less than A-: VI I. (C) Notice of Cancellation or Change. For each insurance policy required under this Agreement, the Contractor shall provide to the County, or ensure that the policy requires the insurer to provide to the County, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 30 days in advance of cancellation or change. The County in its sole discretion may determine that the failure of the Contractor or its insurer to timely provide a written notice required by this paragraph is a breach of this Agreement. (D)Waiver of Subrogation. The Contractor waives any right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under the policy of worker's compensation insurance required by this Agreement. The Contractor is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but the Contractor's waiver of subrogation under this paragraph is effective whether or not the Contractor obtains such an endorsement. (E) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails to keep in effect at all times any insurance coverage required under this Agreement, the County may, in addition to any other remedies it may have, suspend or terminate this Agreement upon the occurrence of that failure, or purchase such insurance coverage, and charge the cost of that coverage to the Contractor. The County may offset such charges against any amounts owed by the County to the Contractor under this Agreement. (F) Subcontractors. The Contractor shall require and verify that all subcontractors used by the Contractor to provide services under this Agreement maintain insurance meeting all insurance requirements provided in this Agreement. This paragraph does not authorize the Contractor to provide services under this Agreement using subcontractors. D-3 EXHIBIT E i ADMINISTRATION AGREEMENT ReliaStar Life Insurance Company, Minneapolis, MN VOVA. ReliaStar Life Insurance Company of New York,Woodbury, NY Members of the Voya°family of companies ff FINANCIAL (the "Company") Policyholder Name(the"Policyholder)County of Fresno Policy Effective Date 12/31/2 018 Insurance Contracts.The Company issues insurance policies and certificates based on your application and our state approved products(the"Policies"). Our obligations are determined solely by the terms of the policies we issue. EXCESS RISK COVERAGE Claim Administration.Upon determination of a potential claim under the Policy,you will confirm employees'eligibility for coverage and provide required eligibility and claim documentation to the Company,either directly or through your health claim administrator.The Company shall be responsible for all claim reviews,determinations and payments under the Policy. Confidentiality.We will keep confidential all information provided to us byyou or your health claims administrator in connection with the Policy,in compliance with applicable law.You authorize your health claims administrator,if any,to release to the Company information and data regarding claims paid to be used in connection with the Policy. GROUP ANNUAL TERM LIFE, PERSONAL ACCIDENT INSURANCE, DISABILITY, CRITICAL ILLNESS, ACCIDENT AND/OR HOSPITAL CONFINEMENT INDEMNITY COVERAGE Policy Administration.Your group policywill be"Self-Administered".This means thatyou or a third partythat you engage will be responsible to maintain all enrollment,beneficiary,and billing records for the Policies(as applicable).The records you keep must provide the ability for you and/or your employees to: •appropriately apply Policy limits and rules • know how much coverage the employee has at all times • provide the employee with the appropriate"Conversion"and/or"Portability"documentation(as applicable) •set up any payroll deductions correctly • pay premium to the insurance company with supporting documentation •file a claim The parties agree that the Policies will be self-administered by Policyholder and that the insurance charges reflect that arrangement. Communications.All forms and other materials we provide to you must be presented to employees without alteration.Any benefit and eligibility descriptions you or your third party service provider communicates to employees must be consistent with the materials and guidelines we provide to you.We will work carefully with you to make corrections in the case of any inadvertent error in communications. However, you are responsible for any costs incurred in correcting errors caused by incorrect data you provide to employees or to Company,including incorrect benefit descriptions and eligibility determinations. Evidence of Insurability. If evidence of insurability is required in connection with an application for coverage under the terms of a Policy,you will apply the evidence of insurability rules appropriately,obtain the necessary forms from any applicant for such coverage and provide those forms to the Company. Claim Administration.Upon receipt of notice of a potential claim under a Policy,you will confirm employees'eligibility for coverage and provide required claim documentation at the Company's request.The Company shall be responsible for all claim reviews,determinations and payments. Certificates of Insurance and Summary Plan Description. If you request that we provide Summary Plan Description(s)("SPD")for distribution to ERISA plan participants, we will provide the SPD using our standard language and format unless otherwise directed by you. If we agree to electronically post certificates of insurance and/or SPDs for access by your employees, you are responsible for assuring that each covered employee is informed how the documents can be accessed and that each employee has access or otherwise receives a copy(ies) of these documents.Any legal advice as to the style, format,content or distribution of the SPD or distribution of the certificate of insurance must be provided by your legal counsel.We are unable to provide legal advice to your plan and assume no responsibility for meeting ERISA's disclosure requirements. Self-Administered Page 1 of 2-Incomplete without all pages. Order#173385 County of Fresno 11/16/2018 GENERAL ADMINISTRATION —ALL PRODUCTS: Record Keeping.You agree to maintain accurate books and records documenting the administration of the Policies, including employee demographics, eligibility records,dependent data,coverage amounts,enrollment history,payroll deductions,benefit elections and beneficiary designations(as applicable). Such records must be maintained for a period of seven(7)years following termination of the Policies to which they relate.Upon reasonable notice,we shall have the right to review,inspect and audit,at our expense,the books, records,data files or other information maintained by you or your vendor related to the Policies. Transmission of Data.You are responsible for the accuracy and security of data transmitted to us, including data transmitted by any third party service provideryou engage to assist in administration of your benefit plans.Each partywill establish and maintain(1)administrative,technical and physical safeguards against the destruction, loss or alteration of data,and (2)appropriate security measures to protect data,which measures are consistent with all state and federal regulations relating to personal information security,including,without limitation,the Gramm-Leach-Bliley Act. Premium payment.If you engage a third party to submit premium to us,we will not consider the premium paid until it is received in our Home Office. General terms.This Agreement will remain in effect during the duration of the Policy and will terminate automatically upon termination of all