Master Agreement for Subcontracted Services Statement of Work
Exhibit 10.47
[*] = CERTAIN INFORMATION IN THIS EXHIBIT HAS BEEN OMITTED AND FILED SEPARATELY WITH THE COMMISSION. CONFIDENTIAL TREATMENT HAS BEEN REQUESTED WITH RESPECT TO THE OMITTED PORTIONS.
Statement of Work
MASS Agreement #4902A20003
SOW #4906AT0073
This Statement of Work ("SOW") #4906AT0073 adopts and incorporates by reference the terms and conditions of the Master Agreement for Subcontracted Services - IBM as Prime # 4902A20003 (the “Agreement” or “MASS”), between International Business Machines Corporation (“IBM” or “Buyer”), and Chordiant Software, Inc. (“Supplier” or “Chordiant”). This SOW is effective beginning on the latest date of signature by both parties and will remain in effect until [*] (the “Initial Term”). Transactions performed under this SOW will be conducted in accordance with and be subject to the terms and conditions of this SOW, the Agreement, and any other applicable attachments or amendments. In the event of any conflict between this SOW, or the Agreement, this SOW will govern and any applicable Work Authorizations (“WAs”). This SOW is not a WA.
Notwithstanding anything in the MASS to the contrary, the MASS shall remain in effect with respect to this SOW through the term of this SOW.
1.0 SCOPE OF WORK
Supplier resources will assist Buyer with the following services for the Call Center Application (CCA) Tower Project for CIGNA Corporation (“CIGNA” or “Customer”):
1.1 Support of JSF SDK to Enable Portlet Development
Supplier will provide JSF SDK support in Chordiant Foundation which will provide the platform on which to build portlets for the reference CIGNA Architecture. Chordiant will demonstrate JSF/SDK test scenarios in lab environment.
Definition of Chordiant JSF SDK
The JSF SDK allows developers to build Java Server Faces user interfaces which connect with Chordiant processes (via the Interaction Controller), and Chordiant business services. JSF SDK pages can be hosted by the existing Chordiant Cafe desktop, or alternative custom desktops. The contents of this JSF SDK are:
- [*]
The JSF SDK will be used by Buyer, with Supplier’s support, to deliver a Reference Build. The reference build will provide the following:
- [*]
1.2 Services Support for CIGNA Development & Build Effort
Supplier will assist Buyer in the following activities of the CIGNA Call Center Application (CCA) Tower Project:
· Support the baseline Portlet development by providing [*] hours of architect support to assist with initial JSF SDK implementation, the Reference Architecture outlined above and the Portlet development. (These hours are included in the total hours noted in Section 3.0.)
· Assist with the high and low level design of the Chordiant functional solution
· Provide guidance and mentoring on how to maximize the value from the Chordiant product
· Assist with the high and low level design of Chordiant software integration in the overall architecture
· Provide guidance and mentoring on techniques to extend the Chordiant Physical Data Model and the Chordiant Business Object Model
· Assist with the extension of the Chordiant Physical Data Model and the Chordiant Business Object Model
· Assist with the design and development of Chordiant Business Flows and Chordiant Business Services
· Assist with design and development of Chordiant Queue management
· Assist with the installation and configuration of the Chordiant solution in the customer environments
· Assist with performance testing and tuning the Chordiant solution
· Provide Subject Matter Expertise for Information Technology Governance related to managing a Chordiant engagement leveraging Harmony Methodology, Chordiant Product and Chordiant Integration Architecture
2.0 SUPPLIER ROLES
Supplier will provide consultants for the following type(s) of roles:
o Technical Architect
o Functional Architect
o Consultancy Services Manager
o Data Architect
o Portal Architect
o Application Architect
o Business Analyst
o Class Modeler
o Interaction Flow Designer
o Business Services Designer
o Performance Tuning Specialist
o Infrastructure Architect
3.0 COMPLETION CRITERIA
Supplier will have fulfilled its obligations under this SOW when anyone of the following first occurs:
· IBM has agreed that Supplier has provided the hours as defined in Section 5.0 below in this Statement of Work or
· Either party terminates the SOW in accordance with the provisions of the Master Agreement for Subcontractor Services, or IBM terminates the SOW upon thirty days prior written notice.
4.0 SUPPLIER’S RESPONSIBILITIES
In addition to delivering the Services on schedule, Supplier will:
· Participate in progress reviews, as requested by Buyer, to demonstrate Supplier’s performance of its obligations;
· As part of Supplier’s importation requirements, provide to Buyer on the commercial invoice:
· An invoice description that provides enough detail to verify the effort and time period expended for the month.
5.0 PAYMENTS
Supplier services will be payable and invoiced to Buyer on a time and materials basis at rates provided in the table below per consultant, plus applicable sales taxes and expenses; total estimated to be [*] for Supplier Services as follows:
Table 1
Positions | Roles | Estimated Hours | Hourly Rates
Technical Architect | Technical Architect; Functional Architect; Performance Tuning Specialist; Data Architect; Portal Architect; Application Architect; Infrastructure Architect; Interaction Flow Designer; Business Services Designer | [*] | $[*]
Consultancy Services Manager | Consultancy Services Manager | [*] | $[*]
Business Analyst | Business Analyst; Class Modeler | [*] | $[*]
Total Estimated Hours | [*]
The service fee estimate related for the Supplier Services described under this SOW is intended to be an estimate for Buyer's budgeting and Supplier's resource scheduling purposes; the estimate does not include expenses or taxes. Once fees for services reach this estimate, Supplier will cooperate with Buyer to provide continuing services on a time and materials basis or at Buyer’s direction, stop performing services. In the event that additional services are required, Buyer and Supplier will handle such services through the Change Control Process and such additional services will be mutually agreed to by both parties. All amounts due to Supplier hereunder will be invoiced monthly. All such invoices shall be payable net 45 days for this SOW only. Actual travel and living expenses are in addition to the service fees. Chordiant will be reimbursed for actual expenses incurred and adhere to the IBM expense policy. Chordiant will work with IBM to manage expenses.
All travel and living invoices are at actual cost with no xxxx-up. (Buyer will reimburse Supplier for the following travel expenses only, provided they are incurred in performance of this SOW and with Buyer’s prior written approval: (i) tolls, parking fees, taxis, buses or auto rentals fees for autos rented from a Buyer designated rental company; (ii) personal automobile use under the applicable automobile allowance plan, excluding normal commutation; (iii) air transportation at the economy, tourist or coach class rate for the most direct route of a scheduled airline; (iv) reasonable lodging charges for the immediate area; (v) reasonable and actual meal expenses; (vi) necessary business calls made on Buyer’s behalf; (vii) reasonable tipping; (viii) reasonable valet and laundry charges if a trip extends beyond four consecutive (4) days. Supplier must submit an invoice listing all travel expenses, and all applicable receipts for lodging, airline travel, rental cars or any other reimbursable expenditure to the Technical Coordinator. Buyer will not reimburse Supplier for personal expenses.)
The rates provided in the above table are only relevant to the SOW. Buyer may request up to an additional 10,000 hours based on the rates in the table above. Any additional hours beyond the table above and 10,000 hours will be billed at the following rates:
Table 2
Positions | Hourly Rates
Technical Architect | $[*]
Consultancy Services Manager | $[*]
Business Analyst | $[*]
Developer | $[*]
For services billed under Table 2, actual travel and living expenses are in addition to the service fees.
6.0 SUPPLIER SOFTWARE
Buyer and Supplier will enter into an order form regarding the purchase and resale of Supplier Software by Buyer to Customer in the form attached as Exhibit 4-D hereto (the “Order Form”), and Supplier and Customer will enter into a software license agreement in the form attached as Exhibit 4-E hereto (the “End User Agreement”), which End User Agreement contains the terms and conditions, including warranty and indemnification, governing Customer’s use of the Supplier Software.
6.1 Documentation. Following execution of the Order Form and the End User Agreement, Supplier shall deliver to Buyer on behalf of the Customer one copy of the Supplier Software (via CD-Rom or electronic download) and all necessary and reasonable documentation, including user, systems, operating and program manuals for the Supplier Software which Supplier customarily provides to end user licensees of the Supplier Software.
7.0 ASSET PROTECTION
In the event that assets are loaned to Supplier and there is no separate loan agreement in place between Buyer and Supplier for those assets, Supplier will be responsible for risk of loss and for the return of those assets to Buyer.
8.0 SUPPLIER SUPPORT SERVICES
The ongoing support and maintenance obligations for the Supplier Software are set forth in Exhibit 1 hereto (the “Service Level Agreement”). So long as Buyer has paid the annual support and maintenance fee under the Order Form, Supplier is then offering support and maintenance services for the Supplier Software and neither Buyer nor Customer has otherwise breached any provision of the End User Agreement, Supplier shall provide the support and maintenance services specified on the Service Level Agreement to Buyer on behalf of Customer. With regard to the provision of support and maintenance services under the Service Level Agreement, for so long as the Service Level Agreement is in effect, Supplier shall comply with Sections 16 (Security), 27 (Audit), 25 (Compliance), 38 (Confidentiality) and 39 (IBM Data). The Service Level Agreement shall survive the termination of this SOW, so long as Buyer has paid the annual support and maintenance fee under the Order Form, Supplier is then offering support and maintenance services for the Supplier Software and neither Buyer nor Customer has otherwise breached any provision of the End User Agreement.
10.0 Buyer's Responsibilities
Responsibilities.
Attachment A-1
Buyer and the IBM team when necessary has the right to interview and approve staffing before supplier personnel are brought onto the project.
In addition to Buyer's responsibilities as expressly set forth elsewhere in this SOW or the Base Agreement, Buyer shall be responsible for the following:
Buyer shall designate one individual to communicate directly with the Supplier Account Executive, to whom all Supplier communications concerning this SOW shall be addressed ( “the Relationship Manager").
Buyer shall cooperate with Supplier, including by making available timely management decisions, information, approvals and acceptances, as reasonably requested by Supplier so that Supplier may accomplish its obligations and responsibilities hereunder. The Relationship Manager, or his or her designee, will be the principal point of contact for obtaining such decisions, information, approvals and acceptances. Only personnel as expressly so designated by Buyer will be authorized to make commitments on the part of Buyer that amend this SOW.
12.0 Communications
All communications between the parties will be carried out through the following designated coordinators. All notices required in writing under this Agreement will be made to the appropriate contact listed below at the following addresses and will be effective upon actual receipt. Notices may be transmitted electronically, by registered or certified mail, or courier. All notices, with the exception of legal notices, may also be provided by facsimile.
Business Coordinators
FOR SUPPLIER | | FOR BUYER |
Name | [*] | Name | [*]
Title | Sales Manager | Title | Partner
Address | 0 Xxxxxxxx Xxxxx Xxxxxxx, XX 00000 | Address | 00 Xxxx Xx, 0 Xxxxxxxxx Xxxxx, Xxxxxxxx, Xx.
Phone | [*] | Phone | [*]
Fax | [*] | Fax | [*]
E-mail | [*] | E-mail | [*]
Legal Coordinators
FOR SUPPLIER | | FOR BUYER |
Name | Xxxxx Xxxxx | Name | [*]
Title | General Counsel | Title | Procurement Solution Advisor
Address | 00000 Xxxxxxx Xxxxx Xxxx. Xxxxxxxxx, XX 00000 | Address |
Phone | [*] | Phone | [*]
Fax | [*] | Fax |
E-mail | [*] | E-mail | [*]
Technical Coordinators
FOR SUPPLIER | | FOR BUYER |
Name | [*] | Name | [*]
Title | Sales Manager | Title | same as above
Address | 0 Xxxxxxxx Xxxxx Xxxxxxx, XX 00000 | Address |
Phone | [*] | Phone |
Fax | [*] | Fax |
E-mail | [*] | E-mail |
13.0 Electronic Commerce
Unless previously submitted by Supplier, in order to initiate electronic transfer of payments associated with this SOW, Supplier will complete the attached form entitled “Authorization for Electronic Funds Transfer” and fax the completed form to Accounts Payable at the number included on the form.
Unless previously submitted by Supplier, in order to initiate electronic transfer of payments associated with this SOW, Supplier will provide the required information in the attachment entitled “Electronic Funds Transfer.”
14.0 Training.
Supplier shall be responsible for the training of Supplier Personnel at no additional cost to Buyer. This training includes all new-hire training of all types (including with respect to technical and domain requirements and necessary cultural and communication skills) prior to the point when the Supplier employee is qualified to meet the skill set requirements for his or her respective activities under the Subcontract, including so that such Supplier Personnel has expertise with Supplier’s then-in-effect architecture and technology. Supplier shall provide training necessary to meet all compliance requirements mandated on a country, state, federal or local level for the duties performed in connection with the Supplier’s Supplier Services.
Any training required on Supplier Software for Buyer or Customer personnel will be charged at the following rates:
Course | # Days | Tuition per person per course
Chordiant Foundation Server | |
CSF - Technical Developer | [*] | $ [*]
CSF - Technical Developer Sandpit | [*] | $ [*]
CSF - Design | [*] | $ [*]
Business Analyst | [*] | $ [*]
Business Analyst Sandpit | [*] | $ [*]
Chordiant Certifications | |
Technical Developer (CCTD) | [*] | $ [*]
Business Analyst (CCBA) | [*] | $ [*]
Subcontractor shall retain IBM specific training materials and other documentation used in connection with the Subcontractor’s Subcontractor Services in accordance with IBM provided record retention policies and CIGNA’s seven year retention requirement.
16.0 Security.
Throughout the Subcontract Term and the Termination Assistance Period, Supplier shall, at no additional cost to Buyer, maintain the security requirements specified in Exhibit 4-C.
17.0 Supplier Personnel Equipment.
Except for the IBM Equipment Buyer shall provide pursuant to the Subcontract (including CIGNA Equipment provided by Buyer), Supplier shall provide to Supplier Personnel all standard desktop computer Equipment and Software required to perform the Supplier Services (including standard Microsoft Office products or compatible, functionally equivalent products that are compatible with IBM identified systems, e-mail and LAN/WAN servers). Buyer and Supplier shall agree on the necessary set of application-specific tools, and which items Supplier shall provide and which items Buyer shall provide. Supplier shall provide all office equipment (including PCs), consumables, services and the like required to support Supplier Personnel at Supplier Service Locations.
20.0 IBM/CIGNA Facilities
20.1 Use of IBM/CIGNA Service Locations. The IBM/CIGNA Service Locations shall be made available to Supplier on an “as is, where is” basis. Supplier shall follow any directions of Buyer with respect to the use of such space. Supplier and Supplier Agents shall: (a) keep the IBM/CIGNA Service Locations in good order; (b) not commit or permit waste or damage to such facilities; (c) not use such facilities for any unlawful purpose; and (d) act and comply with all of Buyer’s and CIGNA’s standard policies and procedures, which have been provided to Supplier in writing (for the avoidance of doubt, electronic notification is considered “in writing”), as in effect from time to time, including procedures for the physical security of the IBM/CIGNA Service Locations, including those set forth on Exhibit 3 hereto. Supplier shall be responsible for damage to the IBM/CIGNA Service Locations caused by Supplier or Supplier Agents, subject to reasonable wear and tear. Subcontractor shall not make any improvements or changes involving structural, mechanical or electrical alterations to such space without IBM’s or CIGNA’s prior written consent. Improvements to the IBM/CIGNA Service Locations shall become the property of IBM or CIGNA (as applicable). When the IBM/CIGNA Service Locations are no longer required for performance of the Subcontractor Services, Subcontractor shall return the IBM/CIGNA Service Locations to IBM or CIGNA in substantially the same condition as when Subcontractor began use of the facilities, subject to reasonable wear and tear. Supplier shall permit Buyer of CIGNA and Buyer’s or CIGNA’s designees to enter into those portions of the IBM/CIGNA Service Locations occupied by Supplier’s staff at any time. Except for the IBM/CIGNA Service Locations described in this Subcontract which shall be made available to Supplier, Supplier shall be responsible for providing all other space that is necessary to provide the Supplier Services at Supplier’s own or other facilities. Supplier acknowledges that the location of the IBM/CIGNA Service Locations may change and Supplier shall provide the Supplier Services with respect to any such relocated IBM/CIGNA Service Locations at the same cost, subject to Buyer being financially responsible for Supplier’s incremental expenses for a Buyer-initiated relocation of the Supplier Services to any such relocated IBM/CIGNA Service Location, but Subcontractor shall use commercially reasonable efforts to avoid any significant incremental expenses above the expense estimate set forth in Section 5.0 above and shall notify IBM the of any incremental expense increase and additional Subcontractor Services Charges, if any, for compliance with IBM’s direction to relocate such Subcontractor Services.
20.2 Use of IBM/CIGNA Facility Items. Buyer and CIGNA shall provide reasonable use of IBM/CIGNA Facility Items substantially equivalent to those made available by Buyer or CIGNA to its own personnel who perform similar functions. Supplier may only use the IBM/CIGNA Facility Items for the sole and exclusive purpose of providing the Supplier Services. Any other uses are subject to the prior written approval of Buyer or CIGNA in their discretion. Supplier shall keep and use the IBM/CIGNA Facility Items in a reasonable and efficient manner. Supplier shall not commit waste or damage to the IBM/CIGNA Facility Items or use them for any unlawful purpose or act. Supplier is responsible for any damage to IBM/CIGNA Facility Items resulting from the abuse, misuse, neglect or gross negligence of Supplier (or its subcontractors or other guests) or other failure to comply with its obligations respecting such resources. Supplier shall (and shall cause Supplier Personnel to) review, be knowledgeable of and comply with Buyer’s and CIGNA’s policies and procedures regarding access to and use of the IBM/CIGNA Facility Items which have been provided to Supplier in writing, including procedures for physical and logical security, including those set forth on Exhibit 2 hereto, and shall follow any of Buyer’s reasonable directions with respect to the use of such items.
20.3 No Violation of Laws. Supplier shall: (a) treat, use and maintain the IBM/CIGNA Service Locations in a reasonable manner, but in no event to a lesser standard than it maintains for its own locations; and (b) not commit, and use all reasonable efforts to ensure that no Supplier employees nor Supplier Agents commit, any act in violation of any Laws in such Supplier occupied IBM/CIGNA Service Location or any act in violation of Buyer’s of CIGNA’s insurance policies or in breach of Buyer’s or CIGNA’s obligations under the applicable real estate leases for such Supplier occupied IBM/CIGNA Service Locations, in each case of which Supplier is apprised in writing by Buyer.
