The URL can be used to link to this page

19-098 City Data Services, Technology Agreement, Software-as-a-Service TECHNOLOGY SOFTWARE-AS-A-SERVICE (SaaS) AGREEMENT i AGREEMENT BETWEEN THE CITY OF CUPERTINO AND CITY DATA SERVICES FOR SOFTWARE-AS-A-SERVICE THIS AGREEMENT ("Agreement"), by and between the CITY OF CUPERTINO, a California municipal corporation ("City"), and City Data Services a corporation whose address is 403 Alvarado Street, Brisbane, CA 94005 ( "Software Provider") (collectively referred to as the "Parties"). i RECITALS: The following Recitals are a substantive portion of this Agreement: A. City is a municipal corporation duly organized and validly existing under the laws of the State of California. B. Software Provider is specially trained, experienced and competent to perform the special services which will be required by this Agreement. . C. City and Software Provider desire to enter into an agreement for Software Provider's provision of software-as-a-service (SaaS) pertaining to City's online systems. Through this Agreement, Software Provider shall provide to City cloud based data management services for Community Service module and a component of the Single Family module relating to the City's network. The full scope of services covered by this agreement is described in the attached Exhibit A: Service Level Agreement (the "SLA"). NOW, THEREFORE, the Parties mutually agree as follows: j i 1. TERM The term of this Agreement shall commence on July 1, 2019. The termination of this Agreement is June 20, 2020, unless the Agreement is terminated prior thereto under the provisions of Section 16, below. 2. SCOPE OF SERVICES AND CONDITIONS THEREOF Subject to the terms and conditions set forth in this Agreement, Software Provider shall perform each and every service to the schedule of performance set forth in the SLA(collectively"Services"), as described below. A. Responsibilities of Software Provider. Software Provider shall provide the software services as further described in the SLA. The Services provided under this Agreement shall include (a) any software, plug-ins or extensions related to the Services or upon which the Services are based including any and all updates, upgrades,bug fixes, dot releases,version upgrades or any similar changes that may be made available to the Software Provider from time to time (the"Software"), (b) any and all technical documentation necessary or use of the Services, in hard copy form or online (the "Documentation"), (c) regular maintenance of Software Provider's system, and (d) other technology, user interfaces, know-how and other trade secrets,techniques, designs,inventions, data, images,text, content,APIs, and Page 1 of 12 090517 tools provided in conjunction with the Services. B. Equipment.If necessary to enable Software Provider to fulfill its obligations under the SLA, Software Provider shall, at its sole cost and expense, furnish all facilities, personnel and equipment to City necessary to provide the Services (the "Equipment"). City agrees, if necessary, to install the Equipment at the location(s) and in the manner specified by Software Provider and as directed by Software Provider. Any Equipment installed by City is a part of the Service and loaned to City by Software Provider, not sold. City agrees to return the Equipment to Software Provider at the termination of this Agreement in an undamaged condition, less ordinary wear and tear. c. Registration. Prior to using the Services, City shall identify the administrative users for its account ("Administrators"). Each Administrator will be provided an administrator ID and password. D. License Grant. Software Provider hereby grants City a license to use the Software and the Documentation for the permitted purpose of accessing the Services. E. Reservation of Rights and Data Ownership. City shall own all right, title and interest in its data that is related to the services provided by this contract. Software Provider shall not access City user accounts or City data, except (1) as essential to fulfillment of the objectives of this Agreement, (2) in response to service or technical issues, or (3) at City's written request. F. Data Protection. In carrying out the Services, Software Provider shall endeavor to protect the confidentiality of all confidential,non-public City data("City Data") as follows: 1. Implement and maintain appropriate security measures to safeguard against unauthorized access, disclosure or theft of City Data in accordance with recognized industry practice. 2. City Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated,Software Provider is responsible for encryption of the City Data. 3. Software Provider shall not use any City Data collected by it in connection with the Service for any purpose other than fulfilling the obligations under this Agreement. G. Software Ownership. Software Provider owns the Services, Software, Documentation, and any underlying infrastructure provided by Service Provider in connection with this Agreement. City acknowledges and agrees that (a) the Services, any Software and Documentation are protected by United States and international copyright, trademark, patent, trade secret and other intellectual property or proprietary rights laws, (b) Software Provider retains all right, title and interest (including, without limitation, all patent, copyright, trade secret and other intellectual property rights) in and to the Services, the Software, any Documentation, any other deliverables, any and all related and underlying technology and any derivative works or modifications of any of the foregoing, including, without limitation, (c) the Software and access to the Services are licensed on a subscription basis,not sold, and City acquires no ownership or other interest in or to the Services, the Software or the Documentation other than the license rights expressly stated herein, and(d)the Services are offered as an on-line, hosted solution, and that City has no right to obtain a copy of the Services. Page 2 of 12 090517 11. Restrictions. City agrees not to, directly or indirectly: (i) modify, translate, copy or create derivative works based on the Service or any element of the Software, (ii) interfere with or disrupt the integrity or performance of the Services or the data contained therein or block or disrupt any use or enjoyment of the Services by any third party, (iii) attempt to gain unauthorized access to the Services or their related systems or networks or (iv) remove or obscure any proprietary or other notice contained in the Services, including on any reports or data printed from the Services. 1. Security Incident. In the event a data breach occurs with respect to City Data, Software Provider shall immediately notify the appropriate City contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. Software Provider shall (1) cooperate with City to investigate and resolve the data breach, (2) promptly implement necessary remedial measures,if necessary,and(3)document responsive actions taken related to the data breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. i. Notification of Legal Requests. Software Provider shall contact City upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to City Data. Software Provider shall not respond to subpoenas, service of process and other legal requests related to City without first notifying City, unless prohibited by law from providing such notice. K. Access to Security Logs and Reports. Software Provider shall provide reports to City in a format as specified in the SLA agreed to by both Software Provider and City. Reports shall include latency statistics, user access, user access IP address, user access history and security logs for all City files related to this Agreement. L. Responsibilities and Uptime Guarantee. Software Provider shall be responsible for the acquisition and operation of all hardware, software and network support related to the services being provided. The technical and professional activities required for establishing, managing and maintaining the environments are the responsibilities of Software Provider. The system shall be available for City's use on a 24/7/365 basis (with agreed-upon maintenance downtime). m1. Subcontractor Disclosure. Software Provider shall identify all of its strategic business partners related to services provided under this Agreement, including all subcontractors or other entities or individuals who may be a party to a joint venture or similar agreement with Software Provider, and who shall be involved in any application development and/or operations. N. Business Continuity and Disaster Recovery. Software Provider shall provide to City a written business continuity and disaster recovery plan prior to or at the time of execution of this agreement and shall ensure that it meets City's recovery time objective (RTO) of four(4) hours or less. o. Compliance with Accessibility Standards. Software Provider shall comply with and adhere to the Americans with Disabilities Act of 1990 (42 U.S.C. § 12101). P. Web Services. Software Provider shall use Web services exclusively to interface with City Data in near real time when possible. Q. Encryption of Data at Rest. Software Provider shall ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Page 3 of 12 090517 Security Requirements for Cryptographic Modules for all personal data,unless City approves the storage of personal data on Software Provider's portable device in order to accomplish work as defined in the statement of work. 3. COMPENSATION TO SOFTWARE PROVIDER Software Provider shall be compensated for services performed pursuant to this Agreement in a total amount not to exceed four thousand two hundred dollars ($4,200.00). The payments specified in this section shall be the only payments to be made to Software Provider for services rendered pursuant to this Agreement. Software Provider shall invoice City according to the following schedule of milestones/deliverables: Upon execution of this Agreement $4,200.00 Upon completion of Quarter 1, FY19-20 $1,050.00 Upon completion of Quarter 2,FY19-20 $1,050.00- Upon completion of Quarter 3, FY19-20 $1,050.00 Upon completion of Quarter 4, FY19-20 $1,050.00 City shall pay Contractor within thirty (30) days after receipt of Service Provider's invoice. City shall return to Contractor any payment request determined not to be a proper payment request as soon as practicable, but not later than seven (7) days after receipt, and shall explain in writing the reasons why the payment request is not proper. 4. TIME IS OF THE ESSENCE Software Provider and City agree that time is of the essence regarding the performance of this Agreement. 5. LICENSES; PERMITS; ETC. Software Provider represents and warrants to City that it has all licenses, permits, qualifications, and approvals of whatsoever nature which are legally required to carry out the purposes of this Agreement. 6. ASSIGNMENTS. Software Provider may assign, sublease, or transfer this Agreement, or any interest therein, to a third party with the prior written consent of City. Such consent shall not be unreasonably withheld. City's withholding of consent shall be deemed reasonable if it appears that the intended assignee in question is not financially or technically capable of performing Software Provider's obligations under this Agreement,or if City has reason to conclude that the proposed assignee is otherwise incapable of fulfilling Software Provider's duties hereunder. 7. INDEPENDENT PARTIES City and Software Provider intend that the relationship between them created by this Agreement is that of independent contractor. No civil service status or other right of employment will be acquired by virtue of Software Provider's services. None of the benefits provided by City to its employees, including but not limited to,unemployment insurance,workers'compensation plans,vacation and sick leave Page 4 of 12 090517 i are available from City to Software Provider, its employees or agents. Software Provider is not a "public official" for purposes of Government Code §§ 87200 et seq. 8. IMMIGRATION REFORM AND CONTROL ACT (IRCA) Software Provider assumes any and all responsibility for verifying the identity and employment authorization of all of his/her employees performing work hereunder, pursuant to all applicable IRCA or other federal or state rules and regulations. Software Provider shall indemnify and hold City harmless from and against any loss, damage, liability, costs or expenses arising from any noncompliance of this provision by Software Provider. 9. NON-DISCRIMINATION Consistent with City's policy prohibiting harassment and discrimination, Software Provider agrees that neither it nor its employee or subcontractors shall harass or discriminate against a job applicant, a City employee, or a citizen on the basis of race, religious creed, color, national origin, ancestry, handicap, disability, marital status, pregnancy, sex, age, sexual orientation, or any other protected class status. Software Provider agrees that any and all violations of this provision shall constitute a material breach of this Agreement. 10. INTELLECTUAL PROPERTY INDEMNIFICATION Software Provider agrees to,at its expense, defend and/or settle any claim made by a third party against City alleging that the City's use of the Services infringes such third party's United States patent, copyright, trademark or trade secret (an "IP Claim"), and pay those amounts finally awarded by a court of competent jurisdiction against City with respect to such IP Claim. 11. DUTY TO INDEMNIFY AND HOLD HARMLESS Software Provider shall indemnify,defend, and hold harmless City and its officers, officials, agents, employees and volunteers from and against any and all liability, claims, actions, causes of action or demands whatsoever against any of them, including for any injury to or death of any person or damage to property or other liability of any nature, whether physical, emotional, consequential or otherwise, arising out, pertaining to, or related to the performance of this Agreement by Software Provider or Software Provider's employees, officers, officials, agents or independent contractors, except where such liability arises solely as a result of the active negligence or tortious conduct of City or its agent. Such costs and expenses shall include reasonable attorneys' fees of counsel of City's choice, expert fees and all other costs and fees of litigation. The provisions of this Section survive the completion of the Services or termination of this Contract. 12. INSURANCE: A. General Requirements. On or before the commencement of the term of this Agreement, Software Provider shall furnish City with certificates showing the type, amount, class of operations covered, effective dates and dates of expiration of insurance coverage in compliance with the requirements listed in Exhibit `B". Page 5 of 12 090517 Software Provider shall maintain in force at all times during the performance of this Agreement all appropriate coverage of insurance required by this Agreement. B. Subrogation Waiver. Software Provider agrees that in the event of loss due to any of the perils for which it has agreed to provide comprehensive general and automotive liability insurance, Software Provider shall look solely to its insurance for recovery. Software Provider hereby grants to City, on behalf of any insurer providing comprehensive general and automotive liability insurance to either Software Provider or City with respect to the services of Software Provider herein, a waiver of any right to subrogation which any such insurer of said Software Provider may acquire against City by virtue of the payment of any loss under such insurance. 13. RECORDS Software Provider shall maintain internal records reflecting that the Services were performed by Software Provider hereunder in accordance with customary recordkeeping practices in the software development industry. Software Provider shall provide free access to such records to the representatives of City or its designee's at all reasonable and proper times, and gives City the right to examine and audit same, and to make transcripts therefrom as necessary. No such examination and audit shall give City the right to access records relating to other Software Provider customers. Such records shall be maintained for a period of three (3) years after Software Provider receives final payment from City for all services required under this agreement. 14. NONAPPROPRIATION This Agreement is subject to the fiscal provisions of the Cupertino Municipal Code and Agreement will terminate without any penalty (a) at the end of any fiscal year in the event that funds are not appropriated for the following fiscal year, or (b) at any time within a fiscal year in the event that funds are only appropriated for a portion of the fiscal year and funds for this Agreement are no longer available. This Section shall take precedence in the event of a conflict with any other covenant, term, condition, or provision of this Agreement. 