EX-10.56 4 dex1056.htm MASTER RELATIONSHIP AGREEMENT MASTER RELATIONSHIP AGREEMENT
Exhibit 10.56
This Master Relationship Agreement (“MRA”) by and between GLASSHOUSE TECHNOLOGIES, INC. (“GlassHouse”), a Delaware corporation located at 000 Xxxxxxxx Xxxxxxxxx, Xxxxxxxxxx, XX 00000, and DELL MARKETING, L.P. (“Dell Marketing”), a Texas limited partnership located at Xxx Xxxx Xxx, Xxxxx Xxxx, Xxxxx 00000, by and on behalf of Dell, Inc. and their respective subsidiaries and Affiliates (as defined below), is effective as of June 23, 2008 (the “Effective Date”).
SECTION 1. AGREEMENT STRUCTURE
1.2 This MRA, together with all schedules attached hereto (“Schedules”) and Statements of Work shall be collectively referred to as the “Agreement.” The Agreement constitutes the entire agreement between the parties and supersedes all prior discussions, both oral and written, between the parties related to the subject matter of the Agreement that occurred prior to the Effective Date. For the sake of clarity, the Agreement has no impact on the Intellectual Property License Agreement, dated as of March 6, 2008, by and between the parties (the “IP License Agreement”); moreover, the parties acknowledge and agree that nothing in this Agreement shall supersede or amend the IP License Agreement.
1.3 The Agreement constitutes the terms and conditions under which Dell will purchase Services from GlassHouse, including, but not limited to, any Deliverables provided to Dell during the course of providing the Services.
1.4 The terms and conditions of the MRA apply to all Schedules, Dell PO(s), and Statements of Work for the purchase of Services. GlassHouse shall not provide Dell with any Services and Dell shall not be obligated to pay for any Services unless Dell and GlassHouse have executed a Statement of Work and Dell has issued a Dell PO for the applicable Services.
1.5 Unless expressly stated otherwise in a Statement of Work, in the event of conflict between the MRA and any Schedule or Statement of Work, the order of precedence shall be as follows: (i) the MRA, (ii) the Schedule, and then (iii) the Statement of Work. Any additional or conflicting terms contained in a Dell PO shall be void and have no effect. Notwithstanding the order of precedence above, if a Statement of Work explicitly identifies a provision in the MRA(other than those that involve indemnification or limitation of liability which may only be modified or superseded by an amendment to the MRA), that the parties intend to be superseded or modified by a provision in the Statement of Work, the provision in the Statement of Work shall prevail for purposes of that Statement of Work.
1.6 When a Dell entity desires to purchase Services, such Dell entity and GlassHouse will execute Statement of Work. Each Statement of Work shall expressly reference this MRA and all the terms and conditions of this MRA shall govern such Statement of Work. Once the applicable Statement of Work is executed, any other Dell entity may subsequently issue a Dell PO to purchase the Services described in the applicable Statement of Work; provided, however, that GlassHouse may accept or reject any Dell PO in its reasonable discretion. For purchases of
| 1 |
Services outside of the United States, a Statement of Work and/or Dell PO will be issued by the applicable local Dell entity to GlassHouse, or to such other GlassHouse Affiliate designated by GlassHouse. All Dell PO(s) will be governed by the terms and conditions of the MRA and the applicable Statement of Work and collectively shall be deemed a separate agreement between the applicable Dell and Glasshouse Entities. To the extent the parties’ Affiliates require additional or alternative terms and conditions than those contained in this MRA in order to comply with local country law or business practices, such alternative or additional terms shall be set forth in a “Country Unique Terms” section of the applicable Statement of Work.
SECTION 2. TERM AND TERMINATION
| 2 |
resolution. Within thirty (30) days after such written demand, GlassHouse and Dell agree to meet for one day with an impartial mediator and consider dispute resolution alternatives other than litigation. The costs of engaging the mediator shall be shared equally. If an alternative method of dispute resolution is not agreed upon within thirty (30) days after the one-day mediation, either GlassHouse or Dell may begin litigation proceedings.
| 3 |
under any Statement of Work shall be required to sign an acknowledgement in form reasonably acceptable to GlassHouse that provides that although such personnel may work with employees of Dell, (i) they are employees of GlassHouse only and (ii) they are expected to follow the policies, procedures and direction of GlassHouse.
| 4 |
SECTION 5. REPRESENTATIONS AND WARRANTIES
| 5 |
any Dell Pre-existing IP; (b) any Claim that Dell has caused bodily injury including, without limitation, death or has damaged real or tangible personal property; (c) any violation by Dell of any governmental laws, rules, ordinances, or regulations; and/or (d) any Claim by or on behalf of Dell’s other subcontractors, suppliers, or employees for salary, wages, benefits or other compensation.
| 6 |
(a) Promptly after receipt by the Indemnitee of written notice of the assertion or the commencement of any Claim, whether by legal process or otherwise, with respect to any matter within the scope of this SECTION 6, the Indemnitee will give written notice thereof to the Indemnitor and will thereafter keep the Indemnitor reasonably informed with respect thereto; provided, however, that the failure of the Indemnitee to give the Indemnitor such prompt written notice will not relieve the Indemnitor of its obligations hereunder except to the extent such failure results in prejudice to Indemnitor’s defense of such Claim. Within thirty (30) days following receipt of written notice from the Indemnitee relating to any claim, but no later than ten (10) days before the date on which any response to a complaint or summons is due, the Indemnitor will notify the Indemnitee in writing that the Indemnitor will assume control of the defense and settlement of such claim (the “Notice”).
(b) If the Indemnitor delivers the Notice relating to any Claim within the required notice period, the Indemnitor will be entitled to have sole control over the defense and settlement of such Claim; provided, however, that the Indemnitee will be entitled to participate in the defense of such claim and to employ legal advisers at its own expense to assist in the handling of such claim. After the Indemnitor has delivered a Notice relating to any claim in accordance with the preceding paragraph, the Indemnitor will not be liable to the Indemnitee for any legal expenses subsequently incurred by such Indemnitee in connection with the defense of such Claim.
(c) If the Indemnitor fails to assume the defense of any such Claim within the prescribed period of time, then the Indemnitee may assume the defense of any such Claim, the reasonable costs and expenses of which shall be deemed to be Damages. The Indemnitor will not be responsible for any settlement or compromise made without its consent, unless the Indemnitee has tendered notice and the Indemnitor has then failed to provide Notice and it is later determined that the Indemnitor was liable to assume and defend the Claim.
(d) The Indemnitee will provide reasonable assistance to the Indemnitor (at the Indemnitor’s expense), including reasonable assistance from the Indemnitee’s employees, agents, independent contractors and Affiliates, as applicable. Notwithstanding any provision of this Section 6 to the contrary, the Indemnitor will not consent to the entry of any judgment or enter into any settlement that provides for injunctive or other non-monetary relief affecting the Indemnitee without the prior written consent of the Indemnitee, which consent will not be unreasonably withheld or delayed.
| 7 |
SECTION 7. LIMITATION OF LIABILITY
SECTION 8. INTELLECTUAL PROPERTY RIGHTS
8.1 Pre-existing Intellectual Property. GlassHouse and Dell each shall retain ownership of all right, title and interest in its Pre-existing IP, subject to any license grants under the IP License Agreement.
| 8 |
8.6 Disclosure of Dell Work Product. GlassHouse will, as part of the Dell Work Product, disclose promptly in writing to Dell all of the Dell Work Product and document all intellectual property rights as Dell personnel may direct. Furthermore, GlassHouse shall, upon request, provide to Dell all of the Dell Work Product.
| 9 |
| 10 |
10.3 Worker Compensation. Statutory workers compensation insurance in the state(s) or jurisdiction in which GlassHouse’s employees perform services for Dell, and employer’s liability insurance with limits of not less than $500,000: (i) for each accident; and (ii) for each employee for occupational disease (policy limit for disease). GlassHouse hereby waives all claims and causes of action against Dell, its officers, directors and employees for any and all injuries suffered by GlassHouse’s employees.
