ADDENDUM TO MASTER SERVICES AGREEMENT
Exhibit 10.1
Addendum, dated as of September 22, 2011, between Internap Network Services Corporation and SoundBite Communications, Inc. (“SoundBite”), to the Master Services Agreement, dated August 28, 2003 (the “Agreement”).
1. | As the parties wish to add security requirements to the Agreement, the parties agree to add Attachment A attached to this Addendum to the Agreement. |
2. | If there is a conflict between the terms of this Addendum and the terms of the Agreement, this Addendum shall control. Except as modified by this Addendum, the Agreement shall continue to apply. |
INTERNAP NETWORK SERVICES CORPORATION | SOUNDBITE COMMUNICATIONS, INC. |
By: | By: |
Name: Xxxxx X. Xxxxxxx | Name: Xxxxxx X. Xxxxx |
Title: Director of Sales | Title: COO & CFO |
Date: 9/21/2011 | Date: 9/22/11 |
[Page 1 of 14]
ATTACHMENT A
INFORMATION SECURITY STANDARD
Introduction
This SoundBite Information Security Standard defines the information protection controls used to protect SoundBite Information and applies to any organization (Company) that stores, processes, transmits, or accesses that information. SoundBite uses these controls internally and, to the degree that a vendor to SoundBite handles SoundBite Information, particularly SoundBite Confidential Information or SoundBite Highly Confidential Information, SoundBite requires that Company meet these security requirements as well.
This standard is based on industry-accepted standards including, but not limited to, the PCI DSS, NIST 800-53, and ISO 27002.
This standard reflects the superset of SoundBite’s information protection requirements which originate from SoundBite’s regulatory requirements, contractual requirements, and internal risk management requirements.
1. | Definitions |
1.1. | Information Security Executive Sponsor – Company executive officer or director with ultimate responsibility for the Information Security Program. |
1.2. | Information Security Officer – Person responsible for the day-to-day management of the Information Security Program. |
1.3. | Information Security Policy – Company policy documents that outline high-level requirements or rules that define the Information Security Program. Compliance is mandatory. |
1.4. | Information Security Program – The people, processes, and technology required to implement, to operate, to manage, to maintain, and to assure conformance by Company with the Information Security Plan and Information Security Policies. |
1.5. | Malicious Code – Viruses, worms, Trojans, back-doors, root kits, malware and any other software that may disrupt business or compromise data confidentiality or integrity. |
1.6. | Security Incident – Any event including, but not limited to, a hacking attack, system compromise, information mishandling, policy violation, loss of information, theft of information, or fraud that Company knows or suspects might have resulted in a failure to protect the confidentiality of SoundBite Confidential Information. |
1.7. | Service – Any services or work performed on behalf of SoundBite Communications. |
1.8. | SoundBite Confidential Information – Any information or data made available to Company by SoundBite except for information contractually excluded from confidentiality obligations, such as public information. SoundBite Highly Confidential Information is a subset of SoundBite Confidential Information. |
1.9. | SoundBite Highly Confidential Information – Any information or data made available to Company by SoundBite that includes information that could be used to identify a person. This includes but is not limited to consumer names when provided in conjunction with identifying information such as a phone number, Card Holder Data (CHD) as defined by the Payment Card Industry (PCI) Data Security Standard (DSS), Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (P.L.104-191) (HIPAA), Non-Public Personal Information (NPI) as defined by section 501(b) of the Xxxxx-Xxxxx-Xxxxxx Act of 1999 (GLBA), and Personal Information (PI) as defined by the Mass Privacy Act (M.G.L. 93 H, 93 I, and 201 CMR 17.00). SoundBite Highly Confidential Information is a subset of SoundBite Confidential Information. |
1.10. | Staff – All Company employees, contractors, sub-contractors, consultants, or other parties who may use Company’s information systems or access SoundBite’s information systems or SoundBite Confidential Information. |
1.11. | Standard – This document: The SoundBite Communications Information Security Standard. |
1.12. | Strong Encryption – Encryption performed using industry-standard cryptographic algorithms such as AES, 3DES, SHA, RSA, and RC4 where a minimum key length of 128 bits is used for symmetric ciphers and a minimum key length of 1024 bits is used for asymmetric ciphers. |
1.13. | Un-trusted Networks – The Internet and any network not operated by Company alone or by Company in exclusive collaboration with SoundBite. |
1.14. | Written Information Security Plan – A formal document that defines the objectives of the Information Security Program, assigns responsibility for the Information Security Program, and describes how the responsible parties either do or will achieve the objectives of the Information Security Program. |
2. | SoundBite Information Security Standard |
2.1. | Information Security Program Governance |
2.1.1. | Information Security Program Ownership |
2.1.2. | Risk Management |
2.1.2.1. | Company must have a formal risk analysis and management process that documents the organization’s assets, the threats against those assets, the inherent vulnerability of the assets to those threats, and the controls designed to protect the assets from the threats. |