15. NOTICES All notices,demands,requests or approvals to be given under this Agreement shall be given in writing and conclusively shall be deemed served when delivered personally or on the second business day after deposit in the U.S. Mail, postage prepaid, addressed as hereinafter provided. All notices, demands, requests, or approvals shall be addressed as follows: TO CITY: City of Cupertino 10300 Torre Ave. Cupertino CA 95014 Attention: Bill Mitchell Page 6 of 12 090517 Copy to: Heather Miner City Attorney City of Cupertino 10300 Torre Avenue Cupertino, CA 95014-3255 TO SOFTWARE PROVIDER: City Data Services, LLC 403 Alvarado Street Brisbane, CA 94005 Attention: Steve Crounse 16. TERMINATION A. Basis for Termination. In the event Software Provider fails or refuses to perform any of the provisions hereof at the time and in the manner required hereunder, Software Provider shall be deemed in default in the performance of this Agreement. If Software Provider fails to cure the default within the time specified and according to the requirements set forth in City's written notice of default, and in addition to any other remedy available to the City by law,the City Manager may terminate the Agreement by giving Software Provider written notice thereof,which shall be effective immediately. The City Manager shall also have the option, at its sole discretion and without cause, of terminating this Agreement by giving seven (7) calendar days' prior written notice to Software Provider as provided herein. Upon receipt of any notice of termination, Software Provider shall immediately discontinue performance. B. Pro Rata Payments. City shall pay Software Provider for services satisfactorily performed up to the effective date of termination. In such event, a calculation of the amounts due shall be deemed correct as computed on a pro rata basis with compensation provided for the period of service paid as a percentage of the total contract amount. C. Handling of City Data. In the event of a termination of this Agreement, Software Provider shall implement an orderly return of City data in a CSV or another mutually agreeable format at a time agreed to by the parties and the subsequent secure disposal of City data. During any period of service suspension, Software Provider shall not take any action to intentionally erase any City data for a period of 30 days after the effective date of termination,unless authorized by City. City shall be entitled to any post-termination assistance generally made available with respect to the Services; unless a unique data retrieval arrangement has been established as part of the SLA. Software Provider shall securely dispose of all requested data in all of its forms, such as disk, CD/ DVD, backup tape and paper, when requested by City. Data shall be permanently deleted and shall not be recoverable, according to National Institute of Standards and Technology (MIST)- approved methods. Certificates of destruction shall be provided to City. 17. WARRANTY AND WARRANTY DISCLAIMER Software Provider warrants that, (i) the services shall be provided in a diligent, Page 7 of 12 090517 professional, and workmanlike manner in accordance with industry standards, (ii) the services provided under this agreement do not infringe or misappropriate any intellectual property rights of any third party, and (iii) the services shall substantially perform in all material respects as described in the SLA in the event of any breach of section (iii), above, Software Provider shall, as its sole liability and your sole remedy,repair or replace the services that are subject to the warranty claim at no cost to City or if Software Provider is unable to repair or replace, then it will refund any pre-paid fees for services not rendered. Except for the warranty described in this section, the services are provided without warranty of any kind, express or implied including, but not limited to, the implied warranties or conditions of design, merchantability, fitness for a particular purpose, and any warranties of title and non-infringement. 18. COMPLIANCE Software Provider shall comply with all state or federal laws and all ordinances, rules,policies and regulations enacted or issued by City. 19. CONFLICT OF LAW This Agreement shall be interpreted under,and enforced by the laws of the State of California excepting any choice of law rules which may direct the application of laws of another jurisdiction. Any suits brought pursuant to this Agreement shall be filed with the Superior Court for the County of Santa Clara, State of California. 20. ADVERTISEMENT Software Provider shall not post, exhibit, display or allow to be posted, exhibited, displayed any signs, advertising, show bills, lithographs, posters or cards of any kind pertaining to the services performed under this Agreement unless prior written approval has been secured from City to do otherwise. 21. INTEGRATED CONTRACT This Agreement, including all appendices, represents the full and complete understanding of every kind or nature whatsoever between the Parties, and all preliminary negotiations and agreements of whatsoever kind or nature are merged herein. No verbal agreement or implied covenant shall be held to vary the provisions hereof. Any modification of this Agreement will be effective only by written execution signed by both City and Software Provider. In the event that any Service Level Agreement,Exhibit,associated instrument or agreement executed by the Parties in conjunction with this Agreement or prior thereto contains a term that conflicts with the terms of this Agreement,the terms of this Agreement shall govern and supersede any other document or Exhibit. 22. AUTHORITY The individual(s) executing this Agreement represent and warrant that they have the legal capacity and authority to do so on behalf of their respective legal entities. IN WITNESS WHEREOF,the parties have caused this Agreement to be executed. Page 8 of 12 090517 SOFTWARE PROVIDER APPROVED AS TO FORM: City Data Services, LLC i By _ "/� -�" City Attorney Title.�t ven J. Crounse, Partner Heather Miner Date 06 04 2019 ATTEST: CITY OF CUPERTINO A Municipal Corporation �.� City Clerk BY n� Tit Date ❑Over$175,000-Counci Approval Required ❑ Over $45,000- Department Head Approval Required ❑ Up to $45,000- Designated Supervisor Approval Required RECOMMENDED FOR APPROVAL Kerri Heusler, Housing Manager I Exhibits: Exhibit A: Service Level Agreement Exhibit B: Insurance Requirements and Proof of Insurance I I i i i Page 9 of 12 090517 Contract No. Exhibit A: Service Level Agreement ("SLA") 10 Exhibit A /0,"� City Data Services www.citydata,services Kerri Heusler, Housing Senior Planner June 2019 City of Cupertino 10300 Torre Avenue Cupertino, CA 95014 Dear Ms. Heusler, City Data Services provides cloud-based data management services.As per your request, please find the following j Scope of Services for work for City of Cupertino for FY 2019-20. These services are provided for maintaining the Community Services module and a component of the Single Family module: SCOPE OF SERVICES—System Maintenance Under the scope of the maintenance contract, CDS will provide: • Ability to store, display, and summarize application information; • Ability to store, display, and summarize individual program administration information; • Ability to store, display, and summarize individual program contract information; I • Ability to enter, store, display, and summarize compliance information; • Maintain all database and report elements created under the initial setup agreement; • Maintain data backups and download on a determined schedule; • Modify database as needed to add or remove fields,or improve presentation of data; • Modify existing reports as needed to meet City's requirements; • Provide customer service to City and their clients throughout the contract; and • Promptly respond to request for assistance, training or database repair. Maintenance fee for Community Service (formerly Public Service) is in the amount of$350 per month for an annual total of$4,200. For the term of the agreement, this fee remains constant regardless of the number of users, trainings, units, programs, projects or reports included in this module. HOURLY RATES Maintenance and ongoing operations of City's CDS database are included in the monthly maintenance fee. All new reports or forms are covered under the maintenance contract without additional charge. In the event that forms outside of this module and component are required, the typical charge for developing a new form or report, and integrating it into the database, will be$850 per page, with discounts for larger documents. Maintenance invoices are billed quarterly and require payment within 30 days of submission of invoice.A one percent fee will be incurred for bills that are 30 days past due. Steve Crounse, Partner City Data Services, LLC South San Francisco, California citydataservicesa yahoo.com 415.572.4572 650.533.5933 Contract No. Exhibit B: Insurance Requirements and Proof of Insurance Proof of insurance coverage described below is attached to this Exhibit, with City named as additional insured. 1. MINIMUM SCOPE AND LIMITS OF REQUIRED INSURANCE POLICIES Additional Insureds: City, its City Council,boards and commissions,officers,employees and volunteers shall be named as additional insureds under all insurance coverages, except any professional liability insurance, required by this Agreement. The naming of an additional insured shall not affect any recovery to which such additional insured would be entitled under this policy if not named as such additional insured. An additional insured named herein shall not be held liable for any premium, deductible portion of any loss, or expense of any nature on this policy or any extension thereof. Any other insurance held by an additional insured shall not be required to contribute anything toward any loss or expense covered by the insurance provided by this policy. Workers' Compensation: Statutory coverage as required by the State of California and Liability Insurance with limit of no less than $1,000,000 per accident for bodily injury or disease. General Liability: Commercial general liability coverage in the following minimum limits: Bodily Injures $1,000,000 each occurrence $1,000,000 aggregate - all other Property Damage: $500,000 each occurrence $1,000,000 aggregate If submitted, combined single limit policy with aggregate limits in the amounts of$2,000,000 will be considered equivalent to the required minimum limits shown above. Cyber Liability: Insurance, with limits not less than: $2,000,000 each occurrence $2,000,000 aggregate - all other Coverage shall be sufficiently broad to respond to the duties and obligations as is undertaken by Software Provider in this agreement and shall include, but not be limited to, claims involving infringement of intellectual property, including but not limited to infringement of copyright, trademark,trade dress, invasion of privacy violations, information theft, damage to or destruction of electronic information, release of private information, alteration of electronic information, extortion and network security. The policy shall provide coverage for breach response costs as well as regulatory fines and penalties as well as credit monitoring expenses with limits sufficient to respond to these obligations. 11 i Contract No. If the Software Provider maintains broader coverage and /or higher limits than the minimums shown above, the City requires and shall be entitled to the broader coverage and/or higher limits maintained by the Software Provider.Any available insurance proceeds in excess of the specified minimum limits of insurance and coverage shall be available to the City. 2. ABSENCE OF INSURANCE COVERAGE. City may direct Software Provider to immediately cease all activities with respect to this Agreement if it determines that Software Provider fails to carry, in full force and effect, all insurance policies with coverages at or above the limits specified in this Agreement. At the City's discretion, under conditions of lapse, City may purchase appropriate insurance and charge all costs related to such policy to Software Provider. 3. PROOF OF INSURANCE COVERAGE AND COVERAGE VERIFICATION. A Certificate of Insurance, on an Accord form, and completed coverage verification shall be provided to City by each of Software Provider's insurance companies as evidence of the stipulated coverages prior to the Commencement Date of this Agreement, and annually thereafter for the term of this Agreement. All of the insurance companies providing insurance for Software Provider shall be licensed to do insurance business in the State of California and shall have, and provide evidence of, a Best Rating Service rate of A VI or above. The Certificate of Insurance and coverage verification and all other notices related to cancellation or non-renewal shall be mailed to: City Clerk City of Cupertino 10300 Torre Avenue Cupertino, CA 95014-3202 12 A��0® CERTIFICATE OF LIABILITY INSURANCE DATE 01/31/201 YYYY) 01/31/2019 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER,AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement.A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER CONTACT NAME: USAA INSURANCE AGENCY INC PHONE FAx A/C,No,Ext: 888 661-3938 A/C,No): 877 872=7604 9800 FREDERICKSBURG RD E-MAIL SAN ANTONIO,TX 78288 ADDRESS:service.cert lemcorn (888)661-3938 INSURER(S)AFFORDING COVERAGE NAIC# INSURER A:TRAVELERS CASUALTY INSURANCE COMPANY OF AMERICA INSURED INSURER B CITY DATA SERVICES 403 ALVARADO STREET INSURERC: BRISBANE,CA 94005 INSURER D: INSURER E: INSURER F: COVERAGES CERTIFICATE NUMBER: 020856025131820 REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES.LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR ADDL SUBR POLICY EFF POLICY EXP LTR TYPE OF INSURANCE INSD WVD POLICY NUMBER MM/DD/YYYY MMIDD/YYYY LIMITS COMMERCIAL GENERAL LIABILITY EACH OCCURRENCE $ DAMAGE TO RENTED CLAIMS-MADE OCCUR PREMISES Ea occurrence $ MED EXP(Any oneperson) $ PERSONAL 8 ADV INJURY $ GEN'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $ PRO- POLICY FIJECT LOC PRODUCTS-COMP/OPAGG $ OTHER: $ A AUTOMOBILE LIABILITY X BA-3L840042-19 02/10/2019 02/10/2020 COMBINED t)SINGLE LIMIT $1,000,000 ANY AUTO BODILY INJURY(Per person) $ SCHED OWNED X AUTOS AUTOS ONLY BODILY INJURY(Per accident) $ HIRED NON-OWNED PROPERTY DAMAGE AUTOS ONLY AUTOS ONLY (Per accident) $ $ UMBRELLA LIAR OCCUR EACH OCCURRENCE $ EXCESS LIAB CLAIMS-MADE AGGREGATE $ DED RETENTION$ $ WORKERS COMPENSATION NIA PER FOR AND EMPLOYERS'LIABILITY Y/N ANY PRO PR I ETOR/PARTN ER/EXECUTIVE ❑ E.L.EACH ACCIDENT $ OFFICER/MEMBER EXCLUDED? (Mandatory in NH) E.L.DISEASE-EA EMPLOYEE $ If yes,describe under DESCRIPTION OF OPERATIONS below E.L.DISEASE-POLICY LIMIT $ DESCRIPTION OF OPERATIONS I LOCATIONS I VEHICLES(ACORD 101,Additional Remarks Schedule,may be attached If more space Is required) AS RESPECTS TO AUTO LIABILITY-CERTIFICATE HOLDER IS ADDITIONAL INSURED AS PER CA 20 48- DESIGNATED INSURED. CERTIFICATE HOLDER CANCELLATION CITY OF CUPERTINO,ITS OFFICERS, SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE AGENTS,EMPLOYEES AND VOLUNTEERS THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN 10300 TORRE AVE ACCORDANCE WITH THE POLICY PROVISIONS. CUPERTINO,CA 95014 AUTHORIZED REPRESENTATIVE ©1988-2015 ACORD CORPORATION.All rights reserved. ACORD 25 (2016/03) The ACORD name and logo are registered marks of ACORD AC"R" CERTIFICATE OF LIABILITY INSURANCE DATE(MM/DD/YYYY) 02/19/2019 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER,AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED,the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER NAME:CONTACT John Espiritu Huckleberry Insurance Services PHONE E 4158531766 NC No 500 2nd Street, Level 0 E-MAIL ADDRESS: I p@ ryohn.es iritu huckleber .co San Francisco,CA 94107 INSURERS AFFORDING COVERAGE NAIC# INSURER A: Markel Insurance Company 38970 INSURED INSURER B: City Data Services, LLC INSURER C: 218 Shaw Rd INSURERD: South San Francisco,CA 94080 INSURER E: INSURER F: COVERAGES CERTIFICATE NUMBER: REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES.LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR ADDTYPE OF INSURANCE INSD SUER POLICY NUMBER MMIDDPOLICY/YYYY MM LTR IDDfYYYY LIMITS COMMERCIAL GENERAL LIABILITY EACH OCCURRENCE $ DAMAGE T �IENT . CLAIMS-MADE OCCUR PREM SESOEa occE ence $ MED EXP(Any one person) $ PERSONAL&ADV INJURY $ GEN'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $ POLICY PEt° LOC PRODUCTS POLICY $ OTHER: $ AUTOMOBILE LIABILITY COMBINED SINGLE LIMIT $ Ea accident ANY AUTO BODILY INJURY(Per person) $ OWNED SCHEDULED AUTOS ONLY AUTOS BODILY INJURY(Per accident) $ HIRED NON-OWNED PROPERTY DAMAGE $ AUTOS ONLY AUTOS ONLY Per accid L $ ent UMBRELLA LIAB OCCUR EACH OCCURRENCE $ EXCESS LAB HCLAIMS-MADE AGGREGATE $ DED RETENTION$ $ WORKERS COMPENSATION X STATUTE ERH AND EMPLOYERS'LIABILITY ANYPROPRIETOR/PARTNER/EXECUTIVE YIN E.L.EACH ACCIDENT $ 1,000,000 X OFFICER/MEMBER EXCLUDED? Y❑ NIA MWC0143771-01 02/28/2019 02/18/2020 (Mandatory In NH) E.L.DISEASE-EA EMPLOYEE $ 1,000,000 If yes,describe under 1,000,000 DESCRIPTION OF OPERATIONS below E.L.DISEASE-POLICY LIMIT $ DESCRIPTION OF OPERATIONS/LOCATIONS/VEHICLES (ACORD 101,Additional Remarks Schedule,may be attached if more space is required) CERTIFICATE HOLDER CANCELLATION SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. AUTHORIZED REPRESENTATIVE ©1988-2015 ORD ORPORATION. All rights reserved. ACORD 25(2016/03) The ACORD name and logo are registered marks of A RD THE