| 11 |
11.1 Governing Law; Venue. EACH PARTY IRREVOCABLY SUBMITS AND CONSENTS TO THE EXCLUSIVE JURISDICTION OF THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE AND THE DELAWARE STATE COURTS, AND HEREBY AGREES THAT SUCH COURTS SHALL BE THE EXCLUSIVE PROPER FORUM FOR THE DETERMINATION OF ANY DISPUTE ARISING HEREUNDER. THE AGREEMENT WILL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF DELAWARE, EXCLUSIVE OF ANY PROVISIONS OF THE UNITED NATIONS CONVENTION ON THE INTERNATIONAL SALE OF GOODS AND WITHOUT REGARD TO PRINCIPLES OF CONFLICTS OF LAW. Prior to either party commencing litigation, with respect to disputes under the Agreement, the parties shall have executives on both companies meet to determine resolution to the dispute.
| 12 |
Utilization of Small Business Concerns. If subcontractors are engaged to provide any Services pursuant to this Statement of Work, GlassHouse will use commercially reasonable efforts to engage businesses that are (i) certified as minority or women owned by a third party certification agency acceptable by Dell, (ii) business concerns that are fifty-one percent owned, controlled, operated and managed by women or members of a minority group including African Americans, Hispanic Americans, Native Americans, Asian Indian Americans, Asian-Pacific Americans, or (iii) meets the criteria of a small business as defined by the guidelines of the Small Business Administration this includes, but is not limited to veteran, hubzone, 8(a), disadvantaged and woman owned businesses (“Supplier Diversity”). GlassHouse agrees to maintain accurate records illustrating that they have a Supplier Diversity plan in place, records are being maintained, and as needed will be reported to Dell. GlassHouse agrees to also cooperate in any Dell Supplier Diversity studies or surveys as may be required. In the event GlassHouse is considered a Diverse Supplier, GlassHouse must register with Dell’s Supplier Diversity program at xxx.xxxx.xxx (click About Dell, click Supplier Diversity). GlassHouse must comply with Dell’s Supplier Diversity policies and procedures as well as comply, in a timely manner, with any reasonable request or requirement from Dell’s Supplier Diversity office (for example, second tier reporting). Second tier reports are to be submitted within 15 business days after the close of each calendar period. GlassHouse must comply with the following Supplier Principles which may be changed from time to time by Dell: xxxx://xxx0.xx.xxxx.xxx/xxxxxxx/xxxxxx/xxxxxx.xxxx/xxxx/xxx_xxxxxx/xx/xxxxxx?xxxx&xxxx&xxxxxx).
| 13 |
pre-printed terms and conditions stated thereon, except as specifically set forth in the MRA, are void and of no effect. No amendment or modification to the Agreement will be valid unless set forth in writing and signed by authorized representatives of both parties. The Agreement may not be assigned by GlassHouse in whole or in part, even by operation of law, in a merger or stock or asset sale, without the express written permission of Dell. Any attempt to do so will be null and void.
11.12 Exports. GlassHouse and Dell acknowledge that the Services and/or transactions contemplated by this Agreement, which may include technology and software, are subject to the customs and export control laws and regulations of the United States (“U.S.”) and may also be subject to the customs and export laws and regulations of other countries. Each party agrees to abide by those laws and regulations. Further, under U.S. law, the Services and any products applicable may not be sold, leased or otherwise transferred to restricted end-users or to restricted countries. In addition, the Services may not be sold, leased or otherwise transferred to, or utilized by an end-user engaged in activities related to weapons of mass destruction, including without limitation, activities related to the design, development, production or use of nuclear weapons, materials, or facilities, missiles or the support of missile projects, and chemical or biological weapons.
| 14 |
By signing below, the parties are agreeing to the terms and conditions contained in this Master Relationship Agreement.
| DELL MARKETING L.P. | GLASSHOUSE TECHNOLOGIES, INC. | |||||||
| By: | /s/ X. Xxxxxxx | By: | /s/ Xxxx Xxxxxxx | |||||
| Name: | X. Xxxxxxx | Name: | Xxxx Xxxxxxx | |||||
| Title: | VP GICS | Title: | President / CEO |
| 15 |
SCHEDULE A
DEFINITIONS
“Acquired Party” shall have the meaning set forth in Section 2.3.
“Affiliate(s)” of a party shall mean any and all Entities, now or in the future and for so long as the following ownership and control exists, that: (i) own or control, directly or indirectly, the party; (ii) are owned or controlled by, or under common control with, directly or indirectly, the party; or (iii) are owned or controlled, directly or indirectly, by a Parent Company. For purposes of the preceding sentence, “own or control” shall mean: (A) if the Entity has voting shares or other voting securities, ownership or control (directly or indirectly) of more than fifty percent (50%) of the outstanding shares or securities entitled to vote for the election of directors or other similar managing authority for such Entity; or (B) if the Entity does not have voting shares or other voting securities, ownership or control (directly or indirectly) of more than fifty percent (50%) of the ownership interest representing the right to make decisions for such Entity.
“Agreement” shall have the meaning set forth in Section 1.2.
“Change of Control” shall mean, with respect to a party, a change in Control of such party (or that portion of such party’s business to which the Agreement relates) or, if such party is not the ultimate Parent Company, such party’s ultimate Parent Company, where such Control is acquired, directly or indirectly, in a single transaction or series of related transactions, or all or substantially all of the assets of such party (or that portion of such party’s business to which the Agreement relates) are acquired by any entity that was not previously an Affiliate of such party, or such party (or that portion of such party’s business to which the Agreement relates) merges with another entity and does not constitute the surviving corporation of such merger.
“Claims” shall have the meaning set forth in Section 6.1.
“Confidential Information” shall have the meaning set forth in Section 9.1.
“Control” shall mean (i) the legal or beneficial ownership, directly or indirectly, of (A) at least fifty percent (50%) of the aggregate of all equity securities of an entity or (B) equity securities having the right to at least fifty percent (50%) of the profits of an entity or, in the event of dissolution, to at least fifty percent (50%) of the assets of an entity; (ii) the right to appoint, directly or indirectly, a majority of the board of directors (or other comparable managers); or (iii) the right to control, directly or indirectly, the management or policies of the entity, whether through the ownership of voting securities, by contract or otherwise.
“Copyleft” means a licensing model that permits anyone to use, modify or redistribute software, subject to a condition of use, modification, and/or distribution of such software, whereby such software and/or any other software incorporated into such software, derived from or distributed with such software be (i) disclosed or distributed in source code form to the public, (ii) licensed to the public for the purpose of making derivative works or (iii) re-distributed to anyone at no charge.
“Damages” shall have the meaning set forth in Section 6.1.
| 16 |
“Deliverables” shall mean any software, documentation or other deliverables provided to Dell during the course of providing the Services, excluding any materials provided to GlassHouse by Dell for inclusion in such deliverables.
“Dell” shall mean Dell Marketing and its Affiliates.
“Dell Indemnitees” shall have the meaning set forth in Section 6.2.
“Dell Marketing” shall have the meaning set forth in the preamble.
“Dell PO” shall mean a purchase order issued by Dell pursuant to any Statement of Work.
“Dell Work Product” shall have the meaning set forth in Section 8.3.
“Development Services” shall mean services provided by GlassHouse to Dell whereby GlassHouse is developing certain Dell Work Product for Dell as expressly set forth in a Statement of Work.
“Effective Date” shall have the meaning set forth in the preamble.
“Entity” shall mean a corporation, association, partnership, business trust, joint venture, limited liability company, proprietorship, unincorporated association, individual or other entity that can exercise independent legal standing.
“GlassHouse Indemnitees” shall have the meaning set forth in Section 6.1.
“GlassHouse IP” shall have the meaning set forth in Section 8.2.
“GlassHouse” shall have the meaning set forth in the preamble.