Policies.This Agreement may be amended only in writing signed by both parties. In the event of any conflict or inconsistency between the terms of this Agreement and the terms of any Policy,the terms of the Policy shall control. Governing law.This Agreement shall be governed in all respects,including validity,interpretation and effect,without regard to principles of conflict of laws, by the law of the state where the Policy is issued. Accepted and Agreed to: Policyholder Name(Please print.)County of Fresno 6* Policyholder Authorized Signature Date Print signer's name and title Nathan Magsig, Chairperson of the County of Fresno Board of Supervisors RELIASTAR LIFE INSURANCE COMPANY RELIASTAR LIFE INSURANCE COMPANY OF NEW YORK Company Authorized Signature Date Print signer's name and title Mona Zielke,Vice President Self-Administered Page 2 of 2-Incomplete without all pages. Order#173385 County of Fresno 11/16/2018 EXHIBIT F Bereavement Support, including Funeral Planning & Will Preparation We work with Empathy to offer employer groups concierge Bereavement Support, including Funeral Planning &Will Preparation. Combining technology and human care, Empathy helps families prepare for the future and navigate the emotional and practical challenges associated with loss. From preparing a will to making decisions about funeral plans, Empathy offers an impactful solution for your employees and their families, providing meaningful ways to help relieve families' burden in the weeks and months after losing a loved one. Employees will have access to the following benefits: Bereavement Support Services o On-demand dedicated bereavement concierge, to include: o Custom Care Plan tailored to the family's most urgent needs. o For each family, a dedicated Care Manager, working with them step-by-step. o On-demand assistance and access to the entire Care Team. o Curated bereavement tools, such as: o Obituary creator. A beautifully written o Account closing. Closing unneeded obituary, crafted in minutes. financial accounts, subscriptions, and o Grief resources. Guided meditations, memberships. audio companions, and a journaling tool. o Family collaboration system. Intuitive o Benefits claims tool. Benefits claims for dashboard for family members to other benefits (e.g., non-life insurance share tasks, resources, and progress. policy claims such as Social Security, o Secure, scanned document storage. Veteran's Administration). Storage for important papers in one o Probate & estate administration. State- secured location. specific guidance and resources on probate process. Bereavement Support,including Funeral Planning&Will Preparation services are provided by The Empathy Project,Inc.,New York,NY. Provisions and availabilityof each service may vary by state. PLAN Issued by ReliaStar Life Insurance Company INVESTVOVA. A member of the Voya°family of companies PROTECT FINANCIAL Travel Assistance Services About Voya Travel Assistance Travel assistance services have become increasingly important for employers looking to provide employees and their dependents a sense of security when traveling away from home or the office. For this reason, Voya Employee Benefits is pleased to announce its collaboration with Europ Assistance USA,to provide the Voya Travel Assistance Program. Voya Travel Assistance Services are provided by Europ Assistance USA, Bethesda, MD. Availability may vary by state. Services When traveling more than 100 miles from home,whether domestic or international travel, Voya Travel Assistance provides eligible participants four types of services: Emergency Transportation Services, Medical Assistance Services, Emergency Personal Services, and Pre-trip Information. These services are described in further detail below. Eligible participants will have toll-free access to the Voya Travel Assistance customer service center 24 hours a day from anywhere in the world. Emergency Transportation Services This service offers the following features: Emergency Evacuation/Medically Necessary Repatriation: In the event of a medical emergency where it is determined medically necessary for an eligible participant to be transported under medical supervision to the nearest hospital or treatment facility or to be returned to his/her place of residence for treatment,Voya Travel Assistance will arrange and pay for the transport under proper medical supervision. All decisions as to the medical need for evacuation and/or return home,the means and/or timing of any evacuation, the medical equipment and escort to be used, and the final destination are decisions which will be made by physicians designated by Voya Travel Assistance in consultation with a local attending physician based on medical factors. Visit by a Family Member or Friend: If an eligible participant is traveling alone and is likely to be hospitalized for seven (7) consecutive days, or is in critical condition, Voya Travel Assistance will arrange and pay for economy class round trip transportation for one(1)member of the eligible participant's immediate family or one(1)friend designated by the eligible participant from his or her home to the place where he or she is hospitalized. Traveling Companion Transportation: If a travel companion loses previously made travel arrangements due to an eligible participant's medical emergency, Voya Travel Assistance will arrange and pay for the traveling companion's return home by the most direct and economical route. Return of Dependent Children: If an eligible participant is traveling alone and is likely to be hospitalized for seven (7)consecutive days, or is in critical condition and dependent children traveling with the eligible participant are left unattended because the eligible participant is in the hospital, Voya Travel Assistance will arrange and pay for their economy class transportation home with a qualified escort if necessary. Return of Mortal Remains: In case of death while traveling, Voya Travel Assistance will arrange and pay for the proper return of remains to the deceased's place of residence for burial, including all necessary government authorizations and transportation. Medical Assistance Services If medical care is required while abroad, Voya Travel Assistance can assist in the following ways: Medical Referrals: Voya Travel Assistance will assist eligible participants in finding physicians, dentists, and medical facilities. Medical Monitoring: During the course of a medical emergency, professional case managers, including physicians and nurses, will make sure the appropriate level of care is maintained or determine if further intervention, medical transportation, or possible repatriation (return to U.S.) is needed. Page 37 PLAN ReliaStar Life Insurance Company INVESTVOVA. A member of the Voya®family of companies PROTECT FINANCIAL Emergency Medical Payments: When it is necessary for an eligible participant to obtain medical services, Voya Travel Assistance, upon request,will advance up to$10,000 to cover on-site medical expenses. The advance of funds will be made to the medical provider after Voya Travel Assistance has secured funds from the eligible participant or the eligible participant's family. Replacement of Medication and Eyeglasses: Voya Travel Assistance will arrange to fill a prescription that has been lost, stolen, or requires a refill, subject to local law,whenever possible. Voya Travel Assistance will also arrange for shipment of replacement eyeglasses. Costs for shipping of medication or eyeglasses, or a prescription refill, etc.are the eligible participant's responsibility. Emergency