HARTFORD BUSINESS SERVICE CENTER THE '' 3600 WISEMAN BLVD HARTFORD SAN ANTONIO TX 78251 June 7, 2019 THE CITY OF CUPERTINO, IT'S OFFICERS,AGENTS,EMPLOYEES AND VOLUNTEERS 10300 TORRE AVE CUPERTINO CA 95014 Account Information: Contact Us Policy Holder Details : City Data Services LLC Business Service Center Business Hours: Monday- Friday (7AM-7PM Central Standard Time) Phone: (888) 242-1430 Fax: (888)443-6112 Email: agency.services(o)thehartford.com Website: https://business.thehartford.com Enclosed please find a Certificate Of Insurance for the above referenced Policyholder. Please contact us if you have any questions or concerns. Sincerely, Your Hartford Service Team WLTRO05 CERTIFICATE OF LIABILITY INSURANCE DATE(MMIDD/YYYY) 06/07/2019 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW.THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER,AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must be endorsed. If SUBROGATIONIS WAIVED, subject to the terms and conditions of the policy,certain policies may require an endorsement.A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). PRODUCER CONTACT USAA INSURANCE AGENCY INC/PHS 65812845 PHONE (888)242-1430 FAX (888)443-6112 (A/C,No,Ext): (A/C,No): The Hartford Business Service Center 3600 Wiseman Blvd E-MAIL San Antonio,TX 78265 ADDRESS: INSURER(S)AFFORDING COVERAGE NAIC# INSURED INSURERA: The Sentinel Insurance Company 11000 City Data Services LLC INSURER B: 403 ALVARADO ST BRISBANE CA 94005-1603 INSURER C: INSURER D: INSURER E: INSURER F: COVERAGES CERTIFICATE NUMBER: REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED.NOTWITHSTAN DING ANY REQUIREMENT,TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS,EXCLUSIONS AND CONDITIONS OF SUCH POLICIES.LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR TYPE OF INSURANCE ADDL SUBR POLICY NUMBER POLICY EFF POLICY EXP LIMITS LTR IN SIR WVD MM/DD/YYYY (MM/DDIYYYYI COMMERCIAL GENERAL LIABILITY EACH OCCURRENCE $2,000,000 CLAIMS-MADE OCCUR DAMAGE TO RENTED $1,000,000 PREMISES Ea occurrence X General Liability MED EXP(Any one person) $10,000 A X 65 SBM R04156 02/10/2019 02/10/2020 PERSONAL&ADV INJURY $2 000 000 GEN'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $4,000,000 POLICY❑PRO LOC PRODUCTS-COMP/OPAGG $4,000,000 JECT OTHER: AUTOMOBILE LIABILITY COMBINED SINGLE LIMIT Ea accident ANY AUTO BODILY INJURY(Per person) ALL OWNED r SCHEDULED AUTOS AUTOS BODILY INJURY(Per accident) HIRED NON-OWNED PROPERTY DAMAGE AUTOS AUTOS (Per accident) UMBRELLA LIAS OCCUR EACH OCCURRENCE EXCESS LIAB CLAIMS- AGGREGATE MADE DED I RETENTION$ WORKERS COMPENSATION PER OTH- AND EMPLOYERS'LIABILITY STATUTE ER ANY YIN E.L.EACH ACCIDENT PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? NIA E.L.DISEASE-EA EMPLOYEE (Mandatory in NH) If yes,describe under E.L.DISEASE-POLICY LIMIT DESCRIPTION OF OPERATIONS below DESCRIPTION OF OPERATIONS/LOCATIONS/VEHICLES(ACORD 101,Additional Remarks Schedule,may be attached if more space is required) Those usual to the Insured's Operations.City of Cupertino is Additional Insured per the Business Liability Coverage Form SS0008 attached to this policy. CERTIFICATE HOLDER CANCELLATION THE CITY OF CUPERTINO, SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED IT'S OFFICERS,AGENTS,EMPLOYEES BEFORE THE EXPIRATION DATE THEREOF,NOTICE WILL BE DELIVERED AND VOLUNTEERS IN ACCORDANCE WITH THE POLICY PROVISIONS. 10300 TORRE AVE AUTHORIZED REPRESENTATIVE CUPERTINO CA 95014 ©1988-2015 ACORD CORPORATION.All rights reserved. ACORD 25(2016/03) The ACORD name and logo are registered marks of ACORD FailSafe® GIGA enterprise liability Declarations Page HARTFORD FIRE INSURANCE CO., HARTFORD PLAZA, HARTFORD, CT 06115 A stock insurance company, herein called the Insurer THIS POLICY CONTAINS CLAIMS MADE COVERAGE, WHICH MEANS THAT CLAIMS MUST BE FIRST MADE DURING THE POLICY PERIOD. ALSO, COVERED CLAIM EXPENSES PAYABLE UNDER THE POLICY REDUCE AND MAY COMPLETELY EXHAUST THE LIMITS OF LIABILITY. PLEASE READ THE POLICY CAREFULLY AND DISCUSS IT WITH YOUR AGENT OR BROKER. Policy Number: 46 TE 0323528-18 Renewal of Policy Number: 46 TE 0323528 Named Insured CITY DATA SERVICES LLC Address 403 ALVARADO ST BRISBANE, CA 94005 2. Policy Period Start Date 7/07/18 End Date 7/07/19 at 12:01 a.m. standard time at the address shown in item 1 above 3. Retroactive Date 7/07/17 If the space above is left blank, coverage does not apply to any wrongful act committed before the Start Date stated in item 2 above. 4. Limits of Liability Each Wrongful Act Limit 2,000,000 Aggregate Limit 2,000,000 5. Retention Each Wrongful Act 10,000 6. Premium $1,273.00 7. Forms and Endorsements: This Declarations page, the policy and endorsements listed below and all changes later added to the policy by us in written endorsements constitute the entire insurance policy: SEE FORM GU207 (SCHEDULE OF FORMS AND ENDORSEMENTS) 8. Producer Name 91676 BIN INSURANCE HOLDINGS LLC Address 30 N LA SALLE ST STE 2500 CHICAGO, IL 60602 Countersignature Date Authorized Representative FS 00 G002 00 1016 FailSafe GIGe Page 1 of 1 ©2016, The Hartford GU207 (6-78) ENDORSEMENT This endorsement, effective on 7/07/18 at 12:01 A.M standard time, forms a part of Policy No. 46 TE 0323528-18 of the HARTFORD FIRE INSURANCE CO. Issued to CITY DATA SERVICES LLC Douglas Elliot, President SCHEDULE FSOOG00700 10/16 FAILSAFE GIGA ENTERPRISE LIABILITY CONTENTS FSOOG00300 10/16 FAILSAFE GIGA ENTERPRISE LIABILITY FSOOH02600 10/16 ADDRESS FOR WRONGFUL ACT OR CLAIM NOTIFICATION OR CORRESPONDENCE ENDORSEMENT FSOOH02700 10/16 DISCLOSURE FORM CLAIMS-MADE POLICY IMPORTANT NOTICE TO POLICYHOLDER FSOOH13700 10/16 ASBESTOS EXCLUSION FSOOH14100 10/16 UNSOLICITED SENDING OF INFORMATION EXCLUSION FSOOH30100 10/16 ADDITIONAL YOU FSOOH32800 10/16 PRIOR ACTS LIMIT RESTRICTION ENDORSEMENT(ONE LIMIT CHANGE) FSOOH60400 10/16 FIRST PARTY EXPENSE ENDORSEMENT FSOOH90000 10/16 WAR, HOSTILE LOSS OR TERRORISM EXCLUSION FSO4HOO400 10/16 CALIFORNIA CHANGES Rev. Ed. Date (04/02) GU 207 (6-78) FailSafe® G I G A enterprise liability Contents Pages 2—3 Section I -Coverage Page 2 A. Insuring Agreement B. Defense Page 3 C. When We Insure Pages 3— 13 Section II -Definitions Pages 13— 15 Section III - Exclusions Page 15 Section IV- Nuclear Energy Liability Exclusion Pages 15 - 16 Section V- Limits of Liability and Retention Page 15 A. Limits of Liability Page 16 B. Retention for Each Wrongful Act Pages 16— 17 Section VI - Extended Reporting Periods Page 16 A. Terms Applicable to Both Types of Extended Reporting Period B. Basic Extended Reporting Period Page 17 C. Optional Extended Reporting Period Pages 17—21 Section VII -Conditions Page 17 A. Territory B. Currency Page 18 C. Bankruptcy D. Cancellation E. When We Do Not Renew F. Entire Agreement G. Changes H. Duties in the Event of Wrongful Act or Claim Page 19 I. Legal Action Against Us J. Mergers, Consolidations or Acquisitions Page 20 K. Other Insurance and Payments Available to You L. Payment of Premiums and Retention Page 21 M. Transfer of Rights of Recovery against Others to Us N. Transfer of Your Rights and Duties Under This Policy O. Representations and Statements FS 00 G007 00 1016 FailSafe GIGA®Release 4.0 Page 1 of 1 ©2016, The Hartford 46 TE 0323528-18 7/07/18 1 THE HARTFORD FailSafe® G I G A enterprise liability This is a claims first made policy. Please read it carefully and contact your agent or broker if you have any questions. Your policy applies only to claims when: the wrongful act occurs on or after the applicable Retroactive Date and before the end of the policy period, and the claim is first made against any of you during the policy period and you use your best efforts to report such claim to us in writing as soon as practicable in accordance with the terms of this policy. Covered claim expenses and damages within the Retention amount must be paid by you and do not reduce the Limits of Liability. Covered claim expenses and damages above the Retention amount are payable under this policy and reduce the Limits of Liability. Some provisions in this policy restrict coverage. Read the entire policy carefully to determine rights,duties and what is and what is not covered. The words"we,""us"and "our"refer to the stock insurance company member of THE HARTFORD shown on the Declarations Page of this policy. The words"you"and"your"mean any person or entity described under the definition of"you or your'in Section II—Definitions. All other words and phrases that appear in bold type are defined in Section II— Definitions. In return for payment of the premium, and subject to all of the terms and conditions of this policy, including those changed, added or deleted by endorsements that we issue forming a part of this policy, we agree with you as follows: FS 00 G003 00 1016 FailSafe GIGA® Release 4.0 Page 1 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford Section I - Coverage A. Insuring Agreement We will pay on your behalf money in excess of the Retention that you become legally required to pay as damages and claim expenses because of a claim caused by a(n): Professional Liability 1. professional services wrongful act; Data Privacy and Network Security Liability 2. data privacy wrongful act, including the actual or alleged failure to comply with your written and publicly available policies, procedures, and standards for the collection, use and disclosure of nonpublic personal information; 3. actual or alleged failure to provide any required notices in connection with any part of a data privacy wrongful act; or 4. network wrongful act. B. Defense 1. For all covered claims made in the United States of America, its territories and possessions, Puerto Rico or Canada, we have the right and duty to defend you. We have the right to appoint counsel. We may investigate any claim as we deem appropriate. 2. For all covered claims made outside the United States of America, its territories and possessions, Puerto Rico or Canada, we have the right but not the duty to defend you, appoint counsel and investigate. If we choose not to defend,appoint counsel and investigate such a claim,the first named insured under our supervision will arrange for investigation and defense of the claim as reasonably appropriate. Subject to the Limits of Liability, we will reimburse the first named insured for paying damages or claim expenses for covered claims. 3. The following terms apply to all covered claims, wherever they are made: a. You will not settle any claim without our prior written consent, even if the claim is less than the amount of the Retention.We have the right to settle all claims,wherever made, unless we receive a written objection from the first named insured before we agree to a settlement. The first named insured will be notified before we agree to a settlement. If the first named insured objects to a settlement recommended by us and acceptable to the claimant, then our duty to pay will be limited to: (1) the amount of damages for which the claim could have been settled; plus (2) all claim expenses incurred and paid or payable by us or the first named insured at the time we made our recommendation; plus (3) fifty percent(50%) of all covered damages and claim expenses incurred and paid or payable by us or the first named insured after the time we made our recommendation. If the total of these amounts falls within your Retention, we will have no duty to pay damages and claim expenses on that claim. In no event will we be obligated to pay more than the remaining applicable Limit of Liability determined under Section V—Limits of Liability and Retention. In claims where the first named insured has objected to a settlement recommended by us, we have the right to stop defending and paying claim expenses upon tendering control of the defense to you. FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 2 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford b. We have the right to exercise all of your rights in choosing arbitrators and in conducting all arbitrations. c. Our right and duty to defend claims and to pay or reimburse for claim expenses will end when we have used up the applicable Limit of Liability by paying damages and/or claim expenses. 4. At our discretion, and with your consent, we may pay early intervention costs incurred to investigate a wrongful act reported to us that may result in a claim. Such costs may be paid during the time between when such wrongful act is reported and the time a claim is made to us, per Section VII — Conditions, Duties in the Event of a Wrongful Act or Claim, and will reduce the Limits of Liability. Should such early intervention costs be incurred for what becomes an actual claim, such intervention costs will be deemed claims expenses, and therefore, subject to your Retention obligation. C. When We Insure This policy applies to a wrongful act only if all the terms in 1 through 3 below are met: 1. the wrongful act was committed on or after the applicable Retroactive Date shown in the Declarations and before the end of the policy period; 2. before the Start Date of this policy shown in the Declarations,no specified insured knew of or should have reasonably known of: a. a wrongful act; or b. any fact(s)or circumstance(s) which could reasonably be expected to result in a claim; and 3. the claim because of the wrongful act is: a. first made against any of you during the policy period; and b. reported to us in writing by you using your best efforts to notify us as soon as practicable after any specified insured becomes aware of it. All claims arising from the same wrongful act are considered to be one claim. A claim is deemed first made when the earliest of the following occurs: any of you receive written notice of such claim; or subject to the Section VII —Conditions, Duties in the Event of Wrongful Act or Claim, we receive from you or your agent written notice of the wrongful act, which later results in a claim. A claim is deemed reported to us when we first receive it in writing. Section II — Definitions ■ actual income loss means the net profit before taxes that you would have earned or incurred during the period of restoration had there not been a network outage. Actual income loss will be calculated on an hourly basis and limited to the period of restoration. ■ business interruption loss means the sum of actual income loss and extra expense resulting from a network outage. business interruption loss does not include any: 1. contractual liability or the value of, or associated with, any cancelled contract, including but not limited to any sums due pursuant to a contractual provision for liquidated damages, agreed penalties, or similar remedy; FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 3 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford 2. costs or expenses incurred to update, replace, restore, or improve the computer system; 3. costs or expenses incurred to identify or remediate vulnerabilities or errors in the computer system; 4. damages; 5. claim expenses; 6. other first party expenses; or 7. amounts that are uninsurable pursuant to applicable law. ■ claim means a written demand received by any of you for damages or injunctive relief. This includes a suit, arbitration or other type of alternative dispute resolution proceeding against any of you. It also includes a request to toll or waive the running of the statute of limitations. It does not include a request by you for reimbursement of first party expenses, nor does it include a data privacy regulation proceeding. ■ claim expenses means reasonable expenses incurred by us or by you with our prior written consent investigating and defending a claim. 1. claim expenses also include: a. the cost of bonds to release attachments, but only for bond amounts within the remaining applicable Limit of Liability. We do not have to furnish these bonds; b. costs taxed against you in the suit. However,these payments do not include attorney's fees or attorney's expense taxed against you; c. interest on the full amount of any judgment that accrues before or after entry of the judgment and before we have paid, offered to pay or deposited in court the part of the judgment that is within the remaining applicable Limit of Liability; and d. actual loss of earnings up to $1,000 per day for each of you that you personally incur because of time off from work at our request to help us investigate or defend a claim. 