“IP License Agreement” shall have the meaning set forth in Section 1.2.
“Licensed Materials” shall have the meaning set forth in Section 8.4.
“Managed Services” shall mean the management and support by GlassHouse of Dell’s day to day administrative, information technology or management functions as detailed in any Statement of Work.
“MRA” shall have the meaning set forth in the preamble.
“Notice” shall have the meaning set forth in Section 6.6(a).
“Other Services” shall mean all services provided by GlassHouse to Dell as set forth in any Statement of Work other than Managed Services or Development Services.
“Parent Company” shall mean any Entity that owns or controls (directly or indirectly) more than fifty percent (50%) of the outstanding shares or securities representing the right to vote for the election of directors or other managing authority of a party.
| 17 |
“Pre-existing IP” means, with respect to each of GlassHouse and Dell, any intellectual property (i) owned by GlassHouse or Dell, respectively, prior to entering into this MRA; (ii) developed or acquired by GlassHouse or Dell, respectively, other than in the course of performing services under this MRA; and (iii) derivatives, improvements or modifications of the foregoing.
“Schedule” shall have the meaning set forth in Section 1.2.
“Services” shall mean Development Services, Managed Services and Other Services, collectively.
“Statement of Work” shall mean a written statement of work specifically referencing this MRA that is mutually agreed between the parties and executed by the authorized representatives of both parties.
“Supplier Diversity” shall have the meaning set forth in Section 11.3.
“Transition Plan” shall have the meaning set forth in Section 2.5.
| 18 |
SCHEDULE B
U.S. Site Security and Environmental, Health, and Safety Addendum
UNITED STATES SITE SECURITY
AND ENVIRONMENTAL, HEALTH, AND SAFETY ADDENDUM
Contract Name: Master Relationship Agreement
Effective Date: June 23, 2008
This Site Security and Environmental, Health, and Safety Addendum (this “Addendum”) is subject to the terms and conditions of the Master Relationship Agreement (the “Agreement”) dated June 23, 2008 between GlassHouse Technologies, Inc. (“Provider”) and Dell Marketing, L.P. (“Dell”). Capitalized terms not specifically defined herein shall have the meaning set forth in the Agreement.
Compliance Requirements:
Strict compliance with the requirements stated within this Addendum shall be required. Dell may terminate the Agreement with Provider based on any non-compliance with this Addendum. Provider agrees to adhere to and comply with the terms of this Addendum and to require all of Provider’s agents and employees and all of the agents and employees of Provider’s contractors who will be involved in any way with the rendition of Services (“Representatives”) to adhere to and comply with the terms of this Addendum. If Dell requests Provider to replace one or more of Provider’s personnel, agents, or subcontractors for any reason, Provider shall immediately replace that individual after notice is given to Provider by Dell and not reassign that person to perform any Services or any other Dell-related project absent Dell’s specific written consent. The fact that Dell makes any such request shall not require Provider to take any employment or other action against any of Provider’s personnel, agents, or subcontractors.
Provider shall provide each Representative a copy of this Addendum (together with its Exhibits and Attachments) and ensure that each Representative carefully reads this Addendum and agrees to comply with the terms and conditions of this Addendum prior to commencing any work for, on behalf of, or otherwise related to Dell. Provider shall also obtain a certification (in the form set forth in Exhibit “A” to this Addendum) from each Representative prior to the Representative providing any Services and then again each time an individual is assigned to perform Services (other than standard warranty break/fix dispatches) at a new customer site. Additionally, each year, on the anniversary month of the Effective Date of this Addendum, Provider shall provide Dell with Provider’s Certification of Compliance (in the form set forth in Exhibit “A-1” to this Addendum). Provider shall retain all signed Certifications (Exhibit “A”) for at least four years past the termination date of the Agreement.
Site Requirements:
Provider shall personally ensure that (1) a criminal background check and drug screen is conducted on each Representative who will enter onto any Dell property or any Dell customer site (2) using ProMesa or such other third-party service provider as Dell may otherwise designate in writing from time to time referencing this Addendum (“Dell’s Check and Screen Service Provider”) (3) within the 30 day period immediately preceding the Representative’s first entry upon any Dell property or any customer site and (4) no Representative subsequently enters onto any Dell property or customer site unless a criminal background check has been conducted within the 12 months preceding the entry.
Provider understands and agrees that Dell’s Check and Screen Service Provider shall apply the standards Dell applies to Dell’s new hires (the “Dell Standards”) in conducting the criminal background checks and drug screens described above and shall determine whether Representative is identified as a sex offender using an available sex offender database selected by Dell’s Check and Screen Service Provider. Provider understands and agrees that Dell may change the Dell Standards at any time, for any reason, with or without notice to Provider. Provider may request a copy of the current Dell Standards at any time. Provider agrees the Dell Standards constitute Confidential Information.
| 19 |
Representations and Warranties:
Provider represents and warrants that neither it nor any of its contractors or subcontractors will allow any Representative to enter onto any Dell property or any Dell customer site unless and until Dell’s Check and Screen Service Provider has affirmatively indicated that the Representative has successfully passed the criminal background check and drug screen described above. By allowing any Representative to enter onto Dell property or any customer site, Provider represents and warrants that:
| • | The Representative has successfully passed the criminal background check and drug screen described above (as evidenced by an affirmative indication of same by Dell’s Check and Screen Provider) within the 30 day period preceding the Representative’s first entry onto any Dell property or any customer site; |
| • | The Representative has successfully passed the criminal background check within the 12 month period preceding any subsequent entry onto any Dell property or any customer site (i.e., annual certification of criminal background required); |
| • | The Representative is drug and alcohol free; |
| • | The Representative is authorized to work for Provider or its contractor or subcontractor in the U.S. as required by law; |
| • | The Representative does not have any weapons in his or her possession or in his or her vehicle; and |
| • | The Representative shall comply with all applicable Dell and Dell customer Rules of Conduct (available upon request). |
Upon request, Provider shall provide Dell with any and all information and documents reasonably requested by Dell to ensure that Provider and Provider’s contractors and subcontractors are complying with the requirements of this Addendum. Provider’s refusal to provide Dell with any information or document requested by Dell shall give Dell the right to terminate the Agreement.
If during an audit of technician-pass/fail status, or any other time, Dell discovers that a technician which has responded to a Dell dispatch has either not completed or failed the criminal background check or drug screen as described above, Dell has the right to require Provider to pay an amount between $1,000 and $10,000 per occurrence, which amount shall be determined on a case-by-case basis based upon the severity of the violation and the actual or potential harm caused to Dell’s business and customers.
Notice:
If Provider receives any information suggesting that any Representative has been charged with or arrested for any criminal offense (other than a minor traffic violation) or is or may be violating any of the terms of this Addendum or the Rules of Conduct of Dell or a Dell Customer, Provider shall immediately provide written notice of same to Provider’s primary Dell contact and shall ensure the Representative does not enter onto any Dell property or any customer site absent the specific written approval of Provider’s primary Dell contact following such written notice.
Compliance with Applicable Law:
If compliance with any portion of this Addendum (including this provision) would require Provider to violate an applicable law, Provider shall notify Provider’s primary Dell contact of same in writing immediately. Pending Dell’s written response to Provider’s written notice, Provider shall ensure that a Representative who has not complied with all of the requirements of this Addendum is not permitted to enter onto any Dell property or any Dell customer site.
2
Provider shall indemnify, defend, and hold harmless Dell and its subsidiaries and affiliates and their respective officers, directors, employees, representatives, and agents from and against any and all claims, legal proceedings, demands, damages, losses, liabilities, judgment, settlements, costs and expenses, including without limitation reasonable attorneys’ fees that are related to any alleged or actual failure by Provider (including any failure by Provider’s agents or employees) or Provider’s contractors or subcontractors (including any failure by the agents or employees of Provider’s contractors and subcontractors) to comply with any of the requirements of this Addendum. The Indemnification Procedures identified in the Agreement shall apply to Dell’s indemnity right under this paragraph.
