The URL can be used to link to this page

21-015 Intersections, Inc., dba Aura, Data Breach Agreement Aura Confidential Information – Data Breach Agreement DATA BREACH AGREEMENT This Data Breach Agreement (the “Agreement”) is entered into on the last date signed below (the “Effective Date”), by and between Intersections Inc. d/b/a Aura, a Delaware corporation with its principal place of business at 2553 Dulles View Dr., Suite 400, Herndon, VA 20171 (“Aura”), and City of Cupertino, a California municipality with its principal place of business at 10300 Torre Avenue, Cupertino, CA 95014 (“Client”). RECITALS 1. Aura provides certain personal credit monitoring and identity protection products and services for consumers (the “Services”). 2. Client wishes for Aura to provide certain of those services to certain consumers under certain specialized circumstances as set forth in an applicable written program exhibit to this Agreement. THEREFORE, for good and valuable consideration the receipt and sufficiency of whi ch each party acknowledges, the parties agree to the following terms and conditions: TERMS AND CONDITIONS 1. Offering of the Services. Aura will provide certain Services as set forth in the Program Exhibit attached hereto as Exhibit A and as may be otherwise agreed by the parties in a further Program Exhibit (Exhibit A, and each such further Program Exhibit, a “Program Exhibit”), to Client and to individuals identified by Client whose personal data was or may have been compromised by one or more security breaches or unauthorized information disclosures at Client and who are identified to Aura by Client (each an “Affected Consumer”). Each Affected Consumer must be an individual with a valid U.S. mailing address, be at least 18 years of age and have a Social Security Number. Each party shall fulfill its responsibilities as set forth in the applicable Program Exhibit. Client shall not offer the Services to any Affected Consumer except as specified in a Program Exhibit. In the event of any conflict between a Program Exhibit and a provision of this Agreement, this Agreement prevails, unless the Program Exhibit states expressly that it overrides the Agreement with respect to that provision. 2. Enrollment. Aura may enroll Affected Consumers in the Services (“Complimentary Customer(s)”) in its sole discretion. Client shall not purport to enroll any Complimentary Customer in the Services, or collect information from any Complimentary Customer for such purpose or otherwise in connection with the Services, except as may otherwise be approved in writing by Aura. Aura Confidential Information – Data Breach Agreement 2 3. Taxes. Some of our Services may be taxable in certain states, provided Aura has not deemed the Client to be a reseller of Aura Services, all fees and charges payable by the Client may include applicable taxes and duties charged by Aura, including value added taxes and applicable sales tax which the Client is responsible for paying. If the Client is legally entitled to an exemption from any sales, use, or similar transaction t ax, Client must provide Aura with legally sufficient tax exemption certificates for each taxing jurisdiction. Once Aura has received, reviewed and approved such documentation, Aura will apply the tax exemption certificates to charges under the Client’s account occurring after the date Aura receives the tax exemption certificates. If any deduction or withholding is required by law, the Client will notify Aura and will pay Aura any additional amounts necessary to ensure that the net amount that Aura receives after any deduction and withholding, equals the amount Aura would have received if no deduction or withholding had been required. Additionally, the Client will provide Aura with documentation showing that the withheld and deducted amounts have been paid to the relevant taxing authority. Aura reserves the right to pass through to the Client any additional fees or charges created by a change in regulation, tax law (including, but not limited to, changes in taxability of a product or service or changes in requirements of businesses to collect such taxes), similar change in policy by a taxing authority, or a change in the nature of our business that requires Aura to collect such taxes under applicable law that we were not required to collect before such change i n the nature of our business. 4. Payments. Each party shall make any payments required under a Program Exhibit in accordance with the Program Exhibit. Client will pay Aura for the services set forth in Exhibit A, and in Appendix 1 to Exhibit A, which amount shall not exceed $7,985.00. Except as otherwise set forth in a Program Exhibit, all payments are due no more than 30 days after invoice date. Late payments bear interest of the lesser of 1.5% per month or the maximum amount permitted at law. Each party shall be responsible for paying any tax, duty or similar charge levied by or payable to a duly constituted taxing authority against or upon revenue collected or received by that party under this Agreement. 5. Term. 5.1. Term. This Agreement shall continue for one year from the Effective Date unless either party terminates this Agreement with at least thirty (30) days prior written notice. Termination of this Agreement shall terminate any and all Program Exhibits under this Agreement. 5.2. Termination. Either party may terminate this Agreement for breach upon immediate written notice if the other party fails to cure a material breach more than 30 days after delivery by the terminating party of written notice stating its intent to terminate and reasonably describing the breach. Either party at its option may terminate this Agreement by written notice to the other party in the event the other party: (A) makes a general assignment for the benefit of creditors; (B) suffers or permits appointment of a trustee or receiver for its business or assets, if Aura Confidential Information – Data Breach Agreement 3 the trustee or receiver is not dismissed within 60 days; (C) becomes subject to a voluntary or involuntary bankruptcy proceeding, if the proceeding is not dismissed within 60 days; or (D) is liquidated voluntarily or otherwise. 