2.1.2.2. | Company must conduct an annual risk assessment so as to evaluate the effectiveness of the controls and ultimately determine the residual risk to the assets. |
2.2. | Information Security Policy |
2.2.1. | Company must have, maintain and follow a Written Information Security Plan |
2.2.2. | Company must have and adhere to a written and comprehensive set of Information Security Policy documents. The Information Security Policy documents must, at a minimum, include the following content: |
2.2.2.1. | The following, overarching content shall either be included in all policy documents or in an overarching policy document that governs all other security policy documents: |
2.2.2.1.1. | A definition of information security or information security mission statement, including, but not limited to, the policy’s overall objective and scope. |
2.2.2.1.2. | A statement of management intent to support the goals and principles of information security in line with business strategy and objectives. |
2.2.2.1.3. | Control objectives, including, but not limited to, risk assessment and risk management. |
2.2.2.1.4. | A brief overview of security policies, principles, and standards. |
2.2.2.1.5. | Regulatory and industry standards compliance requirements. |
2.2.2.1.6. | Policy maintenance requirements. |
2.2.2.1.7. | Penalties for policy violations, which must include actions up to and including termination. |
2.2.2.2. | The following specific security policy topics must be addressed by one or more Information Security Policy documents: |
2.2.2.2.1. | Asset Management, including, but not limited to, hardware, software, and information |
2.2.2.2.2. | Third Party Service Provider Security |
2.2.2.2.3. | Access Control |
2.2.2.2.4. | Acceptable Use, including, but not limited to, email usage, computer and communications systems access and use, and Internet/ intranet access and use |
2.2.2.2.5. | Anti-Virus |
2.2.2.2.6. | Authentication and Identity Management |
2.2.2.2.7. | Background Check |
2.2.2.2.8. | Change Management |
2.2.2.2.9. | Incident Response |
2.2.2.2.10. | Information Classification |
2.2.2.2.11. | Logging and Security Monitoring |
2.2.2.2.12. | Passwords |
2.2.2.2.13. | Physical and Environmental Security |
2.2.2.2.14. | Risk Assessment |
2.2.2.2.15. | System and Network Device Configuration and Hardening |
2.2.2.2.16. | Security Awareness |
2.2.2.2.17. | New Hire, Role Change, and Termination |
2.2.2.2.18. | Vulnerability Management |
2.2.2.2.19. | Equipment Installation and Removal |
2.2.2.2.20. | Segregation of Duties |
2.2.2.2.21. | Third Party Connectivity |
2.2.2.2.22. | Incident Reporting |
2.2.2.2.23. | Emergency Operations Plan |
2.2.2.2.24. | Testing and Revision Procedures |
2.2.3. | All policies must be communicated to staff and staff must acknowledge that they will comply with the policies. |
2.2.4. | Company must have in place a disciplinary process for non-compliance with the Information Security Policy. |
2.3. | Background Checks |
2.3.1. | Prior to assigning any individual to perform the Services in the United States, or, if Services are to be performed outside of the United States, to the maximum extent permitted under local law, Company shall perform background checks consisting of the following: |
2.3.1.1. | SSN Verification – Search of the individual’s Social Security number, tax ID number or other applicable government-issued identifier to verify the accuracy of the individual’s identity and current and previous addresses. |
2.3.1.2. | Criminal Checks – A criminal background search performed by an independent, professional search firm of all court records (at least National and County within the US) in each jurisdiction of the individual’s current and previous addresses over the past seven (7) years. |
2.3.1.3. | Reference Checks – Verification of previous employers and a minimum of at least two (2) confirmed work references. |
2.3.1.4. | Education – Verification of education listed on the candidate’s resume or otherwise noted by the candidate. |
2.3.1.5. | Credit Checks – Credit Report for Finance and Senior Level Executives. |
2.3.1.6. | DMV Checks – Department of Motor Vehicles checks for all employees in Sales positions. |
2.3.1.7. | Citizenship – Validation of citizenship or certification to work in the country in which the individual is assigned. |
2.3.2. | Where an individual has ended his/her employment with Company and has been re-hired by Company, irrespective of the amount of time that has elapsed, a new background check must be performed. |
2.3.3. | Company shall utilize a specialist vetting company for the performance of background checks. The Company is wholly accountable for compliance with this Standard. |
2.3.3.1. | Company shall retain evidence of all background checks performed for a period of at least two years. These records shall document the checks performed and their outcome. |
2.3.4. | In the event that any staff is found to have been convicted of and/or have any active/pending charges for any Disqualifying Offense listed below, that person shall be prevented from accessing any SoundBite Confidential Information and that person shall be prevented from entering SoundBite’s facilities. Additionally, in the event that the person has already had access to any SoundBite Confidential Information, Company must notify SoundBite immediately and in no event later than the next business day. |
2.3.4.1. | Disqualifying Offenses |