2. claim expenses do not include any first party expenses or any of your overhead expenses or any salaries, wages, fees, or benefits of any you. ■ computer system(s) means the following, if leased or owned by the named insured, or operated by a third party service provider: computers, input and output devices, network devices and equipment, peripheral devices, storage devices, back-up facilities, mobile devices, and associated computer programs, software and applications, including cloud-based computer programs, software and applications. ■ contract worker agreement means a signed agreement between the named insured and an individual person who is an agent or independent contractor when the agreement provides that: 1. the agent or independent contractor will provide specific enterprise services on behalf of the named insured; 2. the named insured will indemnify the agent or independent contractor for those enterprise services; and 3. the agreement is made before any wrongful act that may give rise to a claim. ■ crisis management expenses means reasonable and necessary fees and expenses: 1. charged by a crisis management firm in the performance of crisis management services; and 2. for printing, advertising, mailing of materials, or travel by an executive officer, partner, owner, employee, agent of the named insured, or the crisis management firm as a direct response to a data privacy wrongful act. crisis management expenses do not include any of your overhead expenses or any salaries, wages, fees, or benefits of any you, nor do they include any amounts that are uninsurable pursuant to applicable law. FS 00 0003 00 1016 FailSafe GIGA®Release 4.0 Page 4 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford ■ crisis management firm means any public relations or law firm hired or appointed by us or by you to perform crisis management services in connection with a data privacy wrongful act. ■ crisis management services means those services performed by a crisis management firm to minimize potential harm to the named insured arising from a data privacy wrongful act, including: 1. maintaining and restoring public confidence in the named insured; 2. providing advice to the named insured in connection with such data privacy wrongful act; 3. determining the named insured's legal obligations under data privacy laws; 4. providing necessary legal services to the named insured in responding to a data privacy wrongful act; and 5. communicating prior to a claim or data privacy regulatory proceeding with regulators, consumers, and clients regarding a data privacy wrongful act. ■ cyber extortion expenses means those reasonable and necessary expenses incurred by the named insured as a result of a cyber extortion threat including cyber extortion payments. cyber extortion expenses do not include any of your overhead expenses or any salaries, wages, fees, or benefits of any you, nor do they include any amounts that are uninsurable pursuant to applicable law. ■ cyber extortion payments means necessary monetary amounts paid by the named insured to a party who is not insured under this policy and whom the named insured believes to be responsible for the cyber extortion threat. ■ cyber extortion threat means any credible threat by a person or organization against the named insured to: 1. cause a network intrusion; 2. alter, damage, encrypt, render inaccessible, or continue to render inaccessible any computer program, software or electronic data that is stored within the computer system; 3. release,disseminate, destroy,or use nonpublic personal information obtained from the computer system through a network intrusion; or 4. release, disseminate, destroy, or use third party corporate confidential information. The foregoing notwithstanding,any such threat will not constitute a cyber extortion threat unless,priorto the surrendering of property or other consideration as payment by or on behalf of the named insured, the named insured conducts a reasonable investigation and determines that such threat is technologically credible. All cyber extortion threats that are logically or causally connected by common facts, circumstances, situations, events, transactions and/or decisions are considered one cyber extortion threat occurring on the earliest date such cyber extortion threat was first made. ■ cyber investigation expenses means those reasonable and necessary expenses incurred by the named insured to: 1. conduct an investigation of the computer system by a third party to determine the source or cause of a data privacy wrongful act or network intrusion; and 2. retain the services of a PCI Forensic Investigator to comply with the terms of the named insured's payment card agreement. cyber investigation expenses do not include any of your overhead expenses or any salaries, wages, fees, or benefits of any you, nor do they include any amounts that are uninsurable pursuant to applicable law. ■ damages means a money award,judgment or settlement that you become legally required to pay, including punitive, exemplary and multiplied damages where insurable by law. FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 5 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford damages do not include: 1. any kind of: refund, rebate, redemption coupon, offset, return or credit that has been paid to or by any of you, or that is owed to or by any of you; examples include but are not limited to any of the following: any licensing fee or other fee, royalty, subscription or access charge, or other charge; 2. disgorgement of profits or any money or credits that represent any gain, profit or advantage to which any of you are not legally entitled; 3. your cost to comply with any non-money or injunctive relief; 4. cost or expense to recall, upgrade, replace, repair, correct, complete or re-perform enterprise services, in whole or part, by: a. any of you; or b. another party if any of you had the opportunity to recall, upgrade, replace, repair,correct, complete or re-perform enterprise services; 5. any criminal: fine or penalty; 6. any payment any of you make without our prior written consent; 7. the purchase or contract price for your enterprise services; or 8. any first party expenses or any of your overhead expenses or any salaries, wages, fees, or benefits of any you. In accordance with the foregoing, insurable punitive, exemplary and multiplied damages will be covered based upon the law of the most favorable of the following jurisdictions to you: a. where the punitive, exemplary or multiplied damages are imposed or awarded; b. where the claim resulting in punitive, exemplary, or multiplied damages occurred; c. where the wrongful act giving rise to a claim that resulted in punitive, exemplary, or multiplied damages occurred; d. where the named insured against whom punitive, exemplary, or multiplied damages are imposed or awarded is incorporated, resides or has their principal place of business; or e. where we are incorporated or have our principal place of business. ■ data privacy laws means any local, state,federal or foreign laws, statutes and regulations governing the collection, control, confidentiality, sharing, or use of nonpublic personal information. Data privacy laws include but are not limited to: 1. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA); 2. Health Insurance Technology for Economic and Clinical Health Act of 2009 (HITECH); 3. Gramm-Leach-Bliley Act of 1999, also known as,the Financial Services Modernization Act of 1999; 4. The Family Educational Rights and Privacy Act("FERPA"); 5. Children's Online Privacy Protection Act of 1998 ("COPPA"); 6. Section 5(a)of the Federal Trade Commission Act but solely for alleged unfair and deceptive acts or practices resulting in a data privacy wrongful act or network wrongful act; or FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 6 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford 7. State privacy protection and breach notification laws, including but not limited to the California Database Protection and breach notification laws, including but not limited to the California Database Protection Act of 2003(Cal.SB 1386) and California A.B. 1950. ■ data privacy regulatory expenses means: 1. reasonable and necessary legal fees and expenses incurred by the named insured in the defense of a data privacy regulation proceeding; 2. fines or penalties assessed in connection with a data privacy regulation proceeding; and 3. amounts which the named insured is legally obligated to deposit in a fund as equitable relief, including consumer redress funds, due to a settlement or adverse judgment in a data privacy regulation proceeding. data privacy regulatory expenses do not include any of your overhead expenses or any salaries, wages, fees, or benefits of any you, nor do they include any amounts that are uninsurable pursuant to applicable law. ■ data privacy regulation proceeding means a civil, administrative or regulatory proceeding against, or a civil investigation of, a named insured by a governmental agency commenced by an investigative demand or similar request for information or by a complaint or similar pleading, alleging violation of any data privacy law as a result of a data privacy wrongful act or a network wrongful act. ■ data privacy wrongful act means any act, error or omission by you or a rogue employee that results in: 1. the improper collection, control, disclosure or use of nonpublic personal information; 2. a violation by the named insured of a data privacy law; or 3. the improper disclosure or use of third party corporate confidential information. ■ data restoration expenses means the actual, reasonable, and necessary expenses incurred by you to restore, replace or recover a computer program, software, application or other electronic data that is altered, destroyed, stolen, impaired or erased as a result of a network intrusion. If you determine that such computer program,software,application or other electronic data cannot be reasonably restored, replaced or recovered, then data restoration expenses means only the reasonable and necessary costs incurred by you to reach this determination. data restoration expenses do not include costs or expenses incurred to: 1. identify or remediate any errors or vulnerabilities or to update, restore, replace, upgrade, maintain, or improve any computer system; 2. duplicate the research that led to the development of the named insured's computer program, software, application, other electronic data or any proprietary or confidential information or intellectual property; or 3. develop or purchase any computer program, software, application or other electronic data. Nor do data restoration expenses include: a. the economic or market value of any computer system, computer program, software, application or other electronic data; b. any amounts that are uninsurable pursuant to applicable law; or c. any of your overhead expenses or any salaries, wages,fees, or benefits of any you. ■ denial of service attack means a malicious attempt by a third party to restrict or prevent access to the internet, or computer program, software or application within the computer system. FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 7 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford ■ enterprise services means the tangible and intangible work product and services you provide to others for a fee or other remuneration. Enterprise services include, but are not limited to, technology services. Enterprise services expressly do not include any violations of law, rule or regulations related to one's status as, or any performance or failure to perform services as an accountant, architect, civil or structural engineer, dental or medical health care professional, insurance agent or broker, lawyer, mortgage broker or banker, real estate agent or broker, or surveyor. ■ executive officer means a director or officer in a position created by your charter, constitution, by-laws or any other similar governing document. ■ extra expense means actual, reasonable and necessary expenses incurred by you to reduce, minimize, or stop a network outage, but only to the extent such expenses are in excess of the your normal operating expenses, including but not limited to, any of your overhead expenses or any salaries,wages, fees, or benefits of any of you. ■ first named insured means the named insured first listed in item 1 of the Declarations. ■ first party expenses means the following expenses incurred by the named insured: 1. business interruption loss; 2. crisis management expenses; 3. cyber extortion expenses; 4. cyber investigation expenses; 5. data privacy regulatory expenses; 6. data restoration expenses; 7. notification and identity protection expenses; and 8. pci expenses. ■ interrelated wrongful act means multiple wrongful acts that are logically or causally connected by common facts, circumstances, situations, events, transactions and/or decisions. Interrelated wrongful acts that occur before the end of the last technology errors and omissions/liability policy issued by an insurance company member of The Hartford are considered one wrongful act occurring on the date the earliest such wrongful act is committed. An interrelated wrongful act is subject to the Each Wrongful Act Limit. ■ named insured means: 1. the persons or entities listed in item 1 of the Declarations; and 2. any subsidiary. ■ network intrusion means the gaining of access to or use of the computer system by an unauthorized person, or by an authorized person in an unauthorized manner, including but not limited to the transmission of malicious code to or participation in a denial of service attack against computer systems that are not owned, operated or controlled by you. All network intrusions that are logically or causally connected by common facts, circumstances, situations, events, transactions and/or decisions are considered one network intrusion occurring on the earliest date such network intrusion first occurred. ■ network outage means the actual and measurable failure, interruption, degradation, suspension or delay in service or the failure of the computer system directly resulting from a network intrusion or a denial of service attack. All network outages that are logically or causally connected by common facts, circumstances, situations, events, transactions and/or decisions are considered one network outage occurring on the earliest date such network outage first occurred. ■ network wrongful act means any act, error or omission by you, a rogue employee, or a third party service provider, which results in a network intrusion. FS 00 0003 00 1016 FailSafe GIGA®Release 4.0 Page 8 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford ■ nonpublic personal information means: 1. a natural person's name; address; unpublished telephone number; social security number; driver's license or state identification number; credit, debit or other financial account number; medical information; education records; username; passwords or personal identification numbers;website cookies;geolocation data; or any other information that would allow access to the natural person's financial or medical account; or 2. any other information of a natural person that is designated as private or confidential by any local, state, federal or foreign laws, statutes or regulations. Notwithstanding the foregoing, nonpublic personal information does not include information that is lawfully available to the general public. ■ notification and identity protection expenses means reasonable and necessary expenses incurred by you to: 1. notify individuals, customers or clients of a data privacy wrongful act in compliance with a data privacy law; 2. voluntarily notify individuals, customers and clients of a data privacy wrongful act; 3. establish call center services to answer calls following notification of a data privacy wrongful act; and 4. provide credit monitoring; identity monitoring; medical identity monitoring; account monitoring; fraud detection and alerts; identity theft insurance; and identity protection or restoration services to individuals in response to a data privacy wrongful act. notification and identity protection expenses do not include any of your overhead expenses or any salaries, wages, fees, or benefits of any you, nor do they include any amounts that are uninsurable pursuant to applicable law. ■ payment card agreement means a contract between you and a financial institution, payment card company, payment card processor, or merchant that establishes the terms and conditions for accepting and processing payment cards. ■ pci expenses means the monetary fines, expenses, assessments, or fraud reimbursements that you are legally obligated to pay or incur under the terms of a payment card agreement as a result of a data privacy wrongful act or a network wrongful act. pci expenses do not include: any of your overhead expenses or any salaries, wages, fees, or benefits of any you; any charge backs, interchange fees, service charges, cost or expenses for system improvements, or any other costs or expenses related thereto; or any amounts that are uninsurable pursuant to applicable law. ■ period of restoration means the period of time that begins with the date and time of the network outage after application of the waiting period set forth on the Declarations and ends on the date and time the computer system is or could have been restored to substantially the level of operation that had existed prior to the network outage. The foregoing notwithstanding, in no event shall the period of restoration exceed the number of days set forth in the Declarations. ■ personal injury means: 1. any form of defamation or disparagement causing harm to the character, reputation or feelings of any person, entity, product or service, including but not limited to libel, slander, product or service disparagement, trade libel, infliction of emotional distress, outrage or outrageous conduct; 2. any form of invasion, infringement or interference with rights of publicity or privacy, including but not limited to false light, public disclosure of private facts, intrusion and commercial appropriation of name or likeness; 3. wrongful entry or