5.3. Compliance. Aura may upon written notice to Client suspend or terminate any provision of this Agreement to the extent reasonably necessary to comply with any (A) law, regulation, government agency, ruling or directive applicable to the Services, or (B) requirement, a consumer reporting agency or other third party that supplies data or software, which software agreement, including without limitation failure of the consumer reporti ng agency or third party to supply such data or termination of the applicable supply agreement. 5.4. Service End-of-Life. Aura may elect at its sole discretion to substitute or terminate certain Services provided to the Client and/or Complimentary Customer. In such event, Aura will use commercially reasonable efforts to: (i) substitute substantially similar services in lieu of the Services being replaced; and (ii) minimize the impact resulting from such changes on the Complimentary Customer. Aura will provide Client with notice before terminating a Service or substituting a replacement Service. 5.5. Effects of Termination. Upon expiration or termination of this Agreement, (A) all licenses granted under the Agreement, and any authorization of Client to offer the Services, immediately terminate, and (B) each party shall cease use of, and destroy or return to the other party, any tangible or intangible material containing Confidential Information of the other party. Notwithstanding termination of the Agreement, Aura may, at its option, continue to provide the Services to any Complimentary Customer of the Services in accordance with the Agreement until such Complimentary Customer’s enrollment in the Services terminates or expires without renewal. The parties’ rights and obligations under the Agreement applicable to provision of the Services to those Complimentary Customers that Aura continues to service, including without limitation the payment of fees, commissions and expenses, remain in effect until Aura ceases to provide the Services to those Complimentary Customers. 5.6. Survival. If the term stated in a Program Exhibit exceeds the initial term and agreed upon renewal term of this Agreement, then this Agreement shall survive as applicable to that Program Exhibit until the Program Exhibit expires or is terminated, unless the Agreement is terminated under Section 5.2 above. Sections 4, 6, and 8 through 12 and any payment obligation incurred prior to the effective date of expiration or termination of the Agreement, and any provision of a Program Exhibit which states expressly that it survives termination of the Program Exhibit, survive expiration or termination of the Agreement. 6. Information. 6.1. Confidential Information Defined. For purposes of this Agreement, “Confidential Information” means information of a party (the “Disclosing Party”) that is disclosed to the other Aura Confidential Information – Data Breach Agreement 4 party (the “Receiving Party”) by or on behalf of the Disclosing Party during the term of this Agreement, including without limitation trade secrets, know-how, inventions, techniques, processes, algorithms, computer software programs, schematics, financial and business data, projections and plans, operational plans and details, and designs. “Confidential Information” also includes the terms and conditions of this Agreement. Notwithstanding anything to the contrary in this Section 6.1 “Confidential Information” does not include information that (A) is or becomes generally available to the public through no act or omission of the Receiving Party: (B) was in the Receiving Party's lawful possession prior to receipt from the Disclosing Par ty; (C) is lawfully disclosed to the Receiving Party by a third party without violation of any right of the Disclosing Party; or (D) is independently developed by the Receiving Party. 6.2. Obligations. The Receiving Party may not: A. Use the Disclosing Party's Confidential Information other than for performance under this Agreement; or B. Disclose the Disclosing Party’s Confidential Information to any third party without the Disclosing Party’s written consent, except (1) to the Receiving Party’s attorneys or accountants under a professional duty of confidentiality to the Disclosing Party; (2) to the Receiving Party’s contractor under the contractor’s written agreement to use and disclose the information only as permitted under this Agreement, provided the Receivi ng Party remains liable for, and shall take all steps reasonably required to enforce, the contractor’s compliance with those obligations, or (3) as required under applicable law, regulation or court order, provided that the Receiving Party gives the Disclosing Party reasonable notice prior to such disclosure to the extent circumstances reasonably permit. 6.3. Client acknowledges and agrees that all Complimentary Customer Information will be subject to the privacy policy distributed to Complimentary Customers by Aura. Aura may use Complimentary Customer Information only in accordance with its privacy policy and applicable law. Client may use Complimentary Customer Information only in order to perform services or functions on behalf of Aura as set forth in a Program Exhibit or as further agreed by the parties in writing. Each party shall develop, implement and maintain a comprehensive information security program to safeguard Complimentary Customer Information in accordance with 16 C.F.R. Part 314 and disclose the information about its safeguards as reasonably requested by the other party. Neither party’s obligations under this Section 6.3 apply to information in the possession of or obtained by that party independent of the Services. “Complimentary Customer Information” means any “nonpublic personal information,” as that term is defined in the Gramm - Leach-Bliley Act, 15 U.S.C. § 6809(4), received or obtained by a party about an actual or prospective Complimentary Customer. Notwithstanding anything to the contrary in the foregoing, however, Complimentary Customer Information does not include information obtained or received by a party independent of this Agreement, even if that information is the Aura Confidential Information – Data Breach Agreement 5 same as or similar to informa tion obtained or received by the party in connection with this Agreement. 