The URL can be used to link to this page

CC SR 20200304 G - Cloud Based Cyber Security CITY COUNCIL MEETING DATE: 03/04/2020 AGENDA REPORT AGENDA HEADING: Consent Calendar AGENDA DESCRIPTION: Consideration and possible action to enter into an agreement with Arctic Wolf Networks Inc. to provide cloud-based cybersecurity event log aggregation, monitoring, and incident notification services. RECOMMENDED COUNCIL ACTION: (1) Authorize the City Manager to execute a 16-month contract with Arctic Wolf Networks Inc. to provide cloud-based cybersecurity event log aggregation, monitoring, and incident notification services (Security-as-a-Service). FISCAL IMPACT: FY19-20 – $7,700 Amount Budgeted: $20,000 Additional Appropriation: N/A Account Number(s): 101-400-1470-5101 (General Fund – IT/Professional/Technical Services) ORIGINATED BY: Lukasz Buchwald, IT Manager REVIEWED BY: Kit Fox, AICP, Interim Deputy City Manager APPROVED BY: Ara Mihranian, AICP, City Manager ATTACHED SUPPORTING DOCUMENTS: A. Contract with Arctic Wolf Networks (page A-1) B. Arctic Wolf fact sheet (page B-1) C. Acceptable Use Policy (http://www.arcticwolf.com/terms/acceptableuse) (page C-1) D. Business Associate Addendum (http://www.arcticwolf.com/terms/baa) (page D-1) E. Master Solutions Agreement (http://www.arcticwolf.com/terms/solutionterms) (page E-1) F. Privacy Policy (https://arcticwolf.com/privacy-policy-for-customer-portal- users/) (page F-1) G. SHI Quote for AWN Services (page G-1) BACKGROUND AND DISCUSSION: One of the main responsibilities of the IT Division is to manage the City’s cybersecurity posture by reducing or preventing risks to the network, computer devices, and the City’s data, and to raise cybersecurity awareness among all the end-users. Municipalities have become a prime target for cybercriminals because of their generous insurance policies and budget constraints, which often affect how much they can spend on protection, monitoring, and security expertise. In several highly-publicized incidents last year, various local municipalities were affected by cyber attacks, with the hackers demanding a multi-million dollar ransom. It is no longer a matter of “if” a breach, malware attack, or phishing incident will occur, but more about having tools in place for alerting Staff and vendors when events occur and having a remediation plan in place to return operations to an operational state within a reasonable timeframe. Currently, the City utilizes multiple standard IT industry tools, such as anti-malware software, firewalls and email spam filtering. The City is planning to implement multifactor authentication soon. We also require adherence to procedural and administrative best practices, such as maintaining robust physical and logical security of network infrastructure, maintenance of backup systems, and patching operating systems on servers and personal computers with security updates, among other responsibilities. While the City has not experienced a significant cybersecurity inciden t to date, due diligence and constant vigilance are required to reduce the risks or impacts of future incidents. The City’s IT Manager researched cloud-based cybersecurity providers (Security-as-a- Service) that operate in the municipal space. Based on the findings and feedback from other municipalities, two vendors were identified as potential good fits: Dell SecureWorks (Dell) and Arctic Wolf Networks (AWN). Dell was originally chosen as a preferred vendor because of its lower price, but after consulting with the City Attorney, it was deemed impractical and potentially hugely time-consuming to negotiate an agreement with multiple resellers (as required with Dell’s proposal). AWN offered a paid three-month proof-of-concept (POC) service arrangement and was amenable to allowing the City to make significant changes to its standard services agreement (Attachment B). Accordingly, IT and the City Attorney’s Office worked with AWN to adapt the agreement to include the City’s standard in surance and indemnity requirements. The IT Manager received approval from the then-Deputy City Manager on October 29, 2019, for the POC purchase and after the onboarding project, the City went live at the end of November 2019. With the three-month POC nearly over (as of the date this report was completed), the IT Division is very satisfied with the proactive reporting and other cybersecurity services provided by AWN and is convinced that continuing use of the service provides an ongoing benefit to the City. The initial agreement with AWN is for 16 months to make the potential future renewal coterminous with City’s budget cycle (Attachment A). The contract allows for 5 one-year renewals for a total of 76 months. The estimated annual cost is around $25,000 (to be included in the FY20-21 budget) and may be subject to annual adjustments. In order to fulfill City’s purchasing policy requirements, the AWN contract and pricing is piggybacking on the National Association of State Procurement Officials (NASPO) cooperative agreement. The cooperative purchasing program like NASPO ValuePoint allows state, local, and tribal governments