eviction, trespass, eavesdropping or other invasion of the right of private occupancy; and 4. malicious prosecution or false: arrest, detention or imprisonment. FS 00 G003 00 1016 FailSafe GIGe Release 4.0 Page 9 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford ■ policy period means the time beginning with the Start Date shown in the Declarations and ending with the earlier of: 1. the date of termination or cancellation; or 2. the End Date shown in the Declarations. ■ pollutants means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals, odors, noise, lead, oil or oil product, radiation, and waste. Waste includes materials to be recycled, reconditioned or reclaimed. Pollutants also means any substance located anywhere in the world identified on a list of hazardous substances issued by any federal agency(including, nonexclusively, the Environmental Protection Agency)or any state, county, municipality or locality or counterpart thereof, or any foreign equivalent thereof. ■ professional services wrongful act means the following when actually or allegedly committed by you, a rogue employee, or on your behalf: 1. an error, unintentional omission, or negligent act in your performance of enterprise services; 2. a breach of warranties or representations about the fitness,quality,suitability, performance or use of your enterprise services; 3. the failure of your enterprise services to perform the function or serve the purpose intended; and 4. a security wrongful act in your performance of enterprise services. ■ rogue employee means any past or present employee of any named insured who acts or acted outside the scope of his or her employment to intentionally cause a wrongful act. Rogue Employee does not include any specified insured. ■ security wrongful act: 1. failure to prevent: a. denial of service; b. disruption of service; c. unauthorized access to, unauthorized use of, repudiation of access to,tampering with or introduction of malicious code into: firmware, data, software, systems or networks; d. identity theft or disclosure of nonpublic personal information; or e. disclosure of third party corporate confidential information; and 2. the improper collection, control, or use of nonpublic personal information. ■ specified insured means: 1. any named insured including the spouse and/or domestic partner of a named insured that is an individual; 2. any past or present partner, executive officer, or any individual in an equivalent position of a named insured, including but not limited to individuals that hold management positions similar to an executive officer for any named insured that does not have a charter, constitution, by-laws or any other similar governing document; 3. any individual responsible for the insurance, legal,or financial matters of the named insured including but not limited to General Counsel, Risk Manager, or Insurance Manager of the named insured; 4. any member of the named insured that could be afforded coverage under this policy; or FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 10 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford 5. the executors,administrators or legal representatives of 1,2,3, or 4 listed above in the event of a death, incapacitation or bankruptcy of 1, 2, 3 or 4 listed above; but this only applies while performing their duties as such. specified insured does not include any rogue employee. ■ subsidiary means any corporation of which the first named insured owns, directly or indirectly, more than fifty percent (50%)of the issued and outstanding voting stock. The stock must be owned by the first named insured on the Start Date shown in the Declarations of this policy. 1. Subsidiary also includes any corporation which becomes a subsidiary during the policy period, provided that as soon as practical, but no later than within ninety (90)days of its becoming a subsidiary, you have: a. provided us with full details of the new subsidiary including a completed and signed subsidiary application and any other underwriting information we may require; b. agreed to and paid any additional premium related to the subsidiary; and c. agreed to any change in the terms and conditions of this policy required by us relating to the new subsidiary. 2. This policy does not apply to any claim or first party expense arising from or involving a subsidiary for any wrongful act, cyber extortion threat, network intrusion, or network outage that was committed when the first named insured did not own directly or indirectly more than fifty percent (50%) of the issued and outstanding voting stock of the subsidiary. ■ technology services means the following services performed for others for a fee or remuneration: 1. consulting, analysis, design, installation, training, maintenance, support and repair of or on: software, wireless applications, firmware, shareware, networks, systems, hardware, devices or components; 2. integration of systems; 3. processing of, management of, mining or warehousing of data; 4. administration, management, operation or hosting of: another party's systems, technology or computer facilities; 5. website development; website hosting; 6. internet access services; intranet, extranet or electronic information connectivity services; software application connectivity services; 7. manufacture, sale, licensing, distribution, or marketing of: software, wireless applications, firmware, shareware, networks, systems, hardware, devices or components; 8. design and development of: code, software or programming; 9. providing software application: services, rental or leasing; 10. screening, selection, recruitment or placement of candidates for temporary or permanent employment by others as information technology professionals; 11. telecommunication services; 12. telecommunication products; and 13. web related software and connectivity services performed for others. ■ telecommunication products means computer hardware, firmware and/or software products, electronic equipment or devices manufactured, sold, handled, distributed or disposed of by you which are specifically designed or intended for use in telecommunication systems or your telecommunication services. FS 00 0003 00 1016 FailSafe GIGA®Release 4.0 Page 11 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford ■ telecommunication services means the following services performed for others: 1. telephone services including competitive access provider, dial tone access, digital subscriber line (DSL), incumbent/ local exchange carrier, facsimile, integrated services digital network (ISDN), interconnection, local, long distance, reseller, switching, and 911 emergency services; 2. means call conferencing, call forwarding, call identification, call return, call waiting, calling card, directory assistance, repeat dialing, speed dial, toll free, video conferencing, voice messaging services; 3. cellular and wireless communication services including paging and ground based satellite communication services; 4. provision of cable television services; and 5. telecommunication consulting services. ■ temporary worker means a person who is provided to you by a third party for a specific time period to support or increase your work force in special situations. Such situations may include employee absences, temporary skill shortages and seasonal workloads. A temporary worker is not an employee of yours. ■ third party corporate confidential information means third party corporate information provided to you and protected under a nondisclosure agreement or confidentiality provision of a contract entered into by the named insured with the owner of the third party corporate information. ■ third party service provider means an independent contractor operating on behalf of the named insured pursuant to a written contract or agreement with the named insured but only if such independent contractor is acting within the scope of the terms of the written contract or agreement for the benefit of the named insured. ■ wrongful act means the following: 1. data privacy wrongful act; 2. network wrongful act; 3. professional services wrongful act; and 4. security wrongful act. Wrongful act also includes an interrelated wrongful act. Wrongful act includes any of the foregoing when caused by the acts of a rogue employee. ■ you or your mean, individually and collectively: 1. any named insured; 2. any past or present partner, executive officer, or any individual in an equivalent position of a named insured, including but not limited to individuals that hold management positions similar to an executive officer for any named insured that does not have a charter, constitution, by-laws or any other similar governing document, but only while performing their duties as such; 3. any past or present employee of the named insured but only while performing their duties as such; employee does not include a temporary worker; 4. any individual person who is an agent or independent contractor but only while acting within the scope of his or her contract worker agreement with the named insured; 5. a client that the named insured is required, in a written contract to perform enterprise services, to add as an additional insured under this policy. But the client is insured under this policy only if: a. the wrongful acts were committed by the named insured in the named insured's performance of enterprise services; FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 12 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford b. the written contract is entered before the wrongful act giving rise to the claim is committed; and c. there are no allegations of independent misconduct by the client. 6. any member or stockholder of the named insured; but this only applies with respect to their liability as a member or stockholder; or 7. the executors, administrators or legal representatives of each of you listed in items 1 through 6 above in the event of your death, incapacity or bankruptcy; but this only applies while performing their duties as such. Section III — Exclusions A. We will not pay damages, first party expenses, or claim expenses or defend any of you for any wrongful actor claim arising out of or in any way related to any actual or alleged: 1. bodily injury, sickness, disease or death sustained by a person; or mental anguish, emotional distress, mental injury, fright or shock when they result in or from bodily injury, sickness, disease or death; 2. physical damage to or physical loss of tangible property and any resulting loss, corruption or destruction of data or information, including all resulting loss of use of that property, data or information. However, this exclusion will not apply to: a. the loss, corruption or destruction of data or information when the tangible property on which the data or information is or was kept is not physically damaged or physically lost; and b. that portion of a claim due to a data privacy wrongful act as a result of the loss of the named insured's leased or owned computer hardware, including mobile, networked, and data storage equipment; 3. obligation which any of you may have to pay under any workers' compensation act, employer's liability law, unemployment compensation law, disability benefits law, or any similar law; or any foreign equivalent; 4. disruption of, surge in, fluctuation in or loss of: power, connectivity or communications. However, this exclusion will not apply to any of the foregoing when directly caused by a wrongful act committed by any of you; 5. withdrawal or recall of all or part of enterprise services from the marketplace. However,this exclusion will not apply to claims by third parties for the loss of use resulting from withdrawal or recall of enterprise services due to a wrongful act committed by any of you; 6. cost: overruns, guarantees, estimates or estimates being exceeded; 7. false, deceptive, fraudulent, intentionally misleading or misrepresenting statements in advertising; 8. sweepstakes, lotteries or other games of chance; or contests; 9. price fixing, or any other violation of: any securities, antitrust or restraint of trade laws, the Racketeer Influenced and Corrupt Organizations Act; any similar law; or any foreign equivalent; 10. Section 616 of the Fair Credit Reporting Act; any actual or alleged violation of Section 605(g) of the Fair Credit Reporting Act; 11. false, deceptive, or unfair business or trade practices; unfair competition; or violation of consumer protection laws, any similar law, or any foreign equivalent. However, this exclusion will not apply to that portion of a claim alleging the violation of a data privacy law; 12. violation or misuse of any intellectual property right, including but not limited to: a. infringement or dilution of:title, slogan, trademark, trade name, trade dress, service mark or service name; b. infringement of copyright, plagiarism or misappropriation of ideas; FS 00 0003 00 1016 FailSafe GIGA®Release 4.0 Page 13 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford c. piracy; d. patent infringement or patent misuse; or e. misuse, misappropriation or theft of trade secrets; 13. personal injury; 14. tortious interference with the contractual relationships of others; 15. discrimination, harassment or misconduct by any of you because of or relating to: race, creed, color, age, gender, sex, sexual preference or orientation, national origin, religion, disability, handicap, health condition, marital status, or any other class protected under federal, state, local or other law; or any similar law in a jurisdiction outside the United States of America; 16. acts or omissions by any of you regarding: a. refusal to employ; b. termination of a person's employment; c. employment-related practices, policies,acts or omissions;these include but are not limited to coercion,demotion, evaluation, re-assignment, discipline, defamation, harassment, humiliation or discrimination; or d. breach of fiduciary duty or other responsibility in connection with any employee benefit or pension plan; this includes but is not limited to violation of the duty or responsibility imposed on fiduciaries by the Employee Retirement Income Security Act of 1974 (ERISA) or any changes to that law; any similar law; or any foreign equivalent; 17. or threatened discharge, dispersal, seepage, migration, release or escape of pollutants or any loss, cost or expense arising out of any: a. request, demand, order or statutory or regulatory requirement that any of you or others test for, monitor, clean up, remove, contain,treat, detoxify or neutralize, or in any way respond to or assess the effects of pollutants; or b. claim or suit by or on behalf of a governmental authority for damages because of testing for, monitoring,cleaning up, removing, containing, treating, detoxifying or neutralizing, or in any way responding to, or assessing the effects of pollutants; or 18. electromagnetic radiation, including but not limited to magnetic energy, waves, fields, or forces. B. We will not pay damages or claim expenses or defend any of you for any claim made by or on behalf of: 1. any of you; however, this exclusion will not apply to claims made: a. by any of you described in items 3, 4 or 5 of the definition of you when the claim is made in their capacity as a client as a result of enterprise services performed by the named insured on their behalf; or b. against the named insured by any of you described in items 3 or 4 of the definition of you when the claim is the result of the named insured's failure to prevent identity theft or disclosure of nonpublic personal information. 