MASTER SERVICES AGREEMENT BETWEEN VIRGIN MOBILE USA, L.P. AND INTERNATIONAL BUSINESS MACHINES CORPORATION EFFECTIVE: May 15, 2008
Exhibit 10.3
BETWEEN
VIRGIN MOBILE USA, L.P.
AND
INTERNATIONAL BUSINESS MACHINES CORPORATION
EFFECTIVE: May 15, 2008
This document contains confidential and proprietary information of Virgin Mobile USA, L.P. and/or International Business Machines Corporation.
TABLE OF CONTENTS
| SCHEDULE LIST |
iii | |||
| 1 | ||||
| RECITALS |
1 | |||
| AGREEMENT |
1 | |||
| 1. |
Definitions |
1 | ||
| 2. |
Term |
17 | ||
| 3. |
Services |
18 | ||
| 4. |
Unapproved Work |
25 | ||
| 5. |
Service Levels |
27 | ||
| 6. |
Strategic Relationship Management |
28 | ||
| 7. |
Service Locations |
30 | ||
| 8. |
Data Backup and Disaster Plan |
35 | ||
| 9. |
Communications Systems and Access to Information |
37 | ||
| 10. |
Non-Exclusive Relationship |
37 | ||
| 11. |
Human Resources |
38 | ||
| 12. |
Statements of Work |
38 | ||
| 13. |
VMU Authorized User Satisfaction |
38 | ||
| 14. |
VMU Responsibilities |
39 | ||
| 15. |
Services Team |
40 | ||
| 16. |
Management And Control |
43 | ||
| 17. |
Data and Reports |
45 | ||
| 18. |
Consents |
47 | ||
| 19. |
Software, Documentation and Intellectual Property |
48 | ||
| 20. |
Authority to License, Quiet Enjoyment, Proprietary Rights and Indemnity |
52 | ||
| 21. |
Documentation |
57 | ||
| 22. |
Installation and Acceptance Tests |
57 | ||
| 23. |
Pricing |
59 | ||
| 24. |
Invoices and Payments |
62 | ||
| 25. |
Limitations of Liability and Damages |
63 | ||
i
| 26. |
Representations, Warranties, and Covenants |
65 | ||
| 27. |
Internal Dispute Resolution |
69 | ||
| 28. |
Termination |
70 | ||
| 29. |
Termination Assistance Services |
73 | ||
| 30. |
Insurance and Indemnity |
77 | ||
| 31. |
Confidentiality |
81 | ||
| 32. |
Audit, Inspection, and Examination of Records |
84 | ||
| 33. |
Assignment and Merger |
86 | ||
| 34. |
Extraordinary Events |
87 | ||
| 35. |
Amendment of Agreement |
88 | ||
| 36. |
Waiver |
88 | ||
| 37. |
Independent Contractor |
88 | ||
| 38. |
Subcontractors |
89 | ||
| 39. |
Interpretation of Agreement |
90 | ||
| 40. |
Notices |
91 | ||
| 41. |
Entire Agreement |
92 | ||
| 42. |
Severability |
92 | ||
| 43. |
Electronic Transfer of Intellectual Property |
92 | ||
| 44. |
Force Majeure |
92 | ||
| 45. |
Liens |
93 | ||
| 46. |
No Publicity |
93 | ||
ii
SCHEDULE LIST
| Schedules | ||
| Schedule |
Title | |
| A | Services / Statement of Work | |
| B | Service Levels | |
| C | Charges | |
| D | Transition | |
| E | Strategic Management Suppliers | |
| F | Software | |
| G | Equipment | |
| H | Standards | |
| I | Facilities | |
| J | CAPEX Projects | |
| K | Key Employees | |
| L | Employees | |
| M | VMU Xxxxxxxx-Xxxxx Requirements | |
| N | VMU Payment Card Industry Requirements | |
| O | Subcontractors | |
iii
This Master Services Agreement, effective as of May 15, 2008 (“Reference Date”), is entered into between Virgin Mobile USA, L.P. (“VMU”), a Delaware limited partnership, and International Business Machines Corporation, a New York corporation.
RECITALS
| A. | VMU desires to contract with IBM, and IBM desires to contract with VMU, to provide the Services (as defined below) in accordance with the Service Levels (as defined below), the Business Objectives (as defined below), and the other requirements of this Agreement. |
| B. | VMU’s strategic and business objectives, to be accomplished through this Agreement, include: (1) obtaining a reduction in VMU’s overall operating expense; (2) supporting the VMU IT infrastructures during migration; (3) receiving reliable & flexible Services from IBM; (4) reducing complexity as compared to VMU’s current IT infrastructure; (5) improving overall management of VMU’s IT infrastructure; (6) achieving flexibility to quickly expand and contract the Services and the VMU IT infrastructure to meet VMU’s business requirements, address changes in the global marketplace and/or facilitate moving toward a strategic architecture; (7) defining and implementing key statistics, metrics, and monitoring for the VMU IT infrastructure to facilitate proactive IT management rather than reactive IT management; (8) VMU retention of overall strategic responsibility for the IT infrastructure; (9) increasing the level of customer service and satisfaction; and (10) proactive management of the Services to improve overall business value, performance, availability, and reliability ((1) – (10) are collectively referred to herein as the “Business Objectives”). |
| C. | Both Parties acknowledge that a principal objective of VMU in entering into this Agreement is to insure that the Services enable VMU to achieve the Business Objectives stated above. |
| D. | The Parties also intend for this Agreement to provide a contractual infrastructure to facilitate the acquisition of new sourcing service lines by VMU from IBM as its business needs may warrant; it being understood that VMU’s decisions to introduce such services are in its sole discretion. |
AGREEMENT
In consideration of the foregoing Recitals (which are incorporated herein) and the mutual covenants and agreements contained herein, the Parties hereto agree as follows:
| 1. | Definitions |
The following terms, when used in this Agreement, shall have the following meanings:
1.1 “Acceptance Test” and “Acceptance Tests”
“Acceptance Test” and “Acceptance Tests” shall have the meaning specified in Section 22.3.
1.2 “Additional Resource Charge” or “ARC”
“Additional Resource Charge” or “ARC” shall have the meaning specified in Schedule C.
1.3 “Affected Employees”
“Affected Employees” shall have the meaning specified in Schedule L.
1.4 “Affiliate”
“Affiliate” as to IBM or VMU, shall mean any corporation, partnership, limited liability company, or other domestic or foreign entity (a) of which a Controlling interest is owned directly or indirectly by a Party, or (b) Controlled by, or under common Control with, a Party.
1.5 “Agreement”
“Agreement” shall mean this Master Services Agreement, together with the Exhibits, Schedules, future VMU-approved Statements of Work and all other documents incorporated herein by reference.
1.6 “Annual Services Charge”
“Annual Services Charge” shall have the meaning specified in Schedule C.
1.7 “Applications”
“Applications” shall mean those items of Software owned, licensed, leased, or otherwise obtained by VMU as are identified in Schedule F as amended from time to time by VMU in its sole discretion.
1.8 “Approved Reassignments”
“Approved Reassignments” shall have the meaning specified in Section 15.2.
1.9 “Authorized Users” or “VMU Authorized Users”
“Authorized Users” or “VMU Authorized Users” shall mean any individual or entity authorized by VMU to use or receive the Services under this Agreement, whether on-site or accessing remotely.
2
1.10 “Best Practices”
“Best Practices” shall mean (whether or not capitalized) established procedures or processes developed or used by IBM, utilizing its accumulated knowledge as a world class technology service provider, to deliver Services in a high quality, effective and efficient manner.
1.11 “Business Day(s)”
“Business Day(s)” shall mean Monday through Friday, excluding U.S. National holidays.
1.12 “Business Objectives”
“Business Objectives” shall have the meaning specified in the Recitals.
1.13 “Change Control Procedures”
“Change Control Procedures” shall have the meaning specified in Section 3.2.
1.14 “Consents”
“Consents” shall have the meaning specified in Section 18.1.
1.15 “Contract Year”
“Contract Year” shall mean a period of time beginning on the Reference Date or an anniversary of the Reference Date and ending twelve months later, provided that last Contract Year will end on the last day of the Term.
1.16 “Control”
“Control” and its derivatives shall mean possessing, directly or indirectly, the power to direct or cause the direction of the management, policies and operations of an entity, whether through ownership of the voting securities of that entity, by contract or otherwise.
1.17 “Covered IBM Rights”
“Covered IBM Rights” shall have the meaning specified in Section 20.3A.
1.18 “Covered VMU Rights”
“Covered VMU Rights” shall have the meaning specified in Section 20.4A.
1.19 “Days”
“Days” shall mean (whether or not capitalized) calendar days.
3
1.20 “Deficiencies”
“Deficiencies” or “Deficiency” shall mean and include: (1) defect(s) in design, materials, services, or workmanship; (2) Incidents (as defined in Schedule A) and Problems (as defined in Schedule A); and (3) error(s), omission(s), or deviation(s) from any of the Specifications which result in the Services not performing, or the Services not being performed, in accordance with the provisions of this Agreement.
1.21 “Deliverable”
“Deliverable” shall mean (whether or not capitalized) any output in written or electronic form including as the result of a service to be provided by IBM to VMU pursuant to a requirement of this Agreement or identified as a deliverable in a Statement of Work or Schedule.
1.22 “Developed Software”
“Developed Software” shall have the meaning specified in Section 19.4A.
1.23 “Disabling Device(s)”
“Disabling Device(s)” shall have the meaning specified in Section 26.9.
1.24 “Disclosing Party”
“Disclosing Party” shall have the meaning specified in Section 31.2B.
1.25 “Documentation”
“Documentation” shall mean all written or electronic policies and procedures relating to Services, training course materials (including computer-based training programs or modules), technical manuals, logical and physical designs, application overviews, functional diagrams, data models, production job run documents, specifications, reports, or other written materials (whether in hard or soft copy).
1.26 “Equipment”
“Equipment” shall mean the IBM Equipment and VMU Equipment.
1.27 “Extended Term”
“Extended Term” shall have the meaning specified in Section 2.2.
1.28 “Extraordinary Event”
“Extraordinary Event” shall have the meaning specified in Section 34.1.
4
1.29 “Finally Determined”
“Finally Determined” shall mean when a claim or dispute has been finally determined (with no right of appeal or with the appeal period expired without filing by the losing party) by a court of competent jurisdiction, arbitration, or other agreed-upon governing party.
1.30 “Full-Time”
“Full-Time” shall mean at least a forty (40) hour work week providing services solely and exclusively for VMU.
1.31 “Generally Available”
“Generally Available” shall mean available as a non-development product and licensed, distributed or available for purchase, in the general commercial marketplace (e.g., Microsoft Word, SAP, OS/390, DB2).
1.32 “HVAC”
“HVAC” shall have the meaning specified in Section 7.7.
1.33 “IBM”
“IBM” shall mean International Business Machines Corporation, a New York corporation.
1.34 “IBM Data Center”
“IBM Data Center” shall mean the IBM Service Location operations monitoring and data centers specified in Schedule A or as otherwise agreed in writing by the Parties.
1.35 “IBM Equipment”
“IBM Equipment” shall mean the hardware, machines, circuits, computer, networking and other equipment owned or leased by IBM and used by IBM to perform the Services.
1.36 “IBM Infringement Claims”
“IBM Infringement Claims” shall have the meaning specified in Section 20.3A.
1.37 “IBM Infringement Exclusions”
“IBM Infringement Exclusions” shall have the meaning specified in Section 20.3D.
5
1.38 “IBM Intellectual Property”
“IBM Intellectual Property” shall mean IBM Proprietary Intellectual Property and IBM Third Party Intellectual Property.
1.39 “IBM Key Employees”
“IBM Key Employees” shall have the meaning specified in Section 15.2.
1.40 “IBM Modified Items”
“IBM Modified Items” shall have the meaning specified in Section 19.4C.
1.41 “IBM’s Project Executive”
“IBM’s Project Executive” shall have the meaning specified in Section 15.1.
1.42 “IBM Personnel”
“IBM Personnel” shall mean IBM’s Subcontractors, and the employees, agents, contractors, subcontractors or representatives of IBM and its Subcontractors who perform any Services under this Agreement.
1.43 “IBM Proprietary Intellectual Property”
“IBM Proprietary Intellectual Property” shall mean all Intellectual Property: (1) developed and owned by IBM, or (2) developed by a third party for, and owned by IBM, which is used in the performance of the Services.
1.44 “IBM Proprietary Software”
“IBM Proprietary Software” shall mean Software and related Documentation: (1) developed and owned by IBM, or (2) developed by a third party for, and owned by IBM, which is used for the performance of the Services.
1.45 “IBM Regulatory Requirements”
“IBM Regulatory Requirements” shall have the meaning specified in Section 26.11.
1.46 “IBM Service Locations”
“IBM Service Locations” shall mean the premises occupied (other than VMU Sites), owned, operated, or leased by IBM to provide the Services, including, for clarity, any IBM Shared Service Centers and IBM Data Center.
6
1.47 “IBM Shared Service Center”
“IBM Shared Service Center” shall mean a IBM Service Location from which IBM performs, for other customers, services the same as or similar to any of the Services.
1.48 “IBM Software”
“IBM Software” shall mean IBM Proprietary Software and IBM Third Party Software.
1.49 “IBM Systems”
“IBM Systems” shall mean IBM Equipment, IBM Intellectual Property, and IBM Software.
1.50 “IBM Third Party Claim(s)”
“IBM Third Party Claim(s)” shall have the meaning specified in Section 30.6A.
1.51 “IBM’s Remedial Acts”
“IBM’s Remedial Acts” shall have the meaning specified in Section 20.4C.
1.52 “IBM Third Party Intellectual Property”
“IBM Third Party Intellectual Property” shall mean Intellectual Property licensed, leased, or otherwise obtained (unless it is otherwise Provisioned by IBM for VMU, in which case it will be deemed VMU Intellectual Property) from a Third Party Vendor by IBM which is used in the performance of the Services.
1.53 “IBM Third Party Software”
“IBM Third Party Software” shall mean all Software licensed, leased, or otherwise obtained (unless it is otherwise Provisioned by IBM for VMU, in which case it will be deemed VMU Software) from a Third Party Vendor by IBM which is used for the performance of the Services.
1.54 “Including”
“Including,” and its derivatives (such as “include” and “includes”), shall mean “including without limitation.” This term is as defined, whether or not capitalized in the Agreement.
1.55 “Income Tax”
“Income Tax” shall have the meaning specified in Section 23.5A.
7
1.56 “Initial Term”
“Initial Term” shall have the meaning specified in Section 2.1.
1.57 “Infringe”
“Infringe” shall mean infringe, misappropriate, violate or constitute the unauthorized use of the subject matter. “Infringement” shall have the corresponding meaning.
1.58 “Intellectual Property”
“Intellectual Property” shall mean all intellectual, industrial and proprietary rights, including all (i) patents, inventions, discoveries, processes, technology and know-how; (ii) copyrights, copyrightable works and works of authorship in any media (including Software and Documentation); (iii) trade secrets, methodologies, formulae, techniques and Proprietary or Confidential Information; (iv) trademarks, service marks, trade dress and related rights; and (v) registrations, applications, renewals, continuations, continuations-in-part, divisionals, reissues, re-examinations, extensions and similar rights and privileges relating thereto.
1.59 “Managed Strategic Supplier”
“Managed Strategic Supplier” shall have the meaning specified in Section 6.1.
1.60 “Material Move”
“Material Move” shall have the meaning specified in Section 7.11.
1.61 “Migrated Service(s)”
“Migrated Service(s)” shall have the meaning specified in Section 10.1.
1.62 “Monthly Baseline”
“Monthly Baseline” shall have the meaning specified in Schedule C.
1.63 “New Services”
“New Services” shall mean those services that are materially different in purpose from, and are in addition to, the Services.
1.64 “New Sourcing Line(s)”
“New Sourcing Line(s)” shall have the meaning specified in Section 3.12C.
8
1.65 “Non-Recurring Initiatives”
“Non-Recurring Initiatives” shall mean a discrete unit of non-recurring work that (1) is not an inherent, necessary, or customary part of the day-to-day Services, (2) is not required to be performed by IBM to meet the existing Service Levels (other than Service Levels related to Non-Recurring Initiative performance); and/or (3) cannot be provided with the then-current level of IBM Personnel dedicated to providing the Services.
1.66 “Notice of Failure”
“Notice of Failure” shall have the meaning specified in Section 22.4.
1.67 “Object Code”
“Object Code” shall mean the form of computer software resulting from the compiling, assembly, or other translation or processing of the Source Materials of such software by a computer into machine language or intermediate code, which is not convenient to human understanding of the program logic, but which is appropriate for execution or interpretation by a computer.
1.68 “Open Source Software”
“Open Source Software” shall mean any Intellectual Property that is subject to any version of the GNU General Public License, GNU Library General Public License, Artistic License, BSD License, Mozilla Public License, or a copyleft, freeware or other similar license, including, those licenses listed at xxx.xxxxxxxxxx.xxx/xxxxxxxx.
1.69 “Parties” or “Party”
“Parties” or “Party” shall mean VMU and IBM in the plural and VMU or IBM, as the case may be, in the singular.
1.70 “Permitted Auditors”
“Permitted Auditors” shall have the meaning as specified in Section 32.2.
1.71 “Primary Event”
“Primary Event” shall mean (whether or not capitalized) an event upon which a cause of action, claim or other liability can be based.
1.72 “Process Interface Manual”
“Process Interface Manual” shall have the meaning set forth in Section 3.14.
9
1.73 “Proprietary or Confidential Information”
“Proprietary or Confidential Information” shall have the meaning set forth in Section 31.1.
1.74 “Provisioned”
“Provisioned” shall mean items licensed, leased, or otherwise obtained by IBM at the request of and on behalf of VMU for which VMU is financially responsible as set forth on the Financial Responsibility Matrix in Schedule C.
1.75 “Receiving Party”
“Receiving Party” shall have the meaning specified in Section 31.2B.
1.76 “Reduced Resource Credit” or “RRC”
“Reduced Resource Credit” or “RRC” shall have the meaning specified in Schedule C.
1.77 “Reference Date”
“Reference Date” shall have the meaning set forth in the introductory paragraph.
1.78 “Release”
“Release” shall mean a redistribution of Software that contains new features, new functionality, and/or performance improvements.
1.79 “Resource Baseline”
“Resource Baseline” shall have the meaning specified in Schedule C.
1.80 “Resource Charge”
“Resource Charge” shall have the meaning specified in Schedule C.
1.81 “Resource Unit”
“Resource Unit” shall have the meaning specified in Schedule C.
1.82 “Revisions”
“Revisions” shall mean Updates, Releases, and Versions.
1.83 “Sarbanes Oxley Reporting Requirements and Process”
“Sarbanes Oxley Internal Control and Testing Requirements shall be attached hereto as Schedule M.
10
1.84 “Service Levels”
“Service Levels” shall mean those IBM performance criteria as set forth in the Service Level Agreement.
1.85 “Service Level Agreement(s)”
“Service Level Agreement(s)” shall mean the service level agreement(s) attached hereto as Schedule B.
1.86 “Service Locations”
“Service Locations” shall have the meaning specified in Section 7.1.
1.87 “Service Taxes”
“Service Taxes” shall have the meaning specified in Section 23.5A.
1.88 “Services”
“Services” shall mean all functions, responsibilities, tasks, subtasks, Deliverables, goods, and other services: (1) identified in the Statements of Work or Specifications; (2) identified in this Agreement as being part of the required services; (3) identified in the Transition Plan; (4) the information technology related functions and responsibilities routinely performed during the twelve (12) month period prior to the Reference Date by the VMU personnel and third party contractors transitioned to IBM, displaced, or whose functions were displaced, as a result of this Agreement who are set forth on Schedule L, provided however, such services, functions or responsibilities shall not include services, functions and responsibilities that were discontinued by VMU prior to the Reference Date, other than in anticipation of this Agreement; and (5) otherwise necessary to comply with the terms of this Agreement. Without increasing the scope of the Services, if any component, task, subtask, service or function is an inherent or necessary part of the Services defined in subparts (1) through (5) of this Section, and not in conflict with IBM’s established methods of providing services, then such service or function shall be deemed to be part of the Services whether or not specifically described in this Agreement.
1.89 “Signature Date”
“Signature Date” shall mean the actual date signed by the last of the Parties to sign the Agreement.
11
1.90 “Software”
“Software” shall mean individually each, and collectively all, computer programs and/or software, including any interfaces, Source Materials, and/or Object Code. Software shall include any and all Revisions thereto.
1.91 “Source Materials”
“Source Materials” shall mean, with respect to Software, the source code of such Software and all related compiler command files, build scripts, scripts relating to the operation and maintenance of such Software, application programming interface (API), graphical user interface (GUI), object libraries, all relevant instructions on building the Object Code of such Software, and all Documentation relating to the foregoing.
1.92 “Specifications”
“Specifications” shall mean (1) the Statements of Work, as attached and as modified and appended, including all documents incorporated therein; (2) all other performance requirements included or incorporated by reference into this Agreement, including: the Service Level Agreement (Schedule B); and (3) to the extent it is not inconsistent with the above, the Documentation.
1.93 “Statement(s) of Work”
“Statement(s) of Work” shall mean the Statement(s) of Work attached hereto as Schedule A and such other statements of work that VMU and IBM may enter into from time to time to document and authorize additional Services (including Non-Recurring Initiatives) and/or New Services (each of which as amended from time to time in accordance with this Agreement).
1.94 “Subcontractor”
“Subcontractor(s)” shall mean any person, entity, or organization (including any Affiliates of IBM) to which IBM has delegated any of its obligations hereunder in accordance with Section 16.
1.95 “Term”
“Term” shall mean the Initial Term, the Extended Term, if any, and any Termination Assistance Period.
1.96 “Termination Assistance Services”
“Termination Assistance Services” shall mean those transition, information technology, and related services provided by IBM to VMU upon the termination or expiration of this Agreement for any reason as set forth in the Termination Assistance Plan or in Section 7 (as applicable). The Termination Assistance Services shall be deemed part of the Services.
12
1.97 “Termination Assistance Period”
“Termination Assistance Period” shall have the meaning specified in Section 29.3.
1.98 “Termination Assistance Plan”
“Termination Assistance Plan” shall mean an integrated plan developed by VMU and IBM to effectuate a seamless transition of the Services from IBM to VMU (or another vendor) in the event of termination or expiration of this Agreement for any reason and as further set forth in Section 29.1.
1.99 “Termination Charges” shall mean the charges set forth in Table 4 of Schedule C-1.
1.100 “Third Party Vendor”
“Third Party Vendor” shall mean any person or entity (excluding VMU or IBM) contracting directly or indirectly with VMU or IBM to provide Equipment, Intellectual Property, Services or other products or services that are used or provided under this Agreement.
1.101 “Transfer of Control”
“Transfer of Control” means the date on which IBM begins providing a specific Service following completion of Transition relating to that Service pursuant to Schedule D and the Transition Plan.
1.102 “Transition”
“Transition” means the transition services described in Section 3.4 and in the Transition Plan.
1.103 “Transitioned Employees”
“Transitioned Employees” shall have the meaning specified in Schedule L.
1.104 “Transition Plan”
“Transition Plan” shall have the meaning set forth in Section 3.4.
1.105 “Transition Plan Critical Deliverable”
“Transition Plan Critical Deliverable” shall mean any Deliverable identified in the Transition Plan as being a critical Deliverable.
13
1.106 “Unrecovered Startup Charges” shall mean the charges set forth in Table 5 of Schedule C-1.
1.107 “Update”
“Update” shall mean a redistribution of Software that corrects an error as well as addressing common functional and performance issues.
1.108 “Version”
“Version” shall mean any delivery of Software that is a Release and/or a collection of Updates.
1.109 “Virus(es)”
“Virus(es)” shall mean: (i) program code, programming instruction or set of instructions intentionally constructed with the ability to damage, interfere with or otherwise adversely affect computer programs, data files or operations; or (ii) other code typically designated to be a virus. Virus(es) shall include Trojan horses, system monitors/keyloggers, dialers, adware, and adware cookies.
1.110 “VMU”
“VMU” shall mean Virgin Mobile USA, L.P., a Delaware limited partnership.
1.111 “VMU Data”
“VMU Data” shall mean all of the data, records, and information of VMU, its Affiliates and designees (including Authorized Users) and customers to which IBM has access, or otherwise is provided to IBM, that is entered into, is transmitted by, or is transmitted through the VMU IT Environment (including any modifications to any such data, records and information, and any derivative works created therefrom) under this Agreement. VMU Data shall exclude IBM Proprietary or Confidential Information, IBM Software or IBM Intellectual Property.
1.112 “VMU Data Center”
“VMU Data Center” shall mean VMU’s data centers specified in Schedule I or as otherwise agreed in writing by the Parties.
1.113 “VMU Delay Claim”
“VMU Delay Claim” shall have the meaning specified in Section 3.4C.
1.114 “VMU Equipment”
“VMU Equipment” shall mean the hardware, machines, and other equipment owned, leased or otherwise obtained by or on behalf of VMU (except for equipment provided from or through IBM) and utilized by IBM to provide the Services. The initial list of VMU Equipment that is necessary for the IBM to use to perform the Services shall be identified in Schedule G and updated as needed.
14
1.115 “VMU Existing Projects”
“VMU Existing Projects” shall mean the projects as set forth on Schedule J currently being undertaken by VMU as of the Reference Date.
1.116 “VMU Infringement Claim(s)”
“VMU Infringement Claim(s)” shall have the meaning specified in Section 20.4A.
1.117 “VMU Infringement Exclusions”
“VMU Infringement Exclusions” shall have the meaning specified in Section 20.4D.
1.118 “VMU Intellectual Property”
“VMU Intellectual Property” shall mean VMU Proprietary Intellectual Property and VMU Third Party Intellectual Property.
1.119 “VMU IT Environment”
“VMU IT Environment” shall mean IBM Systems used to deliver the Services and VMU Systems.
1.120 “VMU Modifications”
“VMU Modifications” shall have the meaning specified in Section 19.3B.
1.121 “VMU Policies and Procedures”
“VMU Policies and Procedures” shall mean the VMU policies, procedures, and guidelines as, and such VMU Documentation, policies, procedures, and guidelines as of the Reference Date and made available to IBM or as amended in accordance with Section 3.2
1.122 “VMU Program Director”
“VMU Program Director” shall have the meaning specified in Section 16.3.
1.123 “VMU Proprietary Intellectual Property”
“VMU Proprietary Intellectual Property” shall mean Intellectual Property (1) developed and owned by VMU, or (2) developed by a third party for, and owned by, VMU, and which is used by IBM in connection with providing the Services.
15
1.124 “VMU Proprietary Software”
“VMU Proprietary Software” shall mean Software (1) developed and owned by VMU, or (2) developed by a third party for, and owned by, VMU, and which is used by IBM in connection with providing the Services.
1.125 “VMU Regulatory Requirements”
“VMU Regulatory Requirements” shall have the meaning specified in Section 26.11.
1.126 “VMU Service Locations”
“VMU Service Locations” shall mean the premises that are occupied, owned, operated, or leased by VMU from which IBM is authorized to provide Services.
1.127 “VMU Sites”
“VMU Sites” shall mean the VMU Service Locations, and any premises occupied, owned, operated or leased by VMU to which IBM provides the Services, as set forth in Schedule I as may be amended from time to time pursuant to Section 3.2.
1.128 “VMU Software”
“VMU Software” shall mean the VMU Proprietary Software and the VMU Third Party Software. The initial list of VMU Software that is necessary for the IBM to use to perform the Services shall be identified in Schedule F and updated as needed.
1.129 “VMU Systems”
“VMU Systems” shall mean the VMU Equipment, VMU Software, and VMU Intellectual Property.
1.130 “VMU Third Party Claim(s)”
“VMU Third Party Claim(s)” shall have the meaning specified in Section 30.6B.
1.131 “VMU Third Party Intellectual Property”
“VMU Third Party Intellectual Property” shall mean all Intellectual Property licensed, leased, or otherwise obtained from a Third Party Vendor by VMU and which is used by IBM in connection with providing the Services.
1.132 “VMU Third Party Software”
“VMU Third Party Software” shall mean all Software licensed, leased, or otherwise obtained from a Third Party Vendor by VMU and which is used by IBM in connection with providing the Services (including the Generally Available IBM proprietary software listed on Schedule F), excluding, the Applications.
16
1.133 “VMU Third Party Vendor”
“VMU Third Party Vendor” shall mean any Third Party Vendor (other than IBM or any IBM Third Party Vendor) contracting directly or indirectly with VMU to provide any products or services.
1.134 “Wind-Down Charges”
“Wind-Down Charges” shall mean reasonable expenses that are incurred by IBM as a result of a termination of this Agreement that are not otherwise subject to payment or reimbursement by VMU under this Agreement including: (i) non-cancelable lease payments, lease termination fees, or other non-cancelable charges for IBM leased Equipment used solely for the provision of the Services; (ii) salaries and associated employee benefit and relocation costs for the IBM Personnel who were VMU employees immediately prior to the Reference Date and hired by IBM on or subsequent to the Reference Date and were primarily providing the Services as of the time of termination of this Agreement for up to sixty (60) days pending the redeployment or separation of such personnel; (iii) severance payments due and payable to IBM personnel who were VMU employees immediately prior to the Reference Date and hired by IBM on or subsequent to the Reference Date and were primarily providing the Services under the applicable written IBM severance plans; (iv) Unrecovered Startup Charges and (v) termination charges, minimum charges or other non-cancelable charges, or charges similar to the other Wind-Down Charges described in this definition for Third Party Contracts. In those circumstances in which IBM is entitled to recover Wind-Down Charges under this Agreement, IBM shall submit an estimate of the anticipated Wind-Down Charges, together with ways in which such expenses may be mitigated or reduced, within 30 days after the event triggering such Wind-Down Charges. Wind-Down Charges to be recovered by IBM shall be reduced to the extent VMU or its designees assume financial obligations that IBM would otherwise have incurred as a result of such termination.
| 2. | Term |
2.1 Initial Term
This Agreement shall be effective as of the Reference Date and shall continue in effect for five years after the Reference Date (the “Initial Term”), unless earlier terminated as provided herein.
2.2 Options to Extend
VMU may, at VMU’s sole discretion, elect to extend the Initial Term of this Agreement for up to one (1) additional term of one (1) year (“Extended Term”). If VMU does not exercise its option to extend at the end of the Initial Term, the extension option shall automatically lapse. VMU shall exercise its extension option by providing IBM written notice no later than one hundred twenty (120) days prior to the expiration of the Initial Term.
17
2.3 Fees During Extended Term
The fees to be paid by VMU during the Extended Term(s) of this Agreement shall be the applicable fees set forth in Section 23, adjusted for ECA in accordance with Schedule C.
| 3. | Services |
3.1 Services Overview
As of the Reference Date, IBM shall provide the Services set forth in Schedule D and the Transition Plan, and as of each Transfer of Control date and continuing throughout the Term, IBM shall provide the applicable Services set forth in Schedule A and any Statement of Work to VMU, VMU Affiliates and the Authorized Users, as such Services may evolve or are otherwise supplemented, enhanced, modified or replaced in accordance with this Agreement. Except for the VMU Systems as of the Reference Date and as specifically set forth in this Agreement, IBM shall obtain, subject to VMU’s issuance of a purchase order and payment as recommended by IBM for those items for which it has financial responsibility pursuant to the Agreement, all other resources (including shared resources) necessary for IBM to provide the Services in accordance with the Service Levels and other performance requirements of this Agreement. IBM shall provide the Services to VMU as an integrated service offering in accordance with this Agreement and without regard to the lines of business, intra-Affiliate relationships, or geographic locations within IBM’s organization from which such Services are offered, or the internal profit center within IBM’s organization to which the financial accounting for a Service is ultimately attributed. IBM acknowledges that the VMU Existing Projects are included in the definition of “Services” and that during Transition the Affected Employees shall continue to support VMU Existing Projects under the technical direction of VMU and as of the applicable Transfer of Control IBM shall have full responsibility for the VMU Existing Projects. IBM agrees that, for the Term, as and when any VMU Existing Project or other in-scope project is completed or when resources allocated for any VMU Existing Project or other in-scope project are no longer required to perform such VMU Existing Project or other in-scope project, IBM shall reallocate such resources to other VMU in-scope projects, or, if IBM determines that such resources are no longer necessary, then the fees for the Services shall be adjusted using a RRC as provided in Schedule C.
3.2 Change Control Procedures
In the event that (a) IBM determines that resources are no longer necessary to perform the Services; (b) IBM determines that additional resources are necessary to perform the Services; (c) IBM or VMU determines that a change in a Deliverable or Services timeline is necessary; (d) VMU requests changes in the scope of Services due to its then-current business needs; or (e) VMU institutes a change to the VMU Policies and Procedures that affects IBM’s provision of the Services; then the IBM Project Executive and VMU Program Director shall meet to discuss the effect of the foregoing on the Services and resources and associated charges and terms and conditions. If the request is for a New Service it shall be handled in accordance with Section 3.12 of this Agreement and otherwise as set forth below. Promptly following such meeting(s), IBM shall prepare a written change request proposal for VMU’s consideration at no additional charge to VMU, and shall deliver such proposal to VMU within a timeframe that is reasonable
18
based on the nature and scope of the proposed changes. A change request proposal shall include (i) a reasonably detailed plan that defines the proposed changes and the associated ARCs or RRCs, Hourly Services Rates, equitable adjustments to the charges or other fees to compensate IBM for the costs of implementing the change and increased costs in the delivery of Services, if any; (ii) a reasonably detailed description of any anticipated changes in the applicable Service Levels or other terms and conditions of the Agreement, if any; (iii) a schedule for implementing the additional Services, if any; (iv) a description of the Equipment or Software no longer needed, if applicable; (v) a description of the Software, Equipment, Applications and other resources, including Resource Unit utilization, necessary to provide the additional or changed Services, if applicable; and (vi) additional facilities, hardware, software or labor resources to be provided by VMU, if any. VMU will review the change request proposal and either approve and sign the change request proposal, or give IBM a written rejection of the change request proposal. In the event that IBM and VMU are unable to agree to a change request proposal, the Parties may submit such change request proposal for resolution pursuant to the dispute resolution process described in Section 27. All change request proposals must be approved in writing and signed by VMU prior to any change in the scope of the Services, change in the resources for the Services, and/or invoicing of any ARC, Hourly Services Rates or other charges and IBM shall not begin performing any additional or changed Services or stop performing any Services without VMU’s written approval.
3.3 Documentation
IBM shall provide the Services in accordance with the applicable Documentation, Schedule A, any applicable Statements of Work, and as otherwise required under this Agreement. In addition, at no additional charge to VMU, IBM shall provide VMU with at least three (3) copies of Documentation developed for VMU under this Agreement (or otherwise required to be provided to VMU under this Agreement) to enable VMU to fully utilize as permitted under this Agreement the Services, Equipment, and Software.
3.4 Transition
A. Transition Plan
Within thirty (30) days after the Signature Date, IBM shall deliver to VMU for review and comment a draft of a Transition plan (the “Transition Plan”) describing in detail the timeline and Services relating to the transition of responsibility for the Services from VMU or VMU’s current Third Party Vendors to IBM. The Transition Plan shall be based on the initial high level transition plan set forth in Schedule D, and shall include, at a minimum: (a) all of the Transition tasks required to be performed by IBM, (b) all of the tasks required to be performed by VMU (any responsibility not explicitly allocated to VMU is deemed to be a Transition task to be performed by IBM), (c) the specific resources to be provided by VMU, (d) the completion date for each Transition task, (e) the acceptance criteria (and, if appropriate, testing) to be applied by VMU in evaluating Transition Deliverables, (f) a complete description of any one-time or other charges to VMU which are associated with the Transition Plan, including Deliverable criteria and timing for payment(s), other than the Charges, (g) IBM’s proposed migration strategy for Transitioned Employees and the VMU IT Environment, (h) evaluation and description of VMU Equipment and VMU Software that will no longer be necessary for IBM to provide the Services
19
after Transition, (i) a list of VMU Existing Projects that will be completed during the Transition by VMU and/or IBM, (j) a list of Transition Plan Critical Deliverables and the date by which such Deliverables must be completed, and (k) all other pertinent details. IBM shall incorporate any reasonable comments and suggestions made by VMU and shall deliver a revised Transition Plan within fifteen (15) days after receipt of VMU’s comments. The final Transition Plan shall be subject to VMU’s approval. The Transition Plan and all reports or other Documentation developed by IBM pursuant to the Transition Plan shall automatically become a part of this Agreement immediately upon their creation or delivery, as the case may be. IBM shall perform all Transition Services described in the Transition Plan to transition the provision of the Services from VMU to IBM. IBM shall provide the Transition Services without materially (i) disrupting or adversely impacting the business or operations of VMU, VMU Affiliates or VMU Authorized Users, (ii) degrading the Services being provided, or (iii) interfering with the ability of VMU, VMU Affiliates or VMU Authorized Users to obtain the benefit of the Services, except as may be otherwise provided in the Transition Plan. Unless otherwise stated in the Transition Plan, the Transition Services shall not defer any obligations or liabilities of IBM under this Agreement. VMU and IBM may mutually agree to extend Transition.
B. Transition Acceptance Tests
VMU and IBM shall perform Transition acceptance testing based on the acceptance criteria and procedures set forth in the Transition Plan.
C. Failure to Comply with the Transition Plan
(1) With respect to the Transition Plan Critical Deliverables as set forth in Schedule D, IBM agrees to provide Transition Milestone Credits as set forth in Schedule D if IBM’s failure to fulfill its responsibilities as set forth in the Agreement causes a delay in the delivery of a Transition Plan Critical Deliverable beyond the date set forth in Schedule D unless such failure is cured by delivery of the such Transition Plan Critical Deliverable no later than thirty (30) days after the date set forth in Schedule D for such Transition Plan Critical Deliverable. If IBM materially breaches its obligations to provide Transition and does not cure such breach within *** days upon receipt of written notice form VMU, then VMU may terminate the Agreement without payment of ***.
(2) IBM shall, upon the occurrence of acts or omissions by VMU which have been determined by IBM to, or are likely to, directly adversely impact its ability to deliver or meet a Transition Plan Critical Deliverable by the date set forth in the Transition Plan (“VMU Delay Claim”), advise the VMU Program Director of such VMU Delay Claim in writing promptly, but in no event longer than five (5) business days of IBM having knowledge of such occurrence, of the facts surrounding such claim and time impact, and VMU shall provide a response and/or resolution plan to IBM within five (5) business days thereafter. If VMU determines that the VMU Delay Claim was a primary cause for a delay of IBM in delivering a Transition Plan Critical Deliverable, the time for IBM to meet that Transition Plan Critical Deliverable shall be equitably extended to adjust for the impact of such occurrence as well as those Transition Plan Critical Deliverables directly dependent upon the extended Transition Plan Critical Deliverable. If IBM does not agree with VMU’s decision, IBM shall submit the VMU Delay Claim to
20
the dispute resolution process described in Section 27. If, at the conclusion of the dispute resolution process, it is determined that the delay was caused by VMU’s acts or omissions, the time for IBM to deliver or meet the Transition Plan Critical Deliverable will be equitably extended to account for the VMU delay. IBM’s failure to timely advise VMU of a VMU Delay Claim as provided above shall preclude it from raising such acts or omissions as a basis for avoiding liability under this Section 3.4 (Transition).
3.5 Equipment
IBM shall provide the Services using, or through access to, the Equipment. As part of the Services, IBM shall make available to VMU the Equipment as may be necessary for VMU to use the Services and for VMU’s Third Party Vendors to maintain the VMU Equipment. VMU shall be responsible for the risk of loss of, and damage to VMU Equipment unless such loss or damage is caused by the acts or omissions of IBM Personnel (including IBM’s failure to comply with its maintenance obligations as set forth in this Agreement and applicable Schedules) or such VMU Equipment is in the custody of IBM or its designees, either permanently or during the removal and moving process from VMU’s premises. IBM shall be responsible for the risk of loss of, and damage to, IBM Equipment.
3.6 Technology Refresh
A. IBM shall provide all Services required to implement this Section 3.6 in accordance with Schedule C (Fees and Resource Baseline). VMU will replace, upgrade, refresh and provide the additional Equipment and Software as provided in this Agreement, including Schedules A and H.
B. The refresh schedule shall be determined in accordance with the timeframe and/or events specified in Schedules A and H, or as otherwise approved by VMU. Refresh shall be performed in accordance with the technical architecture standards specified in Schedule H. VMU reserves the right to approve and modify the refresh schedule based on its business requirements, subject to the Change Control Procedures.
C. IBM shall be responsible for configuring, installing, testing, and implementing, all replacement, upgraded, refreshed and additional Equipment. VMU will be financially responsible for providing maintenance on all VMU Equipment and IBM will manage such Third Party Vendors in accordance with Section 6.
3.7 Software Services
Except for the VMU Systems as of the Reference Date or as otherwise provided in the Agreement, IBM shall obtain, subject to VMU’s issuance of a purchase order and payment as recommended by IBM for those items for which it has financial responsibility pursuant to the Agreement, any additional Software required by IBM to provide the Services, meet Service Levels, or otherwise comply with this Agreement.
21
3.8 Licenses and Permits
IBM is responsible for obtaining all licenses, approvals, permits and authorizations required by applicable U.S. federal, foreign, multinational, state, or local laws, regulations, rules, directives and court orders (together with subpoenas, discovery requests or legal process, “Applicable Laws”) to perform the Services. Except as otherwise agreed to in writing by the Parties or as otherwise provided in this Agreement, IBM is financially responsible for all fees, costs and taxes associated with such licenses, approvals, permits and authorizations. IBM shall provide to VMU all such licenses, approvals, permits and authorizations within three (3) Business Days after IBM’s receipt of VMU’s request.
3.9 Knowledge Transfer and Best Practices
IBM shall implement an adequate knowledge transfer process to ensure that IBM Personnel share, at no additional cost, the knowledge they have gained while performing the Services with VMU and, to the extent needed to receive the Services, the VMU Authorized Users. The knowledge transfer process shall ensure that important knowledge, information, and practices pass from IBM and IBM Personnel to VMU and to the extent needed to receive the Services, VMU Authorized Users. At a minimum, such knowledge transfer processes will include IBM meeting with VMU at least once every year (or more frequently as reasonably requested by VMU) to (a) review and explain the Process Interface Manual, (b) explain how the VMU IT Environment operates in connection with the provision of the Services, and (c) provide such reasonable training as VMU may require for VMU to understand and operate the VMU IT Environment and provide the Services after the expiration or termination of the Agreement.
As part of the monthly meetings established by the Contract Governance Plan, IBM shall report to the VMU Program Director on IBM observed opportunities for the introduction of best practices into VMU’s information technology processes. Beginning on the commencement of the second contract year of the Agreement, and annually thereafter, IBM shall work with the VMU Program Director to develop and present a yearly forum/briefing to VMU (1) to recommend best practice improvements to the Services, (2) to assist VMU in understanding how the use of such best practices is intended to align VMU’s technology investments with its Business Objectives, and (3) to assist VMU in analyzing return on its technology investments related to the Services.
3.10 Strategic / Business Planning and Process Implementation; IBM Technology
A. IBM shall provide strategic planning and other business planning and process implementation services as required pursuant to Schedule A and any Statements of Work. In addition, IBM will provide business and technology intelligence and recommendations to support optimization of the Equipment and Software refresh strategy. IBM shall provide VMU with prioritized availability (for VMU’s evaluation and testing in connection with the Services) and knowledge of IBM’s new technology developments, including new software and hardware developments, that have been discussed publicly or made Generally Available at no additional cost (for avoidance of doubt, the reference to ‘no additional cost’ refers only to the prioritized availability and knowledge, not provision of the actual technology).
22
B. If, after such evaluation and testing, VMU requests that IBM provide any such new technology developments to VMU or its Affiliates for VMU’s or its Affiliates’ use, IBM shall provide such new technology developments to IBM at an amount consistent with reasonable market rates, and agreed upon by the Parties, subject to the Change Control Procedures.
3.11 Reporting Services
In order to monitor the status, performance, and quality of the Services provided to VMU, IBM shall provide VMU with the various written reports described in Schedule A and any Statements of Work, as such reports may be amended from time to time pursuant to Section 16.2. The nature and time frame of the reports shall be set forth in Schedule A and the applicable Statements of Work. Unless stated otherwise in Schedule A or a Statement of Work, or as reasonably requested by VMU, each of such reports shall be comprised of three (3) hard copies and (1) electronic copy to be delivered to the VMU Program Director, together with a formal transmittal letter executed by IBM’s Project Executive. If no time period is designated by VMU in Schedule A or a Statement of Work, reports are due five (5) days from the end of the reporting period or the date of the occurrence that warrants a report.
3.12 New Services
A. New Services Proposal
If VMU requests that IBM perform any New Services, IBM shall promptly prepare a New Services proposal for VMU’s consideration. IBM shall prepare New Services proposals at no additional charge to VMU and shall deliver such proposal to VMU within a timeframe that is reasonable based on the nature and scope of the proposed New Services and, in event the proposed New Services are being competitively bid, in compliance with VMU’s competitive bidding requirements. A New Services proposal shall include (i) a reasonably detailed project plan and a price for the New Service; (ii) a reasonably detailed breakdown of such price, which price shall be stated in the pricing methodology specified by VMU (e.g., time and materials, fixed price, “not to exceed”), (iii) a reasonably detailed description of the service levels to be associated with such New Service; (iv) a schedule for commencing and completing the New Service; (v) a description of the new hardware or software required in connection with the New Service; (vi) a description of the software, hardware and other resources, including Resource Unit utilization, necessary to provide the New Service; (vii) additional facilities, hardware, software or labor resources to be provided by VMU in connection with the proposed New Service; and (viii) acceptance test criteria and procedures. If VMU accepts IBM’s proposal, the Parties will negotiate a mutually agreed to Statement of Work. Upon execution of the applicable Statement of Work, the scope of the Services included in the Charges will be expanded and the definition of “Services” in this Agreement will be modified to include such New Services. All New Services must be approved by VMU in accordance with Section 4.1, and IBM shall not begin performing any New Service, and VMU shall not be obligated to pay for any New Service, until such approval has been given.
23
B. Competing Bids
VMU may elect to solicit and receive bids from third parties to perform any New Services; provided, however, that VMU shall not disclose any Proprietary or Confidential Information provided by IBM to VMU in any proposal for New Services. If VMU elects to use third parties to perform New Services, (i) such New Services shall not be deemed “Services” under the provisions of this Agreement and (ii) IBM shall cooperate with such third parties as provided in Section 6.
C. New Sourcing Lines
In the event VMU elects to utilize IBM to provide a new line of sourcing services (individually and collectively referred to as “New Sourcing Line(s)”), such services will be treated as New Services under this Agreement, provided that each New Sourcing Line will include in the proposal a unique Exhibit to Schedule C (Fees and Resource Baselines); Statement(s) of Work; Service Level Agreement attachments, and as applicable, supporting exhibits. To the extent any provisions of this Agreement are deemed by the Parties to be inapplicable to such New Sourcing Line(s) or it is agreed that new provisions are required, such modifications will be addressed through an amendment to this Agreement, unless the Parties otherwise agree that a stand alone agreement that leverages the terms agreed to herein as applicable will facilitate the provision or management of the services.
3.13 Sale, Transfer or Acquisition
A. Sale or Transfer
If at any time during any Term, VMU sells, divests or otherwise transfers ownership of a department, business unit or an Affiliate (each, a “Transferred Entity”), IBM shall continue to provide the Services to any such Transferred Entity if requested by VMU, on the terms and conditions set forth in this Agreement for the period requested by VMU, which period shall not exceed twelve (12) months after the completion of such sale, divestiture or transfer. IBM shall cooperate with VMU, such Transferred Entity and any new service provider to ensure the timely transition of the Services so that the Services are uninterrupted. Additionally, all licenses granted under this Agreement to or for the benefit of VMU shall continue in full force and effect for each Transferred Entity as a license under such licenses, with each Transferred Entity having all rights as if granted in its own name and on its own behalf upon becoming a Transferred Entity.
B. Acquisitions
In the event that VMU or one of its Affiliates acquires an unrelated entity (an “Acquisition”), then, at VMU’s election, such entity’s applicable operations will become subject to this Agreement, with all rights and benefits hereunder, on the date specified by VMU. In the event of any such Acquisition, subject to Section 34 (Extraordinary Events), the Parties will renegotiate in good faith all affected charges to account for the increased volume, all in accordance with the Change Control Procedures and, if applicable, the procedures set forth in Section 34. In the case of any such Acquisition, IBM will have a reasonable period of time (commensurate with the complexity of the applicable Services to be provided to such entity) in
24
which to develop a mutually agreeable transition plan to provide the applicable Services, and VMU will pay IBM for any pre-approved, reasonable, and actual start-up or implementation costs incurred by IBM that are necessary for IBM to provide the applicable Services to such entity in accordance with this Agreement.
3.14 Process Interface Manual
A. Within ninety (90) days after the Signature Date, IBM shall deliver to VMU for review and comment a draft of a manual (the “Process Interface Manual”) describing in detail how IBM shall perform the Services, the Equipment and Software used to provide the Services, and the Documentation (such as, for example, operations manuals, user guides, forms of Service Level reports, call lists, escalation procedures, emergency procedures, and requests for approvals or information) which provides further information regarding the Services. The Process Interface Manual shall describe the activities IBM proposes to undertake in order to provide the Services, including, where appropriate, those direction, supervision, monitoring, quality assurance, staffing, reporting, planning and overseeing activities normally undertaken at facilities that provide services of the type IBM shall provide under this Agreement, and further including acceptance testing and quality assurance procedures approved by VMU. The Process Interface Manual shall be based on the form of process interface manual set forth in Schedule A. IBM shall incorporate any reasonable comments and suggestions made by VMU and shall deliver a revised Process Interface Manual within fifteen (15) days after receipt of VMU’s comments. The final Process Interface Manual shall be subject to VMU’s approval.
B. IBM shall update the Process Interface Manual throughout the Term to reflect changes in the Services and the procedures and resources used to provide the Services. Updates to the Process Interface Manual shall also be provided to VMU for review, comment and approval. IBM shall update and deliver to VMU for approval portions of the Process Interface Manual relating to any material operational change in the Services within fifteen (15) days of such change.
C. IBM shall perform the Services in accordance with the then-current version of the Process Interface Manual. The Process Interface Manual shall be for operational purposes only, and shall not constitute a contractual document. Accordingly, in the event of a conflict between the provisions of this Agreement and the Process Interface Manual, the provisions of this Agreement shall control, and VMU’s acceptance of the Process Interface Manual shall not be deemed a waiver of any rights of VMU.
| 4. | Unapproved Work |
4.1 VMU Approval
A. When VMU’s consent, authorization, amendment, and/or other approval is expressly required under this Agreement, such consent, authorization, amendment, and/or other approval must be obtained by IBM in advance and in writing from the VMU Program Director (or their designee).
25
B. After IBM has obtained the consent, authorization, amendment, and/or other approval as set forth in this Section 4.1, IBM is not required to obtain a consent, authorization, amendment, and/or other approval for the tasks related to the day to day execution of the applicable matter, unless additional consents, authorizations, amendments, and/or other approvals are specifically provided for in such approval.
C. For purposes of this Agreement, the writings constituting any consent, authorization, amendment, and/or other approval shall be (i) as to New Services, a signed and numbered Statement of Work; (ii) as to Non-Recurring Initiatives, a signed and numbered Statement of Work; and (iii) as to all other activities requiring VMU’s consent, authorization, amendment, and/or other approval, a signed writing or exchange of electronic documents indicating agreement. IBM’s monthly invoices shall identify separately Charges for New Services, with reference to the specific numbered Statement of Work constituting the consent, authorization, amendment, and/or other approval. Each calendar month, the VMU Program Director and IBM’s Project Executive shall meet to review the Services invoiced to VMU in the previous calendar month, including the status of issues, if any, relating to the New Services. VMU will make a good faith attempt to raise any disputes relating to any consent, authorization, amendment, and/or other approval of the Services performed promptly upon discovery of such dispute.
4.2 Right to Reject
VMU reserves the right to reject any Services and/or ARCs not approved by VMU pursuant to Section 4.3 or other provisions of this Agreement, unless a specific provision of the Agreement or Schedules allows IBM to provide ARC’s without prior approval.
4.3 Failure to Obtain Approval
A. If IBM provides Services (or services other than those specified in this Agreement) to VMU without obtaining VMU approvals in writing, as set forth in Section 4.1, such Services (or other services) may be deemed to be a gratuitous effort on the part of IBM and IBM shall have no claim whatsoever against VMU therefor (it being understood by the Parties that IBM shall have no obligation to continue to provide such gratuitous Services (or other services) unless approved by VMU, in its sole discretion, in which case VMU shall, upon obtaining such from VMU, compensate IBM going forward in accordance with this Agreement). Any services other than those specified under this Agreement that are approved by VMU under the preceding sentence shall be included in the definition of “Services” and shall be subject to the terms and conditions of this Agreement.
B. If IBM provides Services (or services other than those specified in this Agreement) that are deemed to be a gratuitous effort pursuant to subparagraph A above, constituting Equipment, IBM Proprietary Software or commercially available off-the-shelf IBM Third Party Software (e.g., Microsoft NT, Sun Solaris, HP Open View), unless otherwise approved by VMU, VMU shall permit IBM to remove such Equipment, IBM Proprietary Software or commercially available off-the-shelf IBM Third Party Software at IBM’s sole cost and expense and at VMU’s reasonable convenience.
26
C. If IBM provides Services (or services other than those specified in this Agreement) that are deemed to be a gratuitous effort pursuant to subparagraph A above, constituting Software, VMU shall be entitled to retain and use such Software free of Charge, except that, absent a later agreement by the parties, such Software shall not be deemed to be included in the definition of “Services” and shall be provided to VMU by IBM on an “AS IS” basis.
| 5. | Service Levels |
5.1 Service Level Agreements
IBM shall provide all Services in accordance with the applicable Service Levels as described in Schedule B.