22.0 Safety and Security Procedures.
22.1 While at the IBM/CIGNA Service Locations, Supplier’s employees and the Supplier Agents shall comply with Buyer’s and CIGNA’s reasonable requests, rules and regulations regarding personnel and professional conduct (including the wearing of an identification badge and adhering to regulations and general safety practices or procedures), which have been provided to Supplier in writing (for the avoidance of doubt, electronic notification is considered “in writing”), including the regulations set forth in Exhibit 4-C hereto and otherwise conduct themselves in a businesslike and professional manner.
22.2 Except as otherwise designated, at IBM/CIGNA Service Locations, smoking is prohibited inside all buildings operated or occupied by Buyer or CIGNA, including leased offices and at off-site IBM/CIGNA sponsored conferences and meetings.
22.3 If operating at a IBM/CIGNA Service Location, Supplier shall be responsible for adhering to all individual IBM and CIGNA Safety, Occupational Health, Environmental and Operational procedures provided to Supplier in writing in a manner timely enough to enable compliance and updated regularly to allow Buyer to ensure their currency and to all local, state, and federal laws and regulations, including Occupational Safety and Health Act (OSHA) and Environmental Protection Agency (EPA).
22.4 If located at an IBM/CIGNA Service Location, Supplier shall immediately notify Buyer or CIGNA security department (as appropriate) in the event of a fire or other emergency by calling the emergency telephone number. Supplier shall train all employees located at IBM/CIGNA Service Locations to respond to fire, civil defense, bomb threats, evacuations, and other emergencies alarms, based on procedures established by Buyer or CIGNA which have been provided to Supplier in writing (for the avoidance of doubt, electronic notification is considered “in writing”).
22.5 If the Supplier notices any condition at an IBM/CIGNA Service Location that is unsafe, unhealthy, or in any other way could cause an accident, Supplier shall notify Buyer immediately, if correction of the condition shall take more than routine attention, or remedy the condition, if correction of the condition shall take only minimal attention.
23.0 Cooperation.
To the extent Buyer performs any of the Supplier Services, or retains IBM Third Party Contractors to do so, Supplier shall fully cooperate with and work in good faith with Buyer and IBM Third Party Contractors as reasonably directed by Buyer. Such cooperation may include (subject to Supplier’s reasonable and appropriate security and confidentiality requirements): (a) providing access to any facilities being used to provide the Supplier Services, as necessary for IBM Third Party Contractors to perform the work assigned to them; (b) providing access (remotely or onsite as requested by Buyer) to the Equipment, Software and/or systems used to provide the Supplier Services; (c) reasonable integration activities to ensure compatibility of systems/products/services of the total solution; and (d) providing written requirements, standards, policies or other documentation for the Supplier Services and for the Equipment, Software or systems procured, operated, supported or used by Supplier in connection therewith. The Parties shall cooperate in good faith to ensure smooth performance of the Supplier Services. To that end, there shall be a continuous exchange of information between the Parties with respect to, but not limited to, the Supplier Services, quality control and encountered difficulties.
Supplier will provide the cooperation called for in this Section 23.0 on a time and materials basis for services performed at the rates provided in Section 5.0 above, and on the basis of actual cost for expenses incurred. Supplier will inform and discuss any additional work or expenses with Buyer before incurring such cost or expense.
24.0 Notification.
Supplier shall immediately notify Buyer when it becomes aware that an act or omission of an IBM Third Party Contractor shall cause, or has caused, a problem or delay in providing the Supplier Services, and shall use commercially reasonable efforts to work with Buyer to prevent or circumvent such problem or delay. Supplier and Buyer shall cooperate with each other to resolve differences and conflicts arising between the Supplier Services and other activities undertaken by Buyer or any of the IBM Third Party Contractors.
25.0 COMPLIANCE
25.1 Governmental Approvals. Supplier shall obtain, provide, file and maintain all Governmental Approvals that are necessary for Supplier or Supplier Agents to commence and complete the Supplier’s provision of the Supplier Services. Upon Supplier’s reasonable request, Buyer shall cooperate with and assist Supplier in obtaining any Governmental Approvals, to the extent reasonably possible. Supplier shall have financial responsibility for all fees and taxes associated with obtaining and maintaining all Governmental Approvals.
(a) Without limiting Supplier’s obligations under this Section, Supplier shall be responsible for monitoring and properly notifying Buyer of any Governmental Approvals required in connection with providing the Supplier Services from the Offshore Locations.
(b) Buyer shall have the right to terminate upon notice to Supplier the relevant portion of any SOW if the foregoing Governmental Approvals are not obtained or provided within the required time frames, and the charges thereafter will be equitably adjusted to reflect such removal.
25.2 Compliance with Laws. Supplier (and Supplier’s Affiliates) and Supplier Personnel shall comply with all laws. If Supplier becomes aware of non-compliance with any laws, Supplier shall promptly notify Buyer in writing. Supplier shall provide Buyer with, upon request, data and reports necessary for Buyer to comply with all laws. If Supplier maintains any records required in electronic form, such records and their confidentiality shall comply with all applicable laws. Supplier shall be responsible for any fines and penalties imposed on Supplier resulting from the failure of Supplier, Supplier Personnel to comply with laws.
25.3 Compliance with Laws in Offshore Locations. Supplier shall be responsible for monitoring and complying with all laws relating to licensing, import-export, data flows, technology transfers (but excluding tax laws), applicable to its performance of the Supplier Services from the Offshore Locations. All costs relating to the compliance with such laws shall be paid by Supplier, except that conforming changes to IBM/CIGNA systems to receive the Supplier Services shall be handled by Buyer or CIGNA at their own cost unless the change is a part of the Supplier Services under a Statement of Work. Buyer shall provide reasonable assistance to Supplier in connection with such compliance as requested by Supplier.
25.4 Compliance with Privacy Regulations. Subcontractor shall comply with: (a) the European Commission Data Protection Directive (95/46/EC) or Data Protection Xxx 0000 or any implementing or related legislation of any member state in the European Economic Area; (b) the Health Insurance Portability and Accountability Act of 1996; (c) subject to 15.5, the Xxxxxxxx-Xxxxx Act of 2002 (Pub. L. 107-204, 116 Stat. 745); and (d) any other applicable data protection laws or regulations to the extent applicable to Subcontractor’s provision of the Subcontractor Services. Specific provisions relating to HIPAA and data protection laws are set forth in Exhibit 13 hereto.
25.6 Interpretation of CIGNA Laws. CIGNA shall have final approval over the interpretation and application, and the appropriate method for complying with any CIGNA Laws (i.e., laws that are specific to CIGNA’s business). Supplier (and Supplier’s Affiliates), Supplier Agents, and Supplier Personnel shall comply with all such CIGNA written directions in this regard.
27.0 AUDIT
27.1 Books and Records. Supplier shall keep and maintain, in accordance with generally accepted accounting principals and practices, and make available for the inspection, examination and audit by Buyer, its authorized employees, agents or representatives and auditors (“IBM Auditors”), upon reasonable notice, complete and accurate books and records in connection with the Service, as necessary to: (a) demonstrate Supplier’s compliance with its obligations under this Subcontract; (b) verify volumes, charges and resource utilization and payment by Supplier of all license, maintenance and other service fees required in connection with the performance of the Supplier Services in accordance with this Subcontract; (c) comply with all applicable Laws; and (d) verify data security measures, pre-placement checks physical security measures related to this Subcontract. Supplier shall permit and cooperate with any audit conducted by Buyer or IBM Auditors. Upon reasonable notice, but not more than once annually, at the sole expense of Buyer, IBM Auditors shall have the right to inspect and audit Supplier’s books, records, systems and operations related to the Supplier Services.
27.2 Facilities and Personnel. Supplier shall provide to IBM’s Auditors access upon request to any facility or part of a facility at which Supplier is providing the Supplier Services, to Supplier Personnel, and to data and records relating to the Supplier Services for the purposes of performing audits and inspections of Buyer and its business to verify the integrity of IBM Data and to examine the systems related to the Supplier Services that process, store, support and transmit that data. The foregoing audit rights shall include audits: (a) of practices and procedures; (b) of systems; (c) of security practices and procedures; (d) of disaster recovery and backup procedures; (e) necessary to enable Buyer to meet applicable Laws; and (f) of any Supplier quality assurance processes.
27.3 Fee Audit.
a. Upon Buyer’s request, Supplier shall provide IBM’s Auditors with access to such financial records and supporting documentation to the extent necessary to ascertain the correctness of fees due and payable to Supplier hereunder, as may be requested by Buyer or IBM’s Auditors. Such IBM Auditors may audit any of the charges charged to Buyer to determine if such fees are accurate and in accordance with this Subcontract.
b. If it is determined that Supplier has overcharged Buyer, IBM shall notify Supplier of the amount of such overcharge and Supplier shall promptly pay to Buyer the amount of the overcharge, plus interest at the rate of 1.5% per month calculated from the date of receipt by Supplier of the overcharged amount until the date of payment to Buyer.
c. In addition to Buyer’s rights set forth in Section (b) above, if any such audit reveals an overcharge to Buyer of 5% or more of the aggregate fees being audited Supplier shall, at Buyer’s option, issue to Buyer a credit against the Service Charges or reimburse Buyer, in either case, for the reasonable cost of such audit, provided such audit is not performed on a contingency fee basis.
27.4
Cooperation
a.
Supplier and Supplier Personnel shall assist and cooperate with Buyer or its
designees in connection with audit functions and with regard to examinations by
regulatory authorities. Supplier shall provide such assistance as reasonably
required to carry out the audits, including: (i) providing use of Supplier
locations, facilities and resources, including space, office furnishings
(including lockable cabinets), telephone and facsimile services, utilities,
office-related equipment and duplicating services; and (ii) installing and
operating audit software. For the avoidance of doubt, reasonable audit
cooperation is part of the Supplier Services (including participation from
accountants and other Supplier finance personnel) and shall not be counted
against resource utilization. Any actual and reasonable expenses incurred by
Supplier outside ordinary course of business expenses as a result of such audit
will be reimbursed to Supplier by Buyer.
b.
Other than in connection with a sales or use tax audit, Supplier shall notify
Buyer promptly by telephone or by email if any governmental or regulatory
authority requests an inspection or makes written or oral inquiries of Supplier
regarding any aspect of Buyer’s activities pursuant to this Subcontract, so long
as such notification does not violate any applicable Laws or breach any
obligation of confidentiality to a third party. Unless otherwise required by
applicable Laws, Subcontractor shall not allow physical access to any
governmental or regulatory authority relating to such activities without giving
IBM the right to have a representative present. Supplier and Buyer shall
cooperate in resolving any concerns of any governmental or regulatory authority.
Supplier shall notify Buyer promptly by telephone or by email if Supplier
believes that the actions or inactions of any governmental or regulatory
authority, including the issuance or failure to issue any report, permit, or
license, may cause a negative impact on Supplier’s ability to perform the
Supplier Services.
c.
At the conclusion of a Buyer audit or examination provided for in this
Subcontract or any applicable Statement of Work and prior to issuing the final
audit report, Buyer shall conduct, or request its external auditors or examiners
to conduct, an exit conference with Supplier to discuss issues identified in the
review. Supplier and Buyer shall meet to review each final audit report promptly
after the issuance thereof and to mutually agree upon an appropriate and
effective manner in which to respond to the deficiencies identified and changes
suggested by the audit report.
d.
If any audit by an auditor designated by Buyer or a regulatory authority results
in Supplier being notified that Supplier is not in compliance with the terms of
this Subcontract or other required compliance requirements, Supplier shall
comply with such terms after having a reasonable opportunity to contest such
audit finding should such finding be upheld. Subcontractor shall bear the
expense of any such response, and any remedial actions, to the extent that
Subcontractor was not in compliance with the terms of this Subcontract or the
required compliance requirements.
27.5
General Procedures.
Notwithstanding the intended breadth of Buyer’s audit rights, Buyer and its
internal and external auditors, inspectors, regulators and other representatives
shall not be given access to: (i) the proprietary information of other Supplier
customers; (ii) Supplier locations that are not related to Buyer or the Supplier
Services; or (iii) Supplier’s internal costs, except as to the extent such costs
are the basis upon which Buyer is charged. In performing audits, Buyer shall
endeavor to avoid unnecessary disruption of Supplier’s operations and
unnecessary interference with Supplier’s ability to perform the Supplier
Services. The external auditors and inspectors designated by Buyer under this
Article 27 to conduct operational and/or financial audits shall not be Supplier
Competitors. Buyer’s auditors shall comply with Supplier’s applicable,
reasonable security requirements, including, where appropriate, execution of a
non-disclosure agreement reasonably acceptable to Supplier.
27.6
Record Retention.
Until: (a) seven years after expiration or termination of this Subcontract; (b)
pending matters relating to this Subcontract (e.g., disputes) are closed; or (c)
no longer required to meet Buyer’s records retention policy (as modified from
time to time), whichever is later, as notified to Supplier, Supplier shall
maintain and provide access upon request to the records, documents and other
information required to meet Buyer’s audit rights under this Subcontract.
27.7
Legal Discovery.
Buyer is required to preserve and produce electronic data in support of its
legal discovery obligations, as they may arise, for investigations and/or
litigation. As part of the Supplier Services, Supplier shall cooperate with any
legal discovery requests made by any IBM Entity, including the dissemination of
preservation requests, collection of data, imaging of systems, back-up of
electronic information, maintenance, retention and production of any such data.
Supplier shall keep detailed records of its efforts to preserve data required
for legal discovery.
28.0
Change Control Procedures.
28.1
Buyer and Supplier shall comply with the following Change Control Procedures:
a.
Change Control Procedures shall provide, at a minimum, that: (A) no Change shall
be implemented without written agreement by both Parties, except as may be
necessary on a temporary basis to maintain the continuity of the Supplier
Services; (B) with respect to all Changes, Buyer and Supplier shall: (I) other
than those Changes made on a temporary basis to maintain the continuity of the
Supplier Services, schedule Changes so as not to unreasonably interrupt Buyer’s
business operations; and (II) monitor the status of Changes against the
applicable schedule; (C) with respect to any Change made on a temporary basis to
maintain the continuity of the Supplier Services, Supplier shall document and
provide to Buyer notification (which may be given orally provided that any oral
notice must be confirmed in writing to Buyer within five Business Days) of the
Change no later than the next Calendar Day after the Change is made; and (D)
Supplier shall update the Change Control Procedures as necessary and shall
provide such updated Change Control Procedures to Buyer for its approval.
30.0
Pre-Placement Checks
30.1
Supplier recognizes Buyer’s desire to maintain a safe and secure working
environment for Buyer employees. For purposes of this Subcontract, “Certain
Supplier Personnel” means any Supplier Personnel who: (i) are to have
behind-the-firewall access to Buyer or CIGNA or their Affiliates’ computer and
telecommunications network (e.g., Buyer or CIGNA Equipment, Software or Buyer or
CIGNA Data), whether such access is provided through an on-site or remote
connection; or (ii) perform certain Software development projects Buyer deems to
be highly sensitive to Buyer’s or CIGNA’s business operations.
30.2
Supplier shall have administrative responsibility for conducting the background
checks. Supplier does not conduct drug testing on its personnel. Buyer may
conduct drug testing and background checks itself, at Buyer’s expense, on any
Supplier personnel scheduled to work at IBM/CIGNA Service Locations. Supplier
will make such personnel available for the drug tests and background checks.
Buyer shall have financial responsibility therefore and shall reimburse Supplier
for the check and test costs on a Pass-Through Expense basis.
30.3
Supplier shall permit and cooperate with Buyer’s audits of Supplier compliance
with the background screening stated herein.
34.0
Replacement, Qualifications and Retention of Supplier Personnel.
34.1
If Buyer determines in good faith that the continued assignment to Buyer of any
particular Supplier Personnel is not in the best interests of Buyer, then Buyer
shall give Supplier written notice to that effect requesting that such Supplier
Personnel be replaced; provided, however, upon Buyer’s request, Supplier shall
immediately reassign any individual from the Buyer account so long as Buyer
demonstrates to Supplier the need for such immediate reassignment. Promptly
after its receipt of such a request by Buyer, Supplier shall investigate the
matters stated in the request and discuss its findings with Buyer. If requested
to do so by Buyer, Supplier shall immediately remove the individual in question
from performance of the Supplier Services pending completion of Supplier’s
investigation and discussions with Buyer. If, following discussions with
Supplier, Buyer still in good faith requests replacement of such Supplier
Personnel, Supplier shall promptly replace such Supplier Personnel with an
individual of suitable ability and qualifications. Nothing in this provision
shall operate or be construed to limit Supplier’s responsibility for the acts or
omissions of Supplier Personnel.
34.2
Supplier shall maintain and conduct procedures for the replacement of Supplier
Personnel in such a manner so as to assure an orderly succession for any
Supplier Personnel who is replaced. Upon request, after a determination that a
Supplier Personnel shall be replaced, Supplier shall make such procedures
available to Buyer. The timing for transfer, reassignment or replacement of
Supplier Personnel shall be closely coordinated with the requirements for timing
and other elements of the Supplier Services so as to maintain continuity in the
performance of the Supplier Services.
34.3
Supplier shall use its diligent and reasonable efforts to keep the turnover rate
of Supplier Personnel to a reasonably low level. If Buyer believes that Supplier
Personnel’s turnover rate is excessive and so notifies Supplier, Supplier shall:
(i) determine the cause of the excess; (ii) develop a mutually agreed upon plan
to minimize turnover; and (iii) meet with Buyer to discuss the implementation
and timely impact of the plan. Supplier shall be responsible for replacing
personnel who are retiring, or who otherwise leave the Buyer account, with
professional personnel.
35.0
Subcontractors.
Except for the subcontractors identified on Exhibit 4 hereto (the “Permitted
Subcontractors”), Supplier shall not subcontract its material obligations under
this Subcontract or any Supplier Services which involve the use of or access to
IBM Data without Buyer’s prior written consent. Supplier may use these Permitted
Subcontractors in connection with the provision of the Supplier Services subject
to the terms of this Subcontract (including the provisions of this Section).