7. Other Intellectual Property. Client acknowledges and agrees that Aura is and shall remain the sole owner of each of Aura’s trademark, service mark, copyright, patent right, or other intellectual property right under which the Services are marketed (the “Aura Trademarks”) and any and all right, title and interest, including without limitation any patent, copyright or trade secret right, in any invention, discovery, process, method or work of authorship used or provided by Aura in connection with the Services, including any advertising provided by Aura to Client, or any derivative work or improvement of any of the foregoing (collectively with the Aura Trademarks, the “Aura Intellectual Property”). Aura grants Client a nonexclusive, nontransferable, non-sublicensable license, during the Term, to use and display the Aura Trademarks identified in the applicable Order or otherwise approved by Aura in writing in the Territory (as defined in the applicable Order) for the sole purpose of performing under this Agreement. Client acknowledges and agrees that, by virtue of use of the Aura Intellectual Property, Client does not acquire any right, title or interest in the Aura Intellectual Property and that all use of the Aura Intellectual Property inures to the benefit of Aura. 8. Representations and Warranties. 8.1. Mutual Representations and Warranties. Each party represents and warrants to the other as follows: A. It is a legal entity organized and existing as specified in the preamble of this Agreement above, with all right and authority necessary to enter and perform under this Agreement; B. This Agreement has been duly entered into by it; C. Its performance under this Agreement does not violate any law, regulation, court order or material agreement to which it is subject; and D. It has not and will not provide or use in connection with this Agreement any (1) Trademark in violation of any right of a third party in a Trademark; or (2) Intellectual Property in violation of any third-party patent, copyright, trade secret or other proprietary or intellectual property right. 8.2. Exclusions. THE REPRESENTATIONS AND WARRANTIES SPECIFIED IN THIS SECTION 8.2 ARE THE SOLE WARRANTIES MADE BY ANY PARTY IN CONNECTION WITH THE SUBJECT MATTER OF THIS AGREEMENT, AND ARE MADE TO AND FOR THE BENEFIT OF THE OTHER PARTY ONLY. NEITHER PARTY MAKES ANY OTHER REPRESENTATION OR WARRANTY OF ANY KIND WHATSOEVER, WHETHER EXPRESS, Aura Confidential Information – Data Breach Agreement 6 IMPLIED, STATUTORY, OR ARISING FROM COURSE OF DEALING OR PERFORMANCE, AND HEREBY DISCLAIMS AND EXCLUDES FROM THIS AGREEMENT ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, NONINTERFERENCE WITH DATA, ACCURACY, OR THAT THE SERVI CE IS ERROR-FREE. 9. Indemnification. 9.1. Obligations. Each party agrees to defend, indemnify and hold harmless the other party and each of its employees, agents, officers, directors and shareholders, from and against any claim, suit, demand, or action, including without limitation reasonable attorneys’ fees (each and collectively, a “Claim”): A. Arising from breach by the indemnifying party of its obligation or warranty under this Agreement; B. Alleging that use in accordance with this Agreement of: (1) a Trademark provided by the indemnifying party infringes or violates the right of a third party in a Trademark, or (2) Intellectual Property provided by the indemnifying party infringes or violates a third party’s right in Intellectual Property, including without limitation a patent, copyright, trade secret right; or C. Alleging that use of information, including without limitation Complimentary Customer Information, provided by the indemnifying party violates a law or regulation related to privacy or a third party’s confidentiality or privacy right. 9.2. Procedures. Any person or entity seeking to be defended, indemnified or held harmless under this Section 9.2 must: A. Give the indemnifying party prompt notice of the Claim; B. Cooperate reasonably in defense of the Claim; and C. Allow the indemnifying party sole control of the defense; provided that the indemnified person or entity may participate in the defense, at its own expense, and the indemnifying party may not consent to any agreement, order or relief that imposes any obligation on the indemnified person or entity without the indemnified person’s or entity’s written consent. 10. Liability Limitations. EXCEPT IN THE EVENT OF BREACH BY A PARTY OF ITS OBLIGATIONS WITH RESPECT TO CONFIDENTIAL INFORMATION OR PRIVACY, UNAUTHORIZED USE OF INTELLECTUAL PROPERTY OR A TRADEMARK, OR LIABILITY UNDER SECTION 8 ABOVE: (A) IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY Aura Confidential Information – Data Breach Agreement 7 INDIRECT, EXEMPLARY, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS OR OTHER ECONOMIC LOSS, LOST REIMBURSEMENTS, AND LOST DATA, OR FOR ANY CLAIM BY ANY THIRD PARTY, EVEN IF THE BREACHING PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR CLAIM; AND (B) EACH PARTY’S CUMULATIVE LIABILITY FOR BREACH UNDER THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF THE AMOUNT OF FEES OR COMMISSIONS (1) PAID DURING THE 24 MONTHS PRECEDING THE MONTH IN WHICH THE CLAIM ARISES OR (2) DUE UNDER THE AGREEMENT WHEN THE CLAIM ARISES. 