Personal Services To prepare for unexpected situations of a non-medical nature,Voya Travel Assistance offers these services: Urgent Messages: Voya Travel Assistance can send urgent messages and keep messages for eligible participants in its offices for up to 15 days. Emergency Travel Arrangements: If appropriate, Voya Travel Assistance will make new travel arrangements or change airline, hotel, and car rental reservations. Emergency Cash: Voya Travel Assistance will advance up to$500 after satisfactory guarantee of reimbursement from an eligible participant. Any fees associated with the transfer or the delivery of funds are the eligible participant's responsibility. Location Lost/Stolen Luggage/Personal Possessions: Voya Travel Assistance will assist in locating and replacing lost or stolen luggage, documents, and personal possessions. Legal Assistance/Bail: Voya Travel Assistance will locate an attorney and advance bail funds, where permitted by law,with satisfactory guarantee of reimbursement (the eligible participant must pay attorney fees). Interpretation/Translation: Voya Travel Assistance will assist with the telephone interpretation in all major languages or will refer a eligible participant to an interpretation or translation service for written documents. PreTrip Information Voya Travel Assistance offers a wide range of information services before an eligible participant leaves home, including: Visa, Passport, Inoculation and Immunization Requirements Foreign Exchange Rates Cultural Information Travel Advisors Temperature and Weather Conditions International "Hot Spots" Embassy and Consular Referrals Plan Administration In the event of an Emergency Medical situation involving an employee or their dependent, Voya Travel Assistance will need to contact the Group Policyholder to verify coverage. Voya Travel Assistance will contact in this order: The Billing Contact as identified by Voya Employee Benefits The Case Contact as identified by Voya Employee Benefits It is the responsibility of the Group Policyholder to notify both Voya Employee Benefits and Voya Travel Assistance if you change your contact person. The Contact will be required to provide verification that(a)the Group Policyholder has current coverage with ReliaStar Life Insurance Company, and (b)the employee is individually covered under the Group Policy. Payment for Services After coverage has been verified, Voya Travel Assistance will arrange and pay for the following within the guidelines previously described: Emergency Evacuation Medically Necessary Repatriation Return of Dependent Children Visit by a Family Member or Friend Return of Mortal Remains Traveling Companion Transportation These services are only eligible for payment by Voya Travel Assistance if Voya Travel Assistance is contacted at the time of service and arranged for the service. Page 38 PLAN ReliaStar Life Insurance Company INVESTVOVA. A member of the Voya®family of companies PROTECT FINANCIAL Terminations Europ Assistance USA will provide Travel Assistance services under the Voya Travel Assistance Program until the Group Policyholder's expiration or cancellation date,whichever comes first, or if Voya Employee Benefits terminates its Travel Assistance Program with Europ Assistance USA. Exclusions and Limitations A. Voya Travel Assistance shall not evacuate or repatriate an eligible participant if the individual has a)infections that are under treatment that have not yet healed or b)if the individual is pregnant and is either in or passed her sixth month of pregnancy or c) if the Voya Travel Assistance designated physician determines that such transport is not medically advisable or necessary. B. Voya Travel Assistance shall not provide benefits and/or services enumerated if the coverage is sought as a result of: Suicide or attempted suicide; Spelunking or caving, heliskiing, extreme skiing; Intentionally self-inflicted injuries; Pregnancy or childbirth (except for complications of War, invasion, acts of foreign enemies, hostilities between pregnancy); nations (whether declared or not),civil war; Curtailments or delayed return for other than medical Participation in any military maneuver or training exercise; reasons; Being under the influence of alcohol; Traveling for the purpose of securing medical treatment; Being under the influence of drugs or intoxicants unless Injury or illness which can be treated locally and does not prescribed by a physician; prevent the continuing of the trip; Commission or the attempt to commit a criminal act; Travel undertaken against the advice of a physician; Participation in bodily contact sports, skydiving, Service not shown as covered. hang-gliding, parachuting, mountaineering, any race, bungee cord jumping, or speed contest; C. The services described above currently are available in every country except Afghanistan, Somalia, Eritrea, Yemen and Eastern Timor. Voya Travel Assistance reserves the right to update the list of countries in which its services are not available. It is the responsibility of the eligible participant to inquire whether a country is"open"for assistance prior to his or her departure and during his or her stay. Voya Travel Assistance also reserves the right to suspend, curtail or limit its services in any area in the event of rebellion, riot, military uprising, war,terrorism, labor disturbance, strikes, nuclear accidents, acts of god or refusal of authorities to permit Voya Travel Assistance to fully provide services. If an eligible participant requests transport related to a condition for which a transport has not been deemed medically necessary by a physician designated by Voya Travel Assistance in consultation with a local attending physician or to any condition excluded hereunder, and the Group Policyholder agrees to be financially responsible for all expenses related to that transport, Voya Travel Assistance will arrange but not pay for such transport to a medical facility or to the eligible participant's residence and will make such arrangements using the same degree of care and completeness as if Voya Travel Assistance was providing service under this agreement. Voya Travel Assistance shall not be responsible for any claim, damage, loss, costs, liability or expense which arises in whole or in part as a result of Voya Travel Assistance's inability to contact the Group Policyholder's authorized Contact for any reason beyond Voya Travel Assistance's control or as a result of the failure and/or refusal of the Group Policyholder to authorize services proposed by Voya Travel Assistance. Page 39 PLAN ReliaStar Life Insurance Company INVESTVOVA. A member of the Voya®family of companies PROTECT FINANCIAL EXHIBIT G PROTECTED HEALTH INFORMATION CONFIDENTIALITY AGREEMENT This Protected Health Information Confidentiality Agreement (the "Agreement") is entered into as of May 1, 2020 (the "Agreement Effective Date") by and between ReliaStar Life Insurance Company or its affiliate ReliaStar Life Insurance Company of New York (the "Company"), and the County of Fresno (the "Employer"). Employer shall be referred to herein as a "Disclosing Party". RECITALS A. The Employer is seeking to purchase or has purchased compass critical illness, accident, and hospital confinement indemnity policies (collectively, the "Policy") from the Company to cover employees. B. The Disclosing Party may provide or disclose Protected Health Information (as defined below)to the Company in connection with the underwriting or payment of claims under the Policy. C. The purpose of this agreement is to limit