Common use of Rights in Contract and Proprietary Information; Confidentiality Clause in Contracts

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies. 
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 5 contracts

Samples: Early Design Support Agreement, Agreement, Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor you, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 3 contracts

Samples: Contract Agreement, Research and Development, Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded New York State Information Security Controls Standard2. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies xxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 1 xxxxx://xxx.xx.xxx/document/information-classification-standard 2 Type 2 Assessment Report and provide to NYSERDA upon request. xxxxx://xxx.xx.xxx/document/information-security-controls-standard Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 3 contracts

Samples: Sample Agreement, Contract Agreement, Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 3 contracts

Samples: Agreement, Nyserda Agreement, Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded New York State Information Security Controls Standard2. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request xxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded.
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 3 contracts

Samples: Planning Grant Agreement, Planning Grant Agreement, Contractor Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies. 
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 3 contracts

Samples: Contract Agreement, Contract Agreement, Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policiesand the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. 
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of 1 xxxxx://xxx.xx.xxx/document/information-classification-standard 2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard 3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf security objectivesevents h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 2 contracts

Samples: Nyserda Agreement, Nyserda Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and supersededNew York State Information Security Controls Standard2. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. 
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policiesxxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) 1 xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. xxxxx://xxx.xx.xxx/document/information-security-controls-standard Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with- NYSERDA, as amended and superseded. 
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 2 contracts

Samples: Contract Agreement, Sample Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s The use, public performance, reproduction, distribution, or modification of any materials used by Contractor in the performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, this Agreement does not and will not be used by Contractorviolate the rights of any third parties, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application developmentcopyrights, web developmenttrademarks, hostingservice marks, publicity, or managing NYSERDA’s sensitive data are required to comply with the NYS requirementsprivacy. 
These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. The Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYSbe responsible for obtaining and paying for any necessary licenses to use any third-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreementparty content. 
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 2 contracts

Samples: Contract Agreement, Nyserda Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020027) available at xxxxx://xxx.xx.xxx/policiesand the New York State Information Security Controls Standard8 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. 
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020029) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; Patch Management, i.e., formal patch cycles and maintenance process; Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; Encryption of Information in transit and Information in storage on desktops, backups, and removable media; Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; Security Event Logging/Monitoring that provides real time alerting of security objectivesevents IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 2 contracts

Samples: Workforce Training and Skills Development Agreement, Energy Efficiency and Clean Technology Training Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor you, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 2 contracts

Samples: Contract Agreement, Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Grant Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020025) available at xxxxx://xxx.xx.xxx/policies. 
In addition and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded New York State Information Security Controls Standard6. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request xxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded.
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor you, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA.
Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

1 xxxxx://xxx.xx.xxx/document/information-classification-standard
2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard
3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor you, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

1 xxxxx://xxx.xx.xxx/document/information-classification-standard
2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard
3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policiesand the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractoryou, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. 
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and accepted behaviors removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectivesevents h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies. 
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Statement of Work

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020025) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and supersededNew York State Information Security Controls Standard6. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. 
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: 5 xxxxx://xxx.xx.xxx/document/information-classification-standard 6 xxxxx://xxx.xx.xxx/document/information-security-controls-standard • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon requestxxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. 
Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with- NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policiesand the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractoryou, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. 
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; 1 xxxxx://xxx.xx.xxx/document/information-classification-standard 2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard 3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectivesevents h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies. 
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and supersededNew York State Information Security Controls Standard2. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. 
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) 1 xxxxx://xxx.xx.xxx/document/information-classification-standard 2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon requestxxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. 
Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with- NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020025) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and supersededNew York State Information Security Controls Standard6. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner 5 xxxxx://xxx.xx.xxx/document/information-classification-standard 6 xxxxx://xxx.xx.xxx/document/information-security-controls-standard whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. 
These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. In addition to this umbrella policy, the following standards establish specific minimum information security requirements: • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon requestxxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. 
Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with- NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public , confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policiesand the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. 
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. 
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.password policy;