to purchase IT, security, and law enforcement products and services offered through specific pre-negotiated contracts. Because of the nature of the service provided, our standard services contract template did not apply here and the vendor’s standard service agreement was used instead. The City Attorney’s Office is generally satisfied with the outcome of contract negotiations and, although the terms listed below are standard in the cloud services industry, the City Council should be aware that: A. Even though the City has the ability to terminate the contract for convenience, due to the nature of the subscription service, the City will not be entitled to any refunds upon early termination. B. The limitation of liability is defined as not to exceed three times the annual total fees paid for the service. C. The City is indemnified from third party claims of breach of intellectual property in the event that the City’s system is breached through the consultant’s cybersecurity solutions. The purchase of AWN’s services will commence through one of its channel partners, SHI, Inc. (SHI). AWN services are only available for purchase through a partner, so SHI has been chosen as the City has an existing relationship with this vendor and our account manager from SHI has proven to be very responsive and helpful. SHI will issue the invoice for the initial term and will most likely handle all the future r enewals. The services, however, will be provided by Arctic Wolf directly. ALTERNATIVES: In addition to the Staff recommendation, the following alternative action is available for the City Council’s consideration: 1. Take other action as deemed appropriate by the City Council. 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 1 of 9 CONFIDENTIAL MASTER SOLUTIONS AGREEMENT This Master Solution Agreement (the “Agreement”) is entered into by and between Arctic Wolf Networks, Inc., a Delaware corporation (“Artic Wolf”) and City of Rancho Palos Verdes, a general law city & municipal corporation (the “City”) and governs any executed order forms, quotes, or other ordering document (“Order Form(s)”) that reference this Agreement. Order Forms may be issued to City by Arctic Wolf Networks, Inc. (“Arctic Wolf”) or an Arctic Wolf authorized partner (“Authorized Partner”). This Agreement is effective on the date last executed in the signature block below (the “Effective Date”). This Agreement permits City to purchase subscriptions to the Solutions identified in the Order Form from Arctic Wolf or such Authorized Partner and sets forth the terms and conditions under which those Solutions will be delivered. The Agreement consists of the terms and conditions set forth below, any attachments or exhibits identified herein and any Order Forms that reference this Agreement. If there is a conflict between the terms below, the Order Form, or the terms set forth in an URL referenced herein, the documents will control in the following order, unless specifically indicated otherwise: the Order Form, this Master Solutions Agreement, and the terms located at any URL referenced in this Agreement. In consideration of the mutual covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows: 1. Scope. City will purchase and Arctic Wolf will provide the specific products and services (“Solutions”) set forth on an executed Order Form. A Solution may consist of hardware equipment (“Equipment”), a cloud service offering (“Service”), software, including any add-ons offering enhanced features and functionality (collectively, the “Software”), and/or professional services (“Professional Services”), all of which are more fully described herein. Each Solution is provided on a subscription basis for a set term designated on the Order Form (each, a “Subscription Term”) for the one-time and subscription fees set forth therein (the “Fees”). City may access and use the Solutions, and any Documentation associated therewith, solely for its own internal business purposes and in accordance with the terms and conditions of this Agreement, such associated Documentation, any scope of use restrictions designated in the applicable Order Form , and the Solutions Terms found at www.arcticwolf.com/terms/solutionsterms, as may be updated from time to time by Arctic Wolf. “Documentation” means user manuals, training materials, product descriptions and specifications and other printed information relating to the Arctic Wolf Solution, as in effect and generally available from Arctic Wolf, but expressly excluding marketing and sales collateral and materials. 