2.3.4.1.1. | Dishonesty, including, but not limited to, felony convictions in the following categories: |
2.3.4.1.1.1. | Fraud Offenses |
2.3.4.1.1.1.1. | Credit Card Fraud |
2.3.4.1.1.1.2. | Credit Card Fraud |
2.3.4.1.1.1.3. | Embezzlement |
2.3.4.1.1.1.4. | Bad/Worthless Checks |
2.3.4.1.1.2. | Fraudulent Trading |
2.3.4.1.1.3. | Possession of Stolen Property |
2.3.4.1.1.4. | Forgery and Counterfeiting |
2.3.4.1.1.5. | Proceeds of Criminal Offenses |
2.3.4.1.1.6. | Theft |
2.3.4.1.1.7. | Bribery and/or Corruption |
2.3.4.1.1.8. | Money Laundering |
2.3.4.1.1.9. | Concealment of Property |
2.3.4.1.1.10. | Trespassing with Intent to Steal (Burglary) |
2.3.4.1.1.11. | Blackmail/Extortion |
2.3.4.1.2. | Business Offenses |
2.3.4.1.2.1. | Any offense involving computer misuse |
2.3.4.1.2.2. | Organizing or engaging in illegal work |
2.3.4.1.2.3. | Economic, Corporate, or Business Espionage |
2.3.4.1.3. | Crimes Against Persons |
2.3.4.1.3.1. | Serious sexual offenses or offenses against children |
2.3.4.1.3.2. | Racially motivated or discrimination offenses |
2.3.4.1.3.3. | Murder or manslaughter |
2.3.4.1.3.4. | Crimes involving assault, violence, or threatening behavior |
2.3.4.1.3.5. | Human trafficking |
2.3.4.1.4. | Other |
2.3.4.1.4.1. | Felony (US) or host country equivalent serious crime |
2.3.4.1.4.2. | Producing, supplying, importing, or trafficking controlled drugs/substances |
2.3.4.1.4.3. | Firearms and explosives offenses |
2.3.4.1.4.4. | Terrorism |
2.3.4.1.4.5. | Pretrial Diversions (US) for disqualifying crimes |
2.3.4.1.4.6. | Deferred Adjudication for disqualifying crimes |
2.3.4.1.4.7. | More than 2 misdemeanor convictions (US) or host country equivalent minor crimes relating to fraud, ethics, or other topics covered in this section, within the past 5 years. |
2.3.4.1.4.8. | Convictions (US) involving imprisonment for terms of six months or greater (whether or not all of that term was served) |
2.4. | Access Control |
2.4.1. | Company must have a user identification process in place that validates the identity of each user. For example, in the United States, using the process defined by the Form I-9, Employment Eligibility Verification, as published by the Department of Homeland Security U.S. Citizenship and Immigration Services. (This is the standard employment verification process required in the U.S. wherein an employee presents certain government-issued IDs to the employer to prove their identity and right to work.) |
2.4.2. | Company shall have appropriate new-hire, role-change, and termination processes that ensure that: |
2.4.2.1. | User accounts are appropriately created and disabled or removed |
2.4.2.2. | Information access privileges for all user accounts are appropriately enabled and disabled |
2.4.3. | Company must have an access control process that: |
2.4.3.1. | Assigns access rights based on roles |
2.4.3.2. | Provides for segregation of duties between information owners (who approve access changes) and information custodians (who implement access changes) |
2.4.3.3. | Updates access rights based on personnel or system changes |
2.4.3.4. | Requires the periodic review of access rights for all systems that store, process, transmit, or access SoundBite Confidential Information. These reviews must be conducted on at least a quarterly basis. More frequent reviews may be required based on the risk to the application or system. |
2.4.4. | Access to Company system components and SoundBite Confidential Data must be restricted based on a user’s need to know and be set to “deny all” unless specifically allowed. |
2.4.5. | All Company users must have BOTH: |
2.4.5.1. | A unique User ID |
2.4.5.2. | Either a password/passphrase or two-factor authentication |
2.4.5.2.1. | Company must have an appropriate password policy in place: |
2.4.5.2.1.1. | Passwords must contain a minimum of 8 characters |
2.4.5.2.1.2. | Passwords must contain 3 out of 4 of the following character types: |
2.4.5.2.1.2.1. | Uppercase letters |
2.4.5.2.1.2.2. | Lowercase letters |
2.4.5.2.1.2.3. | Numbers |
2.4.5.2.1.2.4. | Special characters, for example, ~, !, @, #, $, %, ^, &, *, (, ), _, +, -, =, [, ], \, ;, ‘, ,, ., /, :, “ |
2.4.5.2.1.3. | Passwords are changed after a maximum of 60 days |
2.4.5.2.1.4. | Previous 10 passwords are not allowed to be reused |
2.4.5.2.1.5. | User is locked out after not more than 5 failed login attempts |
2.4.5.2.1.6. | User is automatically logged out after not more than 15 minutes of inactivity |
2.4.5.2.2. | Passwords/passphrases are to be encrypted with strong encryption in transit and at rest. |
2.4.5.2.3. | Two-factor authentication is defined as the use of two of the following authentication types: |
2.4.5.2.3.1. | Something the user knows, like a password |
2.4.5.2.3.2. | Something the user has, like a SecurID token or digital certificate |
2.4.5.2.3.3. | Something the user is, like a fingerprint |
2.5. | Operational Security |
2.5.1. | Company must have operating procedures that are documented, reviewed and maintained by an owner, and made available to all users who need them. |
2.5.2. | Company must have a formal, documented change management and change control process. |
2.5.3. | Changes managed according to the change management process must be documented, for example, using a change control ticketing system. |
2.5.4. | Company must prohibit Staff from connecting to networks, systems, databases, or applications that contain SoundBite Confidential Information from any system not exclusively managed by Company according to this Information Security Standard. For example, Staff would typically not be able to access SoundBite Confidential Information from their personally-owned computers. |