General Environmental, Health & Safety (EHS) Requirements:
Provider and all sub-contractors working for Provider on Dell’s premises or customer site must conduct work in a manner that minimizes the risk of injury to themselves, Dell employees or other employees at the customer site, and damage to property. Work must be conducted in accordance with all Federal, State, and local Environmental, Health & Safety regulations, policies and procedures, and all site-specific requirements (as applicable). The framework for the baseline requirements is outlined below. Adherence to these requirements is a condition of the Agreement between the parties.
| 1. | Provider will maintain a clean and safe work site at all times. Removal of trash, debris, scrap, and waste materials from the work area will occur in accordance with the terms of the applicable Statement of Work (SOW). All waste materials must be removed from Dell or a customer site by the Provider in accordance with Federal, State, and local regulations. |
| 2. | Provider will enforce all environmental, health, and safety rules and requirements for their employees and all sub-Contractors. |
| 3. | Provider will maintain records of all injuries and incidents in accordance with OSHA Recordkeeping requirements. Provider will submit incident information including but not limited to OSHA 300 logs (or similar records) to Dell upon request. |
| 4. | Dell reserves the right to review Provider’s site activities. Deficiencies in Provider’s activities on site as identified by Dell (or its agents) will be corrected to Dell’s satisfaction within an agreed upon timeframe. |
| 5. | Unless otherwise provided in the Agreement, Provider and/or its subcontractors agree that each will not use Dell provided equipment to perform Services and that the Provider and/or its subcontractors are solely responsible for the maintenance and repair of their own equipment used to perform such Services. |
Notwithstanding anything contrary in the terms of any applicable Non-Disclosure Agreement, any trade secrets or other proprietary information of Dell or Dell’s customer, whether oral, visual or written, shall constitute confidential information of Dell or Dell’s Customer even if not marked as such. Further, Provider’s obligation to preserve the confidentiality of such trade secrets or proprietary information shall continue in perpetuity. The terms and conditions of the attached Exhibit B to this Addendum shall not be disclosed by Provider without prior written approval of the authorized Dell representative.
3
Strict compliance with the above requirements in this Addendum is a material term of the Agreement. Dell reserves the right to terminate the Agreement based on any non-compliance with the terms of this Addendum.
The parties hereto have caused this Addendum to be executed by their duly authorized representatives.
| Agreed and Accepted: | Agreed and Accepted: | |||||||
| DELL MARKETING, L.P. | GLASSHOUSE TECHNOLOGIES, INC. | |||||||
| By: | By: | |||||||
| Printed Name: | Printed Name: | |||||||
| Title: | Title: |
4
Exhibit A to Site Security Addendum
Certification of Provider’s Personnel, Agents, and Subcontractors:
Signed Certifications must be kept on record with Provider’s Human Resources Department for a period of four years after the termination of the Agreement.
My signature below confirms my acknowledgement that I have read the Site Security and Environmental, Health, and Safety Addendum; that I fully understand the requirements stated therein; and that I agree to comply with the requirements stated therein while on Dell property, Dell business, or any customer site.
| Printed Name: | ||
| Signature: | ||
| Date: |
Exhibit A
Page 1
Exhibit A-1 to Site Security Addendum
Annual Certification of Provider’s Compliance:
Signed Certifications must be kept on record with Provider’s Human Resources Department for a
period of four years after the termination of the Agreement.
My signature below confirms Provider’s acknowledgement of compliance with the Site Security and Environmental, Health, and Safety Addendum terms; that Provider fully understands the requirements stated therein; and that Provider agrees to comply with the requirements stated therein while any of Provider’s personnel, agents or subcontractors are at Dell or any customer site.
| Printed Name: |
| Signature: |
| Title: |
| Date: |
Exhibit B
Page 2
Exhibit B to Site Security Addendum
Confidentiality Agreement
_______________________________ (insert name of Contractor or Subcontractor here) (“Contractor”) acknowledges that Provider has provided the undersigned with this Confidentiality Agreement and the undersigned has read and understands the terms of this Confidentiality Agreement. This Confidentiality Agreement applies to the following project (the “Project”): Confidentiality agreement is to be signed by ALL sub-contractors as they are not covered under Dell’s NDA. (Please delete these instructions upon execution).
___________________________________ (insert description of Project here)
___________________________________
By its signature below, the undersigned (the “Contractor”) agrees that:
The Contractor is entering upon the Project, which is owned or leased by Dell Inc. (or a subsidiary and/or affiliate of Dell Inc.) or is owned or leased by Dell’s Customer. Dell Inc. and/or each such subsidiary and/or affiliate of Dell Inc. and Dell’s Customer are referred to herein as an “Owner Party” and referred to collectively as the “Owner Parties.”
The Contractor agrees that any and all information relating to the business of any Owner Party and all Owner Parties and all information relating to, belonging to, or pertaining to any product, supplier, creditor, customer or prospect of any Owner Party and all Owner Parties, including but not limited to, information relating to products, customer and prospect lists, concepts for marketing computer hardware and software, data processing, programming, software, documentation, research and development processes, inventions, services or the internal operations of any Owner Party and all Owner Parties or any supplier, creditor, customer or prospect of any Owner Party and all Owner Parties is and shall be treated by the Contractor as confidential and proprietary at all times (including, without limitation, at all times after the Contractor is no longer performing work or providing labor, material or other services at the Project).
The Contractor agrees that, except for the purpose of any Owner Party’s right to enforce the terms of this Confidentiality Agreement, this Confidentiality Agreement does not create any privity of contract between the Contractor and any Owner, and the Contractor hereby waives any and all claims, demands, suits and causes of action against any Owner Party and all Owner Parties and releases all Owner Parties from any liability, whether any such claim, demand, suit, cause of action or liability is known or unknown, present or future.
In addition to any other remedies available to any Owner Party, any Owner Party shall have the right to seek equitable relief, including, without limitation, injunctive relief or specific performance, against the Contractor or its representatives, employees or agents in order to enforce the provisions of this Confidentiality Agreement.
| Contractor | ||
| By: | ||
| (Signature) | ||
| (Printed Name) | ||
| Its: | ||
| (Title) | ||
| Date: |
Exhibit A
Page 2
SCHEDULE C
INFORMATION PRIVACY AND SECURITY SCHEDULE ADDENDUM
This Information Privacy and Security Schedule Addendum (this “IPSS”), dated June 23, 2008, is subject to the terms and conditions of the GlassHouse Technologies, Inc. Master Relationship Agreement (“MRA”) dated June 23, 2008 between GlassHouse Technologies, Inc. (“Provider”) and Dell Marketing, L.P. and the terms of the Non Disclosure Agreement (#0511012) between Provider and Dell Marketing, L.P. (“NDA”). This IPSS shall be considered a Schedule under the MRA and shall be deemed part of the Agreement. “Dell” shall mean Dell Marketing, L.P. and its worldwide subsidiaries and affiliates including, but not limited to, Dell Inc. and all subsidiaries of Dell Inc. In the event of a conflict between the NDA, MRA, or any other portion of the Agreement and this IPSS, this IPSS shall prevail. Provider’s failure to comply with any of the provisions of this IPSS shall be deemed a material breach of the Agreement.
Provider shall access and use all Data exclusively for the purpose of performing its obligations under the Agreement. Provider shall not sell, rent, transfer, distribute or otherwise disclose the Data to any third party (including subcontractors and outsourcers), without prior written permission from Dell unless required by law enforcement or government bodies or as otherwise required by law. In the event Dell provides such consent, Provider shall remain liable for the actions of the third party and shall ensure that any such third party complies with the terms in the NDA and the Agreement including without limitation, this IPSS. Provider will defend and indemnify Dell for any claims arising in connection with its own failure or the failure of the third party to comply with the NDA and the Agreement including, without limitation, this IPSS. Such claims shall be deemed covered claims under the terms of the “Indemnification” section of the MRA.