5.2 Reports
IBM shall collect all data and maintain all records and documentation required by this Agreement or any Statements of Work and to comply with the Service Levels. IBM shall provide regular performance reports to VMU in accordance with Section 3.11 and Section 16.
5.3 Root-Cause Analysis and Resolution
Within ten (10) days (or as otherwise agreed to by the Parties in writing) of IBM’s failure to provide the Services in accordance with the Service Levels, IBM shall (a) perform root cause analysis to identify the cause of such failure, (b) provide VMU with a written report detailing the cause of, and procedures for correcting, such failure, (c) provide VMU with reasonable evidence that applicable corrective steps have been taken; and (d) provide VMU with assurance satisfactory to VMU that such failure will not recur after the procedure has been completed. The foregoing does not limit other remedies available to VMU or otherwise excuse IBM from its Service Level obligations under this Agreement for such Service Level failures.
5.4 Cost and Efficiency Reviews
IBM shall perform, on an annual basis, cost and efficiency reviews of the Services it provides and make recommendations to VMU for reducing the cost to VMU of the Services and improving the Service Levels. IBM’s recommendations shall include:
A. Tuning or optimizing the VMU IT Environment used to perform the Services;
B. Analysis and isolation of Application and infrastructure design, configuration, and implementation flaws;
C. Recommendations for aligning technology processes, tools, skills and organizational changes with VMU’s business requirements; and
D. Recommendations for new technologies in general use by IBM in delivering similar services to other customers at no cost to such other customers to replace existing technologies provided by IBM to provide the Services at no cost to VMU, even if the use of
27
such new technologies will result in a reduction in monthly revenues to IBM under the Agreement. Implementation of new technologies will be in accordance with the Change Control Procedure.
| 6. | Strategic Relationship Management |
6.1 Definitions
For purposes of this Section 6, the term “Managed Strategic Supplier” shall mean those Third Party Vendors identified by VMU as having responsibility under a separate agreement with VMU for the delivery of a service segment that must integrate with the Services. As of the Signature Date, Schedule E lists the Managed Strategic Suppliers, which list shall be updated from time to time by the written agreement of the Parties either through the Contract Governance Plan pursuant to Section 16.3, through Change Control pursuant to Section 3.2, or by a signed amendment to the Agreement.
6.2 Managed Strategic Supplier Services
A. IBM’s obligations with regard to Managed Strategic Suppliers shall be as set forth in this Agreement, Schedule A or the applicable Statements of Work and include the following as it relates to the Services provided by IBM in this Agreement:
(1) work with VMU to plan the scope, requirements and specifications as to all Managed Strategic Suppliers for any particular project or engagement; provided, however, VMU will provide IBM with a copy of the applicable agreements with its Managed Strategic Suppliers as needed to identify IBM’s obligations under this Section;
(2) assume primary responsibility for properly fulfilling VMU’s operational, management, and administrative obligations under any agreement with a Managed Strategic Supplier; provided, however, except as set forth in this Section 6, nothing under this subpart obligates IBM to accept financial or other liability as between it and the Managed Strategic Supplier;
(3) work with VMU to identify its information technology needs and assume primary responsibility for incorporating those needs in the design and development of specifications for the Managed Strategic Supplier’s services;
(4) act as VMU’s limited agent to coordinate the implementation of all information technology projects and information technology performance;
(5) assume responsibility for managing the relationship and monitoring the Managed Strategic Supplier’s continuing performance under the terms of the agreement with the Managed Strategic Supplier and bring all performance issues under the applicable service levels to resolution in accordance with the terms of the agreement with the Managed Strategic Supplier, including managing the Managed Strategic Supplier’s development and implementation of corrective action plans;
28
(6) monitor the Managed Strategic Supplier’s timely performance of the terms of its agreement with VMU, including managing the Managed Strategic Supplier’s development and implementation of corrective action plans;
(7) monitor and assess the Managed Strategic Supplier’s ability to efficiently and effectively deliver the agreed services under the terms of its agreement with VMU;
(8) review and verify the accuracy of the Managed Strategic Supplier’s compliance with the terms of the agreement with VMU, including applicable statements of work and project agreements, and pursue all credits to which VMU may be entitled;
(9) provide VMU with reasonable notice of any renewal, termination or cancellation dates and fees with respect to any agreement with a Managed Strategic Supplier. IBM shall not renew, modify, terminate or cancel any such agreements without VMU’s consent. Any modification, termination or cancellation fees or charges imposed upon VMU in connection with any such modification, termination or cancellation shall be paid by VMU;
(10) (a) receive all invoices received by VMU from Managed Strategic Suppliers, (b) review and correct any errors in any such invoices in a timely manner and (c) use commercially reasonable efforts to submit such invoices to VMU for payment within a reasonable period of time prior to the due date or, if a discount for such payment is given, the date on which VMU may pay such invoice with a discount. VMU shall pay such invoices received and approved by IBM. VMU shall be responsible for any late fees in respect of such invoices; provided, however, that IBM submits such invoices to VMU for payment within a reasonable period of time prior to the date any such invoice is due. If IBM fails to submit an invoice to VMU for payment in a timely manner due to its fault or the fault of a party under its control, IBM shall be responsible for any discount not received or any late fees in respect of such invoice;
(11) monitor usage traffic, capacity or other defined metrics set forth in agreements with Managed Strategic Suppliers and notify Managed Strategic Suppliers and VMU due to any increase or decrease in those metrics; and
(12) provide VMU and the Managed Strategic Suppliers with any reporting requirements as defined in any agreement with the Managed Strategic Supplier.
B. In the event of any failure of a Managed Strategic Supplier to achieve the service levels under the applicable service level agreement or any other material failure under such agreement, IBM shall promptly advise the VMU Program Director. In addition to providing the Services set forth in Section 6.2A, within ten (10) days of receipt of a corrective action plan and/or a root cause analysis of a service level failure from the Managed Strategic Supplier, IBM shall provide VMU with a written analysis of the Managed Strategic Supplier’s corrective action plan and root cause analysis and an identification of measures that are determined by IBM to minimize the likelihood of a recurrence of the failure. If further investigation into the root cause of the failure is required, then IBM shall, as applicable, manage the Managed Strategic Supplier’s efforts with regard to such further
29
investigation and/or perform such investigation. IBM shall provide a report to VMU of relevant information discovered in the further investigation and such other information regarding the failure as VMU may reasonably request. Upon becoming aware of acts or omissions of a Managed Strategic Supplier that IBM reasonably believes are likely to cause a failure to achieve a service level under the applicable Service Levels, IBM will provide VMU with prompt written notice of such acts or omissions.
C. Any changes to any agreement with a Managed Strategic Supplier which would materially change or increase the level of Services provided by IBM under this Section 6 shall be subject to the Change Control Procedures.
D. VMU agrees to cooperate with IBM in its role as VMU’s limited agent with respect to a Managed Strategic Supplier. As of the Signature Date, VMU is not aware of any material breach under any Managed Strategic Supplier agreement nor are there any disputes pending in dispute resolution.
| 7. | Service Locations |
7.1 Service Locations
On the Reference Date, the Services shall be provided from (1) the VMU Sites set forth on Schedule I, (2) the IBM Service Locations set forth on Schedule I; and/or (3) any other data center or location designated by VMU or IBM; provided, however, that any such other IBM designated data center or location must be approved by VMU, which approval shall not be unreasonably withheld ((1), (2), and (3) collectively, the “Service Locations”). Any request by IBM to relocate the Services to any other data center or location shall designate the proposed location for performance of such Services in a written notice to VMU. IBM shall remain responsible for compliance with all of its obligations under this Agreement with respect to the relocated Services, and shall ensure that any such relocation does not adversely affect VMU. Any such relocation shall be at IBM’s sole expense, and VMU shall not be responsible for any such expenses incurred, including increased operational costs of IBM. In no event shall VMU be responsible for increases in Charges based upon any such relocation. IBM shall be responsible for complying with all IBM Regulatory Requirements with respect to its relocation effort and the provision of Services from the data center or location to which such Services are relocated. Notwithstanding the foregoing, all Services provided hereunder shall be performed in the United States unless specifically stated otherwise in the Statements of Work.
If IBM elects to provide Services from outside of the United States, without limitation of this Section 7.1, IBM shall be responsible for compliance with all United States export laws or the applicable country of origin and import laws of the location from which Services will be performed. VMU will cooperate and provide information in its possession reasonably requested by IBM that is necessary for IBM’s compliance with export laws. IBM shall demonstrate to VMU, as part of its request for approval of relocation of Services to an IBM Service Location outside of the United States, the safeguards established by IBM to ensure that VMU will not be adversely affected by such relocation, including representations regarding availability and competency of IBM Personnel at such IBM Service Location and that IBM has otherwise complied with this Section 7.1. IBM shall take appropriate actions so that VMU’s Intellectual Property rights will not be jeopardized and can be protected under local Applicable Laws.
30
7.2 Shared Environment
Prior to migrating or relocating any of the Services to a IBM Shared Service Center (other than those contemplated as of the Signature Date) or to any shared hardware or software environment, IBM shall provide to VMU, for VMU’s approval (which shall not be unreasonably withheld), a proposal for the migration or relocation of such Services, including benefits, savings, or risks to VMU during the Term and upon the expiration or termination of this Agreement. VMU agrees to evaluate such migration or relocation proposals in good faith, acknowledging the potential that such relocation, while achieved at no additional cost or savings to VMU, may enable IBM to optimize its financial and delivery commitments under this Agreement. If (a) IBM provides the Services to VMU from a IBM Shared Service Center or any other IBM Service Location that is shared with a third party or third parties and any part of the business of VMU or any such third party is now or in the future competitive with VMU’s business, then IBM, at VMU’s request, shall develop a process, to restrict access in any such shared environment to VMU’s Proprietary or Confidential Information so that IBM or IBM Personnel providing services to such competitive business shall have no access to VMU’s Proprietary or Confidential Information.
7.3 Safety Procedures
A. At all times IBM shall maintain and enforce at the IBM Service Locations safety procedures that are at least (1) equal to industry standards applicable to such IBM Service Locations and (2) as rigorous as those procedures in effect at such IBM Service Locations as of the Reference Date.
B. At all VMU Service Locations, IBM shall comply with VMU’s safety procedures provided in writing to IBM or generally posted at a VMU Service Location. IBM shall observe and comply with all Applicable Laws and VMU rules (disclosed to IBM or IBM Personnel in writing or by other means generally used by VMU to disseminate such information to employees or contractors) with respect to safety, health, facility security, and the environment and shall take all action necessary to avoid injury, property damage, spills or emissions of hazardous substances, materials or waste, and other dangers to persons, property or the environment. To the extent required by VMU, IBM Personnel shall receive prescribed training from VMU without charge prior to entering certain VMU Sites.
7.4 Security Procedures
As more specifically required pursuant to Schedule A, IBM shall adopt security measures for itself and all IBM Personnel which shall include:
A. Prohibition of the disclosure of VMU Proprietary or Confidential Information within IBM’s organization except to IBM Personnel requiring access to such information to perform IBM’s obligations or exercise its rights under this Agreement;
31
B. Precluding access to VMU Proprietary and Confidential Information by any IBM Personnel until each such individual has been trained with regard to the handling of the VMU Proprietary or Confidential Information, use of security measures identified herein and (1) with respect to IBM’s employees, has completed IBM’s applicable Business Conduct Guidelines (or its successors) (provided, however, for purposes of this Agreement and with respect to IBM’s employees providing Services under this Agreement, IBM’s Business Conduct Guidelines (or its successors) shall be deemed to apply to and include all of the VMU Systems), and (2) with respect to all other IBM Personnel, IBM has included provisions comparable to the IBM Business Conduct Guidelines and IBM retains liability hereunder for any breaches by same;
C. Requiring all (1) new IBM employees to certify to IBM’s applicable Business Conduct Guidelines (or its successors) (provided, however, for purposes of this Agreement and with respect to IBM’s employees providing Services under this Agreement, IBM’s Business Conduct Guidelines (or its successors) shall be deemed to apply to and include all of the VMU Systems), and (2) other IBM Personnel to execute agreements with provisions comparable to IBM’s Business Conduct Guidelines prior to working on the VMU Account
D. Providing each individual authorized to electronically access VMU Proprietary or Confidential Information with a unique access code and notifying such individual that disclosure or sharing of any password, access code, or security device shall result in disciplinary action, including termination and enforcing such policies;
E. Promptly canceling any password or security access code when an individual is terminated, transferred, or on a leave of absence and providing prompt notice of such event to VMU and consistent with VMU System security requirements and promptly acquiring possession of any VMU Proprietary or Confidential Information possessed by such individual;
F. In the event employment is terminated involuntarily, ensuring that the individual’s access to VMU Proprietary or Confidential Information is blocked prior to notifying the individual of the involuntary termination and promptly acquiring possession of any VMU Proprietary or Confidential Information possessed by such individual;
G. Requiring that VMU procedures (provided in writing to IBM or generally posted at the VMU Sites) are followed by IBM Personnel to physically safeguard all telecommunication switches, computer rooms, and tape libraries, as well as restricting access to such sites to authorized personnel through card access system badges where such systems are utilized;
H. Requiring, to the extent consistent with VMU Policies and Procedures, that the Equipment and the VMU IT Environment have the firewalls, segmentation, encryption, or other safeguards designed to (1) protect the transmission of VMU Data and VMU Proprietary or Confidential Information, (2) properly authenticate users, and (3) prohibit the unauthorized access to VMU Data or Confidential or Proprietary Information or the VMU IT Environment, all as set forth in Schedule A.
32
7.5 Access To VMU Sites
VMU shall provide IBM with access to and use of the VMU Sites (or equivalent space) as necessary for IBM to comply with the terms of this Agreement. All VMU owned or leased assets provided for the use of IBM under this Agreement shall remain in VMU Sites unless set forth on Schedule G or VMU otherwise agrees in writing. IBM shall have no tenancy, or any other property or other rights, in VMU Sites. In addition, all leasehold improvements made by or for IBM during the Term shall be and remain part of the VMU Site. All such improvements shall be made: (i) only with VMU’s prior written approval; and (ii) at IBM’s sole cost and expense. IBM acknowledges and agrees that, as of the Reference Date, the VMU Sites are sufficient, together with IBM Service Locations, to enable IBM to provide the Services as required by this Agreement. All VMU Sites are provided hereunder on an “as is, where is” basis.
7.6 Furniture, Fixtures and Equipment
The physical space provided by VMU for the use of IBM at the VMU Service Locations will be generally comparable to the standard space then occupied by similarly-situated VMU employees. VMU shall provide, for the use of IBM Personnel occupying space at VMU Service Locations, office furniture and fixtures generally comparable to the furniture and fixtures provided to similarly-situated VMU employees. IBM Personnel using the facilities provided by VMU will be accorded reasonable access to the communications wiring in such facilities (including fiber, copper, and wall jacks) and the use of, certain shared office equipment and services such as photocopiers, local and long distance telephone service for VMU-related calls, mail service, office support service (e.g., janitorial), heat, light, and air conditioning. IBM shall be responsible for providing all other office, data processing and computing equipment, and services needed by IBM or IBM Personnel to provide the Services from the VMU Service Locations, and for upgrades, improvements, replacements, and additions to such equipment or services.
7.7 VMU’s Responsibilities Regarding Utilities
VMU shall provide, or shall cause IBM to be provided with, site maintenance, site management, site administration and similar services for VMU Service Locations and shall maintain at historical levels: (1) the building and property electrical systems; water, sewer, lights, heating, ventilation, and air conditioning (“HVAC”) systems; (2) physical security services and general custodial services. Subject to Section 7.11, VMU shall pay for electrical power, water, natural gas used or consumed by IBM or IBM Personnel at such VMU Service Locations and shall maintain its account relationship with power utility, the water utility, and the natural gas utility companies.
7.8 IBM’s Responsibilities Regarding Facilities
Except as provided in Sections 7.5, 7.6, and 7.7, IBM shall be responsible for providing all furniture, fixtures, equipment, space, tools, vehicles and other facilities required to perform the Services and all upgrades, improvements, replacements and additions to such furniture, fixtures, equipment, space, tools, and facilities. Without limiting the foregoing, IBM shall: (i) provide all site maintenance, site management, site administration and similar services at IBM
33
Service Locations; and (ii) provide all necessary emergency power supply and UPS services at IBM Service Locations, other than VMU Sites; and (iii) provide such other services as required pursuant to VMU’s Policies and Procedures. To the extent IBM identifies methods of optimizing use of VMU facilities with regard to IBM’s use of such facilities for delivering the Services (e.g., more efficient use of floor space, more efficient usage of power and air conditioning) it will advise VMU of such recommendations.
7.9 Physical Security
VMU is responsible for the physical security of the VMU Sites; provided, that IBM will be responsible for access and control of the areas that IBM is using in performance of this Agreement and as more specifically required pursuant to Section 7.4 and the VMU Policies and Procedures. IBM shall not authorize any person to have access to, or control of, any such area unless such access or control is permitted in accordance with control procedures approved by VMU.
7.10 Employee Services
Subject to applicable security requirements that are provided in writing to IBM or posted at a VMU Site, VMU will permit IBM Personnel to use all employee facilities (e.g., parking and common facilities) at the VMU Sites that are generally made available to the employees of VMU or VMU Authorized Users. IBM Personnel will not be permitted to use such employee facilities designated by VMU for the exclusive use of certain VMU or VMU Authorized Users.
7.11 Use of VMU Resources
Unless IBM obtains VMU’s prior written agreement, which may be withheld by VMU in its sole discretion, IBM shall use the VMU Sites, the VMU Equipment, the VMU Software and related resources (collectively “VMU Resources”), only to provide the Services. IBM shall use the VMU Resources in an efficient manner and in a manner that is coordinated, and does not interfere, with VMU’s other business operations. To the extent that IBM operates any VMU Resources in a manner that unnecessarily or unreasonably increases facility or other costs incurred by VMU, VMU may deduct such costs from any amounts due to IBM from VMU under this Agreement. IBM shall keep the VMU Resources in good order, not commit or permit waste or damage to such VMU Resources, not use such VMU Resources for any unlawful purpose or act and comply with all of VMU’s standard policies and procedures regarding access to and use of such VMU Resources, including procedures for the physical security of the VMU Sites and procedures for the security of computer network.
VMU reserves the right in its sole discretion to relocate a VMU Service Location (or the space within a VMU Service Location) to another location; provided that, in such event, VMU will provide IBM with ninety (90) days advance written notice and with comparable space in the new location. In advance of a Material Move, IBM and VMU shall identify one-time or recurring additional or reduced costs or expenses associated with such relocation, and agree upon methods of mitigating and equitably allocating such cost and/or expenses. The Parties agree that a “Material Move” for purposes of this Section 7.11 (Use of VMU Sites) is one where the new location is more than fifty (50) miles from the current location of the applicable VMU Service Location.
34
When a VMU Resource is no longer required for the performance of the Services, IBM shall return such VMU Resource to VMU or leave such VMU Resource in substantially the same conditions as when IBM began use of such VMU Resource, subject to reasonable wear and tear.
VMU also reserves the right to direct IBM to cease using all or part of the space in a VMU Service Location and to thereafter use such space for its own purposes. In such event, VMU shall reimburse IBM for any reasonable incremental costs incurred by IBM as a result of such direction; provided that such direction is not expressly contemplated in this Agreement and that IBM notifies VMU of such additional incremental costs and uses commercially reasonable efforts to minimize such costs.
7.12 Damage to VMU Resources
IBM shall repair, or cause to be repaired, at its own cost, any and all damage to VMU Resources caused by IBM or IBM Personnel. Such repairs shall be made immediately after IBM has become aware of such damage, but in no event later than thirty (30) days after the occurrence. If IBM fails to make reasonable timely repairs, all reasonable costs incurred by VMU for such repairs shall be repaid by IBM as a credit on the monthly invoice or VMU may deduct such costs from any amounts due to IBM from VMU under this Agreement.
7.13 Use of IBM Service Locations
During the Term, IBM will provide to VMU at no charge (i) temporary access to IBM Service Locations, and (ii) temporary access to reasonable work/conference space at IBM Service Locations for VMU to exercise its rights under this Agreement, subject to VMU’s compliance with IBM’s posted security policies and procedures while at such facilities. The facilities provided by IBM for the use of VMU will be generally comparable to the standard space then occupied by similarly-situated IBM employees.
| 8. | Data Backup and Disaster Plan |
8.1 Data Backup
IBM shall back-up all VMU Data as provided in Schedule A or the applicable Statements of Work. While in the authorized possession of IBM, any archival tapes containing VMU Data shall be used by IBM solely for back-up purposes or as otherwise required to provide the Services.
8.2 Disaster Plan
IBM shall maintain and implement Disaster avoidance procedures as required pursuant to Section 8.3 below. The Disaster and Recovery Plan for IBM Service Locations shall be reviewed and updated during the Term to conform with ISO 9000 standards. IBM shall notify VMU of the completion of the ISO 9000 annual compliance certification or audit, and make such certification or audit available to VMU or its designee for review. Recommendations of new technology by IBM’s or VMU’s communications, equipment, and power supply vendors shall also be reviewed on a regular basis and be included in IBM’s planning process as appropriate.
35
8.3 Disaster Avoidance
As to IBM Service Locations, IBM shall maintain Disaster avoidance procedures designed to safeguard the VMU Data and the availability of the Services, throughout the Term. Such Disaster avoidance procedures include the following:
A. Physical Security
Access to IBM Service Locations shall be strictly controlled by IBM. An electronic badge system or other appropriate systems will be maintained and utilized by IBM to control access to IBM Service Locations. In addition, IBM shall, on a twenty-four (24) hours a day, seven (7) days a week basis, monitor IBM Service Locations access. IBM shall also (to the extent such acts do not violate any union agreement) maintain, to the extent IBM deems necessary, operational video cameras to monitor the main entrance, parking facilities, and critical areas within IBM Service Locations twenty-four (24) hours a day, seven (7) days a week.
B. Fire Protection
As to IBM Service Locations, fire detection, containment, and fire suppression systems and processes shall meet VMU, IBM, Industrial Risk Insurers (IRI), and National Fire Protection Association (NFPA) requirements and shall be regularly reviewed and updated.
C. Power Supply
As to IBM Service Locations, IBM shall maintain two levels of power backup designed to provide uninterrupted operation of same and equipment located in same in the event of a loss of power. IBM Service Locations will also have EPS generation as a second source of backup power.
D. Equipment/Air Conditioning
As to IBM Service Locations, IBM shall maintain two (2) levels of protection against loss of cooling, including a primary backup system and a secondary backup system that shall be capable of providing continuous cooling during a power outage.
E. Hardware and Software Changes
IBM shall strictly comply with the Change Control Procedures, and shall ensure that IBM Personnel are familiar with such procedures and that such procedures are used for both hardware and software changes.
As to the VMU Sites occupied by IBM, IBM shall be vigilant of the Disaster avoidance services and systems provided by VMU or third party IBM’s on behalf of VMU; and report in writing to VMU issues known by IBM to create a physical risk to any such facility or the personnel or Equipment therein or a risk to the preservation of any data processed therein.
36
8.4 Public Telecommunications Facilities
Except as to the obligations of IBM contained in this Agreement, IBM shall not be responsible for corruption, damage, loss or mistransmission of data during transmission via a network transport carrier, nor shall it be responsible for the security of data during transmissions via a network transport carrier.
| 9. | Communications Systems and Access to Information |
IBM understands that IBM may receive access to VMU’s computers and electronic communications systems, including voicemail, email, customer databases, and internet and intranet systems (for purposes of this paragraph, “systems”). Such systems are intended for legitimate business use related to VMU’s business. IBM acknowledges that IBM does not have any expectation of privacy as between IBM and VMU in the use of or access to VMU’s systems and that all communications made with such systems by or on behalf of IBM are subject to VMU’s scrutiny, use and disclosure (subject to the protections of Proprietary or Confidential Information herein), in VMU’s sole discretion. VMU reserves the right, for business purposes, to monitor, review, audit, interpret, access, archive and/or disclose (subject to the protections of IBM Proprietary or Confidential Information herein) materials sent over, received by or from, or stored in any of its systems. This includes email communications sent by users across the internet and intranet from and to any and all domain names maintained by VMU. VMU reserves the right to override any security passwords to obtain access to VMU’s Systems. Subject to the Process Interface Manual provisions regarding coordination of investigations, IBM also acknowledges that VMU reserves the right, for legitimate business purposes related to investigations of wrongful use of VMU’s systems, to search all work areas at VMU Sites (for example, offices, cubicles, desks, drawers, cabinets, computers, computer disks and files), or in cooperation with IBM and subject to IBM’s consent, at IBM’s sites, and all personal items brought onto VMU property.
| 10. | Non-Exclusive Relationship |
10.1 Non-Exclusivity
Notwithstanding anything to the contrary set forth in this Agreement, this Agreement shall be non-exclusive in nature, and VMU shall at all times have the right to perform any of the Services itself or to contract with a third party to perform any service included in the Services or other obligations of IBM in this Agreement (“Migrated Service(s)”). In the event VMU contracts with a third party to perform any Migrated Service or performs such Migrated Service itself, IBM shall reasonably cooperate with VMU, for no additional consideration, and any such third party, including providing: (1) the necessary information related to the Migrated Services that VMU reasonably requests to enable VMU to draft a request for proposal(s) relating to the Migrated Services and to provide existing information to support due diligence for recipients of such request for proposal; (2) access to IBM Service Locations as necessary for VMU or a third party to survey the current environment being used to deliver the Migrated Service(s); (3) existing written requirements, standards, and policies for systems operations so that any developments of such third party may be operated by IBM; (4) assistance and support services to VMU or such third party to the extent related to the Services; (5) to the extent permitted by the
37
applicable third party agreements, access to the VMU IT Environment in connection with such Migrated Service; and (6) such information regarding the operating environment, system constraints and other operating parameters related to the Services as a person with reasonable commercial skills and expertise would find reasonably necessary for VMU or a third party to perform the Migrated Service. VMU shall require any such third party to comply with IBM’s reasonable requirements regarding operations, confidentiality, and security and IBM shall not be required to disclose any confidential information other than as necessary to comply with the obligations of this Section, but in no event shall IBM be required to disclose information of a IBM customer (other than VMU) or any IBM cost data.
10.2 Multi-Vendor Environment
IBM acknowledges that it will be delivering the Services in a multi-vendor environment with VMU and VMU Third Party Vendor(s) and will cooperate with all VMU Third Party Vendors, including VMU, including by (1) providing access to the Equipment and Software and any data center or other facilities being used to provide the Services, as necessary for such VMU Third Party Vendors to perform the work assigned to them; and (2) responding to information requests, supplying technical or project-related information, coordinating the delivery of services, and otherwise promoting efficient and timely provision of services to VMU. IBM will also collaborate with VMU and VMU Third Party Vendors in addressing service-related issues that may cross over from one service area or provider to another and related to the Services (“Cross-Over Issues”). As part of the Services, IBM will actively provide and support tasks associated with operating and maintaining a collaborative approach to Cross-Over Issues in the same manner as if the IBM Service relevant to the Cross-Over Issue was being provided in-house by VMU rather than by IBM.
IBM shall use commercially reasonable efforts to identify all work efforts and deliverables of which IBM has knowledge, whether performed by IBM, Subcontractors, IBM Third Party Vendors, VMU, or the VMU Third Party Vendor(s) that may impact the delivery of the Services.
| 11. | Human Resources |
The terms and conditions relating to human resources and Transitioned Employees are as set forth in Schedule L.
| 12. | Statements of Work |
IBM and VMU shall execute a Statement of Work containing, at a minimum, the level of detail of information set forth on Schedule J, for all New Services and Non-Recurring Initiatives.
| 13. | VMU Authorized User Satisfaction |
13.1 Baseline VMU Authorized User Satisfaction Survey
An independent third party selected by VMU shall conduct a baseline VMU Authorized User satisfaction survey for affected users at each VMU Site approved by VMU measuring their satisfaction with their receipt of the Services. This VMU Authorized User Satisfaction Survey
38
shall be mutually agreed upon by the Parties, and shall be administered as determined by the selected organization and shall be the initial baseline for measurement of user satisfaction improvement described in Section 13.2.
13.2 VMU Authorized User Satisfaction Survey
Following the completion of Transition, annually (unless otherwise agreed in writing by the Parties), an independent third party selected by the Parties shall conduct a VMU Authorized User Satisfaction Survey for each VMU Site. The survey shall, at a minimum, cover at least the following classes of users: (1) sample of end users of the Services and (2) all senior management of VMU. The content, scope, and method of the survey shall be consistent with the baseline VMU Authorized User Satisfaction Survey conducted pursuant to Section 13.1 and the timing of the above surveys are subject to VMU’s approval. It is the goal of IBM to increase VMU Authorized User satisfaction for each class of VMU Authorized Users. The baseline for determining the initial gap shall be the results of the surveys conducted pursuant to Section 13.1. The baseline for determining subsequent gaps will be the results of the VMU Authorized User Satisfaction Survey compared to the immediately prior VMU Authorized User Satisfaction Survey. IBM agrees that VMU Authorized User Satisfaction Surveys shall be a key performance incentive for merit-based compensation for the Project Executive and Delivery Project Executives assigned to VMU’s account.
| 14. | VMU Responsibilities |
14.1 Obligations
During the Term, VMU shall on a timely basis and at no charge to IBM:
A. Comply with its obligations regarding the VMU Program Director in accordance with Section 16.3.
B. Cooperate with IBM to the extent reasonably necessary in the performance by IBM of IBM’s obligations to offer employment to and hire the Transitioned Employees.
14.2 Interfering Acts
IBM shall be excused from its responsibility to perform a specific obligation under this Agreement if and only to the extent such non-performance of the specific obligation is caused by VMU’s breach of its performance obligation(s) under the Agreement; provided that upon the occurrence of acts or omissions by VMU in breach of VMU’s performance obligation(s) under the Agreement which have been determined by IBM to be likely to adversely impact its ability to deliver or meet such specific obligation, IBM shall advise the VMU Program Director of such occurrence in writing promptly and identify the reason for IBM’s inability to perform its obligation as a result of VMU’s failure to perform its obligation(s) under this Agreement. Nothing in the forgoing shall (1) relieve IBM of any portion of liability Finally Determined by a court to be IBM’s arising from a breach of contract claim as to such failure to perform, (2) preclude VMU from asserting such failure by IBM to perform an obligation under this Agreement as a basis for VMU to terminate the Agreement for cause if subsequently discovered facts demonstrate the failure was not caused by VMU’s failure to perform its obligations under
39
this Agreement, or (3) preclude VMU from asserting such failure by IBM to perform an obligation under this Agreement as a basis for VMU to terminate the Agreement for cause if IBM conduct, not caused by VMU’s failure to perform its obligation(s) under this Agreement, contributing to the failure is determined to be one of numerous breaches of its duties or obligations under the Agreement which in the aggregate are material as provided in Section 28.2.
14.3 Strategic Control
VMU shall retain strategic control of all aspects of the services, products and processes used in VMU’s business, including strategic decisions concerning the Services, VMU IT Environment, architecture, and technical standards. In connection with implementing such strategic control, VMU shall: (i) establish processes and designate decision-makers to exercise strategic control over the Services; and (ii) establish procedures to consult with IBM and other suppliers when and to the extent VMU determines it to be appropriate. As part of the Services, IBM shall provide business intelligence and analysis to VMU in connection with strategy development, assessment, and implementation strategy. All final decisions on matters relating to strategic control over the Services shall be made by VMU.
| 15. | Services Team |
15.1 IBM Project Executive
IBM shall appoint an individual who will serve, on a Full-Time basis, as the “IBM Project Executive”. The IBM Project Executive shall (1) have overall responsibility for managing and coordinating the performance of IBM under this Agreement; and (2) be authorized to act for and on behalf of IBM under this Agreement. The IBM Project Executive is a Key IBM Employee. IBM’s appointment (or removal, except as otherwise provided herein) of any IBM Project Executive shall be subject to VMU’s prior written consent. The initial IBM Project Executive is identified in Schedule K. Unless otherwise agreed by the Parties, the IBM Project Executive shall be located at VMU’s offices in Xxxxxx, NJ.
15.2 IBM Key Employees
As of the Signature Date and from time to time as VMU and IBM may agree during the Term, but no less frequently than annually, VMU and IBM shall designate certain employees of IBM as key employees (collectively the “IBM Key Employees,” and individually, each a “IBM Key Employee”). The initial IBM Key Employees are those individuals listed in Schedule K. IBM shall not reassign or replace (A) any such initial IBM Key Employees for two (2) years from the Signature Date, or (B) any other IBM Key Employee for one (1) year from the date that such employee has been assigned to VMU’s account, unless, with respect to each of (A) or (B) above: (1) IBM obtains VMU’s prior consent in writing (which consent with respect to IBM Key Employees other than the IBM Project Executive shall not be unreasonably withheld) to such reassignment or replacement; or (2) the individual (a) voluntarily resigns from IBM, or (b) is dismissed by IBM for (i) misconduct (e.g., fraud, drug abuse, theft) or (ii) unsatisfactory performance in respect of his or her duties and responsibilities to VMU or IBM, or (c) is removed from IBM Personnel pursuant to Section 15.3, or (d) is unable to work due to his or her death or disability, or (e) as to IBM Key Employees (excluding IBM Project Executive) the
40
individual requests reassignment under compassionate circumstances (e.g. relocation of a spouse) (subparts (1) and (2) are collectively referred to as “Approved Reassignments”); provided, however, that even for Approved Reassignments, IBM shall not reassign or replace any IBM Key Employee if such reassignment or replacement would materially disrupt VMU’s operation, until the completion or VMU approved transition of any Services to which such IBM Key Employee is assigned. No approved reassignment shall occur without at least thirty (30) days (or reasonably practical under the circumstances) prior written notice to VMU.
15.3 Conduct of IBM Personnel
While at the VMU Service Locations, IBM Personnel shall (1) comply with reasonable requests, standard rules, and regulations of VMU communicated to IBM regarding personal and professional conduct (including the wearing of a particular uniform or identification badge and adhering to VMU regulations and general safety practices or procedures) generally applicable to such VMU Service Locations, and (2) otherwise conduct themselves in a businesslike manner.
VMU shall have the right to approve or request the removal of any member of IBM’s Personnel. Should VMU, in its sole discretion, be dissatisfied with the performance, competence, responsiveness, capabilities, cooperativeness, or fitness for a particular task of any IBM Personnel, VMU may request the replacement of that person; provided, however, absent circumstances justifying immediate action, before IBM shall be required to remove such individual, IBM shall have a reasonable period of time, not to exceed five (5) days, to investigate the matters relating to such request and attempt to resolve such matters to VMU’s satisfaction, including the permanent removal of such IBM Personnel upon continued VMU objection. IBM shall furnish a qualified replacement within ten (10) business days. Subject to and in accordance with IBM’s obligations under Section 15.2, in the event IBM should initiate the removal of any member of IBM Personnel from performing services under this Agreement, IBM shall provide VMU with adequate prior notice, except in circumstances in which such notice is not possible, and shall provide VMU a mutually agreeable transition plan so as to provide an acceptable replacement and ensure project continuity. Notwithstanding the foregoing review process, IBM shall immediately remove from VMU’s premises and replace any IBM Personnel if, in VMU’s sole judgment, such IBM Personnel pose(s) a threat of harm to VMU, any VMU employee or any VMU invitee.
IBM represents and warrants that all IBM Personnel assigned to performing this Agreement will have experience or suitable training and skills in the areas in which they are responsible for performing the tasks to which they will be assigned under this Agreement. In the event that the actions or inactions of IBM Personnel create additional work in connection with the performance of the Services that would have otherwise been unnecessary in the absence of such action or inaction, IBM shall perform all such additional work at no additional charge to VMU, unless such action or inaction was at the direction of the VMU Program Director. In addition, IBM agrees that it will take all commercially reasonable steps to assure continuity over time of the membership of the group constituting IBM Personnel. IBM shall promptly fill any vacancy on a Non-Recurring Initiative for which VMU is paying on a time and materials basis with personnel having qualifications comparable in the area of the Non-Recurring Initiative to those of IBM Personnel being replaced.
41
With respect to replacements of IBM Personnel in accordance with this Section 15.3 or Section 15.4, VMU shall not be obligated to make any payment on account of the Services of such replacement personnel for the number of hours required to train, educate, and provide orientation to such replacement personnel, at the same or greater level of proficiency as had been reached by the replaced IBM Personnel, and perform such Services to VMU’s satisfaction.
15.4 Substance Abuse
IBM agrees to immediately remove any IBM Personnel who engage in substance abuse while on VMU Service Locations, in a VMU vehicle, or while performing Services. Substance abuse includes the sale, attempted sale, possession or use of illegal drugs, drug paraphernalia, or alcohol, or the misuse of prescription or non-prescription drugs. IBM shall adhere strictly to its own substance abuse policy in the event of any suspected substance abuse by any IBM Personnel. IBM represents and warrants that IBM have and will maintain a substance abuse policy and that such policy will be applicable to all IBM Personnel performing Services under this Agreement. IBM also represents and warrants that each of its Subcontractors has and will maintain a substance abuse policy and that such policy will be applicable to all employees of such Subcontractor performing Services under this Agreement.
15.5 Union Agreements and WARN Act
IBM shall provide VMU not less than ninety (90) days written notice of the expiration of any collective bargaining agreement with unionized IBM Personnel if the expiration of such agreement or any resulting labor dispute could potentially interfere with or disrupt the business or operations of VMU or an Authorized User or impact IBM’s ability to timely perform its duties and obligations under this Agreement, and shall meet with VMU on a weekly basis (or such other timeframe as designated by VMU) thereafter to jointly develop an appropriate contingency/risk mitigation plan.
IBM shall not, for a period of sixty (60) days after the Signature Date, cause any of the Transitioned Employees to suffer “employment loss” as that term is construed pursuant to the WARN Act, if such employment loss could create any liability for VMU or the VMU Authorized Users, unless IBM delivers notices under the WARN Act in a manner and at a time such that VMU or the VMU Authorized Users bear no liability with respect thereto.
IBM shall be responsible for any liability, cost, claim, expense, obligation or sanction attributable to any breach by IBM of this Section that results in VMU being in violation of the WARN Act or the regulations promulgated thereunder.
15.6 Turnover
The Parties agree that it is in their best interests to keep the turnover rate of IBM Key Personnel and Full-Time IBM Personnel to a low level. IBM shall provide VMU with a semi-annual turnover report regarding the turnover rate of such personnel during the applicable period in a form reasonably acceptable to VMU, and IBM shall meet with VMU promptly after the provision of each such report to discuss the reasons for, and impact of, such turnover rate. If appropriate, IBM shall submit to VMU its proposals for reducing the turnover rate, and the Parties shall mutually agree on a program to bring the turnover rate down to an acceptable level.
42
In any event, IBM shall keep the turnover rate to a low level, and notwithstanding transfer or turnover of IBM Key Personnel and Full-Time IBM Personnel, IBM remains obligated to perform the Services without degradation and in accordance with this Agreement.
15.7 Employment Eligibility
IBM will maintain at IBM’s expense all of the necessary certification and documentation such as Employment Eligibility Verification form I 9s, as well as all necessary insurance for its employees, including but not limited to workers’ compensation, disability, and unemployment insurance, and that, with respect to subcontractors, IBM has a written agreement with each and every IBM Personnel which specifically provides that the IBM Personnel shall not be entitled to any benefits or payments from any company such as VMU for which IBM will provide consulting services, and that each and every subcontractor shall maintain current and necessary certification and documentation and insurance for all its employees provided under this Agreement. IBM will be solely responsible for the withholding and payment, if any, of employment taxes, all benefits and Workers’ Compensation Insurance.
15.8 Immigration
With respect to IBM’s employment of any IBM Personnel, IBM shall comply fully with all applicable requirements of U.S. immigration laws, including verification of the employment eligibility of each of its employees who work in the United States. For those employees of IBM needing a visa to enter the United States, or otherwise needing immigration status in the United States, in order to carry out activities in connection with this Agreement, IBM will take all steps necessary to obtain and maintain appropriate immigration classifications or status for such employees. IBM will ensure that its employees comply fully with the terms and conditions of any immigration classification or status. With respect to all IBM Personnel who are not employees of IBM, IBM will ensure that such IBM Personnel and all subcontractors that IBM uses to perform Services under this Agreement likewise comply fully with the requirements of U.S. immigration laws, to the same extent as this Section requires of IBM. In addition, Services shall not be performed by any IBM Personnel who are nationals, citizens or lawful permanent residents of countries designated by the U.S. Government as state sponsors of terrorism – currently Cuba, Iran, Libya, North Korea, Sudan or Syria.
| 16. | Management And Control |
16.1 Contract Governance Plan
A. The Plan. VMU and IBM will develop, approve and implement a Contract Governance Plan within sixty (60) days following the Signature Date. Such plan will:
(1) specify the formal organizations, processes, and practices for managing VMU’s and IBM’s relationship under the Agreement;
43
(2) establish organizational interfaces for management and operations to implement the Agreement including:
(a) organization charts for VMU and IBM;
(b) roles and authorities matrix for IBM and VMU;
(c) framework for reports and meetings calendars; and
(d) operational authority and delegation;
(3) provide a high level overview of the business governance processes requiring VMU’s involvement and will identify the process interfaces; and
(4) establish a strategy for communicating and planning for major organization changes (i.e., people, processes, functions).
B. Meetings. Unless otherwise agreed by the Parties in the Contract Governance Plan, the IBM Project Executive and VMU Program Director (and such other representatives that the Parties deem necessary) shall participate in the following types of meetings:
(a) a weekly operations meeting to discuss daily performance, issues and planned or anticipated activities and changes;
(b) a monthly contract performance review of the monthly reports, charges, contract performance, changes, deliverables and other matters as appropriate;
(c) a quarterly meeting to review appropriate contractual, business, planning, or performance issues;
(d) a semi-annual meeting to discuss the evolving business agenda, review contract strategy and goals and to assess performance against such goals; and
(e) an annual meeting to review of all outsourcing program documentation, to include the Program Interface Manual (PIM), the Contract Governance Plan, the transformation projects list, and a strategic partnership plan.
Unless otherwise agreed by the Parties, IBM will prepare and circulate an agenda for each meeting.
16.2 IBM’s Best Practices
IBM shall provide all Services under this Agreement in accordance, IBM’s Best Practices; provided, however, that to the extent that such practices are inconsistent with the VMU Policies and Procedures, the VMU Program Manager and the IBM Project Executive shall in good faith jointly agree on the appropriate course of action to resolve such inconsistency.
44
16.3 VMU Program Director
A. The initial “VMU Program Director” for this Agreement shall be provided to IBM within ten (10) days of the Signature Date, and VMU will promptly notify IBM if the VMU Program Director changes.
B. VMU shall notify IBM in writing of any change in the name or address of the VMU Program Director.
C. The VMU Program Director shall (1) have overall responsibility for managing and coordinating the performance of VMU under this Agreement; and (2) be authorized to act for and on behalf of VMU under this Agreement.
D. The VMU Program Director shall meet or confer with IBM Project Executive on a regular basis.
E. The VMU Program Director shall have the right to inspect any and all Services provided by or on behalf of IBM.
16.4 VMU Personnel
Unless otherwise stated in this Agreement, all VMU personnel assigned to this Agreement shall be under the exclusive supervision of VMU. IBM understands and agrees that all such VMU personnel are assigned to this Agreement only for the convenience of VMU. IBM hereby represents that its price and performance hereunder are based solely on the work of IBM Personnel, except as otherwise expressly provided by this Agreement; provided, however, that nothing in this Section 16.4 shall relieve IBM of its obligations under this Agreement.
| 17. | Data and Reports |
17.1 Provision of Data
VMU shall supply to IBM, in connection with the Services required, VMU Data in the form and on such time schedules as may be agreed upon by VMU and IBM from time to time in order to permit IBM to perform the Services in accordance with the Service Levels and perform all critical services.
17.2 Ownership of VMU Data
As between VMU and IBM, all of the VMU Data is and shall remain the property of VMU and shall be deemed to be VMU Proprietary or Confidential Information, and VMU shall retain exclusive rights and ownership of the VMU Data. In addition to and without limiting any other rights and obligations set forth in Section 31, the VMU Data or any part of such data shall not be (1) used by IBM for any purpose other than as required under this Agreement in connection with providing the Services, or (2) disclosed, sold, assigned, rented or otherwise provided to third parties by IBM or IBM Personnel; or (3) commercially exploited or otherwise used by or on behalf of IBM, its officers, directors, or IBM Personnel, other than in accordance with this Agreement. IBM shall (a) adequately xxxx or otherwise identify VMU Data as VMU’s
45
property, and (b) store VMU Data separately from IBM’s or any third party property or data. IBM will not modify, delete or destroy any VMU Data or media on which VMU Data resides without prior authorization from VMU. IBM will maintain and provide to VMU one or more reports that identify VMU Data or media that have been modified or destroyed.
17.3 Destroyed or Lost Data
In the event any VMU Data is destroyed, lost or altered due to any act or omission of IBM or any IBM Personnel, including any breach of the security procedures described in this Agreement, IBM shall be responsible for Restoration. IBM shall prioritize this effort in a manner designed to minimize any adverse effect upon VMU’s business or the Services due to the destruction, loss or alteration of the VMU Data. “Restoration” shall mean (1) restoring such date or information to the most recently available electronic back-up copy; and (2) upon VMU’s request, restoring or reconstructing the data utilizing electronic means, provided that such restoration or reconstruction is reasonable, as determined by the VMU Program Director after consultation with the VMU Project Executive (if such restoration or reconstruction activity is material in nature). VMU shall cooperate with IBM by providing any available information, files or raw data needed for the regeneration of VMU Data. In the event it is determined that VMU Data has been modified, lost or destroyed as a result of the tortious willful misconduct of IBM Personnel which has a material adverse impact on VMU, VMU Affiliate(s), the Services, or VMU’s business or operations or that of a VMU Affiliate, in an aggregate amount over and above the limitation of liability amount set forth in Section 25.2, VMU may, in addition to and not in lieu of any other remedies afforded to it hereunder or by law, terminate the Agreement in whole or in part (without any cure period) with VMU having no liability for any termination fees or payments, including any Unrecovered Startup Charges or Wind-Down Charges. In the event that VMU elects not to terminate the Agreement, then IBM shall ensure that the IBM Personnel who caused or were otherwise involved in the modification, loss or destruction of VMU Data are permanently removed from performing any Services and denied access to any VMU Data.
17.4 Data Protection and Privacy
IBM shall comply with the Data Protection and Privacy Procedures as set forth in Schedule A. In addition, subject to mandatory compliance with Applicable Law, IBM shall perform a reference and criminal background investigation on all Full-Time IBM Personnel with access to VMU Data and/or the VMU IT Environment. IBM shall not permit any IBM Personnel who IBM knows has been convicted of a crime of dishonesty, breach of trust, or money laundering to provide Services under this Agreement, or to have access to any VMU Proprietary or Confidential Information.
17.5 Safeguarding Client Data
IBM shall develop security policies and procedures as provided in Sections 7.3, 7.4 and 8 and Schedule A designed to protect VMU against the destruction, loss, or alteration of VMU Data. A “Security Breach” includes any actual, attempted, potential or threatened (i) breach of physical security at any IBM Service Location or any systems maintained by IBM or IBM Personnel in connection with the Services; or (ii) unauthorized acquisition of computerized data that compromises the confidentiality, integrity or availability of any such systems, VMU Data, VMU Software, or any VMU Confidential or Proprietary Information maintained, processed or transmitted by IBM.
46
17.6 Data Retention
Without limiting or modifying IBM’s other obligations herein with respect to VMU Data, IBM shall adhere to all established VMU Data retention policies provided to IBM by VMU. The VMU Data retention policies applicable as of the Reference Date are attached as Schedule A, Exhibit A-2. IBM shall not destroy any VMU Data in violation of a VMU Record Retention Policy without VMU’s prior written authorization.
17.7 Remediation
In the event IBM becomes aware of any Security Breach, IBM shall, at its own expense, (1) immediately notify VMU of such Security Breach and perform a root cause analysis thereon, (2) investigate such Security Breach, (3) provide VMU with a remediation plan, acceptable to VMU, to address the Security Breach and prevent any further incidents, (4) remediate such Security Breach if caused by the acts or omissions of IBM or IBM Personnel; otherwise assist VMU in mitigating the effects of such Security Breach in accordance with such remediation plan, and (5) cooperate with VMU and any law enforcement, regulatory official, credit reporting company, and credit card association investigating such Security Breach. Without limiting the foregoing, VMU shall make the final decision on notifying VMU customers, employees, service providers and/or the general public of such Security Breach, and the implementation of the remediation plan. If a notification to a customer is required under Applicable Law, then notifications to all customers who are affected by the same event (as reasonably determined by VMU) shall be considered legally required. IBM shall reimburse VMU for all reasonable “Notification Related Costs” incurred by VMU arising out of or in connection with any such Security Breach resulting in a requirement for legally required notifications (as determined in accordance with the previous sentence). ***.
| 18. | Consents |
18.1 Obtaining Consents
VMU shall, with the assistance of IBM, obtain all consents, assignments, amendments, modifications, and/or approvals necessary (1) to effectuate the proper use and/or transfer of the Intellectual Property, Equipment, Services, or any other documents, technology, assets, or instruments contemplated under this Agreement by IBM and (2) to ensure the transactions contemplated by this Agreement shall not result in any default with respect to any license, agreement, contract, commitment or instrument to which VMU or IBM is a party or by which VMU or IBM is bound ((1) and (2) collectively the “Consents”). IBM will use commercially reasonable efforts to cooperate with VMU in obtaining required Consents and performing the administrative activities associated with obtaining such Consents. Nothing in this Section 18.1 is intended to alter the indemnity obligations of the Parties under Sections 20.3 or 20.4.
47
18.2 Consent Remedy
If, despite commercially reasonable efforts, either Party is unable to obtain a Consent, then, unless and until such Consent is obtained, IBM shall use commercially reasonable efforts to identify and implement, subject to VMU approval, such alternative approaches as are necessary and sufficient to provide the Services without such Consent. If such alternative approaches are required for a period longer than ninety (90) days following the Signature Date, the Parties will adjust the charges (1) to reflect any additional expenses incurred by IBM from a third party in connection with Consent issues arising from such failure and (2) to reflect any changes in Services or the impact of such Service being provided by IBM in an alternative fashion. Except as otherwise expressly provided herein, failure to obtain any Consent shall not relieve IBM of its obligations under this Agreement.
| 19. | Software, Documentation and Intellectual Property |
19.1 VMU Materials
Notwithstanding anything to the contrary in this Agreement, all materials, works and property for which Intellectual Property is owned, developed or licensed by or on behalf of VMU or any VMU Affiliate, including all VMU Software, (i) prior to the Reference Date or (ii) subsequent to the Reference Date but independent of and separate from this Agreement, and all derivative works, enhancements and modifications to the materials, works and property under items (i) and (ii) by any person or entity, shall be included in VMU Proprietary Intellectual Property or VMU Third Party Intellectual Property as applicable. Notwithstanding anything to the contrary in this Agreement, VMU or its licensor is and shall remain the sole owner of all right, title and interest in and to VMU Proprietary Intellectual Property or VMU Third Party Intellectual Property as applicable, including all Intellectual Property therein.
19.2 VMU Software
VMU hereby grants to IBM a non-exclusive, non-transferable and fully paid-up license during the Term for IBM and IBM Personnel to use, maintain, modify and enhance, as applicable, the VMU Proprietary Software for the sole purpose of providing the Services as required under this Agreement. Subject to obtaining any Consents pursuant to Section 18 above, VMU grants to IBM, for the sole purpose of providing the Services, the rights for IBM and IBM Personnel to use VMU Third Party Software under the terms and scope of the license granted to VMU by the supplier thereof. IBM shall comply with the duties, including use and non-disclosure restrictions imposed on VMU by the licenses for such VMU Third Party Software.
19.3 IBM Materials
A. Notwithstanding anything to the contrary in this Agreement, all materials, works and property for which the Intellectual Property is owned, developed or licensed by or on behalf of IBM (i) prior to the Reference Date or (ii) subsequent to the Reference Date but independent of and separate from this Agreement, and all derivative works, enhancements and modifications to the materials, works and property under items (i) and (ii) by any person or entity independent of and separate from this Agreement (other than VMU Modifications as further described below in this Section) shall collectively be included in the IBM
48
Intellectual Property. Notwithstanding anything to the contrary in this Agreement, IBM is and shall remain the sole owner of all right, title and interests in and to IBM Intellectual Property, including all Intellectual Property therein.
B. Schedule F shall list, as of the Signature Date, the IBM Proprietary Software, IBM Third Party Software and IBM Intellectual Property, if any, that will be incorporated into any Deliverable or that will be necessary to be used by VMU or any VMU Affiliate in order to access or use the Services and access, maintain, modify or use the Deliverables. Any IBM Intellectual Property incorporated into any Deliverable shall remain the property of IBM. During the Term, IBM shall be solely responsible for obtaining, installing, operating and maintaining at its expense any IBM Software (except for the Generally Available IBM Proprietary Software listed on Schedule F as VMU’s financial responsibility which shall be treated as VMU Third Party Software), or IBM Intellectual Property needed to provide the Services or the Deliverables or necessary for VMU to access or use the Services and access, maintain, modify or use the Deliverables including the payment of all applicable fees. Without VMU’s prior written consent, IBM shall not incorporate into any Deliverable any IBM Intellectual Property or IBM Software, even if such software is Generally Available. IBM hereby grants to VMU (for the benefit of itself and VMU Affiliates and Authorized Users) a nonexclusive, irrevocable, fully paid, perpetual and worldwide license to (i) use the IBM Intellectual Property in order to access and use the Services and use, execute, reproduce, display, perform, distribute, create derivative works, and make modifications and improvements to any IBM Intellectual Property (including any IBM Software) that are incorporated into any Deliverables to the extent necessary for VMU or any VMU Affiliate to access and use the Services and access, modify, maintain or use the Deliverables (such modifications and enhancements, “VMU Modifications”) and (ii) authorize others to do any, some or all of the foregoing solely for the benefit of VMU or VMU Affiliates. VMU shall own all right, title and interest in and to any VMU modifications, including all Intellectual Property in and to such VMU modifications.