2.5.5. | Company must have processes and mechanisms established for the security hardening and maintenance of servers, workstations, network devices, and off-the-shelf applications, including, but not limited to, Web server software, application server software, and database server software. |
2.5.5.1. | Implement only one primary function per server |
2.5.5.2. | Disable all unnecessary services and insecure protocols (e.g. telnet) |
2.5.5.3. | Configure system security parameters to prevent misuse |
2.5.5.4. | Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and unnecessary web servers |
2.5.6. | Company must use industry-standard anti-virus software on all applicable systems. Applicable systems shall include, at a minimum, all systems that run any version of the Microsoft Windows operating system, inbound and outbound e-mail systems, and any other systems that Company identifies, during its risk assessment process, as potentially being susceptible to Malicious Code. This antivirus requirement shall not apply to e-mail solutions the sole function of which is the sending of system-generated e-mail content. |
2.5.6.1. | Anti-virus solutions [or combination of solutions] must address all types of Malicious Code. |
2.5.6.2. | Systems must be maintained with daily anti-virus signature updates. |
2.5.6.3. | Systems must use a current and supported version of the Anti-Virus solution utilized. |
2.5.7. | Company must utilize a reasonable process to monitor its systems for vulnerabilities. Options include vulnerability scanning and monitoring information sources for advisory and/or patch publications. |
2.5.7.1. | In the event that Company becomes aware of a vulnerability, it will endeavor to remediate the vulnerability within 30 days. |
2.5.8. | Company must implement an appropriate logging solution or solutions for all physical security systems. The logging solution or solutions must be appropriately secured to prevent tampering. |
2.5.8.1. | At a minimum, the following event types must be logged: |
2.5.8.1.1. | Individual access to SoundBite cage |
2.5.8.1.2. | Actions taken by any individual with administrative access to physical security systems |
2.5.8.1.3. | Access to all audit trails |
2.5.8.1.4. | Invalid login access attempts |
2.5.8.1.5. | Use of identification and authentication mechanisms |
2.5.8.1.6. | Initialization of the audit logs |
2.5.8.1.7. | Creation and deletion of system-level objects |
2.5.8.2. | When logging events, the following information must be logged: |
2.5.8.2.1. | User ID |
2.5.8.2.2. | Type of event |
2.5.8.2.3. | Date and time of event |
2.5.8.2.4. | Event success or failure |
2.5.8.2.5. | Origination of event (for example, source IP or TTY) |
2.5.8.2.6. | Identity or name of affected data, system component, or resource |
2.5.8.3. | Logs must be reviewed for Security Incidents daily or generate applicable alerts which are reviewed daily. |
2.5.8.4. | Electronic access logs must be maintained on a rolling 90-day basis and paper-based sign-in logs must be retained for at least one year. |
2.6. | Network Security |
2.6.1. | Company will put appropriate network access controls in place, including, but not limited to, the segregation of network segments by use of a firewall capable of stateful packet inspection. Application layer packet inspection (sometimes referred to as “deep packet inspection”) is also encouraged. |
2.6.2. | Company must not allow direct wireless network access to systems storing SoundBite data. |
2.7. | Physical Security |
2.7.1. | Company must use appropriate facility entry controls to limit, monitor, and log physical access to systems storing, processing, transmitting, or accessing SoundBite data. |
2.7.2. | Company will only grant access to authorized personnel. |
2.7.3. | Company must have appropriate procedures to track visitors and to help all personnel easily distinguish between Staff and visitors. |
2.7.3.1. | Visitors are to be escorted at all times. |
2.7.3.2. | All Staff and visitors must wear ID badges visible at all times. |
2.7.4. | Company shall have in place monitoring controls appropriate to the facility, including, but not limited to, staffing all unlocked entries with guards or equivalent; video surveillance at entry points, access points, and sensitive areas; and glass-break detectors. |
2.7.5. | Company shall establish (and implement as needed) procedures that allow facility access in support of restoration of lost data in the event of an emergency. |
2.7.6. | Company shall document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks), if the facility is used to store SoundBite data. |
2.7.7. | Data centers housing SoundBite data must have environmental controls and redundant power (UPS and Generator or equivalent). |
2.7.8. | Company shall have an asset management policy and associated processes that apply to all assets that process, store, transmit, or access SoundBite data. |
2.7.8.1. | Company shall maintain an accurate inventory of its assets. |
2.8. | Incident Response |
2.8.1. | The Company shall maintain an Incident Response process to address incidents, including, but not limited to, Security Incidents, the loss of SoundBite Information, and significant service disruptions. The Incident Response process shall include steps for: |
2.8.1.1. | Incident identification |
2.8.1.2. | Incident escalation |
2.8.1.3. | Incident containment |