2. Equipment. If the Order Form specifies that City will receive Equipment, then City is responsible for installing the Equipment at the location(s) specified by Arctic Wolf. The Equipment is a part of the Solutions and loaned to City by Arctic Wolf, not sold. City acknowledges that if City attempts to install or use the Equipment at a location other than specified by Arctic Wolf, the Solutions may fail to function or may function improperly. Other than normal wear and tear, City is directly responsible for loss, repair, replacement and other costs, damages, fees and charges during the Subscription Term and if City does not return the Equipment to Arctic Wolf in an undamaged condition. City is responsible for all costs associated with shipping the Equipment back to Arctic Wolf upon termination of the Subscription Term. City understands and agrees that should City elect to use Equipment outside the U.S., additional charges may apply for the shipping, export, and/or import of the Equipmen t. 3. Professional Services. Certain Arctic Wolf Solutions may require Professional Services, such as onboarding, or may be stand-alone offerings, and any such Professional Services shall be specified on an applicable Order Form. 4. Software and Services. Provided City is in full compliance with the terms of this Agreement, Arctic Wolf grants to City a limited, non- transferable, non-sublicensable, non-exclusive license during the Subscription Term to (i) install the object code form of the Software, but only in connection with City’s use of the Solutions and otherwise in accordance with the Documentation, this Agreement, and the Solution Terms located at www.arcticwolf.com/terms/solutionterms, as may be updated from time-to-time and a copy of which in effect as of the Effective Date is attached hereto as Exhibit A, (ii) use Arctic Wolf’s third party cloud service providers in conjunction with City’s use of the Solution, and (iii) access the Arctic Wolf City Portal, subject to the Privacy Policy located at https://arcticwolf.com/privacy-policy-for-customer-portal-users/, as may be updated from time-to-time. City Data will be retained in accordance with the Solutions Terms. City must implement Software and Services in order to enable features of the Solutions. City acknowledges that any changes made to the City’s infrastructure or configuration of the Solutions after initial deployment may cause the Solutions to cease working or function improperly and that Arctic Wolf will have no responsibility for the impact of any such City changes. 5. Reservation of Rights and Ownership. Arctic Wolf owns, or has the right to license, the Solutions, and any associated Documentation (“Arctic Wolf Technology”). City acknowledges and agrees that (a) the Arctic Wolf Technology is protected by United States and international copyright, trademark, patent, trade secret and other intellectual property or proprietary rights laws, (b) Arctic Wolf retains all right, title and interest (including, without limitation, all patent, copyright, trade secret and other intellectual property rights) in and to the Arctic Wolf Technology, excluding any rights, title, and interest in any Third Party Products (as defined in Section 12.3 below) which shall be retained by its third party licensor(s), any other deliverables, any and all related and underlying technology and any derivative works or modifications of any of the foregoing, including, without limitation, any Feedback, (c) there are no implied licenses and any rights not expressly granted to City hereunder are reserved by Arctic Wolf, (d) the Solution, excluding Professional Services, is licensed on a subscription basis, not sold, and City acquires no ownership or other interest (other than the license rights expressly stated herein) in or to the Arctic Wolf Technology, and (e) the Solution is offered as an on-line, hosted solution, and City has no right to obtain a copy of the Software . Feedback includes suggestions, comments or other feedback (“Feedback”) provided to Arctic Wolf by City with respect to the Solutions. 6. Restrictions, Responsibilities, Warranties, Prohibited Use, and City Data. 6.1 Restrictions. City agrees not to, directly or indirectly: (i) modify, translate, copy or create derivative works based on the Arctic Wolf Technology, (ii) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code or non -public APIs to the Solutions, except to the extent expressly permitted by applicable law (and then only upon advance notice to Arctic Wolf); (iii) interfere with or disrupt the integrity or performance of the Solutions or the data contained therein or block or disrupt any use or enjoyment of the Solutions by any third party, (iv) attempt to gain unauthorized access to the Solution or their related systems or networks or (v) remove or obscure any proprietary or other notice contained in the Arctic Wolf Technology, including on any reports or data printed from the Arctic Wolf Technology. City agrees to abide by the terms of the Acceptable Use Policy at http://www.arcticwolf.com/terms/acceptableuse, as may be updated from time-to-time. If Arctic Wolf, in its reasonable discretion, determines that City’s use of the Solutions imposes an unreasonable or disproportionately large load on Arctic Wolf’s A-1 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 2 of 9 CONFIDENTIAL infrastructure or that City is abusing its use of the Solutions, Arctic Wolf may, in addition to any other right herein, temporarily suspend City’s access to the Solutions until such activity is rectified. If commercially practicable, Arctic Wolf shall provide City with notice prior to any such suspension and shall work with City in good faith to reinstate the Solutions promptly. 