11. Insurance. Aura shall comply with the Insurance Requirements, attached and incorporated here as Exhibit B, and must maintain the insurance for the duration of the Agreement. Client will not execute the Agreement until Client approves receipt of satisfactory certificates of insurance and endorsements evidencing the type, amount, class of operations covered, and the effective and expiration dates of coverage. 12. Miscellaneous. 12.1. Independent Contractors. Each party is an independent contractor of the other under this Agreement. This Agreement is not intended to create any other relationship between the parties, including without limitation any employment, agency, partnership, joint venture or fiduciary relationship. 12.2. Assignment. This Agreement binds and inures to the benefit of each party’s permitted successors and assigns. Neither party may assign this Agreement without the express prior written consent of the other, which consent shall not be unreasonably withheld or delayed. Notwithstanding the foregoing, a party may assign this Agreement, without the other party’s consent, to an Affiliate, or to an entity that acquires all of the stock, or substantially all of the assets, of the assigning party, or the surviving entity in a merger with the assigning party ; in such cases, the assigning party shall give the other party notice of the assignment within thirty (30) days. For purposes of this Agreement, “Affiliate” of a party means an entity that controls, is controlled by, or is under common control with, that party. Control of an entity means direct or indirect ownership of a majority of voting stock, or other majority equity interest, in each case with sufficient authority to direct the affairs of the entity. 12.3. Nonhiring of Employees. During the term of this Agreement and for a period of twelve (12) months after the date of termination of this Agreement, Client, without the prior written consent from Aura, may not directly or indirectly employ or solicit the employment of, or contract for services from, any person employed at the vice president level or higher. Nothing in the foregoing prohibits a party from soliciting and hiring any person through a general Aura Confidential Information – Data Breach Agreement 8 advertisement or other means not targeted at employees of the other party. 12.4. Conflicts of Interest. Aura shall comply with all conflict of interest laws applicable to this Agreement and must avoid any conflict of interest. Aura warrants that no public official, employee, or member of a City of Cupertino board or commission who might have been involved in the making of this Agreement, has or will receive a direct or indirect financial interest in this Agreement, in violation of California Government Code Section 1090 et seq. Aura may be required to file a conflict of interest form if Aura makes certain governmental decisions or serves in a staff capacity, as defined in Section 18700 of Title 2 of the California Code of Regulations . Aura agrees to abide by Client’s rules governing gifts to public officials and employees. 12.5. Headings. The headings, titles, subheadings and other similar designations for the sections, subsections and exhibits of this Agreement are for convenience only a nd shall not be deemed to be a part of this Agreement. 12.6. Force Majeure. Neither party is liable for delays and failures in performing under this Agreement that result from any cause beyond the reasonable direct control of the party, with the exception of nonpayment. 12.7. Modification. No representation or promise, or modification or amendment to this Agreement is binding on either party unless in writing signed by authorized representatives of both parties. 12.8. Waiver. Any failure or delay in exercising, or any single or partial exercise of, any right or remedy by a party may not be deemed a waiver of any further, prior, or future right or remedy. 12.9. Governing Law and Forum . This Agreement is governed by and must be construed in accordance with the laws of the Commonwealth of Virginia, exclusive of its choice of law rules. 12.10. Notices. All notices required to be given in writing must be sent by overnight delivery service with Internet tracking capabilities, and/or email to legalnotices@aura.com, to the name and address (as applicable) designated in this Section below, or to such other address or email that the receiving party may in advance designate by written notice. Notice is deemed effective on the day after delivery to the overnight carrier, or, if faxed, upon the sender’s receipt of confirmation that email transmission occurred. Notices may also be made in person, and shall be deemed effective upon delivery. Aura Confidential Information – Data Breach Agreement 9 Notice to Aura: 2553 Dulles View Drive, Ste. 400 Herndon, VA 20171 Attn: Chief Revenue Officer With a copy to: Chief Legal Officer Email: legalnotices@aura.com Notice to Client: Zach Korach Finance Manager 10300 Torre Avenue Cupertino, CA 95014 zachk@cupertina.org 12.11. Severability. If any provision of this Agreement is declared invalid, the other provisions remain in full force and effect, and this Agreement is deemed to be amended to replace, to the extent legally possible, the rights and obligations contained in the invalid provision. The invalidity of any provision is not a failure of consideration. 12.12. Entire Agreement. Each Program Exhibit, and each other exhibit referenced in this Agreement, is incorporated into and governed by this Agreement. This Agreement constitutes the entire understanding of the parties with respect to the subj ect matter hereof, and supersedes all prior or contemporaneous agreements, statements and representations, oral or written, between the parties relating to the subject matter of the Agreement. 