2.8.1.4. | Incident investigation, including, but not limited to, the collection of forensic evidence appropriate for law enforcement purposes |
2.8.1.5. | Incident remediation and recovery |
2.8.1.5.1. | Company shall document responsive actions taken in connection with any incident involving a Security Incident or other breach of security. |
2.8.1.6. | Following any Security Incident or breach of security, Company shall review events and take actions, if applicable, to make changes in business practices relating to protection of personal information. |
2.8.1.7. | The Company shall communicate the Incident Response process to all Staff. First responders with direct responsibility for execution of the Incident Response process shall be trained on that process. |
2.9. | Notification |
2.9.1. | Without undue delay and in any event not later than 24 hours following the occurrence of a business interruption, or disaster affecting the Services, Company shall notify SoundBite, and implement Company’s BC/DR Plan. Company must use best efforts to reinstate the Services as soon as practicable. |
2.9.2. | Without undue delay and in any event not later than 24 hours following the occurrence of a Security Incident or other use or disclosure of SoundBite Confidential Information in violation of this Standard by Company or any of its officers, directors, employees, contractors, agents or other Staff, Company shall notify SoundBite, and implement Company’s Incident Response process. Company must use best efforts to prevent further breach of confidentiality of SoundBite Confidential Information and to recover or otherwise prevent abuse or fraud using lost or compromised SoundBite Confidential Information. |
2.9.3. | Company shall notify and report to SoundBite any use or disclosure of SoundBite Confidential Information in violation of this Agreement by Company or any of its officers, directors, employees, contractors, agents or other Staff without undue delay and in any event not later than 24 hours following the disclosure. |
2.9.4. | All notifications shall be via any expedient means, followed directly by written notice, to be sent to both of the following addresses: |
2.9.4.1. | Xxxx Xxx |
Information Security Officer
SoundBite Communications
00 Xxxxxx Xxxxx
Xxxxxxx, XX 00000
2.9.4.2. | Xxxxxx X. Xxxxx |
CFO/COO
SoundBite Communications
00 Xxxxxx Xxxxx
Xxxxxxx, XX 00000
2.9.5. | The Company shall ensure that if there are material changes to the way that SoundBite data is processed (e.g. Company engages a third Party Vendor for storing, processing, transmitting, or accessing SoundBite Information), then: |
2.9.5.1. | These changes must be communicated to SoundBite and prior approval obtained; and |
2.9.5.2. | These changes must be communicated to appropriate departments within the Company. |
2.9.6. | SoundBite Contact Information: |
2.9.6.1. | Information Security Officer: |
Xxxx Xxx
xxxx@xxxxxxxxx.xxx
0-000-000-0000
2.9.6.2. | SoundBite Support: |
xxxxxxxxx@xxxxxxxxx.xxx
0-000-000-0000
2.9.6.3. | SoundBite Front Desk: |
0-000-000-0000
2.9.6.4. | SoundBite Business Contact: |
Xxxxx Xxxxxx
xxxxxxx@xxxxxxxxx.xxx
000-000-0000
2.10. | Software Licensing |
2.10.1. | Company will maintain appropriate licenses for all software used to provide service to SoundBite. |
2.11. | Data |
2.11.1. | Company must not collect, access, use, maintain, or disclose SoundBite data. |
2.11.1.1. | Company will take appropriate, industry-accepted measures to protect encryption keys, including, but not limited to, ensuring that encryption keys are encrypted during transit. |
2.11.1.2. | Company shall appropriately protect an encrypted communication’s endpoints. |
2.11.2. | All data provided by SoundBite to the Company remain the property of SoundBite. |
2.11.3. | Unless explicitly approved by SoundBite, Company may not use any SoundBite data in a testing environment. In the event that such usage is allowed, this Information Security Standard will apply in full effect to the testing environment. |
2.11.4. | Media handling and disposal |
2.11.4.1. | So long as account is active, current, and not in default, Company must not remove SoundBite-owned equipment from data center facilities without prior, written consent from SoundBite in the form of a Statement of Work, Remote Hands service ticket, or other method described elsewhere in an agreement between the two parties. |
2.11.5. | The Company shall only transmit, process and store SoundBite Highly Confidential information at data centers whose location has been approved by SoundBite. |
2.12. | Audit and Assessment |
2.12.1. | Company management must regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements. |
2.12.2. | On an annual basis, Company shall conduct an internal audit or assessment of all security controls, including, but not limited to, the controls required by this Standard. |
2.12.3. | Company must have an external Information Security audit performed at least annually by an independent, reputable third party, the results of which must be provided to SoundBite upon request. This requirement shall be considered satisfied by having an independent audit firm perform procedures under applicable auditing standards such as XXX00, XXXX00, SOC audits (SysTrust), ISO, or other commonly accepted IT governance frameworks. SoundBite may, solely at its own expense, audit Company to monitor compliance with this Information Security Standard. Such audits will occur during normal business hours and will not occur more than once in any calendar year, unless required by applicable laws and regulations or unless Company experiences a Security Incident, in which case additional audits may be performed. |