19.4 Ownership of Work Product
A. Subject to the remainder of this Section, all Deliverables created or developed by IBM, by itself or jointly with VMU or others (including IBM Personnel), including the Developed Software, programs, computer programs, operating instructions, specifications, drawings, works of authorship, and designs (collectively, the “Work Product”) are, shall be and shall remain the property of VMU, and, except as explicitly set forth herein, may not be used by IBM or IBM Personnel for any other purpose other than for the benefit of VMU. “Developed Software” shall mean any Software developed pursuant to this Agreement by IBM, or by IBM jointly with VMU or others (including IBM Personnel).
B. VMU shall own all right, title and interest, including worldwide ownership of all Intellectual Property in and to the Work Product. To the extent any of the Work Product is not deemed a “work for hire” by operation of law, IBM hereby irrevocably assigns, transfers and conveys to VMU, and shall cause the IBM Personnel to assign, transfer and convey to VMU, without further consideration, all of its and their right, title and interest in and to such Work Product, including all Intellectual Property in and to such Work Product. IBM acknowledges, and shall cause the IBM Personnel to acknowledge, that VMU and its
49
successors and permitted assigns shall have the right to obtain and hold in their own name any Intellectual Property in and to such Work Product, unencumbered by any claim by IBM or any IBM Personnel. IBM agrees to execute, and shall cause the IBM Personnel to execute, any documents or take any other actions as may reasonably be necessary, or as VMU may reasonably request, to evidence, perfect, maintain and enforce VMU’s ownership of any such Work Product, whether during the Term or thereafter. The territorial extent of the rights in the Work Product assigned to VMU by IBM and/or the IBM Personnel under this Agreement shall extend to all the countries in the world. The assignment of the Intellectual Property in the Work Product by IBM and/or the IBM Personnel to VMU shall be royalty-free absolute, irrevocable and perpetual.
C. Notwithstanding anything to the contrary in this Section, unless otherwise agreed by the Parties, with respect to any Work Product which constitutes derivative works, enhancements and modifications to IBM Intellectual Property (“IBM Modified Items”), (i) IBM shall own all right, title and interest, including worldwide ownership of all Intellectual Property in and to the IBM Modified Items, and (ii) IBM grants, and VMU shall have, the same license rights with respect to IBM Modified Items as granted in Section 19.3 with respect to IBM Intellectual Property including VMU having the same ownership rights of derivative works, enhancements and modifications of IBM Modified Items by or for VMU as it has under Section 19.3 with respect to VMU Modifications.
D. Notwithstanding VMU’s ownership of Work Product as set forth in this Section, IBM Personnel providing Services shall have the right to enhance and use in the future their knowledge and skills based upon, but not disclose to any third party, the tangible Work Product resulting from the Services that such IBM Personnel perform; provided, however that all such rights of IBM Personnel to enhance their skills: (i) shall not apply with respect to any VMU Proprietary or Confidential Information (other than the particular Work Product of such IBM Personnel to which this Section applies); (ii) shall not limit or otherwise modify IBM’s confidentiality obligations set forth in this Agreement (other than the particular Work Product of such IBM Personnel to which this Section applies, but subject to the terms of this Section); (iii) shall not apply with respect to any subject matter protected or protectable by Intellectual Property rights (other than trade secret rights in the particular Work Product of such IBM Personnel to which this paragraph applies, provided that IBM Personnel do no disclose such tangible Work Product to any third party in any manner which compromises VMU’s trade secret rights); (iv) shall only apply if accomplished by the use of the unaided memory of such IBM Personnel; and (v) shall not apply (including with respect to items (i) – (iv) above) with respect to any information, ideas, concepts, know-how or techniques to the extent that such information, ideas, concepts, know-how or techniques are important part(s) of any products or services of VMU, including the provision thereof (including in the particular Work Product of such IBM Personnel to which this paragraph applies). For avoidance of doubt, the unaided memory of a person shall not include circumstances whereby a person has intentionally memorized the information, idea, concept, know-how or technique, or made recourse to the information, idea, concept, know-how or technique in written or electronic form, for the purpose of using or disclosing it, or for retaining and subsequently using or disclosing it.
50
19.5 Source Materials
A. Unless otherwise expressly agreed upon by the Parties, all software Deliverables will be provided to VMU in Object Code form and Source Material including any IBM Software embedded in a Deliverable in which event Source Material will be provided in sufficient detail to enable a trained programmer through study of such materials to maintain or modify the Deliverables without undue experimentation.
B. Section 19.5A shall not apply to (i) IBM products not embedded in a Deliverable and for which Source Materials are not generally licensed by IBM or (ii) Third Party Software for which IBM does not have access to Source Materials, or distribution of such source code is prohibited by IBM’s contractual obligations to third parties.
19.6 Changes and Upgrades to Software
Except as may be pre-approved by VMU in writing or as specifically provided in a Statement of Work, IBM shall not make any changes, upgrades or modifications to VMU Software or non-commercially available IBM Software that would alter the provision or degrade the performance of the Services or materially affect the day-to-day operations of VMU’s business. IBM shall be responsible, at no cost to VMU, for any modification or enhancement to, or substitution for, VMU Software, the IBM Software, and the Developed Software, and any other equipment or software used in connection with the Services, necessitated by: (i) unauthorized changes by IBM to VMU Software or the Developed Software or (ii) unauthorized changes by IBM to the non-commercially available IBM Software or related operating environments. During the applicable Term, IBM shall, at VMU’s election, install for VMU in connection with, and as part of, the Services, any upgrade, modification or enhancement to the Software at the then current level at the time such upgrade, modification or enhancement is available.
19.7 Patents
During the Term and other than modifications to the IBM Software, IBM shall disclose promptly to VMU any inventions or improvements made or conceived by IBM for which an IBM Employee has properly entered an invention disclosure into IBM’s Worldwide Patent Tracking System, or any similar replacement systems and where such invention is owned by VMU pursuant to the terms of this Agreement. At VMU’s request, IBM shall assign, and shall cause IBM Personnel to assign, all right, title, and interest in and to any and all such inventions and improvements and to execute such documents as may be required to file applications and to obtain patents in the name of VMU or its nominees, in any countries, covering such inventions or improvements. IBM represents it does not have any commitments to others under which IBM is obligated to assign to such others inventions or improvements or rights therein in conflict with IBM’s obligations to VMU pursuant to this Agreement.
51
| 20. | Authority to License, Quiet Enjoyment, Proprietary Rights and Indemnity |
20.1 Authority and Non-Infringement
A. Each Party represents and warrants that it has full power and authority to enter into this Agreement and perform its obligations hereunder, and subject to obtaining all applicable Consents, grant the rights granted by this Agreement to the other Party.
B. Each Party further represents and warrants that neither its performance of this Agreement, nor its grant of a license to, or the use by, the other Party of any license granted herein will in any way violate any non-disclosure and/or non-use agreement, nor constitute an Infringement of any Intellectual Property or other rights of any person or third party; provided, however, the warranty obligations set forth in this subpart B of this Section 20.1 shall: (1) as to IBM, be subject to IBM Infringement Exclusions set forth in Section 20.3D and, (2) as to VMU, be subject to the VMU Infringement Exclusions set forth in Section 20.4.
C. Neither Party’s representations and warranties set forth in subpart B of this Section 20.1 nor its Infringement indemnity obligations set forth in Sections 20.3 and 20.4 shall apply to Generally Available software purchased from a third party and subject to a separate license agreement (e.g., Microsoft NT, Sun Solaris, HP Open View) or Generally Available equipment purchased from a third party pursuant to a separate purchase agreement.
20.2 Quiet Enjoyment
IBM represents and warrants that this Agreement is neither subject nor subordinate to any right or claim of any other person or third party, including IBM’s creditors. Further, IBM represents and warrants that during the Term (including in connection with any assignment permitted under Section 33.1), it will not subordinate this Agreement or any rights hereunder to any person or third party without the prior written consent of VMU.
52
20.3 IBM’s Proprietary Rights Indemnity
A. Indemnification
(1) At IBM’s expense and as described herein, IBM agrees to defend, hold harmless and indemnify (as set forth in (2) below) VMU, its Affiliates and its and their subcontractors (and their respective directors, officers, agents, representatives and employees) (collectively, the “VMU Related Parties”) from and against any claims, actions, suits, proceedings, liabilities, losses, awards, obligations, settlement, fines, penalties, fees, and damages costs or expenses (including reasonable attorneys’ fees and costs of suit) (“Claims”), arising out of or relating to any allegation by a third party that the (i) Services, (ii) IBM Software, (iii) IBM Intellectual Property, (iv) IBM Modified Items, (v) Work Product, (vi) IBM Equipment, (vii) the modifications made by IBM to the Applications (to the extent such modifications caused such Infringement) (individually each, and collectively all, of the items listed in (i) through (vii) above are referred to in this Section as “Covered IBM Rights”): (i) Infringes upon any Intellectual Property of such third party or (ii) that VMU’s use (as permitted by this Agreement) of the Covered IBM Rights Infringes any Intellectual Property of such third party (collectively referred to for purposes of this Section 20 as “IBM Infringement Claim(s)”).
(2) After IBM assumes the defense against any IBM Infringement Claim in accordance with this Section, VMU shall cooperate fully in such defense. IBM shall not be responsible for the payment of expenses or charges incurred by VMU in connection with such cooperation, except
(a) to the extent IBM pre-approves any such charge or expense after IBM assumes control of the defense of such IBM Infringement Claim, provided such approval by IBM is not to be unreasonably withheld; or
(b) actual charges or expenses incurred by VMU in connection with the cooperation by any VMU employee with IBM’s defense and, to the extent such cooperation materially disrupts or interferes with the performance of any VMU employee’s job, IBM shall reimburse VMU for the employee’s actual expenses and time at a rate to be agreed to by the Parties in advance.
B. Continued Right to Use
Without limiting IBM’s obligations in Sections 20.3A, VMU also agrees that, if its use of Covered IBM Rights, or any part thereof becomes, or in IBM’s reasonable opinion is likely to become, the subject of a IBM Infringement Claim(s), VMU will permit IBM, at IBM’s option and expense for all associated costs, either to timely procure the right for VMU to continue to use Covered IBM Rights, or part thereof, or to timely replace or modify the Covered IBM Rights with another item of comparable quality and performance capabilities to become non-infringing, provided such replacement or modification allows IBM to provide the Services in accordance with this Agreement, including the Service Levels. If such replacement causes an increase in VMU’s expenditure of time or resources in connection with the Services, the Charges will be equitably adjusted. If IBM is unable, after exercising diligent efforts, to procure the above
53
referenced rights, or modify or replace the Covered IBM Rights, IBM shall discontinue use of the Covered IBM Rights and shall be excused from its obligations hereunder reasonably affected by such discontinuance, but shall not be excused from any of its obligations under this Agreement not so affected, nor shall VMU waive any of its rights (including termination rights) hereunder.
C. Remedial Acts
In the event (i) VMU’s ongoing use of Covered IBM Rights, or any part thereof, is the subject of any Claim that would preclude or impair VMU’s use of Covered IBM Rights as provided for under this Agreement, or any part thereof, (e.g., an injunction prohibiting or limiting use), or (ii) if VMU’s continued use of Covered IBM Rights as provided for under this Agreement, or any part thereof, may subject it to damages or statutory penalties, VMU shall give prompt written notice to IBM of such fact(s). Upon notice of such facts, IBM shall, at its expense, use commercially reasonable efforts to: (i) procure the right for VMU to continue to use Covered IBM Rights, or part thereof, or (ii) replace or modify Covered IBM Rights, with another system or components of comparable quality and performance capabilities to become non-infringing. If IBM fails to complete the remedial acts set forth above within sixty (60) days of the date of the written notice from VMU and VMU’s ongoing use of Covered IBM Rights remains impaired, VMU shall have the right to take such remedial acts that are commercially reasonable to mitigate any impairment of its use of Covered IBM Rights (hereafter referred to as “VMU’s Remedial Acts”). IBM shall credit VMU for all commercially reasonable amounts paid by VMU to implement VMU’s Remedial Acts. All such amounts shall be credited to VMU on the monthly invoice immediately following VMU’s demand for such credit. Failure by IBM to credit such amounts as set forth above shall, in addition to, and cumulative to all other remedies available to VMU under this Agreement, entitle VMU to immediately withhold payments due to IBM under this Agreement up to the amount to be credited under this Section. In the case where there will be no further invoices, IBM will pay the amount of the credits to VMU within forty-five (45) days after (1) the end of the last month of the Term or (2) the effective date of termination or expiration of this Agreement for any reason. The above credit shall not limit any of VMU’s other rights or remedies under this Agreement.
D. IBM Infringement Exclusions
IBM shall have no obligation under this Section 20 with respect to any IBM Infringement Claim to the extent such IBM Infringement Claim is Finally Determined to be caused by: (i) modifications to Covered IBM Rights, or any part thereof, made by VMU, its Affiliates, or their respective agents (except as directed, authorized, or approved by IBM); (ii) VMU’s combination or use of Covered IBM Rights, or any part thereof, with products, data, equipment or software not provided, directed, authorized or approved by IBM; (iii) IBM’s compliance with Specifications or written direction provided by VMU, including VMU’s business processes, that IBM utilizes in connection with the performance of the Services if no non-infringing course of action was possible to achieve such compliance; (iv) use by VMU of Covered IBM Rights, or any part thereof, after IBM has provided modifications to VMU (at no cost to VMU) that would
54
have avoided the allegedly infringing activity, or (v) the VMU Software other than IBM General Available Software, or VMU Intellectual Property in which the basis of IBM Infringement Claim(s) existed prior to the Reference Date ((i), (ii), (iii), (iv) and (v) above are collectively referred to herein as the “IBM Infringement Exclusions”).
20.4 VMU’s Proprietary Rights Indemnity
A. Indemnification
(1) At VMU’s expense and as described herein, VMU agrees to defend, hold harmless and indemnify (as set forth in (2) below) IBM, its Affiliates, and its approved Subcontractors (and their respective directors, officers, agents, representatives and employees) (collectively, the “IBM Related Parties”) from and against any Claims, arising out of or relating to any allegation by a third party that the (i) VMU Software (except for the Generally Available IBM Proprietary Software listed on Schedule F as VMU’s financial responsibility), (ii) VMU Intellectual Property, or (iii) VMU Equipment (individually each, and collectively all, of the items listed in (i) through (iii) above are referred to in this Section as “Covered VMU Rights”): (i) Infringes upon any Intellectual Property of such third party; or (ii) that IBM’s use (as permitted by this Agreement) of the Covered VMU Rights Infringes upon any Intellectual Property of such third party (collectively referred to for purposes of this Section 20.4 as “VMU Infringement Claim(s)”).
(2) After VMU assumes the defense against any VMU Infringement Claim in accordance with this Section, IBM shall cooperate fully in such defense. VMU shall not be responsible for the payment of expenses or charges incurred by IBM in connection with such cooperation, except
(a) to the extent VMU pre-approves any such charge or expense after VMU assumes control of the defense of such VMU Infringement Claim, provided such approval by VMU is not to be unreasonably withheld; or
(b) actual charges or expenses incurred by IBM in connection with the cooperation by any IBM employee with VMU’s defense, and to the extent such cooperation materially disrupts or interferes with the performance of any IBM employee’s job, VMU shall reimburse IBM for the employee’s actual expenses and time at a rate to be agreed to by the Parties in advance.
B. Continued Right to Use
Without limiting VMU’s obligations in Sections 20.4A, IBM also agrees that, if its use of the Covered VMU Rights, or any part thereof becomes, or in VMU’s reasonable opinion is likely to become, the subject of a VMU Infringement Claim(s), IBM will permit VMU, at VMU’s option and expense for all associated costs, either to timely procure the right for IBM to continue to use the Covered VMU Rights, or part thereof, or to timely replace or modify the Covered VMU Rights with another item of comparable quality and performance capabilities to become non-infringing, provided such replacement or modification allows VMU to continue meeting its obligations under this Agreement. If such replacement causes an increase in IBM’s expenditure
55
of time or resources to deliver the Services, the Charges will be equitably adjusted. If VMU is unable, after exercising diligent efforts, to procure the above referenced rights, or modify or replace the Covered VMU Rights, VMU may discontinue use of the Covered VMU Rights but shall not be excused from any of its obligations under this Agreement, nor shall IBM waive any of its rights (including termination rights) hereunder.
C. Remedial Acts
In the event (i) IBM’s ongoing use of the Covered VMU Rights, or any part thereof, is the subject of any Claim that would preclude or impair IBM’s use of the Covered VMU Rights as provided for under this Agreement, or any part thereof, (e.g., an injunction prohibiting or limiting use), or (ii) if IBM’s continued use of the Covered VMU Rights as provided for under this Agreement, or any part thereof, may subject it to damages or statutory penalties, IBM shall give prompt written notice to VMU of such fact(s). Upon notice of such facts, VMU shall, at its expense, use commercially reasonable efforts to: (i) procure the right for IBM to continue to use the Covered VMU Rights, or part thereof, or (ii) replace or modify the Covered VMU Rights, with another system or components of comparable quality and performance capabilities to become non-infringing. If VMU fails to complete the remedial acts set forth above within sixty (60) days of the date of the written notice from IBM, and IBM’s ongoing use of the Covered VMU Rights remains impaired, IBM shall have the right to take such remedial acts that are commercially reasonable to mitigate any impairment of its use of the Covered VMU Rights (hereafter referred to as “IBM’s Remedial Acts”). VMU shall pay IBM for all commercially reasonable amounts paid by IBM to implement IBM’s Remedial Acts. Failure by VMU to pay such amounts within forty-five (45) days of invoice by IBM shall, in addition to, and cumulative to all other remedies available to IBM under this Agreement, entitle IBM to exercise the payment escalation rights under Section 27.2.
D. VMU Infringement Exclusions
VMU shall have no obligation under this Section 20 with respect to any VMU Infringement Claim to the extent such VMU Infringement Claim is Finally Determined to be caused by: (i) modifications to the Covered VMU Rights, or any part thereof, made by IBM, its Affiliates, IBM Personnel, or their respective agents (except as directed, authorized, or approved by VMU); (ii) IBM’s, its Affiliates’, IBM Personnel’s, or their respective agents’ combination or use of the Covered VMU Rights, or any part thereof, with products, data, equipment or software not provided, directed, authorized or approved by VMU; (iii) VMU’s compliance with Specifications or written direction provided by IBM or IBM Personnel, including IBM’s business processes, if no non-infringing course of action was possible to achieve such compliance; or (iv) use by IBM of the Covered VMU Rights, or any part thereof, after VMU has provided modifications to IBM or IBM Personnel (at no cost to IBM) that would have avoided the allegedly infringing activity ((i), (ii), (iii), and (iv) above are collectively referred to herein as the “VMU Infringement Exclusions”).
20.5 Conditions to Indemnity Obligations
The indemnitor’s obligation to defend and indemnify the indemnitees, as applicable, pursuant to this Agreement shall be subject to indemnitee having given the indemnitor prompt
56
written notice of the claim or of the commencement of the related action, as the case may be (provided that the indemnitor’s obligations will be excused only to the extent it is prejudiced by any delay in such notice) and information and reasonable assistance, at the indemnitor expense, for the defense or settlement thereof. The indemnitor shall have sole control of the defense and settlement of such claim or related action, provided that the indemnitor shall not settle such claim or related action in a manner which imposes any obligation on or adversely affects the indemnitee without the prior written consent of the indemnitee. The indemnitee shall be entitled to engage counsel at its sole expense to consult with the indemnitor with respect to the defense of the claim and related action.
| 21. | Documentation |
IBM will have access to all existing Documentation on the VMU Systems, all of which shall be deemed to be Proprietary or Confidential Information of VMU. As requested by VMU from time to time, and at no additional charge to VMU, IBM shall provide VMU with at least three (3) copies of all Documentation developed for VMU under this Agreement or required to enable VMU to fully utilize as permitted under this Agreement, the Services, Equipment, IBM Intellectual Property, IBM Software, and IBM Third Party Intellectual Property, at least one (1) copy of which shall be in a VMU standard electronic form. VMU’s standard electronic form shall utilize Generally Available commercial software products. IBM shall update and maintain all Documentation on a regular basis as appropriate to the item of Documentation. When such Documentation is revised or supplemented, IBM shall deliver a copy of such revised or supplemental Documentation to VMU within ten (10) days of its general availability, at no cost to VMU. VMU may, at any time, reproduce copies of all Documentation provided by IBM under this Section, distribute such copies to its Affiliates, Third Party Vendors and the Authorized Users (subject to the confidentiality and non-use provisions contained herein), and incorporate such copies into its own technical manuals and subject to Section 31, provided that such reproduction, use and incorporation relates solely to VMU’s use of the Services or the VMU IT Environment, and copyright notices of IBM and its licensors, if any, are reproduced thereon. VMU will be responsible for the failure of any Authorized User to comply with the confidentiality and non-use provisions contained herein with respect to any such Documentation.
| 22. | Installation and Acceptance Tests |
22.1 General
For purposes of this Section 22 the reference to Statements of Work shall apply only to the Deliverables pursuant to New Services and Non-Recurring Initiatives.
As to New Services and Non-Recurring Initiatives, unless otherwise agreed pursuant to a Statement of Work, IBM shall comply with the following installation and acceptance test criteria for all Statements of Work in order to confirm that the Statement of Work components satisfy the specifications set forth in a Statement of Work in all material respects. Each component of the installation and acceptance tests may not apply in all circumstances.
22.2 Installation Tests
IBM will confirm that the installation tests have been completed.
57
22.3 Additional Testing
After IBM delivers a notice of completion of the installation test to VMU, (1) IBM shall perform for VMU those acceptance tests as set forth in a Statement of Work for a New Service or Non-Recurring Initiative or (2) if no such tests are set forth in a Statement of Work for a New Service or Non-Recurring Initiative, then IBM shall perform for VMU such tests as are reasonable, timely, and appropriate, including, as applicable, the following tests (individually, an “Acceptance Test” and collectively, the “Acceptance Tests”):
A. “Initial Component Testing” to determine whether the Statement of Work components have been properly installed and are operating in accordance with applicable Specifications;
B. “Integrated Test” to determine whether the Statement of Work components interface and integrate with the VMU IT Environment, and whether each such Statement of Work components operate in the approved operating configuration and in accordance with applicable specifications; and
C. “Final Test” to test the same functionality as the Integrated Test using actual data from VMU’s day-to-day operations.
22.4 Failed Acceptance Testing
As to an individual Statement of Work for New Services or Non-Recurring Initiatives, if VMU makes a good faith determination that a tested component and/or module has not successfully completed an Acceptance Test, VMU shall promptly notify IBM in writing of such failure (hereinafter “Notice of Failure”), specifying with as much detail as possible the manner in which the component and/or module failed to pass an applicable Acceptance Test. IBM shall immediately commence all reasonable efforts to complete, as quickly as possible (and in no event later than thirty (30) days thereafter, unless otherwise provided in the applicable Statement of Work), such necessary corrections, repairs and modifications to the applicable component and/or module as will permit the component and/or module to be ready for retesting. IBM shall notify VMU when such corrections have been completed, and the Acceptance Tests shall begin again. If, after applicable Acceptance Tests are completed for a second time, VMU makes a good faith determination that the tested component and/or module again fails to pass the applicable Acceptance Test, VMU shall promptly notify IBM in writing specifying in the Notice of Failure its election either to: (1) afford IBM the opportunity to repeat the correction and modification process as set forth above, or (2) depending on the nature and extent of the failure, and the parts of the Statement of Work impacted by such failure, in VMU’s sole judgment, (a) terminate that portion of the tested component and/or module associated with the Statement of Work in accordance with Section 28.2 as a non-curable default, or (b) if the failure to pass the applicable Acceptance Test materially impacts the function to VMU of the Statement of Work as a whole, terminate the Statement of Work in accordance with Section 28.2 as a non-curable default. The foregoing correct and modify procedure shall be repeated until IBM, based on VMU’s good faith determination, passes the applicable Acceptance Test, VMU elects to terminate the tested component and/or module or Statement of Work as set forth above, or the Parties agree otherwise. In the event of a termination under this Section 22.4, without limiting
58
VMU’s other rights and remedies hereunder, IBM shall credit to VMU, within thirty (30) days of written notice of termination, all amounts paid by VMU to IBM for the terminated tested component and/or module or Statement of Work (as applicable); provided, however, that in the event VMU retains any portion of a tested component and/or module associated with the Statement of Work, such credit shall be equitably reduced to take into account those portions of the retained tested component and/or module.
| 23. | Pricing |
23.1 General
During the Term of this Agreement, VMU shall pay IBM the fees and charges as set forth in Schedule C for the Services.
23.2 Non-Recurring Initiatives Pricing
All Non-Recurring Initiatives require VMU approval in accordance with Section 4.
23.3 Economic Change Adjustment
The Economic Change Adjustment to account for cost of living adjustments (“ECA”) shall be as provided in Schedule C.
23.4 All Fees Stated
Except as provided in this Section 23 and Schedule C or as otherwise approved in advance by VMU in its sole discretion, there are no other rates or charges applicable to the Services provided under this Agreement.
23.5 Taxes
A. Definitions
(1) “Income Tax” means any (i) tax on or measured by the net income of a Party (including franchise taxes, gross receipts taxes, taxes on capital or net worth that are imposed as an alternative to a tax based on net or gross income and the Michigan Single Business Tax), or (ii) taxes which are of the nature of excess profits tax, minimum tax on tax preferences, alternative minimum tax, accumulated earnings tax, personal holding company tax, capital gains tax, withholding tax or franchise tax for the privilege of doing business, to the extent such taxes as set forth in (i) and/or (ii) above are imposed on such Party by any federal, state, or local government of or in the United States, any taxing authority of any possession of the United States, or any government of a foreign country, including subdivisions thereof.
(2) “Service Taxes” means all sales, lease, service, value-added, use, personal property, excise, consumption, goods and services, provincial sales, retail sales and other taxes or duties that are assessed on the provision of the Services to VMU as a whole, or on any particular Service received by VMU from IBM; excluding, however, state and local business and occupation tax, Income Tax and other similar taxes.
59
B. Taxes
The Parties’ respective responsibilities for taxes arising under or in connection with this Agreement shall be as follows:
(1) Income Tax.
(a) Each Party shall be responsible for its Income Taxes.
(b) As between IBM and VMU under this Agreement, (i) VMU shall be responsible for the employment tax withholding, employer payroll taxes, and related reporting responsibilities with respect to its employees and VMU Affiliate employees, and (ii) IBM shall be responsible for the employment tax withholding, employer payroll taxes, and related reporting responsibilities with respect to its employees, and IBM Affiliate employees.
| (2) | Service Taxes. |
(a) Except as set forth in Sections 23.5B(2)(b) and 23.5B(2)(d) below, VMU shall be responsible for the payment of all Service Taxes and new Service Taxes. In the event there is a new Service Tax that is not clearly allocated to VMU or IBM under this Section 23.5B(2), VMU shall be responsible for such new Service Tax. IBM shall correctly invoice all applicable taxes. IBM shall not provide tax-only invoices.
(b) IBM shall be responsible for any Service Taxes and new Service Taxes on real property and/or other tangible or intangible property, it owns (or leases or rents from a third party).
(c) Prior to agreeing to any new Service Tax assessment, IBM shall work with the VMU Tax Department in order to ensure that the proposed tax assessment is properly allocated and accurately determined. IBM shall also ensure that all taxable and nontaxable components are separately stated, with an adequate description for tax purposes as to the taxable nature of the items purchased. In the event that a Service Tax is assessed on the receipt of any of the Services, the Parties shall work together to segregate the payments under this Agreement into four (4) payment streams on the invoice:
(i) those for taxable Services;
(ii) those for other nontaxable Services;
(iii) those for exempt Services; or
60
(iv) in respect of goods, Services, or supplies where Service Tax has already been paid by VMU or IBM;
(d) IBM shall be responsible for all current and any new Service Taxes payable by IBM on any goods or third party services acquired, used, or consumed by IBM in providing the Services where such tax is imposed on IBM’s acquisition or use of such goods or services.
(e) IBM shall make purchases of goods and services that are delivered or provisioned to VMU on a sale for resale basis, when applicable, so that double taxation of goods and services does not occur.
(f) VMU shall be responsible for telecommunication surcharges or user fees imposed by government authorities and mandated by law or regulation that are applicable to end users.
C. Cooperation; Invoices
The Parties agree to reasonably cooperate with each other to enable each to more accurately determine its own tax liability and to minimize such liability to the extent legally permissible. IBM invoices shall separately state the amounts of any taxes (by taxing jurisdiction) IBM is properly collecting from VMU pursuant to the terms hereof. Each Party will make available to the other Party any resale certificates, information regarding out-of-state or out-of-country sales or use of equipment, materials, or services, and other exemption certificates or information reasonably requested by the other Party. Specifically, VMU requires the following:
The total amount invoiced for Services will include any and all freight, duty, and taxes, with the exception of the following items, which, if applicable, must be identified and listed separately on IBM invoice: any U.S. state or local sales or use tax imposed on the transaction.
23.6 Payment Does Not Imply Approval
The making of any payment or payments by VMU, or the receipt thereof by IBM, shall not imply approval by VMU of any Services or the waiver of any warranties or requirements of this Agreement.
23.7 Gainsharing
Each Party may identify potential savings opportunities with respect to the Services and/or potential opportunities for improving the quality of the Services (each, an “Opportunity”). If either Party identifies an Opportunity, the Parties shall discuss such Opportunity, including the likelihood that such Opportunity will result in savings to VMU and/or improved quality as to the Services and, if approved by VMU, IBM shall further research the Opportunity and present a written proposal to VMU within a mutually agreed time frame. IBM’s proposal shall include, as applicable, the estimated current costs, the recommended changes, the anticipated savings and/or improvements in the Services that will be achieved by VMU and a proposed Statement of Work (including a project plan) setting forth each Party’s responsibilities if the Opportunity is to be
61
realized. In the case of improved quality of Services, a mutually agreed value shall be ascribed to such improved Services and used as the basis for any gain sharing as hereinafter described. If VMU agrees with IBM’s proposal, the Parties shall execute the Statement of Work, and the Parties thereafter shall proceed to implement the Opportunity. The Parties shall specify in the Statement of Work the gain sharing formula (if any) that will be applicable in order to compensate IBM with respect to the Opportunity; however, the Parties anticipate that such gain sharing formula shall be consistent with the following: (i) for any Opportunity initiated by IBM resulting in savings or improvements to the Services benefiting VMU, IBM shall be entitled to forty percent (40%) of the net savings or value in improved Services for a period of twelve (12) months, after which all further savings or enhanced value shall be realized solely by VMU; or (ii) for any Opportunity initiated by VMU but as to which IBM provided substantial assistance in terms of developing such Opportunity, at VMU’s option, either: (a) VMU shall retain one hundred percent (100%) of the savings or enhanced value and IBM will be compensated directly through fees for its implementation services; or (b) IBM shall retain twenty-five percent (25%) of the net savings or enhanced value for a period of twelve (12) months, after which all further savings or enhanced value shall be realized solely by VMU. This Section 23.7 shall not apply in circumstances where savings are achieved by IBM in performing its other obligations set forth in this Agreement.
| 24. | Invoices and Payments |
24.1 General
A. IBM shall invoice VMU monthly in two separate invoices, one for the baseline Services and the second for the appropriate variable adjustments for the Services that have been provided by IBM pursuant to the terms of Schedule C of this Agreement.
B. All invoices under this Agreement shall be submitted to the following address:
Virgin Mobile USA, L.P.
Account Payable Dep’t.
00 Xxxxxxxxxxxx Xxxx.
Xxxxxx, XX 00000
24.2 Invoice Summary
IBM shall render, by means of an electronic file, a single consolidated invoice for all charges incurred each month. Except as otherwise directed by VMU in writing, each invoice submitted by IBM shall be substantially similar to the invoice attached hereto as Schedule C, and shall include a summary section that includes, at minimum, the following information:
A. Period of time covered by the invoice;
B. Total invoice amount for VMU according to Service type;
C. Current month payments;
D. Balance due;
62
E. Calculations utilized to establish the charges, as applicable;
F. Credit and debit adjustments, including all ARCs and RRCs approved by VMU and the calculations utilized to establish all such adjustments;
G. Identification of all pass-through expenses for the month to which the invoice corresponds;
H. Identification of the amounts of any taxes IBM is collecting from VMU in accordance with Section 23.5; and
I. Such other billing information as is necessary to satisfy VMU’s internal accounting or as specified by VMU to meet its Xxxxxxxx-Xxxxx Corporate Reform Act requirements, including as necessary to allow VMU to accurately allocate charges by legal entity, business unit, department, VMU Site, Statement of Work, and/or any client, including details of staff time allocation on a project by project basis in order to allow VMU to allocate charges to capital expenditure projects.
| 25. | Limitations of Liability and Damages |
25.1 Damage Recovery Exclusion
SUBJECT TO SECTIONS 25.3 AND 25.4, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR INDIRECT, INCIDENTAL, COLLATERAL, PUNITIVE, CONSEQUENTIAL OR SPECIAL DAMAGES, INCLUDING LOST PROFITS (“CONSEQUENTIAL DAMAGES”) ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE FORM OF THE ACTION OR THE THEORY OF RECOVERY, WHETHER IN CONTRACT OR IN TORT (INCLUDING BREACH OF WARRANTY, NEGLIGENCE AND STRICT LIABILITY IN TORT) EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
25.2 Limitation of Liability Amount
SUBJECT TO SECTIONS 25.3 AND 25.4, IN NO EVENT VMU’S OR ITS AFFILIATES’ AGGREGATE LIABILITY TO IBM EXCEED THE AMOUNTS DUE AND OWING (INCLUDING ANY PROFIT COMPONENT THEREOF) TO IBM UNDER THIS AGREEMENT. SUBJECT TO SECTIONS 25.3 AND 25.4, IN NO EVENT SHALL IBM’S OR ITS AFFILIATES’ AGGREGATE LIABILITY TO VMU ARISING OUT OF OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT ACTUALLY PAID BY VMU TO IBM FOR THE SERVICES UNDER THIS AGREEMENT DURING THE *** PRIOR TO THE FIRST EVENT WHICH IS THE SUBJECT OF THE FIRST CLAIM OR CAUSE OF ACTION; PROVIDED THAT WHERE LESS THAN TWELVE (12) MONTHS OF THE TERM HAVE ELAPSED AT THE TIME OF THE FIRST EVENT WHICH IS THE SUBJECT OF THE FIRST CLAIM OR CAUSE OF ACTION, IBM’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE MONTHLY AVERAGE OF FEES FOR ALL MONTHS PRIOR TO THE ACCRUAL OF THE FIRST SUCH ACTION OR CLAIM MULTIPLIED BY ***.
63
25.3 Exclusions to Section 25.1
A. THE EXCLUSIONS OF CERTAIN DAMAGES SET FORTH IN SECTION 25.1 SHALL NOT APPLY, BUT THE LIMITATIONS OF LIABILITY SET FORTH IN SECTION 25.2 SHALL APPLY, TO CLAIMS OR LIABILITY ARISING FROM:
(1) ***
(2) ***
B. ***
25.4 Exclusions to Sections 25.1 and 25.2
THE LIMITATIONS OF LIABILITY AND EXCLUSIONS OF CERTAIN DAMAGES SET FORTH IN THIS SECTION 25 SHALL NOT APPLY TO CLAIMS OR LIABILITY ARISING FROM:
A. A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT;
B. CLAIMS THAT ARE THE SUBJECT OF A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT; AND
C. AMOUNTS DUE AND OWING TO VMU FOR NOTIFICATION RELATED COSTS AND THE INDEMNITY GRANTED IN SECTION 17.7.
25.5 Direct Damages
The Parties agree that the following costs and damages, if incurred by either Party, shall be deemed direct damages and neither Party shall assert, and each is estopped from asserting that they are Consequential Damages, for which recovery may be limited or excluded:
A. Costs of reloading data from last available back-up or recreating lost or damaged data utilizing electronic means;
B. Costs of performing work-arounds regarding a Service Failure;
C. Costs of replacing lost, stolen or damaged equipment, software or other materials;
D. Costs payable to an alternate source to procure replacement services from that alternate source as a result of a failure to perform, to the extent in excess of the applicable charges;
E. Amounts due and owing (including any profit component thereof) to IBM under this Agreement and
64
F. Overtime, straight time and related expenses and allocated overhead (including travel, lodging and wages) as a result of a failure to perform or provide all or a portion of the Services incurred in connection with (A) through (D) above.
The Parties acknowledge that by defining the foregoing as direct damages, they are not precluding the recovery of other damages that may be determined by a court to be direct.
| 26. | Representations, Warranties, and Covenants |
26.1 General
A. Each Party represents and warrants to the other Party that the execution, delivery and performance of this Agreement and the consummation of the transactions contemplated by this Agreement have been duly authorized by the requisite corporate action on the part of such Party.
B. Each Party represents and warrants to the other Party that the execution, delivery, and performance of this Agreement by it will not constitute (i) a violation of, with respect to IBM, the IBM Regulatory Requirements, and with respect to VMU, the VMU Regulatory Requirements; (ii) a violation of any judgment, order, or decree; (iii) a default under any contract by which it is bound; or (iv) an event that would, with notice or lapse of time, or both, constitute such a default.
26.2 Performance Warranty
IBM represents, warrants and agrees that during the Term of this Agreement, IBM will provide the Services in accordance with the Service Levels and the Specifications.
26.3 Service
IBM represents, warrants and agrees that all Services to be provided under this Agreement shall be performed in a professional, competent, and timely manner by appropriately qualified IBM Personnel in accordance with this Agreement and consistent with IBM’s best practices.
26.4 Litigation Warranty
The parties represents, warrants and agrees that as of the Reference Date there are no existing or threatened legal proceedings against the other party that would have a material adverse effect upon its ability to perform its obligations under this Agreement or its financial condition or operations.
26.5 Licensed Users and Rights to Use Software
IBM represents and warrants that it shall acquire, maintain, and continuously update (as applicable) the type and number of license(s) required to grant VMU the right to use the Software provided by IBM as contemplated herein, and otherwise comply with the terms of this Agreement. All third party license fees for such Software provided by IBM shall be at no
65
additional cost to VMU. To the extent that a third party license imposes a limit or restriction on VMU’s right to use the Software provided by IBM as permitted in this Agreement and such limit or restriction has not been identified in this Agreement, IBM shall take commercially reasonable actions and pay the license fees required to provide VMU with all the rights to use the Software provided by IBM afforded by this Agreement to the extent permitted.
26.6 Support Not to be Withheld
Subject to Section 2.6 of the Schedule C, each Party agrees to continue performing its obligations under this Agreement while any dispute between the Parties is being resolved except only to the extent the issue in dispute directly precludes such performance (dispute over payment is one type of dispute that shall not be deemed to preclude performance) unless and until such obligations are terminated by the termination or expiration of this Agreement.
26.7 Assignment of Warranties and Indemnities
IBM represents, warrants and agrees that it shall assign and deliver, and agrees to assign and deliver, to VMU all representations, warranties and indemnities received by IBM from IBM Third Party Vendors, to the extent they are assignable or sublicensable and directly relate to the Services, including rights to recovery. IBM shall, upon VMU’s request and at VMU’s cost, enforce such representations, warranties and indemnities that are not assignable or sublicensable and track and notify VMU of same, and deliver to VMU any documentation issued by a Third Party Vendor evidencing such representation, warranty or indemnity. Nothing in this Section 26.7 shall require IBM to initiate litigation against any such Third Party Vendors.
26.8 Viruses
IBM represents, warrants and agrees that it shall use its Best Practices to prevent any forms of Viruses from being introduced into the VMU IT Environment. If a Virus is found to have been introduced into the VMU IT Environment by IBM or IBM Personnel, IBM shall promptly notify VMU in writing in accordance with VMU’s security incident response procedures and at no additional charge to VMU, shall use its Best Practices to reduce the effects of, and mitigate the losses and restore any Deficiencies resulting from, the Virus. If a Virus is found to have been introduced into the VMU IT Environment by VMU, IBM shall upon learning of any such Virus promptly notify VMU in writing in accordance with VMU’s security incident response procedures and, at no additional charge to VMU, shall provide commercially reasonable assistance to VMU in reducing the effects of, and mitigating the losses from, the Virus to the extent it can do so with its resources then currently dedicated to the delivery of the Services and without impacting its ability to deliver the Services in accordance with this Agreement.
26.9 Disabling Devices
IBM represents, warrants and agrees that it shall not cause any unplanned interruption of the operations of, or accessibility to the VMU IT Environment through any device, method or means including, the use of any “virus,” “lockup,” “time bomb,” “key lock” device program, or disabling code, for which a purpose is to: (1) cause any unplanned interruption of the operations of (other than devices that are necessary to safeguard the device or the VMU IT Environment),
66
or prevent the accessibility of, the Services or the VMU IT Environment to VMU or any Authorized User, (2) alter, destroy, or inhibit the use of the Services or VMU IT Environment, or (3) block access to, or prevent the use/accessibility of, the Services or VMU IT Environment by VMU or Authorized Users (collectively referred to for purposes of this Section as “Disabling Device(s)”). IBM agrees that it has not, and will not, place any Disabling Device in the VMU IT Environment (other than licensing limitation controls (e.g., keys) that are incorporated into commercially available Software), nor shall it invoke any Disabling Devices contained on the VMU IT Environment at any time (including upon expiration or termination of this Agreement for any reason). In the event of a breach of this Section (Disabling Devices) by IBM, IBM shall remove the Disabling Device and restore such data or information to the most recently available electronic back-up copy and supporting transaction logs at no cost to VMU.
26.10 Insurance Premiums
IBM represents, warrants and agrees that it will pay all premiums, deductible amounts, and other costs required to maintain all insurance policies in accordance with Section 30 herein.
26.11 Compliance with Laws
IBM represents, warrants and agrees that it shall comply with all Applicable Laws relating to IBM’s capacity as an information technology service provider and/or data processor) and in its delivery of the Services (collectively “IBM Regulatory Requirements”). IBM shall identify, obtain and pay for permits, certificates, approvals, and inspections required under such IBM Regulatory Requirements. IBM agrees to provide all information and assistance regarding the Services, and the Charges relating to the Services, that VMU identifies as necessary or reasonably desirable for VMU to comply with the Xxxxxxxx-Xxxxx Corporate Reform Act. For the avoidance of doubt, unless specifically otherwise mandated by the Xxxxxxxx-Xxxxx Corporate Reform Act, the above does not include IBM’s cost data (unless such cost data is an element in determining the Charges) or confidential or proprietary information of any of IBM’s other customers. VMU shall comply, and shall require its subcontractors to comply, as applicable, with all Applicable Law relating to VMU’s business and its receipt and use of the Services (collectively “VMU Regulatory Requirements”).
26.12 Changes in Law and Regulations
IBM represents, warrants and agrees that it shall identify the impact of changes in IBM Regulatory Requirements on its ability to deliver the Services and perform its obligations under the Agreement. IBM shall notify VMU of such changes within ten (10) days after it learns that any such change is likely to be enactments and shall work with VMU to identify the impact of such changes on how VMU uses the Services or on how IBM delivers the Services. IBM shall comply with changes to all IBM Regulatory Requirements and shall, subject to the Change Control Procedures, implement any necessary modifications to the Services as reasonably necessary as a result of changes in such IBM Regulatory Requirements prior to the deadline imposed, or extensions authorized by, the regulatory or other governmental body having jurisdiction for such IBM Regulatory Requirements. All costs associated with identification and compliance with IBM Regulatory Requirements and any changes thereto shall be borne by IBM. Upon approval by VMU of an applicable change request pursuant to the Change Control
67
Procedures, IBM shall (i) implement VMU Regulatory Requirements, and (ii) shall implement any necessary modifications to the Services as agreed, in accordance with VMU Policies and Procedures and/or an applicable Statement of Work, as applicable.
26.13 Inducements
IBM represents, warrants and agrees that it has not and will not violate Applicable Laws or any VMU policies of which IBM has been given advance notice, regarding the offering or receiving of unlawful inducements in connection with the Agreement.
26.14 Technical Architecture and Product Standards
IBM represents, warrants and agrees that it will provide the Services using proven, current technology that will enable, within the allocation of financial responsibility between the parties as set forth in this Agreement, VMU to take advantage of technological advancements in its industry and support VMU’s efforts to maintain competitiveness in the mobile virtual network operator field.
26.15 Open Source Warranty
IBM represents, warrants, and agrees that it will not introduce or integrate any Open Source Software into the VMU Systems (or derive any components of the VMU Systems from any Open Source Software) or any Deliverable without VMU’s prior written consent. In the event of a breach of this Section 26.15, IBM shall provide a replacement to such Open Source Software product at no extra cost and expense to VMU, and fully install and implement such replacement Software product into the VMU Systems or Deliverable, as applicable, without interference to VMU’s information technology environment and operations.
26.16 Maintenance
In accordance with the allocation of financial responsibilities set forth in this Agreement, IBM represents and warrants that it will fulfill its responsibilities related to maintenance as set forth in the Agreement in order that Software and the Equipment remain in good operating condition, repairs and preventive maintenance are provided on Equipment in accordance with applicable manufacturer’s recommendations, and maintenance is provided with respect to Software in accordance with applicable documentation and the applicable Third Party Vendor’s recommendations. Specifically (i) IBM will provide maintenance with respect to the Applications as set forth in Section 8 of Part 9 of Schedule A and Section 5.7 of Schedule C, (ii) with respect to other Software and Equipment, IBM will provide maintenance as specifically set forth in Schedule A, and (iii) IBM will fulfill its responsibilities related to maintenance as set forth in the Agreement including dispatching and problem management as set forth in Schedule A and managing the Managed Strategic Suppliers as set forth in Section 6.2 of this Agreement. Notwithstanding the foregoing, IBM shall not be liable for the failure of any Software or Equipment where a root cause analysis identifies the applicable Third Party Vendor as the at-fault party, provided IBM has fulfilled its maintenance obligations set forth in this Agreement with respect to such Software or Equipment.
68
26.17 Representations and Warranties Throughout Agreement
It is understood and agreed by the Parties that IBM’s representations and warranties are set forth throughout this Agreement and are not confined to this Section 26.17.
26.18 Warranty Disclaimer
THE WARRANTIES SET FORTH IN THIS AGREEMENT ARE MADE TO, AND FOR THE BENEFIT OF, VMU AND IBM EXCLUSIVELY AND ARE IN LIEU OF ALL OTHER WARRANTIES. EXCEPT AS SPECIFICALLY PROVIDED IN THIS AGREEMENT, NEITHER PARTY MAKES AND NEITHER PARTY RECEIVES ANY WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
IBM does not warrant uninterrupted or error free operations of a Service or that IBM will find or correct all defects.
| 27. | Internal Dispute Resolution |
27.1 Intent
The Parties shall resolve their disputes informally to the maximum extent possible. The Parties shall negotiate all matters of joint concern in good faith, with the intention of resolving issues between them in a mutually satisfactory manner. Only disputes within the scope of this Agreement are subject to this Section. However, nothing in this Section shall preclude the Parties from exercising their termination rights pursuant to Section 28. Each Party shall bear its own attorney’s fees and costs in connection with the internal dispute resolution process; except, to the extent the Parties otherwise agree in writing to incur certain costs to support the internal dispute resolution process, such costs shall be shared equally by the Parties. The Parties agree that all statements made in connection with internal dispute resolution efforts shall not be considered admissions or statements against interest by either Party. The Parties further agree that they will not attempt to introduce such statements at any later trial, arbitration, or mediation between the Parties.
27.2 Informal Resolution
If a dispute arises under this Agreement, then within seven (7) Business Days after a written request by either Party, the VMU Program Director and IBM Project Executive shall promptly confer to resolve the dispute. If these representatives cannot resolve the dispute or either of them determines they are not making progress toward the resolution of the dispute within seven (7) Business Days after their initial conference, then the dispute shall be submitted to the VMU Chief Information Officer (or equivalent) and IBM Industry Vice President (or equivalent), who shall promptly confer to resolve the dispute.
27.3 Fact Finding Report
The VMU Program Director and IBM Project Executive shall provide the VMU Chief Information Officer (or equivalent) and IBM Industry Vice President (or equivalent) with a written description of the dispute, including the particular issues on which the Parties seek recommendations.
69
A. Fact Finding
The VMU Chief Information Officer and IBM Industry Vice President shall engage in fact finding as required by the dispute and recommend how best to resolve the dispute. The VMU Chief Information Officer and IBM Industry Vice President may submit written questions to the Parties, may request oral statements, and may review relevant documents.
B. Report
Within thirty (30) days after the VMU Chief Information Officer and IBM Industry Vice President have convened to resolve the dispute, the VMU Chief Information Officer and IBM Industry Vice President shall cause a joint written report to be prepared, including their findings of fact and recommendations for resolution.
27.4 Applicability To Disputes With Suppliers Other than IBM
IBM agrees that on VMU’s written request and as part of the Services, it will reasonably participate in dispute resolution with VMU and VMU’s Third Party Vendors to resolve any disputes between and/or among such vendors, including IBM and VMU, as to responsibility by any particular vendor for issues arising from warranty and other information system performance obligations to the extent related to the Services. Neither Party shall be required to submit Proprietary or Confidential Information to such Third Party Vendor(s) unless the Third Party Vendor(s) has executed an appropriate confidentiality or non-disclosure agreement as to the information that will be disclosed to it in connection with the dispute resolution process.
| 28. | Termination |
28.1 Change of Control
VMU may terminate this Agreement on one hundred eighty (180) days written notice in the event of (i) a change in Control of IBM where such control is acquired, directly or indirectly, in a single transaction or series of related transactions; (ii) the acquisition of all or substantially all of IBM’s business performing the Services, or (iii) any merger by or with IBM in which IBM is not the surviving entity or in which IBM’s principals do not remain in control of the surviving entity; provided, however, that VMU must deliver any notice of termination pursuant to this Section 28.1 within twelve (12) months of the effective date of any such transaction and pay Wind-Down Charges to IBM and 50% of the Termination Charges as set forth in Exhibit C.
28.2 Termination for Cause by VMU
VMU may terminate this Agreement, in whole or in part, without payment of any Termination Charges, Wind-Down Charges or Unrecovered Startup Charges, effective upon notice to IBM, if IBM: (i) materially breaches this Agreement; and fails to cure such breach within thirty (30) days after written notice from the VMU; provided, however, if a material breach of this Agreement by IBM occurs such that IBM, using best efforts, is unable to cure in
70
such thirty (30) day period but IBM submits a written plan to VMU within such thirty (30) day period to cure such breach at the earliest date practicable (but no later than within sixty (60) days of the date on which VMU provides written notice of such breach) and IBM’s plan (including the timing of the cure set forth in the plan) is accepted by VMU in writing, the cure period for such breach shall be extended to the date set forth in the plan, or (ii) commits multiple breaches of its duties or obligations under the Agreement, which in the aggregate are material, and fails to cure such breaches within thirty (30) days after written notice. VMU’s notice shall specify the acts, omissions or events alleged to constitute such material breach and shall state that the notice is being provided in accordance with this Section 28.2.
28.3 Termination for Cause by IBM
IBM shall have the right to terminate this Agreement solely in the event of a failure by VMU to make timely payment of any fees due and payable under this Agreement (and not subject to withholding or payment into escrow for a good faith dispute as provided in Section 2.6 of Schedule C so long as VMU complies with its obligation under Section 2.6 of Schedule C) which failure is not cured within ten (10) days of written notice thereof. Due to the impact any termination of this Agreement would have on VMU’s business, VMU’s failure to perform its responsibilities set forth in this Agreement (other than as provided in this Section 28.3) shall not be deemed to be grounds for termination by IBM. IBM ACKNOWLEDGES THAT VMU WOULD NOT BE WILLING TO ENTER INTO THIS AGREEMENT WITHOUT ASSURANCE THAT IT MAY NOT BE TERMINATED BY IBM AND THAT IBM MAY NOT SUSPEND PERFORMANCE EXCEPT, AND ONLY TO THE EXTENT, IBM TERMINATES PURSUANT TO THIS SECTION 28.3. VMU’s failure to perform any of its responsibilities set forth in this Agreement (other than as provided above in this Section 28.3) shall not be deemed to be grounds for termination by IBM.
28.4 Termination for Insolvency
VMU may terminate this Agreement, in whole or in part, on ten (10) days notice to IBM if IBM (i) becomes insolvent or is unable to meet its debts as they mature; (ii) files a voluntary petition in bankruptcy or seeks reorganization or to effect a plan or other arrangement with creditors; (iii) files an answer or other pleading admitting, or fails to deny or contest, the material allegations of an involuntary petition filed against it pursuant to any applicable statute relating to bankruptcy, arrangement or reorganization; (iv) shall be adjudicated a bankrupt or shall make an assignment for the benefit of its creditors generally; (v) shall apply for, consent to, or acquiesce in the appointment of any receiver or trustee for all or a substantial part of its property, and any such receiver or trustee shall be appointed and shall not be discharged within thirty (30) days after the date of such appointment; or (vi) generally is unable to pay its debts as such debts become due.
28.5 Termination for Convenience
VMU may at any time, elect to terminate this Agreement or a Statement of Work as to New Services at its convenience provided it shall, at the time of such election, provide IBM with one-hundred eighty (180) days’ prior written notice. In the event of such termination, VMU shall pay the Termination Charges, Wind-Down Charges and Unrecovered Startup Charges specified in Schedule C or the applicable Statement of Work, as applicable.
71
VMU may terminate any Non-Recurring Initiative for convenience upon providing IBM with fifteen (15) business days’ prior written notice. Upon any such termination, VMU shall only be liable for any charges incurred though the effective date of termination, and immediately upon receipt of notice of termination, IBM shall take commercially reasonable measures to reduce any costs for which VMU would be liable.