12.13. Execution. This Agreement may executed by one or more origi nal or facsimile counterparts, each of which will be deemed part of one and the same instrument. REMAINDER OF PAGE INTENTIONALLY LEFT BLANK [SIGNATURE PAGE TO FOLLOW] Aura Confidential Information – Data Breach Agreement 10 IN WITNESS WHEREOF, the parties hereto, intending to be legally bound hereby, have each caused its duly authorized officers or representatives to be affixed hereto its hand as of the Effective Date. ACCEPTED AND AGREED TO BY: ACCEPTED AND AGREED TO BY : INTERSECTIONS INC. DBA AURA CITY OF CUPERTINO By: By: _____ Name: Christopher R. Bray Name: _Kristina Alfaro_____ ____________ Title: CRO Title: Director of Administration Services Date: Date: _____ Tax ID No. 54-1956515 APPROVED AS TO FORM: ______________________________________ HEATHER M. MINNER Cupertino City Attorney ATTEST: ______________________________________ KIRSTEN SQUARCIA City Clerk Date _________________________________ 1334053.1 Christopher R. Bray Feb 4, 2021 Heather M. Minner Feb 4, 2021 Feb 4, 2021 AURA CONFIDENTIAL INFORMATION PROGRAM EXHIBIT A TO DATA BREACH AGREEMENT Effective on the last date signed below (the “Program Exhibit Effective Date”), Intersections Inc. d/b/a Aura (“Aura”) and City of Cupertino (“Client”) agree to this Program Exhibit (the “Program Exhibit”) to the Data Breach Agreement (the “Agreement”) between them dated . I. General: A. Definitions. Capitalized terms defined in the Agreement have the same meaning in this Program Exhibit except as otherwise set forth in the Program Exhibit. B. Representative. The following are designated as the Aura Representatives in connection with this Program Exhibit: Christopher Bray. The following are designated as the Client Representative in connection with this Program Exhibit: Zach Korach. Where this Program Exhibit permits or requires agreement, approval or notice by email, such agreement, approval or notice may be provided from one party’s representative to the other party’s representative, each as designated above. Written notice must be given in accordance with the Agreement. A party may change its representative by written or email notice. II. Services: The Services will be marketed under the trademarks Identity Guard® and NOTIFY EXPRESS® which are Aura Trademarks. Any other trademark under which the Services is marketed is an Aura Trademark. The Services to be provided under this Program Exhibit will be as follows: A. Set Up Services. Aura is responsible for the following activities: 1. Provide the web page URL to be used by Affected Consumers in order to enroll in the Services through the Aura-hosted web site. Aura’s standard security breach web pages will be used. 2. Provide Redemption codes (each and collectively “Redemption Code”) to be used by Affected Consumers in order to enroll in the Services on the Aura-hosted web site. Aura shall provide Client an encrypted file containing Redemption Codes totaling the number requested by Client. B. Affected Consumer Notification. The schedule for mailing the notification letter must be mutually agreed upon in writing prior to notification. If Appendix 1 indicates that Aura is responsible for contacting Affected Consumers, Aura will AURA CONFIDENTIAL INFORMATION 2 do so by mail or email. The letter will include a description of the Services offered, a description of the enrollment method, and an enrollment expiration date. The letter will also include a Client contact number should the Affected Customer need to contact the Client directly regarding the security incident and the Redemption Code provided to the Affected Consumer by Client. Client shall be solely responsible for providing content related to the incident and Aura shall have no liability for such content. Client may review and approve the letter prior to mailing. Letters and any other type of material (“Communication Materials”) used for notification purposes or Communication Materials describing Aura or its Services must be approved by Aura in writing or by email prior to sending. C. Complimentary Monitoring Services. Each Complimentary Customer that enrolls during the “Enrollment Period,” as defined in Section II.D below, will receive the Services for the term indicated in Appendix 1 (the “Services Term”). D. Enrollment and Fulfillment Services. Affected Consumers may enroll in the Services during the period set forth in Appendix 1 (the “Enrollment Period”). Aura is responsible for enrollment of Affected Consumers and fulfillment of Complimentary Customers as described in Appendix 1. An Affected Consumer’s enrollment shall not be made by third parties or agents of the Affected Consumer. 1. Web. the Affected Consumer will access the Aura-hosted web site using the Redemption Code provided in the notification letter. The Affected Consumer will input the information required for enrollment which includes, Social Security number, date of birth, provided Redemption Code, and provide authorization for obtaining his or her credit data from the credit reporting agencies. Fulfillment is provided online. 2. Enrollment Information. Upon request, Aura will provide Client with enrollment status and other information in order for Client to provide customer service including but not limited to information related to Client’s customers’ enrollment in the Services. This information provided by Aura in accordance with the description above will be used by Client solely for the purpose set forth in this Section II.D.3 and not disclosed to any third party for any purpose. 