If through the course of business between Dell and Provider the scope of the Agreement or geographic reach change beyond what was agreed to initially, the terms of this IPSS must be revisited. In order to ensure proper compliance with Dell policy, industry standards and applicable regional laws and regulations, Dell may propose additional or updated terms to this IPSS and will negotiate in good faith with Provider to reach agreement on such additional terms. If the parties are unable to reach agreement, Dell may terminate the Agreement.
In addition to and without limiting the provisions regarding confidentiality and the definition of confidential information set forth in the Agreement and/or NDA, the term “Confidential Information” will also include: (1) all Dell non public, or proprietary information and data accessed by Provider through Dell’s network or provided to or accessed by Provider for hosting or outsourcing services whether or not it is marked or identified as such (“Electronic Data”); and (2) any information accessed, collected, retained, stored, shared, transferred, used or disclosed by Provider that relates to an identified or identifiable natural person (“Personally Identifying Information” or “PII” or “Personal Data”), whether or not it is marked or identified as such (Electronic Data and PII/Personal Data are collectively “Data”). Provider agrees to treat the Data as Dell confidential information in accordance with the NDA and the Agreement including, without limitation, this IPSS.
Notwithstanding the above, or any contrary terms in the NDA or other parts of the Agreement, any exclusion in the NDA or the Agreement to the definition of confidential information shall not apply to PII/Personal Data disclosed to Provider pursuant to the NDA and this Agreement. Provider’s obligation to protect Data shall survive the termination or expiration of the NDA and/ or the Agreement and Provider shall treat Data as Dell confidential in perpetuity. As between Provider and Dell, Dell is the exclusive owner of the Data.
Privacy Obligations
Provider agrees all access to, collection, retention, transfer, disclosure and use of PII/Personal Data will comply in all respects with Dell’s commitments to its customers set forth in Dell’s Global Privacy Policy and applicable regional privacy policies and local national laws based on the source of the data. Dell’s global and regional privacy policies are updated from time to time and are available at xxx.xxxx.xxx/xxxxxxx. Provider shall check the applicable privacy policies every quarter to ensure that it is complying with the most current version.
Provider shall not use PII/Personal Data to contact, solicit or target (for example by means of advertising, telemarketing or emailing) any individual (including but not limited to Dell customers or employees), without the express written permission of Dell.
Where Provider is providing services to Dell’s business customers as Dell’s subcontractor, Provider understands and accepts and agrees to comply in all respects with Dell’s customers’ privacy policies, practices and requirements as they may be communicated to Provider by Dell or Dell’s customers from time to time.
If Provider will be hosting a website, Provider must:
(1) For websites that are not clearly branded as Dell, ensure (a) that it is clearly and conspicuously communicated to users that they are no longer on a Dell site; and (b) clearly and conspicuously communicate Provider’s privacy policy to the users and (c) ensure that Provider’s privacy policy complies with all applicable laws and is consistent with the representations set forth in Dell’s applicable privacy policies.
(2) Post any informational language reasonably required by Dell;
(3) Prominently notify European Union users if their data will be hosted, transferred or processed outside the European Union.
Information Security Obligations
Provider will implement commercially reasonable safeguards to protect the Data that are no less rigorous than accepted industry practices (such as ISO 17799/27001, ITIL or COBIT) and will ensure that all such safeguards, including, how the Data is handled, processed, stored, and disposed of, are in compliance with all applicable data protection and privacy laws and in accordance with the terms of the NDA and Agreement. If Provider will have access to or will be handling, processing, storing or transmitting credit or debit card information Provider warrants that it will at all times remain in compliance with the Payment Card Industry “PCI” Data Security Standard requirements. Prior to accessing any such data and on each anniversary of the Agreement thereafter, Provider must submit a summary of the PCI DSS assessment results and remediation efforts, if any.
At a minimum, Provider shall implement physical, technical and administrative safeguards that provide for: (a) protection of business facilities, paper files, servers, computing equipment, including all mobile devices and other equipment with information storage capability, and backup systems containing the Data; (b) network, application (including databases) and platform security; (c) business systems designed to optimize security; (d) secure transmission and storage of Data (whether by encryption or other equally protective measures); (e) authentication and access control mechanisms; (f) personnel security and integrity; and (g) annual training to Provider’s employees, personnel, and/or subcontractors on how to comply with the Provider’s physical, technical, and administrative information security safeguards.
Data will be stored on servers in data centers which comply with industry standard data center security controls. Data files will not be placed on any notebook hard drive or removable media, such as compact disc or flash drives, unless encrypted. Provider will ensure that Highly Restricted PII/Personal Data and sensitive Dell data may not be co-located with information of a competitor.
Provider shall regularly test and monitor the effectiveness of its security practices and procedures relating to the Data and will evaluate and adjust its information security program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Provider knows or reasonably should know may have a material effect on its information security program. In addition, at any point during the term of the Agreement, upon Dell’s request, Provider shall provide Dell a copy of Provider’s security standards, policies and guidelines related to the Data.
Upon request, Provider shall grant Dell or a third party on Dell’s behalf permission to perform an assessment of controls in Provider’s, or Provider’s subcontractors’ environment in relation to the services being provided to ensure compliance with the Agreement, as well as any applicable laws, regulations, directives, ordinances, or industry standards. This audit shall be performed at Dell’s expense. Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure and application software that processes, stores or transports Data for Dell pursuant to the Agreement.
Call Recordings
Unless not technically feasible, call recording data shall be encrypted. If not technically feasible, Provider shall comply with the following guidelines with respect to call recording data:
(1) Provider shall establish strong control processes for collection, review, distribution and removal of call recording data.
(2) Call recordings shall only be used for internal quality review and training purposes. Provider shall delete call recordings immediately after completing the quality review process, which shall in no case be longer than 60 days after the original recording was made, except for special situations involving specific identified recordings provided the recording is encrypted or highly sensitive customer information is removed.
(3) Provider shall ensure that access to the call recording data shall be highly controlled and limited to only those involved in the quality monitoring process. Logging and monitoring shall be performed by Provider to verify who has accessed these files. Prior to using a call recording for training purposes, all PII/Personal Data and must be removed from the recording or otherwise rendered in audible.
In the event that Provider experiences an actual or suspected security breach (e.g., physical trespass on a secure facility, computing systems intrusion/hacking, loss/theft of a computer [notebook, desktop, other mobile device, hard drive, or any information storage device], loss/theft of printed materials, exploitation of a vulnerability in the deliverables, or other unauthorized access), that resulted in (or is reasonably believed to have resulted in or may potentially result in) the misuse, compromise, or unauthorized release of Data (collectively, a “Security Breach”), Provider will notify Dell of the Security Breach with in 12 hours after it becomes aware of a Security Breach. A Security Breach also applies to a reported privacy complaint that Provider may receive in relation to the Data or services provided in the Agreement.
| • | Provider will provide Dell with the name and contact information for a primary security contact within Provider. Provider shall notify Dell of any Security Breaches by e-mailing with a read receipt xxxxxxx@xxxx.xxx with a copy to Provider’s primary business contact within Dell. |
| • | Immediately following such discovery and notification to Dell, the parties will coordinate with each other to investigate the Security Breach. |
| • | Provider also shall take immediate steps to remedy the Security Breach at Provider’s expense in accordance with local individual privacy rights and laws. Provider shall reimburse Dell for actual costs incurred in responding to and/or mitigating damages caused by a Security Breach. |
| • | Except as may be strictly required by applicable law, Provider agrees that it will not inform any third party of any Security Breach without first obtaining Dell’s prior written consent, other than to inform a complainant that the matter has been forwarded to Dell’s privacy office. |
Provider shall immediately notify Dell of any investigations of its information use or security practices by a government, regulatory, or self-regulatory organization.