28.6 Termination for Excessive Claims
If, at any time, the aggregate of all judgments awarded to VMU and claims paid by IBM to VMU arising out of or relating to this Agreement equals or exceeds eighty percent (80%) of the amount of IBM’s limitation of liability under Section 25.2 (as adjusted in accordance with the next sentence), VMU may elect to give written notice to IBM of such circumstance. If IBM does not, within thirty (30) days of receipt of VMU’s notice, agree to increase the then current limitation on the amount of damages under Section 25.2 by fifty percent (50%), VMU shall be entitled to terminate this Agreement, without liability or the payment of additional charges (including Unrecovered Startup Charges and Wind-Down Charges), by giving IBM further written notice; provided, however, such termination will not entitle VMU to additional damages in excess of the amount under Section 25.2. If IBM does, within thirty (30) days of receipt of VMU’s notice, agree to increase the then current amount of damages under Section 25.2 by fifty percent (50%), VMU shall not be entitled to terminate this Agreement pursuant to this Section 28.6, and the Parties will amend Section 25.2 to reflect the increased limitation of liability amount.
28.7 Termination for Service Level Failures
VMU may terminate this Agreement, in whole or in part, on thirty (30) days’ prior written notice to IBM in the event of any Service Level termination event set forth in Schedule B. In the event of such termination, VMU shall pay Unrecovered Startup Charges to IBM and VMU shall make offers to re-hire all Transitioned Employees who are employees of IBM and Full-Time IBM Personnel as of the date such notice is provided.
28.8 Termination Assistance
After the effective date of any termination of this Agreement, IBM shall continue to provide Services in accordance with Section 29 for which it shall be compensated by VMU as provided in Section 29.2.
28.9 Payment of Fees
In the event of termination under this Section 28, VMU agrees to pay to IBM the charges for the Services satisfactorily performed by IBM under this Agreement through the date of actual termination, but shall not pay other charges or fees related to such termination, unless specifically described in this Section 28.
72
28.10 Cumulative Remedies
The Parties understand and agree that the rights and remedies available to either Party at law, in equity and/or under this Section 28 and this Agreement shall be cumulative and nonexclusive in nature.
| 29. | Termination Assistance Services |
29.1 Termination Assistance Plan
IBM understands and agrees that VMU’s business operations are dependent on the Services, and that VMU’s inability to receive the Services would result in irreparable damages to VMU; provided however, that if IBM terminates this Agreement pursuant to Section 28.3, IBM will provide VMU with Termination Assistance Services only if VMU pays for such Termination Assistance Services (in accordance with Section 29.2 below) monthly in advance. Therefore, upon the expiration of this Agreement or its termination by either Party for any reason, including the breach of this Agreement by the other Party, Termination Assistance Services shall be provided as set forth in this Section 29. If no Termination Assistance Plan has yet been agreed to at the time of termination, the rights of VMU upon any expiration or termination of this Agreement shall be as set forth in this Section 29. If a Termination Assistance Plan has been agreed to, then the rights of VMU upon any expiration or termination of this Agreement shall be as set forth in the most recent approved Termination Assistance Plan, and also as set forth in this Section 29. In the event of any inconsistency between this Section 29 and the applicable Termination Assistance Plan, this Section shall govern.
29.2 Performance of Services
IBM and VMU acknowledge and agree that their mutual cooperation is important to an effective transition of technology services provided by IBM to VMU or its designated provider(s). As requested by VMU in accordance with Section 29.3, IBM shall provide VMU with all of the Services, including all of the Termination Assistance Services set forth in this Section 34 and in the then most recent version of the Termination Assistance Plan. IBM shall have no right to withhold or limit any of the Termination Assistance Services on the basis of an alleged breach by VMU so long as VMU has paid in advance for such Services as required by Section 29.1 and is otherwise not in default of its payment obligations. Without limiting VMU’s right to seek specific performance of other sections of this Agreement, VMU shall have the right to seek specific performance of this Section 29. In addition to the Services as set forth in this Agreement, the Termination Assistance Services shall include, at a minimum, (i) meeting with VMU as soon as practicable after a notice of termination or notice of a decision to not extend this Agreement has been given, to discuss any potential modifications to the then most current Termination Assistance Plan; (ii) using all commercially reasonable efforts to assist VMU in effecting a transition of the Services to VMU or another vendor chosen by VMU; (iii) providing the number and types of resources necessary to complete the transition[; and (iv) such other services as shall be necessary or appropriate to facilitate, without interruption of the Services, the orderly transition of the Services to VMU or its new provider of services. If IBM is providing any Services hereunder at the time of such transition utilizing any software license from a Third Party Vendor, the responsibility for obtaining and paying for the transfer of such licenses shall be
73
in accordance with Section 18. Notwithstanding anything in this Agreement to the contrary, VMU shall be entitled to increase and/or decrease the scope of the Services and Termination Assistance Services in its sole discretion during any Termination Assistance Period. If IBM is unable to provide such Termination Assistance Services with its then-existing resources used to provide the affected Services, VMU shall only be required to pay IBM for any incremental resources required by IBM to provide such Termination Assistance Services, which resources shall be charged, with respect to time and materials charges, in accordance with the rates set forth in this Agreement or, if applicable rates for time and materials charges are not contained in this Agreement and for all fixed fee charges, at commercially reasonable rates. Nothing herein shall preclude VMU from recovering the cost of such incremental resources as a damage in the event of a Termination by VMU pursuant to Section 28.2.
29.3 Termination Assistance Period
Unless otherwise directed by VMU, commencing: (i) six (6) months prior to the expiration of the Agreement; (ii) upon any notice of termination or non-renewal of the Agreement; or (iii) six (6) months prior to any other ceasing of Service under the Agreement, and continuing for a period defined in the Termination Assistance Plan but in no event less than twelve (12) months following the expiration or termination of this Agreement (unless a shorter time period is requested by VMU), IBM will continue to provide the Services (including the Termination Assistance Services) as requested by VMU. After such twelve (12) month period (or such shorter time period as requested by VMU), IBM shall provide extensions of the Services (including the Termination Assistance Services) as requested by VMU for up to an additional three (3) months (such period, collectively, the “Termination Assistance Period”). Unless otherwise agreed by the parties, the total Termination Assistance Period shall not exceed fifteen (15) months.
In addition to the Services as set forth in this Agreement, the Termination Assistance Services shall include, at a minimum, converting data, providing parallel services until transition to a new system, providing on-site technical support, cooperating with VMU or its designated vendor in developing required interfaces, and such other services as shall be necessary or appropriate to facilitate, without material or extended interruption to the Services, the orderly transition of the Services to VMU or its new provider of services. VMU shall have the same rights to Software and such other Intellectual Property as provided in Section 19.3 during the Termination Assistance Period as it does during the Term.
29.4 Transition Services
IBM will provide the following Termination Assistance Services at VMU’s request:
A. IBM shall (i) assist VMU in developing a written transition plan for the transition of the Services to VMU or VMU’s designee, which plan shall include capacity planning, facilities planning, human resources planning, and data transport/telecommunications planning necessary to effect the transition, (ii) perform programming and consulting services as requested to assist in implementing the transition plan, (iii) train personnel designated by VMU in the use of any Equipment, Software, materials or processes to be transferred, (iv) catalog all Software, VMU Data and Equipment
74
used to provide the Services, provide machine readable and printed listings of source code for Software and assist in its reconfiguration, (v) analyze and report on the space required for the VMU Data and the Software needed to provide the Services, (vi) assist in the execution of a parallel operation, data migration and testing process until the transition to VMU or VMU’s designee has been successfully completed, (vii) create and provide copies of the VMU Data in the format and on the media reasonably requested by VMU, (viii) provide a complete and up-to-date, electronic copy of the Process Interface Manual, in the format and on the media reasonably requested by VMU, (ix) provide other technical assistance as requested by VMU and (x) identify, and assist VMU in provisioning, suitable functionality equivalent replacement for any shared hardware or software then used by IBM to provide the Services.
B. VMU or VMU’s designee shall be permitted to undertake, without interference from IBM (including counter-offers), to hire, effective after the later of the termination of the Term or completion of any Termination Assistance Services, any dedicated (including Full-Time) employees of IBM performing Services within the twelve (12) month period prior to the expiration or termination date by providing IBM with written notice of its intent to hire any such employees no later than the latter of (i) forty-five (45) days prior to the expiration of the Term or (ii) forty-five (45) days prior to the completion of any Termination Assistance Period. IBM shall waive its rights, if any, under contracts with such personnel restricting the ability of such personnel to be recruited or hired by VMU or its designee. VMU or its designee shall have reasonable access to such employees of IBM for interviews, evaluations and recruitment. VMU shall conduct the above-described hiring activity in a manner that is not unnecessarily disruptive of the performance by IBM of its obligations under this Agreement. In addition, VMU will not be precluded from soliciting or hiring any employees of Subcontractor that respond to a general employment announcement by VMU.
C. To the extent VMU or its designee is entitled under Section 19 to a license, sublicense or other right to use any Software or other Intellectual Property utilized in performing the Services, IBM shall provide VMU or its designee with such license, sublicense or other right, including, Source Materials, Object Code and Documentation related to Software (where VMU has the right to such Documentation), in IBM’s possession or control in a form reasonably requested by VMU.
D. VMU or its designee shall have the right, upon reasonable notice, to purchase any Equipment owned by IBM and which, on the date of expiration or termination of this Agreement, IBM is using on a dedicated basis to perform the Services. In addition, at VMU’s request, IBM shall use commercially reasonable efforts to provide VMU with the right to either (i) lease directly from the applicable third party lessor (other than an IBM Affiliate) any leased Equipment that on the date of expiration or termination of this Agreement IBM is using on a dedicated basis to perform the Services, or (ii) assume IBM’s lease for any such Equipment (other than as to Equipment provided by a IBM Affiliate); provided that IBM shall use commercially reasonable efforts to minimize any costs associated with the exercise of any such right by VMU and any transfer, assumption or termination fees or expenses associated with the exercise of any such right shall be the responsibility of, and paid for by, VMU. VMU shall execute such documents as necessary for IBM to be relieved of IBM’s
75
obligations under such assumed leases after the transfer date. In the case of leases entered into specifically to provide the Services, IBM shall use commercially reasonable efforts to obtain such rights in advance and shall not enter into any such lease not offering such rights without VMU’s prior written consent, which shall not be unreasonably withheld or delayed (provided that the withholding of consent shall not preclude IBM from then using a lease not entered into specifically for this engagement to acquire such Equipment). In all cases, such owned or leased Equipment shall be transferred in good working condition, reasonable wear and tear excepted, as of the expiration or termination date or the completion of any Services associated with such Equipment requested by VMU under this Agreement, whichever is later. In the case of IBM-owned equipment, IBM shall grant to VMU a warranty of title and a warranty that such Equipment is free and clear of all liens and encumbrances. Such conveyance by IBM to VMU shall be at fair market value. In the case of leased Equipment, IBM shall represent and warrant that the lease is not in default and that all payments thereunder have been made through the date of transfer.
E. IBM shall return to VMU, if not previously returned, all VMU Equipment, in condition at least as good as the condition thereof on the Reference Date, ordinary wear and tear excepted. Such Equipment shall be returned at the expiration or termination date or the completion of any Services or Termination Assistance Services associated with such Equipment requested by VMU under this Agreement, whichever is later.
F. IBM shall inform VMU of Subcontractor or Third Party Vendor contracts primarily dedicated by IBM or its Subcontractors or to perform the Services. VMU shall retain the right to contract directly with any such Subcontractor or Third Party Vendor. In addition, IBM shall use commercially reasonable efforts to provide VMU with the right to contract directly with any Subcontractor or Third Party Vendor previously utilized by IBM to perform any Services or to assume IBM’s contract with such Subcontractor or Third Party Vendor.
G. In the event that IBM is able to obtain the right for VMU to assume such Subcontractor and Third Party Vendor contracts in accordance with the Subsection (F) above, IBM shall assign the designated Subcontractor and Third Party Vendor contracts to VMU or its designee as of the expiration or termination date or the completion of any Services associated with such Subcontractor or Third Party Vendor contracts, whichever is later. There shall be no charge or fee imposed by IBM on VMU related to such assignment and IBM shall use commercially reasonable efforts to minimize or eliminate any such charges or fees imposed by any Subcontractors or Third Party Vendor. To the extent charges or fees are imposed by any Subcontractors or Third Party Vendors, such costs shall be paid by VMU. IBM shall (i) represent and warrant that it is not in default of such Subcontractor and Third Party Vendor contracts; (ii) represent and warrant that all payments have been made thereunder through the date of assignment; and (iii) notify VMU of any defaults by Subcontractors or Third Party Vendor contractors with respect to such Subcontractor and Third Party Vendor contracts of which IBM is then aware. Subject to IBM’s compliance with the requirements of this subsection, VMU shall represent and warrant to IBM that, from the date of assumption, it will assume all contractual responsibilities and liability associated with such Subcontractor and Third Party Vendor contract assigned to VMU hereunder.
76
| 30. | Insurance and Indemnity |
30.1 Required Insurance Coverage
IBM shall obtain, pay for, and maintain in full force and effect during the Term insurance of the type and in the amounts set forth below:
A. Workers’ compensation and employers’ liability insurance with limits as required by law or $1,000,000 for each accident, including occupational disease coverage, with a limit of $1,000,000 per person subject to an aggregate limit of $1,000,000 per annum. These policies will contain waivers of the insurer’s subrogation rights against VMU where permitted by law;
B. Commercial general liability insurance, and excess liability insurance coverage, with limits of $10,000,000 combined single limit for bodily injury, death, and property damage, including personal injury, contractual liability, independent contractors, broad-form property damage, and products and completed operations coverage;
C. Commercial automobile liability insurance with limits of not less than $1,000,000 for each occurrence combined single limit of liability for bodily injury, death, and property damage, including owned and non-owned and hired automobile coverages, as applicable;
D. Professional Liability Insurance (Errors and Omissions) with limits of $10,000,000 annual aggregate for all claims each policy year for technology errors and omissions. This coverage should not exclude Virus Liability, Intellectual Property Liability, Denial of Electronic Access Liability, Electronic Information Damage Liability, liabilities assumed under contract, and direct damages; and
E. All Risk Property Liability Insurance with limits not less than the full replacement cost value of VMU’s Equipment situated at the IBM Data Center during the Term of the Agreement.
30.2 Claims Made Coverages
To the extent any insurance coverage required under this Section 30 is purchased on a “claims-made” basis, such insurance shall cover the Term of this Agreement and at least two (2) years after the Term of the Agreement.
30.3 Certificates Of Insurance
Certificates of insurance evidencing all coverages described in this Section 30 shall be furnished to VMU within two (2) weeks of the Signature Date with the following endorsements:
A. In the name of Virgin Mobile USA, L.P. and the VMU Related Parties as additional insureds limited to coverage B (Commercial General Liability Insurance) and C (Commercial Automobile Liability Insurance) in Section 30.1 above where allowable by country law;
77
B. To provide that each of the policies is primary insurance, not contributing, with respect to any other insurance available to VMU as to any claim for which coverage is afforded under the policy, except for coverage D (Professional Liability Insurance) in Section 30.1 above and will be limited in other areas of coverage to the acts omissions of IBM in the performance of this agreement;
C. To provide that the policy shall apply separately to each insured against whom a claim is made or suit is brought (required for Comprehensive General Liability, and Automobile Liability only where allowable by country law); and
D. VMU and the VMU Related Parties shall be named as a “Loss Payee” under All Risk Property Insurance, as respects their interest in the property insured.
None of the requirements contained herein as to types, limits and approval of insurance coverage to be maintained by IBM are intended to and shall not in any manner limit or qualify the liabilities and obligations assumed by IBM under this Agreement. Receipt of any certificate showing less coverage than requested is not a waiver of IBM’s obligation to fulfill its requirements. IBM may utilize reasonable deductibles given its size and financial stability. IBM will be responsible to pay any loss amount that lie within its deductible, up to the maximum amount of the deductible.
30.4 Cancellation Or Lapse Of Insurance
IBM shall give thirty (30) days prior written notice to VMU of cancellation, non-renewal, or material change in coverage, scope, or amount of any policy, except it shall provide timely written notice of cancellation, non-renewal, or material change in coverage, scope, or amount of any policy for Professional Liability insurance policies referenced above.
30.5 Other Insurance Requirements
Whenever commercially reasonable or possible, insurance policies required hereunder shall be issued by insurance companies: (i) authorized to do business in the States of New York and New Jersey; and (ii) with a financial rating of at least an A10 status as rated in the most recent edition of Best’s Insurance Reports except for “All-Risk” property insurance above which IBM can self insure; provided that VMU shall be afforded protection in the same manner and to the same extent it would have been covered had IBM obtained such coverage through a third party insurer. Should IBM decide to purchase coverage that is at the time self insured by IBM, it is agreed that this Agreement shall be considered an insured contract under such policy.
30.6 General Indemnity
A. IBM’s Indemnity
(1) At IBM’s expense and as described herein, IBM agrees to defend, hold harmless and indemnify (as set forth in (2) below) the VMU Related Parties from and against any third party Claims arising out of, or in connection with any of the following: (i) any injury (including bodily injury or death) to any person or persons or damage or loss to tangible property to the extent caused by the acts or omissions of IBM or IBM
78
Personnel, (ii) a breach by IBM or IBM Personnel of its confidentiality obligations in this Agreement, (iii) IBM’s or IBM Personnel’s breach of the IBM Regulatory Requirement obligations set forth in this Agreement, (iv) IBM’s selection, employment, offers of employment, transfer or termination of employment of IBM Personnel (including Transitioned Employees), (v) IBM’s or its Subcontractors’ acts or omissions in its capacity as an employer of a person (including Transitioned Employees), including any claims of harassment, discrimination, or wrongful discharge, payment of compensation, benefits or salary, non-payment of taxes, failure to withhold, or claims arising under workers compensation laws, unemployment compensation laws, occupational health and safety laws, disability laws, ERISA, or any other Applicable Law, (vi) any payment of compensation (including without limitation benefits) or salary asserted by any employee or agent of IBM or IBM Personnel associated with a determination by any federal, provincial, state or local governmental agency, any court or any other applicable entity that the employees or agents of IBM or IBM Personnel are employees of VMU or any VMU Affiliate for any purpose or that VMU or any VMU Affiliate is a co-employer of such personnel, (vii) any taxes for which IBM is responsible under Section 23.5, and (viii) any claims initiated by a third party to which IBM has assigned its right to receive payment under this Agreement pursuant to Section 33.1 except for any claims for the collection of undisputed payments owed to IBM ((i) through (viii) above are individually each, and collectively all, referred to for purposes of this Section 30.6A (IBM’s Indemnity) as “IBM Third Party Claim(s)”). For avoidance of doubt, if a VMU employee suffers personal injury because of IBM and brings a claim in his or her individual capacity, then such claims shall be deemed a third party claim.
(2) After IBM assumes the defense against any IBM Third Party Claim in accordance with this Section, VMU shall cooperate fully in such defense. IBM shall not be responsible for the payment of expenses or charges incurred by VMU in connection with such IBM Third Party Claim, except:
(a) to the extent IBM pre-approves any such charge or expense after IBM assumes control of the defense of such IBM Third Party Claim, provided such approval by IBM is not to be unreasonably withheld; or
(b) actual charges or expenses incurred by VMU in connection with the cooperation by any VMU employee with IBM’s defense, and to the extent such cooperation materially disrupts or interferes with the performance of any VMU employee’s job, IBM shall reimburse VMU for the employee’s actual expenses and time at a rate to be agreed to by the Parties in advance.
(3) IBM’s obligation to defend and indemnify the VMU Related Parties, as applicable, pursuant to this Agreement shall be subject to VMU having given IBM prompt written notice of the claim or of the commencement of the related action, as the case may be (provided that IBM’s obligations will be excused only to the extent it is prejudiced by any delay in such notice), and information and reasonable assistance, at IBM’s expense, for the defense or settlement thereof. IBM shall have sole control of the defense and settlement of such claim or related action, provided that IBM shall not settle such claim or related action in a manner which imposes any obligation on or adversely
79
affects the VMU Related Parties without the prior written consent of VMU. VMU shall be entitled to engage counsel at its sole expense to consult with IBM with respect to the defense of the claim and related action.
B. VMU’s Indemnity
(1) At VMU’s expense and as described herein, VMU agrees to defend, hold harmless and indemnify (as set forth in (2) below) the IBM Related Parties from and against any third party Claims arising out of, or in connection with any of the following: (i) any injury (including bodily injury or death) to any person or persons or damage or loss to tangible property to the extent cause by the acts or omissions of VMU or its employees, agents or subcontractors, (ii) a breach by VMU or its employees, agents or subcontractors of its confidentiality obligations set forth in this Agreement, (iii) VMU’s breach of the VMU Regulatory Requirement obligations set forth in this Agreement and (iv) any taxes for which VMU is responsible under Section 23.5 ((i), through (iv) above are individually each, and collectively all, referred to for purposes of this Section 30.6B as “VMU Third Party Claim(s)”). For avoidance of doubt, if a IBM employee suffers personal injury because of VMU and brings a claim in his or her individual capacity, then such claims shall be deemed a third party claim.
(2) After VMU assumes the defense against any VMU Third Party Claim in accordance with this Section, IBM shall cooperate fully in such defense. VMU shall not be responsible for the payment of expenses or charges incurred by IBM in connection with such VMU Third Party Claim, except:
(a) to the extent VMU pre-approves any such charge or expense after VMU assumes control of the defense of such VMU Third Party Claim, provided such approval by VMU is not to be unreasonably withheld; or
(b) actual charges or expenses incurred by IBM in connection with the cooperation by any IBM employee with VMU’s defense, and to the extent such cooperation materially disrupts or interferes with the performance of any IBM employee’s job, in which case VMU shall reimburse IBM for the employee’s actual expenses and time at a rate to be agreed to by the Parties in advance.
(3) VMU’s obligation to defend and indemnify the IBM Related Third Parties, as applicable, pursuant to this Agreement shall be subject to IBM having given VMU prompt written notice of the claim or of the commencement of the related action, as the case may be (provided that VMU’s obligations will be excused only to the extent it is prejudiced by any delay in such notice), and information and reasonable assistance, at VMU’s expense, for the defense or settlement thereof. VMU shall have sole control of the defense and settlement of such claim or related action, provided that VMU shall not settle such claim or related action in a manner which imposes any obligation on or adversely affects the IBM Related Third Parties without the prior written consent of IBM. IBM shall be entitled to engage counsel at its sole expense to consult with VMU with respect to the defense of the claim and related action.
80
30.7 Indemnities Throughout Agreement
It is understood and agreed by the Parties that IBM’s and VMU’s indemnification obligations are set forth throughout this Agreement and are not confined to this Section 30.
| 31. | Confidentiality |
31.1 Definition of Proprietary or Confidential Information
“Proprietary or Confidential Information” shall mean, with respect to a Party hereto, all information or material, in any form, furnished or made available, directly or indirectly, by such Party that is either (i)(a) marked “Confidential,” “Restricted,” “Proprietary,” or with some other, similar, marking, (b) known by the Receiving Party to be considered confidential and proprietary, or (c) from all the relevant circumstances should reasonably be assumed (1) to be confidential and proprietary; (2) to give the Disclosing Party a competitive business advantage, or (3) to be detrimental to the interest of the Disclosing Party if disclosed; or (ii) without limiting Section 31.1, information concerning the business activities or a Party or its Affiliates, including research activities and plans, customers, marketing, business plans, or sales plans, product development or time to market, sales forecasts or results of marketing efforts, pricing or pricing strategies, costs, operational techniques, strategic plans, and unpublished financial information, including information concerning revenues, profits and profit margins. This Agreement shall be the Proprietary or Confidential Information of both Parties, and the Proprietary or Confidential Information of VMU Affiliates shall be VMU Proprietary or Confidential Information.
31.2 Exclusions
The confidentiality obligations set forth in this Agreement shall not apply to any information to the extent it:
A. has previously become or is generally known, unless it has become generally known through a breach of this Agreement or a similar confidentiality or non-disclosure agreement;
B. was already rightfully known to the Party receiving such information (the “Receiving Party”) prior to being disclosed by or obtained from the Party disclosing such information (the “Disclosing Party”);
C. has been or is hereafter rightfully received by the Receiving Party from a third person (other than the Disclosing Party) without restriction or disclosure and without breach of a duty of confidentiality to the Disclosing Party; or
D. has been independently developed by the Receiving Party without access to Proprietary or Confidential Information of the Disclosing Party.
It will be presumed that any Proprietary or Confidential Information of a Disclosing Party in a Receiving Party’s possession is not within exceptions (b), (c) or (d) above, and the burden will be upon the Receiving Party to prove otherwise by records and documentation.
81
31.3 Non-Disclosure and Non-Use
Each Party agree, both during the Term of this Agreement and for a period of two (2) years thereafter, to hold the other Party’s Proprietary or Confidential Information in strict confidence; provided, however, that as to any portion of the Disclosing Party’s Confidential Information that constitutes a trade secret under applicable law, the obligations of this Section will continue for as long as the information continues to constitute a trade secret under applicable law. Each Party recognizes the importance of the other’s Proprietary or Confidential Information. In particular, each Party recognizes and agrees that the Proprietary or Confidential Information of the other is critical to their respective businesses and that neither Party would enter into this Agreement without assurance that such information and the value thereof will be protected as provided in this Section 31 and elsewhere in this Agreement. Accordingly, each Party agrees as follows:
A. The Receiving Party will hold any and all Proprietary or Confidential Information it obtains in accordance with the standards it employs with respect to its own confidential information (but in no event less than a reasonable standard) and will use and permit use of Proprietary or Confidential Information solely for the purposes of this Agreement; and
B. The Receiving Party may disclose or provide access solely to its responsible employees who have a need to know and may make copies of Proprietary or Confidential Information only to the extent reasonably necessary to carry out its obligations hereunder.
The Receiving Party will notify the Disclosing Party immediately of any unauthorized disclosure or use, and will cooperate with the Disclosing Party to protect all proprietary rights in and ownership of its Proprietary or Confidential Information.
31.4 Treatment of VMU Data
The VMU Data constitutes Proprietary and Confidential Information and is and shall remain the property and Intellectual Property of VMU and VMU shall retain exclusive rights and ownership of the VMU Data. Without limiting any other warranty or obligation specified in this Agreement, and in particular the confidentiality provisions of this Section 31, during the Term, IBM will not gather, store, log, archive, use or otherwise retain (with the exception of Service Level Agreement information and as otherwise required to meet the audit obligations of this Agreement) any VMU Data in any manner and will not disclose, distribute, sell, share, rent or otherwise transfer any VMU Data to any third party, except as expressly provided in this Agreement or as IBM may be expressly directed in advance in writing by VMU. IBM represents, covenants, and warrants that IBM will use VMU Data only in compliance with (i) this Agreement, (ii) VMU’s then current privacy policies and (iii) all Applicable Laws (including applicable policies and laws related to spamming, privacy, and consumer protection). Notwithstanding anything to the contrary in this Section 31, with respect to safeguarding VMU Data, IBM’s obligations are set forth in Section 17 of this Agreement and IBM’s failure to implement or adhere to such safeguards including VMU’s Data Protection and Privacy Procedures as set forth in Attachment A shall be deemed a breach of Section 17 of this Agreement and shall not be a breach of this Section 31, including for purposes of Sections 25 and 30 of this Agreement.
82
31.5 Compelled Disclosures
Solely to the extent required by Applicable Law, the Receiving Party may disclose Proprietary or Confidential Information, subject to the following conditions: as soon as possible after becoming aware of such Applicable Law, and (if possible) prior to disclosing Proprietary or Confidential Information, the Receiving Party will so notify the Disclosing Party in writing. The Receiving Party will use reasonable efforts not to disclose Proprietary or Confidential Information pending the outcome of any measures taken by the Disclosing Party to contest, otherwise oppose or seek to limit such disclosure and shall disclose no more information than is required. The Receiving Party will cooperate with and provide assistance to the Disclosing Party, at the Disclosing Party’s expense, regarding such measures. Notwithstanding any such compelled disclosure by the Receiving Party, such compelled disclosure will not otherwise affect the Receiving Party’s obligations hereunder with respect to Proprietary or Confidential Information so disclosed.
31.6 Return of Proprietary or Confidential Information
At the Disclosing Party’s written request at any time during the Term or thereafter, or upon expiration or termination of this Agreement for any reason, the Receiving Party will, at the Disclosing Party’s option promptly return to the Disclosing Party and/or erase or destroy all originals and copies of all documents and materials in any media in its (and with respect to IBM, the IBM Personnel’s) possession or control containing the Disclosing Party’s Proprietary or Confidential Information.
31.7 Solicitation of VMU Customers
During the Term and thereafter in perpetuity, IBM agrees not to use the VMU Data, whether directly or indirectly: to target or solicit VMU customers and business partners, as such, on behalf of itself or any third party, including, on behalf of entities in direct competition with VMU or commit any other act or assist others to commit any other act which might injure the business of VMU. IBM agrees that it will not use, disclose, rent, share or sell to others lists containing information obtained in connection with this Agreement about any VMU customers. Nothing contained herein shall preclude IBM from providing services to any VMU customers or business partners who independently contact IBM, who are responding to a general solicitation of IBM, or are contacted by IBM based on information independently derived by IBM.
31.8 Nonexclusive Equitable Remedy
Each Party acknowledges and agrees that due to the unique nature of Proprietary or Confidential Information, there can be no adequate remedy at law for any breach of its obligations hereunder, that any such breach or threatened breach may result in irreparable harm to such Party, and therefore, that upon any such breach or any threat thereof, each Party will be entitled to seek appropriate equitable and injunctive relief from a court of competent jurisdiction without the necessity of posting any undertaking or bond and without first utilizing the procedures in Section 27.
83
| 32. | Audit, Inspection, and Examination of Records |
32.1 Maintenance of Books and Records
IBM shall maintain accurate and complete (i) financial records of its activities and operations relating to this Agreement in accordance with generally accepted accounting principles; and (ii) corporate documents, contractual agreements, employment agreements, and all other documents, agreements, and records relating to this Agreement; sufficient to permit the audits contemplated by this Section 32.
32.2 Audits Authorized by VMU
IBM agrees that VMU, (i) VMU’s regulators, (ii) VMU’s internal auditors; or (iii) VMU’s external auditors or (iv) VMU’s authorized agents which in the case of (iii) and (iv) are not direct competitors of IBM in the IT outsourcing business and have been retained on a non-contingent basis (which such direct competitors shall not be deemed to include the accounting division of accounting firms) (collectively, the “Permitted Auditors”) shall have access to any IBM Service Locations and IBM’s Subcontractors’ locations, and any of IBM’s or IBM’s Subcontractors’ agents, employees or representatives, and the right to examine and audit such IBM Service Locations and IBM’s Subcontractors’ locations, and to examine and audit any and all pertinent materials, including all documents, records, agreements, financial records, time cards and other employment records, relating to the provision of Services under this Agreement for the purpose of: (a) verifying the accuracy of charges and invoices; (b) cooperating with audits and examinations by VMU’s regulatory authorities; (c) validating performance by IBM of its obligations as required by this Agreement; (d) the conduct of IBM operations and procedures; (e) validating compliance with Section 26.11; (f) validating compliance with VMU’s Policies and Procedures; (g) assisting VMU with its compliance with the Xxxxxxxx-Xxxxx Corporate Reform Act, including VMU’s validation and testing of key general computing controls defined in Schedule M; (h) the functionality of the VMU IT Environment; (i) validating IBM’s compliance with IBM’s security obligations under this Agreement; (j) validating that VMU is in compliance with all requirements with any VMU Third Party Vendors and (k) assisting VMU with its compliance with Payment Card Industry reviews and certification, the current requirements for which are set forth in Schedule N, as Schedule N may be changed from time to time pursuant to Section 3.2, including implementation of such requirements applicable to IBM’s scope of work as set forth in Schedule A. IBM shall provide to such auditors and agents any assistance they may reasonably require in connection with such audits and inspections. Except for copies or images of physical evidence required for audit work papers which have been identified by VMU to IBM in writing, all such materials shall be kept and maintained by IBM and IBM’s contractors and shall be made available to VMU during the Term and for a period of two (2) years thereafter unless VMU’s written permission is given to dispose of any such material prior to such time. Any non-regulatory Permitted Auditors shall execute a confidentiality agreement with VMU with provisions which allow VMU to comply with its obligations to IBM hereunder prior to commencing any audit or examination, and shall comply with IBM’s reasonable security requirements. Except as set forth in Section 32.3 below, VMU shall pay any costs and expenses which are payable to the Permitted Auditors. As necessary to conduct the audit, the Permitted Auditors shall have the right to excerpt, copy, or transcribe any and all pertinent documents, agreements, transaction activity, or records relating to the provision of the Services under this Agreement.
84
IBM shall provide to VMU, or individuals or entities authorized by VMU, reasonable office facilities at IBM’s, IBM’s Affiliate’s, or IBM’s Subcontractor’s locations adequate for VMU to exercise its rights under this Section. Neither VMU nor its Permitted Auditors shall have access to IBM’s cost data (unless the Charges are based directly on such cost data) or to confidential or proprietary information of any of IBM’s other customers.
Audits will be conducted (1) expeditiously, efficiently, and at reasonable business hours; and (2) upon reasonable prior written notice, excepting physical security audits, which may be conducted without notice.
32.3 Audit Settlements
If any audit reveals that IBM is not in compliance with any generally accepted accounting principle, insufficient performance of IBM’s obligations under this Agreement relating to the key general computing controls set forth in Schedule M or other requirement of this Agreement, IBM and VMU shall promptly meet to review the audit report, and shall mutually agree upon an appropriate and effective manner in which to respond to identified deficiencies, and implement changes suggested by the audit at IBM’s cost and expense. If corrective action is suggested by an auditor or regulatory authority, and mutually agreed to by the Parties in accordance with the preceding sentence as a IBM responsibility, IBM shall implement such corrective action (at its cost and expense) within the period of time specified by such auditor or regulatory authority. If, at any time during or after the Term, a Permitted Auditor conducts an audit of IBM regarding the work performed under this Agreement, and if the results of such audit find that VMU’s dollar liability for any such work is less than payments made by VMU to IBM for the work that is the subject of the audit then the difference plus the net present value of the difference as incurred calculated using an interest rate equal to 2 percent at the time of audit finding (“Cost of Funds”), which amounts shall be repaid by IBM to VMU by deducting from any amounts due to IBM from VMU, whether under this Agreement or otherwise. If the results of two or more such audits find that VMU’s dollar liability for any such work is less than payments made by VMU to IBM for the work that is the subject of the audit by five percent (5%) or more, then IBM shall also pay VMU’s reasonable costs of audit associated with discovering such difference as provided above for the second such audit and subsequent such audits.
32.4 Internal Audits
Except with respect to the AD/M Services set forth in Part 9 of Schedule A, after transitions/transformation completes and there is a minimum of six months of data under both IBM’s design and operation of controls, at IBM’s sole cost and expense, IBM shall provide a multi-client SAS 70 Type II covering the common processes performed by IBM in delivering, controlling and governing client accounts from the shared IBM delivery centers from an independent third party auditor. IBM shall have these SAS 70 Type II audits performed on an annual basis. IBM shall provide VMU with a written copy of the SAS 70 Type II audit opinion within a reasonable time after the completion of the annual SAS 70 Type II audit). VMU may also request that IBM conduct a SAS70 Type II audit specific to VMU or for a service location
85
or service type for which IBM does not in the normal course of business conduct SAS 70 Type II audits. Any VMU requested audit will be conducted at VMU’s expense in accordance with VMU’s reasonable audit plan and guidelines.
If a SAS 70 Type II audit reveals exceptions in IBM’s design or implementation of a control specified in the Xxxxxxxx-Xxxxx Internal Control Requirements and Process, IBM shall notify VMU promptly upon being advised of such exception, provide the audit report to VMU within the time provided above, and within fifteen (15) days of receipt by IBM of the audit, initiate such corrective action (at its cost and expense) as necessary to remediate the subject control(s) by December 31st of the applicable Contract Year, and with respect to a SAS 70 Type II audit specific to VMU, have the control(s) re-audited and validated by the auditor as functioning effectively in a timeframe sufficient to obtain a clean audit opinion by December 31st, provided that in both the case of multi-client SAS 70 Type II audit and a SAS 70 Type II audit specific to VMU, VMU provides IBM with the necessary consents and reasonable cooperation in accordance with the mutually agreed remediation plan.
| 33. | Assignment and Merger |
33.1 Assignment
Neither Party may assign, voluntarily or by operation of law, any of its rights or obligations under this Agreement without the prior written consent of the other Party and any such assignment not so approved shall be null and void; provided, that VMU may at all times assign any or all of its rights and obligations under this Agreement to any VMU Affiliate or any successor-in-interest to VMU (by merger, operation of law or otherwise) without the prior written consent of the IBM. The Parties understand and agree that the other Party’s consent to any assignment (other than as provided above) may be conditioned upon the proposed assignee’s agreeing in writing to be bound by all the terms and conditions of this Agreement. Subject to the foregoing, this Agreement shall be binding on the Parties and their respective successors and assigns. This Section 33.1 shall not affect VMU’s right to terminate for IBM’s Change in Control as set forth in Section 28.1. IBM may at any time without the consent of VMU assign it rights to receive payment from VMU (“Accounts Receivable”) to any third party on notice to VMU, provided that (i) no such assignment shall relieve IBM of any of its duties or obligations hereunder, including its obligations, if any, to invoice or periodically account for any and all Accounts Receivable or other payments hereunder by VMU, (ii) no Accounts Receivable may be assigned in such a manner as could require VMU to make any periodic or other payments hereunder to more than one payee or to any payee in a jurisdiction or in any manner that could subject VMU or such payment to any tax, or require any payments by VMU (in respect of taxes or otherwise) greater than would be payable by VMU had such Accounts Receivable not been so assigned, (iii) nothing herein shall waive or abrogate any right or remedy of VMU hereunder or at law or in equity to claim any right of offset or recoupment, make any defense (including any defense of payment or failure of consideration), or assert any counterclaim with respect to any Accounts Receivable so assigned, all of which may be asserted by or on behalf of VMU against IBM and/or any assignee, and (iv) payment by VMU to any assignee of which it has been notified with respect to any Accounts Receivable, shall constitute payment in full of such amounts to IBM hereunder.
86
| 34. | Extraordinary Events |
34.1 Defined
As used in this Agreement, an “Extraordinary Event” shall mean a circumstance in which an event or discrete set of events has occurred or is planned with respect to the business of VMU that results or will result in a change in the scope, nature or volume of the Services that VMU will require from IBM, and which is expected to cause the average monthly amount of chargeable resource usage in the Services to increase or decrease by more than thirty-five percent (35%) for the foreseeable future.
Examples of the kinds of events that might cause such substantial increases or decreases include:
A. changes in locations where VMU operates;
B. changes in products of, or in markets served by, VMU;
C. mergers, acquisitions or divestitures by VMU;
D. changes in the method of service delivery, or changes in operational priorities;
E. changes in VMU’s market priorities;
F. unplanned changes in business conditions affecting VMU’s or its Affiliates’ business that materially and negatively impact its or their need for the level of Services provided hereunder; or
G. changes in the number of business units being serviced by IBM that were not anticipated as of the Reference Date.
34.2 Extraordinary Event Pricing
Either Party may notify the other of any event or discrete set of events that it believes constitutes an Extraordinary Event. In the case of an Extraordinary Event, IBM’s fees shall be adjusted in accordance with the following:
A. IBM and VMU will mutually determine on a reasonable basis those resources no longer required by IBM to provide the Services (“Targeted Resource Reductions”) and the costs that can be eliminated or reduced as and when the Targeted Resource Reductions are eliminated (the “Targeted Cost Reductions”).
B. IBM and VMU will mutually determine on a reasonable basis those new or modified resources now required by IBM to provide the Services (“Targeted Resource Additions”) and the costs that would be incurred as and when the Targeted Resource Additions are placed in service (the “Targeted Cost Increases”).
87
C. Immediately upon determination of the Targeted Resource Reductions, IBM will proceed to eliminate the Targeted Resource Reductions as quickly as feasible. Immediately upon determination of the Targeted Resource Additions, IBM will proceed to deploy the Targeted Resource Additions as necessary.
D. As the Targeted Resource Reductions are eliminated, the fees payable will be reduced by the full amount of the Targeted Cost Reductions applicable to the Targeted Resource Reductions as such Targeted Resource Reductions are eliminated, and the fees will be equitably adjusted. As the Targeted Resource Additions are placed into service, the fees payable will be increased by the full amount of the Targeted Cost Increases applicable to the Targeted Resource Additions as such Targeted Resource Increases are added.
34.3 Disputes
If within sixty (60) days following notice under this Agreement, the Parties have not agreed upon an appropriate adjustment to the fees, then VMU shall have the right to terminate the Agreement pursuant to Section 28.5; provided VMU pays any applicable ***.
| 35. | Amendment of Agreement |
No alteration, amendment, or modification of the terms of this Agreement shall be valid or effective unless in writing and signed by IBM and VMU.
| 36. | Waiver |
All waivers under this Agreement shall be in writing in order to be effective. No waiver by a Party of any breach of this Agreement or waiver of any warranty, representation, or other provision hereunder shall be deemed to be a waiver of any other breach, warranty, representation, or provision (whether preceding or succeeding, and whether or not of the same or similar nature), and no acceptance of performance by a Party after any breach by the other Party shall be deemed to be a waiver of any breach of this Agreement or of any representation, warranty, or other provision, whether or not the Party accepting performance knows of such breach at the time of acceptance. No failure or delay by a Party to exercise any right it may have by reason of the default of the other Party shall operate as a waiver of default or modification of this Agreement or shall prevent the exercise of any right of the non-defaulting Party under this Agreement.
| 37. | Independent Contractor |
IBM acknowledges that it is at all times acting as an independent contractor under this Agreement and except as specifically provided herein, not as an agent, employee, or partner of VMU. Each Party covenants and agrees to be solely responsible for all matters relating to compensation of its employees, and to comply with Applicable Laws governing its personnel, including, workers’ compensation, Social Security, withholding and payment of any and all federal, state and local personal income taxes, disability insurance, unemployment, and any other taxes for such persons, including any related employer assessment or contributions required by Applicable Law, and all other regulations governing such matters, and the payment of all salary, vacation and other employee benefits.
88
| 38. | Subcontractors |
38.1 Subcontractors
VMU has relied, in entering into this Agreement, on the reputation of, and on obtaining the personal performance of, IBM itself and IBM approved Subcontractors listed in Schedule O. Consequently, except as provided herein, no performance of this Agreement, or any additional portion thereof, shall be subcontracted by IBM without the prior written consent of VMU in its reasonable discretion. Any attempt by IBM to subcontract any performance, obligation, or responsibility under this Agreement, without such prior written consent of VMU, shall be null and void ab initio and shall constitute a material breach of this Agreement. Notwithstanding the foregoing, IBM may, upon reasonable advance notice to VMU, enter into subcontracts for administrative and back-office tasks without the prior written consent of VMU.
38.2 Request for Approval
If IBM desires to subcontract any portion of its performance, obligations, or responsibilities under this Agreement, IBM shall make a prior written request to VMU for written approval to enter into the particular subcontract. IBM’s request to VMU shall include:
A. The reason(s) for the particular subcontract;
B. A detailed description of the work to be performed by the proposed Subcontractor;
C. Identification of the proposed Subcontractor and an explanation of why and how the proposed Subcontractor was selected; and
D. Any other information reasonably requested by VMU.
38.3 Review of Request
VMU will review IBM’s request to subcontract and determine, in its sole and absolute discretion, whether or not to consent to such request on a case-by-case basis.
38.4 IBM Obligations Remain Unchanged
IBM shall remain responsible to VMU for any and all performance required under this Agreement by IBM or IBM Personnel, including, the obligation to properly supervise, coordinate, and perform all work required under the Services, and no subcontract shall bind or purport to bind VMU or excuse IBM of performance. IBM shall be solely liable and responsible for any and all payments and other compensation to, and the performance of, all Subcontractors and their officers, employees, agents, and independent contractors.
38.5 Approval and Removal of Subcontractor Personnel
In the event VMU consents to any subcontracting, such consent shall be subject to VMU’s right to give prior and continuing approval of any and all Subcontractor personnel
89
providing services under such subcontract. IBM shall assure that any Subcontractor personnel not approved in writing by VMU shall be immediately removed from the provision of any services under the particular subcontract or that other action is taken as requested by VMU.
VMU may revoke approval of a Subcontractor previously approved, if (i) a Subcontractor is acquired by or otherwise becomes affiliated with a competitor of VMU; (ii) the Subcontractor’s performance has been materially deficient; (iii) good faith doubt exists concerning the Subcontractor’s ability to render future performance; (iv) there have been material misrepresentations by or concerning the Subcontractor; or (v) VMU determines, in its reasonable discretion, that any such Subcontractor poses a threat or harm to VMU or any of VMU’s employees. Upon such revocation or objection, IBM shall remove such subcontractor from performing the Services.
| 39. | Interpretation of Agreement |
39.1 Conflict Between Agreement and Schedules
Schedules A through N are attached to, incorporated herein by reference, and form a part of this Agreement. Schedules A through N are referred to individually and collectively below as the “Schedules”. The Schedules attached to the Schedules are also incorporated herein by reference, and form a part of this Agreement.
In the event of any conflict or inconsistency in the definition or interpretation of any word, responsibility, schedule, or the contents or description of any task, subtask, deliverable, goods, service, or other work, or otherwise, between the body of this Agreement, the Schedules, and/or Schedules, between Schedules, or between Schedules such conflict or inconsistency shall be resolved by giving precedence first to the body of this Agreement, and then to the Schedules.
39.2 Choice of Law
This Agreement and performance under it shall be governed by and construed in accordance with the laws of the State of New York, without the application of its conflict of laws provisions.
39.3 Venue and Jurisdiction
The Parties agree that all actions or proceedings arising in connection with this Agreement shall be tried and litigated exclusively in the state or federal (if permitted by law and a Party elects to file an action in federal court) courts located in New York City, New York. This choice of venue is intended by the Parties to be mandatory and not permissive in nature, and to preclude the possibility of litigation between the Parties with respect to, or arising out of, this Agreement in any jurisdiction other than that specified in this Section 39.3. Each Party waives any right it may have to assert the doctrine of forum non conveniens or similar doctrine or to object to venue with respect to any proceeding brought in accordance with this Section 39.3. Notwithstanding the foregoing, if any action or proceeding outside of the state or federal courts in New York City, is necessary to collect or enforce any order, injunction, award or judgment of the United States court, there shall be no contractual restriction on the jurisdiction or venue for such action or proceeding. Each Party waives any right it may have to a trial by jury.
90
39.4 Agreement Drafted by All Parties
This Agreement is the result of arm’s length negotiations between the Parties and shall be construed to have been drafted by all parties such that any ambiguities in this Agreement shall not be construed against either Party.
39.5 Terminology
All personal pronouns used herein, whether used in the feminine, masculine, or neuter gender, shall include all other genders, and the singular shall include the plural and vice versa. Unless otherwise expressly stated, the words “herein,” “hereof,” and “hereunder” and other words of similar import refer to this Agreement as a whole and not to any particular Section, subsection or other subpart.
39.6 Section Headings
The section headings contained herein are for convenience in reference and are not intended to define or limit the scope of any provision of this Agreement.
39.7 Counterparts
This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and will become binding upon the Parties as of the Signature Date at such time as all the signatories hereto have signed a counterpart of this Agreement.
39.8 Appointment of Agent for Service of Process
During the Term of this Agreement and for a period of two (2) years thereafter, IBM shall maintain, for each Affiliate rendering Services under this Agreement, registered agents authorized to receive service of process within the State of New York, and shall provide the name and street address of such registered agents to VMU within thirty (30) days of the Signature Date and any change during the Term.
| 40. | Notices |
Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing: (1) by personal delivery; (2) by electronic facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery company; or (4) by United States first class registered or certified mail, postage prepaid, return receipt requested, in each case, addressed to the Parties as follows (or to such other addresses as the Parties may request in writing by notice given pursuant to this Section):
| If to IBM, to: |
|
|||||
|
|
||||||
| Attn: [IBM Project Executive] | ||||||
91
| with a copy to: | IBM-GTS | |||||
| 000 Xxxxx 000 | ||||||
| Xxxxxx, XX 00000-0000 | ||||||
| Attn: VP and Assistant General Counsel | ||||||
| If to VMU, to: | Virgin Mobile USA, L.P. | |||||
| 00 Xxxxxxxxxxxx Xxxx. | ||||||
| Xxxxxx, XX 00000 | ||||||
| Attn: General Counsel | ||||||
Notices shall be deemed received on the earliest of personal delivery, upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed, twenty-four (24) hours following deposit with a bonded courier or overnight delivery company; or seventy-two (72) hours following deposit in the U.S. Mail as required herein.
| 41. | Entire Agreement |
This Agreement contains the entire agreement between IBM and VMU with respect to the subject matter of this Agreement, and it supersedes all other prior and contemporary agreements, understandings, and commitments between IBM and VMU with respect to the subject matter of this Agreement.
| 42. | Severability |
If any provision of this Agreement is found to be invalid or unenforceable by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without invalidating the remaining provisions hereof.
| 43. | Electronic Transfer of Intellectual Property |
Whenever practical, IBM agrees to deliver Software deliverable under this Agreement including any updates or patches, via download, File Transfer Protocol (FTP), or through the use of IBM’s copy of the tangible software media. Notwithstanding anything to the contrary in Section 3.3 (Documentation), upon completion of such delivery, IBM shall remove the tangible software media and not provide any of the tangible software media to VMU.
| 44. | Force Majeure |
Neither Party shall be liable for any delay or failure to perform (i) if and to the extent such delay or failure arises from an act of God or of the public enemy, act of civil disobedience, epidemic, war, or insurrection; and (ii) provided the non-performing Party is without fault and the delay or failure could not have been prevented by reasonable precautions. In such event, the non-performing Party is excused from further performance for as long as such circumstances prevail and the Party continues to use commercially reasonable efforts to recommence performance and mitigate the impact of its non-performance. Any Party so delayed shall promptly notify the other Party and describe the circumstances causing the delay. If an event substantially prevents or delays performance of any Services necessary for the performance of any critical VMU functions for more than five (5) consecutive days, VMU, at its sole discretion,
92
may procure such Services from an alternate source, and IBM will pay to VMU the amount, if any, in which payment of fees to the alternate source exceed the charges VMU would have to pay to IBM under this Agreement for a period not to exceed six (6) months. If an event substantially prevents or delays performance of a Service for more than five (5) consecutive days, and such prevention or delay materially adversely impacts VMU’s business and IBM fails to provide a temporary alternative reasonably acceptable to VMU, VMU, at its sole discretion, may (i) terminate the portion of the Agreement affected by the nonperformance and the charges shall be equitably adjusted; or (ii) if a material portion of the Services are prevented or delayed then VMU may terminate the entire Agreement as of the date specified by VMU in a written notice to IBM without payment of Termination Charges as set forth in Schedule C but VMU shall pay only the Unrecovered Startup Charges and the severance charges set forth in section (iii) of the definition of Wind Down Charges. IBM shall not have the right to any additional payments from VMU as a result of any force majeure occurrence. The existence of a force majeure event shall not relieve IBM of its obligation to execute VMU’s business continuity plan and disaster and recovery plan for VMU, or to pursue its best practice processes, except to the extent that execution of the business continuity plan, disaster and recovery plan, or operation restoration activity is itself prevented by the force majeure event.
| 45. | Liens |
IBM agrees to keep VMU, all of the real and personal property of VMU, and the Services free and clear of all liens or lien claims. Should any lien or lien claim be asserted for any reason, VMU may, at its sole discretion (i) pay the amount of such lien or lien claim; (ii) deduct such amounts from payments due to IBM; and/or (iii) require IBM to obtain a properly executed release of lien satisfactory to VMU.
| 46. | No Publicity |
IBM shall not refer to the existence of this Agreement nor use the name or trademarks of VMU or any of its Affiliates in any press release, advertising, publicity, or any materials distributed to prospective customers or its current customers, without the prior written consent of VMU in each instance.