3. Additional Redemption Codes. During the Enrollment Period, Client may request additional Redemption Codes to provide to Affected Consumers. A file of additional codes will be provided within two (2) business days. E. Services Extension. Client may request in writing that Aura extend the Services Term in annual increments on either a single Complimentary Customer basis or on an event basis (i.e., all Complimentary Customers for a single event), subject to AURA CONFIDENTIAL INFORMATION 3 payment by Client of the Aura’s Fees identified in Section 8.c of Appendix 1 for the extended period. For any Services extensions, Client must notify Aura at least forty-five (45) days prior to the conclusion of the Complimentary Customer’s Services Term. F. Redemption Code Purchase Option. Client may request additional Redemption Codes for Identity Guard® by submitting the Appendix 2 via email for the Services indicated in Appendix 1 (i) for use by an Affected Consumer to enroll if the Enrollment Period set forth in Appendix 1 has ended. Client will be invoiced at the cost of Services as defined in Appendix 2, no reporting will be provided. G. Converting Complimentary Customers to a Paid Status. After the forty-fifth (45th) day prior to the conclusion of any Complimentary Customer’s Complimentary Service Term, Aura may offer the Complimentary Customer the option of continuing the Complimentary Service on a paid basis (the “Paid Service”) at the then current Aura retail price. Thereafter, any communication or relationship between the Complimentary Customer and Aura regarding the Paid Service shall not be governed by this Agreement. III. Compensation: A. Fees. Client agrees to pay to Aura the fees set forth in Appendix 1 and in Appendix 2, if applicable, which shall not exceed $7,985.00. B. Invoicing and Payment. Aura shall send Client an invoice based on the number of Redemption Codes purchased. Client will pay such fees within thirty (30) days of Aura’s invoice date. IV. Privacy Policy: As used in this Program Exhibit and the Agreement, “Customer Information” means “nonpublic personal information” as defined in 15 U.S.C. § 6809(4) if the information is received or obtained in connection with the Services, including without limitation providing the Services; provided “Customer Information” does not include information received or obtained prior to or independent of the Services. Aura may use Customer Information only in connection with the Services or other products or Services jointly offered by the parties under the Agreement, including without limitation marketing or providing the Services as applicable, or as permitted under 16 C.F.R. §§ 313.14 or 313.15, and shall not disclose Customer Information except as permitted under 16 C.F.R. §§ 313.14 or 313.15. Client acknowledges and agrees that all Customer Information will be subject to the privacy policy distributed to Complimentary Customers by Aura. Client may use Customer Information, including without limitation the fact that an Affected Consumer has become a Complimentary Customer, only in order to perform the Services or functions on behalf of Aura either as set forth in the Program Exhibit or as AURA CONFIDENTIAL INFORMATION 4 further agreed by the parties in writing. Each party shall develop, implement and maintain a comprehensive information security program to safeguard Customer Information in accordance with 16 C.F.R. Part 314 and disclose the information about its safeguards as reasonably requested by the other party. V. Reporting: Reports provided by Aura under this program will be provided as set forth below. A. Activity Report. On a monthly basis, until thirty (30) days after the enrollment period expires, Aura will provide a cumulative count of all Complimentary Customers enrolled. B. Redemption Code Report. If Aura is responsible for mailing the Notification Letter as set forth in Appendix 1, Aura will provide a report listing the Redemption Code provided to each Affected Consumer. Client will use such information solely to provide information about the actual incident and provide information on how to enroll in the Services. VI. Term: This Program Exhibit commences on the Program Exhibit Effective and shall continue until expiration of the Agreement, provided that this Program Exhibit and Agreement will survive expiration, as applicable to any Services Term that remains in effect and until such Services Term expires. INTERSECTIONS INC. DBA AURA CITY OF CUPERTINO By: By: Name: Christopher R. Bray Name: Kristina Alfaro ______ Title: CRO Title: Director of Administrative Services Date: Date: Christopher R. Bray Feb 4, 2021 Feb 4, 2021 AURA CONFIDENTIAL INFORMATION 5 APPENDIX 1 TO EXHIBIT A TO DATA BREACH SERVICES AGREEMENT 1. Number of Affected Consumers 360 2. Trademark(s) Ident Identity Guard® Total 3. Complimentary Service $1 million insurance Dark Web Monitoring High Risk Transactions 3-Bureau Credit Monitoring Bank Account Takeovers Checking and Savings Account Applications US-based call center IBM Watson artificial intelligence 4. Complimentary Service Term One (1) Year 5. Affected Consumer Notification Provided by Client 6. Enrollment Period 90 Days 7. Fees: a. Set Up Fee b. Complimentary Service Fee, per event c. Annual Service Extension Fee, per Complimentary Customer, per year d. Fee per notification letter mailed by Aura a. n/a b. $7,985 c. $59.00 d. n/a 8. Aura Representatives(s) Christopher Bray 9. Client Representative(s) Zach Korach 10. Client Contact Information a. Primary Point of Contact (“POC”) b. POC E-mail c. POC Phone d. Billing POC (if different from POC) e. Billing Address f. Billing Phone Number (if different from POC) g. Billing E-mail Address (if different from POC) a. Zach Korach b. zachk@cupertino.org c. 407-777-3280 d. Zach Korach e. 10300 Torre Ave, Cupertino, CA 95014 f. same g. same AURA CONFIDENTIAL INFORMATION 6 APPENDIX 2 TO EXHIBIT A TO DATA BREACH SERVICES AGREEMENT Client and Incident Name Program Exhibit Effective Date Date of the Redemption Code Request Expected Date of Affected Consumer Notification Number of Identity Guard Redemption Codes ($59.00 each) Aura Enrollment Information Telephone Enrollment Number Web Enrollment url Activation End Date Marketing ID NOTES 1334061.1 Exh. B-Insurance Requirements 1 Aura shall procure prior to commencement of Services and maintain for the duration of the Agreement, at its own cost and expense, the