Buyer hereby pre-approves those certain subcontracts between Supplier and third
party original hardware/equipment manufacturers and original software licensors
who perform routine maintenance and support and that do not materially impact a
Buyer or Supplier function that is part of the Supplier Services.
35.1
Supplier shall include in its subcontracts as flow-down provisions, provisions
substantially similar to those provisions of this Subcontract relating to Buyer
facilities, personnel requirements, Buyer’s intellectual property rights,
Buyer’s audit rights, confidentiality, representations and warranties. Supplier
shall require each of its Affiliates and all Permitted Suppliers to carry
insurance at levels customary and appropriate for the types and volumes of
Supplier Services being provided by such Affiliates and Permitted Suppliers.
35.2
The Change of Control of a Permitted Subcontractor to an IBM Competitor shall in
all cases be deemed good cause for the purposes of this Section. Upon any such
revocation, Supplier shall, upon Buyer’s request, replace such subcontractor
with a new subcontractor, subject to Buyer’s approval of the new subcontractor,
the transition plan, and certain material terms of the subcontract reasonably
specified by Buyer. Any revocation of the approval of a subcontractor pursuant
to this Section shall not excuse Supplier from providing the Supplier Services
and meeting the Service Levels; provided that Buyer gives Supplier 30 days’
notice unless a different notice period has been approved or agreed by Buyer.
35.3
No subcontracting shall release Supplier from its responsibility for its
obligations under this Subcontract. Supplier shall remain responsible for
obligations, services and functions performed by subcontractors to the same
extent as if these obligations, services and functions were performed by
Supplier employees. Supplier shall be Buyer’s sole point of contact. Supplier
shall not disclose Buyer or CIGNA Confidential Information to a subcontractor
(including an Affiliate of Supplier) until such subcontractor has executed a
nondisclosure agreement in a mutually agreed form.
35.4
Supplier shall be responsible for all payments to Supplier Agents under
contracts between Supplier and Supplier Agents. Supplier shall promptly pay for
all services, materials, Equipment and labor used by Supplier or Supplier Agents
in providing the Supplier Services and Supplier shall keep Buyer’s premises free
of all liens by Supplier or Supplier Agents.
35.5
Nothing in this Subcontract shall prevent, and Subcontractor shall not prevent
or inhibit (through damages, penalties or otherwise), IBM or any IBM Entity from
contracting directly with any of the subcontractors or third party providers
used by Subcontractor in connection with the provision of the Subcontractor
Services upon the cessation of a Service or expiration or termination of this
Subcontract.
36.0
REPRESENTATIONS, WARRANTIES AND COVENANTS
36.1
By Supplier.
Supplier represents, warrants and covenants to Buyer during the Subcontract Term
and the Termination Assistance Period that:
a
It shall render the Supplier Services with promptness and diligence and shall execute
them in a workmanlike manner, in accordance with the practices and high
professional standards that are the accepted industry norms applicable to the
Supplier Services. Supplier represents and covenants that it shall use adequate
numbers of qualified individuals with suitable training, education, experience
and skill to perform the Supplier Services.
b
It is now, and shall be during the Subcontract Term and the Termination
Assistance Period, an equal opportunity employer complying with all such
applicable Laws.
c
It shall maintain the Equipment and Software for which it is responsible under this
Subcontract so that they operate substantially in accordance with their
applicable specifications, including: (i) maintaining Equipment in good
operating condition, subject to normal wear and tear; (ii) undertaking repairs
and preventive maintenance on such Equipment substantially in accordance with
the applicable manufacturer’s recommendations; and (iii) performing Software
maintenance substantially in accordance with the applicable Supplier’s
documentation, recommendations and specifications, in accordance with the
provisions of Section 8 above.
f
It shall perform its responsibilities under this Subcontract in a manner that does not
infringe, or constitute an infringement or misappropriation of, the copyright,
trademark, trade secret or other proprietary rights of a third party; provided,
however, that Supplier shall not have any obligation or liability under this
clause (f) if and to the extent any such infringement or misappropriation is
caused by: (i) modifications made by Customer, Buyer or IBM Third Party
Contractors not specified or authorized (in each case, in writing) by Supplier
or Supplier Agents; (ii) IBM/CIGNA’s combination of otherwise non-infringing
Supplier’s work product or services with items not furnished or specified by
Supplier or Supplier Agents in writing that by sole virtue of such combination,
makes the work product, service or item infringing; (iii) a breach of this
Subcontract by Buyer; (iv) failure of IBM/CIGNA to use Supplier-provided
corrections or modifications that would remedy the non-infringement and that
offer equivalent features and functionality; (v) third party Software not
provided by Supplier, except to the extent that such infringement or
misappropriation arises from the failure of Supplier to obtain the necessary
third party Software licenses or Required Consents or to abide by the
limitations of the applicable third party Software licenses; (vi) Equipment or
Software or other resources provided to Supplier by IBM/CIGNA; or (vii) the
distribution, operation or use of Software of Materials for the benefit of a
third party outside of the other party’s enterprise.
g
It has not violated applicable Laws or regulations or Buyer policies (of which
Supplier has been given notice) regarding the offering of inducements in
connection with this Subcontract. If Supplier does not comply with the
foregoing, Buyer shall have the right to terminate this Subcontract for cause
without affording Supplier an opportunity to cure.
h
If any Equipment provided by Subcontractor, including those provided by any
Affiliate or third party subcontractor to Subcontractor, directly or indirectly
causes any damage or loss to any IBM system or results in the loss of any IBM
Data, Subcontractor shall, at no additional charge to IBM, repair or replace
affected IBM Equipment.
i
It shall cooperate with Buyer and shall take commercially reasonable actions and
precautions to prevent the introduction and proliferation of Malicious Code into
the systems used to provide the Supplier Services or the IBM environment. If
Malicious Code is found to have been introduced into the systems used by
Supplier to provide the Supplier Services, Supplier shall at no additional
charge eliminate the Malicious Code from such systems used by Supplier to
provide the Supplier Services and, if the Malicious Code causes a loss of
operational efficiency or loss of data, to assist Buyer to the same extent to
mitigate and restore those losses with generally accepted data restoration
techniques. Without the prior written consent of Buyer, Supplier represents,
warrants and covenants that it shall not insert into any Software code that
would have the effect of disabling or otherwise shutting down all or a portion
of the Supplier Services, and with respect to disabling code that may be part of
any Software, that it shall not invoke the disabling code at any time.
k
It is duly authorized to enter into this Subcontract and to make the commitments
set forth in this Subcontract.
l
Its execution, delivery and performance of this Subcontract does not constitute
a violation of any judgment, order, or decree; a material default under any
material contract by which it or any of its material assets are bound; or an
event that would, with notice or lapse of time, or both, constitute such a
default.
m
Supplier warrants that it will perform the Services using reasonable care and
skill, and according to the agreed upon specifications. Buyer agrees that it
must report any deficiencies of the Services to Supplier in writing within
ninety (90) days of performance of the Services in order to receive the warranty
remedy. In such case Supplier will re-perform the Services at no additional
charge.
n
All current and future employees and agents of and consultants to Supplier with
access to or involved in the performance of Supplier Services have executed and
delivered or shall execute and deliver to Supplier a proprietary rights
agreement with Supplier substantially consistent with the form attached as
Exhibit 10 hereto pursuant to which such employee or consultant agrees to
confidentiality and intellectual property assignment terms sufficient to enable
Supplier to meet its obligations to Buyer and Customer under the Subcontract and
sufficient to enable Buyer to meet its obligations to Customer under the Prime
Contract.
37.0
INDEMNIFICATION
37.1
By Supplier.
Supplier shall indemnify, defend and hold harmless Buyer and CIGNA and their
respective officers, directors, employees, agents, successors and assigns from
any and all Losses and threatened Losses arising from or in connection with any
of the following:
a. Claims
by Governmental Authorities for fines, penalties, financial sanctions or late
charges arising from or in connection with Subcontractor’s (or Subcontractor
Personnel’s) failure to comply with any laws solely to the extent
Subcontractor’s failure to comply with laws constitutes a breach of
Subcontractor’s services obligations under the Subcontract or a Statement of
Work which services obligation was communicated to Subcontractor by IBM as a
written requirement in order to enable IBM to comply with such laws;
b. Supplier’s
use or disclosure of information in breach of its confidentiality obligations
set forth in this Subcontract;
c. Supplier’s
failure to obtain the Required Consents or comply with the terms of any third
party consent or underlying agreement;
d. any
claim or action initiated by an Affiliate of Supplier or potential or actual
agent of Supplier (including Supplier Personnel) asserting rights in connection
with this Subcontract;
e. any
actual or alleged infringement or misappropriation of the trade secret,
copyright or other proprietary rights, alleged to have occurred because of
systems or other resources provided by or on behalf of Supplier or Supplier
Personnel or based upon performance of the Service; provided, however, that
Supplier shall not have any obligation or liability under this clause (h) if and
to the extent any such infringement or misappropriation is caused by: (i)
modifications made by Buyer, CIGNA, IBM Third Party Contractors or CIGNA Third
Party Contractors not specified or authorized (in each case, in writing) by
Supplier or Supplier Agents; (ii) Buyer’s or CIGNA’s combination of otherwise
non-infringing Supplier’s work product or services with items not furnished or
specified by Supplier or Supplier Agents in writing that by sole virtue of such
combination, makes the work product, service or item infringing; (iii) a breach
of this Subcontract by Buyer; (iv) failure of Buyer or CIGNA to use
Supplier-provided corrections or modifications that would remedy the
non-infringement and that offer equivalent features and functionality; (v) third
party Software not provided by Supplier, except to the extent that such
infringement or misappropriation arises from the failure of Supplier to obtain
the necessary third party Software licenses or Required Consents or to abide by
the limitations of the applicable third party Software licenses; or
(vi) Equipment, or Software provided to Supplier by Buyer or CIGNA, neither of
which has been authorized or approved by Buyer.
f. any
amounts assessed against any IBM Entity, including taxes, penalties and
interest, assessed against any IBM Entity, that are the obligation of Supplier
under this Subcontract;
g. any
claim relating to any violation by Supplier or Supplier Agents or their
respective officers, directors, employees, representatives or agents, of any Law
or any common law protecting persons or members of protected classes or
categories, including laws or regulations prohibiting discrimination or
harassment on the basis of a protected characteristic;
h. any
claim or action by, on behalf of, or related to, any prospective, then-current
or former employees of Supplier or Supplier Agents arising out of hiring
practices of Supplier or employment or termination of employment with Supplier,
including any claim arising under occupational health and safety, worker’s
compensation, ERISA or other applicable Law, except for claims arising out of
misrepresentations made by Buyer to Hired Employees, if any, prior to their
respective Hire Dates;
i. any
claim or action by, on behalf of, or related to, any prospective, then-current
or former employees of Supplier or Supplier Agents based on a theory that Buyer
is an employer or joint employer of any Supplier or Supplier Agent personnel;
j. any
claim or action by, on behalf of, or related to, any third party providing
services to Buyer prior to the SOW Effective Date relating to actions of
Supplier or Supplier Personnel, including the hiring by Supplier of the third
party’s employees;
k. damages
for the death or bodily injury of an agent, employee, customer, business invitee
or business visitor or other person caused by the tortious conduct of Supplier
or Supplier Agents;
l. damages
for the damage, loss or destruction of real or tangible personal property caused
by the tortious conduct of Supplier or Supplier Agents;
m. any
claim or action or other proceeding asserted against Buyer but resulting from an
act or omission of Supplier or any Supplier Agent in its capacity as an employer
of a person; and
n. any
claim in connection with the handling and processing of any and all immigration
and employment-related issues and requirements arising in connection with the
Supplier Personnel (whether located in the United States or elsewhere).
38.0
CONFIDENTIALITY
38.1
IBM or CIGNA Confidential Information.
Supplier shall: (a) use the same care and discretion to avoid disclosure,
publication or dissemination of IBM or CIGNA Confidential Information as it uses
with respect to its own similar information that it does not wish to disclose,
publish or disseminate; and (b) use IBM or CIGNA Confidential Information solely
to the extent required to fulfill its obligations or exercise its rights under
this Subcontract. Supplier shall not disclose, publish, release, transfer or
otherwise make available IBM or CIGNA Confidential Information in any form to,
or for the use or benefit of, any person or entity without Buyer’s consent.
Subject to Section 16.4, Supplier shall, however, be permitted to disclose
relevant aspects of the IBM or CIGNA Confidential Information to its officers,
directors, agents, professional advisors, Supplier Agents and employees, to the
extent that such disclosure is not restricted under this Subcontract or any
Governmental Approvals and only to the extent that such disclosure is reasonably
necessary for the performance of its duties and obligations, or exercise of its
rights, under this Subcontract; provided, however, that all such persons or
entities have entered into an agreement containing terms consistent with the
terms set forth in this Article and Supplier shall take all reasonable measures
to ensure that IBM or CIGNA Confidential Information is not disclosed, published
or disseminated in contravention of the provisions of this Subcontract by such
officers, directors, agents, professional advisors, Supplier Agents and
employees. The obligations in this Section shall not restrict any disclosure
pursuant to any law (provided that Supplier shall give prompt notice to Buyer
and the disclosing IBM Entity of such order).
38.2
Restricted Materials.
Subcontractor hereby acknowledges and agrees that the following items, whether
in paper or electronic form, are IBM or CIGNA Confidential Information: all IBM
or CIGNA financial, pricing, and costs of or relating to IBM or CIGNA or
suppliers or customers of IBM, CIGNA and their Affiliates, all marketing and
business plans and forecasts of IBM or CIGNA, any information related to
consumer goods in development or discovery, IBM protocols, case report forms,
data management plans, data listings, statistical analyses results, minutes,
notes, or recollections of contents of meetings or strategy discussions relating
to IBM’s or CIGNA’s business operations, personally identifiable information and
policy and procedure manuals (excluding any pre-existing Subcontractor
Confidential Information) (collectively, “Restricted Materials”). Subcontractor
shall treat all Restricted Materials as strictly confidential and: (a) shall use
the Restricted Materials only to the extent necessary to perform its obligations
or exercise its rights under this Subcontract; (b) shall provide access to such
Restricted Materials only to those Subcontractor Personnel who have a need to
know in connection with Subcontractor’s performance of its obligations or
exercise of its rights under this Subcontract; and (c) shall use the same care
and discretion to avoid disclosure, publication or dissemination of Restricted
Materials as it uses with respect to its own similar information that it does
not wish to disclose, publish or disseminate. Other IBM or CIGNA Confidential
Information not expressly listed in this Section may be considered Restricted
Materials of IBM or CIGNA and should be treated as such by Subcontractor upon
written notice from IBM.
38.3
Supplier Confidential Information.
Buyer shall: (a) use the same care and discretion to avoid disclosure,
publication or dissemination of Supplier Confidential Information as it uses
with respect to its own similar information that it does not wish to disclose,
publish or disseminate; and (b) use Supplier Confidential Information solely to
the extent required to fulfill its obligations or exercise its rights under this
Subcontract. Buyer shall not disclose, publish, release, transfer or otherwise
make available Supplier Confidential Information in any form to, or for the use
or benefit of, any person or entity without Supplier’s consent. Buyer shall,
however, be permitted to disclose relevant aspects of the Supplier Confidential
Information to its officers, directors, agents, professional advisors,
contractors, subcontractors and employees and to the officers, directors,
agents, professional advisors, contractors, subcontractors and employees of the
IBM Entities, to the extent that such disclosure is not restricted under this
Subcontract or any Governmental Approvals and only to the extent that such
disclosure is reasonably necessary for the performance of its duties and
obligations, or exercise of its rights, under this Subcontract; provided,
however, that Buyer shall take all reasonable measures to ensure that Supplier
Confidential Information of Supplier is not disclosed, published or disseminated
in contravention of the provisions of this Subcontract by such officers,
directors, agents, professional advisors, contractors, subcontractors and
employees. The obligations in this Section shall not restrict any disclosure
pursuant to any Law (provided that the recipient shall give prompt notice to
Supplier of such order).
38.4
Exceptions.
The obligations mentioned under Section 38.1, Section 38.2 and Section 38.3 do
not apply if, and to the extent that the receiving party is able to prove that:
(a) it previously had such knowledge and information without obligation of
confidentiality; (b) such knowledge and information was or becomes part of the
public domain, publicly available or public knowledge through no fault of the
receiving party; (c) it has received such knowledge and information from a third
party, the disclosure to such third party without constituting a breach of the
confidentiality undertaking hereunder; or (d) it independently developed such
knowledge or information without use of or access to the disclosing party’s
confidential information, as demonstrated by reasonable supporting evidence.
38.5
No Copies.
The receiving party (nor any person or entity to whom the receiving party has a
right to disclose the Confidential Information of the disclosing Party under
this Article 29) shall not make copies of Confidential Information, in whole or
in part, obtained from the disclosing party, except as necessary to perform its
obligations under this Subcontract.
38.6
Ownership of Confidential Information.
For the avoidance of doubt, all IBM or CIGNA Confidential Information (including
Restricted Materials) is the property of Buyer or CIGNA, respectively. For the
avoidance of doubt, all Supplier Confidential Information is the property of
Supplier.
38.7
Confidential Agreement.
This Subcontract is a confidential agreement between Supplier and Buyer. In
no
event may this Subcontract be reproduced or copies shown to any third parties
by
either Buyer or Supplier without the prior written consent of the other Party,
except as may be necessary by reason of legal, accounting or regulatory
requirements of Supplier or Buyer, as the case may be, or to obtain legal,
accounting or other advice in connection with this Subcontract, in which event
Supplier and Buyer agree to exercise reasonable diligence in limiting such
disclosure to the minimum necessary under the particular circumstances and
cause
anyone to whom such Party provides this Subcontract to keep it confidential
in
accordance with the provisions of this Subcontract. Neither Party is permitted
to issue any press release, distribute any advertising, or make any public
announcement concerning this Subcontract or its business relationship with
the
other Party without the other Party’s prior written consent. The obligations in
this Section 38.7 shall not restrict any disclosure required pursuant to any
Law; provided that: (a) each Party shall give reasonable and prompt advance
notice of such disclosure requirement to the other and give the other reasonable
opportunity to object to and contest such disclosure; and (b) each Party shall
use reasonable efforts to secure confidential treatment of any such information
that is required to be disclosed.