Infrastructure Security and Connectivity
Upon request for the term of the Agreement, Provider shall provide a summary of the results of a controls audit, such as a SAS 70 Type II or information security audit as applicable to the services being provided, which has been performed within the past year. The audit will include an assessment of Provider’s general controls and security practices and procedures relating to the Data shared, accessed, and/or stored through this Agreement to ensure compliance with applicable national laws, regulations and industry standards. The audit should be performed as part of Provider’s ongoing information security program to evaluate Provider’s general security controls on a regular basis and at Provider’s expense. All such audits shall be performed by: (1) a qualified, objective, independent qualified third-party professional, such as a Certified Information System Security Professional or as a Certified Information Systems Auditor; (2) a person holding Global Information Assurance Certification from the SysAdmin, Audit, Network, Security Institute; or (3) a similarly qualified person or organization who is able to demonstrate experience in performing the required type of assessment. Provider and Dell will come to agreement on the timeframe and remediation of any gaps between the audit results and Dell’s expectations.
Dell, or a third party chosen by Dell, may evaluate the security of Provider’s I/T network and associated services, and Provider agrees to work cooperatively with Dell to determine whether additional or different security measures are required to protect the network or Data placed or proposed to be placed or transmitted on the network.
Product Security
Provider shall have processes in place to identify and to notify Dell in a timely manner of any security vulnerabilities identified in the Provider’s product, software, website or other similar item (hereafter “Product”), or in any third party component used in the Provider’s Product. Provider commits to remediate vulnerabilities identified in the Provider’s Product at the Provider’s expense and as a top priority or in a timeframe otherwise agreed upon by Dell.
Provider confirms that it uses, and that Product was designed based upon industry secure coding practices (such as OWASP or SANS Top 10 as applicable), and that information security is addressed throughout the development life-cycle, including without limitations, security development requirements, test plans, code reviews, security testing and quality assurance. The Product’s processes, direct capabilities, and other necessary actions comply with all applicable laws and payment card industry standards, where applicable, including but not limited to laws addressing privacy and information security obligations.
Upon request, Provider will submit the results and remediation efforts of an independent security assessment. The assessment scope must be agreed upon by Dell. Such an assessment is required for all products that will: (a) be customer facing, including shipped with or installed on customer systems; or (b) access, collect, store, transmit, disclose or process Highly-Restricted PII/Personal Data. Remediation efforts must be agreed upon by Dell and addressed to Dell’s satisfaction prior to acceptance of the final Product.
Data Retention
Provider will retain and delete Data in accordance with any retention schedule agreed upon between Dell and Provider. If Provider cannot retain this data for the stated amount of time, Provider will regularly provide the data to Dell for Dell to retain. If the Agreement between Dell and Provider expires prior to the agreed upon retention schedule, all Dell data hosted and maintained by Provider will be returned to Dell.
In the absence of such agreed schedule, in a manner consistent with applicable law, Provider will dispose of Data that is no longer needed throughout the term of the Agreement. Provider will provide Dell details on how the data will be disposed. In any event, no later than 30 days after the termination or expiration of the Agreement, or portion thereof, at Dell’s option Provider shall either: (1) dispose of all Data in a manner consistent with applicable law, (2) return all Data related to such terminated or expired services. Upon request, Provider shall present to Dell with a written and signed certification of such return and/or disposal. If Dell has a reasonable basis to be concerned about the continued retention of Data by the Provider after termination or expiration of the Agreement, promptly upon Dell’s written request, Provider shall obtain and fund an external audit to ensure total removal of Data from Provider’s systems. Dell has the right to oversee the audit and obtain the audit results.
In no event, however, will Provider dispose of data, which Provider has been notified that Provider must retain in response to a Dell “Legal Hold.” Provider’s obligation to retain such “Legal Hold” data exceeds any agreed-to retention policies or internal policies of Provider. If Provider cannot retain the “Legal Hold” data, Provider will provide the data to Dell for Dell to retain.
Disaster Recovery
Provider will maintain a disaster recovery plan for restoring its current and off-site data files. Provider will at all times be responsible for daily backup and preservation of any Data within its control. All backup copies of Data shall be treated as Dell confidential information. Provider will maintain a business continuity plan for restoring its critical business functions. Upon request, Provider will give Dell a copy of each plan.
| DELL MARKETING, L.P. | GLASSHOUSE TECHNOLOGIES, INC. | |||||||
| By: | By: | |||||||
| Printed Name: | Printed Name: | |||||||
| Title: | Title: |
Addendum 1 to Schedule 4
CANADA PRIVACY ADDENDUM
to Information Privacy and Security Schedule
This Canada Privacy Addendum is attached to and made part of the Information Privacy and Security Schedule (“IPSS”) between GlassHouse Technologies, Inc. (“Provider”) and Dell Marketing, L.P. and its worldwide subsidiaries and affiliates including but not limited to Dell Inc. and all subsidiaries of Dell Inc. (“Dell”). The terms of this Canada Privacy Addendum (this “Addendum”) govern Provider’s obligations related to its handling of PII concerning Canadian residents or persons located in Canada which it receives, collects, processes, transfers, discloses, uses and/or otherwise accesses in the course of providing services to Dell (the “Services”) pursuant to the Agreement and any applicable SOW(s). Capitalized terms not specifically defined in this Addendum shall have the meaning set forth in the IPSS or the MRA.
To the extent there are any inconsistencies between the terms of this Addendum and the terms of the IPSS, or the NDA, the terms of this Addendum will prevail. To the extent there are standards to be achieved by Supplier in this Addendum that are higher than the standards to be achieved by Provider in the IPSS, or the NDA, Supplier will comply with the higher standards set out in this Addendum.
Reference to Provider’s adherence to Dell’ Global Privacy Policy in the IPSS: (i) shall mean that Provider shall not take any action that will cause Dell to be in contravention of such policy; and (ii) is not intended to expand Provider’s rights with respect to any PII related obligations or activities.