6.2 Arctic Wolf Responsibilities. Arctic Wolf shall provide the Solutions in accordance with the terms of this Agreement, as further described in the Solutions Terms. The Solutions provided under this Agreement shall include any updates, upgrades, bug fixes, version upgrades or any similar changes that are made generally available to Arctic Wolf’s customers free of charge from time to time during the Subscription Term. 6.3. City Responsibilities. City must identify the administrative users for its account (“Administrators”). Each Administrator will receive an administrator ID and password and will need to register with Arctic Wolf. City is responsible for notifying Arctic Wolf about changes to Administrators, including but not limited to termination, change of authority, and the addition of Administrators. City acknowledges and agrees that Administrators will be able to view all City Data and other traffic and activities that occur on City’s network and that City is responsible for all activities that occur under Administrator accounts. Administrator IDs are granted to individual, named persons and cannot be shared or used by more than one Administrator but may be reassigned from time to time to new Administrators. City represents and warrants that it shall (i) obtain any licenses and/or consents necessary for Arctic Wolf to perform its obligations under this Agreement, (ii) be responsible for ensuring the security and confidentiality of all Administrator IDs and passwords, (iii) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Solutions, (iv) notify Arctic Wolf promptly of any unauthorized use of the Solutions or any breach, or attempted breach, of security of the Solutions, (v) not use the Solutions in a manner that would violate applicable laws or regulations, and (vi) use of the Solutions and the transfer of any City Data to Arctic Wolf will not be used for any fraudulent purposes . City acknowledges and agrees that the Solutions may consume additional CPU and memory in City’s environment while in running in production. 6.4 Prohibited Use. Because City may access the Solutions from anywhere in the world, it is City’s responsibility to ensure that City has the right to access and use the Solutions where City is located. City represents and warrants that City is not a Prohibited Person nor owned or controlled by a Prohibited Person. “Prohibited Persons” shall mean a person or entity appearing on the lists published by the U.S. Department of Commerce, the U.S. Department of State, the U.S. Department of Treasury or any other list that may be published by the U.S . Government, as amended from time to time, that is prohibited from acquiring ownership or control of items under this Agreement, or with which Arctic Wolf is prohibited from doing business. City further represents that the Solutions shall not be used for or in connection (i) with nuclear activities, (ii) in the development of biological or chemical weapons, missiles, or unmanned aerial vehicles , (iii) to support terrorist activities, or (iv) in any other way that would violate economic sanctions laws. City agrees to promptly notify Arctic Wolf, and terminate its use of the Solutions, if City discovers that any of the foregoing conditions apply. Arctic Wolf may suspend any use of the Solutions it reasonably believes City may be (or is alleged to be) in violation of the foregoing. 6.5 City agrees to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. Without limiting the foregoing: (i) City represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. governme nt as a “terrorist supporting” country, (ii) City will not (and will not permit any of its users to) access or use the Solutions in violation of any U.S. export embargo, prohibition or restriction, and (iii) City will not submit to the Arctic Wolf, directly or through the Solutions, any information that is controlled under the U.S. International Traffic in Arms Regulations. 7. Fees, Payment, Taxes, and Audit. 7.1. [INTENTIONALLY OMITTED] 7.2 For purchases made by City through a partner authorized and licensed to sell and /or deliver Arctic Wolf Solutions (an “Authorized Partner”), the order form or other equivalent transaction document containing terms related to this Section 7, Fees, Payment, Taxes, Audit, and other terms, as may be applicable, shall be between City and the Authorized Partner. Notwithstanding the foregoing, City understands and agrees that should City fail to remit payments to any Partner when due or if City terminates or suspends its business, becomes subject to any bankruptcy or insolvency proceeding under federal or state or similar statute that is not dismissed within sixty (60) days, or becomes insolvent or su bject to direct control by a trustee, receiver, or similar authority, Arctic Wolf may immediately terminate this MSA without any further obligation or liability. 