38.8
Disclosure.
Notwithstanding the confidentiality, non-disclosure and proprietary rights
provisions of this Subcontract, Supplier acknowledges and agrees that Buyer
and
Supplier has the right to file a copy of, and/or disclose, all or part of this
Subcontract and related documents and information, including performance reports
and fees and invoicing, as may be required or requested by its regulators and
auditors.
38.9
Unauthorized Acts.
Without limiting the rights of the IBM Entities in respect of a breach of this
Section 38, Supplier shall: (a) promptly notify Buyer of any unauthorized
possession, use or knowledge, or attempt thereof, of the Buyer or CIGNA
Confidential Information by any person or entity that may become known to
Supplier; (b) promptly furnish to Buyer full details of the unauthorized
possession, use or knowledge, or attempt thereof, and assist Buyer in
investigating or preventing the recurrence of any unauthorized possession,
use
or knowledge, or attempt thereof, of IBM or CIGNA Confidential Information;
(c)
cooperate with Buyer in any litigation and investigation against third parties
deemed necessary by Buyer to protect the proprietary rights of Buyer; and (d)
promptly use its diligent and reasonable efforts to prevent a recurrence of
any
such unauthorized possession, use or knowledge, or attempt thereof, of IBM
or
CIGNA Confidential Information.
Without limiting the rights of the Supplier in respect of a breach of this
Section 38, Buyer shall: (a) promptly notify Supplier of any unauthorized
possession, use or knowledge, or attempt thereof, of the Supplier Confidential
Information by any person or entity that may become known to Buyer or CIGNA;
(b)
promptly furnish to Supplier full details of the unauthorized possession, use
or
knowledge, or attempt thereof, and assist Supplier in investigating or
preventing the recurrence of any unauthorized possession, use or knowledge,
or
attempt thereof, of Supplier Confidential Information; (c) cooperate with
Supplier in any litigation and investigation against third parties deemed
necessary by Supplier to protect the proprietary rights of Supplier; and (d)
promptly use its diligent and reasonable efforts to prevent a recurrence of
any
such unauthorized possession, use or knowledge, or attempt thereof, of Supplier
Confidential Information.
38.10
Injunctive Relief.
Supplier acknowledges that, in the event of any breach of the provisions of
this
Section 38, Buyer may suffer damages that are not easily determinable, and
shall
be entitled to seek equitable relief, including an injunction or an order for
specific performance, in addition to all other remedies available to Buyer
at
law or in equity. Buyer acknowledges that, in the event of any breach of the
provisions of this Section 38, Supplier may suffer damages that are not easily
determinable, and shall be entitled to seek equitable relief, including an
injunction or an order for specific performance, in addition to all other
remedies available to Supplier at law or in equity.
38.11
Shared Service Location.
If: (a) Supplier provides the Supplier Services to Buyer from a Shared
Environment; and (b) any part of the business of Supplier or any such third
party is now or is in the future competitive with Buyer’s or CIGNA’s business as
specified through IBM’s or CIGNA’s Competitors, then Supplier shall develop a
process, subject to Buyer’s approval, to restrict access in any such Shared
Environment to IBM or CIGNA Confidential Information so that Supplier’s
employees or Supplier Agents providing services to such IBM or CIGNA Competitors
do not have access to IBM or CIGNA Confidential Information.
38.12
Attorney Client Privileged Documents.
Supplier recognizes that it may obtain access to client documents, data and
databases created by and for Buyer or CIGNA and associated communications
related thereto which are confidential attorney work product or subject to
the
attorney-client privilege. Supplier shall not reveal to any third parties any
such data or information: (a) marked with the words “attorney-client privilege”
or “attorney work product” or words of similar import; or (b) designated by
Buyer to Supplier as being subject to the attorney-client privilege or
confidential attorney work product (such marked and designated data or
information, collectively, “Privileged Work Product”). Supplier shall safeguard
to prevent the unintentional disclosure of Privileged Work Product to third
parties. The only Supplier Personnel who may have access to Privileged Work
Product shall be those for whom such access is necessary for the purpose of
providing Supplier Services to Buyer as provided in this Subcontract. Supplier
recognizes that Privileged Work Product has been prepared in anticipation of
litigation and that Supplier is performing the Supplier Services in respect
of
the Privileged Work Product as an agent of Buyer, and that all matters related
thereto and protected from disclosure by Rule 26 of the United States Federal
Rules of Civil Procedure (or any similar law in other local jurisdictions).
Should Supplier ever be notified of any judicial or other proceeding seeking
to
obtain access to Privileged Work Product, Supplier shall: (i) immediately notify
Buyer; (ii) take such reasonable actions at Buyer’s expense as may be specified
by Buyer to resist providing such access; and (iii) if such access cannot be
resisted, then only permit access to the extent required by law.
38.13
Review.
Buyer reserves the right to review Supplier’s policies and procedures used to
maintain the security and confidentiality of Personal Information, including
auditing Supplier concerning such policies and procedures. The provisions of
this Section are in addition to, and shall not be construed to limit any other
confidentiality obligations under this Subcontract. Any exclusion from the
definition of IBM or CIGNA Confidential Information contained in this
Subcontract shall not apply to Personal Information.
38.14
Survival.
The Parties’ obligations of non-disclosure and confidentiality shall survive the
expiration or termination of this Subcontract for a period of seven
years.
39.0
IBM DATA
39.1
Ownership of IBM or CIGNA Data.
All IBM or CIGNA Data is, or shall be, and shall remain the property of IBM
or
CIGNA (as appropriate), as the case may be, and shall be deemed IBM or CIGNA
Confidential Information. Without IBM’s approval (in its sole discretion), IBM
or CIGNA Data shall not be: (a) used by Supplier other than is necessary for
Supplier’s performance under this Subcontract and solely in connection with
providing the Supplier Services and the performance of Supplier’s obligations
under this Subcontract; (b) disclosed, sold, assigned, leased or otherwise
disposed of or provided to third parties by Supplier except as directed by
Buyer; or (c) commercially exploited by or on behalf of Supplier. Supplier
shall
not possess or assert liens or other rights in or to IBM Data.
39.2
IBM Access to IBM Data.
Buyer shall have unrestricted access (subject to Supplier’s reasonable security
precautions) to, and the right to review and retain the entirety of, all
computer or other files containing IBM or CIGNA Data in the possession or under
the control of Supplier or Supplier Agents. At no time shall any of such files
or other materials or information be stored or held in a form or manner not
reasonably accessible to Buyer. Except as specifically set forth in this
Subcontract, Supplier shall have no implied right to access any data files,
directories of files, or other IBM or CIGNA Confidential Information and shall
access and/or use such files and IBM or CIGNA Confidential Information only
as
and to the extent necessary to perform the Supplier Services that are the
subject of this Subcontract or the Statements of Work. Upon the request of
IBM,
Subcontractor shall confirm that, to the best of its knowledge, all files and
other information provided to IBM or its designee are complete and that no
material element, amount, or other fraction of such files containing IBM or
CIGNA Data or other information that constitutes IBM or CIGNA Data to which
IBM
may request access or review has been deleted, withheld, disguised or encoded
in
a manner inconsistent with the purpose and intent of providing full and complete
access to IBM or CIGNA Data to IBM or its designee as contemplated by this
Subcontract.
39.5
Return of Data.
Upon request by Buyer at any time during the Subcontract Term and upon the
cessation of a Service or expiration or termination of this Subcontract (or
at
the end of the Termination Assistance Period if directed by Buyer), Supplier
shall: (a) promptly return to Buyer, in the format and on the media requested
by
Buyer, all or any part of the IBM or CIGNA Data; and (b) erase or destroy all
or
any part of the IBM or CIGNA Data in Supplier’s possession, in each case to the
extent so requested by Buyer. Any archival tapes containing IBM or CIGNA Data
shall be used by Supplier solely for back-up purposes.
39.6
Data Safeguards.
a
Supplier shall establish and maintain safeguards against the destruction, loss,
or alteration of IBM or CIGNA Data in the possession of Supplier in accordance
with Exhibit
4-C.
b
Supplier shall implement a data security plan designed to impose security on
all
parts of Supplier’s organization that are exposed to, or have access to, Buyer
or to IBM or CIGNA Data. Such plan shall at a minimum be as protective as
required by this Subcontract, including Exhibit
4-C hereto.
In addition, Supplier shall at all times comply with all statutory and
regulatory requirements.
c
Supplier shall maintain the security procedures that are required by this
Subcontract, including Exhibit
4-C
hereto.
40.0
PROPRIETARY
RIGHTS
Definitions.
The
following definitions shall apply to the defined terms used in this Section
40.
“IBM
Intellectual Property” means Intellectual Property of IBM existing as of the
commencement of this service engagement or subsequently developed by IBM or
its
subcontractors other than Supplier outside the scope of this SOW.
“Intellectual
Property” means all present and future right title and interest whatsoever
whether legal or beneficial anywhere in the world in any copyright and in any
registered designs, unregistered design rights, trade marks (whether or not
registered), goodwill, rights or protections equivalent or similar to copyright
(including all moral rights), topography rights, patents, xxxxx patents, utility
models, database rights, data, know-how, trade secrets, research and development
information, preparatory designs, design standards specifications, computer
software (including all source code object code in relation thereto)
calculations, formulae, confidential information, designations and rights under
any international convention for protection of any of the foregoing and any
licenses applications or consents (respectively) granted applied for or given
in
respect of any of the foregoing.
“Supplier
Intellectual Property” means Intellectual Property of Supplier existing as of
the commencement of this service engagement or subsequently developed by
Supplier outside the scope of this SOW.
“Supplier
Software” means all commercially licensed Supplier proprietary Software programs
licensed to Customer under the Order Form and End-User Agreement.
40.1
Limited License Grant to IBM Technology.
Buyer
hereby grants to Supplier (and, to the extent necessary for Supplier to provide
the Supplier Services, to Supplier Agents designated by Supplier that sign
a
written agreement with Supplier with terms consistent with the applicable terms
contained herein) a world-wide, non-exclusive, non-transferable, limited,
license during the Subcontract Term to Use the IBM proprietary Software programs
(including any CIGNA proprietary Software programs that CIGNA has licensed
to
Buyer) and related documentation that is identified as such in the applicable
Subcontract that may be delivered by Buyer to Supplier in connection with
Supplier’s performance of the Supplier Services (the “Licensed IBM Technology”),
such Use to be made solely in connection with Supplier’s performance of the
Supplier Services in accordance with the provisions of this
Subcontract.
40.2
Conditions on Supplier License Rights to IBM Technology.
q
Except for the license rights in and to the Licensed IBM Technology granted
under Section 40.1, no license or other right in or to any of the Licensed
IBM
Technology is granted by implication, estoppel or otherwise by Buyer to
Supplier. Buyer shall own, and Supplier hereby perpetually assigns to Buyer
all
right, title and interest in and to the Licensed IBM Technology, including
all
right, title and interest in and to any modifications, enhancements or
derivative works of or based on the Licensed IBM Technology (except as set
forth
in Section 40.5).
r
Except as expressly provided in Section 40.1 with respect to Supplier Agents,
Supplier may not sublicense, assign, lease or otherwise transfer, distribute
or
exploit any of the Licensed IBM Technology or any of the license rights granted
to it under Section 40.1, to any Affiliate of Supplier or to any third party,
whether directly, indirectly or by operation of law, including by merger, stock
transfer, or otherwise.
s
Supplier shall not reverse engineer, decompile, disassemble, modify or enhance
any of the Licensed IBM Technology or any part thereof or otherwise attempt
to
create any derivative works of any of the Licensed IBM Technology or any part
thereof except as required in connection with Supplier’s performance of the
Supplier Services.
t
Supplier shall adhere to all of the operational and security rules, procedures
and guidelines that are instituted from time to time by Buyer and communicated
to Supplier on a timely basis in connection with the exercise by Supplier of
its
right to access remotely certain of the Licensed IBM Technology.
u
All Licensed IBM Technology constitutes IBM or CIGNA Confidential Information
and valuable trade secrets of Buyer. As such, Supplier shall keep all Licensed
IBM Technology confidential in accordance with the provisions of Section
38.
v
Supplier’s license rights in and to the Licensed IBM Technology shall terminate
automatically upon the cessation of a Service or expiration or earlier
termination of the Subcontract Term. Promptly after the cessation of a Service
or expiration or earlier termination of the Subcontract Term (or partial
termination to the extent the Licensed IBM Technology, or parts thereof, are
no
longer required to perform the Supplier Services), or as otherwise requested
by
Buyer, Supplier shall deliver to Buyer or destroy any and all devices, records,
data, computer disks and tapes, notes, reports, proposals, lists,
correspondence, specifications, drawings, blueprints, sketches, materials,
Equipment, other documents or tangible property of any type comprising or
containing any Licensed IBM Technology and any and all copies and reproductions
of any of the aforementioned items in the possession or control of Supplier.
An
Executive of Supplier shall provide Buyer with written certification that all
devices, records, data, computer disks and tapes, notes, reports, proposals,
lists, correspondence, specifications, drawings, blueprints, sketches,
materials, Equipment, other documents or tangible property of any type
comprising or containing any Licensed IBM Technology and any and all copies
and
reproductions thereof have been destroyed or deleted from Supplier’s, Supplier’s
employees’, subcontractors, and Supplier’s Agents’ electronic storage
devices.
40.3
IBM Intellectual Property.
All worldwide right, title and interest in and to all IBM Intellectual Property,
together with any and all intellectual property rights inherent in any of the
IBM Intellectual Property and appurtenant thereto including all patent rights,
copyrights, trademarks, know-how and trade secrets, shall belong exclusively
to
Buyer perpetually.
40.4
Supplier Intellectual Property.
a
All worldwide right, title and interest in and to all Supplier Intellectual
Property, together with any and all intellectual property rights inherent in
any
of the Supplier Intellectual Property and appurtenant thereto including all
patent rights, copyrights, trademarks, know-how and trade secrets, shall belong
exclusively to Supplier perpetually.
b.
Supplier hereby grants to Customer a worldwide, perpetual, irrevocable, fully
paid-up, nonexclusive, unlimited license to Use and sublicense, and to permit
third parties to Use, the Supplier Intellectual Property (exclusive of Supplier
Software) that is incorporated or embedded in any Customer New Intellectual
Property for so long as such Supplier Intellectual Property remains embedded
or
incorporated in such Customer New Intellectual Property and is not separately
commercially exploited by Customer. If any software (exclusive of Supplier
Software) is included in the Supplier Intellectual Property, then such software
shall be licensed to Customer as set forth in this Section 40.4(c) in both
object code and source code format. The rights and licenses granted in this
Section 40.4(c) are to all Customer Entities, both current and future, and
to
the extent part of such operations are sold or divested, such rights and
licenses shall extend to such sold or divested part or entity. Upon Customer’s
request, Subcontractor shall deliver to Customer a copy of the Subcontractor
Intellectual Property (exclusive of Supplier Software) in object code and source
code format. Source code to Supplier Intellectual Property constitutes
Subcontractor Confidential Information and valuable trade secrets of Supplier.
As such, Customer shall keep all such source code confidential in accordance
with the provisions of Article 38.
c.
Notwithstanding the provisions of paragraph b of this Section 40.4 above, any
Subcontractor Intellectual Property that is sold or licensed on a commercial
basis by Subcontractor (including without limitation the Supplier Software)
shall not be licensed to Buyer or Customer except under the terms of a separate
license agreement (which may or may not include a license to source code).
For
the sake of clarification, Supplier has licensed Supplier Software to the
Customer under the terms and conditions of the Order Form and End-User
Agreement. No Supplier Software has been licensed to Buyer.
40.5
New Intellectual Property.
a.
IBM New Intellectual Property.
Buyer owns, and Supplier hereby perpetually assigns to Buyer, all rights, title
and interests in all modifications and enhancements to, and derivatives of,
IBM
Intellectual Property (collectively, “IBM New Intellectual
Property”).
b.
Supplier New Intellectual Property.
Supplier shall own all modifications and enhancements to, and derivatives of,
Supplier Intellectual Property (exclusive of Supplier Software) that are
developed by Supplier during the provision of any Supplier Services
(collectively, “Supplier New Intellectual Property”). Supplier hereby grants to
Customer an unlimited, worldwide, fully paid-up license to Use (and allow
Customer’s agents and third parties to Use) any Supplier New Intellectual
Property, subject to Buyer’s ownership of IBM Data and IBM or CIGNA Confidential
Information contained therein. Supplier shall own all modifications and
enhancements to, and derivatives of, Supplier Software that are developed by
Supplier during the provision of any Supplier Services.
Supplier hereby grants to Customer a license to Use the New Supplier Software
to
the same extent as the Customer is permitted to Use the Supplier Software under
the terms and conditions of the End-User Agreement.
c.
Customer New Intellectual Property.
Unless expressly stated otherwise in Subcontract and except for modifications
and enhancements to, and derivatives of, IBM Intellectual Property, Supplier
Intellectual Property or Supplier Software, Customer owns, and Supplier hereby
perpetually assigns to Customer, all rights, title and interests in work product
that are developed or provided by Supplier in connection with the provision
of
any Supplier Services, including any Deliverables (including related
documentation necessary to use and support the Deliverables and work product
embedded in the Deliverables) whether developed or provided in connection with
Subcontract (collectively, “Customer New Intellectual Property”).
40.6
Deliverables.
Supplier
shall not introduce any third party-owned or licensed components in Deliverables
without obtaining Customer’s prior written approval in each instance. To the
extent Customer approves of such introduction, prior to such introduction
Supplier shall obtain the right to grant Customer, without additional charge,
a
perpetual, irrevocable, fully-paid up, non-exclusive license to Use such third
party components as part of the Deliverables, and to sublicense such rights
to
other entities for the purpose of providing services similar to the Supplier
Services to Customer. To the extent Supplier is unable to obtain the rights
described in this Section 40.6, Supplier shall notify Customer in writing of
its
inability to grant Customer such a license and of the cost and viability of
other components that can perform the requisite functions and with respect
to
which Supplier has the ability to grant such a license. This notice shall
contain the third party Supplier’s proposed terms and conditions, if any, for
making the components available to Customer after expiration, upon any partial
or whole termination of this Subcontract, or upon cessation of Supplier
Services. Supplier may introduce such components in Deliverables only with
Customer’s prior written approval.