| 1) | Compliance with Applicable Privacy Laws. For the purposes of this Addendum, “Applicable Privacy Laws” means the Personal Information Protection and Electronic Documents Act (Canada), as amended or supplemented from time to time, and any other Canadian federal or provincial legislation now in force or that may in the future come into force governing the collection, use, disclosure and protection of PII in the private sector or public sector applicable to either party or to the Services. In all cases and without limiting any of the other provisions in this Addendum, Provider shall comply at all times with Applicable Privacy Laws in carrying out the Services. |
| 2) | PII Protection/Safeguards. To the extent that Dell provides access or transfers to Provider any PII in connection with the Services, or to the extent that Provider otherwise collects, uses, discloses, stores, processes or otherwise handles PII on behalf of Dell in connection with providing the Services, Provider shall: |
| (a) | not use such PII for any purpose other than as necessary for the performance of its obligations with respect to the Services; |
| (b) | not disclose such PII or otherwise permit access to or make such PII available to any person except: |
| (i) | as expressly permitted or instructed by Dell; or |
| (ii) | as required to comply with applicable law or regulation or a valid court order or other binding requirement of a competent governmental authority, provided that in any such case: (A) Dell is immediately notified in writing of any such requirement (and in any event prior to disclosure of the PII), and (B) Provider provides all reasonable assistance to Dell in any attempt by Dell to limit or prevent the disclosure of the PII; |
| (c) | so long as Provider remains in possession, custody or control of such PII, use reasonable physical, organizational and technological security measures that are appropriate having regard to the sensitivity of the information to protect such PII against loss, theft and unauthorized access, disclosure, copying, use, modification or disposal; and, without limiting the foregoing, Provider shall: |
| (i) | restrict logical and physical access to PII to only those authorized employees and permitted agents and subcontractors that require access to such information to fulfill their job requirements and that are subject to binding obligations of confidentiality and data protection no less stringent than those of the Agreement (including the IPSS and this Addendum); |
| (ii) | not print, save, copy or store any PII, whether on removable, mobile or other media, in printed, electronic or optical form or otherwise, except temporarily within a secure location within Provider’s facilities and only to the extent necessary in connection with providing the Services, and immediately and securely destroy or delete any such temporary copies or saved or stored versions upon conclusion of the activity giving rise to the necessity of saving, copying or storing such PII; |
| (iii) | not move, remove, relocate or transmit any PII from Provider’s facilities without the express consent of Dell and/or without using appropriately secure encryption technology to protect such information while in transit; |
| (iv) | comply with any additional security measures, processes and procedures set out in the IPSS. |
| (d) | upon termination of the Services or upon request of Dell, whichever comes first, immediately cease all use of and return to Dell or, at the direction of Dell, dispose of, destroy, or render permanently anonymous all such PII, in each case using the security measures set out in paragraph (c) above; |
| (e) | immediately inform Dell of any actual or suspected loss, theft or accidental or unauthorized access, disclosure, copying, use, or modification of PII or other breach of Provider’s obligations in this Section 2; and |
| (f) | ensure at all times that PII and all data, databases or other records containing PII that are stored, handled or processed for Dell in connection with the Services are kept logically isolated and separate from any information, data, databases or other records stored, handled or processed by Provider for itself or for third parties. |
| 3) | Requests, Inquiries and Complaints. Provider shall: (a) immediately refer to Dell any individual who contacts Provider seeking access or correction to or with any inquiries or complaints about his or her PII in connection with or otherwise relating to the Services; (b) immediately notify Dell regarding any such request, inquiry or complaint; and (c) provide, in a timely manner, all reasonable co-operation, assistance, information and access to PII in its possession, custody or control as is necessary for Dell to promptly (and, in any event, within any timeframe required by Applicable Privacy Laws) respond to such request, inquiry or complaint. |
| 4) | Audits. On reasonable notice and during normal business hours, Provider shall: (a) permit Dell or its designee to inspect any PII in the custody or possession of Provider in connection with the Services and to audit Provider’s compliance with its obligations described in the IPSS (including, this Addendum) including, without limitation, the security measures used to protect PII; (b) permit Dell to enter onto Provider’s premises for such purposes; and (c) otherwise promptly and properly respond to all reasonable inquiries from Dell with respect to Provider’s handling of PII in connection with the Services or Provider’s compliance with the IPSS (including this Addendum). |
| 5) | Privacy Regulators. Provider shall provide, in a timely manner, all necessary and reasonable information and co-operation to Dell and to any regulatory or other governmental bodies or authorities with jurisdiction or oversight over Applicable Privacy Laws (each, a “Privacy Regulator”) in connection with any investigations, audits or inquiries made by any such Privacy Regulator under such legislation. Provider acknowledges that Dell may be required to disclose confidential information of Provider, without Provider’s consent, to such Privacy Regulators in connection with any investigation, audit or inquiry that pertains to or involves the Services. |
| 6) | Designated Individual. Provider shall designate and identify to Dell an individual to handle all aspects of the Services that relate to the handling of PII. |
| 7) | Subcontracting. Provider shall not subcontract, assign or delegate to any third party its obligations with respect to the collection, use, disclosure, storage, handling or processing of PII in connection with the Services without the express consent of Dell and without obtaining written contractual commitments of such third party substantially the same as those of the Agreement (including the IPSS and this Addendum). |
| 8) | Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein. |
| DELL MARKETING, L.P. | GLASSHOUSE TECHNOLOGIES, INC. | |||||||
| By: | By: | |||||||
| Printed Name: | Printed Name: | |||||||
| Title: | Title: |
Addendum 2 to Schedule 4
HIPAA ADDENDUM
This HIPAA Addendum (the “HIPAA Addendum”) to the Information Privacy and Security Schedule (“IPSS”) shall apply to any Provider that, in the course of performing its obligations under the Agreement on behalf of Dell, may use and/or disclose Protected Health Information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 and its related regulations, 45 CFR Parts 160 and 164 (“HIPAA”)). “Protected Health Information” is “Data,” as that term is defined in the IPSS. Provider fully and unconditionally agrees to the terms and conditions of the HIPAA Addendum. Terms not defined in this HIPAA Addendum shall have the meaning ascribed to them in the Agreement. The terms set forth in this HIPAA Addendum are in addition to, and not a substitute for, any privacy and security obligations and restrictions set forth in the IPSS.
| 1. | Responsibilities of the Provider with Respect to Protected Health Information. With regard to its use and/or disclosure of Protected Health Information, the Provider hereby agrees to do the following: |
| 1.1. | Use and Disclosure. Use and/or disclose the Protected Health Information only as permitted or required by this HIPAA Addendum or as expressly required or permitted by law. |
| 1.2. | Reporting. Immediately report in writing to Dell any use and/or disclosure of the Protected Health Information that is not permitted by this HIPAA Addendum or any actual or suspected breach of security of electronic Protected Health Information of which Provider becomes aware. More detail as to such notice, reporting, and related obligations is set forth in the IPSS. |
| 1.3. | Safeguards. Maintain the security of the Protected Health Information and prevent unauthorized use and/or disclosure of such Protected Health Information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic Protected Health Information that it creates, receives, maintains or transmits pursuant to the Agreement. More detail as to the minimum level of such safeguards is set forth in the IPSS. |
| 1.4. | Subcontractors and Agents. Require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information pursuant to the Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use, access to, and/or disclosure of Protected Health Information that apply to the Provider pursuant to this HIPAA Addendum. Provider will remain liable and indemnify Dell for any claims arising in connection with the failure of the third party to comply. |
| 1.5. | Audit and Inspection. Make available all records, books, schedules, policies and procedures relating to the use, disclosure, and safeguarding of Protected Health Information to the Secretary of Health and Human Services for purposes of determining Dell or Dell’s customers compliance with the Privacy and Security Regulations, provided that Provider will notify Dell in writing promptly upon receiving any requests for such documents and information from the Secretary of Health and Human Services or his/her representative. |
| 1.6. | Maintenance of Disclosure Records. Maintain sufficient information (including date of disclosure, name of receiver and address, if known, and description of Protected Health Information disclosed by Provider to any third-party and the purpose of disclosure) to permit Dell to provide a complete accounting to its customers of all disclosures of Protected Health Information within the previous six (6) years (and subsequent to April 14, 2003); and provide to Dell complete information regarding any such disclosure promptly, in order to permit the Dell to respond to requests by its customers for an accounting of the disclosures of the individuals’ Protected Health Information in accordance with 45 C.F.R. Sections 164.528 and 164.314. |
| 1.7. | Access for Inspection and Amendment. Promptly upon receiving a written request from Dell, provide to Dell such records and information as is requested to permit Dell to timely respond to a customer’s request to (i) inspect and/or copy Protected Health Information within a designated record set held by Provider in accordance with 45 C.F.R. Section 164.124; and/or (ii) amend Protected Health Information in accordance with 45 C.F.R. Section 164.526. |
| 1.8. | Return or Destruction. To the extent feasible, at Dell’s request, return or destroy the Protected Health Information within its possession (including, without limitation, any Protected Health Information in the possession of any subcontractor retained by it) upon termination of the Agreement. If it is not feasible to immediately return or destroy the Protected Health Information because of other obligations or legal requirements, the protections of this HIPAA Addendum shall apply until the Protected Health Information is returned or destroyed, and no other uses or disclosures may be made except for the purposes that prevented the return or destruction of the Protected Health Information. If Provider destroys the Protected Health Information, Provider will properly dispose of and certify such disposal of the HIPAA Information in accordance with the IPSS. Upon Dell’s request, Provider will provide Dell with a copy of its information disposal policies and procedures. |
| 1.9. | Mitigation and Injunction. Cooperate with Dell to mitigate, to the extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information, regardless of its cause. |
| 2. | Term and Termination. This HIPAA Addendum shall become effective when executed and shall continue in effect until all obligations of the Parties have been met. The terms and conditions of this HIPAA Addendum shall survive the expiration or termination of the Agreement. Dell may immediately terminate the Agreement if Dell, in its sole discretion, makes the determination that the Provider has breached a material term of this HIPAA Addendum or the IPSS. |
| 3. | Miscellaneous. The Parties agree to enter into a mutually acceptable amendment to this HIPAA Addendum as necessary to comply with applicable federal laws and regulations governing the use and/or disclosure of Data. Dell may terminate the Agreement upon thirty (30) days’ written notice in the event that the parties cannot reach mutual agreement on an amendment. To the extent that there is any conflict between the terms of the Agreement, the IPSS, and the terms of this HIPAA Addendum with respect to Protected Health Information, the terms of this HIPAA Addendum shall prevail. |
Addendum 3 to Schedule 4
DELL EMEA
PROCESSING OF PERSONAL DATA
DEFINITIONS and INTERPRETATION
“Customer Data” means customers of Dell;
“Data Protection Law” means the Data Protection Directive 95/46/EC and the Directive on Privacy and Electronic Communications 2002/58/EC, as implemented in the jurisdiction of the relevant customer and all other applicable laws and regulations relating to processing of the Personal Data;
“Dell” means Dell Inc. and all Dell entities taking part and subject to the Agreement;
“Employee” means an employee, consultant, sub-contractor, agent or officer of a person;
“European Economic Area” means the member states of the European Union together with Norway, Iceland and Liechtenstein;
“National Regulatory Authority” means the supervisory authority established under the applicable Data Protection Law for the purposes of monitoring within its territory the provisions adopted by that territory pursuant to its Data Protection Law;
“Party” means Dell or Provider, and “Parties” means Dell and Provider;
“Personal Data” means the Personal Data of Dell’s customers processed by the Provider;
“Person” includes any individual, firm, company, corporation, body corporate, government, state or agency of state, trust or foundation, or any association, partnership or unincorporated body of two (2) or more of the foregoing (whether or not having separate legal personality and wherever incorporated or established); and
“Personal data”, processing”, “data subject”, “controller” and “processor” have the same meaning as in the Data Protection Law applicable to the relevant data subject and other parts of the verb “to process” shall be construed accordingly.