the use and disclosure of PHI by the Company to the purposes provided for herein and to provide reasonable assurances to Disclosing Party that the Company will maintain appropriate safeguards to protect PHI from any use or disclosure contrary to this Agreement and the Privacy Rule and Security Rule to the extent applicable (each as defined below). SECTION 1: DEFINITIONS (a) Breach. "Breach"shall have the same meaning given to such term in 45 C.F.R. § 164.402, as may be amended from time to time. (b) Data Aggregation. "Data Aggregation" shall mean, with respect to Protected Health Information received by the Company, the combining of such Protected Health Information with Protected health information received by the Company under other stop-loss policy or policies, to permit data analyses as they relate to Health Care Operations. (c) Designated Record Set. "Designated Record Set" shall have the same meaning as the term "designated record set"in 45 C.F.R§ 164.501, as may be amended from time to time. (d) Electronic Protected Health Information. "Electronic Protected Health Information" shall have the same meaning as "electronic protected health information" in 45 C.F.R. § 160.103, as may be amended from time to time. (e) Health Care. "Health Care" shall have the same meaning as the term "health care" in 45 C.F.R. § 160.103, as may be amended from time to time. (f) Health Care Operations. "Health Care Operations" shall have the same meaning as the term "health care operations" in 45 C.F.R. § 164.501, as may be amended from time to time and shall include, but not be limited to, underwriting of the Policy including activities of the Company for the reinsurance of the Policy. (g) Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R § 160.103 and shall include a person's personal representative who is treated as the Individual in accordance with 45 C.F.R§ 164.502(g), as each may be amended from time to time. (h) Limited Data Set."Limited Data Set"shall have the same meaning as the term "limited data set" in 45 C.F.R. § 164.514(e), as may be amended from time to time. 1 I Page (i) Payment. "Payment" shall mean the same meaning as payment in 45 C.F.R. § 164.501, as may be amended from time to time, and shall include activities for the purpose of obtaining payment under the Policy and shall include, but not be limited to, Policy claim review, assessing primary and secondary coverage as between the Policy and the Group Health Plan under coordination of benefit provisions, pursuing subrogation claims and rights and submission of claim information under reinsurance policies or treaties between the Company and an insurance company that provides reinsurance benefits to the Company with respect to the Policy. (j) Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R part 160 and part 164, subparts A and E, as may be amended from time to time, as applied to the Company's use and disclosure of PHI provided for in this Agreement. (k) Protected Health Information ("PHI"). "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 C.F.R § 160.103, as may be amended from time to time, limited to the information received by the Company from any Disclosing Party. (1) Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R § 164.103, as many be amended from time to time. (m) Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee. (n) Security Rule. "Security Rule" shall mean the Security Standards at 45 C.F.R. Parts 160 and Part 164, Subparts A and C, as may be amended from time to time, as applied to the Company's use and disclosure of PHI provided for in this Agreement. (o) Transactions. "Transactions" shall have the same meaning as the term "transactions" in 45 C.F.R. § 164.103, as may be amended from time to time. (p) Unsecured PHI. "Unsecured PHI" shall have the same meaning given to such term under 45 C.F.R. § 402), as may be amended from time to time. SECTION 2: LIMITED DATA SET - PERMITTED USES AND DISCLOSURES 2.1 Permitted Uses and Disclosures. The Company may use PHI provided to it in the form of a Limited Data Set solely for the underwriting of the Policy. Except as provided for in Section 3 of this Agreement, the Company shall not use or disclose PHI under this Section for any other purpose. 2.2 Identification. The Company agrees not to undertake any action during the underwriting process and the placement of the Policy which may cause the PHI, including the Limited Data Set, to identify any Individual, nor shall the Company knowingly contact any Individual whose PHI is included in the Limited Data Set. 2.3 Policy Not Issued. Upon conclusion or termination of the underwriting process in which the Policy is not issued by the Company, the Company shall destroy any property received from any party which may be in the Company's possession including all PHI, confidential information, products, materials, memoranda, notes, records, reports, or other documents or photocopies of the same, including without limitation any of the foregoing recorded on any computer or any machine readable medium. 2 1 P a g e SECTION 3: PHI — PERMITTED USES AND DISCLOSURES 3.1 Purpose of PHI Disclosure. The Disclosing Party may provide and disclose PHI to the Company for underwriting of the Policy. 3.2 Permitted Uses. The Company may use PHI received from the Disclosing Party solely for the purpose for which it is provided as specified in Section 3.1 of this Agreement. 3.3 Permitted Disclosures. The Company may disclose PHI for underwriting and the payment of claims under the Policy provided that the Company obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon the Company pursuant to this Agreement)and the person agrees to notify the Company of any use or disclosure of PHI of which it becomes aware in which the confidentiality of the information has been breached. 3.4 Required by Law. The Company may disclose the PHI if and to the extent that such disclosure is Required by Law. 3.5 Data Aggregation. The Company may use PHI to provide Data Aggregation services, including use of PHI for statistical compilations, reports, research and all other purposes allowed under applicable law. 3.6 De-identified Data. The Company may create de-identified PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b), as may be amended from time to time, and may use or disclose such de-identified data for any purpose. SECTION 4: OBLIGATIONS OF THE COMPANY 4.1 Privacy of PHI. The Company will maintain appropriate safeguards to reasonably protect PHI from any intentional or unintentional use or disclosure contrary to this Agreement and the Privacy Rule. 4.2 Security of PHI. The Company shall ensure that its information security programs include appropriate administrative, physical and technical safeguards designed to prevent the use or disclosure of confidential information, such as the PHI received by the Company, contrary to this Agreement and the Security Rule. 4.3 Notification of Disclosures. The Company will report to the Disclosing Party any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. 4.4 Notification of Breach. The Company will notify the Disclosing Party of any Breach of Unsecured PHI as soon as practicable, and no later than 30 days after discovery of such Breach. The Company's notification of a Breach will include: (a)the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Company to have been, accessed, acquired or disclosed during the Breach; and (b) any particulars regarding the Breach that the Employer would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404,as may be amended from time to time. 4.5 Mitigation. To the extent practicable,the Company will cooperate with the Disclosing Party's efforts to mitigate a harmful effect that is known to the Company of a use or disclosure of PHI not provided for in this Agreement. 