2.12.3.1. | SoundBite’s right to audit/inspect Company extends to SoundBite’s authorized representatives or any applicable regulator. |
2.12.3.2. | On-site inspections of Company’s facilities may be conducted by SoundBite or SoundBite’s authorized representatives. |
2.12.3.3. | Company will promptly correct any violation of this Standard found by SoundBite or its agents and will certify in writing that the correction has been made. |
2.13. | 3rd Party Vendors |
2.13.1. | Where any third-party will have access to SoundBite Information in order to provide its services to Company on behalf of SoundBite, Company will ensure that such entity signs a written contract in which it agrees (i) to restrict its use of SoundBite Information to activities directly required for Company’s performance of its obligations to SoundBite; (ii) to comply with all applicable laws, rules, regulations, security requirements (as defined in this Information Security Standard); and (iii) to implement and maintain appropriate administrative, technical and physical safeguards to protect the security, confidentiality and integrity of all SoundBite Information as provided for by this Standard. Company shall be responsible for any unauthorized use or disclosure of any SoundBite Confidential Information by any entity to whom it discloses or provides access to SoundBite’s Confidential Information, to the same extent as if Company had used or disclosed such information itself. |
2.13.2. | Company must execute written confidentiality and non-disclosure agreements when dealing with third parties that will store, process, transmit, or access SoundBite Confidential Information. |
2.13.3. | Company must require third parties to demonstrate that their Staff has been adequately screened if they require access to SoundBite Highly Confidential Information. |
2.14. | Regulatory Compliance |
2.14.1. | PCI: In the event that Company stores, processes, or transmits CHD, as defined by the PCI DSS, Company shall maintain compliance with the PCI DSS, but only to the degree that the requirements of the PCI DSS are directly applicable to the services provided under contract to SoundBite. |
2.14.1.1. | Company shall either obtain a PCI Certification or allow SoundBite to include sites that support the services provided under contract to SoundBite in SoundBite’s annual PCI Assessment at SoundBite’s sole expense. |
2.14.1.2. | Company will provide evidence of PCI compliant controls and/or certification to SoundBite upon request. |
Internap Sales Order - Summary
Date: 2/10/2010 | Valid Thru: 3/12/2010 |
To: Soundbite 00 Xxxxxx Xxxxx Xxxxxxx, XX 00000 |
From: Internap Network Services, Corp. Xxxxx Xxxx / Xxxx Xxxxxx 000 Xxxxxxxx Xxxxxx, Xxxxx X000 Xxxxxxx, XX 00000 |
Subject: Ashburn Renewal plus IP | TERM: 2 Years |
Summary of New Services
Services | Total One-Time | Total Monthly |
CDN Services | $ — | $ — |
Colocation Services | $ — | $ 37,055.00 |
IP Services | $ — | $ 15,750.00 |
Managed Server Services | $ — | $ — |
FCP and Value Add Services | $ — | $ — |
TOTAL SOLUTION CHARGES | $ — | $ 52,805.00 |
Summary of Retained Services
Services | Total One-Time | Total Monthly |
Renewed and Retained Services | $ — |
TOTAL SERVICES | $ — | $ 52,805.00 |
Special Comments
Terms and Conditions
All service implementations are subject to Internap standard installation intervals. While Internap will make reasonable efforts to accommodate customer specific requests, the standard installation intervals apply for all Services being ordered and shall begin upon Internap’s formal acceptance of this Sales Order. Billing for services will commence upon delivery of the contracted services. Specific billing activation dates will be communicated and confirmed during the implementation process. Internap’s formal acceptance of this Sales Order occurs when (i) Internap has received a signed Sales Order Form complete with accurate information and signed Agreement for Service, (ii) capacity has been approved, (iii) Customer’s credit has been approved, and (iv) Internap has provided countersigned order form. Changes to an accepted Sales Order, Customer-initiated delays (including those associated with Customer provisioned access), and credit approval issues will place the installation interval on hold.
The initial Term specified above shall start at the Service Commencement Date as set forth in the MSA (defined below).
The Term of this Sales Order shall automatically renew for one year periods absent contrary written notice provided by either party, delivered in accordance with this paragraph at least sixty days in advance of expiration. To be effective, Customer must give any such notice of non-renewal or any notice of disconnection by completing the form located at xxxxx://xxxxxxxxx.Xxxxxxxx.xxx/xxxxxxxx/.
THE PARTIES AGREE TO BE BOUND BY THE TERMS AND CONDITIONS CONTAINED IN THE MASTER SALES AGREEMENT (“MSA”) SIGNED BETWEEN THE PARTIES, WHICH ARE INCORPORATED BY REFERENCE HEREIN, ABSENT SUCH EXECUTED MSA, THE EXECUTION OF THIS DOCUMENT IS DEEMED TO BE ACCEPTANCE OF THE TERMS AND CONDITIONS SET FORTH IN THE INTERNAP STANDARD MSA LOCATED AT xxxx://xxxxxxxx.xxx/xxxxx/xxx.xxxx, INCLUDING ALL ATTACHMENTS THERETO, ALL OF WHICH ARE INCORPORATED BY REFERENCE HEREIN. IN THE EVENT OF A CONFLICT BETWEEN THE MSA AND THIS SALES ORDER, THE MSA SHALL PREVAIL. THE PROVISION OF SERVICES HEREUNDER IS SUBJECT TO INTERNAP’S CONTINUING APPROVAL OF CUSTOMER’S CREDIT-WORTHINESS.