8. Compliance with Laws. Each party represent and warrant that, during the term of this Agreement, the parties will comply with all foreign, federal, state and local statutes, laws, orders, rules, regulations and requirements, including those of any governmental (including any regulatory or quasi-regulatory) agency applicable to such party as it pertains to its performance obligations herein and, in the case of City, in connection with its use of the Solutions. 9. Confidentiality. Either party (as a “Discloser”) may disclose confidential and proprietary information, orally or in writing (“Confidential Information”) to the other party (as a “Recipient”). All such information shall be marked with a restrictive legend of the Discloser or reasonably understood to constitute confidential information. Notwithstanding the foregoing, contract terms relating to City Data shall be set forth in Section 10. Notwithstanding the marking requirements of this Section, City acknowledges that the following constitutes Confidential Information of Arctic Wolf: any trade secrets, know-how, inventions (whether or not patentable), techniques, ideas, or processes related to the Arctic Wolf Technology; the design and architecture of the Arctic Wolf Technology; the computer code, internal documentation, and design and functional specifications of the Arctic Wolf Technology; and any problem reports, analysis and performance information related to the Arctic Wolf Technology. Each party agrees to hold the other party’s Confidential Information in strict confidence, not to disclose such Confidential Information to third parties not authorized by the Discloser to receive such Confidential Information, and not to use such Confidential Information for any purpos e except as expressly permitted hereunder. Each party agrees to take commercially reasonable steps to protect the other party’s Con fidential Information and to ensure that such Confidential Information is not disclosed, distributed or used in violation of the provisions of this Agr eement. The Recipient may disclose Confidential Information only (a) with the Discloser’s prior written c onsent, or (b) to those employees, officers, directors, agents, consultants, and advisors with a clear and well-defined “need to know” purpose who are informed of and bound by the obligations of this Agreement. Notwithstanding the foregoing, the Recipient may disclose Confidential Information to the extent required by law, including by not limited to, the California Public Records Act . However, the Recipient will give the Discloser prompt notice to allow the Discloser a reasonable opportunity to obtain a protective order and such Confidential Information disclosed to the extent required by law shall otherwise remain A-2 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 3 of 9 CONFIDENTIAL confidential and subject to the protections and obligations of this Agreement . The Discloser agrees that the foregoing obligations shall not apply with respect to any information that the Recipient can document (i) is rightfully in its possession or known to it prior to receipt from the Discloser without an obligation of confidentiality, (ii) is or has become public knowledge through no fault of t he Recipient, (iii) is rightfully obtained by the Recipient from a third party without breach of any confidentiality obligation , or (iv) is independently developed by employees of the Recipient who had no access to Discloser’s Confidential Information. Upon expiration or termination of this Agreement for any reason, and except as otherwise provided in Section 16 below, each party shall promptly return to the other party or destroy all copies of the other party's Confidential Information and copies, notes or other derivative material relating to the Confidential Information. Notwithstanding the foregoing, and subject to the Privacy Policy, Arctic Wolf may retain City’s name, contact names, email address, and such other necessary contact information following termination of this Agreement for its internal business purposes, including but not limited to the improvement of its Solutions. 10. City Data. 10.1 “City Data” means operational data and other internal business information submitted by or on behalf of City to the Solutions, including, but not limited to operational values, event logs, and usernames. As between the parties, City shall retain all right, title and interest (including any and all intellectual property rights) in and to the City Data as provided to Arctic Wolf and the Solutions (excluding any Arctic Wolf Technology used with the City Data). City hereby grants Arctic Wolf a non-exclusive, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of data City Data solely to the extent necessary to provide the Solutions to City. City is solely responsible for the accuracy, content and legality of all City Data. City represents and warrants to Arctic Wolf that City has all necessary rights, consents and permissions to collect, share and use all City Data as contemplated in this Agreement. City further represents and warrants that all City Data complies with the Acceptable Use Policy. City hereby authorizes Arctic Wolf to aggregate City Data with other data so that results are non- personally identifiable with respect to City and collect anonymous