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policiesand the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing- Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary 1 xxxxx://xxx.xx.xxx/document/information-classification-standard‌ 2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractoryou, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. 
Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectivesevents h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit 3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. 
This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractoryou, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA.
2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard
Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectivesevents h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020025) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded New York State Information Security Controls Standard6. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
5 xxxxx://xxx.xx.xxx/document/information-classification-standard
6 xxxxx://xxx.xx.xxx/document/information-security-controls-standard
These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. In addition to this umbrella policy, the following standards establish specific minimum information security requirements: • Vulnerability Scanning Standard (NYS-S15-002) • Security Logging Standard (NYS-S14-005) • Patch Management Standard (NYS-S15-001) • Encryption Standard (NYS-S14-007) A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request xxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed.
Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies. 
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractoryou, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA.
1 xxxxx://xxx.xx.xxx/document/information-classification-standard
2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard
Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectivesevents h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters.
This shall include, but not be limited to, access to the Salesforce CRM.
3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and supersededto prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: Access Control on Servers, which sets forth the minimum requirementsSystems, responsibilitiesApps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; Patch Management, i.e., formal patch cycles and maintenance process; Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; Encryption of Information in transit and Information in storage on desktops, backups, and removable media; Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; Security Event Logging/Monitoring that provides real time alerting of security objectivesevents IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); Web Application scanning that is performed on code and application in compliance with Open Web Application Security project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. 
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Nyserda Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor you, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and accepted behaviors removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security Project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
1 xxxxx://xxx.xx.xxx/document/information-classification-standard
2 xxxxx://xxx.xx.xxx/document/information-security-controls-standard
3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor you, Contractor’s your agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security Project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
3 xxxxx://xxx.xx.xxx/sites/default/files/documents/nys-p03-002_information_security_0.pdf
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded New York State Information Security Controls Standard2. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements: A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request xxxxx://xxx.xx.xxx/tables/technologypolicyindex. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded.
(g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with certain information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). 
The Contractor must follow and is either non-public, confidential or proprietary in nature as classified per the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies and the New York State Information Security Controls Standard2 (the “Information”), identified as such by the Project Manager in writing. In additional the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. Any non-public, confidential, or proprietary The Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office Contractor shall conform to requirements of the New York State Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy (NYS-P03-0020023) and any amendments thereto, as amended to maintain the security of and superseded to prevent unauthorized access to Information that is maintained in electronic form on your systems. Such measures shall include: a. Access Control on Servers, which sets forth the minimum requirements Systems, responsibilities Apps, Databases, i.e., role-based permissions, authentication, authorization, and accepted behaviors password policy; b. Network Security, i.e., isolation of Information, secure V-LANS, Firewalls; c. Patch Management, i.e., formal patch cycles and maintenance process; d. Malware Prevention, i.e., anti-virus, anti-spyware, vulnerability assessments, penetration testing, audits; e. Encryption of Information in transit and Information in storage on desktops, backups, and removable media; f. Change Control to establish ensure that new and maintain a secure environment modified system software are authorized, tested, and achieve the State's information implemented accurately; g. Security Event Logging/Monitoring that provides real time alerting of security objectives events h. IDS, WS, Website Monitoring of websites for compromise indicators which indicates website defacements, compromises or inappropriate content (Application/Host/Network IDS and IPS); i. Web Application scanning that is performed on code and application in compliance with Open Web Application Security Project (OWASP) and SANS (SysAdmin, Audit, Network, and Security) Institute standards. A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies.
Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows: • Maintain Cyber Security Insurance at the amount indicated in Section 11.02 • Provide a signed self-attestation on an annual basis for multiyear contracts • For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request. Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities: • xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx • (000) 000-0000 x0000 Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-0020021) available at xxxxx://xxx.xx.xxx/policies. 
In additional and the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded New York State Information Security Controls Standard2. Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, 002 which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements:
• Vulnerability Scanning Standard (NYS-S15-002)
• Security Logging Standard (NYS-S14-005)
• Patch Management Standard (NYS-S15-001)
• Encryption Standard (NYS-S14-007)
A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies.
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded, and the New York State Information Security Controls Standard (xxxxx://xxx.xx.xxx/document/information-security-controls-standard). Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements.
These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives. In addition to this umbrella policy, the following standards establish specific minimum information security requirements:
• Vulnerability Scanning Standard (NYS-S15-002)
• Security Logging Standard (NYS-S14-005)
• Patch Management Standard (NYS-S15-001)
• Encryption Standard (NYS-S14-007)
A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed.
Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement. Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Statement of Work

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies.
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded, and the New York State Information Security Controls Standard (xxxxx://xxx.xx.xxx/document/information-security-controls-standard). Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements:
• Vulnerability Scanning Standard (NYS-S15-002)
• Security Logging Standard (NYS-S14-005)
• Patch Management Standard (NYS-S15-001)
• Encryption Standard (NYS-S14-007)
A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement

Rights in Contract and Proprietary Information; Confidentiality. (a) NYSERDA shall have the right to use, duplicate, or disclose Contract Information, in whole or in part, in any manner and for any purpose whatsoever, and to permit others to do so. (b) The Contractor shall have the right to use Contract Information for its private purposes, subject to the provisions of this Agreement. (c) NYSERDA shall have no rights to any Proprietary Information. (d) No information shall be treated by NYSERDA as confidential unless such information is clearly so marked by Contractor at the time it is disclosed to NYSERDA; see Exhibit C regarding NYSERDA’s obligations under the Freedom of Information Law. Under no circumstances shall any information included in the Final Report delivered by Contractor pursuant to Exhibit A, Statement of Work, be considered confidential or Proprietary Information. (e) The Contractor agrees that to the extent it receives or is given any information from NYSERDA or a NYSERDA contractor or subcontractor, the Contractor shall treat such data in accordance with any restrictive legend contained thereon or instructions given by NYSERDA, unless another use is specifically authorized by prior written approval of the NYSERDA Project Manager. Contractor acknowledges that in the performance of the Work under this Agreement, Contractor may come into possession of personal information as that term is defined in Section 92 of the New York State Public Officers Law. Contractor agrees not to disclose any such information without the consent of NYSERDA. (f) In conjunction with Contractor’s performance of the Project, NYSERDA or other entities may furnish Contractor with information concerning the Work that is collected and stored by, or on behalf of, NYSERDA (the “Information”). The Contractor must follow the policies and procedures outlined in the New York State Information Classification Policy (NYS-S14-002) available at xxxxx://xxx.xx.xxx/policies.
In addition, the Contractor must follow the policies and procedures found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded, and the New York State Information Security Controls Standard (xxxxx://xxx.xx.xxx/document/information-security-controls-standard). Any non-public, confidential, or proprietary Information will be kept confidential and will not, without NYSERDA’s prior written consent, be disclosed by Contractor, Contractor’s agents, employees, contractors or professional advisors, in any manner whatsoever, in whole or in part, and will not be used by Contractor, Contractor’s agents, employees, contractors or professional advisors other than in connection with the Work. Contractor agrees to transmit the Information only to Contractor’s agents, employees, contractors and professional advisors who need to know the Information for that purpose and who are informed by Contractor of the confidential nature of the Information and who will agree in writing to be bound by the terms and conditions of this Agreement. The NYS Office of Information Technology Services (ITS) establishes and regularly updates policies, standards, and guidelines for technology and information security (collectively referred to as “ITS Security Policies”) for State Entities, including NYSERDA. Contractor shall conform to the requirements of ITS Security Policies when conducting work on behalf of NYSERDA including, but not limited to, application development, web development, hosting, or managing NYSERDA’s sensitive data are required to comply with the NYS requirements. These requirements include, but are not limited to, the NYS Information Security Policy NYS-P03-002, as amended and superseded, which sets forth the minimum requirements, responsibilities, and accepted behaviors to establish and maintain a secure environment and achieve the State's information security objectives.
In addition to this umbrella policy, the following standards establish specific minimum information security requirements:
• Vulnerability Scanning Standard (NYS-S15-002)
• Security Logging Standard (NYS-S14-005)
• Patch Management Standard (NYS-S15-001)
• Encryption Standard (NYS-S14-007)
A complete list of ITS Security Policies is available at: xxxxx://xxx.xx.xxx/policies. Contractor shall comply with the requirements below when managing NYSERDA’s data outside NYSERDA’s systems with a Moderate or High rating as per the Information Asset Identification Worksheet found in the New York State Information Classification Policy (NYS-S14-002) xxxxx://xxx.xx.xxx/document/information-classification-standard as follows:
• Maintain Cyber Security Insurance at the amount indicated in Section 11.02
• Provide a signed self-attestation on an annual basis for multiyear contracts
• For all systems with a High Rating, maintain up-to-date SOC 2 Type 2 Assessment Report and provide to NYSERDA upon request.
Contractor shall notify NYSERDA’s Information Security Officer immediately upon discovery or notification of any security breaches or vulnerabilities:
• xxxxxxxxxxx.xxxxxxxx@xxxxxxx.xx.xxx
• (000) 000-0000 x0000
Contractor will keep a record of the location of the Information. At the conclusion of the Project Period, Contractor will return to NYSERDA all the Information and/or provide proof to NYSERDA that the Information was destroyed. Contractor also agrees to submit to an audit of its data security/destruction practices by NYSERDA or its representative during the contract term and for up to two (2) years following the expiration of the Agreement.
Additional information on the above can be found on the Doing Business with NYSERDA webpage at xxxxx://xxx.xxxxxxx.xx.xxx/About/Doing-Business-with-NYSERDA, as amended and superseded. (g) If, in the course of performance of the Agreement, Contractor or Subcontractors (if any) encounter any information in NYSERDA’s Salesforce or other database platforms that a reasonable person would identify as unrelated to the Agreement or otherwise inadvertently produced to Contractor or Subcontractors, Contractor shall notify NYSERDA immediately and neither Contractor nor Subcontractor shall use such inadvertently produced information for its own use. Any Contractor access to NYSERDA information shall be used solely for NYSERDA-related matters. This shall include, but not be limited to, access to the Salesforce CRM.

Appears in 1 contract

Samples: Contract Agreement