2. any entity which is a parent, affiliate, subsidiary,joint venturer, co-venturer or other entity in which any of you owns an interest or is a partner, director, officer, sole proprietor, trustee or employee; 3. any entity affiliated with any of you through any common ownership or control; 4. any entity directly or indirectly controlled, operated or managed by any of you; or FS 00 0003 00 1016 FailSafe GIGe Release 4.0 Page 14 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford 5. any federal, state or local government body, subdivision or agency; any regulatory or licensing agency or bureau; or any foreign equivalent. However, this exclusion will not apply when the claim is made in their capacity as a client as a result of enterprise services performed by the named insured on their behalf. For the purposes of exclusions B.2 through 4 above, the words"owns,"'ownership or control' and "controlled" mean ten percent (10%) or more ownership of a publicly-held corporation or thirty percent (30%)or more ownership of a privately- held corporation, or ten percent (10%) or more of any other type of entity. C. We will not pay damages, first party expenses, or claim expenses for any wrongful act, cyber extortion threat, network intrusion, network outage, or claim arising out of or in any way related to any: 1. dishonest, fraudulent, criminal or intentional wrongful act or omission by any of you; or 2. material defect or bug known by any of you that could reasonably be expected to cause harm; when such act or knowledge is established by your admission or final adjudication by a jury, court or arbitrator. However,exclusions CA and 2 above do not apply to any of you who did not commit,acquiesce in, or remain passive after learning of the actions giving rise to the claim. For purposes of this exclusion, the knowledge, action or inaction of any executive officer, partner, or any individual in an equivalent position of a named insured, including any individual that holds a management position similar to an executive officer for named insureds that do not have a charter,constitution, by-laws or any other similar governing document,will be imputed to the applicable named insured. D. We will not pay damages, first party expenses, or claim expenses or defend any of you for any claim arising out of or in any way related to any actual or alleged wrongful act, cyber extortion threat, network intrusion, network outage, or claim that has been reported under any other policy, issued by any entity, when the inception date of that other policy preceded the Start Date of this policy. Section IV— Nuclear Energy Liability Exclusion A. We will not pay damages, first party expense, or claim expenses or defend any of you for any wrongful act or claim arising out of or in any way related to any: 1. actual,alleged or threatened discharge,dispersal,release or escape of nuclear material,nuclear waste or radiation;or 2. direction, request or voluntary decision to test for, abate, monitor, clean up, remove, contain, treat, detoxify or neutralize, nuclear material, nuclear waste or radiation. Section V — Limits Of Liability And Retention A. Limits of Liability 1. Each Wrongful Act Limit Subject to A.2 below,the Each Wrongful Act Limit stated in item 4 of the Declarations is the most we will pay for any combination of claim expenses and damages for the total of all claims made during the policy period, including any applicable Extended Reporting Period, arising from one wrongful act, regardless of the number of: a. you this policy covers; b. claims that are made; or c. persons or entities making claims. An interrelated wrongful act is subject to the Each Wrongful Act Limit. FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 15 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford 2. Aggregate Limit The Aggregate Limit stated in item 4 of the Declarations is the most we will pay for any combination of claim expenses and damages for the total of all claims made during the policy period, including any applicable Extended Reporting Period, regardless of the number of: a. you this policy covers; b. claims that are made; c. persons or entities making claims; or d. wrongful act that are committed. B. Retention for Each Wrongful Act The Retention stated in item 5 of the Declarations is the amount of money you must pay for covered damages and/ or claim expenses for each wrongful act before this policy will begin to pay. You may not insure the Retention. The Retention will not be reduced by the payment of any deductible amount or any amount retained by any of you under any other policy of insurance; and the Retention will not be reduced by any payment made on your behalf by another person or entity. The Retention will not reduce the Limits of Liability. You will pay the full amount of the Retention for each wrongful act to appropriate parties as directed by us. If we advance any such payments,you will reimburse us within thirty(30)days of our written demand. If you fail to make direct payments or to reimburse us as described above, all of you against whom the claim has been made and the named insured are individually and collectively responsible for paying us back for any advance payments we have made and for interest, attorney's fees and costs associated with our collection of the money. Section VI — Extended Reporting Periods A. Terms Applicable to Both Types of Extended Reporting Period An Extended Reporting Period changes the time within which a claim may be made against you and still be reported by you,and considered by us,for coverage in accordance with the terms of this policy.This policy has two types of Extended Reporting Periods: the Basic Extended Reporting Period and the Optional Extended Reporting Period. Both the Basic Extended Reporting Period and the Optional Extended Reporting Period: 1. provide coverage for claims that are first made against you during such applicable Extended Reporting Period, but: a. we will not pay damages or claim expenses or defend any of you for any wrongful act or claim arising out of or in any way related to any actual or alleged wrongful act that is committed during an Extended Reporting Period; and b. only if, there is no other insurance for the claim; 2. do not extend the policy period or add to the scope of coverage provided as of the end of the policy period; 3. do not reinstate or increase the Limits of Liability. The Limits of Liability for any Extended Reporting Period will be a part of, and not in addition to, the Limits of Liability listed in the Declarations for the policy period; 4. run concurrently(if the Optional Extended Reporting Period is purchased); and 5. are not renewable. B. Basic Extended Reporting Period We will automatically provide a Basic Extended Reporting Period if this policy is: 1. cancelled; FS 00 0003 00 1016 FailSafe GIGe Release 4.0 Page 16 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford 2. non-renewed; or 3. renewed by us with insurance that does not apply on a claims made or claims made and reported basis. The Basic Extended Reporting Period begins with the end of the policy period and lasts for ninety (90) days. C. Optional Extended Reporting Period 1. For an additional premium, we will offer an Optional Extended Reporting Period endorsement, unless this policy is cancelled for non-payment of premium or Retention or for your failure to comply with policy provisions. 2. If the Optional Extended Reporting Period endorsement is purchased,the Optional Extended Reporting Period begins with the end of the policy period and lasts for the period of time stated in the endorsement. 3. Optional Extended Reporting Period coverage is available only if: a. the first named insured has paid all premiums and Retentions due for this policy at the time the first named insured requests an Optional Extended Reporting Period endorsement; b. we receive the first named insured's written request for it within thirty (30) days after the end of the policy period; c. the first named insured gives us written acceptance of our offer within fifteen (15) days of the day that we make our offer; and d. we receive payment in full for the Optional Extended Reporting Period within thirty (30)days of the first named insured's acceptance of our offer. 4. Once in effect, the Optional Extended Reporting Period cannot be cancelled. We need not return any part of the premium paid for any reason whatsoever. 5. Premium for the Optional Extended Reporting Period will be determined by taking into account the following: a. the exposures insured; b. previous types and amounts of insurance; c. Limits of Liability available under this policy for future payment of wrongful acts and claim expenses; and d. other related factors. Section VII — Conditions A. Territory This policy applies to wrongful acts, cyber extortion threats, network intrusions, and denial of service attacks committed anywhere in the universe;except this policy does not apply when the claim is made,or the first party expenses are incurred, in a country against which the United States government has imposed trade sanctions, embargoes, or any similar regulations that prohibit the transaction of business with or within such countries at the time the claim is made or the first party expenses are incurred. B. Currency The currency of this policy is United States of America dollars. If damages, first party expenses, or claim expenses are paid in a currency other than United States dollars, payment will be considered to have been made in United States dollars at the rate of exchange that was used for the payment. If no actual currency exchange was made, then the rate of exchange will be the rate published in The Wall Street Journal on the day following the date that payment was made. FS 00 0003 00 1016 FailSafe GIGA®Release 4.0 Page 17 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford C. Bankruptcy Bankruptcy or insolvency of you or of your estate will not relieve us of our obligations under this policy. D. Cancellation 1. The first named insured may cancel this policy by mailing or delivering to us advance written notice of cancellation. 2. We may cancel this policy by mailing to the first named insured written notice of cancellation at least: a. ten (10)days before the cancellation is effective, if we cancel for non-payment of any premium when due; or b. sixty (60)days before the cancellation is effective, if we cancel for any other reason. 3. We will mail our notice to the address shown in the Declarations for the named insured. 4. Notice of cancellation by us will state when the cancellation is effective. The policy period will end on that date. 5. If this policy is cancelled, we will send the first named insured any premium refund due. If we cancel, the refund will be the pro-rata unearned premium. If the first named insured cancels, we will compute the return premium at ninety percent(90%)of the pro-rata unearned premium. 6. Proof of mailing will be sufficient proof of notice. 7. Premium adjustment may be made either at the time cancellation is effected or as soon as practicable after cancellation becomes effective. But payment or tender of unearned premium is not a condition of cancellation. E. When We Do Not Renew 1. If we decide not to renew this policy, we will mail written notice of non-renewal to the first named insured. We will mail the notice at least sixty(60)days before the policy period ends. 2. We will mail it to the address shown in the Declarations for the named insured. Proof of mailing will be sufficient proof of notice. 3. If we offer to renew this policy on the same or different terms and the first named insured does not accept our offer during the current policy period, this policy will expire at the end of the policy period. 4. If there is an inconsistency between the terms and conditions regarding the nonrenewal of this policy stated in a state amendatory endorsement attached to this policy and the terms and conditions of this When We Do Not Renew provision, we will apply those terms and conditions that are more favorable to you, where permitted by law. F. Entire Agreement This policy contains all the agreements between you and us concerning this insurance. G. Changes The first named insured is authorized by you to agree with us on all changes in the terms and conditions of this policy. This policy can only be changed by an endorsement that is issued by us. H. Duties in the Event of Wrongful Act or Claim 1. The named insured must notify us in writing as soon as practicable of a wrongful act or circumstance that may result in a claim under this policy. This requirement applies only when the wrongful act is known to: a. any person who is a named insured; FS 00 G003 00 1016 FailSafe GIGe Release 4.0 Page 18 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford b. any partner, executive officer, or any individual in an equivalent position of a named insured, including but not limited to individuals that hold management positions similar to an executive officer for any named insured that does not have a charter, constitution, by-laws or any other similar governing document; or c. any individual responsible for the insurance, legal, or financial matters of the named insured including but not limited to General Counsel, Risk Manager, or Insurance Manager of the named insured. 2. If during the policy period any of you first become aware of a wrongful act to which this policy applies which may result in a claim under this policy and give us written notice within the policy period of: a. the specific wrongful act, the date of the wrongful act and the name of the potential claimant; b. the damages which have or may result from the wrongful act; and c. the circumstances by which you first became aware of the wrongful act; then any claim first made arising out of the wrongful act will be deemed to have been made on the date we received written notice and therefore subject to items 3 and 4 below. All notices or correspondence regarding wrongful acts or claims must be sent to the address(es) or facsimile(s) indicated by endorsement to this policy. 3. If a claim is made against any of you, as soon as any specified insured knows of such a claim, you must: a. immediately record the specifics of the claim and the date received; b. immediately send us copies of all demands, notices, summonses and legal papers received in connection with the claim; c. authorize us to obtain records and other information; d. cooperate with us in the investigation, settlement, and defense of the claim; and e. assist us, upon our request, in enforcing any right against any person or entity that may be liable to you or the claimant because of damages to which this policy may also apply. 4. None of you will, except at your own cost, make a payment, assume any obligation, or incur any cost without our prior written consent. I. Legal Action Against Us No person or entity has a right under this policy: 1. to join us as a party or bring us into a suit asking for damages from you; or 2. to sue us under this policy unless all of its terms and conditions have been fully complied with. A person or entity may sue us to recover on an agreed settlement or on a final judgment against you obtained after an actual trial or other binding adjudication. But we will not be liable for claim expenses or damages that are not payable under the terms and conditions of this policy or that are more than the applicable Limit of Liability. An agreed settlement means a settlement that we agree to in writing. J. Mergers, Consolidations or Acquisitions 1. If, after the Start Date of this policy shown in the Declarations, the named insured: a. merges or consolidates with another entity; or FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 19 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford b. acquires more than fifty percent(50%)of the assets of another entity, and the named insured is the surviving entity, the entity merged or consolidated with or acquired by the named insured will be afforded coverage under this policy as a named insured for a period of ninety (90)days or until the expiration of this policy, whichever is less. 2. We may endorse this policy to provide coverage beyond the period of time indicated in item 1 above if, within ninety (90)days of the merger, consolidation or acquisition transaction, you have: a. provided us with full details of the transaction and any other additional underwriting information that we may require; b. agreed to any amendment of the terms and conditions of this policy by endorsement issued by us relating to such transaction; and c. agreed to and paid any additional premium for the endorsement related to such transaction. 3. This policy does not apply to any claim or first party expenses arising from or involving an entity that is merged or consolidated with or acquired by the named insured for any wrongful act, cyber extortion threat, network intrusion, or network outage that was committed when the first named insured did not own directly or indirectly more than fifty percent (50%)of the issued and outstanding voting stock of the entity. 4. The applicable retroactive date for an entity that was merged or consolidated with or acquired by the named insured will be the date of the merger, consolidation or acquisition by the named insured. We may endorse this policy to provide a different applicable retroactive date for the merged or consolidated with or acquired entity, if applicable information is provided to demonstrate similar coverage has been continuously maintained by the entity. 