technical logs and data regarding City’s use of the Solutions (“Aggregate/Anonymous Data”). Notwithstanding anything to the contrary herein, such Aggregate/Anonymous Data will be deemed Arctic Wolf Technology, which Arctic Wolf may use for any business purpose during or after the term of this Agreement, including without limitation to develop and improve the Solutions and services and to create and distribute reports and other materials. For clarity, this Section 10.1 does not give Arctic Wolf the right to identify City as the source of any Aggregate/Anonymous Data without City’s prior written permission. City understands and agrees that City Data may be accessed by Arctic Wolf in the US, Canada, and other parts of the world and by non-US citizens, and City hereby consents to such access. 10.2 [INTENTIONALLY OMITTED] 10.3 California Consumer Privacy Act. The parties acknowledge and agree that Arctic Wolf is a service provider for the purposes of the California Consumer Privacy Act (“CCPA”) and may receive personal information from City pursuant to this Agreement for a business purpose. Arctic Wolf shall not sell any such personal information. Arctic Wolf shall not retain, use or disclose any personal information provided by City pursuant to this Agreement except as necessary for the specific purpose of performing the Solutions for City pursuant to this Agreement or as permitted by the CCPA. The terms “personal information,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. Arctic Wolf certifies that it understands the restrictions of this Section 10.3. 11. Indemnity. 11.1 Arctic Wolf’s Indemnity. Subject to Section 11.3, Arctic Wolf will defend any third party claim or action brought against City to the extent based on (a) the allegation that the Solutions infringe any intellectual property right (patents, utility models, design rights, copyrights and trademarks or any other intellectual property right) having effect in the United States and (b) a breach of Customer’s environment resulting from a breach of the Software. Arctic Wolf will pay any settlements that Arctic Wolf agrees to in a writing signed by an authorized officer of Arctic Wolf or final judgments awarded to the third party claimant by a court of competent jurisdiction. The foregoing obligations do not apply with respect to the Solutions, or portions or components thereof, that are (a) not provided by Arctic Wolf, (b) combined with other products, processes or materials that are not reasonably contemplated by the Documentation where the alleged infringement relates to such combination, or (c) not used by City in strict accordance with this Agreement or the published Documentation. 11.2 [INTENTIONALLY OMITTED] 11.3 Procedures. Arctic Wolf’s indemnification obligations are conditioned on the City (a) providing the Arctic Wolf with prompt written notice of any claim, provided that the failure to provide such notice shall only limit the Arctic Wolf’s obligation to indemnify to the extent that the failure prejudices Arctic Wolf in its defense of the claim, (b) granting Arctic Wolf the sole control of the defense or settlement of the claim, and (c) providing reasonable information and assistance to Arctic Wolf in the defense or settlement of the claim at Arctic Wolf’s expense. 11.4 Options. If City’s use of the Solutions has become, or in Arctic Wolf’s opinion is likely to become, the subject of any claim of infringement, Arctic Wolf may at its option and expense (a) procure for City the right to continue using and receiving the Solutions as set forth hereunder, (b) replace or modify the Solutions to make them non-infringing, (c) substitute an equivalent for the Solutions, or (d) if Arctic Wolf, in its sole discretion, determines that options (a)-(c) are not reasonably practicable, terminate this Agreement and refund any pre-paid unused Fees as of the effective date of termination. 11.5 Sole Remedy. THIS SECTION 11 STATES ARCTIC WOLF’S ENTIRE RESPONSIBILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. 12. Warranty and Warranty Disclaimer. 12.1 Solutions Warranty. ARCTIC WOLF WARRANTS THAT DURING THE SUBSCRIPTION TERM AND PROVIDED THAT CUSTOMER IS NOT IN BREACH OF THIS AGREEMENT THAT, (I) THE SOLUTIONS PROVIDED UNDER THIS AGREEMENT DO NOT INFRINGE OR MISAPPROPRIATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY, AND (II) THE SOLUTIONS SHALL SUBSTANTIALLY PERFORM IN ALL MATERIAL RESPECTS AS DESCRIBED IN THE DOCUMENTATION. IN THE EVENT OF ANY BREACH OF THIS SECTION 12.1, ARCTIC WOLF SHALL, AS ITS SOLE LIABILITY AND CUSTOMER’S SOLE REMEDY, REPAIR OR REPLACE THE SOLUTIONS THAT ARE SUBJECT TO THE WARRANTY CLAIM AT NO COST TO CUSTOMER OR IF ARCTIC WOLF IS UNABLE TO REPAIR OR REPLACE, A-3 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 4 of 9 CONFIDENTIAL THEN ARCTIC WOLF WILL REFUND ANY PRE-PAID FEES FOR THE SOLUTIONS, OR PARTS THEREOF, SUBJECT TO THE WARRANTY CLAIM. EXCEPT FOR THE WARRANTY DESCRIBED IN THIS SECTION, THE SOLUTIONS ARE PROVIDED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES OF TITLE. CUSTOMER ACKNOWLEDGES THAT THE SOLUTIONS ARE PROVIDED “AS IS” AND FURTHER ACKNOWLEDGE THAT ARCTIC WOLF DOES NOT WARRANT (A) THE OPERATION OF THE SOLUTIONS WILL BE UNINTERRUPTED, OR ERROR FREE, (B) THE SOLUTIONS ARE NOT VULNERABLE TO FRAUD OR UNAUTHORIZED USE, (C) THE FEATURES OR FUNCTIONALITIES OF THE SOLUTIONS WILL BE AVAILABLE AT ANY TIME IN THE FUTURE, AND (D) THE SOLUTIONS WILL IDENTIFY OR DETECT EVERY VULNERABILITY OR SECURITY ISSUE. CUSTOMER IS RESPONSIBLE AND ARCTIC WOLF SHALL HAVE NO RESPONSIBILITY FOR DETERMINING THAT THE USE OF THE SOLUTIONS COMPLIES WITH APPLICABLE LAWS IN THE JURISDICTION(S) IN WHICH CUSTOMER MAY DEPLOY AND USE THE SOLUTIONS. 