| 1.1 | Provider undertakes that: |
| (a) | it shall register for, and maintain its Safe Harbor status for the duration of the Agreement or shall otherwise ensure that the provisions of Article 25 of Data Protection Directive 95/46/EC, as implemented in the jurisdiction of the relevant data subjects and any other similar provisions under applicable Data Protection law are met in relation to; |
| (b) | it will process the Personal Data only in accordance with the Data Protection Law applicable to the data subject and in accordance with the terms of this Agreement; |
| (c) | following any notice from Provider to Dell, or following any notice or query to Provider (directly or through Dell) from any National Regulatory Authority or Dell customer, of an actual or reasonably suspected use or disclosure of Personal Data in violation of the Data Protection Law, the auditors of the Dell shall have the right to conduct, with reasonable prior written notice, under reasonable time, place and manner conditions, pursuant to appropriate confidentiality and technical restrictions, and at its own expense, an audit of Provider’s systems, policies and procedures relevant to Provider’s compliance with the Data Protection Law with respect to the Personal Data and the circumstances and extent of such actual or reasonably suspected use or disclosure; |
| (d) | if it shall become necessary to transfer Personal Data from one location to another within its own organisation, that transfer shall be undertaken with appropriate security measures being implemented so as to ensure the integrity of the Personal Data; and |
| (e) | it will assist Dell in responding to all subject access requests which may be received from data subjects of the personal data contained in the Personal Data and to do all reasonable and practicable things necessary to enable the Data Controller to comply with such requests, such assistance to be provided at a cost to be agreed between the Provider and Dell and based upon the Provider’s then-current professional services rates; |
| 1.2 | Provider warrants and undertakes that it has in place and will maintain appropriate operational and technological processes and procedures to safeguard against any unauthorised access, loss, destruction, theft, use or disclosure of the Personal Data. |
| 1.3 | Where the Provider discloses, or makes available any Personal Data to any third party, including, without limitation, any agent, sub-contractor (whether or not an Employee) or supplier then it shall procure the performance by such third party of the provisions set out in clauses 1.1 and 1.2. as if such third party were the Provider, mutatis mutandis. Provider shall hold the Dell harmless from any Claims or Damages, on demand and on an indemnity basis, arising from any breach or alleged breach of this clause 1.3. |
2.0 Provider will defend, indemnify, and hold harmless Dell and their respective directors, officers, employees, representatives, and agents (collectively “Indemnitees”) from and against any and all claims, actions, demands, and legal proceedings (collectively “Claims”) and all liabilities, damages, losses, judgments, authorized settlements, costs and expenses including, without limitation, reasonable attorneys’ fees (collectively “Damages”), arising out of or in connection with: (a) alleged or actual wilful misconduct or grossly negligent acts or omissions of Provider related to the processing of the Personal Data ; and (b) violation by Provider of any data protection laws, rules, ordinances, or regulations applicable to processing of the Personal Data
| DELL MARKETING, L.P. | GLASSHOUSE TECHNOLOGIES, INC. | |||||||
| By: | By: | |||||||
| Printed Name: | Printed Name: | |||||||
| Title: | Title: |
SCHEDULE D
DELL TRAVEL AND EXPENSES POLICY
(As of June 23, 2008)
The Objective
The objective of this Schedule is to set policy for travel and expenses while performing services pursuant to this Agreement. All travel must be authorized by an executed Statement of Work. All travel booked through Dell Travel will be considered to comply with Sections 2, 3 and 4 of this Schedule unless the traveler was advised at the time of booking that their specific requests were not within policy. Any travel not booked through Dell Travel must fully comply with the provisions of this Schedule below. Provider must make payment by credit card for all travel and lodging booked through Dell Travel at the time of booking.
You engage Dell Travel in the U.S. by calling (000) 000-0000 and speaking with an agent. You may reach Dell Travel in the United Kingdom by calling 000 00 (0) 0000 00 0000. In addition, from outside the U.S. you can reach Dell Travel collect at (000) 000-0000.
| 1.0 | Travel and Expenses. |
Dell will reimburse reasonable and appropriate travel and related expenses incurred in the normal course of business as defined by this Schedule subject to the limitations and provisions presented as follows:
1.1 All travel and related expenses must comply with this Schedule, and must be made in conjunction with a legitimate business purpose subject to the approval of a designated Dell representative.
1.2 All requests for reimbursements must be accompanied by support documentation commensurate with normal business practice.
1.3 Dell will not provide reimbursement for items not incurred, or those which are incidental to the normal course of performing work on the engagement.
1.4 All exceptions to these provisions and guidelines must have the approval of a designated Dell representative.
1.5 All expenditures in excess of these provisions and guidelines are the responsibility of the consultant.
1.6 Dell reserves the right to deny reimbursement to any requests that do not conform to the aforementioned requirements.
| 2.0 | Airfare. |
2.1 Dell will provide reimbursement for one coach class round trip airfare for each consultant assigned to the engagement when (a) travel is authorized, (b) required, and (c) air travel is the most effective or only reasonable option available. All air reservations must be made through Dell Travel in the time and manner necessary to achieve the lowest possible fare.
| 3.0 | Lodging. |
3.1 Dell will provide reimbursement up to $85 per night stay.
| 4.0 | Transportation. |
4.1 Dell will provide reimbursement up to $35 per day for rental car while the consultant is traveling to and from overnight stay accommodations and the engagement business office. Car rentals will be arranged through Dell Travel. Dell will provide reimbursement up to $10 per day for parking car while the consultant is traveling to and from overnight stay accommodations and the engagement business office.
| 5.0 | Meals. |
5.1 Dell will provide reimbursement up to $35 per day for customary meals (breakfast, lunch and dinner) while the consultant is on an overnight or extended consulting engagement.
| 6.0 | Living Expenses. |
6.1 Maximum costs payable per day for Lodging, meals, transportation, or other expenses (excluding airfare) will not exceed one-hundred and sixty-five dollars ($165.00).
Schedule 2
2