Customer Acceptance
Printed Name: | Xxxxxx X. Xxxxx |
Title: | COO & CFO |
By: |
Date: | 2/18/10 |
Authorized INTERNAP Signature |
By: |
Date: | 2/18/10 |
Internap Network Services Confidential | 2/10/2010 | Page 15 of 5 |
Internap Services - Service Change Order |
Summary of Services
Location | SO# | 5VCOID | QTY | Description | MRC | Treatment | Extended | Effective Date |
BSN | 10000100385 | 149953 | 1.00 | Gige Dual Usage 250Mbps Monthly Fee | $ 10,000.00 | Replace | $ 10,000.00 | |
BSN | 10000100385 | 149957 | 1.00 | 100mb Dual 4Mbps Monthly Fee | $ 1,100.00 | Replace | $ 1,100.00 | |
BSN | 10000100385 | 149955 | 1.00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00 | |
BSN | 10000100385 | 149955 | 1.00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00 | |
BSN | 10000100385 | 149958,[Illegible] | 2.00 | Standard Ethernet Cross Connect Monthly Fee | $ 150.00 | Replace | $ 300.00 | |
WDC002 | 10000106740 | 161674 | 1.00 | Standard Back Channel Ethernet Cross Connect Monthly Fee | $ 225.00 | Replace | $ 225.00 | |
WDC002 | 10000054291 | 72611 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 11,770.00 | Replace | $ 11,770.00 | |
WDC002 | 10000054291 | 72809 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 5,835.00 | Replace | $ 5,835.00 | |
WDC002 | 10000056918 | 79261 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ [Illegible] | Replace | $ [Illegible] | |
WDC002 | 10000056918 | [Illegible] | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 1,177.00 | Replace | $ 1,177.00 | |
WDC002 | 10000056918 | 79282, 79263 | 2.00 | 30A 208V Primary Power Circuit Monthly Fee | $ 910.000 | Replace | $ 1,620.000 | |
WDC002 | 10000064936 | [Illegible] | 2.00 | 30A 208V Primary Power Circuit Monthly Fee | $ 845.00 | Replace | $ 1,690.00 | |
WDC002 | 10000067594 | 91405 | 1.00 | 100mb Dual 4Mbps Monthly Fee | $ 500.00 | Replace | $ 500.00 | |
WDC002 | 10000054291 | S-83340,72612- | 10.00 | 20A 120V Primary Power Circuit Monthly Fee | $ 360.00 | Replace | $ [Illegible] | |
WDC002 | 10000054291 | 87896-87903 | 6.00 | 20A 120V Primary Power Circuit Monthly Fee | $ 325.00 | Replace | $ [Illegible] | |
WDC002 | 10000079712 | 118118 | [Illegible].00 | Back Channel Fiber Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00 | |
WDC002 | 10000056289 | 77900 | [Illegible].00 | Back Channel OC-X Cross Connect Monthly | $ 200.00 | Replace | $ 200.00 | |
WDC002 | 10000071711 | 99303,99304 | [Illegible].00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 400.00 | |
WDC002 | 10000054291 | 72621 | [Illegible].00 | 20A 120V Redundant Power Circuit Monthly Fee | $ [Illegible] | Replace | $ 180.00 | |
WDC002 | 10000067594 | 91406, 91407 | [Illegible].00 | Ethernet Cross Connect | $ 175.00 | Replace | $ 350.00 | |
WDC002 | 10000067558 | 77443 | [Illegible].00 | Standard Back Channel Ethernet Cross Connect Monthly Fee | $ 175.00 | Replace | $ 175.00 | |
WDC002 | 10000064145 | 87264 | [Illegible].00 | Back Channel [Illegible] Cross Connect Monthly Fee | $ 125.00 | Replace | $ 125.00 | |
WDC002 | 10000060018 | 80590 | [Illegible].00 | T-1 Cross Connect | $ 80.00 | Replace | $ 80.00 | |
WDC002 | 10000060018 | 347, 155728, 11 | [Illegible].00 | T-1 Cross Connect | $ 75.00 | Replace | $ 225.00 | |
WDC002 | 10000058916 | 79278, 79278 | [Illegible].00 | POTs Cross Connect | $ 50.00 | Replace | $ 100.00 | |
WDC002 | 10000054291 | 72620, 72622 | [Illegible].00 | Standard 20A [Illegible] Primary Power Circuit Monthly Fee | $ [Illegible] | Replace | $ 1,250.00 | |
WDC002 | 10000079712 | [Illegible] | [Illegible].00 | Back Channel Fiber Cross Connect Monthly Fee | $ 200.00 | Remove | $ 200.00 | |
Treatment Summary
Total [Illegible] |
Renew | Renew extends terms for existing services through Effective Date at the MRC specified | $ |
Retain | Retain maintains contract terms for existing services through Effective Date at the MRC specified | $ |
Replace | Replace terminates existing services on the effective date and replaces them with services specified on Services Proposal [ILLEGIBLE] | $ 50,050.00 |
Remove | Remove terminates services on the effective date | $ 200.00 |
Early Termination Fees (ETF)
Total ETF Fees | $ |
ETF Notes
Internap Sales Order - Colocation Services |
Internap Colocation Services
| Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly |
Service Point WDC002 |
Facility address Equinix - 00000 Xxxxxxxx Xxxxx, Xxxx. X, Xxxxxxx, XX 00000 |
Space (Power not Included) |
Cabinet(s) (Shared colo not in private cage) |