12.2 Open Source Warranty. The Software includes certain Open Source Software. Open Source Software is governed solely by the applicable open source licensing terms, if any, and is provided “AS IS”. Arctic Wolf provides no warranty specifically related to any Open Source Software or any applicable Open Source Software licensing terms. The foregoing language is not intended to limit Arctic Wolf’s warranty obligation for the Solution pursuant to Section 12.1. “Open Source Software” means software with its source code made available pursuant to a license by which, at a minimum, the copyright holder provides anyone the rights to study, change, and/or distri bute the software to anyone and for any purpose. 12.3 Third Party Product. Third Party Product (as defined in this Section 12.3) may carry a limited warranty from a limited warranty from the third-party publisher, provider, or original manufacturer of such Third Party Products. To the extent required or allowed, Arctic Wolf will pass through to City or directly manage for the benefit of City’s use of the Third Party Products as part of the Solutions (such decision to be made in Arctic Wolf’s discretion), the manufacturer warranties related to such Third Party Products. “Third Party Product” means any non-Arctic Wolf branded products and services (including Equipment, and any operating system software included therewith) and non -Arctic Wolf-licensed software products, including Open Source Software. 13. Limitation of Liability. FOR ANY CAUSE RELATED TO OR ARISING OUT OF THIS AGREEMENT, WHETHER IN AN ACTION BASED ON A CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR ANY OTHER LEGAL THEORY, HOWEVER ARISING, ARCTIC WOLF WILL IN NO EVENT BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR (A) DAMAGES BASED ON USE OR ACCESS, INTERRUPTION, DELAY OR INABILITY TO USE THE SOLUTIONS, LOST REVENUES OR PROFITS, LOSS OF SOLUTIONS, BUSINESS OR GOODWILL, LOSS OR CORRUPTION OF DATA, LOSS RESULTING FROM SYSTEM FAILURE, MALFUNCTION OR SHUTDOWN, FAILURE TO ACCURATELY TRANSFER, READ OR TRANSMIT INFORMATION, FAILURE TO UPDATE OR PROVIDE CORRECT INFORMATION, SYSTEM INCOMPATIBILITY OR PROVISION OF INCORRECT COMPATIBILITY INFORMATION OR BREACHES IN SYSTEM SECURITY, OR (B) ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR (C) ANY AMOUNTS THAT EXCEED THREE TIMES (3X) THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER FOR THE SOLUTIONS THAT ARE THE SUBJECT OF THE CLAIM DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRIOR TO THE EVENT WHICH GIVES RISE TO SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY WHETHER OR NOT ARCTIC WOLF HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. 14. Term and Renewal. This Agreement shall be in effect for the Subscription Term specified in the Order Form from the Effective Date through June 30, 2021. The parties may, by mutual written agreement, extend the contract up to an additional five (5) one -year terms (the Subscription Term). 14.1. [INTENTIONALLY OMITTED] 14.2 For purchases made by City through an Authorized Partner, the Order Form or other equivalent transaction document containing the terms related to Term, Renewal and other terms, as may be applicable, shall be between City and the Authorized Partner. The Subscription Term and renewals hereunder will apply to purchases made through an Authorized Partner, notwithstanding anything to the contrary in the Order Form or any Documentation. 15. Updates. Arctic Wolf reserves the right to modify the Solutions, this Agreement, any terms referenced in a URL set forth herein, and the Documentation in Arctic Wolf’s sole discretion and without notice provided that such changes shall not materially decreas e the Solutions that City has subscribed to during the then-current Subscription Term. Should Arctic Wolf make any modifications, Arctic Wolf will post the amended terms on the respective URL links and will update the “Last Updated Date” within such terms. If any change materially decreases the Solutions, Arctic Wolf will notify City via the City Portal, City newsletter, www.arcticwolf.com/terms website, or such other communication method implemented by Arctic Wolf from time-to-time. City may notify Arctic Wolf within 30 days after the effective date of the material change of its rejection of such change. If City notifies Arctic Wolf of its rejection during such thirty (30) day period, then City will remain governed by the terms in effect immediately prior to the change until the end of City’s then-current Subscription Term. However, any subsequent renewal of the Subscription Term will be renewed under the then-current terms, unless otherwise agreed in writing by the parties. 