[Signature Page Follows]
93
IN WITNESS WHEREOF, the Parties have executed this Agreement to become effective as of the Reference Date.
| VIRGIN MOBILE USA L.P. | INTERNATIONAL BUSINESS MACHINES CORPORATION | |||||
| By: | /s/ Xxxxxx X. Xxxxxxxx |
By: | /s/ Xxxxx X’Xxxx | |||
| Name: | Xxxxxx X. Xxxxxxxx | Name: | Xxxxx X’Xxxx | |||
| Title: | Chief Executive Officer | Title: | Director | |||
| Date: | 7/2/08 | Date: | ||||
94
between
VMU and IBM
Schedule A
Statement of Work (Services)
Table of Contents
| Part 1: Delivery Management Services | 6 | |||
| 1. | Introduction | 6 | ||
| 1.1 | Definitions | 6 | ||
| 2. | Services Management | 11 | ||
| 2.1 | Process Interface Manual | 11 | ||
| 2.2 | Processes | 13 | ||
| 3. | IBM Environment | 16 | ||
| 4. | Service Hours | 17 | ||
| 5. | Tools | 18 | ||
| Part 2: Asset Services | 20 | |||
| 1. | Introduction | 20 | ||
| 2. | Initial Asset Inventory | 20 | ||
| 3. | Asset Tracking | 23 | ||
| Part 3: Help Desk Services | 25 | |||
| 1. | Introduction | 25 | ||
| 2. | Help Desk Services | 25 | ||
| 2.1 | General | 25 | ||
| 2.2 | Self Help | 27 | ||
| 3. | Data Center, Intel and UNIX Server Services, Data Network Services, and Voice Network Services | 28 | ||
| 4. | End User Services | 29 | ||
| IBM/VMU Confidential | Schedule A (Services) | Page 1 of 109 |
| 5. | AD/M Services | 29 | ||||
| Part 4: Deskside Services | 32 | |||||
| 1. | Introduction | 32 | ||||
| 2. | Desktop Support Services | 32 | ||||
| 2.1 | Deskside Support Services | 32 | ||||
| 2.2 | Hardware Maintenance Services | 33 | ||||
| 3. | Install, Move, Add, Change Services | 35 | ||||
| 4. | Refresh Services | 39 | ||||
| 5. | Electronic Software Distribution (ESD) | 39 | ||||
| 6. | Software Packaging | 43 | ||||
| Part 5: Server Systems Management Services | 44 | |||||
| 1. | General Services | 44 | ||||
| 1.1 | Server Operations | 44 | ||||
| 1.2 | Automated Operations Support | 45 | ||||
| 1.3 | Server Planning Support | 45 | ||||
| 1.3.1 | Hardware and Facilities Planning | 45 | ||||
| 1.3.2 | Configuration Management | 46 | ||||
| 1.3.3 | Change Management | 46 | ||||
| 1.3.4 | Performance Management | 47 | ||||
| 1.3.5 | Capacity Planning | 48 | ||||
| 1.3.6 | Problem Management | 48 | ||||
| 1.3.7 | Installation and Maintenance Services | 49 | ||||
| 1.3.8 | Availability Management | 50 | ||||
| 1.3.9 | Data Management | 50 | ||||
| 1.4 | Database Subsystem Support | 51 | ||||
| 1.4.1 | Database Software Support and Operations | 51 | ||||
| 1.4.2 | Database Administration | 51 | ||||
| 1.5 | Data Communication Software Support and Operations | 52 | ||||
| 1.6 | Middleware Software Support and Operations | 53 | ||||
| 1.7 | Production Batch Operations | 54 | ||||
| 1.7.1 | Production Batch Job Scheduling | 54 | ||||
| 1.7.2 | Production Batch Monitoring and Restart | 54 | ||||
| 1.7.3 | Application Library Management | 55 | ||||
| 2. | Intel and UNIX Server Services | 55 | ||||
| 2.1 | Introduction | 55 | ||||
| 2.2 | Platform Support | 55 | ||||
| 2.3 | Refresh | 56 | ||||
| IBM/VMU Confidential | Schedule A (Services) | Page 2 of 109 |
| Part 6: Storage Management Services | 57 | |||||
| 1. | Managed Storage | 57 | ||||
| 1.1 | File Management | 57 | ||||
| 1.2 | Storage Environment Management | 57 | ||||
| 1.3 | Backup and Restore | 58 | ||||
| 2. | Media Management | 58 | ||||
| 2.1 | Tape Media Management and Operations | 58 | ||||
| 2.2 | Portable Media Handling | 59 | ||||
| 2.3 | Offsite Storage | 59 | ||||
| Part 7: Data Network Services | 61 | |||||
| 1. | Introduction | 61 | ||||
| 2. | IBM’s LAN Responsibilities | 61 | ||||
| 3. | VMU Responsibilities | 62 | ||||
| Part 8: Enterprise Security Management Services | 63 | |||||
| 1. | Introduction | 63 | ||||
| 2. | Security Compliance and Regulatory | 63 | ||||
| 2.1 | Security Policy Management | 63 | ||||
| 2.2 | Security Compliance Support | 64 | ||||
| 2.3 | Security Audit Management | 64 | ||||
| 2.4 | Regulatory Program Management | 65 | ||||
| 3. | Security Management | 65 | ||||
| 4. | Infrastructure Protection | 66 | ||||
| 4.1 | Emergency Response Services | 66 | ||||
| 4.2 | X-Force Threat Analysis Services | 67 | ||||
| 4.3 | Managed Intrusion Detection and Prevention Services | 67 | ||||
| 4.4 | Managed Protection Services | 68 | ||||
| 4.4.1 | Server | 68 | ||||
| 4.4.2 | Desktop | 69 | ||||
| 4.5 | Security Event and Log Management Services | 70 | ||||
| 4.6 | RSA Security | 70 | ||||
| 4.7 | E-mail Security | 71 | ||||
| 5. | System Security Currency | 72 | ||||
| 5.1 | System Security Checking | 72 | ||||
| 5.2 | Security Advisory and Integrity | 72 | ||||
| 5.3 | Malware Defense Management | 73 | ||||
| 5.4 | Vulnerability Management Services | 73 | ||||
| 5.5 | Information Security Assessment | 74 | ||||
| IBM/VMU Confidential | Schedule A (Services) | Page 3 of 109 |
| 6. | Identity and Access | 75 | ||||
| 6.1 | Management of Privileged User IDs and IBM User IDs | 75 | ||||
| 6.2 | Password Management for VMU User IDs | 76 | ||||
| 6.3 | VMU User ID Lifecycle Administration | 76 | ||||
| 6.4 | VMU User ID Administration Compliance Support | 76 | ||||
| 6.5 | Physical Security and Access Management | 77 | ||||
| 7. | Additional Security Terms | 78 | ||||
| 7.1 | General | 78 | ||||
| 7.2 | Permission to Perform Testing | 78 | ||||
| 7.3 | Other Security Services | |||||
| Part 9: AD/M Services | 80 | |||||
| 1. | Introduction | 80 | ||||
| 2. | AD/M Operational Services | 80 | ||||
| 2.1 | General Responsibilities | 80 | ||||
| 2.2 | Allocation of AD/M Resources | 80 | ||||
| 2.3 | Applications Project | 81 | ||||
| 2.3.2 | IBM Responsibilities | 81 | ||||
| 2.3.3 | VMU Responsibilities | 83 | ||||
| 3. | Application Methodologies, Standards and Architecture | 84 | ||||
| 4. | Application Planning and Analysis Services | 85 | ||||
| 5. | Application Development Services | 87 | ||||
| 5.1 | In-Progress Application Development Projects | 87 | ||||
| 5.2 | Other IBM Support | 87 | ||||
| 5.2.2 | Application Release Management | 88 | ||||
| 5.2.3 | Technical Relationship Management | 90 | ||||
| 5.2.4 | Engineering (Voice, Data Services, Messaging) | 91 | ||||
| 5.2.5 | Express Table Management | 92 | ||||
| 5.2.6 | Customer Profile Update (CPU) | 93 | ||||
| 5.2.7 | Database Report Requests | 93 | ||||
| 5.2.8 | Customer Communication Requests | 93 | ||||
| 6. | Application Testing Services | 94 | ||||
| 6.1 | Application Testing | 94 | ||||
| 6.2 | User Acceptance Testing | 94 | ||||
| 7. | Application Implementation Management | 95 | ||||
| 7.2 | Training and Education | 96 | ||||
| 8. | Application Maintenance Services | 96 | ||||
| 8.1 | Corrective Maintenance | 96 | ||||
| IBM/VMU Confidential | Schedule A (Services) | Page 4 of 109 |
| 8.2 | Preventative Maintenance | 97 | ||||
| 8.3 | Adaptive Maintenance | 98 | ||||
| 8.4 | Software Release Packaging | 98 | ||||
| 8.5 | Technical and End User Support | 99 | ||||
| 8.6 | Monitoring and Reporting | 99 | ||||
| 9. | AD/M Management | 99 | ||||
| 9.1 | Application Project Management | 99 | ||||
| 9.2 | Capabilities Management | 100 | ||||
| 9.3 | Application Source Code Security | 101 | ||||
| 9.4 | Data Interfaces | 101 | ||||
| 9.5 | Existing or New Application Integration | 101 | ||||
| 10. | Application Quality Assurance of AD/M Services | 101 | ||||
| Part 10: Intentionally Deleted | 103 | |||||
| Part 11: Voice Network Services | 104 | |||||
| 1. | General Services | 104 | ||||
| 2. | Phone Services | 104 | ||||
| 2.1 | Phone Engineering | 104 | ||||
| 2.2 | ACD | 104 | ||||
| 2.3 | Voice Mail | 105 | ||||
| 2.4 | IVR / Call Processing | 105 | ||||
| Part 12: Network Operating Center | 106 | |||||
| 1. | General Services | 106 | ||||
| 1. | Network Operations Services | 106 | ||||
| Exhibit -1: Tools | 108 | |||||
| Exhibit-2: VMU Data Retention Policy | 109 | |||||
| IBM/VMU Confidential | Schedule A (Services) | Page 5 of 109 |
Part 1: Delivery Management Services
| 1. | INTRODUCTION |
This Schedule describes the duties and responsibilities of IBM and VMU related to IBM’s provision of the Services.
| 1.1 | DEFINITIONS |
| a. | Application Development – means the programming of: 1) any new Applications; 2) version upgrades to Applications; 3) changes or enhancements to existing Applications; and 4) Application Enhancements. Programming effort will include the pre-development and post-development analysis, planning, design, coding, testing, installation, provision of a single set of program and training documentation per Applications program and training necessary to complete the task. |
| b. | Application Development and Maintenance or AD/M – means both Application Development and Application Maintenance. |
| c. | Application Enhancement – means the introduction of change (i.e., regulatory and/or compliance, new capability / requirement) that modifies or adds functionality to an Application. |
| d. | Application Maintenance – means: 1) defect identification and fixes (i.e., software break / fix); and 2) installation of those fixes and updates provided by the Application vendor as part of normal maintenance service for which there is no additional charge to IBM, for the Applications specified in Schedule F (Software). |
| e. | Application Operations – means end to end monitoring of Applications and supported services, detection of incidents impacting such services, detailed root cause analysis and faultfinding, planning and remediation of incidents leading to resolution in a timely and effective manner. |
| f. | Approved Variance – means a deviation from the Standard Products mutually agreed to by VMU and IBM and eligible for the Services. |
| g. | Call Center – means the subscriber/customer call center operated by VMU that is open to the general public to provide assistance for VMU services. |
| h. | Call Service Time – means the time spent by IBM in handling a Help Desk call. It begins when the Help Desk agent answers the call and includes talk time and non-talk and administrative time to log the call. It ends when the Help Desk agent is no longer responding to or logging such call. |
| i. | Critical Function – means a Supported Server, Supported Desktop, LAN Device, Firewall Device, system, network or application that VMU has identified in writing in |
| IBM/VMU Confidential | Schedule A (Services) | Page 6 of 109 |
| advance as having a critical impact on VMU’s business operations and for which appropriate critical recovery plans (for example, uninterruptible power supply, loaners, mirrored disks, on-site hot spares, redundant network connections) are in place to allow restoration of the Critical Function within the established Service Level. The Critical Functions (which could be, for example, those systems for which failure would have aprobability of severely impacting VMU’s business operations and/or a high percentage of End Users or VMU customers) are set forth in Schedule B and will be elaborated and added to in the Process Interface Manual. |
| j. | Current or Currency – means, with respect to a Standard Product, at a minimum, its manufacturer or licensor provides generally available support for such Standard Product. |
| k. | Disaster – means any unplanned interruption of information processing for VMU, whether due to causes beyond the control of VMU or IBM, that significantly impairs the ability of IBM to operate the Critical Functions at the Data Center. Examples are: 1) loss of the building to fire; 2) loss of power to the facility due to hurricane damage; and 3) inability to access the facility due to a chemical spill, and 4) sabotage. |
| l. | Electronic Software Distribution or ESD – means the electronic distribution of a defined set of software Standard Products (but excluding operating system and network operating system software) bundled as a package and distributed to Supported Servers through a single, centralized electronic distribution process. |
| m. | End Users – means users of Services who are employees of VMU and contractors. |
| n. | Firewall Device – means a device to control access across the Data Network to keep VMU’s network secure and used by IBM to provide firewall management Services as set forth in the Part entitled “Data Network Services” of this Schedule A. Firewall Device(s) will be identified in Schedule G (Equipment). |
| o. | First Call Resolution – means the Help Desk representative completes the Help Desk responsibilities as set forth in the Part entitled “Help Desk Services” of this Schedule A while the End User is on the phone with his first call (excluding calls that require order placement, on-site Services, administrative tasks that require VMU’s authorization, and requests for problem assistance or requests for Services received by the Help Desk by means other than telephone, for example, e-mail, fax). |
| p. | Help Desk – means the help desk operated by IBM as specified in Schedule A to provide assistance to VMU employees and contractors. |
| q. | IPT – means Internet protocol telephony. |
| r. | IVR – means interactive voice response. |
| s. | LAN Device – means a network connection device on a LAN such as a bridge, hub, router, or switch located within a Facility for which IBM will provide the Data Network Services and such device will be set forth in Schedule G (Equipment). |
| IBM/VMU Confidential | Schedule A (Services) | Page 7 of 109 |
| t. | Level 0 – means, with respect to Help Desk support responsibilities, a call-taker (can be an operator or a VRU) that takes the call and queues it, but does not attempt to resolve it. |
| u. | Level 1 – means, with respect to Help Desk and NOC support responsibilities: 1) answering the incoming call; 2) recording all calls; 3) gathering the End User information; 4) obtaining resource status; 5) accessing on-line information; 6) responding to End User requests for information; 7) handling routine product usage problems; 8) transferring calls to the appropriate support group; 9) dispatching on-site assistance; 10) opening the call record; 11) informing the End User of the status of a call; 12) calling the End User for further information; and 13) closing the call record. |
| v. | Level 2 – means, with respect to Help Desk and NOC support responsibilities: 1) closing problem calls not closed by Level 1, exclusive of product defects; 2) documenting all actions in the call record; 3) calling the End User for further information; 4) performing root cause analysis, as required; 5) working with vendors (as appropriate) to resolve problems; 6) making recommendations for process and tool improvements; 7) contacting other support groups and organizations, as required; 8) dispatching on-site assistance, if needed; 9) interfacing with other systems, networks and operating system environments personnel; and 10) routing calls to other levels of support, as required. |
| w. | Level 3 – means, with respect to Help Desk and NOC support responsibilities: 1) the on-site diagnosis and repair required to close the problem; 2) documenting all actions in the call record; 3) performing root cause analysis, as required; 4) working with vendors (as appropriate) to attempt to resolve problems; 5) making recommendations for process and tool improvements; and 6) contacting other support groups or organizations, as required. |
| x. | Local Area Network or LAN – means the configuration (hardware components, software, and communications devices) used to transmit and receive data signals within a facility. |
| y. | Maintenance Release – means those Software fixes and updates provided by the Software vendors as part of normal maintenance service for the Software for which there is no charge by such vendors in addition to periodic maintenance charges, if any. |
| z. | Major Incident – means an unplanned situation that impacts critical or essential Services causing severe disruption or extreme impact, resulting in such Services being unavailable. |
| aa. | Nonstandard Product – means hardware or software, which is not a Standard Product. |
| bb. | OEM – means original equipment manufacturer. |
| IBM/VMU Confidential | Schedule A (Services) | Page 8 of 109 |
| cc. | Packet Internet Groper or PING – means the program used to test accessibility of a destination by sending it an echo request and waiting for a reply. |
| dd. | Problem Resolution Time – means the elapsed time measured from the time at which a problem related to the Services is identified, received and recorded by IBM in the problem tracking database and, 1) with respect to Severity Xxxxx 0 and Severity Level 2 problems, until the time at which the affected Critical Function or network is operational (though possibly at reduced functionality) and an action to identify, obtain, or create and schedule implementation of a permanent fix is underway; or 2) with respect to Severity Xxxxx 0 and Severity Level 4 problems, until the time at which an action to identify, obtain, or create and schedule implementation of a permanent fix is underway. |
| ee. | Severity Code – means the severity designation assigned to a problem call (for example, Severity Xxxxx 0, Xxxxxxxx Xxxxx 0). |
| ff. | Severity Level 1 – means that there is a Critical Function or network outage causing severe impact on service delivery and a material adverse impact on VMU’s business operations and no alternative or bypass is available. |
| gg. | Severity Level 2 – means that a Critical Function or network is down, degraded or unusable with a potential severe impact on service delivery and no acceptable alternative or bypass is available. |
| hh. | Severity Level 3 – means that a non-critical function (i.e., system, application) or procedure is down, unusable or difficult to use with some operational impact, but no immediate impact on service delivery and an alternative or bypass is available. Problems that would otherwise be considered Severity Level 1 or Severity Level 2 but that have an acceptable alternative or bypass available will also be designated a Severity Level 3. |
| ii. | Severity Level 4 – means that a personal application or procedure (not critical to VMU) is unusable, and either an alternative is available or deferred maintenance is acceptable. |
| jj. | Stand-alone Machines – means distributed technology equipment that is: 1) in use, but not dedicated to a particular desktop configuration, such as shared printers, hubs, and routers; or 2) in inventory, stored, or otherwise not in use. |
| kk. | Standard Products – means the hardware and software for which IBM will provide the End User Services and Server Systems Management Services and that are set forth in Schedule H (Standards). |
| ll. | Supported Desktop – means an End User free-standing or portable microcomputer, which consists of a system unit, a display monitor, a keyboard, a mouse, and internal fixed disk storage for which IBM will provide the End User Services. Supported Desktops are listed in Schedule H (Standards). |
| IBM/VMU Confidential | Schedule A (Services) | Page 9 of 109 |
| mm. | Supported Desktop Software – means the software residing on a Supported Desktop, including all supporting documentation and media that IBM will support. Supported Desktop Software is listed in Schedule H (Standards). |
| nn. | Supported Server – means a device that provides shared LAN resources (for example, printer, fax, application, mail, data backup, and associated peripheral equipment some of which may be connected to Supported Desktops) for which IBM will provide the Server Systems Management Services. Supported Servers are listed in Schedule H (Standards). |
| oo. | Supported Server Software – means those programs and programming operating on the Supported Servers, including all supporting documentation and media, that perform tasks basic to the functioning of the Supported Servers (including communications with Supported Desktops and the Data Network) or otherwise support the provision of Services by IBM. Supported Server Software is listed in Schedule H (Standards). |
| pp. | Systems Software – means the programs, supporting documentation and media that: 1) perform tasks basic to the functioning of data processing and telecommunication; 2) are required to operate the Applications; and 3) are listed as Systems Software in Schedule F (Software). |
| qq. | User ID – means a string of characters (i.e., a user name or a password) that uniquely identifies a user to a system and enables access to a system or specific data residing on a system. |
| rr. | Voice Network – means all Equipment and associated controllers, multiplexers, modems, channel banks, carrier services, lines and cabling, together with all software related thereto, used to transmit voice traffic, but does not include the Data Network. |
| ss. | VoIP – means voice over Internet protocol. |
| tt. | VMU Focal Point – means the individual designated by VMU to act as the single point of contact within a specified Services area or VMU Service Location to whom IBM may direct all communications related to such Services area. |
| uu. | VPN – means virtual private network. |
| vv. | VRU – means voice response unit. |
| ww. | WAN Device – means a set of hardware components controlled by software (for example, switches, routers, gateways) that allows a number of devices to connect to each other or to be connected to other LANs via routers and communicate using various data types, formats and communications protocols. Typically, a WAN Device connects devices such as client workstations, servers, printers, or communications controllers across a telecommunications provider facility. WAN Devices will be set forth in Schedule G (Equipment). |
| IBM/VMU Confidential | Schedule A (Services) | Page 10 of 109 |
| xx. | Wide Area Network or WAN – means the configuration (hardware components, software, and communications devices) used to transmit and receive data signals between Facilities. The WAN configuration for each Facility for which IBM will provide the Services is listed in Schedule I (Facilities). |
| 2. | SERVICES MANAGEMENT |
| 2.1 | PROCESS INTERFACE MANUAL |
| a. | IBM will prepare the Process Interface Manual as follows: |
| (1) | IBM will develop a draft of the Process Interface Manual, reflecting the process interfaces for the Services, and provide such draft to VMU within three (3) months after the Signature Date. Within ten Business Days following VMU’s receipt of the draft Process Interface Manual, VMU will provide to IBM, in writing, VMU’s consolidated comments, questions and proposed changes to the Process Interface Manual and IBM will incorporate any reasonable comments and changes proposed by VMU. |
| (2) | IBM will provide VMU with the final version of the Process Interface Manual by not later than November 14, 2008. |
| (3) | During the Term, VMU and IBM will jointly review the Process Interface Manual on an annual basis or more frequently, as required, and IBM will update and maintain the Process Interface Manual accordingly. |
| (4) | IBM will provide VMU access to the Process Interface Manual during the Term for VMU’s use, review, and comment. |
| b. | The Process Interface Manual will: |
| (1) | provide a high level overview of the processes requiring VMU’s involvement (for example, Change Management, Problem Management); |
| (2) | be used by IBM to provide the Services; |
| (3) | identify the process interfaces; and |
| (4) | describe how VMU and IBM will interact during the Term. |
| c. | Until such time as VMU and IBM complete and approve the Process Interface Manual, IBM will use VMU’s current processes and procedures existing as of, and delivered to IBM prior to, the Reference Date to the extent that such processes and procedures are applicable to the new operating environment. In the event that VMU does not have existing processes and procedures as of the Reference Date or such processes and procedures do not apply to the new operating environment, IBM will |
| IBM/VMU Confidential | Schedule A (Services) | Page 11 of 109 |
| document the processes and procedures required by IBM to perform the Services. The final Process Interface Manual will supersede all prior processes and procedures unless otherwise specified. |
| d. | IBM Responsibilities |
IBM will:
| (1) | assign an individual to be the single point of contact to VMU for the Process Interface Manual development and maintenance; |
| (2) | develop and provide VMU the draft Process Interface Manual, which will be customized by IBM to reflect the process interfaces between VMU and IBM; |
| (3) | review VMU feedback and revise the draft Process Interface Manual to incorporate mutually agreed changes; |
| (4) | upon VMU’s request, communicate IBM’s rationale for not including specific VMU comments or changes in the Process Interface Manual; |
| (5) | provide the final version of the Process Interface Manual to VMU via e-mail; |
| (6) | conduct process maturity assessments, identify process inhibitors, and propose process improvements to VMU, as required; |
| (7) | jointly review the Process Interface Manual on an annual basis or more frequently, as required, and update and maintain the Process Interface Manual accordingly; and |
| (8) | provide appropriate IBM Personnel with access to the Process Interface Manual, as required. |
| e. | VMU Responsibilities |
VMU will:
| (1) | assign an individual to be the single point of contact to IBM for the Process Interface Manual development and maintenance; |
| (2) | review and approve the proposed table of contents and format for the Process Interface Manual; |
| (3) | review and provide to IBM, in writing, VMU’s comments, questions and proposed changes to the draft Process Interface Manual; |
| (4) | request IBM’s rationale for not including specific VMU comments or changes in the Process Interface Manual, as appropriate; |
| IBM/VMU Confidential | Schedule A (Services) | Page 12 of 109 |
| (5) | acknowledge VMU’s receipt of the final version of the Process Interface Manual; |
| (6) | identify process inhibitors and propose process improvements to IBM, as appropriate; |
| (7) | jointly review the Process Interface Manual on an annual basis or more frequently, as required; and |
| (8) | provide appropriate VMU employees with access to the Process Interface Manual, as required. |
| 2.2 | PROCESSES |
IBM will provide to VMU, and the Parties will mutually agree on and use, the following processes for managing the Services. The Service Management Processes and Service Delivery Processes, set forth below and further defined in the Process Interface Manual, will apply, in some combination, to all the Services and will be implemented, as described in this Schedule.
| 2.2.1 | Service Management Processes |
The following Service Management Processes will be used by VMU and IBM for managing the Services:
| a. | Change Management is the process for planning, testing, coordinating, implementing and monitoring changes affecting service delivery and the operating environments without adversely impacting service delivery. |
| b. | Customer Communications Requests is the process for implementing minor enhancements for end users. |
| c. | Customer Profile Update is the process for updating tables. |
| d. | Database Report Requests is the process for specific database reporting. |
| e. | Escalation Management is the process for escalating and resolving issues associated with requests, incidents, and problems (for example, change requests, incident resolution requests). |
| f. | Incident Management is the process for minimizing the impact of Incidents affecting the availability of the Services, which is accomplished through active monitoring, analysis, tracking, and prevention of Incidents. |
| g. | Major Incident Management is the process for minimizing the impact of Major Incidents. This process includes the coordination of service remediation or recovery, notification and escalation, business mitigation planning, and outage review for a Major Incident and applies to all Major Incidents that IBM is responsible to manage (including Major Incidents for which IBM is responsible that are resolved by a Third Party or Subcontractor). |
| IBM/VMU Confidential | Schedule A (Services) | Page 13 of 109 |
| h. | The Measurements and Reporting process provides measurements to management and other service delivery processes to satisfy measurement requirements and comply with strategies, business needs, and key directions (in terms of quality, cost, performance, and resource control). This process is used to deliver contractually required service delivery and support measurements associated with the Service Levels and includes management and control of the computation, storage, and delivery of formatted data, indicators and reports to the users of such measurements. |
| i. | Problem Management is the process for identifying, recording, tracking, correcting and managing problems impacting service delivery, recognizing recurring problems, addressing procedural issues and containing or minimizing the impact of problems that occur. |
| j. | Recovery Management is the process for planning, establishing and testing the recovery procedures required to re-establish the functionality of systems included in the Services in the event of a system failure. This process also addresses the monitoring, assessing, and reporting of the test results to management. The intent of this process is to anticipate and minimize the impact of systems resource failure through the development of predefined, documented procedures and software/hardware recovery capabilities. VMU and IBM will agree on the procedures for recovery. |
| k. | Service Level Management is the process for monitoring and tracking performance against the Service Levels. |
| 2.2.2 | Service Delivery Processes |
The following Service Delivery Processes will be used by VMU and IBM for managing IBM’s delivery of the Services:
| a. | Asset Tracking is the process used to maintain a record of the Equipment for the environment which IBM is providing Services. |
| b. | Availability Management is the process for coordinating the appropriate skills, information, tools and procedures required to manage the availability of interactive networks and their supporting hardware and software components. |
| c. | Backup and Recovery Management is the process for backing up data files and recovering such data to its original location in the event of data loss and includes planning, testing, and implementing procedures and standards required to provide the Services in the event of a failure. |
| d. | Batch Management is the process for controlling production batch applications, including the scheduling of resources and the processing set up for data and transactions. |
| IBM/VMU Confidential | Schedule A (Services) | Page 14 of 109 |
| e. | Capacity Planning is the process for planning for adequate IT resources required to fulfill current and future resource requirements and includes planning for the efficient use of existing IT resources and identifying any change in the type and quantity of IT resources necessary to perform the Services. |
| f. | Configuration Management is the process for designing, planning, and maintaining the physical and logical configuration of midrange, server and desktop hardware and software as well as network components and the way these resources are interrelated in VMU’s environment. |
| g. | Database Management is the process for the design, development, deployment, maintenance, and administration of VMU production databases used to support IBM’s delivery of the Services. |
| h. | Data Center Infrastructure Facilities Planning is the process that defines the activities associated with the planning for and administration of dedicated hardware facilities, including raised floor rooms, server rooms, labs and network closets. |
| i. | Deskside Support is the process for providing technical assistance for End User requests that require an IBM technician to provide on-site services at the End User’s location. |
| j. | E-mail and Collaboration Services is the process that supports requirements for e-mail, chat, BlackBerry and other messaging tools. |
| k. | File and Directory Services is the process used to support requirements for Microsoft Active Directory (AD), profiles and shares. |
| l. | IMAC Coordination is the process used for installation, move, add, change, and removal of End User Equipment and Software, including the coordination of various activities required to facilitate an upgrade or relocation. |
| m. | IT Security Management is the process for providing security protection for logical and physical inventory and assets that are associated with delivery of the Services. |
| n. | Network Management is the process used for the installation, administration, maintenance, monitoring, troubleshooting, restoration, and documentation of in-scope network devices within an IBM-managed network. |
| o. | Operations Management is the process for monitoring the availability and the performance of the Equipment (hardware and software) and Services for those environments for which IBM is providing Services. Monitoring will be accomplished by a variety of active and passive activities, e.g., manual testing of calling, messaging and data services; periodic polling of such equipment and by processing system events that are generated. Performance monitoring will attempt to detect problems before End Users or VMU customers are affected. |
| IBM/VMU Confidential | Schedule A (Services) | Page 15 of 109 |
| p. | Performance Management is the process for monitoring, measuring, analyzing, tuning and reporting systems performance to meet agreed upon Service Levels. |
| q. | Print Management is the process used to manage the print queues. |
| r. | Project Management is the process used to initiate, execute and complete a project in accordance with the defined project scope and completion criteria. |
| s. | Report Management is the process used to manage Database Report Requests (DRR) from implementation through ongoing operation. |
| t. | The Service Desk process is used by the IBM Help Desk to provide a single point of contact to End Users for the Services. The IBM Help Desk receives, fulfills and closes End User requests for service and Incidents. If the IBM Help Desk cannot directly resolve the Incident or fulfill the request (for example, an IMAC request), it is passed to the appropriate support group for resolution or fulfillment, or escalated to the NOC for incident management. |
| u. | Software Distribution is the process for handling software distribution requests and maintaining version repositories that enhance software support and efficient distribution. |
| v. | Software License Tracking is the process for tracking software licenses. |
| w. | Storage Management is the process used for maximizing disk storage and resources, by using tools to migrate unused data and to de-fragment disk volumes. |
| x. | Tape Operations is the process used to control tape resources, including the preparation of and actual shipment to designated IBM offsite storage locations. |
| y. | User ID Administration is the process for administering and handling VMU and IBM User ID requests, including granting, changing, or deleting a user’s access rights, password resets or user group creation, deletion, or modification. |
| 3. | IBM ENVIRONMENT |
| a. | IBM will design and implement the architecture for the IBM environment required to provide the Services. Architecture means the way a system (for example, infrastructure, server, call manager, PBX) is designed and how the components of the system are connected to and operate with another system. VMU will review and provide input, as applicable, to the architecture design. |
| b. | IBM managed systems and infrastructure used to provide the Services will be managed to Information Security Controls Document (as defined in the Part entitled “Enterprise Security Management Services” in this Schedule A.). |
| IBM/VMU Confidential | Schedule A (Services) | Page 16 of 109 |
| 4. | SERVICE HOURS |
IBM will provide each of the Services during the Service Hours specified in the following table. All times are in Mountain Time through May 31, 2009, and thereafter the Services will be provided based upon Eastern Time. Unless specified elsewhere in this Schedule A, all Services are to be provided within the Service Hours.
| IBM/VMU Confidential | Schedule A (Services) | Page 17 of 109 |
| Services |
Service Hours |
Notes | ||
| ASSET SERVICES | ||||
| • Asset and Software Tracking |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| HELP DESK SERVICES | ||||
| • Help Desk |
7x24x365 | |||
| DESKSIDE SERVICES | ||||
| • Desktop Support |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| • IMAC |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| • Refresh |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| • Software Distribution |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| SERVER SYSTEMS MANAGEMENT SERVICES | ||||
| • Intel and UNIX Server Services |
7x24x365 | |||
| STORAGE MANAGEMENT SERVICES | ||||
| • Storage Management |
7x24x365 | |||
| • Media Management |
7x24x365 | |||
| DATA NETWORK SERVICES | ||||
| • LAN management |
7x24x365 | |||
| • Firewall management |
7x24x365 | |||
| VOICE NETWORK SERVICES | ||||
| • IVR Services |
7x24x365 | |||
| ENTERPRISE SECURITY MANAGEMENT SERVICES | ||||
| • Security Compliance and Regulatory |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| AD/M SERVICES | ||||
| • Development interface and support |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| • Maintenance interface and support |
8:00 a.m. to 5:00 p.m., Monday through Friday, excluding U.S. National holidays |
|||
| 5. | TOOLS |
| a. | IBM will provide, install, configure, test, if applicable, and maintain the Tools specified in Exhibit A-1, to enable IBM to provide the Services. |
| b. | VMU will: |
| (1) | allow IBM to install the Tools that may be required by IBM to provide the Services; |
| (2) | provide the system and network capacity and connectivity required to support the Tools; |
| IBM/VMU Confidential | Schedule A (Services) | Page 18 of 109 |
| (3) | sign the appropriate vendor license agreement (including IBM’s), if required, for IBM to install Tools on VMU’s equipment and/or premises; and |
| (4) | on expiration or termination of this Agreement, unless otherwise mutually agreed and stated in this Agreement, return all IBM-owned Tools in working order to IBM. |
| IBM/VMU Confidential | Schedule A (Services) | Page 19 of 109 |
Part 2: Asset Services
| 1. | INTRODUCTION |
IBM will provide the following Asset Services to VMU during the Service Hours, unless otherwise mutually agreed by VMU and IBM. IBM will implement the process for tracking the status, and location of such assets, to be included in the Process Interface Manual. IBM will also establish the asset database, define and support the processes required for the capture of any changes and will incorporate such changes into the asset database.
| 2. | ASSET INVENTORY CAPTURE |
| a. | IBM will: |
| (1) | coordinate and perform the asset inventory to verify the asset database; |
| (2) | conduct a physical inventory of stand-alone Equipment (collected information should consist of a numeric or alphanumeric asset type, and may also include: manufacturer (for example, IBM, HP, Apple); product description (for example, desktop, server); serial number or asset tag number, as applicable; asset location (for example, building address, city and state); and demographic information); |
| (3) | notify the VMU Focal Point of any obstacle that prevents IBM from performing an initial inventory of an asset; |
| (4) | provide asset inventory identification materials (i.e., asset tags or bar code labels, preprinted with VMU’s designated asset identifier (for example, asset type and asset serial number)), as required; |
| (5) | tag inventoried equipment, as required, using VMU-provided asset tags that have been preprinted with VMU’s designated asset number; |
| (6) | prepare mail-in data collection kits and forward the kits to the VMU Focal Point for distribution to the Facilities and End Users identified in the Inventory Plan; |
| (7) | on completion of the inventory, reconcile the collected asset data including identifying and correcting (to the extent within IBM’s control) the following, as applicable: |
| (a) | missing and/or duplicate serial numbers; |
| (b) | missing, duplicate and incorrect length of asset tag numbers; |
| IBM/VMU Confidential | Schedule A (Services) | Page 20 of 109 |
| (c) | missing and/or duplicate demographic information; and |
| (d) | discrepancies resulting from IMAC activity performed during the inventory process, using the data VMU provides; |
| (8) | update and maintain the asset database (i.e., load the asset information obtained during the asset inventory) or validate the asset information provided by VMU using the information obtained during the asset inventory; |
| (9) | act as the contact point for End Users who require assistance in implementing the inventory procedures; |
| (10) | make two (2) total attempts to collect kits from VMU remote Facilities and notify the VMU Focal Point if not received within the stated time frame. For any assets in which the kits have not been collected, such assets will be either: |
| (a) | out of scope for the purposes of these Services; or |
| (b) | additional charges may be incurred by VMU for IBM to collect the required data from these Facilities; |
| (11) | provide standard inventory report(s); |
| (12) | attempt to minimize disruption to the End User when conducting the asset inventory; |
| (13) | upon inventory completion at each Facility, obtain sign-off from the VMU Focal Point that the inventory process has been completed; and |
| (14) | obtain VMU’s approval for the asset inventory results. |
| b. | VMU will: |
| (1) | assist IBM in developing the Inventory Plan and provide final approval of such plan no later than ten days before the first Facility inventory; |
| (2) | at least ten days before each scheduled Facility inventory: |
| (a) | provide a listing of the contacts who will provide administrative and technical responsibilities, including the VMU Focal Point, and ensure their availability, as required, for status meetings during the inventory; |
| (b) | provide an estimate of the number of assets to be inventoried at each Facility; |
| (c) | provide current floor plans for each floor of each Facility to be inventoried; |
| IBM/VMU Confidential | Schedule A (Services) | Page 21 of 109 |
| (d) | provide a soft copy listing (i.e., mailmerge capable file) including the names of and mailing addresses for those End Users at each Facility using mail-in data collection kits; |
| (e) | distribute mail-in data collection kits to the Facilities and End Users identified in the Inventory Plan; |
| (f) | distribute the IBM-supplied inventory worksheets to End Users with instructions to complete the demographic information sections of the worksheet before the scheduled date of the inventory; and |
| (g) | design and implement a process to track and capture any IMACs performed during a Facility inventory; |
| (3) | during a Facility inventory: |
| (a) | ensure the VMU Focal Point is available: |
| (i) | to accompany IBM on a walk-through of the Facility; |
| (ii) | in the event IBM incidentally discovers viruses during the electronic inventory process; |
| (iii) | to review and accept collected data on a daily basis; and |
| (iv) | upon inventory completion at each Facility, provide sign-off that the inventory process has been completed; |
| (b) | provide a temporary work room that is large enough to accommodate the inventory team and provides access to a collection server, a printer on which to generate reports, a telephone with outside capability, and an analog phone line for modem dial out; |
| (c) | provide reasonable and timely access to equipment to be inventoried; |
| (d) | prohibit (or restrict) IMAC activity; |
| (e) | track and capture all IMAC activity performed during each Facility inventory and provide the information to IBM on completion of the inventory process; |
| (f) | disable power-on and screen saver passwords; and |
| (g) | track and collect all mail-in data collection kits and forward all completed kits to IBM before the completion of the inventory at the applicable Facility; |
| IBM/VMU Confidential | Schedule A (Services) | Page 22 of 109 |
| (4) | provide the End User related data and any updates as they occur in an electronic format (i.e., name, phone number, location address, department number, network connection) required to establish End User records; |
| (5) | approve the asset inventory results for loading to the assets database; and |
| (6) | assist IBM in implementing the process and schedule of future asset information collection. |
| 3. | ASSET TRACKING |
IBM will define, per VMU’s requirements, and implement the process for tracking assets throughout their life cycle from acquisition to disposal, including any changes performed for such assets.
| a. | IBM will: |
| (1) | define and implement, with VMU’s assistance, the asset tracking process; |
| (2) | maintain the asset database capturing changes IBM or VMU made as a result of: |
| (a) | receipt of new assets; |
| (b) | data scrubbing and validation (i.e., checking for nomenclature and data entry discrepancies such as validating that the asset type is numeric or alphanumeric); |
| (c) | IMAC, hardware maintenance, and deskside support Services activity; |
| (d) | asset storage, retirement, and disposal; and |
| (e) | changes to End User-related data (for example, name, phone number, location address, department number, network connection); |
| (3) | perform electronic inventory and/or bar code scans on hardware in conjunction with performing on-site Services (for example, deskside support, IMAC, hardware maintenance) and update the asset database; |
| (4) | add assets for which no record is found to the asset database as such assets are located during an inventory or are otherwise discovered, for example, during a Help Desk support call, and notify the VMU Focal Point of such additions; |
| (5) | coordinate and perform periodic physical or electronic asset validations and report the results to VMU; |
| IBM/VMU Confidential | Schedule A (Services) | Page 23 of 109 |
| (6) | maintain responsibility for software license tracking of asset inventory and auditing for compliance to vendor terms and conditions with respect to the number of licensed assets for all software owned by or licensed to VMU; |
| (7) | resolve asset discrepancies and notify VMU of the resolution; |
| (8) | forward information on all asset discrepancies and/or issues to the VMU Focal Point for resolution; |
| (9) | provide reasonable assistance to VMU in resolving asset database discrepancies or issues; and |
| (10) | provide a monthly standard report to VMU. |
| b. | VMU will: |
| (1) | provide reasonable assistance to IBM in the definition and implementation of the asset tracking process; |
| (2) | provide IBM changes VMU made to the assets as a result of: |
| (a) | receipt of new assets; |
| (b) | data scrubbing and validation (i.e., checking for nomenclature and data entry discrepancies such as validating that the asset type is numeric or alphanumeric); |
| (c) | IMAC, hardware maintenance, and deskside support Services activity; |
| (d) | asset storage, retirement, and disposal; and |
| (e) | changes to End User-related data (for example, name, phone number, location address, department number, network connection); |
| (3) | ensure End Users perform their responsibilities in accordance with the established process during an asset validation; |
| (4) | provide IBM with the software licenses and related documentation sufficient to enable IBM to audit compliance with vendor terms and conditions with respect to the asset inventory; |
| (5) | be responsible for all asset disposal including any related costs; and |
| (6) | maintain the asset records VMU deems necessary to meet VMU’s audit requirements and financial obligations. |
| IBM/VMU Confidential | Schedule A (Services) | Page 24 of 109 |
Part 3: Help Desk Services
| 1. | INTRODUCTION |
| a. | IBM will staff an organization to act as the contact point, via a toll free telephone number, for End Users who require assistance in the resolution of problems, concerns, and questions and to request Services (the Help Desk). Calls into the Help Desk will be answered in English. Care2 focal points will contact Level 2. |
| b. | IBM will provide the full scope of Help Desk Services as set forth below during the Service Hours. During all other hours, IBM will provide tracking and logging of problems and requests for Services for dispatch the next Business Day or an electronic vehicle (for example, message recorder, e-mail) for End Users to leave a message to which Help Desk staff will respond the next Business Day and will designate a Help Desk contact person who will provide telephone assistance for a Severity Level 1 problem during such hours. |
| c. | If a problem can not be resolved by telephone, IBM will handle the problem via the escalation management process set forth in the Process Interface Manual. |
| 2. | HELP DESK SERVICES |
| 2.1 | GENERAL |
| a. | IBM will: |
| (1) | provide, program and maintain the automatic call distribution equipment IBM requires to provide the Services; |
| (2) | receive, log, attempt to resolve and dispatch or transfer Calls, as appropriate; |
| (3) | open a Call record to document Calls. A Call record may include information such as End User information, Call record number, date and time opened, service requested, problem description or symptoms, Call assignment (for example, Xxxxx 0, Xxxxx 0), Xxxx xxxxxx, and Call resolution and closure information; |
| (4) | prioritize Calls in accordance with the Severity Codes (Severity Code – means the severity designation assigned to a problem call (for example, Severity Xxxxx 0, Xxxxxxxx Xxxxx 0): |
| (5) | perform problem analysis, including identification of the source of the problem; |
| (6) | provide Call status as the End User requests; |
| IBM/VMU Confidential | Schedule A (Services) | Page 25 of 109 |
| (7) | dispatch or arrange for on-site support, if required, for problem determination and/or resolution; |
| (8) | notify the VMU Focal Point of systems or equipment failures, or of an emergency, according to the Process Interface Manual; |
| (9) | provide a systems status recording for in-scope systems with status information such as known Major Incidents and estimated recovery times; |
| (10) | interface with and coordinate problem determination and resolution with the VMU Focal Point (e.g. designated VMU Program Manager) and/or Third Party service providers, as appropriate; |
| (11) | monitor problem status to facilitate problem closure within defined Service Level criteria or escalate in accordance with the escalation management process; |
| (12) | provide input to VMU on End User training requirements based on problem Call tracking and analysis; |
| (13) | with VMU’s assistance, establish and maintain call prioritization guidelines and escalation procedures; |
| (14) | develop Help Desk operational processes and procedures and provide to VMU for distribution; |
| (15) | maintain a contact list of IBM Focal Points, including names and telephone, pager and fax numbers, and provide to VMU for distribution; |
| (16) | communicate to the VMU Focal Point on available Services and the procedures for accessing such Services; |
| (17) | provide a standard monthly report to VMU summarizing the Calls (by status code) received and handled by the Help Desk for the prior month; and |
| (18) | using the information contained in the standard monthly reports, provide information to VMU on Call trends and make recommendations (for example, additional End User training requirements), where appropriate. |
| b. | VMU will: |
| (1) | maintain and distribute a VMU contact list, including names and telephone, pager and fax numbers, for use by Help Desk staff to contact appropriate VMU personnel for problem determination assistance and escalation and ensure such personnel are available as required; |
| IBM/VMU Confidential | Schedule A (Services) | Page 26 of 109 |
| (2) | assist IBM in establishing Call prioritization guidelines and escalation procedures; |
| (3) | ensure End Users have a basic level of understanding of the Service Delivery Processes and adhere to such processes for accessing the Services; |
| (4) | communicate support responsibilities and procedures to the VMU Focal Point and Third Party service providers (for example, providing Call status and resolution to the Help Desk) and ensure adherence to such procedures; |
| (5) | assist IBM, as requested and in a time frame commensurate with the assigned problem Severity Code and associated Service Level commitment, in the resolution of recurring problems which are the result of End User error; |
| (6) | resolve any VMU Third Party service provider performance problems affecting IBM’s provision of the Services; |
| (7) | be responsible for all VMU Third Party support costs (for example, help lines); |
| (8) | be responsible for the resolution or closure of all Calls related to products and services that are not within the Services; |
| (9) | provide scripts for knowledge base; and |
| (10) | allow IBM to utilize remote access capability to remotely diagnose problems. |
| 2.2 | SELF HELP |
| a. | IBM will provide Tools and processes via a web services portal to enable the End Users to: |
| (1) | perform self help knowledge searches; |
| (2) | submit problem and service request tickets; |
| (3) | view online problem and service request ticket status; |
| (4) | view current system outages; and |
| (5) | manage IDs, including request, approval, creation, revalidation, password reset and ID removal, in accordance with VMU’s security guidelines. |
| b. | VMU will: |
| (1) | provide and maintain an authentication methodology as part of VMU’s security guidelines; |
| IBM/VMU Confidential | Schedule A (Services) | Page 27 of 109 |
| (2) | provide VMU’s existing processes to assist IBM in providing self help Services; and |
| (3) | promote the use of the self help Tools and processes to End Users. |
| 3. | DATA CENTER, INTEL AND UNIX SERVER SERVICES, DATA NETWORK SERVICES, AND VOICE NETWORK SERVICES |
| a. | IBM will: |
| (1) | provide all Xxxxx 0, Xxxxx 0, and Level 3 support for the Equipment and Software; |
| (2) | report on the status of batch jobs upon request; |
| (3) | reset passwords and perform logon ID administration in accordance with VMU-provided security guidelines; and |
| (4) | recycle, start and stop devices. |
| IBM/VMU Confidential | Schedule A (Services) | Page 28 of 109 |
| b. | VMU will: |
| (1) | authorize all system access. |
| 4. | END USER SERVICES |
| a. | IBM will: |
| (1) | provide all Xxxxx 0, Xxxxx 0, and Level 3 support for Standard Products; |
| (2) | perform LAN administration and related security functions (for example, password resets); |
| (3) | with respect to Nonstandard Products: |
| (a) | provide Level 1 support based upon IBM’s available resources; |
| (b) | as appropriate, refer problems or questions to the VMU Focal Point for resolution; and |
| (c) | dispatch service personnel to perform on-site Services (for example, deskside support, hardware maintenance, IMACs) at VMU’s request on a time and materials basis. |
| b. | VMU will: |
| (1) | communicate the defined Standard Products and Services to End Users; |
| (2) | ensure that End Users are authorized to request the Services including the dispatch of service personnel to provide on-site Services; and |
| (3) | with respect to Nonstandard Products: |
| (a) | provide all Level 1 support not designated as an IBM responsibility, and all Xxxxx 0 and Level 3 support; |
| (b) | be responsible for the resolution and closure of any problems or questions referred to VMU by Help Desk staff; and |
| (c) | provide training to IBM-designated staff and documentation (for example, scripts) on Nonstandard Products, as appropriate. |
| 5. | AD/M SERVICES |
| a. | IBM will: |
| (1) | develop, in conjunction with VMU, Level 1 scripts for use in providing Level 1 support for End Users’ problems and questions relating to the Applications; |
| IBM/VMU Confidential | Schedule A (Services) | Page 29 of 109 |
| (2) | respond and resolve all calls requiring Level 2 or Level 3 support relating to the Applications and expeditiously route calls from specified Care2 focal points to appropriate Xxxxx 0 xx Xxxxx 0 AD/M support; and |
| (3) | redirect Calls requiring Xxxxx 0 and Level 3 support to the appropriate VMU application support group for problems and questions relating to out-of-scope applications software. |
| IBM/VMU Confidential | Schedule A (Services) | Page 30 of 109 |
| b. | VMU will: |
| (1) | develop, in conjunction with IBM, Xxxxx 0 scripts for Applications; |
| (2) | provide Xxxxx 0, Xxxxx 0 and Level 3 support for all out-of-scope applications software; and |
| (3) | provide to IBM and maintain the specified Care2 focal points who will directly call Level 2 or Level 3. |
| IBM/VMU Confidential | Schedule A (Services) | Page 31 of 109 |
Part 4: Deskside Services
| 1. | INTRODUCTION |
IBM will provide the following deskside Services to VMU during the Service Hours, unless otherwise mutually agreed by VMU and IBM.
| 2. | DESKTOP SUPPORT SERVICES |
IBM will provide assistance with problem determination and problem resolution at the End User’s work location within a Facility using on-site services which are a combination of deskside support and hardware related support such as break/fix (i.e., hardware maintenance). IBM will use VMU’s SMS tool: (a) for Image Development and software distribution and (b) to perform Remote takeover of Wintel desktops and laptops.