Private Cage (Square Ft) | 400 | $ 0.00 | $ 0.00 | $ 56.00 | $ 22,400.00 |
Power |
120V - 20 AMP Primary (incl Power Strip) | 21 | $ 0.00 | $ 0.00 | $ 360.00 | $ 7,560.00 |
120 V - 20 AMP Redundant (incl. Power Strip) | 1 | $ 0.00 | $ 0.00 | $ 180.00 | $ 180.00 |
120 V - 30 AMP Primary |
120 V - 30 AMP Redundant |
208 V - 20 AMP Primary | 2 | $ 0.00 | $ 0.00 | $ 625.00 | $ 1,250.00 |
208V - 20AMP Redundant |
208 V - 30 AMP Primary | 4 | $ 0.00 | $ 0.00 | $ 935.00 | $ 3,740.00 |
208 V - 30 AMP Xxxxxxxxx |
0 Xxxxx 000 X - 00 AMP Primary |
3 Phase 208 V - 20 AMP Xxxxxxxxx |
0 Xxxxx 000 X - 00 AMP Primary |
3 Phase 208 V - 30 AMP Redundant |
Cross Connects |
Back Channel POTS Cross Connect | 2 | $ 0.00 | $ 0.00 | $ 75.0 | $ 150.00 |
Back Channel T1 Cross Connect | 4 | $ 0.00 | $ 0.00 | $ 75.0 | $ 300.00 |
Back Channel DS3 Cross Connect | 1 | $ 0.00 | $ 0.00 | $ 125.0 | $ 125.00 |
Back Channel OCX Cross Connect | 1 | $ 0.00 | $ 0.00 | $ 225.0 | $ 225.00 |
Back Channel Ethernet Cross Connect | 2 | $ 0.00 | $ 0.00 | $ 225.0 | $ 450.00 |
Back Channel GigE Cross Connect/Fiber Cross Connect | 3 | $ 0.00 | $ 0.00 | $ 225.0 | $ 675.00 |
On Demand Remote Hands Charges (Billed at $300/Hour, 30 minute minimum) | Usage Based |
TOTAL COLOCATION CHARGES | One-Time | $ — | Monthly | $ 37,055.00 |
Standard Configuration Notes:
• | Internap to provide and install (14) 4-post racks in a private cage |
• | Internap to supply the power strip for each 20a/120v circuit. Customer to supply power strips for all other power circuits |
• | Monthly cage pricing does not include power. Power is billed separately |
• | Future power requests must be approved by Internap Product Management and are subject to availability |
• | Standard Ladder racking and grounding is included in the cage construction charges |
• | Customer may not draw more than an aggregate of 33.6 kW (the “Power Cap”) in the Cage. |
• | In the event that Internap measures Customer’s draw in the Cage and such draw exceeds the Power Cap, Internap may require Customer to reduce the power draw in the Cage to the Power Cap within twenty-four (24) hours of such measurement. Internap may disconnect power circuits until the aggregate rated capacity of all circuits in the Cage equals the Power Cap. |
Special Configuration Notes:
Internap Solution Notes:
Colo-Grade Colocation Facility Includes:
24x7 engineering support
Hardened security
Redundant, conditioned power
Tiered fire suppression systems
Internap Sales Order - IP Services |
Internap IP Services
Port Services |
| Port Type | Access Type | Commit | PNAP | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly |
1 | 100Mb Dual | Non-CPA | 10 | WDC002 | 1 | $ 0.00 | $ 0.00 | $ 1,000.00 | $ 1,000.00 |
Rate/Mb | $ 100.00 |
Burst rate/Mb | $ 102.00 |
2 | Dual GigE | Non-CPA | 500 | BSN | 1 | $ 0.00 | $ 0.00 | $ 11,500.00 | $ 12,500.00 |
Rate Limit per handoff | 800 | Rate/Mb | $ 25.00 |
Burst rate/Mb | $ 27.00 |
3 | 100Mb Dual | Non-CPA | 5 | BSN | 1 | $ 0.00 | $ 0.00 | $ 1,100.00 | $ 1,100.00 |
Rate/Mb | $ 220.00 |
Burst rate/Mb | $ 222.00 |
4 | $ 0.00 |
Rate/Mb |
Burst rate/Mb | N/A |
5 | $ 0.00 |
Rate/Mb |
Burst rate/Mb | N/A |
TOTAL | $ 0.00 | $ 14,600.00 |
Circuit Services |
1 | Copper Cross Connect | WDC002 | 2 | $ 0.00 | $ 0.00 | $ 22[Illegible]00 | $ 450.00 |
2 | Fiber Cross-connect | BSN | 2 | $ 0.00 | $ 0.00 | $ 20[Illegible]00 | $ 400.00 |
3 | Copper Cross Connect | BSN | 2 | $ 0.00 | $ 0.00 | $ 15[Illegible]00 | $ 300.00 |
4 |
5 |
TOTAL | $ — | $ 1,150.00 |
TOTAL IP SERVICES CHARGES | One-Time | $ — | Monthly | $ 15,760.00 |
Configuration Notes:
Bandwidth charges are based on 95th percentile billing methodology; bursting charges apply for usage in excess of commit.
Customer Provided Access (CPA) - Customer is responsible for all local access support associated with CPA orders, and must work directly with the access provider to resolve all issues.
Included with your service:
• | Full transit, route-optimized TCP/IP connectivity through Internap’s P-NAP® facility directly to the major Internet backbones |
• | 24 x 7 proactive circuit monitoring, outage reporting and outage troubleshooting by Internap’s own Network Operations Center (NOC) |
• | Notification schedule and escalation procedures |
• | Primary DNS for one (1) domain -or- Secondary DNS for up to 200 domains |
• | Allocation of IP addresses in compliance with ARIN policy |
Internap Services Order - Key Contacts |
Contact Information