All
reports, processes, methodologies, deliverables, plans, information, materials,
data, drawings, inventions, suggestions, computer Software, renditions,
mock-ups, prototypes or other works provided by Subcontractor as a deliverable
or otherwise under this Subcontract that do not constitute Deliverables shall
be
licensed by Subcontractor to Customer in accordance with Section 40.4.
40.8
Pre-Existing IP.
Subcontractor must identify and obtain Buyer’s prior written approval for the
use of any pre-existing Subcontractor Intellectual Property that shall be
embedded in IBM New Intellectual Property or Customer New Intellectual Property
prior to the development of any such IBM New Intellectual Property or Customer
Intellectual Property.
40.9
Enforceability.
a. During
the Subcontract Term and any time thereafter, Supplier shall assist Buyer or
its
designee, at Buyer’s expense, in every reasonable way to secure all of Buyer’s
worldwide perpetual ownership rights, title and interest in IBM Intellectual
Property and IBM New Intellectual Property (and all licenses to Supplier
Intellectual Property granted pursuant to this Article 40) in any and all
countries, including the disclosure to Buyer of all pertinent information and
data with respect thereto, the execution of all applications, registrations,
filings, specifications, oaths, assignments and all other instruments which
Buyer shall deem necessary or appropriate to: (a) apply for and obtain such
rights, title and interest and to assign and convey to Buyer, its successors,
assigns and nominees the sole and exclusive rights, title and interests
worldwide perpetually in and to the IBM Intellectual Property and IBM New
Intellectual Property; and (b) obtain such license rights as set forth in this
Article 40 in and to Supplier Intellectual Property. Supplier further agrees
that its obligation to execute or cause to be executed any such instrument
or
papers shall continue after the cessation of a Service or expiration or
termination of the Subcontract Term. If testimony or information relative to
any
of said matters or related to any interference or litigation is requested by
Buyer either during the Subcontract Term or following its expiration or
termination or the cessation of a Service, Supplier agrees to give all
information and testimony and do all things reasonably requested that Supplier
may lawfully do, at Buyer’s sole expense. Without limiting the foregoing,
Supplier, at Buyer’s request, agrees to execute such assignments and
confirmations of: (i) assignment of all rights, title and interests in and
to
the IBM Intellectual Property and the IBM New Intellectual Property; and (ii)
license rights as set forth in this Article 40 in and to Supplier Intellectual
Property, each of (i) and (ii) in form acceptable to Buyer. If Buyer is unable
because of Supplier’s unavailability, refusal, dissolution or for any other
reason to secure a signature by or on behalf of Supplier to apply for or to
pursue any application, registration, filing or other instrument for any United
States, Indian or foreign intellectual property rights covering the IBM
Intellectual Property and the IBM New Intellectual Property, then Supplier
hereby irrevocably designates and appoints Buyer and its duly authorized
officers and agents as Supplier’s agent and attorney in fact, to act for and on
Supplier’s behalf and stead to execute and file any such application,
registration, filing or other instrument, and to do all other lawfully permitted
acts to further the prosecution and issuance of such intellectual property
rights, with the same legal force and effect as if executed by
Supplier.
b. During
the Subcontract Term and any time thereafter, Supplier shall assist Customer
or
its designee, at Customer’s expense, in every reasonable way to secure all of
Buyer’s worldwide perpetual ownership rights, title and interest in Customer New
Intellectual Property (and all licenses to Supplier New Intellectual Property
granted pursuant to this Article 40) in any and all countries, including the
disclosure to Customer of all pertinent information and data with respect
thereto, the execution of all applications, registrations, filings,
specifications, oaths, assignments and all other instruments which Customer
shall deem necessary or appropriate to: (a) apply for and obtain such rights,
title and interest and to assign and convey to Buyer, its successors, assigns
and nominees the sole and exclusive rights, title and interests worldwide
perpetually in and to the Customer New Intellectual Property; and (b) obtain
such license rights as set forth in this Article 40 in and to Supplier New
Intellectual Property. Supplier further agrees that its obligation to execute
or
cause to be executed any such instrument or papers shall continue after the
cessation of a Service or expiration or termination of the Subcontract Term.
If
testimony or information relative to any of said matters or related to any
interference or litigation is requested by Customer either during the
Subcontract Term or following its expiration or termination or the cessation
of
a Service, Supplier agrees to give all information and testimony and do all
things reasonably requested that Supplier may lawfully do, at Customer’s sole
expense. Without limiting the foregoing, Supplier, at Buyer’s request, agrees to
execute such assignments and confirmations of: (i) assignment of all rights,
title and interests in and to the Customer New Intellectual Property; and (ii)
license rights as set forth in this Article 40 in and to Supplier New
Intellectual Property, each of (i) and (ii) in form acceptable to Buyer. If
Buyer is unable because of Supplier’s unavailability, refusal, dissolution or
for any other reason to secure a signature by or on behalf of Supplier to apply
for or to pursue any application, registration, filing or other instrument
for
any United States, Indian or foreign intellectual property rights covering
the
Customer New Intellectual Property, then Supplier hereby irrevocably designates
and appoints Customer and its duly authorized officers and agents as Supplier’s
agent and attorney in fact, to act for and on Supplier’s behalf and stead to
execute and file any such application, registration, filing or other instrument,
and to do all other lawfully permitted acts to further the prosecution and
issuance of such intellectual property rights, with the same legal force and
effect as if executed by Supplier.
40.10
General Intellectual Property Provisions.
aa
Copyright Legends. The Parties agree to reproduce copyright legends which appear
on any portion of the Intellectual Property which may be owned by third
parties.
bb
No Implied Licenses. Except as expressly specified in this Subcontract, nothing
in this Subcontract shall be deemed to grant to one Party, by implication,
estoppel or otherwise, license rights, ownership rights or any other
intellectual property rights in any Intellectual Property owned by the other
Party or any Affiliate of the other Party.
cc
Residuals. Nothing in this Subcontract shall: (i) restrict either Party from
using ideas, concepts or know-how relating to the Supplier Services that are
retained in the memories of such Party’s employees or representatives after
performing the obligations of such Party under this Subcontract; or (ii)
preclude or limit Supplier from providing services and/or developing Software
or
materials for itself or other clients, irrespective of the possible similarity
of such materials that might be delivered to Buyer under this Subcontract,
except to the extent that the exercise of any of the foregoing infringes upon
a
patent or trademark of a Party or its Affiliates. Except as described above,
this Section 40.10 shall not be deemed to limit either Party’s obligations under
this Subcontract with respect to the disclosure or use of Confidential
Information.
43.0
Insurance.
43.1
Supplier shall, and shall cause Supplier Agents to, throughout the Term and
the
Termination Assistance Period, maintain in full force and effect from a third
party that is rated “A” or “A-” in Best’s Insurance Guide, or otherwise
acceptable to Buyer, the following insurance coverage for its worldwide
operations:
tt
Supplier agrees to maintain a policy of workers’ compensation insurance (as
required by the applicable state statute) on its employees. Such policy shall
provide statutory limits and contain Employer’s Liability coverage in an amount
not less than $5,000,000 per occurrence. To the extent reasonably obtainable,
Supplier agrees to have its workers’ compensation insurance policy amended to
waive the insurer’s rights of subrogation against Buyer for recovery of claims
paid under Supplier’s policy.
uu
Automobile liability covering all vehicles owned, non-owned, hired and leased in an amount not less than $1,000,000.00 per claim (combined single limit for bodily injury and property damage).
vv
Commercial general liability insuring against bodily injury, property damage, contractors’ completed operations and contractual liability (covering Supplier’s indemnification obligations contained herein) with a combined single limit of not less than $5,000,000.00 per claim.
ww
Professional liability and errors and omissions insurance in an amount not less than $5,000,000.00 per claim and in the aggregate.
xx
Umbrella coverage (including commercial general liability coverage) of not less than $20,000,000.00 over the coverages shown above.
yy
Fidelity coverage in the amount of $5,000,000.00 to cover fraudulent or
dishonest acts by an employee of Supplier.
Buyer shall be named as a loss payee in respect to the Services performed for
Buyer.
43.2
Inspection.
Supplier shall allow Buyer or CIGNA or their representatives or property
insurance company representatives, at any time with reasonable advance notice,
to inspect, test or examine fire protection and security Equipment, systems
and
procedures at the IBM or CIGNA Service Location.
43.3
Certificates.
Supplier shall furnish Buyer with certificates of insurance evidencing the
above
coverages and endeavoring to notify Buyer 30 days in advance in writing of
cancellation. Such certificates or policies shall be in a form and underwritten
by a carrier and/or placed through a broker satisfactory to Buyer. Except for
the Workers’ Compensation, Professional Liability and Employer’s Liability
policies, all policies of insurance shall name Buyer as an additional insured
where allowed by local country law. Each policy shall contain a provision that
no act or omission of Supplier shall affect or limit the obligation of the
insurer to pay Buyer the amount of any loss sustained. Insurance carried on
a
claims made basis shall be carried for a 60 day after the Term and the
Termination Assistance Period to cover all claims.
43.4
Use of Proceeds.
Proceeds received by Supplier from any claims under the insurance policy referenced in this Article shall be used to rapidly effect necessary repairs or replacement or to reimburse the affected CIGNA Entities.
43.5
Waiver of Subrogation.
The insurance coverages under this Section 43 with respect to premises liability
and only for liability arising out of Supplier’s negligence on such premises,
shall be primary, and non-contributing with respect to any other insurance
or
self insurance which may be maintained by Buyer.
43.6
Risk of Loss.
Supplier shall be responsible for risk of loss of, and damage to, Equipment, Software or other materials in its possession or under its control, except to the extent such loss or damage is caused by Buyer or CIGNA.
Section
44.0 Further Assurances.
44.1
Each party agrees to execute documents and provide such information and
cooperation as reasonably requested by a party to effectuate the grant of rights
hereunder including any documents, information or cooperation reasonably
necessary to effectuate the intent of the parties herein.
| ACCEPTED AND AGREED TO: | ACCEPTED AND AGREED TO: |
| --- | --- |
| IBM | Chordiant Software, Inc. |
| By: /s/ Xxx Xxxxxxxx | By: /s/ Xxxxx Xxxxx |
| Buyer Signature Date September 28, 2006 | Supplier Signature Date September 28, 2006 |
| Xxx Xxxxxxxx | Xxxxx Xxxxx |
| Printed Name | Printed Name |
| Procurement Solutions Advisor/ Client Services Procurement | VP, Worldwide Sales Operations |
| Title & Organization | Title & Organization |
| Buyer Address: 0000 Xxxxx Xxxx Xxxxxxxxxxxx, XX 00000 | Supplier Address: 00000 Xxxxxxx Xxxxx Xxxx. Xxxxxxxxx, XX 00000 XXX |
EXHIBIT 1 - Service Level Agreement
1. INTRODUCTION
The
Service Level Agreements defined in this schedule are associated with the
steady-state management of the Call Center Application.
1.1 The
Service Levels set forth herein shall be effective upon production
implementation of the application.
1.2 The
primary objective of Chordiant Product Support is to assist IBM in maintaining
and/or regaining an operational state by commercially reasonable efforts. The
secondary objective of Product Support is to provide in due course the
correction of any underlying Errors.
Chordiant shall make available to Customer Support in the form of access via e-mail, web and telephone (telephone access during the Support Hours only) in English to the Designated Contacts and/or via the support website for technical information, technical advice and technical consultation regarding Customer’s use of the Supported Software.
Product Support will include the following:
(a) Problem Prevention
1. Notification of availability of generally available patches and releases.
(b) Problem Identification
1. Clarification of Chordiant error messages,
2. Assistance in identifying and verifying the causes of suspected Errors, and;
3. Advice on bypassing identified Errors (providing workarounds) in the Supported Software.
(c) Problem Resolution
1. Reporting and tracking product defects and enhancement requests,
2. Resolution of defects via workaround, maintenance release or in exceptional circumstances emergency patches, and
3. Notification of status on issues, including escalation when required.
Resolution of Errors.
Chordiant will endeavor to provide an initial response acknowledging Errors reported by Customer in accordance with the priority levels and response times set out in Schedule A. Chordiant will acknowledge each Customer report of a case by written acknowledgment setting forth a Case Problem Number for use by Customer and Chordiant in all correspondence relating to such case. Thereafter, Chordiant shall use commercially reasonable efforts to provide a Resolution.
Exceptions.
Chordiant shall have no responsibility to fix any Errors arising out of or related to the following causes:
a. any modifications or enhancements made by the Customer to the Software, unless such modifications or enhancements are specifically approved in writing by Chordiant Product Support; this includes but is not limited to:
- location of binaries
- scripts provided by Chordiant
- any application specific object (e.g., table, view, index, trigger)
- any application specific operating system permissions or role privileges
b. Any modification or combination of the Software (in whole or in part), including without limitation any portions of the Software code or Source Code customized by the customer that is not part of the unmodified Software delivered by Chordiant or for which Chordiant has not received and acknowledged receipt of the source code and agreed to Support.
c. Use of the Software in an environment other than a Supported Environment.
d. Accident; electrical or electromagnetic stress; neglect; misuse; failure or fluctuation of electric power, failure of media not furnished by Chordiant; operation of the Software with other media and hardware, software or telecommunication equipment or software; or causes other than ordinary use.
2.
IBM Responsibilities
IBM
agrees to:
(i)
Provide Chordiant with remote access to the Supported Software during the term
of this Agreement via an electronic link; and
(ii)
Provide any reasonable assistance that Chordiant may require from the Designated
Contacts and other appropriate Customer representatives (e.g. network
administrator, as the case may be) to enable Chordiant to provide IBM with
Support; and
(iii)
Establish and maintain the conditions of the Supported Environment in compliance
with Chordiant Certified Matrix and Technical Stack developed for the installed
release or any environmental operating ranges specified by the manufacturers
of
the components of the Designated Center. Any deviation from this Supported
Environment voids all Resolutions within the timeframe set forth below unless
agreed to by Chordiant in writing.
IBM agrees to designate two (2) appropriately qualified and trained personnel to be the Designated Contacts, and only those individuals shall request Support services. IBM agrees to endeavor to adequately train and obtain “Chordiant certification” for, and forward to Chordiant the names and contact details of the Designated Support Contacts. IBM shall provide Chordiant with access to IBM’s personnel and its equipment during Support Hours. This access must include the ability to dial-in from Chordiant facilities to the equipment on which the Supported Programs are operating and to obtain the same access to the equipment as those of IBM’s employees having the highest privilege or clearance level.
IBM
agrees to maintain procedures to facilitate reconstruction of any lost or
altered files, data or programs and IBM agrees that Chordiant will not be
responsible under any circumstances for any consequences arising from lost
or
corrupted data, files or programs. IBM is solely responsible for carrying out
all necessary backup procedures for its own benefit, to ensure that data
integrity can be maintained in the event of loss of data for any reason and
that
Customer programs can be restored.
IBM
agrees to notify Chordiant Product Support promptly of any malfunction of the
Supported Software.
IBM
agrees to provide Chordiant with access to and use of such of the Customer’s
information and facilities reasonably necessary to service the Supported
Software including, but not limited to, an accurate description of the
Designated Center and the current Supported Environment, the problem being
reported, the transactions and any error messages, along with screenshots and
log files.
IBM
agrees to install the Current Release as soon as reasonably practicable, or
as
stated in the CIGNA SLSA which requires IBM to stay current to N-2. If CIGNA
requires IBM to not maintain N-2 IBM will work with Chordiant to purchase
extended maintenance support and assess the impact to the SLA below in
accordance with the change control process.
Problem Management Requirements

| Severity Level | Response | Escalation & Communication | Resolution |
| --- | --- | --- | --- |
| Severity 1 | [*] mins | [*] hr during Business Hours; [*] hrs off-hours | [*] hours [*] % of the time. IBM must provide 24x7 contact information. |
| Severity 2 | [*] Business Hour | [*] hrs during Business Hours; [*] hrs off-hours | [*] hours [*] % of the time |
| Severity 3 | [*] business hrs | [*] business day | [*] days [*] % of the time |
| Measurement Process | See Text Below | | |
| Measurement Calculation | See Text Below | | |
| Measurement Frequency | Daily; Weekly; Monthly (current + 12 month rolling) | | |
| Service Level Weighting | TBD% for each severity category and response/escalation/resolution criteria | | |
| Measurement Period Start Date | Two weeks after the Implementation Date | | |
| Service Level Effective Date | The first day of the month following 30 days of measurement. | | |
| Continuous Improvement Applies | No | | |
| Scope of Requirements | These Program Management Requirements apply only to Chordiant Foundation as originally delivered (including subsequently delivered Updates). These Requirements shall not apply to any customizations, modifications or derivative works of Chordiant Foundation. | | |
4. Supplier will name an SLA Manager as initial contact person responsible for assisting IBM with meeting Problem Management SLA’s during 8:30 AM to 5:30 PM Eastern Time on Business Days. SLA Manager will provide 7 x 24 coverage model and contact/name and numbers.
5. Once IBM identifies Chordiant Foundation as the cause of an outage, IBM will notify SLA Manager who will provide Supplier staff to resolve product issues based on the following:
   a. Severity 1: Supplier provides staff to resolve problem on 7X24 basis until resolution or IBM agrees problem is not caused by Supplier product.
   b. Severity 2 and 3: Supplier provides staff to resolve problem on 5 X 8 basis until resolution or IBM agrees problem is not caused by Supplier product.
6. If Supplier causes IBM to miss a CIGNA Service Level which causes IBM to pay a Service Level Credit, Supplier will refund IBM the percentage of the Annual Maintenance Charge set forth below during the following fiscal quarter:
   a. Supplier’s monthly amount at risk is [*] % of the Annual Maintenance Charges paid by IBM
   b. Supplier’s penalty exposure will be limited to no more than one occurrence per month.
   c. IBM will have no more than one month from the end of the fiscal quarter of a missed CIGNA Service Level to request that Supplier refund a percentage of the Annual Maintenance Charge.