5. If after the Start Date of this policy shown in the Declarations: a. the first named insured merges or consolidates with another entity and the named insured is not the surviving entity; or b. more than 50% of the securities representing the right to vote for the first named insured's board of directors or managers is acquired by another person or entity, group of persons or entities, or persons and entities acting in concert; then coverage shall continue under this policy and any renewal or replacement hereof but only for wrongful acts occurring prior to any such transaction. The first named insured shall give us written notice and full, written details of such transaction as soon as practicable (but, in all cases, within ninety (90) days of such transaction). If any transaction described herein occurs, then we will not be obligated to offer any renewal or replacement of this policy. K. Other Insurance and Payments Available to You Coverage under this policy will apply only in excess of all other: 1. insurance, except for other insurance that is written specifically to apply in excess over this policy; 2. bonds, self-insured retentions, deductibles, indemnifications; or 3. similar agreements or payment options available to you whether they are stated to be primary, pro rata, contributory, contingent or otherwise. L. Payment of Premiums and Retention The first named insured must pay all premiums and Retentions when due. We will pay any return premiums to the first named insured. FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 20 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford M. Transfer of Rights of Recovery Against Others to Us You must do nothing to impair your rights to recover all or any part of any payment we have made under this policy, and those rights are transferred to us. At our request you will bring suit or transfer those rights to us and help us enforce them. Any recoveries will be paid first to reimburse the person or entity that paid the subrogation costs, then to us for the amount we have paid. Any amount that may remain will be paid to the first named insured. N. Transfer of Your Rights and Duties Under This Policy Your rights and duties under this policy may not be transferred without our written consent except in the case of death or bankruptcy. If you die or become bankrupt, your rights and duties will be transferred to your legal representative but only while acting within the scope of duties as your legal representative. Until your legal representative is appointed, anyone having proper temporary custody of your property will have your rights and duties but only with respect to that property. O. Representations and Statements By accepting this policy, you agree to all of the following: 1. the representations and statements contained in the application for coverage and other information submitted to us in applying for this policy are accurate and complete; they were made to induce our reliance upon them; 2. the representations and statements made to us in the application and other information submitted to us were made by the named insured on behalf of all of you;they are material to our decision to provide coverage;they are considered as incorporated in and constituting part of this policy; 3. we have issued this policy in reliance upon those representations and statements; 4. in the event the application or other information submitted to us contains misrepresentations or fails to state facts which affect our acceptance of the risk,the hazard assumed by us,the terms or conditions of the policy we offered or the premium we charged for this policy, we will not pay for any claim expenses, damages, or first party expenses relating to a wrongful act, claim, cyber extortion threat, network intrusion, or network outage under this policy; and 5. if you report any wrongful act, claim, cyber extortion threat, network intrusion, or network outage knowing it, or any of the representations and statements regarding the wrongful act, claim, cyber extortion threat, network intrusion, or network outage to be false or fraudulent, this insurance will not make payments for the wrongful act, claim, cyber extortion threat, network intrusion, or network outage. FS 00 G003 00 1016 FailSafe GIGA®Release 4.0 Page 21 of 21 46 TE 0323528-18 7/07/18 ©2016, The Hartford ENDORSEMENT NO:1 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. ADDRESS FOR WRONGFUL ACT OR CLAIM NOTIFICATION OR CORRESPONDENCE ENDORSEMENT You and we agree that: Section VII—Conditions is changed to add the following: All notices or correspondence regarding wrongful acts or claims must be sent to the attention of The Hartford Hartford Financial Products Claims Department to one or more of the following: By Mail: The Hartford Claims Department Hartford Financial Products 277 Park Avenue, 16th Floor New York, New York 10172 By email: HFPClaims6cDthehartford.com By facsimile: (917)464-6000 All other terms and conditions remain unchanged. Gj?t'�j Douglas Elliot, President FS 00 H026 00 1016 FailSafe Page 1 of 1 ©2016, The Hartford DISCLOSURE FORM CLAIMS-MADE POLICY IMPORTANT NOTICE TO POLICYHOLDER THIS DISCLOSURE FORM IS NOT YOUR POLICY.IT DESCRIBES SOME OF THE MAJOR FEATURES OF OUR CLAIMS- MADE POLICY FORM. READ YOUR POLICY CAREFULLY TO DETERMINE RIGHTS, DUTIES, AND WHAT IS AND IS NOT COVERED. ONLY THE PROVISIONS OF YOUR POLICY DETERMINE THE SCOPE OF YOUR INSURANCE PROTECTION. DEFINITIONS 1. claims-made policy means an insurance policy that provides coverage only if a claim is made during the policy period or any applicable extended reporting period.A claim made during the policy period could be charged against a claims- made policy even if the event (the "wrongful act")causing the claim occurred many years prior to the policy period. If a claims-made policy has a retroactive date, an event prior to that date is not covered. 2. extended reporting period means a period allowing for making and reporting claims after expiration of a claims-made policy. This is also known as a "tail." 3. occurrence policy means an insurance policy that provides liability coverage only for an event that occurs during the policy term, regardless of when the claim is actually made. A claim made in the current policy year could be charged against a prior policy year, or may not be covered, if it arises from an event prior to the effective date. 4. retroactive date means the date on a claims-made policy that denotes the commencement date of coverage for events under the policy. YOUR POLICY Your policy is a claims-made policy. It provides coverage only when the event occurs on or after the policy retroactive date (if any) shown on your policy and before the end of the policy period, and when the claim is first made against you and reported in writing to your insurer as soon as practicable in accordance with the terms of the policy. Upon termination of your claims-made policy, an extended reporting period option is available from your insurer. There is no difference in the kind of event covered by occurrence policies or claims-made policies. Claims for damages may be assigned to different policy periods, depending on which type of policy you have. PRINCIPAL BENEFITS This policy provides coverage for damages and claim expenses in excess of the retention because of a claim caused by a wrongful act in your performance of enterprise services, up to the maximum dollar limit specified in the policy. The principal benefits and coverages are explained in detail in your claims-made policy. Please read it carefully and consult your insurance producer about any questions you might have. EXCEPTIONS, REDUCTIONS AND LIMITATIONS Your claims-made policy contains certain exceptions, reductions and limitations. Please read them carefully and consult your insurance producer about any questions you might have. RENEWALS AND EXTENDED REPORTING PERIODS Your claims-made policy has some unique features relating to renewal, extended reporting periods and coverage for events with long periods of potential liability exposure. If there is a retroactive date in your policy, no event prior to that date will be covered under the policy even if a claim is made and reported during the policy period. It is therefore important for you to be certain that there are no gaps in your insurance coverage. These gaps can occur in several ways. Among the most common are: FS 00 H027 00 1016 FailSafe Page 1 of 2 ©2016, The Hartford 46 TE 0323528-18 7/07/18 1. If you switch from an occurrence policy to a claims-made policy,the retroactive date in your claims-made policy should be no later than the expiration date of the occurrence policy. 2. When replacing a claims-made policy with a claims-made policy, you should consider the following: a. The retroactive date in the replacement policy should extend far enough back in time to cover any events with long periods of liability exposure, or b. If the retroactive date in the replacement policy does not extend far enough back in time to cover events with long periods of liability exposure, you should consider purchasing extended reporting period coverage under the old claims-made policy. 3. If you replace this claims-made policy with an occurrence policy, you may not have insurance coverage for a claim arising during the period of claims-made unless you have purchased an extended reporting period under the claims-made policy. Extended reporting period coverage must be offered to you by law for at least one year after the expiration of the claims-made policy at a premium not to exceed 200% of your last policy premium. CAREFULLY REVIEW YOUR POLICY REGARDING THE AVAILABLE EXTENDED REPORTING PERIOD COVERAGE, INCLUDING THE LENGTH OF COVERAGE, THE PRICE AND THE TIME PERIOD DURING WHICH YOU MUST PURCHASE OR ACCEPT ANY OFFER FOR EXTENDED REPORTING PERIOD COVERAGE. FS 00 H027 00 1016 FailSafe Page 2 of 2 46 TE 0323528-187/07/18 ©2016, The Hartford ENDORSEMENT NO:3 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. ASBESTOS EXCLUSION You and we agree that: Section II — Definitions is changed to add the following: Asbestos hazard means an exposure or threat of exposure to the actual or alleged properties of asbestos and includes the mere presence of asbestos in any form. Section II —Definitions is changed to add the following: -- asbestos hazard, including any: 1. threatened loss, injury or damage of any nature or kind to persons or property which would not have occurred in whole or in part but for the asbestos hazard; 2. request, demand or order to test for, monitor, clean up, remove, encapsulate, contain, treat, detoxify or neutralize or in any way respond to or assess the effects of an asbestos hazard; or 3. testing for, monitoring, cleaning up, removing, encapsulating, containing, treating, detoxifying or neutralizing or in any way responding to or assessing the effects of an asbestos hazard. All other terms and conditions remain unchanged. q�MfJ2,3 fQ Douglas Elliot, President FS 00 H137 00 1016 FailSafe Page 1 of 1 ©2016, The Hartford ENDORSEMENT NO:4 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. UNSOLICITED SENDING OF INFORMATION EXCLUSION Section III — Exclusions, A., of the policy is amended by the addition of the following: -- Sending of information by fax, electronic mail (e-mail), or via any other means, where prohibited by law; All other terms and conditions remain unchanged. czaI&I f'"t Douglas Elliot, President FS 00 H141 00 1016 FailSafe° Page 1 of 1 ©2016, The Hartford ENDORSEMENT NO:5 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. ADDITIONAL YOU You and we agree that: Section II — Definitions is changed to add the following to the definition of you or your: 8. City of Cupertino, including its City Council, boards and commissions officers officials agents employees consultants and volunteers. as an additional you, but only if: a. the claim is caused by a wrongful act committed by the named insured, or by parties described in items 2 through 4 of the definition of you or your in Section II — Definitions, in the named insured's performance of enterprise services; and b. there are no allegations of independent misconduct by City of Cupertino, including its City Council boards and commissions, officers, officials agents, employees, consultants and volunteers.. Section III—Exclusions, Subsection B.1 is deleted and replaced with the following: 1. any of you; however, this exclusion will not apply to claims made: a. by any of you described in items 3, 4 or 5 of the definition of you when the claim is made in their capacity as a client as a result of enterprise services performed by the named insured on their behalf; b. against the named insured by any of you described in items 3 or 4 of the definition of you when the claim is the result of the named insured's failure to prevent identity theft or disclosure of nonpublic personal information; or c. by City of Cupertino, including its City Council, boards and commissions, officers officials agents employees consultants and volunteers. when the claim is made in their capacity as a client as a result of enterprise services performed by the named insured on their behalf. All other terms and conditions remain unchanged. (;�Oj?t,3 t Douglas Elliot, President FS 00 H301 00 1016 FailSafe Page 1 of 1 ©2016, The Hartford ENDORSEMENT NO:6 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. PRIOR ACTS LIMIT RESTRICTION ENDORSEMENT (ONE LIMIT CHANGE) You and we agree that: Solely with regards to the Limits of Liability stated in item 4 of the Declarations that are: A. $1,000,000 in excess of the first$1,000,000 under the Each Wrongful Act Limit B. $0 in excess of the first$2,000,000 under the Aggregate Limit Section III —Exclusions, is changed to add the following sub-section: We will not pay damages, first party expenses, or claim expenses or defend any of you for any actual or alleged wrongful act that occurred prior to: 11/28/17. Nothing in this endorsement is intended, nor shall it be construed, to: • increase the Limits of Liability under this Policy stated in item 4 of the Declarations, or • obligate or require us to pay damages, first party expenses, or claims expenses under this Policy in any amount exceeding the Limits of Liability under this Policy stated in item 4 of the Declarations. All other terms and conditions remain unchanged. (:;�M��j Douglas Elliot, President FS 00 H328 00 1016 FailSafe Page 1 of 1 ©2016, The Hartford ENDORSEMENT NO:7 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. FIRST PARTY EXPENSE ENDORSEMENT You and we agree that: The Limits of Liability stated in item 4 and the Retention Each Wrongful Act stated in item 5 of the Declarations Page are amended to add the following Limits of Insurance, Retentions, Waiting Periods, and Period of Restorations: First Party Aggregate Limit: $100,000 First Party First Party First Party First Party Expense Sublimits Retention Waiting Period Crisis Management Expense $100,000 $5,000 Cyber Investigation Expense $100,000 $5,000 Data Privacy Regulatory Expense $100,000 $5,000 Notification and Identity Protection Expense $100,000 $5,000 PCI Expense $N/A $N/A Cyber Extortion Expense $100,000 $5,000 Business Interruption Loss $N/A $N/A 0 hrs Dependent Business Interruption Loss $N/A $N/A 0 hrs Data Restoration Expense $N/A $N/A Period of Restoration Business Interruption Loss 0 days Dependent Business Interruption Loss 0 days The Retroactive Date stated in item 3. of the Declarations Page is amended to add the following: First Party Retroactive Dates Crisis Management Expense 07/07/17 Cyber Investigation Expense 07/07/17 Data Privacy Regulatory Expense 07/07/17 Notification and Identity Protection Expense 07/07/17 PCI Expense N/A The above First Party Aggregate Limit and First Party Sublimits are all sublimits of insurance that are part of,and not in addition to, the Aggregate Limit stated in item 4 of the Declarations. If the space for any of the above First Party Sublimits is left blank or indicated as"N/A", then there is no coverage for that First Party Expense. If the space for a First Party Retention is left blank or indicated as"N/A",the applicable First Party Retention will be the same as the Retention Each Wrongful Act stated in item 5 of the Declarations. If the space for a First Party Waiting Period is left blank, the applicable Waiting Period will be 12 hours. If the space for a Period of Restoration is left blank, the applicable Period of Restoration will be 30 days. FS 00 H604 00 1016 FailSafe Page 1 of 5 ©2016, The Hartford ENDORSEMENT NO: 7 Section I —Coverage, Subsection A. Insuring Agreement is amended to add: First party expenses elected below are subject to the applicable First Party Sublimit, the First Party Aggregate Limit and the Aggregate Limit stated in Item 4 of the Declarations, and are in excess of the applicable First Party Retention and Waiting Period. Where applicable, they are also subject to a period of restoration. The following first party expenses are provided if: (i) designated with an 'X' hereon, (ii) a limit is specified for the applicable First Party Sublimit stated on page 1 of this endorsement, and (iii) you receive our prior written consent for such first party expenses: ❑X Crisis Management Expenses Coverage We will reimburse the named insured for crisis management expenses that directly result from a data privacy wrongful act. X❑ Cyber Investigation Expenses Coverage We will reimburse the named insured for cyber investigation expenses that directly result from a data privacy wrongful act. XI Data Privacy Regulatory Expenses Coverage We will reimburse the named insured for data privacy regulatory expenses that directly result from a data privacy wrongful act. ❑X Notification and Identity Protection Expenses Coverage We will reimburse the named insured for notification and identity protection expenses that directly result from a data privacy wrongful act. ❑ PCI Expenses Coverage We will reimburse the named insured for pci expenses that the named insured becomes legally obligated to pay as a direct result of a data privacy wrongful act or network wrongful act. ❑X Cyber Extortion Expenses Coverage We will reimburse the named insured for cyber extortion expenses that directly result from a cyber extortion threat communicated to the named insured by a person or group, who is not insured under this policy. ❑ Business Interruption Loss Coverage We will reimburse the named insured for business interruption loss during the period of restoration,as a direct result of the named insured's network outage. ❑ Dependent Business Interruption Loss Coverage We will reimburse the named insured for business interruption loss during the period of restoration,as a direct result of a third party service provider's network