following insurance policies and coverage with companies doing business in California and acceptable to Client. INSURANCE POLICIES AND MINIMUMS REQUIRED 1. Commercial General Liability (CGL) for bodily injury, property damage, personal injury liability for premises operations, products and completed operations, contractual liability, and personal and advertising injury with limits no less than $2,000,000 per occurrence (ISO Form CG 00 01). If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location (ISO Form CG 25 03 or 25 04) or it shall be twice the required occurrence limit. a. It shall be a requirement that any available insurance proceeds broader than or in excess of the specified minimum insurance coverage requirements and/or limits shall be made available to the Additional Insured and shall be (i) the minimum coverage/limits specified in this agreement; or (ii) the broader coverage and maximum limits of coverage of any insurance policy, whichever is greater. b. Additional Insured coverage under Aura’s policy shall be "primary and non-contributory," will not seek contribution from Client’s insurance/self-insurance, and shall be at least as broad as ISO Form CG 20 01 (04/13). c. The limits of insurance required may be satisfied by a combination of primary and umbrella or excess insurance, provided each policy complies with the requirements set forth in this Agreement. Any umbrella or excess insurance shall contain or be endorsed to contain a provision that such coverage shall also apply on a primary basis for the benefit of Client before Client’s own insurance or self-insurance shall be called upon to protect Client as a named insured. 2. Automobile Liability: ISO CA 00 01 covering any auto (including owned, hired, and non-owned autos) with limits no less than $1,000,000 per accident for bodily injury and property damage. 3. Workers’ Compensation: As required by the State of California, with Statutory Limits and Employer’s Liability Insurance of no less than $1,000,000 per occurrence for bodily injury or disease. 4. Professional Liability for professional acts, errors and omissions, as appropriate to Aura’s profession, with limits no less than $2,000,000 per claim or $2,000,000 aggregate. If written on a claim made form: a. The Retroactive Date must be shown and must be before the Effective Date of the Agreement. b. Insurance must be maintained for at least five (5) years after completion of the Services. c. If coverage is canceled or non-renewed, and not replaced with another claims-made policy form with a Retroactive Date prior to the Contract Effective Date, Aura must purchase “extended reporting” coverage for a minimum of five (5) years after completion of the Services. OTHER INSURANCE PROVISIONS The aforementioned insurance shall be endorsed and have all the following conditions and provisions: Additional Insured Status The City of Cupertino, its City Council, officers, officials, employees, agents, servants and volunteers (“Additional Insureds”) are to be covered as additional insureds on Aura’s CGL and automobile liability EXHIBIT B Insurance Requirements Exh. B-Insurance Requirements 2 policies. General Liability coverage can be provided in the form of an endorsement to Aura’s insurance (at least as broad as ISO Form CG 20 10 (11/ 85) or both CG 20 10 and CG 20 37 forms, if later editions are used). Primary Coverage Coverage afforded to Client/Additional Insureds shall be primary insurance. Any insurance or self-insurance maintained by City, its officers, officials, employees, or volunteers shall be excess of Aura’s insurance and shall not contribute to it except cyber/professional liability. Notice of Cancellation Each insurance policy shall state that coverage shall not be canceled or allowed to expire, except with written notice to Client 30 days in advance or 10 days in advance if due to non-payment of premiums. Waiver of Subrogation Aura waives any right to subrogation against Client/Additional Insureds for recovery of damages to the extent said losses are covered by the insurance policies required herein. Specifically, the Workers’ Compensation policy shall be endorsed with a waiver of subrogation in favor of Client for all work performed by Aura, its employees, agents and subconsultants. This provision applies regardless of whether or not Client has received a waiver of subrogation endorsement from the insurer. Deductibles and Self-Insured Retentions Any deductible or self-insured retention must be declared to and approved by the Client. At Client’s option, either: the insurer must reduce or eliminate the deductible or self-insured retentions as respects the Client/Additional Insureds; or Aura must show proof of ability to pay losses and costs related investigations, claim administration and defense expenses. The policy shall provide, or be endorsed to provide, that the self- insured retention may be satisfied by either the insured or the Client. Acceptability of Insurers Insurers must be licensed to do business in California with an A.M. Best Rating of A-VII, or better. Verification of Coverage Aura must furnish acceptable insurance certificates and mandatory endorsements (or copies of the policies effecting the coverage required by this Agreement), and a copy of the Declarations and Endorsement Page of the CGL policy listing all policy endorsements prior to commencement of the Agreement. Client retains the right to demand verification of compliance at any time during the Agreement term. Subcontractors Aura shall require and verify that all subcontractors maintain insurance that meet the requirements of this Agreement, including naming the Client as an additional insured on subconsultant’s insurance policies. Higher Insurance Limits If Aura maintains broader coverage and/or higher limits than the minimums shown above, Client shall be entitled to coverage for the higher insurance limits maintained by Aura. Adequacy of Coverage Client reserves the right to modify these insurance requirements/coverage based on the nature of the risk, prior experience, insurer or other special circumstances, with not less than ninety (90) days prior written notice. 