4.6 HIPAA Compliance Support. The Company agrees to make internal practices, books,and records, including policies and procedures of its information security program, relating to the use and disclosure of confidential information,such as the PHI received by the Company,available to the Secretary,as requested by the Employer, or designated by the Secretary,for purposes of the Secretary determining the Employer's compliance with the Privacy Rule. 3 1 P a g e SECTION 5: OBLIGATIONS OF THE DISCLOSING PARTIES 5.1 Privacy Practices. The Employer will notify the Company of any changes to the limitation(s) in the Employer's notice of privacy practices in accordance with 45 C.F.R. § 164.520, as amended from time to time, to the extent that such a limitation may affect the Company's use or disclosure of PHI under this Agreement. The Employer will provide such notice no later than 15 days prior to the effective date of the limitation. The Employer confirms that the it's privacy notice discloses the use and disclosure of PHI for Health Care Operations and Payments as permitted by this Agreement. 5.2. Minimum Necessary. Disclosing Party shall limit PHI to the minimum necessary to accomplish the permitted uses and disclosures of the Company provided for in this Agreement when providing or disclosing PHI to the Company in accordance with 45 C.F.R. § 164.502(b) and 45 C.F.R. § 164.514(d), as each may be amended from time to time. 5.3. Payment and Health Care Operations Standards. Disclosing Party shall ensure that the use and disclosure of PHI by the Company complies with the standards of 45 C.F.R. § 164.506,as may be amended from time to time. 5.4 Electronic PHI. Disclosing Party shall not provide Electronic PHI to the Company in the form of "unsecured protected health information"as defined in 45 C.F.R. § 164.402, as may be amended from time to time. 6. TERM AND TERMINATION 6.1 Term. This Agreement will commence as of the Agreement Effective Date and will terminate in accordance with Section 2.3 or upon the termination of the Policy. 6.2 Termination for Cause. Upon either party's knowledge of a material breach by the other party of this Agreement, such party will provide written notice to the breaching party detailing the nature of the breach and providing an opportunity to cure the breach within 30 business days. Upon the expiration of such 30 day cure period, the non-breaching party may terminate this Agreement and, at its election, the Policy, if cure is not possible. 6.3 Effect of Termination. Upon termination of this Agreement or the Policy, the Company will: (a) extend the protections of this Agreement to all PHI retained by Company; (b) limit further uses and disclosures of such PHI to those purposes provided for in this Agreement for so long as the Company maintains such PHI; and (c) where possible, only disclose such PHI to a third party if the information has been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b),as may be amended from time to time. The parties acknowledge and agree that it is not feasible for the Company to return or destroy all PHI received by the Company under this Agreement; provided, however, that the Company's retention of PHI upon the termination of the Agreement or the Policy shall be solely for the purposes of complying with state record retention and insurance regulatory requirements applicable to the Policy and the Company as a licensed insurance company and for the Company's reinsurance obligations under reinsurance policies or treaties covering the Policy. SECTION 7: SURVIVAL The respective rights and obligations of the parties under Section 6.3 of this Agreement will survive the termination of this Agreement and the Policy. 41 SECTION 8: GENERAL 8.1 Relationship of the Parties under HIPAA. Disclosing Party agrees and acknowledges that the Company does not perform any function or service on behalf of any Group Health Plan and this Agreement should not be construed and does not establish any contractual relationship for services. The Company is not an agent or sub-contractor of any Disclosing Party or any Group Health Plan. Each Disclosing Party acknowledges and agrees that the Company does not provide Health Care to or for any Individual either directly or indirectly on behalf of any Group Health Plan. The Company does not conduct Transactions with any Group Health Plan or any Disclosing Party on behalf of any Group Health Plan and any Electronic PHI provided to the Company for the purposes of this Agreement shall not be subject to the administrative requirements of 45 C.F.R. § 162, as may be amended from time to time. Disclosing Party does not intend for the Company to maintain any PHI in a Designated Record Set. 8.2. Governing Law.This Agreement is governed by, and will be construed in accordance with,the laws of the State of California. 8.3 Successors and Assigns. This Agreement and each party's obligations hereunder will be binding on the representatives, assigns, and successors of such party and will inure to the benefit of the assigns and successors of such party. No party may assign this Agreement without the prior written consent of Company, which will not be unreasonably withheld. 8.4 Severability. If any part of a provision of this Agreement is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this Agreement will not be affected. 8.5 Notices. All notices relating to the parties' legal rights and remedies under this Agreement will be provided in writing to a party, will be sent to its address set forth in the Policy, or to such other address as may be designated by that party by notice to the sending party, and will reference this Agreement. 8.6 Amendment and Waiver. This Agreement may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of the parties. Nothing in this Agreement will confer any right, remedy, or obligation upon anyone other than the Disclosing Parties and the Company. 8.7 Entire Agreement. This Agreement is the complete and exclusive agreement between the parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter. 8.8 Headings and Captions. The headings and captions of the various subdivisions of this Agreement are for convenience of reference only and will in no way modify, or affect the meaning or construction of any of the terms or provisions hereof. 8.9 Counterparts. This Agreement may be signed in counterparts, which together will constitute one agreement. 5 1 P a g e IN WITNESS WHEREOF, the parties have caused this Agreement to be signed by their duly authorized representatives or officers, effective as of the Agreement Effective Date. ReliaStar Life Insurance Company and its County of Fresno affiliate ReliaStar Life Insurance Company of New York Address: Address: 20 Washington Avenue South 2220 Tulare Street, 14t" Floor Minneapolis, Minnesota 55401 Fresno, CA 93721 Signed: Signed: NAME Nathan Magsig Title Chairman of the Board of Supervisors of the County of Fresno Date: Date: 6 1 P a g e EXHIBIT H. DATA SECURITY ADDENDUM This Data Security Addendum("Addendum")is an addendum to the Agreement between Voya and Client (together "Parties") and sets forth the obligations of the Parties regarding the Data Security pursuant to such Agreement. 