7. Root Cause Analysis. The Root Cause Analysis shall be completed for all Severity 1 issues and for other severity levels upon IBM’s request. If Supplier product is identified as a contributor to a Severity 1 issue, Supplier SLA Manager will participate in the Root Cause Analysis and assist IBM with documenting the following:
   § What happened?
   § Why did it happen?
   § What was done to correct the problem?
   § What was the business impact?
   § What's being done to prevent recurrence?
Supplier shall make commercially reasonable efforts to determine the exact root cause for all Severity 1 issues. The root cause analysis shall be completed and available to CIGNA within 5 business days after completion of a workaround or fix.
Supplier shall perform a post evaluation for all Severity 1 issues. The post evaluation shall determine if preventative measures can be enacted to avoid the outage in the future. The post evaluation shall contain a detailed description of the scope and scale of work, the estimated costs and estimated timeframe for implementing the preventive measures.
8. DEFINITIONS
a. “Availability”: The aggregate number of hours in any month during which each defined and supported system to be measured for the Service Level is actually available, excluding Scheduled Hours of Operational Downtime.
b. “Business Days”: means Monday through Friday, excluding CIGNA designated holidays during which time the Call Centers are not in operation.
c. “Business Hours”: shall mean (whether capitalized or not) the hours of operation as defined on Eastern Time.
d. “CCA Application”: is defined as the desktop plus the call center interaction history plus Chordiant Foundation.
e. “Normal System Hours of Operation” shall mean 24 x 7 (excluding Scheduled Maintenance and other mutually agreed periods).
f. “Prime Shift”: shall mean 06:00 to 22:00 Eastern Time on Business Days.
g. “Reporting Prime Shift” shall mean 07:00 to 22:00 Eastern Time on Business Days.
h. “Problem Resolution Hours of operation”: Unless specifically stated, Vendor shall work to resolve reported or identified problems on the following work schedule:
   i. Severity 1: 7x24
   ii. Severity 2, 3, 4: Monday through Friday, 7:00 AM to 6:00 PM local time excluding CIGNA holidays, except in cases of Network Data where the operations is to be staffed 24x7
   iii. Service Requests: Monday through Friday, 8:00 AM to 5:00 PM local time excluding CIGNA holidays
i. “Resolve or Resolution”: To correct an Incident or Problem for which Supplier is responsible with either a permanent solution or an interim work around solution. Supplier may, with IBM’s approval, defer the implementation of a Resolution to a mutually agreed time (e.g. implementation of a new software fix or release) beyond the Service Level Agreement.
j. Severity Definitions
Severity Level | Definition

Severity 1 (Highest Impact): Service impacts to an ENTIRE facility, business unit, or system
• A critical system service or critical path process, or an entire network or application is disrupted and is impacting the business.
• Timely resolution is essential to minimize financial loss or missed sales.
• An entire business unit is down or a network or major system is down and is impacting the business.
• When a problem occurs that has the potential for impacting a process or business function at a later time, and requires immediate resolution and/or assistance from another support group.

Severity 2 (High Impact): Service impact to a PORTION of a business unit, or facility; Or Entire team/business unit is missing a PORTION of a critical component or application
• A system service, network, or application is available, but with severe restrictions that impact the ability of a portion of a business unit to complete their work.
• Bypass or work-around is available, and work is continuing with significant inconvenience.
• Timely resolution is essential to avoid financial loss or missed sales.
• When a problem occurs that has the potential for impacting a process or business function at a later time, and requires immediate resolution and/or assistance from another group.

Severity 3 (Moderate Impact): An INDIVIDUAL or small group of individuals is unable to perform job functions.
• Unable to perform non-critical business functions.
• No significant impact to revenue or sales.

Severity 4 (Low Impact): An INDIVIDUAL is able to perform job functions with a work around or some minor inconvenience.
• Problem has a low business impact, if any.
• A minor impact to an individual.
EXHIBIT 2
On Premises Guidelines
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises will comply with this Section.
2.1 Access to Premises
For Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises, Supplier will:
1. to the extent permitted by local law, conduct a preemployment criminal background check, which must be completed prior to placement at Buyer’s or Buyer’s Customer’s premises, covering the counties in which the person was employed or resided for the past seven years (or longer as required by State legislation), and inform Buyer of any negative findings;
2. maintain a current and complete list of the persons' names and social security numbers;
3. obtain for each person a valid identification badge from Buyer and ensure that it is displayed in order to gain access to and at all times while on Buyer’s premises (it is Buyer's policy to deactivate any such badge if not used for one month);
4. maintain a signed acknowledgment that each person will comply with Buyer’s On Premises Guidelines;
5. ensure that each person with regular access to Buyer's and Buyer’s Customer’s premises complies with all parking restrictions and with vehicle registration requirements if any;
6. inform Buyer if a former employee of Buyer will be assigned work under this Agreement, such assignment subject to Buyer approval;
7. at Buyer's request, remove a person from Buyer’s or Buyer’s Customer’s premises and not reassign such person to work on Buyer's or Buyer’s Customer’s premises (Buyer is not required to provide a reason for such request); and
8. notify Buyer immediately upon completion or termination of any assignment and return Buyer’s identification badge. Upon Buyer’s request, Supplier will provide documentation to verify compliance with this Subsection.
2.2 General Business Activity Restrictions
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises:
1. will not conduct any non-Buyer related business activities (such as interviews, hirings, dismissals or personal solicitations) on Buyer's or Buyer’s Customer’s premises;
2. will not conduct Supplier's Personnel training on Buyer’s or Buyer’s Customer’s premises, except for on-the-job training;
3. will not attempt to participate in Buyer or Customer benefit plans or activities;
4. will not send or receive mail unrelated to Buyer or Customer through Buyer's or Customer’s mail systems; and
5. will not sell, advertise or market any products or distribute printed, written or graphic materials on Buyer's or Buyer’s Customer’s premises without Buyer's written permission.
2.3 Buyer’s Safety and Security Guidelines
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s premises:
1. do not bring weapons of any kind onto Buyer's or Buyer’s Customer’s premises;
2. do not manufacture, sell, distribute, possess, use or be under the influence of controlled substances (for nonmedical reasons) or alcoholic beverages while on Buyer's or Buyer’s Customer’s premises;
3. do not have in their possession hazardous materials of any kind on Buyer's or Buyer’s Customer’s premises without Buyer's authorization;
4. acknowledge that all persons, property, and vehicles entering or leaving Buyer's or Buyer’s Customer’s premises are subject to search; and
5. remain in authorized areas only (limited to the work locations, cafeterias, rest rooms and, in the event of a medical emergency, Buyer's or Buyer’s Customer’s medical facilities). Supplier will promptly notify Buyer of any accident or security incidents involving loss of or misuse or damage to Buyer's or Buyer’s Customer’s intellectual or physical assets, physical altercations, assaults, or harassment and will provide Buyer with a copy of any accident or incident report involving the above.
6. Supplier must coordinate with Buyer or Buyer’s Customer access to Buyer’s or Buyer’s Customer’s premises during non-regular working hours.
2.4 Asset Control
In the event Supplier Personnel have access to information, information assets, supplies or other property, including property owned by third parties but provided to Supplier Personnel by Buyer ("Buyer Assets"), Supplier Personnel:
1. will not remove Buyer Assets from Buyer's or Buyer’s Customer’s premises without Buyer's authorization;
2. will use Buyer Assets only for purposes of this Agreement and reimburse Buyer for any unauthorized use;
3. will only connect with, interact with or use programs, tools or routines that Buyer agrees are needed to provide Services;
4. will not share or disclose user identifiers, passwords, cipher keys or computer dial port telephone numbers; and
5. in the event the Buyer Assets are confidential, will not copy, disclose or leave such assets unsecured or unattended. Buyer may periodically audit Supplier's data residing on Buyer's information assets.
2.5 Supervision of Supplier's Personnel
Supplier will provide continual supervision of its Personnel provided under this Agreement, at no additional cost to Buyer. Supplier's supervisor shall have full supervisory authority over all day-to-day employment relationship decisions relating to Supplier’s Personnel, including those decisions relating to: wages, hours, terms and conditions of employment, hiring, discipline, performance evaluations, termination, counseling and scheduling. Supplier's supervisors responsible for each work location will be responsible to know that work location’s planned holiday (and other closing) schedules and the impacts that all such schedules have on Supplier's Personnel. Supplier will conduct orientation sessions with its Personnel before placement on an assignment with Buyer, during which orientation such Personnel will be told the identity and contact information of their supervisor. Supplier will, from time to time, ensure that all of its Personnel working under this Agreement continue to be aware of this information.
Electronic Funds Transfer
Certificate of Originality
EXHIBIT 3
Service Locations
IBM/CIGNA Service Locations: The following locations are identified as authorized IBM/CIGNA service locations.
CIGNA Service Locations for CCA
Site Address
[*]
[*]
[*]
EXHIBIT
4 - Permitted Subcontractors
Ness
[*]
[*]
EXHIBIT 4-C
Security and Data Safeguards
Introduction
Vendor shall provide security controls and safeguards, and shall follow security procedures, at all Vendor Service Locations and in connection with all Systems and Services (whether dedicated or shared) that at a minimum comply with the requirements set forth in this Exhibit 4-C and the General CIGNA Policies set forth in Exhibit 4-C-1, as such requirements are more specifically defined in the Detailed CIGNA Policies set forth in Exhibit 4-C-2, unless, with respect to a specific SOW, different or additional requirements are set forth in such SOW. In the event that the specific security requirements are not set forth in the Detailed CIGNA Policies, then the Parties shall use this Exhibit 4-C and the General CIGNA Policies to establish Vendor’s obligations.
CIGNA may update the ISCD from time to time upon notice to Vendor and, subject to the Change Control Procedure, Vendor shall implement and comply with the updated ISCD, subject to the following:
1. In a dedicated or shared environment, Vendor shall bear the cost of any changes that are any one or more of the following:
(a) evolutionary changes related to security specific issues, such as upgrades, new releases and versions of existing technology or safeguards (e.g., updating anti-virus software, security patches);
(b) changes that are a direct result of changes mandated by Vendor regulation or Vendor Law; and
(c) changes consistent with generally accepted changes made by other companies in the healthcare industry: (i) if implemented by Vendor and given to its customers at no additional charge; or (ii) which changes shall be chargeable to CIGNA; provided, however, such charge shall be: (A) equitably reduced to reflect any leverage that Vendor may gain by providing such changes to multiple Vendor customers in the healthcare industry; and (B) paid from monies extracted from a fund that CIGNA shall, as of the MSA Effective Date, establish, fund and govern and which Vendor shall manage (the “Security Mitigation Fund”). Any such changes will be discussed by the Parties and made pursuant to the Change Control Procedure.
2. In the event that CIGNA makes a change to the ISCD that would require Vendor to make a change to a shared environment and such change is unique to CIGNA (and not generally implemented by other companies), then Vendor shall: (a) provide a proposal to CIGNA identifying the costs and implications of the change, and upon CIGNA approval, make the change, or (b) upon notice to CIGNA, not make the change but advise CIGNA of the costs of moving to a dedicated environment, or (c) if CIGNA does not wish to move to a dedicated environment, Vendor shall provide a proposal to identify the costs to implement safeguards and practices that mitigate CIGNA’s security concerns, and upon approval by CIGNA, implement such safeguards and practices.
3. Vendor shall obtain CIGNA’s review and comment prior to the implementation of any changes in a shared environment that would materially degrade the level of security safeguards and practices provided to CIGNA. If Vendor were to implement any change that materially degrades the level of security safeguards and practices provided to CIGNA, Vendor will reverse such change and continue to provide Services in accordance with applicable Service Levels. Vendor may propose, however, for CIGNA’s review and approval, alternatives which would not require the reversal of such change, but shall allow Vendor to continue to provide Services in accordance with applicable Service Levels. If CIGNA does not approve any alternative, Vendor shall reverse the change and continue to provide Services in accordance with the Service Levels. Except as provided in paragraph 2 above, the costs of all changes in a shared environment shall be borne by Vendor.
Definitions
“External User” shall mean any user that is a CIGNA customer that accesses CIGNA’s systems.
“Information Security Controls Document” or “ISCD” shall mean this Exhibit and the General CIGNA Policies (Exhibit 4-C-1) and Detailed CIGNA Policies (Exhibit 4-C-2), unless, with respect to a specific SOW, different or additional requirements that are set forth in such SOW. The Information Security Controls Document shall be deemed CIGNA’s Confidential Information under the Agreement.
“Vendor Network” shall mean the system under Vendor’s or Vendor agents’ control that transmits any data, voice and/or video alone or in combination or is otherwise used to provide the Services, either within Vendor or between Vendor and CIGNA, including the network operating system in the Vendor client and server machines, the cables connecting them and all supporting hardware including without limitation bridges, routers and switches.
“CIGNA Network” shall mean the system under CIGNA’s or its contractor’s control that transmits any data, voice and/or video alone or in combination that are within the scope of the Services, either within CIGNA or between CIGNA and the Vendor Controlled Router as defined in Schedule K (Business Continuity) of the applicable Statement of Work, including the network operating system in the CIGNA client and server machines, the cables connecting them and all supporting hardware including without limitation bridges, routers and switches.
“Remediate” shall mean to alleviate the security issues so that they are no longer a threat (and if not feasible to completely remove the threat, to minimize the threat to a level acceptable to CIGNA, with CIGNA using reasonable discretion), however, it shall not mean alleviating the effects resulting from the security issue.
Capitalized
terms used herein without specific definition shall have the respective meanings
given to them in the Agreement.
3. CIGNA Data
3.1 Data Safeguards.
3.1.1 Vendor shall establish and maintain safeguards against the destruction, loss, or alteration of CIGNA Data in the possession of, used or viewed by Vendor that are no less rigorous than those set forth in the ISCD. If the ISCD does not cover certain security control, safeguards or procedures, then Vendor shall implement, comply with and follow controls, safeguards and procedures that are consistent with current generally accepted controls, safeguards and procedures in the healthcare industry. Vendor personnel shall not attempt to access, and shall not allow access to, CIGNA Data to which it is not entitled or that is not required for the performance of the Services by Vendor personnel. Vendor shall institute systems security measures to guard against the unauthorized access, alteration, destruction or loss of CIGNA Data.
3.1.2 Vendor shall Remediate and resolve security issues, at Vendor’s expense (provided it shall be at CIGNA’s expense if and to the extent the issue was caused by CIGNA (i.e., CIGNA is at fault)), identified at Vendor Service Locations or in connection with the Systems or Services located at Vendor Service Locations or managed or controlled by Vendor. This extends to any CIGNA approved Service Locations contracted by Vendor. As part of the Services and at a minimum on an annual basis, Vendor shall (at CIGNA’s request and at Vendor’s cost, except as provided in clause (y) immediately below), provide a report regarding security controls across all of the Services, such report to be carried out by an independent third party appointed by Vendor and approved by CIGNA. The scope of work performed by such third party: (a) shall be valued at the lesser of: (i) Vendor’s actual, out-of-pocket costs to contract for the performance of such work; and (ii) $75,000; provided, however, that: (x) if Vendor’s actual, out-of-pocket cost on an annual basis is less than $75,000, CIGNA shall receive a credit for the difference between such cost and $75,000; and (y) if the Parties mutually agree to scope(s) of work valued in the aggregate at an amount greater than $75,000, CIGNA shall be financially responsible for the difference between such greater amount and $75,000; and (b) shall measure (through identification and testing of controls) against the Information Security Control Document and the terms of the report shall be determined by Vendor. If CIGNA is dissatisfied by such reports, CIGNA may, at any time, but no more than twice in any consecutive 12 calendar months, carry out or have carried out a security audit of the Services at CIGNA’s cost, the scope and terms of the report to be agreed between the Parties and upon Vendor receiving appropriate assurances that any of the Vendor Confidential Information shall not be compromised. CIGNA's ability to perform security audits shall not be limited by CIGNA business processing that occurs on non-dedicated (i.e. shared) vendor devices, or by work areas that are not dedicated and isolated to CIGNA business.
3.1.3 Vendor
shall deploy a network and host-based, real-time intrusion detection system
and
vulnerability assessment process that is consistent with the ISCD. Vendor shall
actively monitor these systems and processes for activities that indicate
attempts at breaking the security of the services provided and follow
notification procedures identified in the Security Incident Service Level set
forth in the applicable Statement of Work or Exhibit 2, if any, of the MSA. Along
with the deployment of these controls, Vendor shall adopt and follow Vendor’s
operational procedures (or as otherwise agreed to and described in the
procedures manual) to disable the source of any perceived attack, Remediate
vulnerabilities and escalate to Vendor and CIGNA security groups for follow-up
action. For
purposes of clarity, “vulnerability assessment process” means a process that
tests for known vulnerabilities and produces an evaluation of findings against
such vulnerabilities.
3.1.4 CIGNA
reserves the right to review Vendor’s policies and procedures used to maintain
the security and confidentiality of personal information, including auditing
Vendor concerning such policies and procedures.
3.1.5 Vendor
must maintain security controls that have been attested to CIGNA in CIGNA’s
Service Provider questionnaires and/or during CIGNA standard Service Provider
audits to the level as attested. Vendor must report any changes to the control
environment immediately to CIGNA.
3.1.6
Design,
implementation and integration of all Services shall be consistent with the
Information Security Control Document, unless otherwise set forth in the
applicable SOW. Connectivity and infrastructure used to provide access to CIGNA
systems and/or CIGNA data must meet applicable security controls (encryption,
access controls, etc) as defined in the Information Security Controls
Document.
3.1.6.1. Design, (All) User Access. Password composition and management policies must
comply with or exceed those in the Information Securities Control Document.
· Role Based Access Controls (RBAC) authorization models must be utilized for access to information resources as documented in the Information Securities Control Document.
· Ongoing administration and lifecycle management must be in accordance with the Information Security Control Document.
3.1.6.2. Design, Internal User Access.
· Reasonable effort shall be made to integrate with CIGNA internal authentication and authorization mechanisms. Integration with CIGNA's Enterprise Security Framework is required (XXX/XXX/FIM), where those services can be reasonably expected to fill architecture requirements
3.1.6.3 Design, External User Access.
· All external users must be provided with a one time ID and ‘PIN’ for initial access authentication and authorization; for which the PIN is randomly generated and sent via out-of-band mechanisms such as U.S./International mail (communication via E-mail is NOT an accepted method).