1334073.1 ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? INSR ADDL SUBR LTR INSD WVD DATE (MM/DD/YYYY) PRODUCER CONTACT NAME: FAXPHONE (A/C, No):(A/C, No, Ext): E-MAIL ADDRESS: INSURER A : INSURED INSURER B : INSURER C : INSURER D : INSURER E : INSURER F : POLICY NUMBER POLICY EFF POLICY EXPTYPE OF INSURANCE LIMITS(MM/DD/YYYY)(MM/DD/YYYY) AUTOMOBILE LIABILITY UMBRELLA LIAB EXCESS LIAB WORKERS COMPENSATION AND EMPLOYERS' LIABILITY DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) AUTHORIZED REPRESENTATIVE EACH OCCURRENCE $ DAMAGE TO RENTED CLAIMS-MADE OCCUR $PREMISES (Ea occurrence) MED EXP (Any one person)$ PERSONAL & ADV INJURY $ GEN'L AGGREGATE LIMIT APPLIES PER:GENERAL AGGREGATE $ PRO-POLICY LOC PRODUCTS - COMP/OP AGG $JECT OTHER:$ COMBINED SINGLE LIMIT $(Ea accident) ANY AUTO BODILY INJURY (Per person)$ OWNED SCHEDULED BODILY INJURY (Per accident)$AUTOS ONLY AUTOS HIRED NON-OWNED PROPERTY DAMAGE $AUTOS ONLY AUTOS ONLY (Per accident) $ OCCUR EACH OCCURRENCE $ CLAIMS-MADE AGGREGATE $ DED RETENTION $$ PER OTH- STATUTE ER E.L. EACH ACCIDENT $ E.L. DISEASE - EA EMPLOYEE $ If yes, describe under E.L. DISEASE - POLICY LIMIT $DESCRIPTION OF OPERATIONS below INSURER(S) AFFORDING COVERAGE NAIC # COMMERCIAL GENERAL LIABILITY Y / N N / A (Mandatory in NH) SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). COVERAGES CERTIFICATE NUMBER:REVISION NUMBER: CERTIFICATE HOLDER CANCELLATION © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORDACORD 25 (2016/03) CERTIFICATE OF LIABILITY INSURANCE Lockton Companies 1801 K Street NW, Suite 200 Washington DC DC 20006 (202) 414-2400 WC SACD Holdings Inc., Intersections Inc., IISI Insurance Services Inc.; Intersections Holdings Inc. and Intersections Enterprises Inc.; Intersections, Inc. dba AURA 2553 Dulles View Dr. 4th Floor Herndon VA 20171 Chubb Indemnity Insurance Company 12777 Federal Insurance Company 20281 Great Northern Insurance Company 20303 Zurich American Insurance Company 16535 *** SEE ATTACHMENT *** X X 1,000,000 1,000,000 10,000 1,000,000 2,000,000 2,000,000 X X X 1,000,000 XXXXXXX XXXXXXX XXXXXXX XXXXXXX X X 20,000,000 20,000,000 XXXXXXX N X 1,000,000 1,000,000 1,000,000 Crime E&O/Cyber Limit:$5,000,000 Deductible: $50,000 SEE ATTACHED A 73578156 11/1/2020 11/1/2021 A 35979180 11/1/2020 11/1/2021 D MPL 7843074-00 11/1/2020 11/1/2021 E SEE ATTACHED 11/1/2020 11/1/2021 B 79884992 11/1/2020 11/1/2021 C 35979180 11/1/2020 11/1/2021 11/1/2021 1351412 Y N N N N N N 2/4/2021 N N 17352578 17352578 XXXXXXX City of Cupertino 10300 Torre Avenue Cupertino, CA 95014 The Professional Liability (E&O) policy also extends coverage for Network Security and Privacy Liability. The City of Cupertino, its City Council, officers, officials, employees, agents, servants and volunteers are included as Additional Insured on the General Liability as required by written contract. X X See Attachment WC SACD Holdings, Inc. E&O/Cyber – PRIMARY Policy Number: MTP9039902 01 Policy Term: 11/1/2020 – 11/1/2021 Issuing Company: Indian Harbor Insurance Company Limit: $5,000,000 Deductible: $100,000 E&O/Cyber – 1st Layer Policy Number: EONYABV04U002 Policy Term: 11/1/2020 – 11/1/2021 Issuing Company: Liberty Insurance Underwriters Limit: $5,000,000 xs $5,000,000 E&O/Cyber – 2nd Layer Policy Number: 652045881 Policy Term: 11/1/2020 – 11/1/2021 Issuing Company: Continental Casualty Company Limit: $5,000,000 xs $10,000,000 Attachment Code: D583616 Master ID: 1351412, Certificate ID: 17352578 Aura Data Breach Agreement (Bulk Redemption Code) - 2.3.21 (Final Draft) Final Audit Report 2021-02-05 Created:2021-02-04 By:Mariela Vargas (marielar@cupertino.org) Status:Signed Transaction ID:CBJCHBCAABAA0bDYMr0IrXdD3QrG_V5ZfL7O44_XFwbD "Aura Data Breach Agreement (Bulk Redemption Code) - 2.3.21 (Final Draft)" History Document created by Mariela Vargas (marielar@cupertino.org) 2021-02-04 - 9:08:32 PM GMT- IP address: 47.32.177.207 Document emailed to Araceli Alejandre (aracelia@cupertino.org) for approval 2021-02-04 - 9:11:23 PM GMT Document approved by Araceli Alejandre (aracelia@cupertino.org) Approval Date: 2021-02-04 - 11:24:12 PM GMT - Time Source: server- IP address: 64.165.34.3 Document emailed to Christopher R. Bray (tina.wildman@aura.com) for signature 2021-02-04 - 11:24:14 PM GMT Email viewed by Christopher R. Bray (tina.wildman@aura.com) 2021-02-04 - 11:45:25 PM GMT- IP address: 66.102.8.149 Document e-signed by Christopher R. Bray (tina.wildman@aura.com) Signature Date: 2021-02-04 - 11:50:33 PM GMT - Time Source: server- IP address: 69.255.42.213 Document emailed to Heather M. Minner (minner@smwlaw.com) for signature 2021-02-04 - 11:50:35 PM GMT Email viewed by Heather M. Minner (minner@smwlaw.com) 2021-02-05 - 0:00:44 AM GMT- IP address: 45.41.142.64 Document e-signed by Heather M. Minner (minner@smwlaw.com) Signature Date: 2021-02-05 - 0:01:12 AM GMT - Time Source: server- IP address: 52.39.49.65 Document emailed to Kristina Alfaro (kristinaa@cupertino.org) for signature 2021-02-05 - 0:01:14 AM GMT Email viewed by Kristina Alfaro (kristinaa@cupertino.org) 2021-02-05 - 0:09:48 AM GMT- IP address: 198.135.177.41 Document e-signed by Kristina Alfaro (kristinaa@cupertino.org) Signature Date: 2021-02-05 - 0:10:16 AM GMT - Time Source: server- IP address: 198.135.177.41 Document emailed to Kirsten Squarcia (kirstens@cupertino.org) for signature 2021-02-05 - 0:10:17 AM GMT Email viewed by Kirsten Squarcia (kirstens@cupertino.org) 2021-02-05 - 0:10:46 AM GMT- IP address: 148.64.105.190 Document e-signed by Kirsten Squarcia (kirstens@cupertino.org) Signature Date: 2021-02-05 - 0:10:58 AM GMT - Time Source: server- IP address: 148.64.105.190 Agreement completed. 2021-02-05 - 0:10:58 AM GMT