| 2.1 | DESKSIDE SUPPORT SERVICES |
| a. | IBM will: |
| (1) | provide problem source identification, problem impact validation, and problem determination; |
| (2) | with VMU’s assistance, implement the deskside support Services operational procedures including the criteria for deployment of deskside support Services personnel; |
| (3) | provide deskside support Services for Supported Desktop Standard Products at the End User’s work location within a Facility in accordance with the established procedures to be identified in the Process Interface Manual; |
| (4) | manage the problem to resolution or closure, as appropriate, including: |
| (a) | applying emergency software fixes in support of problem resolution; and |
| (b) | performing virus eradication on the desktop device; |
| (5) | update the status of the deskside support Services call to the Help Desk through to completion; |
| (6) | on completion of the deskside support Services: |
| (a) | close the ticket; and |
| (b) | update the asset database; |
| (7) | provide support for up to 60 VIPs located at the Warren, NJ office; |
| IBM/VMU Confidential | Schedule A (Services) | Page 32 of 109 |
| (8) | provide VIP residential service as a pre-planned event on VMU supported equipment, provided an adult is present at the time of the visit and the location is within local proximity of the campus site; tasks include PC software break-fix and networking from the PC to the service providers modem, deskside support will not run/supply cables or perform any drilling; |
| (9) | at VMU’s request, provide deskside support Services for Nonstandard Products on an Hourly Services basis; |
| (10) | refresh supported desktop images once per year; and |
| (11) | provide a monthly standard report using available problem management data to VMU summarizing the deskside support Services IBM provided during the prior month. |
| b. | VMU will: |
| (1) | assist IBM in implementing the deskside support Services operational procedures including the criteria for deployment of deskside support Services personnel; |
| (2) | be responsible for all End User data migration, backup and restore, conversion, and erasure, as required, before and following the provision of deskside support Services; |
| (3) | provide IBM with adequate spare desktops, laptops or spare parts to accommodate refresh activities, new hires, and hot swaps; |
| (4) | provide IBM a secure storage area for spare equipment, ownership of such equipment will remain with VMU; |
| (5) | provide IBM will office space for on-site deskside technicians located in Warren, NJ and install one SMS server into the deskside Xxxxxx office location; and |
| (6) | provide authorization and be responsible for all charges for deskside support Services IBM provides at VMU’s request for Nonstandard Products and out-of-scope services (for example, ad hoc End User training, how to assistance). |
| 2.2 | HARDWARE MAINTENANCE SERVICES |
| a. | IBM will: |
| (1) | perform pre- and post maintenance activities before and following hardware maintenance Services on equipment (for example, backup, remove, protect, and restore programs, data and removable storage media, remove and reload funds); |
| IBM/VMU Confidential | Schedule A (Services) | Page 33 of 109 |
| (2) | provide all hardware upgrades, maintenance parts, or replacement equipment not provided under a warranty or maintenance agreement at VMU expense in accordance with Schedule C, Exhibit C-2; |
| (3) | provide hardware support for Blackberry devices at VMU expense in accordance with Schedule C, Exhibit C-2; |
| (4) | perform vendor coordination with VMU third party vendors on hardware break fix for computers in warranty; and |
| (5) | perform hardware vendor coordination for broken hardware. |
| b. | VMU will: |
| (1) | provide hardware maintenance and support for VMU Equipment including the repair or exchange of such VMU Equipment, as appropriate; |
| (2) | provide Help Desk representatives with the information required for hardware maintenance Services (for example, machine type, serial number), and such other information, as requested, including location address, building and office number and contact name and phone number; |
| (3) | maintain the records necessary to support warranty service of equipment on warranty (for example, serial number, program number, install date, location); |
| (4) | ensure all hardware that is procured by or for VMU after the Reference Date has the maximum warranty available on all parts and labor (i.e., three-year on-site service, parts and labor warranty or equivalent) and warranty services are consistent with the Service Hours; |
| (5) | provide all hardware upgrades, maintenance parts, or replacement equipment not provided under a warranty or maintenance agreement; |
| (6) | provide hardware support for Blackberry devices; |
| (7) | for VMU-owned VMU Equipment, notify IBM in a timely manner of any OEM recall program(s) including the terms and conditions and instructions the manufacturer’s specifies; |
| (8) | provide and maintain the inventory of all End User consumable supplies, such as paper, toner, printer cartridges, diskettes, compact disks, tapes, batteries, and other such items that comply with original equipment manufacturer’s specifications, and distribute or install such supplies as End Users require; |
| IBM/VMU Confidential | Schedule A (Services) | Page 34 of 109 |
| (9) | provide VMU’s existing spare parts inventory to IBM, as required; |
| (10) | update the status of the hardware maintenance Services calls to the Help Desk through to completion; |
| (11) | provide the guidelines relative to and the spare parts inventory for Critical Functions, and the appropriate and secured storage area for such inventory; |
| (12) | provide authorization and be responsible for all charges for hardware maintenance Services IBM provides at VMU’s request to repair or restore VMU Equipment damaged as a result of: |
| (a) | misuse, accident, modification, unsuitable physical environment, or a force majeure event; or |
| (b) | the provision of hardware maintenance services by other than IBM; or |
| (c) | the inappropriate use of, inadequate use of, or failure to use, appropriate supplies; or |
| (d) | other actions not covered under a maintenance agreement or warranty services; and |
| (13) | provide authorization and be responsible for all charges for hardware maintenance Services IBM provides at VMU’s request for Nonstandard Products. |
| 3. | INSTALL, MOVE, ADD, CHANGE SERVICES |
| a. | IBM will: |
| (1) | coordinate and perform IMACs for the Standard Products; |
| (2) | install standard images on desktops (include up to 21 common (core) applications in workstation images for all end users); |
| (3) | with VMU’s assistance, implement the IMAC Services operational procedures including the development of an IMAC checklist that defines the completion criteria for each IMAC Service; |
| (4) | receive requests for IMAC Services via the established procedures and create the required documentation (for example, work order, call record update) as identified in the Process Interface Manual; |
| (5) | schedule the IMAC perform date with the VMU Focal Point and the requesting End User; |
| IBM/VMU Confidential | Schedule A (Services) | Page 35 of 109 |
| (6) | before the scheduled IMAC date, communicate to the VMU Focal Point any IMAC prerequisites and any procedures that need to be followed after the IMAC is completed; |
| (7) | notify the VMU Focal Point of the required IMAC components that need to be available and site preparations (facilities and telecommunications modifications) that need to be completed before the scheduled IMAC date; |
| (8) | before the scheduled IMAC date, verify with the VMU Focal Point that the End User has complied with all IMAC prerequisites, all site modifications are complete, and that the necessary IMAC components have been received and will be available at the End User’s work location on the scheduled IMAC date; |
| (9) | perform the required build for any new systems to be installed, including: |
| (a) | build and configure the system in accordance with VMU-provided configuration specifications; |
| (b) | run diagnostics on all configuration components; |
| (c) | load and configure specified software Standard Products and replicate loading for site-licensed software Standard Products using the VMU-provided master diskette or compact disk; |
| (d) | perform configuration testing, including operating system testing functions; |
| (10) | repackage the fully assembled and tested system, including configuration documentation and any vendor-provided operations manuals or other applicable documentation, in one container or as a banded unit, apply shipping labels, generate appropriate shipping documentation, and ship to the designated Facility; be responsible for all End User data migration, backup and restore, conversion, or erasure, as required, before and after the IMAC Service; |
| (11) | perform the IMAC Services for desktop Standard Products according to the criteria specified in the IMAC checklist; |
| (12) | obtain concurrence from the End User or the VMU Focal Point that the IMAC was completed in accordance with the IMAC checklist; |
| (13) | assist VMU in resolving on a timely basis any issues impacting IMAC activity; |
| (14) | prepare displaced hardware (i.e., wrap cords) and software and, if applicable, move to a designated staging area within the Facility for removal by VMU; |
| IBM/VMU Confidential | Schedule A (Services) | Page 36 of 109 |
| (15) | utilize Impact to update and close tickets; |
| (16) | update the status of the IMAC Services call to the Help Desk through to completion; |
| (17) | on completion of an IMAC: |
| (a) | close the call; and |
| (b) | collect the appropriate configuration data and update the asset database; |
| (18) | implement a mutually agreed process for consolidating IMACs, when possible, into Projects; |
| (19) | coordinate and perform IMACs for servers, at VMU’s request, as a Project; |
| (20) | provide a monthly standard report to VMU summarizing the IMAC Services IBM performed during the prior month, including the current status of any IMAC Services requests that are in progress or pending; |
| (21) | perform a disk wipe using the VMU provided tool DBAN (disk wipes will be accomplished at the Warren, NJ office only); |
| (22) | perform support, on a commercially reasonable basis, for copiers, faxes, scanners, and overhead projectors at the Warren, NJ office; and |
| (23) | assist in toner replacement and basic printer maintenance (these tickets are included in ticket volume). |
| b. | VMU will: |
| (1) | provide reasonable assistance to IBM in implementing the IMAC Services operational procedures including the development of an IMAC checklist that defines the completion criteria for each IMAC Service; |
| (2) | provide to IBM, via the established procedures, an authorized IMAC Services request that clearly defines all IMAC requirements and includes all information reasonably requested by IBM; |
| (3) | provide all required IMAC components (for example, hardware, software and any associated components) necessary to perform an IMAC; |
| (4) | provide all required network capacity and connectivity; |
| (5) | through the VMU Focal Point: |
| (a) | coordinate the activities related to and the completion of all required facilities and telecommunications modifications before the scheduled IMAC date (for example, providing phone number changes); |
| IBM/VMU Confidential | Schedule A (Services) | Page 37 of 109 |
| (b) | at IBM’s request, provide the status on VMU-retained activities (for example, anticipated completion date of site modifications) related to or impacting an IMAC; |
| (c) | ensure End User compliance with all IMAC Services prerequisites, as set forth in the IMAC checklist or as IBM or VMU otherwise communicates, before the scheduled IMAC date; |
| (d) | at IBM’s request, verify the completion of all End User IMAC prerequisites, site readiness, and the availability of all IMAC components; and |
| (e) | ensure all required IMAC components are at the designated staging area within the Facility or at the End User’s work location, as applicable, on the scheduled IMAC date; |
| (6) | define and provide IBM the escalation procedures for situations where End Users have not completed the communicated IMAC prerequisites or where site preparations have not been completed within the defined time frames or in accordance with specifications; |
| (7) | for IMAC activity not directly requested by the End User, notify the affected End User(s) of such planned IMAC activity; |
| (8) | provide necessary End User orientation and education; |
| (9) | provide all transportation of IMAC components to, between, and within Facilities and all transportation associated with the disposal or relocation of displaced hardware and software; |
| (10) | be responsible for all costs and compliance with regulatory requirements for the disposal or relocation of packing materials and displaced or discontinued hardware and software and related materials (for example, batteries, manuals, supplies, cathode ray tubes); |
| (11) | provide the packing materials and prepare all displaced hardware and software for shipping; |
| (12) | provide a secure staging or storage area within the Facility to store IMAC components to be used for a scheduled IMAC and the hardware and software (and associated documentation) displaced by an IMAC; |
| (13) | ensure remote laptops and desktops are returned to the Warren, NJ office for disk wipe, as required; |
| (14) | resolve on a timely basis any issues impacting an IMAC; |
| (15) | ensure End Users follow the defined backup and restore procedures before an IMAC activity is executed; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 38 of 109 |
| (16) | provide authorization and be responsible for all charges for IMAC Services IBM provides at VMU’s request for Nonstandard Products. |
| 4. | REFRESH SERVICES |
| a. | IBM will: |
| (1) | de-install and remove the End User’s existing Supported Desktop and configure, install and test the new system at the mutually agreed location (for example, desk or office); |
| (2) | perform data backup from the End User’s existing Supported Desktop; |
| (3) | perform electronic data migration from End User’s existing Supported Desktop to the new system; |
| (4) | perform data erasure on the End User’s existing Supported Desktop; |
| (5) | update the image(s), as required; and |
| (6) | provide support for up to 2 new hardware models per year based upon VMU’s 3 year refresh cycle. |
| b. | VMU will: |
| (1) | schedule and coordinate the refresh perform date with the IBM Focal Point and the requesting End User, and communicate any End User prerequisites prior to the scheduled refresh date (according to the agreed refresh plan in Schedule H); |
| (2) | ensure the End User is available to IBM during the Refresh process to provide any necessary information (for example, passwords); |
| (3) | define the content of the updated image(s) to deploy to all systems taking into consideration the needs of the various combinations of operating systems, hardware, and business unit applications; |
| (4) | dispose of End User’s existing Supported Desktop after refresh; |
| (5) | retain ownership of hardware/software and hardware/software maintenance; and |
| (6) | perform data conversion, if required. |
| 5. | ELECTRONIC SOFTWARE DISTRIBUTION (ESD) |
| a. | IBM will: |
| (1) | with VMU’s assistance, define the ESD processes and procedures; |
| IBM/VMU Confidential | Schedule A (Services) | Page 39 of 109 |
| (2) | provide the ESD processes and procedures including any VMU support requirements to the VMU Focal Point for distribution to VMU-designated personnel (for example, operators, systems engineers, problem support personnel); |
| (3) | with VMU’s assistance, establish a distribution plan before each ESD including: |
| (a) | the mutually agreed software Standard Products (consistent with the Supported Desktop Software standards) to be distributed; |
| (b) | the schedule for distribution; |
| (c) | any ESD prerequisites and post install procedures that need to be completed by End Users and VMU’s business units; and |
| (d) | any End User training requirements related to the changes that will result from an ESD; |
| (4) | communicate to the VMU Focal Point any ESD prerequisites and post install procedures that need to be completed by End Users and VMU’s business units; |
| (5) | schedule and coordinate ESD activities with the VMU Focal Point; |
| (6) | develop the how-to procedures End Users will follow to download the distributed software Standard Products from a Supported Server to the Supported Desktop and provide an electronic change notice to all End Users regarding upcoming distributions prior to the distribution itself; |
| (7) | before an ESD, configure and test the software Standard Products (new or upgrades) included in the ESD to verify compatibility with existing Supported Server and Supported Desktop hardware and software configurations and directory structures and compliance with VMU policy; |
| (8) | manage and administer the ESD, including: |
| (a) | monitoring the ESD to verify the successful completion of the process; and |
| (b) | taking corrective action, as appropriate, for problems resulting from the ESD to correct error conditions and facilitate application stability; |
| (9) | perform file conversion for Supported Server system files where the software or release-to-release software changes support such conversion; |
| (10) | communicate to the VMU Focal Point any problems that occurred during the distribution and a list of unsuccessful distributions; |
| IBM/VMU Confidential | Schedule A (Services) | Page 40 of 109 |
| (11) | resolve unsuccessful distributions to the Supported Servers attributable to IBM’s error; |
| (12) | provide verification of each completed ESD to the VMU Focal Point; |
| (13) | on completion of the ESD, update the asset database, as appropriate; and |
| (14) | install software Standard Products that cannot be electronically distributed on a Project basis |
| (15) | notify VMU if it knows or has reason to know that any of the Supported Servers do not have sufficient network capacity and/or connectivity (i.e., end-to-end connectivity and telecommunications link with minimum capacity of 256 kb) to allow for centralized electronic software distribution; |
| (16) | before an ESD, resolve configuration conflicts between software products existing on the Supported Servers and Supported Desktops and the software Standard Products included in the scheduled ESD; |
| (17) | provide the necessary system support (for example, scheduling system downtime, if required) during an ESD; |
| (18) | resolve unsuccessful distributions to the Supported Servers or Supported Desktops attributable to IBM’s error or coordinate resolution if not attributable to IBM’s error. |
| b. | VMU will: |
| (1) | provide all software Standard Products (new and upgrades) included in an ESD or distributed on a Project basis; |
| (2) | ensure Supported Servers are equipped with sufficient network capacity and connectivity (i.e., end-to-end connectivity and telecommunications link with minimum capacity of 256 kb) to allow for centralized electronic software distribution; |
| (3) | document and provide to IBM VMU’s standard configuration and policy requirements; |
| (4) | assist IBM in establishing a distribution plan before each ESD; |
| (5) | provide reasonable assistance to IBM in testing the ESD process; |
| (6) | ensure required End User training occurs before the scheduled ESD date; |
| (7) | perform file conversion for application files, VMU proprietary application files, and End User data files; |
| IBM/VMU Confidential | Schedule A (Services) | Page 41 of 109 |
| (8) | provide the necessary system support (for example, scheduling system downtime, if required) during an ESD; |
| (9) | ensure compliance by End Users and VMU’s business units with the communicated ESD prerequisites and post install procedures; |
| (10) | resolve unsuccessful distributions to the Supported Servers or Supported Desktops not attributable to IBM’s error; |
| (11) | provide to IBM any software vendor license terms and conditions and maintenance requirements for newly distributed software Standard Products that could affect the ESD Services; |
| (12) | notify IBM of any distribution time frames specified by any regulatory agency that need to be met to accomplish compliance with VMU Regulatory Requirements; |
| (13) | notify IBM of any software to be deinstalled by IBM (through the IMAC process or on a Project basis) in conjunction with an ESD; and |
| (14) | dispose of all deinstalled software and discontinue the license and maintenance, if applicable, for such software. |
| IBM/VMU Confidential | Schedule A (Services) | Page 42 of 109 |
| 6. | SOFTWARE PACKAGING |
| a. | IBM will: |
| (1) | install standard images on Desktops (include up to 21 common (core) applications in workstation images for all End Users); |
| (2) | package and distribute up to 12 security patch releases a year with each release containing not more than 12 individual patches; |
| (3) | perform service request discovery including requirements definition, and user acceptance testing of newly developed workstation images and software packages and provide appropriate user sign-of; |
| (4) | package 20 software changes per year; and |
| (5) | distribute 11 one-off’s software packages per year to individual users (<10) from one central distribution server using the distribution tool. |
| (6) | provide reasonable assistance to ensure workstations are network connected to support image distribution per VMU’s distribution requirements; |
| b. | VMU will: |
| (1) | provide funding for appropriate and reasonable amount of hardware for testing images built and software packaged on the required model of workstations; |
| (2) | implement policy that all workstations will use the new Common Standard Base Image with LOB/Community Group Add-Ons; |
| (3) | implement policy that all workstations will have a standard Security software installed and use the “Live Update” feature to automatically obtain new virus definition files; |
| (4) | provide any licenses for software to be deployed via images, LOB bundles and/or software distribution, this includes licenses for the Ghost Image software where applicable; and |
| (5) | provide existing image management processes, with all appropriate documentation (including all relevant operational, deployment and support processes), access (data and staff) in order to provide on-going support of images and perform software deployment. |
| IBM/VMU Confidential | Schedule A (Services) | Page 43 of 109 |
Part 5: Server Systems Management Services
| 1. | GENERAL SERVICES |
IBM will provide VMU the following Server Systems Management Services at the IBM Data Center during the Service Hours.
| 1.1 | SERVER OPERATIONS |
| a. | Major Incident Management, per the Process Interface Manual |
| (1) | IBM will: |
| (a) | identify, record, track and manage the incident through service restoration by: |
| (i) | determining the severity classification of the incident and executing the problem management process accordingly; |
| (ii) | determining the scope of the incident; |
| (iii) | assigning the appropriate technical support representatives (other levels of support, across platforms as required); and |
| (iv) | executing the IBM and VMU notification and escalation procedure; |
| (b) | notify VMU that the service has been restored; and |
| (c) | participate in incident review meeting(s), as appropriate. |
| (2) | VMU will review incident severity classifications and, with IBM concurrence, may alter the classification of an incident. |
| b. | System Operations |
| (1) | IBM will: |
| (a) | manage operating system resource availability; |
| (b) | execute recovery procedures, as required, for operating system resources; and |
| (c) | provide operating system status, as requested. |
| (2) | VMU will: |
| (a) | assist IBM in developing procedures for handling all planned and unplanned outages affecting the environment including review, approval, communication and proper documentation; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 44 of 109 |
| (b) | notify IBM of any planned or emergency changes to VMU’s environment affecting IBM’s provision of the Services. |
| c. | IBM will coordinate incident management with AMS per Part 9, Section 8 to support and manage overall Application Operations. |
| 1.2 | AUTOMATED OPERATIONS SUPPORT |
| a. | IBM will perform the following console automation activities: |
| (1) | console monitoring and message filtration; |
| (2) | system and application restart and recovery; and |
| (3) | automated problem reporting and paging. |
| b. | VMU will, with IBM’s assistance, define requirements and schedules for application automated event processing. |
| 1.3 | SERVER PLANNING SUPPORT |
| 1.3.1 | Hardware and Facilities Planning |
| a. | IBM will: |
| (1) | with VMU’s assistance, if required, conduct system space planning; |
| (2) | coordinate with site facilities management to provide specified power to equipment, raised floor space, rack placement, and other physical environmental requirements for the IBM Data Center(s); |
| (3) | coordinate hardware availability for scheduled maintenance (i.e., microcode updates, engineering changes); |
| (4) | at VMU’s request, provide hardware maintenance Services on an time and material basis to repair or restore Equipment; and |
| (5) | maintain physical configuration plan. |
| b. | VMU will |
| (1) | assist IBM in conducting system space planning and in assessing hardware and facility requirements with respect to the Facilities (Schedule I); and |
| IBM/VMU Confidential | Schedule A (Services) | Page 45 of 109 |
| (2) | provide funding for all hardware for: SAN fabric, data storage, tape library and Blackberry handheld hardware and all hardware refreshes. |
| 1.3.2 | Configuration Management |
| a. | IBM will: |
| (1) | design and implement hardware and software configuration changes; and |
| (2) | maintain documentation for operating systems configuration, backup and restore processes, hardware configuration reports, and operations documentation. |
| b. | VMU will provide business requirements that may affect hardware and software configuration changes. |
| 1.3.3 | Change Management |
| a. | IBM will: |
| (1) | with VMU’s assistance, develop the procedures to be followed so that all planned and emergency changes affecting the environment are reviewed, approved, communicated and properly documented; |
| (2) | communicate to the VMU Focal Point, via the change management process set forth in the Process Interface Manual, any changes IBM makes that affect the environment; |
| (3) | record and track approved change requests; |
| (4) | schedule and manage testing and implementation of approved changes; |
| (5) | evaluate planned changes to the environment and advise VMU of any requirements to support such changes; |
| (6) | track change history of managed resources; and |
| (7) | provide standard change management reports. |
| b. | VMU will: |
| (1) | assist IBM in developing the procedures to be followed so that all planned and emergency changes affecting the environment are reviewed, approved, communicated and properly documented; and |
| (2) | notify IBM of any planned or emergency changes to VMU’s environment affecting the Services. |
| IBM/VMU Confidential | Schedule A (Services) | Page 46 of 109 |
| 1.3.4 | Performance Management |
| a. | IBM will: |
| (1) | monitor, measure, analyze and tune system performance to meet agreed upon Service Levels; |
| (2) | recommend changes (i.e., hardware and/or software upgrades) to VMU to maintain agreed upon system performance levels; |
| (3) | define performance indicators and monitor Supported Server performance against such indicators; |
| (4) | install management agents; |
| (5) | review configuration data and usage patterns; |
| (6) | establish performance thresholds and exception reporting procedures; |
| (7) | with VMU’s assistance, establish a schedule for performing Supported Server maintenance (for example, virus detection, backup, disk space cleanup, and testing such as defragmentation) and modifications and enhancements so as to minimally impact End Users and VMU customers; |
| (8) | advise VMU of any required system configurations and modifications necessary to enable IBM to meet the Service Levels; and |
| (9) | provide standard performance reports. |
| b. | VMU will: |
| (1) | evaluate recommendations (i.e., hardware and/or software upgrades) to enable system performance improvement; |
| (2) | approve required system configurations and modifications necessary to enable IBM to meet the Service Levels or relieve IBM of any affected Service Levels until such time as the required system configurations and modifications are completed; |
| (3) | be responsible for costs associated with providing LAN and Supported Server hardware, software and network connectivity required to provide the Services; and |
| (4) | assist IBM in establishing a schedule for performing Supported Server maintenance (for example, virus detection, backup, disk space cleanup, and testing such as defragmentation) and modifications and enhancements so as to minimally impact End Users and VMU customers. |
| IBM/VMU Confidential | Schedule A (Services) | Page 47 of 109 |
| 1.3.5 | Capacity Planning |
| a. | IBM will: |
| (1) | monitor and document VMU’s current workloads and provide the information to VMU for VMU’s use in determining future capacity requirements; |
| (2) | recommend system configurations or modifications necessary to enable IBM to maintain acceptable resource utilization; |
| (3) | notify VMU in advance of when any Supported Server resource reaches the mutually agreed critical usage levels and that additional capacity is required to perform the Services in accordance with the Service Levels; and |
| (4) | provide standard capacity reports. |
| b. | VMU will: |
| (1) | advise IBM of projections of future business volumes that may affect capacity requirements; and |
| (2) | provide funding for purchase of hardware or upgrade necessary to achieve the additional capacity for any Supported Server resource that has reached critical usage levels and is impacting IBM’s ability to provide the Services. |
| 1.3.6 | Problem Management |
| a. | IBM will: |
| (1) | perform problem management tasks including real-time monitoring of Supported Servers, problem identification, reporting, logging, tracking, resolution, communication and escalation for problems; and |
| (2) | with VMU’s assistance: |
| (a) | define problem priority levels and associated escalation procedures; |
| (b) | establish backup and recovery processes and procedures for Supported Servers VMU identifies as Critical Functions; |
| (c) | define alert and paging processes and procedures, including escalation procedures; and |
| (d) | develop and maintain a plan that enables the recovery of data due to unplanned operational types of failures, such as equipment malfunction, temporary power disturbances and abnormal termination. |
| IBM/VMU Confidential | Schedule A (Services) | Page 48 of 109 |
| b. | VMU will: |
| (1) | assist IBM in: |
| (a) | defining problem priority levels and associated escalation procedures; |
| (b) | defining alert and paging processes and procedures, including escalation procedures; and |
| (c) | developing and maintaining a plan that enables the recovery of data due to unplanned operational types of failures such as equipment malfunction, temporary power disturbances and abnormal termination; |
| (2) | identify the Supported Servers (e.g., Critical Functions) requiring backup and recovery and provide funding for the required hardware and software necessary to implement the backup and recovery of such Supported Servers; |
| (3) | provide IBM a list of the VMU Focal Points for purposes of assisting with problem resolution and escalation, if required, including any updates as they occur; and |
| (4) | verify the appropriate VMU personnel are available to interface with IBM to resolve problems affecting the Services. |
| 1.3.7 | Installation and Maintenance Services |
| a. | IBM will: |
| (1) | install, configure, maintain and perform cumulative PTF (program temporary fix) packages to Supported Server Standard Products, including the operating system and operating system utilities; |
| (2) | with VMU’s assistance, establish a test and implementation plan before each operating system version upgrade; |
| (3) | schedule and coordinate operating system testing and implementation with the VMU Focal Point; and |
| (4) | communicate to the VMU Focal Point, via the change management process set forth in the Process Interface Manual, any installation prerequisites (for example, additional disk space and memory) and any post install procedures that need to be followed after the installation is completed. |
| b. | VMU will: |
| (1) | provide IBM with operating system and operating system installation and customization requirements; |
| IBM/VMU Confidential | Schedule A (Services) | Page 49 of 109 |
| (2) | assist IBM in establishing a test and implementation plan before each operating system version upgrade; |
| (3) | ensure compliance by End Users and VMU’s business units, via the change management process set forth in the Process Interface Manual, with any communicated change prerequisites and post change procedures; and |
| (4) | before the operating system maintenance or upgrade scheduled date, or upon IBM’s request, verify to IBM via the VMU Focal Point that all communicated prerequisites have been completed. |
| 1.3.8 | Availability Management |
| a. | IBM will: |
| (1) | assist VMU in defining VMU’s availability requirements; |
| (2) | develop an availability plan; |
| (3) | coordinate hardware maintenance for Supported Servers in accordance with the equipment manufacturer’s specifications in accordance with Schedule C. |
| (4) | track, analyze and report on availability; |
| (5) | provide required support procedures to the VMU Focal Point; and |
| (6) | recommend availability improvements. |
| b. | VMU will: |
| (1) | with IBM’s assistance, define VMU’s availability requirements; |
| (2) | verify that the appropriate VMU personnel are available to interface with IBM, as required, to isolate and resolve problems affecting IBM’s ability to provide the Services; and |
| 1.3.9 | Data Management |
| a. | IBM will: |
| (1) | with VMU’s assistance, define the frequency and types of required data backup as well as the retention periods for the data; |
| (2) | provide the required tape storage facilities; and |
| (3) | perform file Supported Server data backup and recovery including interfacing with VMU-specified tape storage facilities, if any. |
| IBM/VMU Confidential | Schedule A (Services) | Page 50 of 109 |
| b. | VMU will: |
| (1) | assist IBM in defining the frequency and types of required data backup as well as the retention periods for the data. |
| 1.4 | DATABASE SUBSYSTEM SUPPORT |
| 1.4.1 | Database Software Support and Operations |
| a. | IBM will: |
| (1) | install, upgrade and maintain (install patches and fixes) the Systems Software; |
| (2) | manage database subsystem resource availability; |
| (3) | execute recovery procedures, as required, for database subsystem resources; and |
| (4) | provide database subsystem status, as requested. |
| b. | VMU will: |
| (1) | assist IBM in developing procedures for handling all planned and unplanned outages affecting the database environment including review, approval, communication and proper documentation as identified in the Process Interface Manual; |
| (2) | provide existing midrange documentation to IBM in a usable format; and |
| (3) | notify IBM of any planned or emergency changes to VMU’s environment affecting IBM’s provision of the Services. |
| 1.4.2 | Database Administration |
| a. | IBM will: |
| (1) | provide physical support of the production application databases in Schedule G: |
| (a) | creation of physical database objects (i.e. DDL, DBD, ACB, files, etc.); |
| (b) | management and performance of physical production database maintenance, modifications and enhancements in accordance with the mutually agreed schedule as identified in the Process Interface Manual; |
| (c) | maintaining mutually agreed database backup procedures, provided by VMU, to recover from a database outage or corrupted database in accordance with the mutually agreed schedule as identified in the Process Interface Manual; |
| IBM/VMU Confidential | Schedule A (Services) | Page 51 of 109 |
| (d) | maintaining and implementing mutually agreed database archive processes and procedures; |
| (e) | monitoring and reporting of database performance and space utilization; and |
| (f) | recommending modifications for improved performance and implementing as approved by VMU; |
| (2) | setup and retain exclusive use of DBMS system administration IDs and privileges; |
| (3) | assist VMU in planning for production database modifications as a result of changes in VMU’s business environment (i.e., growth, application development projects) and review VMU’s plans on a regular basis; |
| (4) | promote VMU-approved database changes into the production environment; |
| (5) | perform access grants to database objects as requested by VMU; |
| (6) | develop plan(s) for production database modifications as a result of changes in VMU’s business environment (i.e., growth, application development projects) and review such plans with VM on a regular basis; |
| (7) | define database backup and recovery requirements; and |
| (8) | provide physical database maintenance for development and test environments. |
| b. | VMU will: |
| (1) | assist IBM in establishing a schedule for performing production database maintenance, modifications, enhancements and backups; |
| (2) | cooperate with IBM during physical database design and review; and |
| (3) | provide VMU’s access requirements (for example, name and authorization level) for database objects. |
| 1.5 | DATA COMMUNICATION SOFTWARE SUPPORT AND OPERATIONS |
| a. | IBM will: |
| (1) | install, upgrade and maintain the Systems Software; |
| IBM/VMU Confidential | Schedule A (Services) | Page 52 of 109 |
| (2) | manage the data communication subsystem resource availability; |
| (3) | execute recovery procedures, as required, for data communication subsystem resources; and |
| (4) | provide data communication subsystem status, as requested. |
| b. | VMU will: |
| (1) | assist IBM in developing procedures for handling all planned and unplanned outages affecting the data communication environment including review, approval, communication and proper documentation; and |
| (2) | notify IBM of any planned or emergency changes to VMU’s environment affecting IBM’s provision of the Services. |
| 1.6 | CITRIX MIDDLEWARE SOFTWARE SUPPORT AND OPERATIONS |
| a. | IBM will: |
| (1) | install, upgrade and maintain the Systems Software; |
| (2) | manage the middleware subsystem resource availability; |
| (3) | execute recovery procedures, as required, for middleware subsystem resources; |
| (4) | provide middleware subsystem status, as requested; |
| (5) | administer security resource definitions (for example, specific User IDs and group IDs); and |
| (6) | monitor and manage messages remaining in the system dead letter queue after deadline scheduling queue (i.e., DLQ Handler) processing. |
| b. | VMU will: |
| (1) | assist IBM in developing procedures for handling all planned and unplanned outages affecting the middleware environment including review, approval, communication and proper documentation; and |
| (2) | notify IBM of any planned or emergency changes to VMU’s environment affecting IBM’s provision of the Services. |
| IBM/VMU Confidential | Schedule A (Services) | Page 53 of 109 |
| 1.7 | PRODUCTION BATCH OPERATIONS |
| 1.7.1 | Production Batch Job Scheduling |
| a. | IBM will: |
| (1) | perform production batch job set-up and scheduling tasks, such as: |
| (a) | identification of critical paths based on statistics of execution; |
| (b) | identification of jobs eligible for parallel processing (on same CPU or multiple CPUs) and reorganization of normal batch schedules; |
| (c) | support of load balancing across servers when required and applicable; |
| (d) | support of special batch schedules (e.g., for known peak periods); and |
| (e) | recommend scheduling improvements and implement, as approved by VMU; |
| (2) | resolve batch scheduling conflicts; |
| (3) | with VMU’s assistance, develop and maintain standards for job acceptance and implementation; and |
| (4) | schedule batch jobs, as requested by VMU, which require expedited execution, subject to applicable Service Levels attainment relief. |
| b. | VMU will: |
| (1) | provide VMU’s production batch scheduling requirements and procedures and any updates as they occur; |
| (2) | assist IBM in developing standards for job acceptance and implementation; |
| (3) | provide required information (for example, requested time frames and priority sequence) for expedited batch job requests; and |
| (4) | evaluate and approve scheduling improvement recommendations. |
| 1.7.2 | Production Batch Monitoring and Restart |
| a. | IBM will: |
| (1) | monitor scheduled production batch jobs; |
| (2) | resolve batch scheduling conflicts; |
| IBM/VMU Confidential | Schedule A (Services) | Page 54 of 109 |
| (3) | monitor scheduler related incidents and develop and recommend changes to the scheduler database; |
| (4) | schedule batch jobs, as requested by VMU, that require expedited execution; and |
| (5) | perform job restart, as necessary, in accordance with resolution and restart procedures. |
| b. | VMU will provide required information for expedited batch job requests. |
| 1.7.3 | Application Library Management |
| a. | IBM will: |
| (1) | with VMU’s assistance, define and document application code (i.e., JCL and application program elements) promotion standards and acceptance criteria for moving application code from test libraries into production libraries; and |
| (2) | promote application code from development and/or test environments to production. |
| b. | VMU will: |
| (1) | assist IBM in defining application code (i.e., JCL and application program elements) promotion standards and acceptance criteria for moving application code from test libraries into production libraries; and |
| (2) | provide VMU’s application code promotion requirements and procedures. |
| 2. | INTEL AND UNIX SERVER SERVICES |
| 2.1 | INTRODUCTION |
IBM will establish and maintain a properly trained and adequately staffed Data Center population (i.e., management and support staff) to provide the Intel and UNIX Server Services to VMU. Unless otherwise agreed by VMU and IBM, such Services will be provided during the Service Hours, excluding the regularly scheduled maintenance periods.
| 2.2 | PLATFORM SUPPORT |
| a. | IBM will: |
| (1) | provide server operation Services including the management of the Supported Server environment using the appropriate processes set forth in the Process Interface Manual; |
| IBM/VMU Confidential | Schedule A (Services) | Page 55 of 109 |
| (2) | create, maintain and delete volumes and directory structures; |
| (3) | modify file system sizes and permissions; |
| (4) | verify mount point availability; |
| (5) | repair defective file systems; |
| (6) | assign account, work group and print managers; |
| (7) | administer directory distribution and replication; and |
| (8) | define and manage resources and domains. |
| b. | VMU will: |
| (1) | provide the information, as reasonably requested by IBM, required for IBM’s initial evaluation of VMU’s operating system environment, such as an updated inventory of devices and their configuration; |
| (2) | support trusted third party security servers (for example, authentication); and |
| (3) | be responsible for license and maintenance fee costs associated with the operating system and operating system utilities. |
| 2.3 | REFRESH |
| a. | Servers past the refresh date specified in Schedule H will not be subject to SLAs only in the event that VMU has failed to provide funding for the refresh. All hardware must be under maintenance and the OS must be supported. |
| b. | VMU will supply swing hardware for the data center move as set forth in the refresh schedule, and the swing hardware will be used as needed utilizing an asset swap with a third party vendor. |
| c. | VMU will dispose of legacy servers after refresh. |
| IBM/VMU Confidential | Schedule A (Services) | Page 56 of 109 |
Part 6: Storage Management Services
| 1. | MANAGED STORAGE |
| 1.1 | FILE MANAGEMENT |
| a. | IBM will: |
| (1) | manage files on the Equipment, including: |
| (a) | managing non-root application file systems; |
| (b) | modifying file system sizes; |
| (c) | verifying mount point availability; |
| (d) | repairing defective file systems; and |
| (e) | modifying file system permissions; |
| (2) | keep files under IBM’s control, current and available during scheduled access times; |
| (3) | initiate and complete required data processing activities concerning data integrity (for example, handling line transmission errors) of all processed files; |
| (4) | verify the receipt of incoming files and the processing and transmission of outgoing files; |
| (5) | conduct routine monitoring and corrective action according to procedures IBM prepares and VMU approves for intermediate files used for on-line and batch processing; |
| (6) | verify availability of adequate file space for processing; and |
| (7) | report to VMU on VMU’s disk space utilization and requirements for VMU’s capacity planning purposes. |
| b. | VMU will assist IBM in defining the requirements for job recovery management. |
| 1.2 | STORAGE ENVIRONMENT MANAGEMENT |
IBM will:
| a. | perform storage device preparation and initialization; |
| IBM/VMU Confidential | Schedule A (Services) | Page 57 of 109 |
| b. | manage storage space through the implementation and customization of storage management software; |
| c. | manage space and utilization rate of storage hardware; |
| d. | verify availability and sufficient capacity of IBM controlled file systems during scheduled service times; and |
| e. | provide VMU periodic reports of space utilization at a logical disk or DASD level. |
| 1.3 | BACKUP AND RESTORE |
| a. | IBM will: |
| (1) | document, maintain and, as appropriate, update and execute mutually approved file backup and recovery procedures as identified in the Process Interface Manual; |
| (2) | provide a recovery procedure for restoring the data image to a previous level within a mutually agreed time frame; |
| (3) | conduct regularly scheduled backup and recovery processes as specified in the Process Interface Manual and as prioritized by VMU (for example, data set restore), so as to avoid impacting scheduled operations; and |
| (4) | provide recommendations to VMU regarding backup and recovery considerations such as improved levels of protection, efficiencies and cost reductions. |
| b. | VMU will: |
| (1) | define requirements for file backup and recovery procedures; and |
| (2) | provide resources as required to support backups outside of the IBM Data Center, as required. |
| 2. | MEDIA MANAGEMENT |
| 2.1 | TAPE MEDIA MANAGEMENT AND OPERATIONS |
| a. | IBM will: |
| (1) | retain tapes for a mutually agreed retention period for auditing purposes; |
| (2) | rotate tapes, as required, for off-site storage; |
| (3) | log and track physical tapes that are checked in and out of the Data Center by VMU or a Third Party; |
| IBM/VMU Confidential | Schedule A (Services) | Page 58 of 109 |
| (4) | notify the IBM or Third Party tape storage provider when it is time to scratch or return a tape; |
| (5) | complete tape mounts in sufficient time to meet production processing requirements in accordance with the Service Levels; |
| (6) | provide tape specifications to VMU; |
| (7) | maintain adequate supplies for the tape environment and provide a sufficient scratch tape pool to service required processing needs, and notify VMU when additional tapes and other supplies are required; |
| (8) | retrieve archived tapes and restore required files and data sets within mutually agreed time frames; and |
| (9) | report tape utilization to VMU. |
| b. | VMU will |
| (1) | provide funding for purchase of tapes as IBM requests that meet the IBM-provided tape specifications; and |
| (2) | coordinate third party vendor resources as required to support tape backups outside of the IBM Data Center, as reasonably requested by IBM. |
| 2.2 | PORTABLE MEDIA HANDLING |
| a. | IBM will: |
| (1) | develop and implement processes and procedures, as identified in the Process Interface Manual, to control and manage VMU portable media inventory, secure handling and movement of such media, and destruction of residual information; |
| (2) | perform an initial inventory of VMU portable media and annually reconcile, as appropriate; and |
| (3) | provide environmental protection for VMU portable media in accordance with the established procedures. |
| b. | VMU will approve initial inventory of VMU portable media and provide any updates as they occur. |
| 2.3 | OFFSITE STORAGE |
| a. | IBM will: |
| (1) | store tapes and paper documentation, as appropriate, at the off-site storage facility specified by VMU (non-Disaster recovery related); |
| IBM/VMU Confidential | Schedule A (Services) | Page 59 of 109 |
| (2) | manage off-site storage of tape media for vital records, back-up and recovery; |
| (3) | pack, label, scan and track all tape output and distribute to the mutually agreed drop point; |
| (4) | provide the required off-site tape storage facilities and services; |
| (5) | be responsible for the transportation of tapes between the Data Center and an off-site storage facility; and |
| (6) | transport tapes from a non-Disaster recovery off-site storage location to a designated facility. |
| b. | VMU will: |
| (1) | define requirements for off-site tape storage and archiving; and |
| (2) | provide physical tape media. |
| IBM/VMU Confidential | Schedule A (Services) | Page 60 of 109 |
Part 7: Data Network Services
| 1. | INTRODUCTION |
IBM will be responsible for LAN management, and firewall management for the IBM Data Center and the Facilities located at Xxxxxx, NJ and New York, NY. This responsibility includes the LAN Devices, Firewall Devices, network management platforms, and the design required to deliver the Services to VMU.
| 2. | IBM LAN RESPONSIBILITIES |
IBM will:
| a. | develop and maintain physical and logical network topology documentation; |
| b. | define, document and review thresholds, filters, traps and alarm parameters for LAN Devices, and Firewall Devices; |
| c. | provide recommendations and plans to optimize LAN performance; |
| d. | review and execute the back-up and recovery processes for the Data Network environment; |
| e. | procure LAN Devices and Firewall Devices; |
| f. | setup, configure, test, install and maintain the LAN Devices, and Firewall Devices and Software; |
| g. | establish and maintain an inventory of LAN Devices and Firewall Devices as set forth in Schedule G (Equipment); |
| h. | manage and track LAN problem tickets; |
| i. | assign responsibility and priority to LAN problems; |
| j. | perform initial diagnostics to isolate and repair problems; |
| k. | perform root cause analysis, as required; |
| l. | in accordance with the change management process, manage, test and implement approved LAN changes (i.e., planned and emergency); |
| m. | maintain backup and archive of configuration data for LAN Devices, and Firewall Devices; |
| n. | design and document fail-over for redundant network environments; |
| IBM/VMU Confidential | Schedule A (Services) | Page 61 of 109 |
| o. | develop and maintain VMU’s voice and data network architecture; |
| p. | control the network operating system security and administrative User IDs; |
| q. | manage and maintain all Firewall Devices that connect the IBM Data Center Network to the VMU Data Network that IBM requires to provide the Services; |
| r. | manage and maintain security controls for inter enterprise firewalls, gateways and dial-in services; and |
| s. | perform changes to firewall rule base, authentication configuration, user and session levels, routing tables, and network address translation. |
| 3. | VIRGIN MOBILE RESPONSIBILITIES |
VMU will:
| a. | provide the information, as IBM requests, for IBM’s connectivity to VMU’s network environment, such as a current diagram of the network topology; |
| b. | provide IBM with planning information affecting capacity requirements (for example, new applications, new projects, additional volumes, new users, changes in the distributed system physical architecture); |
| c. | notify IBM of any planned or emergency changes to VMU’s environment affecting the Services; |
| d. | assist with revalidation of User IDs; |
| e. | not penetrate or contract with or allow any third party or attempt itself to penetrate the hardware, software, logical environment, and other resources (such as, but not limited to, firewalls, routers, switches) used by IBM to provide the Services without prior notice to IBM; and |
| f. | not access or attempt to access IBM’s secure internal network or the resources or information of other IBM customers. |
| IBM/VMU Confidential | Schedule A (Services) | Page 62 of 109 |
Part 8: Enterprise Security Management Services
| 1. | INTRODUCTION |
IBM will maintain security controls that are consistent with the security controls implemented at VMU as of the Reference Date. IBM will work with VMU to detail VMU’s existing security controls, if necessary, and to develop a draft within the first three months after IBM has access to the servers a detailed document that will define the mutually agreed security policies and technical controls that IBM will implement as reasonably requested by VMU, on IBM managed systems, servers, and networks (the “Information Security Controls Document”). Final version of the Information Security Controls document will be completed within 180 days of the date that IBM has access to the servers. The Information Security Controls Document will include, at a minimum, the security responsibilities listed below and the security measures set forth in Section 10.4 of the Master Services Agreement (Security Measures). Any effort to transform VMU’s existing security controls implemented as of the Reference Date to the mutually agreed security controls, unless specifically and explicitly included in this Agreement, will be considered a New Service.
| 2. | SECURITY COMPLIANCE AND REGULATORY |
| 2.1 | SECURITY POLICY MANAGEMENT |
| a. | IBM will: |
| (1) | with VMU’s assistance, gather information to document the security controls VMU has in place as of the Reference Date to establish VMU’s IT security baseline and to define the technical specifications for the systems managed by IBM; |
| (2) | perform a gap analysis between the security controls VMU has in place as of the Reference Date and the Information Security Controls Document; |
| (3) | provide an initial threat identification summary based on the gap analysis and update the threat identification summary every 18 months thereafter. Such summary will contain: |
| (a) | identified threats organized by the ISO 17799 clauses, and |
| (b) | suggested remediation actions for each identified threat; |
| (4) | with VMU’s assistance, develop and implement the Information Security Controls Document; |
| IBM/VMU Confidential | Schedule A (Services) | Page 63 of 109 |
| (5) | define and document the privileged User IDs in the platform specific technical specifications set forth in the Information Security Controls Document; and |
| (6) | on a periodic basis, review the Information Security Controls Document with VMU and update, as appropriate. |
| b. | VMU will: |
| (1) | assist IBM in documenting the security controls VMU has in place as of the Reference Date; |
| (2) | provide contact, security policies and IT infrastructure information and any updates as they occur; |
| (3) | assist IBM in developing the Information Security Controls Document; |
| (4) | review the threat identification summary and take action, as appropriate; and |
| (5) | on a periodic basis, review the Information Security Controls Document with IBM and provide recommended updates, as appropriate. |
| 2.2 | SECURITY COMPLIANCE SUPPORT |
| a. | IBM will: |
| (1) | perform periodic security reviews to validate compliance (for example, validating access authorization per VMU’s instruction, the correct use of logical control features); and |
| (2) | identify and manage security risks and exposures within IBM’s control as part of the Services. |
| b. | VMU will identify and interpret legal, regulatory or other security requirements applicable to VMU’s business. |
| 2.3 | SECURITY AUDIT MANAGEMENT |
| a. | IBM will: |
| (1) | provide an IBM Focal Point with responsibility for account security audits; |
| (2) | communicate with and respond to auditor’s requests; |
| (3) | facilitate security audits and reviews; |
| (4) | perform non-compliance support audit activities for IBM internal audits, external client reviews and third party reviews; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 64 of 109 |
| (5) | coordinate issues resolution identified during the security audit process and provide recommendations for resolution. |
| b. | VMU will: |
| (1) | provide a VMU Focal Point with responsibility for account security audits; and |
| (2) | provide IBM with VMU’s security audit history (both internal and external) and security policies, standards and practices in effect as of the Reference Date and any updates as they occur. |
| 2.4 | REGULATORY PROGRAM MANAGEMENT |
| a. | IBM will: |
| (1) | assist VMU in the development of testing criteria for VMU-identified regulatory controls and implement, as appropriate; |
| (2) | utilize IBM processes, tools, and infrastructure, as appropriate, and maintain supporting documentation in support of VMU-identified regulatory controls; |
| (3) | in accordance with the VMU-identified regulatory controls, manage regulatory training for IBM and maintain supporting documentation; and |
| b. | VMU will: |
| (1) | provide VMU-identified regulatory controls; and |
| (2) | develop, with IBM’s assistance, testing criteria for VMU-identified regulatory controls. |
| 3. | SECURITY MANAGEMENT |
| a. | IBM will: |
| (1) | provide an IBM Focal Point with responsibility for security management; |
| (2) | review changes made or requested by VMU to its security policies and standards and advise VMU whether or not such changes: |
| (a) | can be implemented; and |
| (b) | if implemented, will be considered a New Service; |
| (3) | perform risk and issue management, including: |
| IBM/VMU Confidential | Schedule A (Services) | Page 65 of 109 |
| (a) | establishing procedures for logging, alarming and reporting of security violations and issues; |
| (b) | managing to resolution security risks identified as a result of reviews and audits, changes in IBM or VMU environment, changes in operating practices, processes or technology; and |
| (c) | notifying relevant parties of the risks, their potential impact and actions to mitigate the impact; and |
| (4) | provide monthly security report. |
| b. | VMU will: |
| (1) | provide a VMU Focal Point with responsibility for day-to-day security management; |
| (2) | communicate the security procedures to End Users (for example, login procedures, password requirements, use of anti virus programs, data and equipment security procedures); |
| (3) | notify IBM of changes VMU plans to make to its security policies and standards before implementation; and |
| (4) | provide any additional or unique resources (for example, hardware, software or other components, personnel) and perform any site modifications required to enable IBM to implement VMU’s security requirements. |
| 4. | INFRASTRUCTURE PROTECTION |
| 4.1 | EMERGENCY RESPONSE SERVICES |
| a. | IBM will: |
| (1) | provide telephone support for remote security incident response; |
| (2) | perform initial security incident consultation; |
| (3) | with VMU’s assistance, develop customized emergency response plans to help minimize the effect of future attacks; and |
| (4) | provide advice and guidance on such topics as Internet security incident assessment, preparedness, management, and response. |
| b. | VMU will: |
| (1) | assist in the development of customized emergency response plans; |
| IBM/VMU Confidential | Schedule A (Services) | Page 66 of 109 |
| (2) | declare a security incident; |
| (3) | determine if a security incident is a commercial privacy breach and implement emergency response plan as identified in the Information Security Controls Document, as appropriate; |
| (4) | escalate declared security incident in the VMU organization, as appropriate; and |
| (5) | provide contact and IT infrastructure information and any updates as they occur. |
| 4.2 | X-FORCE THREAT ANALYSIS SERVICES |
| a. | IBM will: |
| (1) | manage daily security threats through comprehensive evaluation of global online threat conditions and detailed analyses tailored for VMU; |
| (2) | provide daily summaries of current and forecast assessments for active vulnerabilities, viruses, worms and threats, including links to recommended fixes and security advice; |
| (3) | maintain a list of End User notification preferences. |
| (4) | provide customized and configurable notifications and current alert status; and |
| (5) | provide alert trending and attack metrics. |
| b. | VMU will: |
| (1) | provide a list of End User e-mail addresses to be monitored and any updates as they occur; and |
| (2) | provide a list of End User notification preferences as of the Signature Date. |
| 4.3 | MANAGED INTRUSION DETECTION AND PREVENTION SERVICES |
| a. | IBM will: |
| (1) | monitor, manage, configure and support network intrusion detection and intrusion prevention sensors; |
| (2) | in accordance with Section 17.7 of the MSA be responsible for resolving and remediating at its own expense, security events caused by the acts or omissions of IBM Personnel, and for security events not caused by the acts or omissions of IBM Personnel, IBM will coordinate the resolution and remediation of the security event at VMU’s expense; |
| IBM/VMU Confidential | Schedule A (Services) | Page 67 of 109 |
| (3) | actively or passively monitor network traffic and block known malicious activity in accordance with the security policy configuration; and |
| (4) | perform security policy configuration changes needed to resolve network connectivity issues and critical attacks. |
| b. | VMU will: |
| (1) | provide information regarding VMU’s IT infrastructure and notify IBM of changes made to such infrastructure that could impact the Services; and |
| (2) | request policy configuration changes needed to resolve network connectivity issues. |
| 4.4 | MANAGED PROTECTION SERVICES |
| 4.4.1 | Server |
| a. | IBM will: |
| (1) | monitor, manage and configure IBM ISS protection agents; |
| (2) | provide server based protection securing the underlying operating system by preventing attackers from exploiting the operating system and application level vulnerabilities; |
| (3) | monitor all traffic to and from the servers: |
| (a) | to detect and prevent inbound and outbound attacks; and |
| (b) | block new and unknown attacks such as Trojans, brute force attacks, unauthorized access and worms; |
| (4) | escalate security events via e-mail or the web portal, as appropriate; |
| (5) | implement virtual patches which provides active blocking capabilities so VMU is secure until patching of servers; |
| (6) | provide incident report following each escalation; and |
| (7) | provide high level and in-depth reporting via the web portal on the security of VMU’s servers. |
| b. | VMU will: |
| (1) | provide final approval with respect to plans to resolve and remediate security events and be financially responsible for the resolution and remediation of security events not caused by the acts or omissions of IBM Personnel; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 68 of 109 |
| (2) | provide information regarding VMU’s IT infrastructure and notify IBM of changes made to such infrastructure that could impact the Services. |
| 4.4.2 | Desktop |
| a. | IBM will: |
| (1) | monitor, manage and configure IBM ISS protection agents; |
| (2) | provide desktop based protection securing the underlying operating system by preventing attackers from exploiting the operating system and application level vulnerabilities; |
| (3) | implement virus prevention system, except on systems where such virus prevention may cause technical or performance problems, to pre-execute programs in a virtual environment to stop viruses before they have the opportunity to infect or damage data; |
| (4) | provide buffer overflow exploit protection to protect against known and unknown buffer overflow attacks; |
| (5) | monitor all traffic to and from the desktops: |
| (a) | to detect and prevent inbound and outbound attacks; and |
| (b) | block new and unknown attacks such as Trojans, brute force attacks, unauthorized access and worms; |
| (6) | implement adaptive policies used to alter an End User’s access level based on the source of the inbound connection (i.e., internal network, VPN, Internet); |
| (7) | implement virtual patches which provides active blocking capabilities so VMU is secure until patching of desktops; |
| (8) | implement logical policy groups and memberships; and |
| (9) | provide high level and in-depth reporting via the web portal on the security of VMU’s desktops. |
| b. | VMU will: |
| (1) | provide final approval with respect to plans to resolve and remediate security events and be financially responsible for the resolution and remediation of security events not caused by the acts or omissions of IBM Personnel; |
| (2) | provide information regarding VMU’s IT infrastructure and notify IBM of changes made to such infrastructure that could impact the Services; |
| IBM/VMU Confidential | Schedule A (Services) | Page 69 of 109 |
| (3) | retain control over security policy direction and workstation security configurations; and |
| (4) | define logical policy groups and memberships. |
| 4.5 | SECURITY EVENT AND LOG MANAGEMENT SERVICES |
| a. | IBM will: |
| (1) | collect security or log data in a text based format; |
| (2) | archive, analyze, correlate and trend events and logs, while managing response and remediation workflow; |
| (3) | provide security events and log data online for one year; |
| (4) | install universal log agent on data sources, as applicable; |
| (5) | update access control lists (ACL) and firewall rules required for identified devices to communicate with IBM; and |
| (6) | analyze security events from select intrusion detection and intrusion prevention devices and provide alerts via the web portal. |
| (7) | provide a list of devices and other required information (i.e., platform, software revision and version, IP addresses, log retention period per device) for which events and logs will be collected; and |
| (8) | identify access control lists (ACLs) and firewall rules required for identified devices to communicate with IBM. |
| 4.6 | RSA SECURITY |
| a. | IBM will: |
| (1) | Provide authorized VMU employees or contractors with RSA fobs; |
| (2) | Install applicable software on VMU employee or contractor workstation; |
| (3) | Verify current RSA solution is operational and meeting current needs; and |
| (4) | Install RSA upgrades when upgrades are available per the provided maintenance agreement. |
| b. | VMU will be financially responsible to: |
| (1) | provide RSA security FOBs; |
| (2) | provide server software that is current; |
| IBM/VMU Confidential | Schedule A (Services) | Page 70 of 109 |
| (3) | maintain software currency; and |
| (4) | provide current OEM support and maintenance contract. |
| 4.7 | E-MAIL SECURITY |
| a. | IBM will: |
| (1) | for anti-spam: |
| (a) | with VMU’s assistance, develop, implement and maintain the e-mail security policy, including violation reporting procedures; |
| (b) | scan VMU’s inbound e-mail for spam; |
| (c) | provide VMU with the capability to create filters to prevent spam and allow e-mail (i.e., black list, white list); and |
| (d) | using VMU provided black list and white list, identify spam and take action in accordance with the e-mail security policy (i.e., tag, redirect, delete). |
| (2) | for e-mail antivirus: |
| (a) | with VMU’s assistance, develop, implement and maintain the e-mail security policy, including violation reporting procedures; |
| (b) | scan VMU’s Internet level e-mail to detect viruses (i.e., known and unknown); |
| (c) | notify appropriate contact (for example, e-mail sender, intended recipient, e-mail administrator), in accordance with the established procedures, if an e-mail or attachment contains a virus; |
| (d) | handle infected e-mail in accordance with the established procedures; and |
| (e) | notify VMU of any virus infected e-mail that IBM was unable to intercept. |
| b. | VMU will: |
| (1) | provide an anti-spam black list and white list; |
| (2) | provide VMU’s business guidelines for End User e-mail security and any updates as they occur; |
| (3) | assist IBM in developing and implementing the e-mail security policy, including violation reporting procedures; |
| IBM/VMU Confidential | Schedule A (Services) | Page 71 of 109 |
| (4) | address any virus infected e-mail, in accordance with VMU personnel e-mail policies, that IBM was unable to intercept; and MEANING? |
| (5) | provide contact and IT infrastructure information and any updates as they occur. |
| 5. | SYSTEM SECURITY CURRENCY |
| 5.1 | SYSTEM SECURITY CHECKING |
| a. | IBM will: |
| (1) | install, test and maintain security policy verification software; |
| (2) | perform system security checks of mid-range servers, network devices, and system tools to validate compliance with the technical specifications documented in the Information Security Controls Document every 18 months. System security checks will be performed on a sample of systems. Checks will verify that: |
| (a) | anti-virus software is functional and operating on Supported Servers; |
| (b) | technical controls to enforce operating system password policy are in place; |
| (c) | logs of privileged access and log-on/log-off activities are being captured as defined in the Information Security Controls Document technical specifications; and |
| (3) | document identified issues and take corrective action on the findings, as appropriate. |
| b. | VMU will permit IBM to access systems as necessary to perform system security checks, as identified in the Information Security Controls Document. |
| 5.2 | SECURITY ADVISORY AND INTEGRITY |
| a. | IBM will for operating systems, software tools, and network infrastructure systems and devices managed by IBM: |
| (1) | monitor security patches; |
| (2) | notify VMU within 3 Business Days of IBM-rated high severity security patches; |
| (3) | install VMU-approved security patches within the following security change window parameters: |
| (a) | minimum of 8 hours for each scheduled security change window; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 72 of 109 |
| (b) | 24 security change windows are required per 1000 servers and an additional security change window for each range of 1 to 42 servers thereafter. |
| b. | VMU will evaluate advisory notifications from IBM and approve security patches for installation at least one Business Day before scheduled implementation date. |
| 5.3 | MALWARE DEFENSE MANAGEMENT |
| a. | IBM will: |
| (1) | install, test and maintain anti-malware software on Supported Servers and Supported Desktops; |
| (2) | push anti-malware definitions, vendor product updates, and policy and configuration updates to Supported Servers and Supported Desktops, as appropriate; |
| (3) | if malware is detected, take corrective action in accordance with the Information Security Controls Document (i.e., prevent, detect and remove malware infections and respond to malware security incidents); |
| (4) | notify VMU, in accordance with the established procedures, if malware is detected on a Supported Server or Supported Desktop; |
| (5) | perform virus definition, pattern file updates and policy configuration; and |
| (6) | provide monthly malware defense management reports. |
| b. | VMU will provide VMU’s security policy and any updates as they occur. |
| 5.4 | VULNERABILITY MANAGEMENT SERVICES |
| a. | IBM will: |
| (1) | maintain a list of VMU IP addresses to scan; |
| (2) | identify vulnerabilities within the network perimeter using IBM policies; |
| (3) | perform historical trending of vulnerability data; |
| (4) | provide vulnerability scanning reports which include: |
| (a) | scan results reflecting identified vulnerabilities for corrective action to be taken, as appropriate; and |
| (b) | summary reports and trend analysis provided via the web portal. |
| (5) | schedule and perform scans; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 73 of 109 |
| (6) | develop and maintain the scanning profile containing the following: |
| (a) | system and network devices to be scanned; |
| (b) | frequency of scanning; |
| (c) | type of scan; |
| (d) | vulnerabilities that are not security policy violations; and |
| (e) | time frames when scans will be executed. |
| b. | VMU will assist with the development of the scanning profile containing the following: |
| (1) | system and network devices to be scanned; |
| (2) | frequency of scanning; |
| (3) | type of scan; |
| (4) | vulnerabilities that are not security policy violations; and |
| (5) | time frames when scans will be executed. |
| 5.5 | INFORMATION SECURITY ASSESSMENT |
| a. | IBM will: |
| (1) | develop, maintain and implement the applicable processes and procedures for information security assessment; and |
| (2) | escalate attacks on access controls to the extent that full administrative authority may be obtained |
| (3) | in accordance with Section 17.7 of the MSA be responsible for resolving and remediating at its own expense, security events caused by the acts or omissions of IBM Personnel, and for security events not caused by the acts or omissions of IBM Personnel, IBM will coordinate the resolution and remediation of the security event at VMU’s expense. |
| b. | VMU will: |
| (1) | identify the system and network devices to be assessed; |
| (2) | attend a workshop with IBM to develop a detailed strategic plan to mitigate identified risks and to improve overall security posture; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 74 of 109 |
| (3) | provide final approval with respect to plans to resolve and remediate security events and be financially responsible for the resolution and remediation of security events not caused by the acts or omissions of IBM Personnel. |
| 6. | IDENTITY AND ACCESS |
| 6.1 | MANAGEMENT OF PRIVILEGED USER IDS AND IBM USER IDS |
| a. | For the operating systems, software tools and network infrastructure systems and devices under IBM management, IBM will: |
| (1) | with VMU’s assistance, perform a baseline inventory of access IDs; |
| (2) | perform the following provisioning and compliance activities: |
| (a) | provision and manage User IDs for IBM personnel and VMU personnel; |
| (b) | perform quarterly employment verification for IBM personnel and remove IBM User IDs, as appropriate; |
| (c) | administer passwords for IBM User IDs and privileged User IDs; |
| (d) | provision and manage the IBM and VMU privileged User IDs as defined in the platform specific technical specifications set forth in the Information Security Controls Document; |
| (e) | revalidate privileged authorizations annually (one way confirmation – no response required) and remove privileged User IDs, as appropriate; and |
| (f) | provide VMU a list of VMU privileged User IDs for revalidation; |
| (3) | maintain audit records for privileged User ID approvals, verifications and revalidations and retain such records for two years; |
| (4) | provide for VMU’s review and approval, as appropriate, non-expiring passwords and policy exception requests; and |
| (5) | capture system security logs of privileged access and log-on/log-off activities as defined in the Information Security Controls Document and retain log records for 60 days. |
| b. | VMU will: |
| (1) | authorize User IDs and passwords for VMU personnel for the operating systems, software tools and network infrastructure systems and devices under IBM management; and |
| (2) | revalidate VMU privileged User IDs. |
| IBM/VMU Confidential | Schedule A (Services) | Page 75 of 109 |
| 6.2 | PASSWORD MANAGEMENT FOR VMU USER IDS |
| a. | IBM will: |
| (1) | perform password resets for User IDs using VMU provided and maintained employee authentication data; and |
| (2) | investigate VMU User ID password issues, as identified by VMU. |
| b. | VMU will: |
| (1) | provide and maintain employee authentication data for VMU User IDs; and |
| (2) | establish the criteria for resetting passwords and disclosing such passwords to authorized personnel. |
| 6.3 | VMU USER ID LIFECYCLE ADMINISTRATION |
| a. | For the operating systems, software tools and network infrastructure systems and devices under IBM management, IBM will: |
| (1) | provision and manage VMU-identified User IDs for VMU personnel; and |
| (2) | investigate VMU User ID security issues, as identified by VMU. |
| b. | VMU will: |
| (1) | identify VMU User IDs; and |
| (2) | provide approved provisioning requests for User IDs for VMU personnel. |
| 6.4 | VMU USER ID ADMINISTRATION COMPLIANCE SUPPORT |
| a. | For VMU User IDs in-scope for VMU User ID Lifecycle Administration Services, IBM will: |
| (1) | perform annual employment verification (one way confirmation – no response required) and User ID revalidation for VMU personnel and remove User IDs, as appropriate; |
| (2) | perform annual revalidation (one way confirmation – no response required) of privileges and access to shared User IDs and remove such privileges and access, as appropriate; |
| (3) | maintain audit records for User ID and privileged User ID approvals, verifications and revalidations and retain such records for two years; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 76 of 109 |
| (4) | provide for VMU’s review and approval, as appropriate, non-expiring passwords and policy exception requests. |
| b. | VMU will: |
| (1) | revalidate VMU User IDs, privileges and access to shared User IDs; and |
| (2) | approve non-expiring passwords and policy exception requests, as appropriate. |
| 6.5 | PHYSICAL SECURITY AND ACCESS MANAGEMENT |
| a. | IBM will: |
| (1) | provide the following physical security controls at IBM facilities: |
| (a) | define controlled areas, perform a physical security assessment and document and manage closure of any identified control and audit issues; |
| (b) | perform initial access baseline review and execute formal revalidation for new protected and restricted areas; |
| (c) | develop and implement the access authorization processes; |
| (d) | manage the implementation of the physical security environment for the controlled areas; |
| (e) | perform maintenance, testing and daily operations of the physical security environment; and |
| (f) | manage permanent and temporary access authorization devices. |
| b. | VMU will: |
| (1) | provide and manage physical security controls at the Facilities (Schedule I); |
| (2) | manage closure of VMU-owned control and audit issues; and |
| (3) | protect LAN servers and infrastructure devices on VMU premises from unauthorized physical access. |
| IBM/VMU Confidential | Schedule A (Services) | Page 77 of 109 |
| 7. | ADDITIONAL SECURITY TERMS |
| 7.1 | GENERAL |
VMU acknowledges that the Services described herein constitute authorized access to VMU’s networks and computer systems.