1. Definitions. "Agreement" means one or more contracts between Voya, or its affiliates, and Client, including any exhibits or attachments thereto,that are applicable to the Services. "Affected Persons" means Client's and its Affiliate's former and current employees whose Personal Information ("PI") may have been disclosed or compromised as a result of an Information Security Incident. "Affiliates"means any entities that, now or in the future, control, are controlled by, or are under common control with Client.An entity will be deemed to control another entity if it has the power to direct or cause the direction of the management or policies of such entity, whether through ownership, voting securities, contract,or otherwise. "Confidential Information" means (a) non-public information concerning the Disclosing Party, its affiliates,and their respective businesses,products,processes,and services, including technical,marketing, agent, customer, financial,personnel, and planning information; (b) PI; (c)trade secrets; and(d) any other information that is marked confidential or which,under the circumstances surrounding disclosure,the Non- Disclosing Party should know is treated as confidential by the Disclosing Party. Except with respect to PI, which will be treated as Confidential Information under all circumstances, Confidential Information will not include(A)information lawfully obtained or developed by the Non-Disclosing Party independently of the Disclosing Party's Confidential Information and without breach of any obligation of confidentiality; or (B) information that enters the public domain without breach of any obligation of confidentiality. All Confidential Information will remain the property of the Disclosing Party. "Information Security Incident" means any breach of security or cyber security incident impacting Voya that has a reasonable likelihood of(a) resulting in the loss or unauthorized access, use or disclosure of Client PI; or (b) materially affecting Voya's ability to provide the Services to Client as defined in the underlying Agreement. "Law" means all U.S. and non-U.S. laws, ordinances, rules, regulations, declarations, decrees, directives, legislative enactments and governmental authority orders and subpoenas. "Personal Information (Pl)" means any information or data processed by Voya in performing the Services that is considered"Personally Identifiable Information,""Personal Information,""Personal Data," or like terms under applicable Law, including, but not limited to, information regarding or reasonably capable of being associated with an identified or identifiable individual, device, or household, or information(including sensitive information)that can directly or indirectly identify a natural person or data subject. For the avoidance of doubt,Personal Information shall not include anonymous, aggregated, or de- identified data to the extent such data is exempt or excluded from regulation under applicable Law. "Services"means the services that Voya provides to Client pursuant to an Agreement. "Voya Personnel"means Voya's employees and subcontractors engaged in the performance of Services. PLAN I INVEST I PROTECT VOVA ff FINANCIAL 2. Data Security. 2.1. Security Standards and Controls. (a) Voya will establish and maintain: (i) administrative, technical, and physical safeguards against the destruction, loss, or alteration of confidential Information;and (ii) Appropriate security measures to protect Confidential Information, which measures meet or exceed the requirements of all applicable Laws relating to PI security. (b) In addition,Voya will implement and maintain the following information security controls: (i) Privileged access rights will be restricted and controlled; (ii) An inventory of assets relevant to the lifecycle of information will be maintained; (iii) Network security controls will include, at a minimum, firewall, intrusion detection,and intrusion prevention Services; (iv) Detection, prevention and recovery controls to protect against malware will be implemented; (v) Information about technical vulnerabilities of Voya's information systems will be obtained and evaluated in a timely fashion and appropriate measures taken to address the risk; (vi) Detailed event logs recording user activities, exceptions, faults, access attempts, operating system logs, and information security events will be produced, retained and regularly reviewed as needed;and (vii) Development, testing and operational environments will be separated to reduce the risks of unauthorized access or changes to the operational environment. 2.2. Information Security Policies. Voya will implement and maintain written policies, standards or procedures that address the following areas: (a) Information security; (b) Data governance and classification; (c) Access controls and identity management; (d) Asset management; (e) Business continuity and disaster recovery planning andresources; (f) Capacity and performance planning; (g) Systems operations and availability concerns; (h) Systems and network security; (i) Systems and application development,quality assurance and change management; 0) Physical security and environmental controls; (k) Customer data privacy; (1) Patch management; (m) Maintenance,monitoring and analysis of security audit logs; (n) Vendor and third-party service provider management;and (o) Incident response,including clearly defined roles and decision-making authority and a logging and monitoring framework to allow the isolation of an incident;and (p) Data Loss Prevention 2.3. Subcontractors. Voya will implement and maintain policies and procedures to ensure the security of Confidential Information and related systems that are accessible to, or held by, third party service providers. Voya will not allow any third parties to access Voya's systems or store or process sensitive data, unless such third parties have entered into written contracts with Voya that require,at a minimum,the following: (a) The use of encryption to protect sensitive PI in transit, and the use of encryption or other mitigating controls to protect sensitive PI at rest; (b) Prompt notice to be provided in the event of an Information Security Incident; PLAN I INVEST I PROTECT VOVA ff FINANCIAL (c) The ability of Voya or its agents to perform information security assessments;and (d) Representations and warranties concerning adequate information security. 2.4. Encryption Standards,Multifactor Authentication and Protection of Confidential Information. (a) Voya will implement and maintain cryptographic controls for the protection of Confidential Information,including the following: (i) Use of an encryption standard equal to or better than the industry standards included in applicable National Institute for Standards and Technology Special Publications (or such higher encryption standard required by applicable Law) to protect Confidential Information at rest and in transit over un-trusted networks; (ii) Use of cryptographic techniques to provide evidence of the occurrence or nonoccurrence of an event or action; (iii) Use of cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users,entities and resources;and (iv) Development and implementation of policies on the use,protection and lifetime of cryptographic keys through their entire lifecycle. (b) In addition to the controls described in clause(a)above,Voyawill: (i) Implement multi-factor authentication for all remote access to Voya'snetworks; (ii) Ensure that no Client PI is (A) placed on unencrypted removable media, mobile devices, computing equipment or laptops or (B) stored outside the United States; and (iii) Ensure that media containing Confidential Information is protected against unauthorized access,misuse or corruption during transport. 