· Support requirements for browsers that support 128 bit encryption in communications to CIGNA end-users.
3.1.6.4 Virtualization, Co-location.
· Data repositories used to store user information must not be hosted on shared systems that do not meet the requirements of the Information Security Controls Document.
3.1.6.5 Off-Shore Information Protection.
The following agreements augment but do not exclude other provisions in the MSA or a SOW:
· Vendor shall not store any CIGNA data classified by CIGNA as Restricted or Highly Sensitive outside of the continental United States except as outlined in the Information Security Controls Document. In support of the Vendor Service Locations outside the United States, Vendor shall ensure the following controls implemented:
(a)
If offshore facility is NOT controlled by Vendor, and employees in the facility
are NOT employed by Vendor, then the Vendor shall provide a physically isolated,
network isolated area for customer service representatives (CSR) handling CIGNA
calls;
(b)
CIGNA provided and CIGNA managed desktop lockdown software (currently Verdasys
Digital Guardian) shall be installed on all Vendor PC’s accessing CIGNA data
classified by CIGNA as Restricted or Highly Sensitive. The software policy
shall be managed by CIGNA or its vendor, and shall be configured to monitor and/or
restrict a workstation user’s ability to move, print or upload CIGNA
information.
(c)
Vendor CSR’s servicing CIGNA shall perform their duties only from within the
approved vendor facility,
(d)
Workstation IDs, antivirus, and personal firewalls must be deployed, managed,
and actively audited as outlined in the Information Security Controls Document;
(e)
User level audit logging of CIGNA/CSR activity must be enabled, and available
to
CIGNA upon request. Retention periods must meet CIP policy (90 day raw logs,
6
year incident/activity reporting). Audit logging shall be performed for those
activities specified in the Information Security Controls Document.
3.2 Backup
Security. CIGNA shall have the right to establish additional Data backups (as
a
supplement to any of Vendor’s obligations under a SOW) for any Data and to keep
backup copies of this Data in CIGNA’s possession. Should CIGNA choose to
exercise its rights under this Section 3.2, related expenses shall be borne
by
CIGNA.
3.3 Media.
No media on which CIGNA Data is stored may be used or re-used to store data
of
any other customer of Vendor or to deliver data to a third party, including
another Vendor customer, unless Vendor first implements procedures described
in
the Detailed CIGNA Policies.
3.4 Breach
of Security. In the event Vendor or Vendor Agents discovers or is notified
of a
breach or potential breach of security controls relating to the CIGNA Data,
Systems or Infrastructure under Vendor’s or Vendor Agent’s control, Vendor shall
immediately (a) notify the CIGNA Engagement Manager and CIGNA Security Incident
Response Team (CSIRT) of such breach or potential breach and (b) if the
applicable CIGNA Data was in the possession of Vendor or Vendor Agents at the
time of such breach or potential breach, Vendor shall (i) investigate and
Remediate the breach or potential breach and (ii) provide CIGNA with assurance
satisfactory to CIGNA that such breach or potential breach shall not recur.
4.0 Security
Management
Vendor
shall:
provide
a Vendor Information Security Advisor (or ISA) as focal point with
responsibility for day-to-day security management who is a security subject
matter expert;
in
conjunction with CIGNA, review security policies and procedures that impact
the
Vendor software and vendor equipment for effectiveness, and recommend
improvements, including control improvements;
review
changes requested by CIGNA to its security policies and standards and advise
CIGNA whether or not such changes can be implemented, if Vendor does not
implement the changes requested by CIGNA, Vendor shall implement mitigating
controls approved by CIGNA, and such change shall be handled in accordance
with
the Change Control Procedures;
communicate
the security procedures to Vendor Personnel accessing CIGNA applications and/or
network (for example, login procedures, password requirements, use of anti
virus
programs, and data and equipment security procedures); and
notify
CIGNA of any condition discovered or known by Vendor that is likely to affect
negatively the confidentiality, integrity, or availability of CIGNA’s
information, CIGNA’s ability to use a Vendor provided application or Vendor’s
ability to access CIGNA data.
CIGNA
shall:
provide
a CIGNA security subject matter expert focal point individual with
responsibility for day-to-day security management;
communicate
the security procedures to CIGNA end users (for example, login procedures,
password requirements, use of anti virus programs, data and equipment security
procedures);
in
conjunction with Vendor, review security policies and procedures for
effectiveness and recommend improvements; and
notify
Vendor of changes CIGNA plans to make to its security policies and standards
and
the changes to be implemented by Vendor.
5.0
Physical Security
Vendor
shall, to the level or standard specified in the Information Security Controls
Document:
provide
physical security controls at Vendor Service Locations;
restrict
access to data processing areas for which Vendor has security responsibility
to
authorized personnel only as defined in the Information Security Controls
Document;
conduct
periodic reviews of the data processing areas for which Vendor has security
responsibility including reviews of access logs for unusual occurrences and
perform follow-up activities in accordance with the procedures specified in
the
Information Security Controls Document;
protect
Vendor Network devices on Vendor's premises from any unauthorized
access;
protect
printed output from unauthorized access or removal while under Vendor's control;
provide
secure storage for removable storage media under Vendor's control;
resolve
discrepancies discovered during the annual removable storage media audit and
inform and obtain acceptance from CIGNA on the resolution;
implement
controls as set forth in the ISCD (and if not set forth therein consistent
with
current generally accepted practices in the healthcare industry) that are
designed to eliminate residual information on removable storage media before
disposal or reuse outside of CIGNA;
during
the Transition Period, with CIGNA's assistance, perform a baseline inventory
of
removable storage media (for example, tapes, disks) for which Vendor has
security responsibility.
CIGNA
shall protect LAN servers and infrastructure devices on CIGNA premises from
unauthorized physical access.
6.0
Network Infrastructure Security
Vendor
shall for equipment under its control:
control
the network operating system security and administrative user IDs;
provide
and maintain current virus avoidance, detection, and elimination software for
supported servers in conjunction with the ISCD standards utilizing Vendor
approved packages. Virus protection software shall have an automated mechanism
for updating the virus definitions, implementing current definitions within
8
hours of issuance by vendor (unless security risk mandates faster deployment);
perform
audits of media (for example, diskettes) and Vendor End User equipment
potentially affected by a virus;
monitor
virus protection software alerts, follow notification procedures identified
in
the Security Incident Service Level set forth in the applicable Statement of
Work or Exhibit 2, if any, of the MSA, respond to virus attacks and initiate
corrective action to eradicate viruses as detected; and
remove
and/or render inoperable unneeded services.
7.0
Data Network
Vendor
shall:
use
Change Control Procedures to control changes to Vendor managed devices used
to
connect the Vendor network to the CIGNA network. Changes to hardware and/or
software must be planned in advance, communicated to CIGNA in advance, and
thoroughly tested before being placed into production. Back-out and restoration
must be part of the plan and sufficient time must be allocated for restoration
to be accomplished;
validate
that access to CIGNA systems is limited to authorized Vendor Personnel,
including Vendor agents CIGNA approved Subcontractors, utilizing security
controls as described in the Information Security Controls
Document;
encrypt
traffic traveling across the Vendor network to CIGNA (and vice versa) network
as
specified in the Information Security Controls Document
CIGNA
shall provide security to only allow authorized users to access services hosted
at Vendor Service Locations.
EXHIBIT 4-C-1
GENERAL CIGNA POLICIES
Vendor
shall perform an annual risk assessment across all Services under the MSA
intended to identify information resources that require protection. Assessment
shall be based upon a mutually agreeable assessment plan, to understand and
document risks from security failures that may cause loss of confidentiality,
integrity, or availability. Risk assessments shall document the potential
adverse impact to CIGNA's operations, and assets. This risk assessment shall
be
conducted by a team composed of appropriate representatives from Vendor and
CIGNA and other personnel associated with the activities subject to assessment.
Vendor shall identify resolutions to address issues or risks identified from
this assessment within a reasonable timeframe and Vendor shall prepare a
proposal in accordance with the Change Control Procedure to Remediate such
issues or risks; provided, however, that if the assessment reveals required
Remediation due to Vendor nonperformance of its obligations under Exhibit
4-C
or the MSA, then such Remediation shall be at Vendor’s expense. The Parties will
work together in good faith to approve and implement the proposal prior to
any
regulatory or legally mandated deadlines.
The
sensitivity of a resource, and therefore the level of security controls
required, depends upon the sensitivity of the data retained by or accessible
through the information resource, as defined in the Detailed CIGNA Policies.
CIGNA, as the data owner is the authority on any data classification assignments
and the approver for access.
Vendor
shall utilize the procedures described in the ISCD (whether or not included
in
the Procedures Manual) to ensure that the release of data is to only authorized
users and is accompanied with proper instructions regarding appropriate use,
protection, disposal and removal from premise.
Any
CIGNA information classified as proprietary, restricted, or highly sensitive
is
to be isolated at rest from any other customer’s data. This information is
required to be encrypted if the information can be accessed by Parties not
working on the CIGNA account as set forth in the Detailed CIGNA Policies. All
tape backups must contain only CIGNA information. Tapes and tape backups
transported from Vendor Service Locations or located at sites other than Vendor
Service Locations must be encrypted. All other storage media must maintain
an
isolation of CIGNA's information from other customer’s information and/or
access, including portable media
CIGNA
retains all rights to audit facilities, applications, systems and transports
where CIGNA information resides or is transported. Audit times and frequency
are
at the discretion of CIGNA. Entry and exit logs to facilities that have CIGNA
information classified as proprietary, restricted, or highly sensitive must
be
made available on request.
All
privileged access to CIGNA information must be logged and reviewed on a
quarterly basis. This would include, but not limited to, all DBA, System
Administrator and support personnel access to information. All logs so generated
are to be protected to ensure integrity and non-repudiation.
All
external facing systems containing CIGNA information are required to pass
quarterly penetration testing by third party. All internal systems are required
to pass a vulnerability scan quarterly. Vendor will perform necessary measures
to address non-compliance or vulnerability issues (e.g., resulting from scans)
and follow notification procedures identified in the Security
Compliance/Vulnerability Issue Service Level set forth in the applicable
Statement of Work or Exhibit 2, if any, of the MSA.
All
security software used by vendor must stay within the software vendor’s
definition of currently supported software with all relevant security patches
applied.
With
the exception of virus protection software, Vendor will implement current
signatures/rules for security components within 2 weeks of issuance by security
component vendor (unless security risk mandates faster deployment).
Vendor
will consider failure of any security hardware or software component (e.g.,
network intrusion detection failure, virus protection software stoppage, etc.)
as a high (Severity 1) alert and
follow notification procedures identified in the Security Incident Service
Level
set forth in the applicable Statement of Work or Exhibit 2, if any, of the
MSA.
Vendor
will support mechanism for CIGNA to access alert data (e.g., from virus
protection, intrusion detection, etc.) at near real time.
Any
remote access via either a shared or public network to a device processing
CIGNA
information requires a dual factor authentication method.
Vendor
shall notify and CIGNA must approve all infrastructure and facility changes
that
impact CIGNA's risk profile including: moving to new facility or changing
network configuration.
All
systems and designs must implement a Role Based Access Control (RBAC)
authorization model that leverages CIGNA definitions and roles where possible.
This would include fine grain authorization within the application. This
information must be kept current and available in documented form for review
and/or audit.
All
Design must include, test and validate safeguards addressing the following
data
protections:
· Controls to support necessary access requirement
· Protection of data in transit and at rest
· Mechanisms and methods to audit systems and configurations
· Leverage CIGNA current security framework such as XXX, XXX, and FIM.
· Mutual authentication with authorization between application components
Vendor
must ensure data protection follows a “Defense in Depth” philosophy. Security
services which provide optimal Availability, Confidentiality, Integrity and
Non-Repudiation should be implemented based upon agreed upon risk
evaluation
Only
production equipment shall run in the production environment. Test, development,
staging, and training must be physically or virtually separated (segmented)
from
the production environment. The production environment must be monitored to
insure only Production systems are in the Production environment.
Vendor
shall not use production data (real data) outside of the production
environment.
Vendor
sites/locations must pass a CIGNA External Service Provider review before
hosting or processing CIGNA information.
All
system designs must be documented with security controls identified. These
designs must pass CIP approval before construction.
EXHIBIT 10
Form Non-Disclosure and Assignment Agreement
THIS
NON-DISCLOSURE AND ASSIGNMENT AGREEMENT (this
“Agreement”),
dated as of this ____ day of ____________, 200__, is entered into by and between
Chordiant Software, Inc. (“Chordiant”) and [insert
Chordiant employee or contractor full name]
W I T N E S S E T H:
WHEREAS,
my full name is [insert
Chordiant employee or contractor full name]
and I am employed by or acting as a consultant to Chordiant;
WHEREAS,
IBM provides certain services (the “Services”)
to Connecticut General Life Insurance Company, its affiliates and certain other
entities designated by Connecticut General Life Insurance Company (collectively,
“CIGNA”)
under that certain Master Services Agreement by and between CIGNA and IBM,
dated
as of September 28, 2006 (the “MSA”);
WHEREAS,
Chordiant provides certain services to IBM under that certain Statement of
Work
by and between Chordiant and IBM dated as of September 28, 2006 (the “SOW”) on
behalf of CIGNA;
WHEREAS,
Chordiant
provides licenses and rights to CIGNA pursuant to a certain agreement between
Chordiant and CIGNA dated as of September 28, 2006 (the “CIGNA Agreement”);
WHEREAS,
CIGNA possesses certain Confidential Information (as defined below) relating
to
its business processes, products and technology;
WHEREAS,
I understand and agree that I will have access to such Confidential Information
during my [employment] [consultancy] with Chordiant; and
NOW
THEREFORE,
in consideration for and as a condition to my assignment to the CIGNA account,
I
agree to be bound by the terms set forth herein.
1. Definition of Confidential Information. As used herein, “Confidential Information” shall mean any and all materials, information, processes, methodologies, tools, software programs, code, intellectual property and other data, technical or non-technical, whether written, electronic, graphic or oral, furnished or disclosed by CIGNA or on CIGNA’s behalf to you (by IBM or otherwise), either directly or indirectly, with the exception only of the following: (a) information that is now in the public domain or subsequently enters the public domain through no fault or act of the receiving party; (b) information that is presently known or becomes known to the receiving party from its own independent source as evidenced by the receiving party; (c) information that the receiving party receives from any third party not under any obligation to CIGNA to keep such information confidential; (d) information that is independently developed by the receiving party as proven by the receiving party’s written records; and (e) as otherwise allowed in the SOW and the MSA.
2. Non-Disclosure Obligations. I hereby understand and agree:
(a) To use the same care and discretion to avoid disclosure, publication or dissemination of Confidential Information as I use with respect to Chordiant’s own similar information that it does not wish to disclose, publish or disseminate and use Confidential Information solely to the extent required to fulfill Chordiant’s obligations under the SOW and IBM’s obligations or exercise IBM’s rights under the MSA.
(b) Not to deliver to or disclose or otherwise make available to anyone any Confidential Information except as authorized in the SOW and the MSA.
(c) Except as otherwise expressly stated in this Agreement, not to disclose the existence of this Agreement, any of the activities which may take place pursuant to this Agreement, the relationship formed, if any, under this Agreement or the other party’s interest in the subject matter to which this Agreement relates, to anyone except those employees of Chordiant, CIGNA and IBM with a need to know unless authorized in the SOW and the MSA.
(d) That Confidential Information delivered by CIGNA (or by IBM, on CIGNA’s behalf), and all copyright, patent, and other proprietary rights therein, shall remain property of CIGNA or its direct and indirect subsidiaries and affiliates, as the case may be, at all times.
(e) Nothing contained herein shall be construed as: (i) granting to me any right, title or interest in or to, or any license under, any patent or patent application, now or subsequently owned by CIGNA or IBM or their respective designees; and (ii) granting to me any right, title or interest in or to, or any license under Confidential Information provided by CIGNA (or by IBM, on CIGNA’s behalf).
(f) Upon Chordiant’s completion of Services to IBM and CIGNA, or IBM’s completion of Services to CIGNA, or upon CIGNA or IBM’s earlier request: (i) I shall immediately cease using the Confidential Information; and (ii) return Confidential Information (including all copies and summaries thereof) to CIGNA (or IBM, on CIGNA’s behalf), or, at the CIGNA’s option, destroy the same promptly after a written or oral demand. Upon CIGNA or IBM’s request, I shall certify to the requesting party in writing that I have complied with my obligations under this paragraph.
3. Assignment Obligations. I hereby understand and agree:
(a) That during the course of my employment, I may work on and be a part of the development of technology, processes, methodologies, and other work product for CIGNA (or IBM, on CIGNA’s behalf). In accordance with the provisions of the SOW and the CIGNA Agreement, I hereby assign to Chordiant any technology, processes, methodologies, and other work product developed by me and such technology, processes, methodologies, and other work product which shall become the sole and absolute property of Chordiant to enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement and for IBM to meet its obligations to CIGNA under the MSA.
(b) That any and all inventions, improvements, discoveries, technologies, processes, methodologies, and other work product developed or discovered by me as a result [of my employment at] [or consultancy with] Chordiant shall be fully disclosed to Chordiant (or IBM, on CIGNA’s behalf, as required by the MSA), and in accordance with the provisions of the SOW I hereby assign the same to Chordiant, CIGNA and IBM, respectively, and the same shall become the sole and absolute property of Chordiant to enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement and for IBM to meet its obligations to CIGNA under the MSA. Upon the request of IBM or CIGNA, I shall execute, acknowledge, and deliver such assignments and other documents as Chordiant, IBM or CIGNA may consider necessary or appropriate to vest all rights, titles, and interests therein to enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement and to enable IBM to meet its obligations to CIGNA under the MSA.
4. Remedies. I hereby understand and agree:
(a) That unauthorized use or disclosure of Confidential Information may likely result in substantial monetary and other damages to CIGNA (or IBM, on CIGNA’s behalf) and their respective direct and indirect subsidiaries and affiliates and will subject me to disciplinary action, including termination of employment, and civil and criminal legal proceedings.