| 7.2 | PERMISSION TO PERFORM TESTING |
Certain laws prohibit any unauthorized attempt to penetrate computer systems. VMU authorizes IBM to perform vulnerability scans and vulnerability assessments, if applicable, as described herein and acknowledges that IBM’s performance of the Services as authorized hereunder constitutes authorized access to VMU’s computer systems. VMU agrees not to disclose the results of the testing(other than as required by applicable laws, regulations and statutes) without IBM’s prior written approval.
| a. | The Services IBM performs entail certain risks. VMU acknowledges and agrees to the following: |
| (1) | VMU authorizes IBM to perform a security review of VMU’s selected IP addresses; |
| (2) | during such security review, excessive amounts of log messages may be generated resulting in excessive log file disk space consumption; |
| (3) | during such security review the performance and throughput of VMU’s system(s) as well as the performance and throughput of associated VMU routers and firewalls may be temporarily degraded; |
| (4) | if included in the scope of the Services, physical access during Service Hours is authorized on VMU’s premises during the attempts to penetrate the selected sites; |
| (5) | during such security review some data may be changed temporarily as a result of probing vulnerabilities; |
| (6) | during such security review VMU computer system(s) may hang or crash resulting in temporary system unavailability; |
| (7) | subject to IBM’s confidential obligations as set forth in the Master Services Agreement, IBM may disclose this grant of authority to a Third Party if deemed necessary; |
| (8) | IBM and VMU will agree on the testing black-out periods in advance of testing (as a Scheduled Outage); |
| (9) | if VMU requests a destructive testing option, and the vulnerability exists and is accessible from the Internet, then the system with the vulnerability will be disrupted by the testing and will probably require manual intervention by VMU to recover the system; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 78 of 109 |
| (10) | the scan may trigger alarms by intrusion detection systems. |
| b. | In the event that IP addresses owned by a Third Party will be subject to scanning hereunder, VMU understands and agrees to the following: |
| (1) | to obtain a signed letter from the owner of each such system authorizing IBM to provide Services on that system and indicating the owner’s acceptance of the conditions set forth above and to provide IBM with a copy of such authorization; |
| (2) | to be solely responsible for communicating any risks, exposures and vulnerabilities, identified on these computer systems by IBM’s remote testing, to the system owner and for ensuring that the system owner takes all appropriate actions; and |
| (3) | to arrange for and facilitate the exchange of information between the system owner and IBM as deemed necessary by IBM. |
| IBM/VMU Confidential | Schedule A (Services) | Page 79 of 109 |
Part 9: AD/M Services
| 1. | INTRODUCTION |
| a. | IBM agrees to perform the following AD/M Services and will work with VMU to prioritize and manage the work requests to be delivered. As of the completion of the AD/M transition, IBM will be responsible for providing AD/M Services for the Applications set forth in Schedule F (Software). The Parties acknowledge and agree that the Applications may be changed, supplemented or replaced during the Term at VMU’s discretion, including changes to or retirement of existing Applications, and development and implementation of new Applications, whether through performance of the Services or otherwise. Changes to, replacement, or retirement of the Application Software which alters the baseline staffing requirements specified in Schedule C will processed using the Change Control Procedure. |
| b. | IBM will use VMU’s current AD/M methodologies, standards, and business and IT architecture processes and procedures existing as of, and delivered to IBM prior to, the Reference Date to the extent that such processes and procedures are applicable to the new operating environment. In the event that VMU does not have existing processes and procedures as of the Reference Date or such processes and procedures do not apply to the new operating environment, IBM will document the processes and procedures for VMU’s environment existing prior to the Reference Date as required by IBM to perform the Services. The final Process Interface Manual will supersede all prior processes and procedures unless otherwise specified. |
| 2. | AD/M OPERATIONAL SERVICES |
IBM shall perform AD/M on the Application Software specified in Schedule F, as required to provide the Services within the scope of this Agreement. IBM and VMU agree to utilize the Change Control Process to assign, manage and prioritize the work request to be delivered across the Application Software listed in Schedule F.
| 2.1 | GENERAL RESPONSIBILITIES |
VMU has divided application areas into categories for purposes of the provision by IBM of its AD/M responsibilities. These areas each have been designated with appropriate resource levels of support to assure timely action for bug fix, small project turnaround and project design and budget estimates.
| 2.2 | ALLOCATION OF AD/M RESOURCES |
| a. | The Parties will participate in a jointly developed process to prioritize AD/M efforts and associated AD/M resources from the AD/M resource pool described in Schedule C to meet VMU business objectives. This process will include assessment of impacts due to AD/M resource reallocation. Final determination of the allocation and prioritization of such AD/M resources shall be made by IBM. If IBM advises VMU that a proposed allocation and /or prioritization of AD/M resources will adversely impact IBM’s ability to meet Service Levels, and VMU elects to proceed, then IBM will be relieved from Service Levels to the extent of such impact. |
| IBM/VMU Confidential | Schedule A (Services) | Page 80 of 109 |
| b. | IBM shall be responsible for maintaining quality assurance procedures, processes and methods including Software testing and acceptance for AD/M projects and New Services within the scope of the Agreement. IBM shall also be responsible for providing and implementing quality assurance processes and procedures that are necessary to ensure that IBM’s AD/M responsibilities within the scope of the Agreement are executed accurately and in a timely manner. |
| 2.3 | APPLICATIONS PROJECTS |
| a. | IBM shall utilize standard project management processes, to the extent appropriate based on the scope of work and the complexity of the deliverables to be provided under such project to ensure that the Applications Development projects are using resources efficiently and that deliverables are generated in a timely and cost effective manner. IBM shall update VMU on the status of each Applications Development project according to a time schedule mutually agreed to by the Parties, depending on the importance, priority, criticality or other factors of the particular Applications Development project, and shall provide VMU with such additional information at a level of detail to be mutually agreed upon. IBM will immediately notify VMU of Applications Development project delays which could impact any established time frames. |
| 2.3.2 | IBM RESPONSIBILITIES |
IBM will perform the following as part of the AD/M Services under the Agreement.
| a. | Project Management |
| (1) | IBM will implement a standard Applications Development project management methodology that will facilitate the planning, tracking, and reporting of activities required for the successful completion of project tasks. |
| (2) | IBM shall provide a single point of contact for project management and tracking. The Project Manager shall report project status weekly to VMU or at such other reasonable time as requested by VMU. |
| (3) | IBM shall develop a project plan, that may include an estimate of budget and resources needed on behalf of VMU. IBM shall present such project plan, budget and resource estimates to VMU for approval and may commence work on such projects only after receiving VMU’s approval in accordance with the Change Control Process. |
| (4) | Project plans will describe the level of staffing expected to be used, the type of staffing, the design, development, testing processes to be undertaken, the deliverables to be produced, the schedule for completion, and the integration and interoperability effect, if any, of the project on Systems and the Services within the scope of the Agreement. |
| IBM/VMU Confidential | Schedule A (Services) | Page 81 of 109 |
| (5) | IBM shall monitor projects to determine whether each project is being performed in accordance with the estimates for cost/budget, use of resources and timeline/schedule in the applicable project plan. IBM shall notify VMU if the actual cost or time schedule or resource availability for the project is expected to exceed or change the estimate, and all such costs shall be subject to the limitations as provided in Schedule C. VMU may cancel a project for any reason and IBM shall stop performing such project. |
| (6) | The Project Manager will provide technical direction and control for all Project personnel. The Project Manager will also create a framework for project communications and project reporting to include review checkpoints by VMU, reporting of measurements against plan, and review of project through the Change Control Process. |
| b. | Procedures |
These procedures shall be further described in detail in the Process Interface Manual but shall include at a minimum those procedures, processes and methods that exist on the Reference Date, including the following as mutually agreed upon:
| (1) | Backlog Management Activities – IBM shall be responsible for collecting, tracking, reporting, and aging work requests and responding to priorities for those requests as established by priority and budget by VMU. |
| (2) | Work Management – IBM shall be responsible for organizing, planning, tracking and reporting tasks associated with projects. These activities include: |
| (a) | Release Management – VMU shall approve the frequency with which IBM implements new releases. IBM shall be responsible for selecting and organizing work requests in logical units and the planning, tracking, and reporting of the work. |
| (b) | Estimating/Planning/Scheduling – IBM shall establish procedures and use supporting tools that will aid members of project teams and owners, users, and members of support staffs to improve the accuracy and consistency of their estimates, plans, and schedules and to compare them with actual results so that the procedures can be refined over time. |
| (c) | Risk Management – IBM shall identify the risks associated with projects and develop detailed plans to manage those in scope dependencies. Coordinate and alert VMU with respect to other projects and software releases whether or not in scope. |
| IBM/VMU Confidential | Schedule A (Services) | Page 82 of 109 |
| (d) | Dependency Management – IBM shall identify other projects and software releases that may have impacts on the current project and develop detailed plans to manage those in scope dependencies and coordinate and alert VMU with respect to other such projects and software releases whether or not in-scope. |
| (3) | Assurance Activities—IBM shall be responsible for establishing and maintaining procedures and standards for project deliverables. Assurance activities may include the following: |
| (a) | Technical reviews that may be formal or informal and are carried out by members of the project or software release team with the assistance of subject matter experts, when appropriate. |
| (b) | Project reviews that are carried out on a schedule, which is appropriate for the project’s scope, complexity, cost, or risk. |
| (c) | Inspections/walk-throughs that are carried out for project deliverables such as requirements and design documents, code, test plans, and test results as well as project plans. |
| (d) | Joint Application Requirements and Joint Application Design sessions (“JARs” and “JADs”) that are carried out by members of the Applications Development team and user representative selected by VMU to ensure the completeness, accuracy, and appropriateness of application requirements and design early in the Applications Development project cycle. |
| (e) | Process assurance that includes periodic assessments of standards and Applications Development project methodologies in terms of their currency and appropriateness in light of what has been learned from completed projects. |
| 2.3.3 | VMU RESPONSIBILITIES |
VMU will be responsible for the business related support activities to Application Development and implementation and support as described in this Section and will maintain appropriate levels of skilled personnel in business functional areas to perform these activities throughout the Term of the Agreement.
| a. | Identify opportunities for business functional improvement within the current Applications set including documenting and prioritizing activities; |
| b. | Make available to IBM existing processes and procedures as required by IBM to fulfill their responsibilities within the scope of the Agreement; |
| c. | Provide list of Authorized Users and periodically review and provide updated authorizations; |
| IBM/VMU Confidential | Schedule A (Services) | Page 83 of 109 |
| d. | Provide documentation of files as required by IBM, including file names, content and purpose/use to IBM; |
| e. | Prioritize work requests, manage the work groups and subcommittees of Authorized Users, align the work requests with the tactical and strategic goals of VMU and its commitments to its customers as well as resource and budget constraints; |
| f. | Provide timely notification of all governmental and regulatory changes to IBM in the form of work requests and include IBM in planning activities for corporate sponsored work requests which may be undertaken in support of VMU or its customers in other plans; |
| g. | Participate in working sessions with IBM to establish task plans for work items which will be carried out by VMU personnel, include those tasks in a master plan, and report progress against the plan in a timely and accurate manner; |
| h. | Participate in the development of detailed requirements and design for Applications during JARs and JADs for all projects; |
| i. | Mutually develop functional test criteria for all projects and changes, and describe in business terms before the project is undertaken so that user acceptance tests can be conducted to ensure the completeness and correctness of the business function provided by the new or changed application; and |
| j. | Mutually, with IBM, participate in reviews of completed projects and releases and in periodic reviews of installed applications and assess the completeness and accuracy of the business function provided, the adherence to established business controls, and the audibility of the Applications. |
| 3. | APPLICATION METHODOLOGIES, STANDARDS AND ARCHITECTURE |
| a. | IBM will: |
| (1) | conform to VMU’s requirements, user interface, machine interface, and programming standards (for example, GUI, EDI and IP) as set forth in the AD/M processes and procedures; |
| (2) | assess the impact of VMU’s application software standards on Third Party agreements and communicate to VMU, as appropriate; |
| (3) | develop and implement processes and procedures to meet application software standards; |
| (4) | conform with VMU’s business and IT architecture; |
| (5) | develop and maintain, with VMU’s direction and approval, Applications architecture; |
| IBM/VMU Confidential | Schedule A (Services) | Page 84 of 109 |
| (6) | with VMU’s assistance, develop, distribute, communicate, use and comply in accordance with VMU’s technical architecture and design guidelines; and |
| (7) | maintain audit compliance with IT design guidelines. |
| b. | VMU will: |
| (1) | provide VMU’s requirements, user interface, machine interface, programming standards, application software standards and VMU’s business and IT architecture and any updates as they occur; |
| (2) | provide direction and approval to IBM for development and maintenance of the Applications architecture; |
| (3) | provide VMU’s technology and data standards and enterprise data model; |
| (4) | provide VMU’s technical architecture and product standards; and |
| (5) | assist IBM in the development, distribution, communication, use and compliance with VMU’s technical architecture and design guidelines. |
| 4. | APPLICATION PLANNING AND ANALYSIS SERVICES |
| a. | IBM will: |
| (1) | analyze the objectives for the overall Applications portfolio and individual Applications programs, and assess the current and planned technical environment; |
| (2) | work with VMU to identify requirements, including online help functionality, as necessary; |
| (3) | develop technical specifications for a proposed application and/or changes to an existing Application, with VMU’s prior approval; |
| (4) | develop initial Applications project plans, quality assurance plans, risk assessment plans, test plans, implementation plans and operations and support plans, as needed; |
| (5) | verify that AD/M plans are consistent with VMU’s technical architecture and product standards; |
| (6) | perform initial technical analysis for Applications Development; |
| (7) | define high-level data requirements for Applications under development; |
| (8) | document and maintain technical Applications requirements; |
| IBM/VMU Confidential | Schedule A (Services) | Page 85 of 109 |
| (9) | develop initial integration requirements for Applications, including legacy environments; |
| (10) | assess the existing infrastructure to support the Applications requirements and provide recommendations to VMU; |
| (11) | perform a make versus reuse versus buy analysis for Application Development; |
| (12) | recommend commercially available Third Party software products requiring little or no customization, as appropriate; |
| (13) | analyze Third Party developed application software, as requested by VMU, and inform VMU when such software does not comply with architecture standards and strategy; |
| (14) | develop an initial Application Development project plan, including proposed Deliverables, and provide to VMU for approval; |
| (15) | perform and maintain a project risk analysis; |
| (16) | integrate quality management, improved productivity and operation, and support management into the Application Development plan, as appropriate; |
| (17) | conduct planning, analysis and progress reviews with VMU; and |
| (18) | provide IBM-related information for Application Development for VMU’s return on investment (ROI) analysis and cost/benefit justification. |
| b. | VMU will: |
| (1) | be responsible for program management (VMU management of internal budgets, priorities, business decisions, etc.); |
| (2) | serve as the primary contact to End Users for requirements gathering and definition; |
| (3) | work with IBM to identify requirements, including online help functionality, as necessary; |
| (4) | provide VMU’s prior approval to IBM for development of functional and technical specifications for a proposed application and/or changes to an existing Application; |
| (5) | review and approve initial Application Development project plan and proposed Deliverables; |
| IBM/VMU Confidential | Schedule A (Services) | Page 86 of 109 |
| (6) | request IBM analyze Third Party developed application software and inform VMU when such software does not comply with architecture standards and strategy; |
| (7) | attend planning, analysis and progress reviews with IBM; |
| (8) | perform return on investment (ROI) analysis and cost/benefit justification for Application Development; and |
| (9) | provide timely response to process level changes presented by IBM. |
| 5. | APPLICATION DEVELOPMENT SERVICES |
| 5.1 | IN-PROGRESS APPLICATION DEVELOPMENT PROJECTS |
| a. | IBM will: |
| (1) | review and verify project schedules and budgets for completeness and viability within 90 days of VMU’s identification of the in-progress Application Development projects; and |
| (2) | perform projects in accordance with VMU’s in-progress Application Development list. |
| b. | VMU will: |
| (1) | within the first 30 days following the Signature Date, provide a prioritized list of VMU’s in-progress Application Development projects to be delivered in the AD/M Baseline; |
| (2) | approve the project schedules and budgets for the in-progress Application Development projects; and |
| (3) | provide any updates to the in-progress Application Development projects list. |
| 5.2 | OTHER IBM SUPPORT |
| a. | IBM will, upon VMU’s request: |
| (1) | provide the following to VMU’s designated Third Party service provider(s): |
| (a) | infrastructure requirements and guidelines for support, standards and methodology; |
| (b) | interface requirements including application source code; |
| (c) | integration standards and guidelines for implementation; |
| IBM/VMU Confidential | Schedule A (Services) | Page 87 of 109 |
| (2) | provide interface testing of Third Party products; |
| (3) | assist Third Party service provider(s) with implementation of application software; and |
| (4) | accept Third Party service provider(s) application software for Application Maintenance, which will be defined by IBM and VMU on a case-by-case basis in accordance with production sign-off, deficiency report and acceptance for maintenance. |
| b. | VMU may engage Third Party service providers to develop and implement application software and will request IBM’s assistance, as required. |
| 5.2.2 | APPLICATION RELEASE MANAGEMENT |
| a. | IBM will: |
| (1) | maintain the existing release process (for interim and core releases) in place at VMU for releases (including IVR secondary releases) and any proposed changes to such process will be approved by VMU which process requires changes to the functionality of the VMU Application suite to be documented with Business Requirements Documents (BRDs) and Business Change Requests (BCRs), and for such BRDs and BCRs to be prioritized and targeted for inclusion in scheduled releases by the VMU Project Steering Committee; |
| (2) | deliver 6 major scheduled application releases per year, the dates to be scheduled by the VMU Project Steering Committee, with advice and consent of IBM; |
| (3) | deliver a performance tuning release in fourth quarter of each year in order to meet the forecast service demand and application load for each year end holiday season, and to optimize the performance of the VMU Applications and infrastructure prior to the start of each holiday season; |
| (4) | ensure that release contains approximately 50 BCRs, each of which that is a specification document is a specification document that describes the requirements for new functionality or changes in application functionality that may be included in a release. VMU will define the content and plan of each release through the Product Steering Committee with involvement and consent from IBM; |
| (5) | ensure that each release contain a combination of BCRs that consist of : (a) 20-40 small BCRs (i.e., those taking less than 100 person hours to design and implement), (b) 5-25 medium BCRs (i.e., those taking between 100-400 person hours to design and implement), and/or (c) up to 2-10 large BCRs (i.e., those taking over 400 person hours to design and implement); |
| IBM/VMU Confidential | Schedule A (Services) | Page 88 of 109 |
| (6) | plan and execute future BCRs for annual releases and schedules similar to the following action plan below which describes the releases that occurred in 2007: |
| Zero | Less than 40 | 40 to 100 | 100 to 200 | 200 to 300 | 300 to 400 | 400 to 500 | greater than 500 | Total | Total Hours | |||||||||||
| Release 6.0 |
25 | 5 | 8 | 6 | 1 | 45 | 1780 | |||||||||||||
| Release 6.1 |
1 | 10 | 15 | 14 | 5 | 2 | 1 | 48 | 5789 | |||||||||||
| Release 6.2 |
11 | 14 | 12 | 9 | 2 | 0 | 0 | 48 | 3014 | |||||||||||
| Release 6.3 |
2 | 13 | 16 | 9 | 3 | 1 | 1 | 45 | 3442 | |||||||||||
| Release 6.4 |
3 | 9 | 15 | 9 | 1 | 1 | 38 | 3021 | ||||||||||||
| Release 6.5 |
2 | 8 | 24 | 9 | 1 | 44 | 3289 | |||||||||||||
| Total |
44 | 59 | 90 | 56 | 11 | 5 | 1 | 2 | 268 | 20335 |
| (7) | execute major application releases (planning, development, testing, documentation, etc.) based upon the BCRs, as appropriate; |
| (8) | jointly with VMU, agree upon content/requirements for each BCR; |
| (9) | execute minor/emergency application releases (planning, development, testing, documentation, etc.), as appropriate and as mutually agreed between VMU and IBM; |
| (10) | assist infrastructure for release to production; |
| (11) | ensure that the overall hours for each year will be reported and prioritized within the baseline hours (by application) as specified in Schedule C. Additional resource requirements will be accommodated as an ARC, or for larger project resources will be accommodated using the Hourly Rates specified in Schedule C; and |
| (12) | IBM will provide at least the equivalent labor effort as provided by the VMU Application Development and Quality Assurance organizations for the year prior to the Reference Date, or a minimum of 41 Development FTE employees and 27 QA FTE employees, with the labor hours provided by an FTE employee as defined in Schedule C. Overall hours for each year will be reported and prioritized within the baseline hours (by application) as specified in Schedule C. Additional resource requirements necessary to perform application development tasks or quality assurance tasks not described in this Schedule A or beyond the baseline resources in Schedule C will be accommodated as an ARC, or for larger projects resources will be accommodated using the Hourly Services Rates specified in Schedule C. |
| b. | VMU will: |
| (1) | manage the master list of BCRs in the backlog; |
| (2) | determine and fully document the scope of all BCRs; |
| (3) | determine the content of each release (number and size of BCRs); and |
| (4) | jointly with IBM, agree upon content/requirements for each BCR. |
| IBM/VMU Confidential | Schedule A (Services) | Page 89 of 109 |
| 5.2.3 | TECHNICAL RELATIONSHIP MANAGEMENT |
| a. | VMU will engage Third Party service providers to develop and implement application software and will request IBM’s assistance, if required; |
| b. | IBM will, upon VMU’s request, provide the following to VMU’s designated Third Party service provider(s): |
| (1) | infrastructure requirements and guidelines for support, standards and methodology; |
| (2) | interface requirements including application source code; |
| (3) | integration standards and guidelines for implementation (engineering, development, implementation); |
| (4) | assist with interface testing; |
| (5) | assist Third Party service provider(s) with implementation of application software; |
| (6) | accept Third Party service provider(s) application software for Application Maintenance, which will be defined by IBM and VMU on a case-by-case basis in accordance with production sign-off, deficiency report and acceptance for maintenance; |
| (7) | provide reporting related to uptime and data integrity; |
| (8) | assist with capacity planning; and |
| (9) | provide change management services via the change management process set forth in the Process Interface Manual. |
| c. | VMU will provide for the following or Third Party service providers: |
| (1) | budget and contract management; |
| (2) | relationship management; and |
| (3) | revenue reconciliation. |
| d. | VMU and IBM will jointly: |
| (1) | develop a roadmap related to Third Party service providers; and |
| (2) | review on a quarterly basis all such Third Party service provider technical relationships. |
| IBM/VMU Confidential | Schedule A (Services) | Page 90 of 109 |
| 5.2.4 | ENGINEERING (VOICE, DATA SERVICES, MESSAGING) |
| a. | IBM will: |
| (1) | Manage development lifecycle for voice messaging and data platforms: |
| (a) | consult with VMU product managers on product evolution; |
| (b) | receive business requirements; identify options for development to meet requirements; |
| (i) | support product managers to assess capabilities and relative merits of outsourced providers, as requested; |
| (ii) | identify platforms/vendors which can be integrated into existing environment to fulfill requirements; and |
| (iii) | establish architecture(s) and supporting data requirements for relevant options; |
| (c) | provide input (cost, timing) to VMU business cases, as requested; |
| (d) | with VMU, establish final budget and project plan for requested feature(s); |
| (e) | manage implementation of requested feature(s): |
| (i) | coordinate delivery and installation of hardware/software/configuration, as required; |
| (ii) | make required network changes; |
| (iii) | perform unit testing of software/systems; |
| (iv) | perform integration testing of new systems/partners; and |
| (v) | support QA, UAT of software/platforms during release cycle; and |
| (f) | install infrastructure, network, code in production environment; |
| (2) | manage operations of rating platform: |
| (a) | manage platform capacity: |
| (i) | translate VMU business metrics to relevant platform metrics; |
| (ii) | measure platforms based on agreed metrics; |
| (iii) | provide quarterly reporting based on these metrics; |
| IBM/VMU Confidential | Schedule A (Services) | Page 91 of 109 |
| (iv) | recommend annual budget for capacity growth based on VMU forecast; and |
| (v) | manage capacity growth/shrinkage by platform on an annual (planned) basis, or if necessary on an ad hoc (emergency) basis; |
| (b) | monitor proper platform operation: |
| (i) | establish appropriate alarms to detect abnormal platform conditions; |
| (ii) | respond to and correct platform malfunctions (including hardware, software, network, partner interfaces, data processing, reporting, etc.); |
| (iii) | provide root cause analysis for service impacting issues; and |
| (iv) | monitor usage/traffic by platform/service, investigate declines/spikes in service traffic |
| b. | VMU will: |
| (1) | manage product/feature development: |
| (a) | provide business requirements for changes (new services, new features, modification of existing services/features); |
| (b) | create and manage business case(s) for product(s)/feature(s); |
| (c) | collaborate with IBM on platform/technology roadmap, release schedule(s); |
| (d) | select product solution(s) when multiple options exist; |
| (e) | perform acceptance testing of new product(s)/feature(s); and |
| (2) | provide actual and forecast business metrics to facilitate platform capacity planning. |
| 5.2.5 | EXPRESS TABLE MANAGEMENT |
| a. | IBM will: |
| (1) | ensure the timely movement of call detail records from the rating platform to the express tables in support of reporting for revenue recognition; |
| (2) | ensure the integrity and reliability of the process of moving call detail records from the rating engine to the express tables; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 92 of 109 |
| (3) | ensure the appropriate levels of security (authentication, authorization and access) to VMU for the express tables for the purposes of revenue recognition reporting. |
| 5.2.6 | CUSTOMER PROFILE UPDATE (CPU) |
| a. | IBM will: |
| (1) | ensure timely processing of CPU requests; and |
| (2) | work with VMU to determine priority of processing of CPU requests with overall workload. |
| b. | VMU will: |
| (1) | ensure the validity of all CPU requests with overall business objectives; and |
| (2) | work with IBM to determine priority of processing of CPU requests with overall workload. |
| 5.2.7 | DATABASE REPORT REQUESTS (DRR) |
| a. | IBM will: |
| (1) | ensure timely processing of DRRs; and |
| (2) | work with VMU to determine priority of processing of DRRs with overall workload. |
| b. | VMU will: |
| (1) | ensure the validity of all DRRs with overall business objectives; and |
| (2) | work with IBM to determine priority of processing of DRRs with overall workload. |
| 5.2.8 | CUSTOMER COMMUNICATION REQUESTS (CCR) |
| a. | IBM will: |
| (1) | ensure timely processing of CCRs; and |
| (2) | work with VMU to determine priority of processing of CCRs with overall workload. |
| b. | VMU will: |
| (1) | ensure the validity of all CCRs with overall business objectives; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 93 of 109 |
| (2) | work with IBM to determine priority of processing of CCRs with overall workload. |
| 6. | APPLICATION TESTING SERVICES |
| 6.1 | APPLICATION TESTING |
| a. | IBM will perform the following test services for Applications developed or modified by IBM or for application software developed or modified by Third Party service provider(s) as set forth in Schedule F (Software): |
| (1) | develop unit, functional, system, performance, load, stress, integration and regression test plans and schedules; |
| (2) | coordinate and conduct tests (i.e., unit, functional, system, performance, load, stress, integration, LAN/WAN connectivity, regression) for compatibility with VMU’s production environment prior to release into production; |
| (3) | develop and maintain test data and repositories in support of Applications set forth in Schedule F (Software); |
| (4) | record and report test results to VMU, as requested; |
| (5) | complete test documentation; |
| (6) | correct defects in Applications developed or maintained by IBM, including interface specifications between such software and Third Party software and use reasonable efforts to coordinate the correction of defects to such Third Party software; and |
| (7) | monitor and review production defects in order to improve test models. |
| b. | VMU will: |
| (1) | provide test business requirements; |
| (2) | request test results, as necessary; perform all handset which is necessary for the release; and |
| (3) | verify compliance with VMU’s testing business requirements. |
| 6.2 | USER ACCEPTANCE TESTING |
| a. | IBM will: |
| (1) | assist VMU in performing user acceptance testing for VMU’s Applications developed or modified by IBM, using VMU’s test environment; |
| IBM/VMU Confidential | Schedule A (Services) | Page 94 of 109 |
| (2) | with VMU’s assistance and approval, develop user acceptance test plans, test cases, and acceptance criteria; |
| (3) | assist VMU with recording and reporting test results as requested by VMU; |
| (4) | complete test documentation; and |
| (5) | correct defects in Applications developed or maintained by IBM, including interface specifications between such software and Third Party software and use reasonable efforts to coordinate the correction of defects to such Third Party software. |
| b. | VMU will: |
| (1) | coordinate and perform user acceptance testing; |
| (2) | record, report and approve end user acceptance test results; and |
| (3) | approve the Applications, developed or maintained by IBM, to be promoted to production. |
| 7. | APPLICATION IMPLEMENTATION MANAGEMENT |
| a. | IBM will: |
| (1) | with VMU’s assistance and approval, develop implementation, transition and data migration strategies and plans; |
| (2) | execute and maintain implementation, transition and data migration strategies and plans; |
| (3) | develop and report business and technical risks and impact analyses; |
| (4) | identify potential implementation conflicts and coordinate resolution with appropriate parties; |
| (5) | with VMU’s assistance and approval, develop a implementation contingency strategy and plan (i.e., back out procedures, notification and escalation lists, work-around plans, affected resources, and risk assessments) and execute such plan, as appropriate; |
| (6) | perform and monitor installation of the Applications developed or modified by IBM; |
| (7) | coordinate the installation of Equipment and Systems Software for the Applications developed or modified by IBM; |
| (8) | migrate VMU’s data, as applicable; |
| IBM/VMU Confidential | Schedule A (Services) | Page 95 of 109 |
| (9) | document and report installation results of the Applications; |
| (10) | conduct post implementation analysis (i.e., technical analysis, effectiveness, cost, and end users satisfaction) of Application Software and report results, including lessons learned and recommendations for continuous improvement, to VMU; and |
| (11) | obtain VMU’s approval of the installation of the Applications. |
| b. | VMU will: |
| (1) | assist IBM with development of and approve implementation, transition, data migration and contingency strategies and plans; and |
| (2) | approve the Applications developed or maintained by IBM. |
| 7.2 | TRAINING AND EDUCATION |
| a. | IBM will: |
| (1) | provide training to the Help Desk personnel providing Xxxxx 0 support before any new Applications or functionality is installed into production; |
| (2) | provide and maintain systems documentation for IBM developed, enhanced, or maintained Applications such that the Help Desk will be able to resolve Level 1 problems for Applications without requiring a transfer to a specialized Applications Help Desk; and |
| (3) | as requested by VMU, provide technical documentation and assistance to VMU for orientation training. |
| b. | VMU will: |
| (1) | with IBM’s assistance if necessary, prepare documentation and provide VMU orientation training; and |
| (2) | provide any functional or business specific training to the Help Desk personnel providing Level 1 and Level 2 support before any new Applications or functionality is installed into production, if necessary to perform the Services. |
| 8. | APPLICATION MAINTENANCE SERVICES |
| 8.1 | CORRECTIVE MAINTENANCE |
| a. | IBM will: |
| (1) | provide Application Operations to fully and expeditiously resolve application incidents; |
| IBM/VMU Confidential | Schedule A (Services) | Page 96 of 109 |
| (2) | prioritize application problems in accordance with the Severity Codes (Severity Code – means the severity designation assigned to a problem (for example, Severity Xxxxx 0, Xxxxxxxx Xxxxx 0): |
| (3) | perform problem analysis, including identification of the source of the problem; |
| (4) | determine appropriate runtime changes to resolve incident and/or repair Applications Software defects to enable such software to provide the functionality that would be provided but for such defect(s) unless otherwise requested by VMU; |
| (5) | perform a root cause analysis for Severity Level 1 problems, as requested by VMU; |
| (6) | prepare and, upon VMU’s approval, implement a plan for Severity Level 1 problems; |
| (7) | prepare and, upon VMU’s approval, implement a plan for Severity Xxxxx 0 and Severity Level 3 problems; and |
| (8) | provide status updates to the Help Desk, and/or an End User, as appropriate, during problem resolution. |
| b. | VMU will: |
| (1) | approve or change, with IBM concurrence, Severity Code assignments; |
| (2) | approve IBM’s plan for Severity Level 1 problems; and |
| (3) | approve IBM’s plan for Severity Xxxxx 0 and Severity Level 3 problems. |
| 8.2 | PREVENTIVE MAINTENANCE |
| a. | IBM will: |
| (1) | provide Application Operations to ensure the effective delivery of services and to provide early detection of potential incidents related to the services; |
| (2) | perform problem analysis on problem history, including identification of the source of the problem; |
| (3) | perform preventive maintenance analysis to address events (for example, changing business volumes, special testing for financial and/or calendar year end, daylight savings time, repetitive problems with like root causes), as identified by IBM and/or VMU, that could adversely impact the Applications; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 97 of 109 |
| (4) | prepare and implement a plan upon VMU’s approval, to proactively address the problems and implement runtime improvements and/or application repair or improvement. |
| b. | VMU will: |
| (1) | identify events (for example, changing business volumes, special testing for financial and/or calendar year end, daylight savings time) that could adversely impact the Applications; and |
| (2) | approve IBM’s plan. |
| 8.3 | ADAPTIVE MAINTENANCE |
| a. | IBM will, as directed by VMU: |
| (1) | perform adaptive maintenance analysis to address Applications performance and End Users usability issues due to the implementation of new Applications and changes to the Applications interfaces or VMU’s environment (existing Applications and Equipment), as identified by IBM and/or VMU, that could adversely impact the Applications; and |
| (2) | prepare and implement a plan upon VMU’s approval. |
| b. | VMU will: |
| (1) | identify Applications performance and End Users usability issues due to the implementation of new Applications and changes to the Applications interfaces or VMU’s environment (existing Applications and Equipment), that could adversely impact the Applications; and |
| (2) | approve IBM’s plan. |
| 8.4 | SOFTWARE RELEASE PACKAGING |
| a. | IBM will: |
| (1) | package software changes into releases by Application; |
| (2) | manage and track software version changes and provide such information upon VMU’s request; and |
| (3) | deploy software release packages upon VMU’s request. |
| b. | VMU will: |
| (1) | request software version change information, as required; and |
| (2) | notify IBM for deployment of software release packages. |
| IBM/VMU Confidential | Schedule A (Services) | Page 98 of 109 |
| c. | IBM and VMU will mutually agree to the regularity of release deployment (e.g., 6 releases per year, month end, quarterly). |
| 8.5 | TECHNICAL AND END USER SUPPORT |
IBM will:
| a. | provide technical assistance regarding Application processes and tools; |
| b. | provide Level 1 assistance via the Help Desk which hands off Application problems to Xxxxx 0, as appropriate; and |
| c. | provide Level 2 and Level 3 technical assistance as designated by VMU (for example, to End Users and/or VMU Subcontractors). |
| 8.6 | MONITORING AND REPORTING |
IBM will:
| a. | provide monitoring, tracking, escalation, resolution, and reporting of Application problems; |
| b. | define and implement a process for reporting Application problems to VMU on a monthly basis; and |
| c. | provide VMU a listing of AD/M Projects under development on a monthly basis. |
| 9. | AD/M MANAGEMENT |
| 9.1 | APPLICATION PROJECT MANAGEMENT |
| a. | IBM will: |
| (1) | upon VMU’s request, propose new Application Development or Application Enhancement services, to include the following: |
| (a) | a project plan describing the approach and project timeline; |
| (b) | cost and resource estimates for each phase of the Application Development or Application Enhancement (i.e., design, programming, testing, training, implementation); |
| (c) | cost estimates for the ongoing maintenance and support resource requirements and costs for the Applications post-implementation; |
| (2) | upon VMU’s approval, implement proposed Application Development or Application Enhancement services; |
| IBM/VMU Confidential | Schedule A (Services) | Page 99 of 109 |
| (3) | integrate new Application Development or Application Enhancement services with VMU’s life cycle methodologies and tools; |
| (4) | utilize IBM’s project management principles that meet the following requirements: |
| (a) | use VMU’s approved project management tools; |
| (b) | recommend, maintain and update a list of IBM’s work activities and projects; |
| (c) | develop, maintain and update project schedules; |
| (d) | monitor, track and report actual results versus forecasted results; |
| (e) | perform variance analysis; |
| (f) | monitor and report progress, and institute corrective action against the plan; |
| (g) | hold status update meetings according to the project plan; |
| (h) | establish a critical employee list for each AD/M project; |
| (i) | provide necessary resources for Applications support and projects; |
| (j) | assess technology risks; and |
| (5) | develop and provide to VMU, on a monthly basis, a summarized project status report, including a project description, red-yellow-green indication for project schedule, project cost to date, and overall project status. |
| b. | VMU will: |
| (1) | request new Application Development or Application Enhancement; and |
| (2) | approve proposed Application Development or Application Enhancement services. |
| 9.2 | CAPABILITIES MANAGEMENT |
IBM will:
| a. | manage skills planning and skills balancing activities; |
| b. | plan education and training of IBM employees for current and anticipated projects and releases and balance those skills across projects; |
| c. | perform technical vitality activities; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 100 of 109 |
| d. | cross-train IBM employees dedicated to the VMU account to the extent such training does not interfere with IBM’s performance of the Services. |
| 9.3 | APPLICATION SOURCE CODE SECURITY |
| a. | IBM will: |
| (1) | implement VMU approved security and password change requirements associated with Application code and executable modules; |
| (2) | monitor and restrict access to Application source code and data; |
| (3) | upon VMU’s request, comply with ad hoc, annual audit and regulatory requests; |
| (4) | perform Application source code and data security audits and provide such results to VMU; and |
| (5) | report security violations. |
| b. | VMU will provide requirements for IBM to comply with ad hoc, annual audit and regulatory requests. |
| 9.4 | DATA INTERFACES |
IBM will provide and document data interfaces to new and existing Applications, Third Party Software packages, end users computing systems, temporary or transitional interfaces between systems and data conversions to provide homogeneous systems in accordance with VMU’s technology and data standards and enterprise data model.
| 9.5 | EXISTING OR NEW APPLICATION INTEGRATION |
| a. | IBM will in accordance with Section 8.1 (Application Project Management): |
| (1) | evaluate compatibility, benefits and risks of the new Applications with the existing Applications and provide an assessment to VMU; |
| (2) | integrate new Applications with the existing Applications; |
| (3) | perform application integration testing; and |
| (4) | track and resolve compatibility issues. |
| b. | VMU will, in accordance with Section 8.1 (Application Project Management), review the assessment and approve integration. |
| 10. | APPLICATION QUALITY ASSURANCE OF AD/M SERVICES |
| a. | IBM will: |
| IBM/VMU Confidential | Schedule A (Services) | Page 101 of 109 |
| (1) | document and implement quality assurance processes and procedures for the delivery of AD/M; |
| (2) | with VMU’s assistance, set baselines for quality measurement in AD/M environments; |
| (3) | document, implement and review with VMU quality assurance metric processes (i.e., measure effort, size, schedule and quality) for the delivery of AD/M; |
| (4) | with VMU’s assistance, define and maintain customer satisfaction scorecards; |
| (5) | conduct annual customer satisfaction survey and provide such results to VMU; and |
| (6) | take corrective actions to address customer satisfaction survey results. |
| b. | VMU will: |
| (1) | assist IBM in setting baselines for quality measurement in all AD/M environments; |
| (2) | assist IBM in defining customer satisfaction scorecards; and |
| (3) | complete annual customer satisfaction survey. |
| IBM/VMU Confidential | Schedule A (Services) | Page 102 of 109 |
Part 10: [Intentionally Deleted]
| IBM/VMU Confidential | Schedule A (Services) | Page 103 of 109 |
Part 11: Voice Network Services
| 1. | GENERAL SERVICES |
IBM will provide the following Voice Network Services to VMU using the processes set forth in the Process Interface Manual. IBM will implement and manage the mutually agreed telecommunications security practices in accordance with the Services set forth in this Agreement. Unless otherwise agreed by VMU and IBM, IBM will provide such Voice Network Services during the Service Hours.
| 2. | PHONE SERVICES |
| 2.1 | Phone Engineering |
IBM will:
| a. | perform PBX management (coordinating third party services requests), including performing related IMAC Services for the Voice Network Equipment specified in Schedule G (Equipment); |
| b. | perform PBX programming, including feature and function software upgrades (provided by the vendor at no additional charge) and changes to support End User requirements; |
| c. | provide logical access security for local PBX, including maintenance passwords and associated administrative support; and |
| d. | provide management statistics, including standard and mutually agreed custom reporting. |
| 2.2 | ACD |
IBM will:
| a. | perform ACD management; |
| b. | coordinating ACD programming with the third party vendor, including changes to support End User and VMU customer requirements; |
| c. | provide logical access security for local ACD, including maintenance passwords and associated administrative support; |
| d. | provide call flow consultation and design; |
| e. | provide management statistics, including standard and mutually agreed custom reporting; and |
| IBM/VMU Confidential | Schedule A (Services) | Page 104 of 109 |
| f. | provide cross functional support for adjunct contact center applications (for example, CTI, IVR) and voice and data capture applications. |
| 2.3 | Voice Mail |
IBM will:
| a. | perform voice mail management (coordinating third party services requests), including performing related IMAC Services for the Voice Network Equipment specified in Schedule G (Equipment); |
| b. | perform voice mail programming, including feature and function software upgrades (provided by the vendor at no additional charge) and changes to support End User requirements; and |
| c. | provide logical access security for local voice mail, including maintenance passwords and associated administrative support. |
| 2.4 | IVR / Call Processing |
IBM will:
| a. | perform IVR / call processing management, including performing related IMAC Services for the Voice Network Equipment specified in Schedule G (Equipment); and |
| b. | perform IVR / call processing programming, including feature and function software upgrades (provided by the vendor at no additional charge) and changes to support End User and VMU customer requirements. |
| c. | Deliver six releases of IVR functionality per year on a schedule similar to that for the VMU applications suite, and containing functional changes as required by the VMU Care organization or changes resulting from application suite functional changes. |
| d. | Configure and maintain the IVR to work with the existing and future VMU Care call centers. |
| e. | Perform IVR performance and call handling assessments in order to ensure a high quality of customer experience and optimal resolution of subscriber issues, while minimizing calls directed to Care agents where possible. |
| IBM/VMU Confidential | Schedule A (Services) | Page 105 of 109 |
Part 12: Network Operations Center Services
| 1. | GENERAL SERVICES |
IBM will provide the following Network Operations Center (“NOC”) Services to VMU using the processes set forth in the Process Interface Manual.