2.5. Information Security Roles and Responsibilities. Voya will employ personnel adequate to manage Voya's information security risks and perform the core cyber security functions of identify, protect,detect,respond and recover.Voya will designate a qualified employee to serve as its Chief Information Security Officer ("CISO") responsible for overseeing and implementing its information security program and enforcing its information security policies. Voya will define roles and responsibilities with respect to information security, including by identifying responsibilities for the protection of individual assets,for carrying out specific information security processes, and for information security risk management activities, including acceptance of residual risks. These responsibilities should be supplemented, where appropriate, with more detailed guidance for specific sites and information processing facilities. 2.6. Segregation of Duties. Voya must segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of Voya's assets and ensure that no single person can access, modify or use assets without authorization or detection. Controls should be designed to separate the initiation of an event from its authorization. If segregation is not reasonably possible, other controls such as monitoring of activities, audit trails and management supervision should be utilized. Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. 2.7. Information Security Awareness, Education and Training. Voya will provide regular information security education and training to all Voya Personnel,as relevant for their job function.In addition, Voya will provide mandatory training to information security personnel and require key information security personnel to stay abreast of changing cyber security threats and countermeasures. 2.8. Vulnerability Assessments. Voya will conduct monthly vulnerability assessments that meet the following criteria: (a) All production servers and network devices must be scanned at least monthly; (b) All vulnerabilities must be rated; PLAN I INVEST I PROTECT VOVA ff FINANCIAL (c) All vulnerability remediation must be prioritized based on risk; (d) All tools used for scanning must have signatures updated at least monthly with the latest vulnerability data;and, (e) Voya will implement and maintain a formal process for tracking and resolving issues in a timely fashion. 2.9. Penetration Tel t . If any Services to be provided by Voya include the hosting or support of one or more externally facing applications that can be used to access systems that store or process Client data,the terms of this Section will apply. (a) At least once every 12 months during the Term and prior to any major changes being moved into production, Voya will conduct a Valid Penetration Test (as defined below)on each internet facing application described above.As used herein,a"Valid Penetration Test" means a series of tests performed by a team of certified professionals, which tests mimic real-world attack scenarios on the information system under test and include,without limitation,thefollowing: (i) Information-gathering steps and scanning forvulnerabilities; (ii) Manual testing of the system for logical flaws, configuration flaws, or programming flaws that impact the system's ability to ensure the confidentiality, integrity,or availability of Client's information assets; (iii) System-compromise steps; (iv) Escalation-of-privilege steps;and (v) Assignment of a rating for each issue based on the level of potential risk exposure to Client's brand or information assets. (b) Upon Client's request, Voya will provide to Client an executive summary of any material issues or vulnerabilities identified by the most recent Valid Penetration Test along with the scope of systems tested. The report may be redacted to ensure confidentiality. 2.10. Physical and Environmental Security. Voya will ensure that all sites are physically secure, including the following: (a) Sound perimeters with no gaps where a break-in could easily occur; (b) Exterior roof,walls and flooring of solid construction and all external doors suitable protected against unauthorized access with control mechanisms such as locks, bars, alarms,etc.; (c) All doors and windows to operational areas locked whenunattended; (d) Equipment protected from power failures and other disruptions caused by failures in supporting utilities; (e) Closed-circuit television cameras at site entry/exit points; badge readings at all site entry points,or other means to prevent unauthorized access;and (f) Visitor sign-in/mandatory escort at site;and (g) With respect to remote work environments, if the foregoing controls are not present, then Voya will use commercially reasonable efforts to mitigate any increased risk associated with such remote work environments,by,for example,limiting the types of access and functional roles eligible for a remote work environment, restricting access to a virtual private network (VPN) or virtual desktop infrastructure (VDI), providing formal guidance and standards for workspace security, and enhancing data protection controls such as data masking, logging and monitoring. PLAN I INVEST I PROTECT VOVA ff FINANCIAL 2.11. Information Security Incident Notification. (a) In the event of any Information Security Incident,Voya will,at its sole expense promptly (and in any event within 72 hours after Voya confirms an Information Security Incident) report such Information Security Incident to Client by sending an email to Client Contact Information, summarizing in reasonable detail the effect on Client,if known,and designating a single point of contact at Voya who will be: (i) Available to Client for information and assistance related to the Information Security Incident; investigate such Information Security Incident, perform a root cause analysis, develop a corrective action plan and take all necessary corrective actions; (ii) Mitigate, as expeditiously as possible, any harmful effect of such Information Security Incident and cooperate with Client in any reasonable and lawful efforts to prevent, mitigate, rectify and remediate the effects of the Information Security Incident; (iii) Provide a written report to Client containing all information necessary for Client to determine compliance with all applicable Laws, including the extent to which notification to Affected Persons or to government or regulatory authorities is required;and (iv) Cooperate with Client in providing any filings, communications, notices, press releases or reports related to such Information Security Incident. (b) In addition to the other indemnification obligations of Voya set forth in this Agreement,Voya will indemnify, defend and hold harmless Client from and against any and all claims, suits, causes of action, liability, loss, costs and damages, including reasonable attorneys' fees, arising out of or relating to any Information Security Incident,which may include,without limitation: (i) Expenses incurred to provide notice to Affected Persons and to law-enforcement agencies,regulatory bodies or other third parties as required to comply with Law; (ii) Expenses related to any reasonably anticipated and commercially recognized consumer data breach mitigation efforts, including, but not limited to, costs associated with the offering of credit monitoring or a similar identify theft protection or mitigation product for a period of at least twelve (12) months or such longer time as is required by applicable Laws or any other similar protective measures designed to mitigate any damages to the Affected Persons; and (iii) Fines or penalties that Client pays to any governmental or regulatory authority under legal or regulatory order as a result of the Information Security Incident. 