(b) That the unauthorized use or disclosure of Confidential Information may give rise to irreparable injury to CIGNA (or IBM, on CIGNA’s behalf) and acknowledge that remedies other than injunctive relief may not be adequate. Accordingly, IBM and CIGNA and their respective direct and indirect subsidiaries and affiliates have the right to seek equitable and injunctive relief to prevent the unauthorized disclosure of Confidential Information.
5. Miscellaneous. I hereby understand and agree:
(a) This Agreement embodies the entire understanding between the parties as to the subject matter of this Agreement and supersedes and replaces any and all prior understandings, arrangements and agreements whether oral or written relating to the Confidential Information. The terms of this Agreement shall not be amended or modified except in writing signed by each of Chordiant and me.
(b) The provisions of this Agreement shall survive the expiration or termination of the MSA and the SOW for a period of seven (7) years.
(c) This Agreement is a personal, indivisible, nontransferable agreement and may not be assigned or transferred, in whole or in part, by either party.
(d) CIGNA shall be an intended third party beneficiary of this Agreement but only as to individuals who are no longer employed by Chordiant or retained as a consultant by Chordiant.
(e) This Agreement shall be governed by, and construed and interpreted in accordance with, the laws of the State of New York, without respect to its rules on the conflict of laws.
[REMAINDER
OF PAGE LEFT INTENTIONALLY BLANK]
IN
WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed
by
their duly authorized officers as set forth below.
CHORDIANT SOFTWARE, INC. | [insert Chordiant employee or contractor full name]
By: | By:
Name: | Name:
Title: | Title:
Date: | Date:
EXHIBIT 13
Data Privacy Provisions
This Exhibit 13 - Data Privacy Provisions, consists of the following, attached two parts: (a)
Exhibit 13A regarding CIGNA’s Business Associate Addendum; and (b) Exhibit 13B
regarding European Union Data Privacy.
EXHIBIT 13A
BUSINESS ASSOCIATE ADDENDUM
I. INTRODUCTION.
The
Parties acknowledge that the Services may
involve the use or disclosure of Protected Health Information, as this term
is
defined in this Addendum. Accordingly, the Parties agree to the terms in this
Addendum to comply with the Health Insurance Portability and Accountability
Act
of 1996 (“HIPAA”)
Privacy Rule and Security Standards as those terms are defined in this
Addendum.
II. DEFINITIONS
For
purposes of this Addendum, terms defined herein shall supersede similarly
defined terms in the MSA. Terms used in this Addendum shall have the same
meaning as those terms in the HIPAA Privacy Rule and Security Standards,
currently defined, in relevant part, as follows:
“Protected
Health Information”
shall mean Individually Identifiable Health Information transmitted or
maintained in any form or medium that Vendor creates or receives from or on
behalf of CIGNA in the course of fulfilling its obligations under the MSA
(which, for clarification, includes this Addendum). "Protected Health
Information" shall not include: (i) education records covered by the Family
Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g; (ii) records
described in 20 U.S.C. §1232g(a)(4)(B)(iv); and (iii) employment records held by
CIGNA in its role as employer.
“Designated
Record Set” shall
mean a group of records maintained by or for CIGNA that is: (i) the medical
records and billing records about individuals maintained by or for CIGNA; (ii)
the enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or (iii) used, in whole
or in
part, by or for CIGNA to make decisions about individuals. As used herein,
the
term “Record”
means any item, collection, or grouping of information that includes Protected
Health Information and is maintained, collected, used, or disseminated by or
for
CIGNA.
“Electronic
Media” shall
mean: (1) electronic storage media including memory devices in computers (hard
drives) and any removable/transportable digital memory medium, such as magnetic
tape or disk, optical disk, or digital memory card; or (2) transmission media
used to exchange information already in electronic storage media. Transmission
media include, for example, the internet (wide-open), extranet (using internet
technology to link a business with information accessible only to collaborating
parties), leased lines, dial-up lines, private networks, and the physical
movement of removable/transportable electronic storage media. Certain
transmissions, including paper, via facsimile, and of voice, via telephone,
are
not considered to be transmissions via electronic media, because the information
being exchanged did not exist in electronic form before transmission.
“Electronic
Protected Health Information”
shall mean Protected Health Information that is transmitted by or maintained
in
Electronic Media.
“Individually
Identifiable Health Information”
shall mean information that is a subset of health information, including
demographic information collected from an individual, and
(i) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual; and
(iii) relates to identifiable non-health information including but not limited to an individual’s address, phone number and/or Social Security number.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
“Secretary” shall mean the Secretary of the Department of Health and Human Services.
“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
“Security Standards” shall mean the HIPAA Security Standards, 45 C.F.R. Parts 160 and 164
III. OBLIGATIONS OF VENDOR
Section 1. Use and Disclosure of Protected Health Information.
Vendor may use and disclose Protected Health Information only to carry out the obligations of Vendor set forth in the MSA (which, for clarification, includes this Addendum) or as required by law, subject to the provisions set forth in this Addendum. Vendor shall neither use nor disclose Protected Health Information for the purpose of creating de-identified information that will be used for any purpose other than as directed by CIGNA to carry out the obligations of Vendor set forth in the MSA (which, for clarification, includes this Addendum) or as required by law.
Section 2. Safeguards Against Misuse of Information.
Vendor agrees that it will implement safeguards to prevent the use or disclosure of Protected Health Information in any manner other than pursuant to the terms and conditions of the MSA (which, for clarification, includes this Addendum). Vendor shall implement administrative, physical and technical safeguards that protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of CIGNA, as required by the Security Standards.
Section 3. Reporting of Uses and Disclosures of Protected Health Information and Security Incidents.
Upon becoming aware of a use or disclosure of Protected Health Information in violation of this Addendum, Vendor shall promptly report such use or disclosure to CIGNA. Vendor shall promptly report to CIGNA any Security Incident of which it becomes aware.
Section 4. Agreements with Third Parties.
Vendor shall contractually require that any agent or subcontractor of Vendor to whom Vendor provides Protected Health Information that is received from CIGNA, or created or received by Vendor on behalf of CIGNA, agrees to be bound by terms and conditions that will allow Vendor (including any agent or subcontractor) to comply with the terms of this Addendum with respect to such Protected Health Information. Vendor warrants and represents that in the event of a disclosure of Protected Health Information to any third party, the information disclosed shall be no more than the minimum necessary for the intended purpose. Vendor shall contractually require that any agent or subcontractor of Vendor to whom Vendor provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information.
Section 5. Access to Information.
In the event Vendor maintains Protected Health Information in a Designated Record Set, Vendor shall, within five (5) business days of receipt of a request from CIGNA, provide to CIGNA Protected Health Information in Vendor’s possession that is required for CIGNA to respond to an individual’s request for access to Protected Health Information made pursuant to 45 C.F.R. § 164.524 or other applicable law. In the event any individual requests access to Protected Health Information directly from Vendor, whether or not Vendor is in possession of Protected Health Information, Vendor may not approve or deny access to the Protected Health Information requested. Rather, Vendor shall, within two (2) business days, forward such request to CIGNA.
Section 6. Availability of Protected Health Information for Amendment.
In the event Vendor maintains Protected Health Information in a Designated Record Set, Vendor shall, within five (5) business days of receipt of a request from CIGNA, provide to CIGNA Protected Health Information in Vendor’s possession that is required for CIGNA to respond to an individual’s request to amend Protected Health Information made pursuant to 45 C.F.R. § 164.526 or other applicable law. If the request is approved, Vendor shall incorporate any such amendments to the Protected Health Information as required by 45 C.F.R. §164.526 or other applicable law. In the event that the request for the amendment of Protected Health Information is made directly to the Vendor, whether or not Vendor is in possession of Protected Health Information, Vendor may not approve or deny the requested amendment. Rather, Vendor shall, within two (2) business days forward such request to CIGNA.
Section 7. Accounting of Disclosures.
Vendor agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for CIGNA to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 or other applicable law. Vendor shall, within ten (10) business days of receipt of a request from CIGNA, provide to CIGNA such information as is in Vendor’s possession and is required for CIGNA to respond to a request for an accounting made in accordance with 45 C.F.R. 164.528 or other applicable law. In the event the request for an accounting is delivered directly to Vendor, Vendor shall, within two (2) business days, forward such request to CIGNA. It shall be CIGNA’s responsibility to prepare and deliver any such accounting requested.
Section 8. Availability of Books and Records.
Vendor hereby agrees to make its applicable internal practices, books and records, including policies and procedure, available to the Secretary for purposes of determining CIGNA’s and Vendor’s compliance with the Privacy Rule and Security Standards. The practices, books and records subject to this Section are those practices, books and records that relate to the use and disclosure of Protected Health Information that is created by Vendor on behalf of CIGNA, received by Vendor from CIGNA, or received by Vendor from a third party on behalf of CIGNA.
IV. TERMINATION
a. Upon termination of the MSA, Vendor’s obligations hereunder shall terminate when all of the Protected Health Information provided by CIGNA to Vendor, or created or received by Vendor on behalf of CIGNA, is destroyed or returned to CIGNA, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
b. If Vendor has committed a material breach of the MSA (which, for clarification, includes this Addendum) pertaining to the use or disclosure of PHI, CIGNA shall either:
1. Provide an opportunity for Vendor to cure the breach or end the violation and terminate the MSA if Vendor does not cure the breach or end the violation within a time period reasonably specified by CIGNA; or
2. Immediately terminate the MSA if CIGNA determines cure is not possible.
c. Effect of Termination.
1. Except as provided in paragraph (2) of this section, upon termination of the MSA or SOW, for any reason, Vendor shall return or destroy all Protected Health Information received from CIGNA, or created or received by Vendor on behalf of CIGNA that relate to the terminated portion of Services. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Vendor. Vendor shall retain no copies of the Protected Health Information.
2. In the event that Vendor objectively demonstrates to CIGNA’s reasonable satisfaction that returning or destroying the Protected Health Information is infeasible, Vendor shall extend the protections of this Addendum to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Vendor maintains such Protected Health Information.
V. MISCELLANEOUS
Section 1. Regulatory References.
A reference in this Addendum to a section in the HIPAA Privacy Rule or Security Standards means the section as in effect or as amended.
Section 2. Amendment.
In the event that state or federal law or regulation, or an arbitration or judicial interpretation of same, or any regulatory or enforcement action should explicitly or otherwise require that this Addendum be changed, altered or modified, then the CIGNA shall notify Vendor and provide such required amendment, and the CIGNA and Vendor shall continue to perform Services under the MSA as modified, subject to Change Control Procedures.
Section 3. Survival.
The respective rights and obligations of Vendor under Section III(c)(2) (Effect of Termination), Section IV(3) (Regulatory References) and Section IV(5) (Survival) of this Addendum shall survive the termination of the MSA or SOW.
VI. EFFECT OF ADDENDUM
Notwithstanding anything to the contrary in the MSA, to the extent that this Addendum conflicts with the terms of the MSA relating to Protected Health Information, the terms of this Addendum shall take precedence.
EXHIBIT 13B
EUROPEAN UNION DATA PRIVACY
1. DATA PROTECTION FOR PERSONAL DATA PROCESSED IN THE EUROPEAN ECONOMIC AREA
1.1 With respect to any CIGNA Data that is “personal data” (as defined in the EU Data Privacy Directive, which is in turn defined below) and is processed within, or transferred out of, the European Union or the European Economic Area (“CIGNA Personal Data”), the Parties shall each comply with their respective obligations under the European Union Data Protection Directive (Directive 95/46/EC) (the “EU Data Protection Directive”), the laws of each member state of the European Union that implement the EU Data Protection Directive or any related or similar Laws of any member state of the European Union or the European Economic Area (collectively, and as any of the same may be amended or replaced from time to time, the “European Data Protection Laws”). Both Parties shall take the necessary precautions to avoid acts that place the other Party in breach of its obligations under the European Data Protection Laws and nothing in the MSA shall be deemed to prevent any Party from taking the steps it reasonably deems necessary to comply with the European Data Protection Laws.
1.2 The Parties acknowledge that, as between CIGNA and Vendor and Permitted Subcontractors:
(a) CIGNA alone shall determine the purposes for which and the manner in which CIGNA Personal Data is, or is to be, processed by Vendor or Permitted Subcontractors in the performance of the Services;
(b) CIGNA shall be the data “controller” (as defined in the EU Data Protection Directive) in respect of all CIGNA Personal Data processed by Vendor or Permitted Subcontractors for purposes of the European Data Protection Laws; and
(c) Vendor shall be the “data processor” (as defined in the EU Data Protection Directive) in respect of CIGNA Personal Data processed by Vendor or Permitted Subcontractors for purposes of the European Data Protection Laws.
1.3 Without limiting the generality of Section 1.1 above, Vendor shall, and shall cause any Permitted Subcontractors to, promptly comply with any written request by CIGNA to (at Vendor's cost and expense except as set forth in subsection (a) as CIGNA's cost):
(a) correct or delete inaccurate CIGNA Personal Data processed by Vendor or Vendor Agents to the extent the inaccuracy was caused by Vendor or Permitted Subcontractors (otherwise CIGNA shall be responsible for the correction or deletion);
(b) provide to CIGNA a copy of CIGNA Personal Data processed by Vendor relating to a “Data Subject” (as defined in the EU Data Protection Directive) that is stored in any form of retrieval or storage facilities in the possession or control of Vendor or Permitted Subcontractors;
(c) provide reasonable information to CIGNA about Vendor’s or Permitted Subcontractors' processing of CIGNA Personal Data;
(d) assist in respect of any request or notice, or any anticipated request or notice, by or on behalf of any “Data Subject” (as defined in the EU Data Protection Directive) in respect of CIGNA Personal Data processed by Vendor or Permitted Subcontractors; and
(e) otherwise provide reasonable assistance to CIGNA as necessary to allow CIGNA to comply with the EU Data Protection Directive.
1.4 Without limiting the generality of Section 1.1 above, Vendor shall not, and shall cause Permitted Subcontractors not to (without CIGNA's prior written authorization):
(a) use CIGNA Personal Data for Vendor’s or any Permitted Subcontractor’s own purposes, including marketing purposes and for any other purpose other than performing the Services;
(b) transfer any of CIGNA Personal Data to third parties or across any country’s border which is not reasonably required for the performance of the Services; or
(c) carry out the processing by automatic means of any CIGNA Personal Data for the purpose of evaluating matters about a “Data Subject” (as defined in the EU Data Protection Directive) that constitutes the sole basis for any decision that significantly affects such Data Subjects.
1.5 Without limiting the generality of Section 1.1 above, Vendor shall, and shall cause Permitted Subcontractors to:
(a) (i) promptly notify CIGNA if any complaints are received about the processing of CIGNA Personal Data processed by Vendor or Permitted Subcontractors from third parties; (ii) not make any admissions or take any action which may be prejudicial to the defense or settlement of any such complaint; and (iii) provide to CIGNA such reasonable assistance as it may require in connection with such complaint;
(b) in the event that Vendor, or a Permitted Subcontractor, acquires, on behalf of CIGNA, any CIGNA Personal Data from “Data Subjects” (as defined in the EU Data Protection Directive) as part of the Services, give such individuals a data protection notice describing the intended use of such CIGNA Personal Data, in a form provided by CIGNA.
1.6 Without limiting the generality of Section 1.1 above, with respect to CIGNA Personal Data that is processed by Vendor or Permitted Subcontractors within the European Union or European Economic Area, Vendor shall, and shall cause Permitted Subcontractors to:
(a) take technical and organizational security measures, in accordance with the requirements of the MSA and this Exhibit, to safeguard against unauthorized and unlawful processing of CIGNA Personal Data processed by Vendor or Permitted Subcontractors and against accidental loss or destruction of, or damage to, CIGNA Personal Data processed by Vendor or Permitted Subcontractors;
(b) only process CIGNA Personal Data in accordance with written instructions given to Vendor by CIGNA and as set out in the MSA;
(c) taking reasonable steps to ensure the reliability of those Vendor Personnel that have access to CIGNA Personal Data; and
(d) provide all of Vendor Personnel involved in processing CIGNA Personal Data with reasonably adequate training in the care and handling of Personal Data.
1.7 CIGNA hereby instructs Vendor to take such steps as are necessary to the performance of Vendor’s obligations under this Exhibit.
2. DATA PROTECTION FOR PERSONAL DATA PROCESSED
2.1 CIGNA and Vendor each covenant that each of them shall provide the other prompt notice of any inquiry, notice of violation, notice of enforcement action, or other similar notice received from the European Union or European government agency with respect to the compliance of CIGNA and/or Vendor with the EU Data Protection Directive with respect to the performance of CIGNA and/or Vendor under the MSA.
2.2 Vendor covenants that at all times during the MSA Term and during any Termination Assistance Period that:
(a) Vendor shall, and shall cause Permitted Subcontractors to: (i) provide processing of CIGNA Personal Data (including operations that are necessary to support or accomplish the processing) in accordance with the MSA; and (ii) not transfer any of CIGNA Personal Data to third parties or across any country’s border which is not specified in the MSA for the processing of CIGNA Personal Data unless CIGNA has given consent to relocate the processing elsewhere (which consent shall be in CIGNA's sole discretion);
(b) Vendor shall not, and shall cause Permitted Subcontractors not to, otherwise through any act or omission cause CIGNA Personal Data to be transferred to third parties or across any country’s border which is not specified in the MSA for the processing of CIGNA Personal Data unless CIGNA has given consent for Vendor to relocate the processing elsewhere (which consent shall be in CIGNA’s sole discretion);
(c) the covenants in subsections (a) and (b) are not intended to restrict Vendor from accomplishing the following from a location that is outside the United States, European Union and/or European Economic Area and otherwise authorized under this Agreement: (i) its own internal processing (e.g., the preparation and transmission of invoices); or (ii) providing Services which do not involve the processing of CIGNA Personal Data (such as engineering services, consulting services, software development services that do not involve tests involving the processing of CIGNA Personal Data); and
(d) if Vendor or a Permitted Subcontractor breaches the covenants set out in subsections (a) and (b), then in addition to any other remedies to which CIGNA might be entitled under the MSA or at law or in equity, Vendor shall, after notice from CIGNA, at its own expense promptly accomplish all actions necessary to have the data returned so as to be in compliance with subsections (a) and (b).