| 2. | NETWORK OPERATIONS SERVICES |
IBM will
| a. | Provide Xxxxx 0 support for VMU Call Center; |
| b. | Handle escalations from Help Desk; |
| c. | Perform monitoring and ticket administration/management; |
| d. | Monitor Corporate customer and subscriber facing production environment for system and service events; |
| e. | Escalate system and service impacting events and effectively communicate symptoms to the delivery support groups and manage problem ticket through resolution; |
| f. | Monitor and track all VMU and partner changes for timeliness and accuracy of service availability; |
| g. | Review and perform scheduled handset tests to validate functionality of key service elements (voice, messaging and data services); |
| h. | Perform problem troubleshooting and systemic problems: |
| (1) | Troubleshoot, resolve and escalate individual customer tickets; and |
| (2) | Work closely with and delivery support teams and partners to insure proper identification and resolution of systemic issues; |
| i. | Perform trending, reporting and escalation of key business indicators; |
| j. | Support development and release efforts and partner initiatives. Activities include provisioning and testing new handsets, 911 services, number management and partner FOB administration; |
| k. | Support supply chain in the creation and delivery of top up pins for retail distribution; and |
| l. | Maintain operational relationships with key partners to maintain and improve quality of service. |
| IBM/VMU Confidential | Schedule A (Services) | Page 106 of 109 |
VMU will:
| a. | Maintain account management and contractual relationship with Managed Strategic Supplier. |
| IBM/VMU Confidential | Schedule A (Services) | Page 107 of 109 |
Exhibit A-1
Tools
***
| IBM/VMU Confidential | Schedule A (Services) | Page 108 of 109 |
Exhibit A-2
VMU Data Retention Policy
***
| IBM/VMU Confidential | Schedule A (Services) | Page 109 of 109 |
Master Services
Agreement
between
VMU and IBM
Schedule B
Service Levels
Table of Contents
| Service Levels | 1 | |||||||
| 1. |
Introduction | 3 | ||||||
| 2. |
Measurement and Validation of Service Levels | 4 | ||||||
| 3. |
Service Levels for a New Service or Additional Services | 5 | ||||||
| 4. |
Service Level Review | 7 | ||||||
| 5. |
Service Level Failures | 8 | ||||||
| 6. |
Service Level Credits | 9 | ||||||
| 6.1 |
Introduction | 9 | ||||||
| 6.2 |
Service Level Credit Calculation | 9 | ||||||
| 6.2.1 Critical Service Level Credit Calculation |
9 | |||||||
| 6.2.2 Key Service Levels |
9 | |||||||
| 7. |
Service Level Limitations | 9 | ||||||
| 8. |
Earnback Credits | 10 | ||||||
| 9. |
Performance management | 11 | ||||||
| 9.1 |
Report Assessment Period | 11 | ||||||
| 9.2 |
Service Outage Reporting | 11 | ||||||
| 9.3 |
Service Outage Severity Levels | 12 | ||||||
| 9.4 |
Service Outage Notifications | 12 | ||||||
| 9.5 |
Service Outage Escalations | 12 | ||||||
| 9.6 |
Service Level Reporting | 12 | ||||||
| 9.7 |
Root Causes | 13 | ||||||
| IBM Confidential | Schedule B (Service Levels) | Page 1 of 26 |
| 10. |
Service Level Catastrophic Event | 13 | ||||||
| 11. |
Excused Service Levels and credits | 15 | ||||||
| 12. |
Reconciliation | 16 | ||||||
| 13. |
Service Level Termination for excessive service level failures | 17 | ||||||
| Exhibit B-1 | 18 | |||||||
| 1. |
Critical Service Levels | 18 | ||||||
| 1.1 |
Critical Service Levels – Performance Measurements | 18 | ||||||
| 1.1.1 *** |
18 | |||||||
| 1.1.2 *** |
19 | |||||||
| 1.1.3 *** |
19 | |||||||
| 1.1.4 *** |
19 | |||||||
| 1.1.5 *** |
20 | |||||||
| 1.1.6 *** |
20 | |||||||
| 1.1.7 *** |
20 | |||||||
| 1.1.8 *** |
21 | |||||||
| 1.1.9 *** |
21 | |||||||
| 1.1.10 *** |
22 | |||||||
| 1.2 |
Key Measures – Measurements | 22 | ||||||
| 1.2.1 *** |
23 | |||||||
| 1.2.2 *** |
23 | |||||||
| 1.2.3 *** |
24 | |||||||
| 1.2.4 *** |
24 | |||||||
| 1.2.5 *** |
25 | |||||||
| 1.2.6 *** |
25 | |||||||
| 1.2.7 *** |
26 | |||||||
| 1.2.8 *** |
26 | |||||||
| 1.2.9 *** |
26 | |||||||
| 1.2.10 *** |
26 | |||||||
| 1.2.11 *** |
26 | |||||||
| 1.2.12 *** |
26 | |||||||
| 1.2.13 *** |
26 | |||||||
| 1.2.14 *** |
26 | |||||||
| 1.2.15 *** |
26 | |||||||
| IBM Confidential | Schedule B (Service Levels) | Page 2 of 26 |
| 1. | INTRODUCTION |
| a. | This Schedule B describes VMU’s and IBM’s responsibilities related to the Service Levels for the defined Services. Exhibit B-1 (Service Level Measurements) to this Schedule reflects those specific Service Level measurements that IBM will provide to VMU. |
| b. | There are two categories of Service Levels: |
| (1) | Critical Service Levels |
| (2) | Key Measurements |
| c. | Upon completion of the Measurement Period or otherwise on the applicable date(s) specified in Exhibit B-1 (Service Level Measurements), IBM will meet or exceed the Service Levels. |
| d. | Definitions: |
| (1) | At Risk Amount – means, for each month during the Term, *** of the Actual Monthly Charge for the Services. |
| (2) | Critical Service Levels – means those Service Levels assigned a weighting factor by VMU and are set forth in Exhibit B-1 to Schedule B (Service Levels). |
| (3) | IBM Service Outage – means a Service Outage for which IBM is the at fault party. |
| (4) | Initial Service Level – the levels of service historically achieved by VMU and which have been measured and reported on a consistent basis (i.e., minimum of previous 12 months’ data) prior to the Signature Date. |
| (5) | Key Service Level – means those Service Levels which VMU wishes IBM to monitor and report and for which neither revenue impact nor service level credit apply and are set forth in Exhibit B-1 to Schedule B (Service Levels). |
| (6) | Expected Service Level or ESL – means a desired level of performance for each Service Level set forth in Exhibit B-1 to Schedule B (Service Levels). An Expected Service Level represents an operational target based on industry standards that typically exceeds current actual VMU performance. |
| (7) | Measurement Period – means the 120 days following Transfer of Control for the applicable Service component. |
| IBM Confidential | Schedule B (Service Levels) | Page 3 of 26 |
| (8) | Minimum Service Level or MSL – means the minimum level of service, as defined for the Services and as set forth in Exhibit B-1 to Schedule B (Service Levels). |
| (9) | Scheduled Hours – means that period of time (days of the week and hours and minutes per day) during which each platform and capability listed in Exhibit B-1 is to be available to End Users and/or VMU subscribers, as applicable, for normal business use, expressed in hours and minutes, not including time during Scheduled Outages. |
| (10) | Scheduled Outage – means of the Scheduled Hours, the aggregate number of hours and minutes in any measurement interval during which each platform and capability listed in Exhibit B-1 is unavailable for use by End Users and/or VMU Subscribers, due to such things as preventative maintenance or upgrades. Scheduled Outages will be mutually agreed to between VMU and IBM. |
| (11) | Service Outage – means of the Scheduled Hours, the aggregate number of hours and minutes in any measurement interval during which a platform or capability listed in Exhibit B-1 is not operational or when VMU notifies IBM that: *** |
| (12) | Steady State – means the date upon which IBM assumes full operational control of the VMU environment. |
| (13) | Transfer of Control – means the date upon which IBM assumes full operational control of the service component of the VMU environment, including completion of knowledge transfer and end-to-end responsibility for the service component. |
| 2. | MEASUREMENT AND VALIDATION OF SERVICE LEVELS |
| a. | During the first 30 days after the Signature Date (the Verification Period), VMU and IBM will verify the data used to document the levels of service achieved by VMU during the 12 months prior to the Signature Date. If, during such Verification Period, VMU or IBM discovers material inaccuracies in the information which formed the basis for measurements within this Schedule B, IBM and VMU will amend this Schedule B to revise the Service Levels and measurements to reflect the verified data. If VMU or IBM disputes the inaccuracy or the equitable adjustment, VMU and IBM will submit the matter to the Dispute Resolution Process. |
| b. | IBM shall use VMU’s measurement and monitoring tools to measure performance of the Service Levels as of the Signature Date, if VMU does not have measurement or monitoring tools, then (1) if there is an automated tool available, IBM will propose such measurement tool and VMU will provide the funding to purchase the tool or (2) if no automated tool is available, the parties will mutually agree upon a measurement or monitoring mechanism for measurement of the Service Level. |
| c. | IBM’s performance of the Services will be measured as follows: |
| (1) | for those Services for which VMU has documented levels of service for Initial Service Levels, which are the levels of service historically achieved by VMU and which have been measured and reported on a consistent basis (i.e., minimum of previous 12 months’ data) prior to the Signature Date, such levels of service will be documented in the tables set forth in Exhibit B-1 (Service Level Measurements) and IBM’s performance of the Services will equal or exceed such Initial Service Levels of service; or |
| IBM Confidential | Schedule B (Service Levels) | Page 4 of 26 |
| (2) | for those Services for which there are insufficient or no existing, documented levels of service, there will not be any Initial Service Levels and IBM and VMU will mutually agree upon and establish Service Levels in accordance with subsection f below. |
| d. | During each month of the Measurement Period, IBM will submit to VMU a standard report assessing (i) IBM’s performance during the previous calendar month, and (ii) IBM’s performance during the previous calendar month against the Service Levels set forth in Exhibit B-1 (Service Level Measurements). |
| e. | Service Level Credits and Earnback Credits will not apply during the Measurement Period, for those Service Levels which are not Initial Service Levels. |
| f. | During the Measurement Period, IBM will use VMU’s standard measurement tools to monitor the performance levels for the Services to serve as input for validating the Initial Services and/or establishing the Service Levels. The Initial Service Levels will be validated and/or the Service Levels will be established by taking into account the levels of performance achieved by VMU prior to the Signature Date, the levels achieved by IBM during the applicable Measurement Period, and the performance levels required by any applicable agreements between VMU and the recipients of the Services (provided that such recipients’ required performance levels are documented). IBM will not be in breach for its failure to meet the Service Levels during the Measurement Period for the Service Levels being measured. |
| g. | Upon completion of the Measurement Period, the Parties will update Exhibit B-1 (Service Level Measurements) to reflect the mutually agreed Service Levels, weighting factor allocation for Critical Service Levels, and Service Level measurement criteria and will amend this Schedule. |
| 3. | SERVICE LEVELS FOR A NEW SERVICE OR ADDITIONAL SERVICES |
| a. | With respect to a New Service or additional services, IBM and VMU will mutually agree upon and establish initial Service Levels following full implementation of such Services, which will apply during the initial 120-day period of IBM providing such New Service or additional services. To the extent appropriate, such initial Service Levels will be the same as or similar to existing Service Levels for the same or similar Services. |
| IBM Confidential | Schedule B (Service Levels) | Page 5 of 26 |
| b. | During such 120 days, IBM and VMU will conduct the process set forth in this Section 3 to validate the initial Service Levels and agree upon the Service Levels for such New Service or additional services: |
| (1) | for those Services for which VMU has documented levels of service, which are the levels of service historically achieved by VMU and which have been measured and reported on a consistent basis (i.e., minimum of previous 12 months’ data), such levels of service will be documented in the tables set forth in Exhibit B-1 (Service Level Measurements) and IBM’s performance of the Services will equal or exceed such levels of service during the 120-day period. The initial Service Levels will be validated during the 120-day period and, following such period, the initial Service Levels will be adjusted, if appropriate, in accordance with this Schedule and promoted to Service Levels; or |
| (2) | for those Services for which there are insufficient or no existing, documented levels of service, there will not be any initial Service Levels and IBM and VMU will mutually agree upon and establish Service Levels in accordance with subsection f. below. |
| c. | During the initial 120-day period, IBM will submit to VMU a standard report assessing (i) IBM’s performance during each of the prior calendar months, and (ii) IBM’s performance during each of the prior calendar months against the initial Service Levels set forth in Exhibit B-1 (Service Level Measurements). |
| d. | Service Level Credits and Earnback Credits will not apply to the New Services or additional services during the initial 120-day period specified in subsection a. above. |
| e. | IBM will not be in breach for its failure to meet the Service Levels for New Services or additional services during the initial 120-day period. |
| f. | During the initial 120-day period, IBM will use standard measurement tools to monitor the performance levels for the Services to serve as input for validating the initial Service Levels and/or establishing the Service Levels. The initial Service Levels will be validated and/or the Service Levels will be established by taking into account the levels of performance achieved by VMU prior to IBM providing the New Service or additional Services, the levels achieved by IBM during the applicable measurement period, and the performance levels required by any applicable agreements between VMU and the recipients of the Services (provided that such recipients’ required performance levels are documented). |
| g. | Upon completion of the measurement period, the Parties will update Exhibit B-1 (Service Level Measurements) to reflect the mutually agreed Service Levels, weighting factor allocation, and Service Level measurement criteria and will amend this Schedule. |
| IBM Confidential | Schedule B (Service Levels) | Page 6 of 26 |
| h. | New software applications will meet the qualification criteria and will be compatible with the system operating environments specified in Schedule H (Standards) in order to qualify for Service Level measurements. |
| 4. | SERVICE LEVEL REVIEW |
| a. | On each 12 month anniversary of last Transfer of Control date VMU and IBM will review the Service Levels set forth in Exhibit B-1 (Service Level Measurements), and mutually agree whether to: |
| (1) | add to, delete or change the Services to be measured and the corresponding Service Levels to reflect changes in VMU’s business operations; |
| (2) | improve the existing Service Levels, where warranted, to reflect operational or technical improvements in IBM’s delivery of the Services; |
| (3) | change weighting factor allocation; and |
| (4) | revise which Service Levels are to be Critical Service Levels or Key Service Levels (i.e., promote any Key Service Levels to Critical Service Levels or demote any Critical Service Levels to Key Service Levels). |
| b. | The Parties agree to the concept of continuous improvement and that the Critical Service Levels should be modified during this Agreement to reflect this concept. To accomplish this, Critical Service Levels will be modified each twelve (12) month period following the commencement of obligations date specific to each Critical Service Level as described below: |
| (1) | Each Expected Service Level will be reset at a minimum, to an improvement over the then-current Expected Service Level equal to *** of the difference between (a) the average of the twelve (12) highest monthly actual Expected Service Level results achieved during the previous year for such Service Level and (b) the then-current Expected Service Level for such Service Level. |
| (2) | Each Minimum Service Level will also be reset at a minimum, to an improvement over the then-current Minimum Service Level equal to *** of the difference between (a) the average of the twelve (12) highest monthly actual Minimum Service Level results achieved during the previous year for such Service Level and (b) the then-current Minimum Service Level for such Service Level. Notwithstanding this Section b., in no event shall any single increase in an Expected Service Level or Minimum Service Level pursuant to this Section b exceed *** of the difference between *** and the then-current Expected Service Level. (For example, if the Expected Service Level being adjusted were ***, the maximum increase for that reset would be *** (i.e., from *** to ***).) |
| (3) | In any event, in the case of very high Service Levels, the cost-benefit of applying these automatic improvement rules may not be present. In such |
| IBM Confidential | Schedule B (Service Levels) | Page 7 of 26 |
| cases, the Parties agree to discuss the Expected Service Levels and Minimum Service Levels and VMU will reasonably consider adjusting or relieving the requirement for continuous improvement on certain service levels for the following twelve (12) month period. |
| (4) | For ease of administration, beginning with the first anniversary of the last Transfer of Control date and continuing with every anniversary of the last Transfer of Control date thereafter, the process described in this Section 4 will be performed as of the anniversary of the last Transfer of Control date, utilizing the previous twelve months’ data, replacing the Critical Service Level unique dates that were based upon the commencement of obligations dates specific to each Critical Service Level. |
| c. | Upon completion of the annual review, the Parties will update Exhibit B-1 (Service Level Measurements) to reflect the agreement reached in subsections a. and b. above and will amend this Schedule. |
| d. | Not withstanding subsections a. and b. above and independently of such annual review, VMU may from time to time, but no more frequently than quarterly and no more than twice annually in addition to the events suggested in subsections a. and b. above: |
| (1) | add to, delete or change the Services to be measured and the corresponding Service Levels to reflect changes in VMU’s business operation upon reasonable notice and subject to, if applicable, Section 3 above; |
| (2) | change weighting factor allocation for Critical Service Levels; |
| (3) | revise which Service Levels are to be Critical Service Levels or Key Service Levels (i.e., promote any Key Service Levels to Critical Service Levels or demote any Critical Service Levels or Key Service Levels); and, |
| (4) | if VMU should choose to perform any of the above, VMU and IBM will mutually agree on appropriate revisions to the Service Levels (if applicable) and will update Exhibit B-1 (Service Level Measurements) and amend this Schedule to reflect such agreement. |
| 5. | SERVICE LEVEL FAILURES |
A Service Level Failure will be deemed to occur whenever IBM’s level of performance for a particular Service Level fails to meet the Minimum Service Level for that Service Level in a given month.
| IBM Confidential | Schedule B (Service Levels) | Page 8 of 26 |
| 6. | SERVICE LEVEL CREDITS |
| 6.1 | Introduction |
If a Service Level Failure occurs, VMU will be entitled to receive a Service Level Credit (SLC). VMU agrees that in the event of a Service Level Failure, VMU will receive a SLC against the charges owing to IBM under this Agreement.
| 6.2 | Service Level Credit Calculation |
| 6.2.1 | Critical Service Level Credit Calculation |
| a. | In the event of a Service Level Failure for a Critical Service Level, IBM will provide, subject to Section 8 (Earnback Credits) and any other applicable terms and conditions of this Agreement, Service Level Credits to VMU. |
| b. | For a Service Level Failure in any Service Level category, the SLC will be determined as follows: |
| (1) | VMU will have previously assigned a weighting factor, as specified in Section 2 (Measurement and Validation of Service Levels), Section 3 (Service Levels for a New Service or additional Services), or Section 4 (Service Level Review) above as appropriate, subject to any other applicable terms and conditions of this Agreement, to the Critical Service Levels. *** |
| (2) | Exhibit B-1 (Service Level Measurements) sets forth the information required to calculate the SLCs that VMU will receive in the event of a Service Level Failure with respect to a Critical Service Level. For each Service Level Failure of a Critical Service Level, IBM will credit VMU a Service Level Credit that will be computed by multiplying the weighting factor for that category and the At Risk Amount. |
***
| 6.2.2 | Key Service Levels |
***
| 7. | SERVICE LEVEL LIMITATIONS |
| a. | In no event will (i) IBM be liable for Service Level Credits in any one month that are in excess of the At Risk Amount, and (ii) any Service Level Credits above the At Risk Amount carry forward to a subsequent period or back to previous periods. |
| b. | The total amount of Service Level Credits that IBM incurred with respect to Service Level Failures of Critical Service Levels occurring as set forth in Section 5 (Service Level Failures), will be reflected in the Service Level report delivered the month immediately after the month in which the Service Level Failures giving rise to such Service Level Credits occurred. Service Level Credits will be payable by IBM to VMU on a Contract Year basis as described in Section 12 (Reconciliation) below. |
| IBM Confidential | Schedule B (Service Levels) | Page 9 of 26 |
| c. | The number of Critical Service Levels and Key Service Levels permitted under the Agreement may not exceed 10 and 15 respectively at any time during the Term. However, the Parties agree that in the event of addition to or deletion of material scope (for example, a New Service) of the Services after the Signature Date, the maximum number of Critical Service Levels and Key Service Levels will be equitably adjusted by mutual agreement to account for such change in scope of the Services. |
| d. | Failure to meet a Service Level in multiple Service Level categories arising out of or related to a single event or a related series of events will be treated as a failure in only one of the Service Level categories affected by the event(s) for the purpose of calculating the Service Level Credit payable by IBM hereunder. VMU will determine which Service Level category and resulting SLC will apply. |
| 8. | EARNBACK CREDITS |
| a. | Earnback Credits will only apply to Service Level Credits arising from Service Level Failures for Critical Service Levels. |
Within 30 days following the end of each Contract Year, IBM will provide a report to VMU that will include, with respect to each Critical Service Level for which there was a Service Level Failure during the preceding Contract Year, the following:
| (1) | statistics on IBM’s average monthly performance for each such Critical Service Level during the preceding Contract Year; and |
| (2) | the total amount of Service Level Credits for Critical Service Levels imposed for Service Level Failures during the preceding Contract Year. |
| b. | Determination |
If, during the preceding Contract Year, IBM achieved a yearly performance average (as calculated by summing the actual Critical Service Level performance data as defined and measured under Exhibit B-1 (Service Level Measurements) from each measurement interval over the applicable Contract Year and dividing by the number of measurement intervals in that Contract Year with applicable data) in a Critical Service Level that was equal to or greater than the Expected Service Level (for example, 99.0%) in effect for that Critical Service Level for that Contract Year, IBM will be entitled to receive a credit (an Earnback Credit) equal to the total of all Service Level Credits assessed for that Contract Year for Service Level Failures with respect to that Critical Service Level.
| IBM Confidential | Schedule B (Service Levels) | Page 10 of 26 |
| c. | Partial Years |
If any Critical Service Level was in effect for less than the entire Contract Year, the foregoing process will be undertaken only with respect to the portion of the Contract Year during which such Critical Service Level was in effect. If the Agreement or any portion thereof is terminated prior to the end of the Term, the foregoing process will be undertaken only with respect to the portion of the contract year during which the Agreement was in effect.
| d. | Service Level Measurement Change |
If any Critical Service Level’s Minimum Service Level is changed at any time during a Contract Year, then IBM’s yearly performance average will be compared against the monthly average of each Minimum Service Level for the period during such Contract Year that each Minimum Service Level for that Critical Service Level was in effect.
| 9. | PERFORMANCE MANAGEMENT |
| 9.1 | Report Assessment Period |
| a. | During the first 30 days after the Signature Date (the Report Assessment Period) with respect to the Service Levels other than the Initial Service Levels, VMU and IBM will verify the report availability and content of the reports being prepared by VMU prior to the Signature Date which form the basis of the reporting requirements specified in this Schedule B. |
| b. | If, during such Report Assessment Period, VMU or IBM discovers that the SLA reports for the Service Levels other than the Initial Service Levels: (1) require application changes to capture metrics or (2) require resources to capture metrics manually, IBM and VMU will either: (x) eliminate or amend the reporting requirements for that Service Level, or (y) agree to an equitable adjustment to the charges in order to provide the required reporting. If VMU or IBM disputes the changed or eliminated reporting requirements or the equitable adjustment, VMU and IBM will submit the matter to the Dispute Resolution Process. |
| 9.2 | Service Outage Reporting |
| a. | Service Outage documentation will include at a minimum: |
| (1) | Severity Code, |
| (2) | Start Time, |
| (3) | End Time, |
| (4) | Duration (in minutes), |
| (5) | Root Cause Analysis (including responsible party), |
| IBM Confidential | Schedule B (Service Levels) | Page 11 of 26 |
| (6) | Service Category, |
| (7) | Impacted subscriber information, and |
| (8) | Identify uniquely any VMU systems involved. |
| b. | A daily status report will contain all Service Outages reported in the past twenty-four hours and will contain any unresolved Service Outages previously reported along with their updated status. |
| 9.3 | Service Outage Severity Levels |
The severity codes contained within Schedule A will be used for Service Outage reporting – Severity Xxxxx 0, Xxxxxxxx Xxxxx 0, Xxxxxxxx Xxxxx 0 and Severity Level 4.
| 9.4 | Service Outage Notifications |
IBM will notify VMU and other affected parties as authorized by VMU (VMU Affiliates, Third Party vendors or suppliers, Managed Strategic Suppliers, and business partners) of impacting Service Outages within the following time frames:
| Severity Xxxxx 0 |
Xxxxxxxx Xxxxx 0 | |
| *** |
*** |
| 9.5 | Service Outage Escalations |
| a. | IBM will use the following escalation table to notify VMU and other affected parties as authorized by VMU (VMU Affiliates, Third Party vendors or suppliers, Managed Strategic Supplier, and business partners) of impacting Service Outages: |
| Escalation Level |
Severity 1 |
Xxxxxxxx 0 | ||
| Xxxxx 0 |
*** | *** | ||
| Xxxxx 0 |
*** | *** | ||
| Level 3 |
*** | *** |
| b. | Escalation will occur to the next level while the Service Outage remains unresolved. Contact points for each level will be identified in the PIM for VMU. |
| 9.6 | Service Level Reporting |
| a. | By the tenth Business Day of the second calendar month following the establishment of the Service Levels pursuant to Section 2 (Measurement and Validation of Service Levels), Section 3 (Service Levels for a New Service or additional Services), or Section 4 (Service Level Review) above, as appropriate, and monthly thereafter, IBM will submit to VMU a standard report assessing IBM’s performance during the previous calendar month against the Service Levels. |
| IBM Confidential | Schedule B (Service Levels) | Page 12 of 26 |
| b. | Notwithstanding operational requirements to report Service Level Failures on a more frequent basis as may be defined in the Process Interface Manual, reporting on the basis of the measurement interval and reporting intervals identified within Exhibit B-1 will be provided by IBM to VMU through regularly scheduled monthly and quarterly reviews as specified in the Agreement. |
| 9.7 | Root Causes |
| a. | IBM will identify root causes related to Service Outages and Service Level Failures and correct causes of problems for which IBM is responsible under this Agreement. In the event that IBM is not responsible for the root cause of the failure, IBM will work with VMU and its Affiliates, Third Party vendors or suppliers, Managed Strategic Supplier, or business partners to correct causes of problems and attempt to minimize the recurrence of such problems that prevent or could reasonably be expected to prevent IBM from meeting the Service Levels and VMU achieving its business goals. |
| b. | IBM will document the root cause analysis in the problem report for each Service Outage and/or Service Level Failure and clearly document the problem and the party at fault, as applicable. Closure of the problem report will not occur without such root cause analysis resulting in identification of the problem and the party at fault. For the avoidance of doubt, identification and correction of the problem is the responsibility of the at fault party. |
| c. | During the process of root cause analysis, an at-fault party will be determined. For the purposes of the Service Level Credit calculations, only Service Level Failures for which IBM is the at-fault party will be used. |
| 10. | SERVICE LEVEL CATASTROPHIC EVENT |
| a. | ***. IBM agrees that a Catastrophic Event would likely have significant adverse impact on VMU’s business, therefore, IBM will, provide, as liquidated damages and not as a penalty, a credit (Catastrophic Event Credit) in the amount described in the following table: |
| *** |
*** | |
| *** |
*** | |
| *** |
*** | |
| *** |
*** |
| IBM Confidential | Schedule B (Service Levels) | Page 13 of 26 |
| b. | The parties agree that a Catastrophic Event resulting from a single Service Outage or related series of Service Outages shall constitute only one Catastrophic Event even if the Service Outage(s) extends longer than a twelve hour period. If an event occurs that causes a Service Outage in one or more of the areas noted above, the Service Outages shall be considered a single event, but the highest applicable Catastrophic Event Credit shall apply to such event. VMU and IBM agree that the Catastrophic Event Credit will constitute VMU’s sole and exclusive monetary remedy with respect to the failure for which the Catastrophic Event Credit is payable. The preceding sentence shall not preclude VMU from recovering damages (other than those Catastrophic Event Credits already paid to VMU in connection with such Catastrophic Event) associated with a valid exercise of its right to terminate the Agreement for cause pursuant to Section 28.2 or for Service Level Failures pursuant to Section 28.7 of the Agreement even if such termination is based in whole or in part on the same Service Level failure or Service Outage for which a Catastrophic Event Credit was paid. *** |
| c. | VMU represents and warrants that it will, during the Verification Period, provide IBM with complete and accurate data with respect to service outages in the twelve (12) months prior to the Signature Date. A VMU Catastrophic Event means a Catastrophic Event which occurred in the 12 months prior to the Signature Date, except in the case of a VMU Catastrophic Event, IBM is not the At Fault party, but rather it is an event where the root cause was one in which IBM would have been the at-fault if it were providing the same scope of services as of the time of such event as the Services described in the Agreement on the Signature Date. In the event that during Verification, IBM determines that a VMU Catastrophic Event occurred in the 12 months prior to the Signature Date, the Parties shall conduct a root cause analysis to determine the cause of such outage. If the Parties determine that the VMU Catastrophic Event would not occur under the same circumstances after Transfer of Control because of the manner in which IBM plans to deliver the Services, then no changes will be made to the provisions of this Section 10. If the Parties determine that the VMU Catastrophic Event would likely occur under the same circumstances after Transfer of Control, then IBM will propose changes to the manner in which it plans to deliver the Services in order to prevent a Catastrophic Event under the same circumstances, and to the extent it can implement those changes without increasing its cost of delivery, it will implement such changes and no changes will be made to the provisions of this Section 10. If in order to reasonably prevent a Catastrophic Event from occurring under the same circumstances as the VMU Catastrophic Event, IBM’s proposed changes to the |
| IBM Confidential | Schedule B (Service Levels) | Page 14 of 26 |
| manner in which it will deliver the Services increases its cost of delivery, requires changes in VMU Systems, then the Parties shall discuss an equitable adjustment to the Agreement. If the Parties mutually agree to an equitable adjustment, then IBM will implement such proposal according to the agreed-upon equitable adjustment and no changes will be made to the provisions of this Section 10. If the Parties cannot mutually agree to an equitable adjustment , then the provisions of the Section 10 will be equitably amended to either change the allowable Service Outage hours in the definition of Catastrophic Events such that it is comparable to the length of the service outage that constituted the VMU Catastrophic Event, or provide IBM a comparable number and/or type of Catastrophic Events as the VMU Catastrophic Event which IBM may incur without liability for Catastrophic Event Credits. Such equitable amendments will remain in effect until the Parties agree upon an equitable adjustment and IBM implements the agreed-upon changes to prevent a Catastrophic Event from occurring under the same circumstances as the VMU Catastrophic Event. Any disputes with respect to VMU Catastrophic Events, equitable adjustments or equitable amendments shall be subject to the Dispute Resolution Process, and pending the resolution of any dispute, any Catastrophic Event Credits for which IBM would be liable if it were not the prevailing party on the dispute shall be considered disputed charges and subject to Section 2.6 of Schedule C. |
| 11. | EXCUSED SERVICE LEVELS AND CREDITS |
IBM will be relieved of responsibility for Service Level Credits and Catastrophic Event Credits, to the extent the root cause of a Service Level Failure or Service Outage is determined to be caused by:
| a. | the actions or inactions of VMU or its Affiliates; |
| b. | the actions or inactions of Third Party vendors and suppliers or Managed Strategic Suppliers, except to the extent of any failure of IBM to perform its responsibilities under the Agreement in connection therewith; |
| c. | design flaws inherent in the VMU Systems as of the Signature Date; |
| d. | VMU’s prioritization of available resources after IBM’s written notice to VMU that such prioritization would have a negative impact on IBM’s ability to meet the Service Levels; |
| IBM Confidential | Schedule B (Service Levels) | Page 15 of 26 |
| e. | VMU’s failure to: |
| (1) | timely provide funding to allow IBM to refresh Equipment as stated in Schedule H, provided IBM provided the applicable invoices to VMU in sufficient time for VMU to make timely payment; |
| (2) | timely provide funding for system maintenance and support, provided IBM provided the applicable invoices to VMU in sufficient time for VMU to make timely payment; and |
| (3) | timely provide funding for hardware configurations, including upgrades and approval of related ARCs, and software currency necessary to meet the Service Levels, provided IBM provided the applicable invoices to VMU in sufficient time for VMU to make timely payment; |
| f. | failure of VMU provided Equipment, except if such VMU provided Equipment was selected by IBM and funded by VMU after the Signature Date, and except to the extent such failure was due to the improper maintenance of any VMU provided Equipment where such maintenance is the responsibility of IBM under the Agreement; |
| g. | changes made to the environment by VMU that were not communicated in accordance with the change control process or Contract Governance Plan; |
| h. | circumstances that constitute a Force Majeure Event; or |
| i. | a material inaccuracy of VMU’s representation contained in Section 10(c) above. |
IBM shall promptly provide written notice to VMU in the event of any of the foregoing circumstances or events, and the Parties agree to work together to promptly resolve the causing event or circumstance. IBM’s failure to meet the applicable Service Levels as a result of any of the foregoing circumstances or events shall not be deemed to be a breach of this Agreement, provided IBM continues to work with VMU to resolve the causing event or circumstance and uses commercially reasonable efforts to perform at the applicable Service Levels notwithstanding such event or circumstance.
| 12. | RECONCILIATION |
| a. | Any Service Level Credits arising from Service Level Failures of the Critical Service Levels set forth in Exhibit B-1 will be credited to VMU on the second monthly invoice delivered to VMU after the end of each Contract Year, subject to being reduced by any available Earnback Credits. In the case where there will be no further invoices, IBM will pay to VMU the amount of any unrelieved Service Level Credits in accordance with the Agreement. |
| b. | Any Catastrophic Event Credits will be credited to VMU within 60 days of the Catastrophic Event. |
| IBM Confidential | Schedule B (Service Levels) | Page 16 of 26 |
| c. | Notwithstanding a. and b. above, the total amount of Service Level Credits and Catastrophic Event Credits payable by IBM in any Contract Year may not exceed *** of the ASC for such Contract Year. |
| 13. | SERVICE LEVEL TERMINATION FOR EXCESSIVE SERVICE LEVEL FAILURES |
In the event of a failure to provide the Services in accordance with the applicable Service Levels, IBM shall incur the Service Level Credits identified in and according to this Schedule B. In the event of any Excessive Service Level Failure, VMU may, upon notice to IBM, terminate this Agreement pursuant to Section 28.7 of the Agreement after VMU’s receipt of the monthly Service Level report from IBM indicating that such Excessive Service Level Failure event has occurred. “Excessive Service Level Failure” means where: (a) Service Level Failures occur for the same Critical SLA for ***; or (b) Service Level Credits have been accrued by IBM for the Minimum Service Levels of Exhibit B-1 in an aggregate amount exceeding *** in any *** period of the sum of all *** for the same *** period. The Parties hereby agree that Catastrophic Event Credits shall not be included in the calculation of an Excessive Service Level Failure. The Parties further agree that nothing contained in this Section 13 shall excuse the payment of Service Level Credits pursuant to Section 12 (Reconciliation).
| IBM Confidential | Schedule B (Service Levels) | Page 17 of 26 |
Exhibit B-1
Service Level Measurements
| 1. | CRITICAL SERVICE LEVELS |
| 1.1 | Critical Service Levels – Performance Measurements |
| 1.1.1 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 18 of 26 |
| 1.1.2 | *** |
| 1.1.3 | *** |
| 1.1.4 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 19 of 26 |
| 1.1.5 | *** |
| 1.1.6 | *** |
| 1.1.7 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 20 of 26 |
| 1.1.8 | *** |
| 1.1.9 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 21 of 26 |
| 1.1.10 | *** |
| 1.2 | Key Measures – Measurements |
| IBM Confidential | Schedule B (Service Levels) | Page 22 of 26 |
| 1.2.1 | *** |
| 1.2.2 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 23 of 26 |
| 1.2.3 | *** |
| 1.2.4 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 24 of 26 |
| 1.2.5 | *** |
| 1.2.6 | *** |
| IBM Confidential | Schedule B (Service Levels) | Page 25 of 26 |
| 1.2.7 | *** |
| 1.2.8 | *** |
| 1.2.9 | *** |
***
| 1.2.10 | *** |
| 1.2.11 | *** |
| 1.2.12 | *** |
| 1.2.13 | [TBD] |
| 1.2.14 | [TBD] |
| IBM Confidential | Schedule B (Service Levels) | Page 26 of 26 |
between
VMU and IBM
Schedule C
Charges
***
Master Services
Agreement
between
VMU and IBM
Schedule D
Transition
***
between
VMU and IBM
Schedule E
Managed Strategic Supplier
***
Master Services Agreement
between
VMU and IBM
Schedule F
Software
***
Master Services Agreement
between
VMU and IBM
Schedule G
Equipment
***
Master Services Agreement
between
VMU and IBM
Schedule H
Standards
***
Master Services
Agreement
between
VMU and IBM
Schedule I
Facilities
| 1. | INTRODUCTION |
This Schedule lists the Facilities and Networks.
| 2. | VMU LOCATIONS (FACILITIES) |
| Item |
Name |
Street Address |
City | State | Zip Code |
Main Phone # |
Site Type (Prime, Remote, Other) | |||||||
| 1. |
Virgin Mobile USA | 0000 X. Xxxxxxxxxx Xxxx., Xxxxx 000, 320 and 520 | Xxxxxx Xxxxx | XX | 00000 | Remote Office | ||||||||
| 2. |
Virgin Mobile USA | 10 Independence Blvd., Floors 2, 3 & 4 | Xxxxxx | XX | 00000 | Corporate | ||||||||
| 3. |
Virgin Mobile USA | 000 0xx Xxxxxx, 00xx Xxxxx | Xxx Xxxx | XX | 00000 | Remote | ||||||||
| 4. |
EDS | 0000 X. Xxxxxxxx | Xxxxx | XX | 00000 | Data Center | ||||||||
| 5. |
EDS | 0000 Xxxx Xxxxx | Xxxxxx, Xxxxxxx | XX | 00000 | Data Center |
| 3. | IBM LOCATIONS |
| Item |
Name |
Street Address |
City | State | Zip Code |
Main Phone # |
Site Type (Prime, Remote, Other) | |||||||
| 1. | IBM Global Services India Pvt. Limited | Embassy Golf Links Business Park Off Koramangala-Indiranagar Ring Road |
Bangalore | India | 560071 | |||||||||
| 2. |
IBM Global Services India Pvt. Limited | Mindspace Cyberabad, Building No 3, Survey No 64, APIIC Software layout, Hitech City, Madhapur, |
Xxxxxxxxx | Xxxxx | 000000 |
IBM / Virgin Mobile Confidential Schedule I (Facilities)
| 3. |
IBM Global Services India Pvt. Limited | 7th Floor, Sterling Towers, 327, Xxxx Salai, Teynampet, |
Xxxxxxx | Xxxxx | 000000 | |||||||
| 4. |
IBM | 0000 Xxxxxxxx Xxx, Xxxx 0 | Xxxxxxx | XX | 00000 | Data Center | ||||||
| 5. |
IBM Xxxxx Business Process Services Private Limited | Infinity Tower B, 5th floor, room 17, DLF Cyber City, XXX Xxxxx 0 | Xxxxxxx | Xxxxx | 000000 | NOC |
| 4. | NETWORKS (VIRGIN MOBILE RETAINED) |
Wide Area Network (Virgin Mobile Retained)
| Item |
Line Origination Address |
Line Termination Address |
Line Capacity |
Additional Information |
Responsibility1 | |||||
| 1. |
To be completed during Transition |
|||||||||
| 2. |
||||||||||
| 3. |
Local Area Network
| Item |
Address |
LAN Configuration |
Additional Information |
Responsibility1 | ||||
| 1. |
To be completed during Transition |
Footnotes:
| 1. | Maintenance – indicates the Party which has (i) problem management responsibility (For example, call dispatching and follow-up) and (ii) financial responsibility for all associated maintenance fees and repair charges. |
I/I means that IBM has both problem management and financial responsibility;
I/VM means that IBM has problem management responsibility, but that Virgin Mobile has financial responsibility;
VM/VM means that Virgin Mobile has both problem management and financial responsibility.
IBM / Virgin Mobile Confidential Schedule I (Facilities)
Master Services
Agreement
between
VMU and IBM
Schedule J
CAPEX Projects
***
Master Services Agreement
between
VMU and IBM
Schedule K
Key Employees
***
Master Services Agreement
between
Virgin Mobile and IBM
Schedule L
Employees
***
Master Services Agreement
between
VMU and IBM
Schedule M
***
Master Services Agreement
between
VMU and IBM
Schedule N
VMU Payment Card Industry Requirements
Payment Card Industry (PCI)
Data Security Standard
|
Version 1.1
Release: September, 2006 |
| Build and Maintain a Secure Network | ||
| Requirement 1: | Install and maintain a firewall configuration to protect cardholder data | |
| Requirement 2: | Do not use vendor-supplied defaults for system passwords and other security parameters | |
| Protect Cardholder Data | ||
| Requirement 3: | Protect stored cardholder data | |
| Requirement 4: | Encrypt transmission of cardholder data across open, public networks | |
| Maintain a Vulnerability Management Program | ||
| Requirement 5: | Use and regularly update anti-virus software | |
| Requirement 6: | Develop and maintain secure systems and applications | |
| Implement Strong Access Control Measures | ||
| Requirement 7: | Restrict access to cardholder data by business need-to-know | |
| Requirement 8: | Assign a unique ID to each person with computer access | |
| Requirement 9: | Restrict physical access to cardholder data | |
| Regularly Monitor and Test Networks | ||
| Requirement 10: | Track and monitor all access to network resources and cardholder data | |
| Requirement 11: | Regularly test security systems and processes | |
| Maintain an Information Security Policy | ||
| Requirement 12: | Maintain a policy that addresses information security | |
|
Payment Card Industry (PCI) Data Security Standard |
1 |
Preface
This document describes the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements. These PCI DSS requirements are organized in 6 logically related groups, which are “control objectives.”
The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and if each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
| Data Element | Storage Permitted |
Protection Required |
PCI DSS Req. 3.4 | |||||||
| Cardholder Data |
Primary Account Number (PAN) |
|
YES | YES | YES | |||||
| Cardholder Name | * | YES | YES | * | NO | |||||
| Service Code | * | YES | YES | * | NO | |||||
| Expiration Date | * | YES | YES | * | NO | |||||
| Sensitive Authentication Data** |
Full Magnetic Stripe | NO | N/A | N/A | ||||||
| CVC2/CVV2/CID | NO | N/A | N/A | |||||||
| PIN / PIN Block | NO | N/A | N/A | |||||||
| * | These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company’s practices if consumer-related personal data is being collected during the course of business. PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted. |
| ** | Sensitive authentication data must not be stored subsequent to authorization (even if encrypted). |
These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
|
Payment Card Industry (PCI) Data Security Standard |
2 |
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
| 1.1 | Establish firewall configuration standards that include the following: |
| 1.1.1 | A formal process for approving and testing all external network connections and changes to the firewall configuration |
| 1.1.2 | A current network diagram with all connections to cardholder data, including any wireless networks |
| 1.1.3 | Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone |
| 1.1.4 | Description of groups, roles, and responsibilities for logical management of network components |
| 1.1.5 | Documented list of services and ports necessary for business |
| 1.1.6 | Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN) |
| 1.1.7 | Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented |
| 1.1.8 | Quarterly review of firewall and router rule sets |
| 1.1.9 | Configuration standards for routers. |
| 1.2 | Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. |
| 1.3 | Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following: |
| 1.3.1 | Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) |
| 1.3.2 | Not allowing internal addresses to pass from the Internet into the DMZ |
| 1.3.3 | Implementing stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network) |
| 1.3.4 | Placing the database in an internal network zone, segregated from the DMZ |
| 1.3.5 | Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment |
| 1.3.6 | Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration |
|
Payment Card Industry (PCI) Data Security Standard |
3 |
| 1.3.7 | Denying all other inbound and outbound traffic not specifically allowed |
| 1.3.8 | Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes) |
| 1.3.9 | Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network. |
| 1.4 | Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). |
| 1.4.1 | Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic |
| 1.4.2 | Restrict outbound traffic from payment card applications to IP addresses within the DMZ. |
| 1.5 | Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (XXX) or network address translation (NAT). |
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
| 2.1 | Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts). |
| 2.1.1 | For wireless environments, change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable. |
| 2.2 | Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). |
| 2.2.1 | Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers) |
| 2.2.2 | Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function) |
| 2.2.3 | Configure system security parameters to prevent misuse |
| 2.2.4 | Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. |
| 2.3 | Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. |
| 2.4 | Hosting providers must protect each entity’s hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: “PCI DSS Applicability for Hosting Providers.” |
|
Payment Card Industry (PCI) Data Security Standard |
4 |
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.
| 3.1 | Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. |
| 3.2 | Do not store sensitive authentication data subsequent to authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3: |
| 3.2.1 | Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data |
In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the accountholder’s name, primary account number (PAN), expiration date, and service code. To minimize risk, store only those data elements needed for business. NEVER store the card verification code or value or PIN verification value data elements. Note: See “Glossary” for additional information.
| 3.2.2 | Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions |
Note: See “Glossary” for additional information.
| 3.2.3 | Do not store the personal identification number (PIN) or the encrypted PIN block. |
| 3.3 | Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). |
Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN; nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale [POS] receipts).
| 3.4 | Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches: |
| • | Strong one-way hash functions (hashed indexes) |
| • | Truncation |
| • | Index tokens and pads (pads must be securely stored) |
| • | Strong cryptography with associated key management processes and procedures. |
The MINIMUM account information that must be rendered unreadable is the PAN.
If for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: “Compensating Controls for Encryption of Stored Data.”
| 3.4.1 | If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts. |
|
Payment Card Industry (PCI) Data Security Standard |
5 |
| 3.5 | Protect encryption keys used for encryption of cardholder data against both disclosure and misuse. |
| 3.5.1 | Restrict access to keys to the fewest number of custodians necessary |
| 3.5.2 | Store keys securely in the fewest possible locations and forms. |
| 3.6 | Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following: |
| 3.6.1 | Generation of strong keys |
| 3.6.2 | Secure key distribution |
| 3.6.3 | Secure key storage |
| 3.6.4 | Periodic changing of keys |
| • | As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically |
| • | At least annually. |
| 3.6.5 | Destruction of old keys |
| 3.6.6 | Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key) |
| 3.6.7 | Prevention of unauthorized substitution of keys |
| 3.6.8 | Replacement of known or suspected compromised keys |
| 3.6.9 | Revocation of old or invalid keys |
| 3.6.10 | Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities. |
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit.
| 4.1 | Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. |
Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
| 4.1.1 | For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following: |
| • | Use with a minimum 104-bit encryption key and 24 bit-initialization value |
| • | Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS |
| • | Rotate shared WEP keys quarterly (or automatically if the technology permits) |
| • | Rotate shared WEP keys whenever there are changes in personnel with access to keys |
| • | Restrict access based on media access code (MAC) address. |
| 4.2 | Never send unencrypted PANs by e-mail. |
|
Payment Card Industry (PCI) Data Security Standard |
6 |
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.
| 5.1 | Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers) |
Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
| 5.1.1 | Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. |
| 5.2 | Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. |
Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.
| 6.1 | Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. |
| 6.2 | Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. |
| 6.3 | Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. |
| 6.3.1 | Testing of all security patches and system and software configuration changes before deployment |
| 6.3.2 | Separate development, test, and production environments |
| 6.3.3 | Separation of duties between development, test, and production environments |
| 6.3.4 | Production data (live PANs) are not used for testing or development |
| 6.3.5 | Removal of test data and accounts before production systems become active |
| 6.3.6 | Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers |
| 6.3.7 | Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. |
| 6.4 | Follow change control procedures for all system and software configuration changes. The procedures must include the following: |
| 6.4.1 | Documentation of impact |
| 6.4.2 | Management sign-off by appropriate parties |
| 6.4.3 | Testing of operational functionality |
|
Payment Card Industry (PCI) Data Security Standard |
7 |
| 6.4.4 | Back-out procedures |
| 6.5 | Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: |
| 6.5.1 | Unvalidated input |
| 6.5.2 | Broken access control (for example, malicious use of user IDs) |
| 6.5.3 | Broken authentication and session management (use of account credentials and session cookies) |
| 6.5.4 | Cross-site scripting (XSS) attacks |
| 6.5.5 | Buffer overflows |
| 6.5.6 | Injection flaws (for example, structured query language (SQL) injection) |
| 6.5.7 | Improper error handling |
| 6.5.8 | Insecure storage |
| 6.5.9 | Denial of service |
| 6.5.10 | Insecure configuration management |
| 6.6 | Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: |
| • | Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security |
| • | Installing an application layer firewall in front of web-facing applications. |
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
This requirement ensures critical data can only be accessed by authorized personnel.
| 7.1 | Limit access to computing resources and cardholder information only to those individuals whose job requires such access. |
| 7.2 | Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed. |
|
Payment Card Industry (PCI) Data Security Standard |
8 |
Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
| 8.1 | Identify all users with a unique user name before allowing them to access system components or cardholder data. |
| 8.2 | In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: |
| • | Password |
| • | Token devices (e.g., SecureID, certificates, or public key) |
| • | Biometrics. |
| 8.3 | Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. |
| 8.4 | Encrypt all passwords during transmission and storage on all system components. |
| 8.5 | Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: |
| 8.5.1 | Control addition, deletion, and modification of user IDs, credentials, and other identifier objects |
| 8.5.2 | Verify user identity before performing password resets |
| 8.5.3 | Set first-time passwords to a unique value for each user and change immediately after the first use |
| 8.5.4 | Immediately revoke access for any terminated users |
| 8.5.5 | Remove inactive user accounts at least every 90 days |
| 8.5.6 | Enable accounts used by vendors for remote maintenance only during the time period needed |
| 8.5.7 | Communicate password procedures and policies to all users who have access to cardholder data |
| 8.5.8 | Do not use group, shared, or generic accounts and passwords |
| 8.5.9 | Change user passwords at least every 90 days |
| 8.5.10 | Require a minimum password length of at least seven characters |
| 8.5.11 | Use passwords containing both numeric and alphabetic characters |
| 8.5.12 | Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used |
| 8.5.13 | Limit repeated access attempts by locking out the user ID after not more than six attempts |
| 8.5.14 | Set the lockout duration to thirty minutes or until administrator enables the user ID |
| 8.5.15 | If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal |
| 8.5.16 | Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users |
|
Payment Card Industry (PCI) Data Security Standard |
9 |
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
| 9.1 | Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data. |
| 9.1.1 | Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law |
| 9.1.2 | Restrict physical access to publicly accessible network jacks |
| 9.1.3 | Restrict physical access to wireless access points, gateways, and handheld devices. |
| 9.2 | Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. |
“Employee” refers to full-time and part-time employees, temporary employees and personnel, and consultants who are “resident” on the entity’s site. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
| 9.3 | Make sure all visitors are handled as follows: |
| 9.3.1 | Authorized before entering areas where cardholder data is processed or maintained |
| 9.3.2 | Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees |
| 9.3.3 | Asked to surrender the physical token before leaving the facility or at the date of expiration. |
| 9.4 | Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law. |
| 9.5 | Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility. |
| 9.6 | Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data. |
| 9.7 | Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data including the following: |
| 9.7.1 | Classify the media so it can be identified as confidential |
| 9.7.2 | Send the media by secured courier or other delivery method that can be accurately tracked. |
| 9.8 | Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals). |
| 9.9 | Maintain strict control over the storage and accessibility of media that contains cardholder data. |
| 9.9.1 | Properly inventory all media and make sure it is securely stored. |
| 9.10 | Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows: |
| 9.10.1 | Cross-cut shred, incinerate, or pulp hardcopy materials |
| 9.10.2 | Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed. |
|
Payment Card Industry (PCI) Data Security Standard |
10 |
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
| 10.1 | Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. |
| 10.2 | Implement automated audit trails for all system components to reconstruct the following events: |
| 10.2.1 | All individual user accesses to cardholder data |
| 10.2.2 | All actions taken by any individual with root or administrative privileges |
| 10.2.3 | Access to all audit trails |
| 10.2.4 | Invalid logical access attempts |
| 10.2.5 | Use of identification and authentication mechanisms |
| 10.2.6 | Initialization of the audit logs |
| 10.2.7 | Creation and deletion of system-level objects. |
| 10.3 | Record at least the following audit trail entries for all system components for each event: |
| 10.3.1 | User identification |
| 10.3.2 | Type of event |
| 10.3.3 | Date and time |
| 10.3.4 | Success or failure indication |
| 10.3.5 | Origination of event |
| 10.3.6 | Identity or name of affected data, system component, or resource. |
| 10.4 | Synchronize all critical system clocks and times. |
| 10.5 | Secure audit trails so they cannot be altered. |
| 10.5.1 | Limit viewing of audit trails to those with a job-related need |
| 10.5.2 | Protect audit trail files from unauthorized modifications |
| 10.5.3 | Promptly back-up audit trail files to a centralized log server or media that is difficult to alter |
| 10.5.4 | Copy logs for wireless networks onto a log server on the internal LAN. |
| 10.5.5 | Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
| 10.6 | Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). |
Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
| 10.7 | Retain audit trail history for at least one year, with a minimum of three months online availability. |
|
Payment Card Industry (PCI) Data Security Standard |
11 |
Requirement 11: Regularly test security systems and processes
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.
| 11.1 | Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use. |
| 11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). |
Note: Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card industry. Scans conducted after network changes may be performed by the company’s internal staff.
| 11.3 | Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following: |
| 11.3.1 | Network-layer penetration tests |
| 11.3.2 | Application-layer penetration tests. |
| 11.4 | Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date. |
| 11.5 | Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to perform critical file comparisons at least weekly. |
Critical files are not necessarily only those containing cardholder data. For file integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
|
Payment Card Industry (PCI) Data Security Standard |
12 |
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
| 12.1 | Establish, publish, maintain, and disseminate a security policy that accomplishes the following: |
| 12.1.1 | Addresses all requirements in this specification |
| 12.1.2 | Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment |
| 12.1.3 | Includes a review at least once a year and updates when the environment changes. |
| 12.2 | Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures). |
| 12.3 | Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following: |
| 12.3.1 | Explicit management approval |
| 12.3.2 | Authentication for use of the technology |
| 12.3.3 | List of all such devices and personnel with access |
| 12.3.4 | Labeling of devices with owner, contact information, and purpose |
| 12.3.5 | Acceptable uses of the technologies |
| 12.3.6 | Acceptable network locations for the technologies |
| 12.3.7 | List of company-approved products |
| 12.3.8 | Automatic disconnect of modem sessions after a specific period of inactivity |
| 12.3.9 | Activation of modems for vendors only when needed by vendors, with immediate deactivation after use |
| 12.3.10 | When accessing cardholder data remotely via modem, prohibition of storage of cardholder data onto local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access. |
| 12.4 | Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors. |
| 12.5 | Assign to an individual or team the following information security management responsibilities: |
| 12.5.1 | Establish, document, and distribute security policies and procedures |
| 12.5.2 | Monitor and analyze security alerts and information, and distribute to appropriate personnel |
| 12.5.3 | Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations |
| 12.5.4 | Administer user accounts, including additions, deletions, and modifications |
| 12.5.5 | Monitor and control all access to data. |
| 12.6 | Implement a formal security awareness program to make all employees aware of the importance of cardholder data security. |
| 12.6.1 | Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions) |
|
Payment Card Industry (PCI) Data Security Standard |
13 |
| 12.6.2 | Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures. |
| 12.7 | Screen potential employees to minimize the risk of attacks from internal sources. |
For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
| 12.8 | If cardholder data is shared with service providers, then contractually the following is required: |
| 12.8.1 | Service providers must adhere to the PCI DSS requirements |
| 12.8.2 | Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses. |
| 12.9 | Implement an incident response plan. Be prepared to respond immediately to a system breach. |
| 12.9.1 | Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations) |
| 12.9.2 | Test the plan at least annually |
| 12.9.3 | Designate specific personnel to be available on a 24/7 basis to respond to alerts |
| 12.9.4 | Provide appropriate training to staff with security breach response responsibilities |
| 12.9.5 | Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems |
| 12.9.6 | Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. |
| 12.10 | All processors and service providers must maintain and implement policies and procedures to manage connected entities, to include the following: |
| 12.10.1. | Maintain a list of connected entities |
| 12.10.2. | Ensure proper due diligence is conducted prior to connecting an entity |
| 12.10.3. | Ensure the entity is PCI DSS compliant |
| 12.10.4. | Connect and disconnect entities by following an established process. |
|
Payment Card Industry (PCI) Data Security Standard |
14 |
Appendix A: PCI DSS Applicability for Hosting Providers
Requirement A.1: Hosting providers protect cardholder data environment
As referenced in Requirement 12.8, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that hosting providers must protect each entity’s hosted environment and data. Therefore, hosting providers must give special consideration to the following:
| A.1 | Protect each entity’s (that is merchant, service provider, or other entity) hosted environment and data, as in A.1.1 through A.1.4: |
| A.1.1 | Ensure that each entity only has access to own cardholder data environment |
| X.0.0 | Xxxxxxxx each entity’s access and privileges to own cardholder data environment only |
| A.1.3 | Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10 |
| A.1.4 | Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. |
A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not necessarily guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
|
Payment Card Industry (PCI) Data Security Standard v 1.1 |
15 |
Appendix B: Compensating Controls
Compensating Controls – General
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a technical specification of a requirement, but has sufficiently mitigated the associated risk. See the PCI DSS Glossary for the full definition of compensating controls.
The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments. Each compensating control must be thoroughly evaluated after implementation to ensure effectiveness.
The following guidance provides compensating controls when companies are unable to render cardholder data unreadable per requirement 3.4.
Compensating Controls for Requirement 3.4
For companies unable to render cardholder data unreadable (for example, by encryption) due to technical constraints or business limitations, compensating controls may be considered. Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Companies that consider compensating controls for rendering cardholder data unreadable must understand the risk to the data posed by maintaining readable cardholder data. Generally, the controls must provide additional protection to mitigate any additional risk posed by maintaining readable cardholder data. The controls considered must be in addition to controls required in the PCI DSS, and must satisfy the “Compensating Controls” definition in the PCI DSS Glossary. Compensating controls may consist of either a device or combination of devices, applications, and controls that meet all of the following conditions:
| 1. | Provide additional segmentation/abstraction (for example, at the network-layer) |
| 2. | Provide ability to restrict access to cardholder data or databases based on the following criteria: |
| • | IP address/Mac address |
| • | Application/service |
| • | User accounts/groups |
| • | Data type (packet filtering) |
| 3. | Restrict logical access to the database |
| • | Control logical access to the database independent of Active Directory or Lightweight Directory Access Protocol (LDAP) |
| 4. | Prevent/detect common application or database attacks (for example, SQL injection). |
|
Payment Card Industry (PCI) Data Security Standard v 1.1 |
16 |
Master Services Agreement
between
VMU and IBM
Schedule O
Subcontractors
***