2.12. Risk Assessments. Upon Client's request no more than once per year, Voya will complete an industry standard information security questionnaire and provide relevant Service Organization Control("SOC")audit reports,when available. 2.13. Data Loss Prevention. Voya will use commercially available data loss prevention technology designed to detect and prevent unauthorized transmission of electronic data obtained or created in connection with the Services through various methods, including but not limited to email, network traffic, USB devices, CDs/DVDs, and print. Voya will implement features of such technology that are designed to both detect and prevent unauthorized transmission using rules within the technology that are reasonably related to the specific type of data handled by Voya. Voya will: (a) Investigate any evidence of a potential or actual unauthorized transmission detected by such technology; (b) Identify,prevent,and mitigate the effects of any such potential or unauthorized transmission; (c) Carry out any action necessary to remedy the cause of the potential or unauthorized PLAN I INVEST I PROTECT VOVA FINANCIAL transmission and prevent a recurrence;and (d) Notify Client of the progress and results of the foregoing. Voya's obligations under this section shall be in addition to any other obligations Voya may have under the Agreement with respect to an Information Security Incident. 3. Confidential Information. 3.1. Confidential Information.Either Party("Disclosing Party")may disclose Confidential Information to the other Party("Non-Disclosing Party")in connection with this Agreement. 3.2. Use and Disclosure of Confidential Information. The Non-Disclosing Party agrees that it will disclose the Disclosing Party's Confidential Information only to its employees, agents, consultants, and contractors who have a need to know and are bound by obligations of confidentiality no less restrictive than those contained in this Agreement. In addition,Voya agrees that it will use the Disclosing Party's Confidential Information only for the purposes of performing its obligations under this Agreement. The Non-Disclosing Party will use all reasonable care in handling and securing the Disclosing Party's Confidential Information and will employ all security measures used for its own proprietary information of similar nature. These confidentiality obligations will not restrict any disclosure of Confidential Information required by Law or by order of a court, regulatory authority or governmental agency; provided, that the Non-Disclosing Party will limit any such disclosure to the information actually required to be disclosed. Notwithstanding anything to the contrary, Client may fully comply with requests for information from regulators of Client and the ClientAffiliates. 3.3. Treatment of Confidential Information Following Termination. Promptly following the termination or expiration of this Agreement, or earlier if requested by the Disclosing Party, the Non-Disclosing Party will return to the Disclosing Party any and all physical and electronic materials in the Non-Disclosing Party's possession or control containing the Disclosing Party's Confidential Information. The materials must be delivered via a secure method and upon such media as may be reasonably required by the Disclosing Party. Alternatively, with the Disclosing Party's prior written consent, the Non-Disclosing Party may permanently destroy or delete the Disclosing Party's Confidential Information and, if requested, will promptly certify the destruction or deletion in writing to the Disclosing Party. Notwithstanding the foregoing, if the Non-Disclosing Party, due to requirements of applicable Law, must retain any of the Disclosing Party's Confidential Information, or is unable to permanently destroy or delete the Disclosing Party's Confidential Information as permitted above within 60 days after termination of this Agreement, the Non-Disclosing Party will so notify the Disclosing Party in writing, and the Parties will confirm any extended period needed for permanent destruction or deletion of the Disclosing Party's Confidential Information. All Confidential Information in the Non-Disclosing Party's possession or control will continue to be subject to the confidentiality provisions of this Agreement. The methods used to destroy and delete the Confidential Information must ensure that no Confidential Information remains readable and cannot be reconstructed so to be readable. Destruction and deletion must also comply with the following specific requirements: MEDIUM DESTRUCTION METHOD Hard copy Shredding, pulverizing, burning, or other permanent destruction method Electronic tangible media, such as disks Destruction or erasure of the media and tapes PLAN I INVEST I PROTECT VOVA ff FINANCIAL Hard drive or similar storage device Storage frame metadata removal to hide the organizational structure that combines disks into usable volumes and physical destruction of the media with a Certificate of Destruction COD 3.4. Period of Confidentiality. The restrictions on use, disclosure, and reproduction of Confidential Information set forth in this Section will, with respect to PI and Confidential Information that constitutes a"trade secret" (as that term is defined under applicable Law),be perpetual, and will, with respect to other Confidential Information, remain in full force and effect during the term of this Agreement and for three years following the termination or expiration of this Agreement. 3.5. Injunctive Relief. The Parties agree that the breach, or threatened breach, of any of the confidentiality provisions of this Agreement may cause irreparable harm without adequate remedy at law. Upon any such breach or threatened breach, the Disclosing Party will be entitled to injunctive relief to prevent the Non-Disclosing Party from commencing or continuing any action constituting such breach, without having to post a bond or other security and without having to prove the inadequacy of other available remedies. Nothing in this Section will limit any other remedy available to either Party. 4. Cyber Liability Insurance. During the Term, Voya will, at its own cost and expense, obtain and maintain in full force and effect, with financially sound and reputable insurers, cyber liability insurance to cover Voya's obligations under this Addendum. Upon execution of the Agreement, Voya will provide Client with a certificate of insurance evidencing the following coverage and amount with such insurer: Risk Covered: Network Security(a.k.a.Cyber/IT) Limits: $50,000,000 5. Disaster Recovery and Business Continuity Plan. Voya maintains, and will continue to maintain throughout the Term, (a) a written disaster recovery plan ("Disaster Recovery Plan"), which Disaster Recovery Plan is designed to maintain Client's access to Services and prevent the unintended loss or destruction of Client data; and (b) a written business continuity plan ("BCP") that permits Voya to recover from a disaster and continue providing Services to customers, including Client, within the recovery time objectives set forth in the BCP. Upon Client's reasonable request,Voya will provide Client with evidence of disaster recovery test date and result outcome. PLAN I INVEST I PROTECT VOVA FINANCIAL