outage. ❑ Data Restoration Expense Coverage We will reimburse the named insured for data restoration expenses, as a direct result of the network intrusion. FS 00 H604 00 1016 FailSafe Page 2 of 5 ©2016, The Hartford ENDORSEMENT NO: 7 Section I —Coverage, Subsection C. When We Insure is amended to add: The coverage for first party expenses offered under this policy apply only if the following applicable terms are met: 1. the wrongful act is first committed on or after the applicable Retroactive Date and before the end of the policy period; 2. the wrongful act is first discovered by you during the policy period and is reported to us in writing as soon as practicable but no later than sixty (60)days from the discovery of the wrongful act by a specified insured; 3. the cyber extortion threat or network outage first occurs during the policy period and is reported to us in writing by you as soon as practicable but no later than sixty (60) days from the date the cyber extortion threat or network outage occurs; 4. the network intrusion is discovered by you during the policy period and is reported to us in writing by you as soon as practicable but no later than sixty (60)days from the date the network intrusion is discovered; and 5. prior to surrendering cyber extortion payments or the surrendering of property or other consideration as payment, the named insured conducts a reasonable investigation and reasonably determines that the threat is technologically credible. There is no coverage under this endorsement arising out of any data privacy wrongful acts, cyber extortion threats, network intrusions, network outages,or network wrongful act occurring during any Extended Reporting Period offered under this policy. No Extended Reporting Period available to any of you shall apply to any first party expenses. None of you will, except at your own cost, make a payment,assume any obligation, or incur any cost without our consent. The named insured shall obtain prior written approval from us prior to incurring first party expenses. All notices or correspondences regarding wrongful acts, cyber extortion threats, network intrusions, or network outages, must be sent to the address(es) or facsimile(s) indicated by endorsement to this policy. If a wrongful act, cyber extortion threat, network intrusion, or network outage occurs, you must: 1. immediately record the specifics of the wrongful act,cyber extortion threat, network intrusion, or network outage, and the date it occurred; 2. immediately send us copies of all applicable demands, notices, summonses and legal papers received in connection with the wrongful act, cyber extortion threat, network intrusion, or network outage; 3. authorize us to obtain records and other information; 4. cooperate with us in the investigation of the wrongful act, cyber extortion threat, network intrusion, or network outage; and 5. assist us, upon our request, in enforcing any right against any person or entity that may be liable to you for the first party expenses that may be applicable to this coverage endorsement. Section III— Exclusions, is amended in the following manner: Subsection A, item 2. is amended to add the following: However,this exclusion will not apply to first party expenses covered hereunder as a result of the loss of the named insured's leased or owned computer hardware including mobile, networked, and data storage computing equipment; Subsection A., item 11. is amended to add the following: However, this exclusion will not apply to first party expenses covered hereunder that the named insured pays as a direct result of a data privacy wrongful act; FS 00 H604 00 1016 FailSafe Page 3 of 5 ©2016, The Hartford ENDORSEMENT NO: 7 Section III—Exclusions, is amended to add the following: We will not pay first party expenses arising out of or in any way related to any actual or alleged: --- collection, processing, analysis, or sale of nonpublic personal information without the authorization of the person from whom such information is collected, or the failure to provide adequate notice that such information is collected, processed, analyzed, or sold in violation of data privacy laws, if any specified insured knew of such activity regarding the purposes for which nonpublic personal information is collected and used; --- shortcoming in the named insured's computer system and network that a specified insured knew about prior to the inception date of this policy; --- intentional failure by you to disclose unauthorized access to or the loss of nonpublic personal information arising from a data privacy wrongful act or network wrongful act, including but not limited to the intentional failure to provide any required notices in connection with any part of a data privacy wrongful act, if any specified insured knew of such data privacy wrongful act or network wrongful act; or --- inability to use or lack of performance of software due to expiration, cancellation or withdrawal of such software; Section V— Limits of Liability and Retention, Subsection A. Limits of Liability is amended to add: 3. First Party Aggregate Limit Subject to A.2 of Section V — Limits of Liability and Retention, the First Party Aggregate Limit indicated in this endorsement is the most we will pay for the total of all first party expenses that apply to this policy, regardless of the number of: a. named insureds this policy covers; or b. wrongful acts, cyber extortion threats, network intrusions, or network outages that occur. The First Party Aggregate Limit is a sublimit of insurance that is part of, and not in addition to, the Aggregate Limit stated in item 4 of the Declarations. 4. First Party Sublimits Subject to A.2 and A.3 of Section V—Limits of Liability and Retention,the First Party Sublimit stated for each first party expense indicated in this endorsement is the most we will pay for each applicable first party expense, regardless of the the number of: a. named insureds this policy covers; or b. wrongful acts, cyber extortion threats, network intursions, or network outages that occur. The First Party Sublimits are all sublimits of insurance that are part of, and not in addition to, the First Party Aggregate Limit referenced in item 3 above and also the Aggregate Limit stated in item 4 of the Declarations. Section V—Limits of Liability and Retention is amended to add: C. First Party Retentions The First Party Retention stated for each first party expense indicated in this endorsement is the amount of money the named insured must pay for each applicable covered first party expense arising from a wrongful act, cyber extortion threat, network intrusion, or network outage before this policy will begin to pay. You may not insure a First Party Retention. A First Party Retention will not be reduced by the payment of any deductible amount or any amount retained by any of you under any other policy of insurance; and a First Party Retention will not be reduced by any payment made on your behalf by another person or entity. A First Party Retention will not reduce the applicable First Party Sublimit or the First Party Aggregate Limit. FS 00 H604 00 1016 FailSafe° Page 4 of 5 ©2016, The Hartford ENDORSEMENT NO: 7 If multiple first party expenses arise from the same wrongful act, network intrusion, cyber extortion threat or network outage,the retention for each applicable first party expense will be applied separately. However,with respect to all first party expenses other than Business Interruption Loss and Dependent Business Interruption Loss, the sum of such First Party Retentions shall not exceed the largest such applicable Retention. With respect to Business Interruption Loss and Dependent Business Interruption Loss, the Retention shall also apply after the applicable Waiting Period. All other terms and conditions remain unchanged. Douglas Elliot, President FS 00 H604 00 1016 FailSafe Page 5 of 5 ©2016, The Hartford ENDORSEMENT NO:8 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. WAR, HOSTILE LOSS OR TERRORISM EXCLUSION You and we agree that: Section II— Definitions is changed to add the following: Hostile loss means: 1. confiscation, nationalization, requisition, seizure, destruction of or damage to property of any nature, tangible or intangible, infrastructure or service; 2. interruption or termination of services; or 3. use of military or usurped power or the imposition of martial law by or under the order of any governmental or other authority;terrorist; or military or armed person or group Terrorism means any act against any person, organization or property of any nature,tangible or intangible, infrastructure or service: 1. that involve the following or preparation for the following: a. use or threat of force or violence; or b. commission or threat of a dangerous act; or c. commission or threat of an act that interferes with or disrupts an electronic, communication, information or mechanical system; and 2. when one or both of the following applies: a. the effect is to intimidate or coerce a government or the civilian population or any segment thereof, or to disrupt any segment of the economy; or b. it appears that the intent is to intimidate or coerce a government, or to further political, ideological, religious, social or economic objectives or to express (or express opposition to)a philosophy or ideology. B. The following exclusion is added: Section III — Exclusions, Subsection A is changed to add the following: We will not pay for damages, first party expenses, or claim expenses or defend any of you for any wrongful act or claim arising out of or in any way related to any actual or alleged: 1. war, including undeclared or civil war; or FS 00 H900 00 1016 FailSafe Page 1 of 2 ©2016, The Hartford ENDORSEMENT NO: 8 2. warlike action, including action in hindering or defending against an actual, threatened or expected attack, by a military force, any government, sovereign or other authority using military personnel or other agents; or 3. insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these; 4. hostile loss, including any action taken in hindering or defending against an actual or expected hostile loss; or 5. terrorism, including any action taken in hindering or defending against an actual, or expected incident of terrorism regardless of any other cause or event that contributes concurrently or in any sequence to the wrongful act or claim. However, with respect to terrorism, this exclusion only applies to claims arising from activities: (a) determined by any government body or government official to be an act of terrorism; or (b) that We reasonably believe to be committed on behalf of, in concert with or at the behest of an organization, group, cell or network listed in Executive Order 13224 or any addition thereto or replacement thereof; including an organization, group, cell or network which is added to such order as a result of the act of terrorism. All other terms and conditions remain unchanged. C/a OT Douglas Elliot, President FS 00 H900 00 1016 ©2016, The Hartford Page 2 of 2 ENDORSEMENT NO:9 This endorsement, effective 12:01 am, 7/07/18 forms part of policy number 46 TE 0323528-18 issued to: CITY DATA SERVICES LLC by: HARTFORD FIRE INSURANCE CO. THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. CALIFORNIA CHANGES You and we agree that: The definition of Damages in Section II — Definitions, is amended to add the following: This policy does not provide coverage for punitive, exemplary or multiplied damages in the State of California. All other terms and conditions remain unchanged. (;�Oy Z" Douglas Elliot, President FS 04 H004 00 1016 FailSafe° Page 1 of 1 ©2016, The Hartford IMPORTANT INFORMATION TO POLICYHOLDERS In the event you need to contact someone about this policy for any reason, please contact your producer. If you have additional questions, you may contact the insurance company issuing this policy at the following address and telephone number: THE HARTFORD PRODUCT SERVICES HARTFORD FINANCIAL PRODUCTS 277 PARK AVENUE 15T"FLOOR NEW YORK, NEW YORK 10172 1-212-277-0400 If you have a problem with your insurance company,its producer or representative that has not been resolved to your satisfaction, please call or write to the Department of Insurance. Consumer Services Division California Department of Insurance 300 South Spring Street 14`h Floor Los Angeles, CA 90013 1-800-927-4357 or-1-213-897-8921 Written correspondence is preferable so that a record of your inquiry can be maintained. When contacting your producer, company or the Bureau of Insurance have your policy number available. ILNP 85 14 03 89 CA EL 04 R111 01 0505 _"t THE HARTFORD U.S. DEPARTMENT OF THE TREASURY, OFFICE OF FOREIGN ASSETS CONTROL ("OFAC") ADVISORY NOTICE TO POLICYHOLDERS No coverage is provided by this Policyholder Notice nor can it be construed to replace any provisions of your policy. You should read your policy and review your Declarations page for complete information on the coverages you are provided. This Notice provides information concerning possible impact on your insurance coverage due to directives issued by the United States. Please read this Notice carefully. The Office of Foreign Assets Control ("OFAC")of the U.S. Department of the Treasury administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S.jurisdiction. OFAC publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals and Blocked Persons" or"SDNs". Their assets are blocked and U.S. persons are generally prohibited from dealing with them. This list can be located on OFAC's web site at— http//www.treas.ciov/ofac. In accordance with OFAC regulations, if it is determined that you or any other insured, or any person or entity claiming the benefits of this insurance has violated U.S. sanctions law or is an SDN, as identified by OFAC, the policy is a blocked contract and all dealings with it must involve OFAC. When an insurance policy is considered to be such a blocked or frozen contract, no payments nor premium refunds may be made without authorization from OFAC. HG 00 H129 00 1016 ©2016, The Hartford Page 1 of 1 THE I Md' HARTFORD IMPORTANT NOTICE TO POLICYHOLDERS (CYBER LIABILITY COVERAGE) Access to The Hartford Cyber Center Thank you for choosing The Hartford to meet your cyber insurance needs. We recognize that that you are likely faced with complex challenges in a fast-evolving cyber landscape and—like many of your competitors—you're looking to protect assets and manage comprehensive information security and privacy programs. In addition to your cyber insurance policy, The Hartford provides you with access to a proprietary web portal that can help manage cyber-related exposures. Through The Hartford Cyber Center, policyholders can have access to: • A panel of third party incident response service providers • Third party cybersecurity service providers and a list of approved services • Risk management tools, including self-assessments, best practice guides, templates, and sample incident response plans • White papers, blogs and webinars from leading privacy and security practitioners • Up-to-date cyber-related news and events, including examples of privacy and security related events To access The Hartford Cyber Center. 1. Visit www.thehartford.com/cybercenter 2. Enter policyholder information 3. Access code: 952689 4. Login to The Hartford Cyber Center Please be advised of the following: • The Hartford Cyber Center is a proprietary web portal exclusively provided to our valued policyholders. Please do not share the access code with anyone outside of your organization. • Registration is required to access the The Hartford Cyber Center. While the policyholder can register as many users as necessary, risk managers, general counsel, security or privacy leaders are appropriate candidates for registration. • The Hartford Cyber Center enables you to access third party service provider references and materials for educational purposes only.The Hartford does not specifically endorse any such service provider within The Hartford Cyber Center and hereby disclaims all liability with respect to use of, or reliance on, such service providers.All service providers are independent contractors and not agents or affiliates of The Hartford. The Hartford does not warrant the performance of the service providers. We strongly encourage all policyholders to conduct their own assessments of the service providers' services and the fitness or adequacy of such services for the particular policyholder's needs. • Contacting a service provider about any issue does not constitute providing The Hartford with notice under your policy. Proper notice is just one important requirement of coverage. HG 00 H127 00 0516 ©2015, The Hartford Page 1 of 2 • Please read your policy. All questions concerning the coverage terms, conditions and exclusions of your policy, including any policyholder obligations related thereto, should be addressed to your agent or broker. • This Notice does not amend or otherwise affect the provisions of any insurance policy. HG 00 H127 00 0516 ©2015, The Hartford Page 2 of 2 THE HARTFORD Producer Compensation Notice You can review and obtain information on The Hartford's producer compensation practices at www.thehartford.com or at 1-800-592-5717. F-5267-0 HR 00 H093 00 0207 ©2007, The Hartford Page 1 of 1 46 TE 0323528-18 7/07/18