16. Termination. Either party may terminate this Agreement for cause if the other party commits a material breach of this Agreement, provided that such terminating party has given the other party ten (10) days advance notice to try and remediate the breach. If City purchases the Solutions through an Authorized Reseller, City acknowledges and agrees that Arctic Wolf may immediately without notice terminate this Agreement should City fail to pay any amounts due and owing to the Authorized Reseller. Customer may terminate this Agreement or any Order Form for convenience upon thirty (30) days advance notice, provided, however, Customer will not be entitled to a refund of any prepaid fees and any fees for any committed Subscription Term will become immediately due and payable. Upon termination, City agrees to cease all use of the Solutions and Arctic Wolf Technology, installed or otherwise, and destroy all copies of any Arctic Wolf Technology that are in its possession or under its control and promptly remove and return all Equipment to Arctic Wolf. Except as otherwise required by law, upon termination Arctic Wolf will remove, delete, or otherwise destroy all copies of City Data in its possession. Sections 7 (only as to amounts due and owing) and 9 through 14, 16, and 17 will survive the non-renewal or termination of this Agreement. A-4 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 5 of 9 CONFIDENTIAL 17. Miscellaneous. 17.1 Except as otherwise provided herein, all notices, requests, consents, claims, demands, waivers and other communications hereunder shall be in writing and shall be deemed to have been given: (a) when delivered by hand (with written confirmation of receipt); (b) on the next business day after the date sent, if sent for overnight delivery by a generally recognized international courier (e.g., FedEx, DHL, etc.) (receipt requested); or (c) on the date sent by e-mail of a PDF document (with confirmation of transmission) if sent during normal business hours of the recipient, and on the next business day if sent after normal business hours of the recipient. Such communications must be sen t to the respective parties at the addresses set forth on the signature page hereof (or at such other address for a party as shall be specified in a notice given in accordance with this Section 17). For contractual purposes, City (1) consents to receive communications in an electronic form via the email address it provides herein or via the City Portal; and (2) agrees that all agreements, notices, disclosures, and other communications that Arctic Wolf provides electronically satisfies any legal requirement that those communications would satisfy if they were on paper. T his Section does not affect City's non-waivable rights. 17.2 The parties to this Agreement are independent contractors. Neither party has the authority to bind the other party without the express written authorization of the other party. Nothing herein may be construed to create an employer-employee, franchisor-franchisee, agency, partnership, or joint venture relationship between the parties 17.3 This Agreement shall inure to the benefit of and be binding upon the respective permitted suc cessors and assigns of the parties. City shall not be entitled to assign, subcontract, delegate or otherwise transfer any of its rights and/or duties arising out of this Ag reement and/or parts thereof to third parties, voluntarily or involuntarily, includi ng by change of control, operation of law or any other manner, without Arctic Wolf’s express prior written consent. Any purported assignment, subcontract, delegation or other transfer in violation of the forego ing shall be null and void. No such assignment, subcontract, delegation or other transfer shall relieve the assigning party of any of its obligations hereunder. 17.4 The rights and obligations of the parties under this Agreement shall not be governed by the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods or the United Nations Convention on the Limitation Period in the International Sale of Goods, as amended. This Agreement shall be governed by the laws of the State of California without regard to the conflicts of law provisions thereof. Any controversy or claim arising out of or relating to this Agreement, or the breach thereof, shall be settled by arbitration in Santa Clara County, California in English and in accordance with the JAMS International Arbitration Rules then in effect. Any judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Notwithstanding the foregoing, each Party shall have the right to institute an action in a court of proper jurisdiction for preliminary injunctive relief pending a final decision by the arbitrator(s), pro vided that a permanent injunction and damages shall only be awarded by the arbitrat or(s). In any action or proceeding to enforce rights under this Agreement, the prevailing Party shall be entitled to recover costs and attorneys’ fees. 17.5 [INTENTIONALLY OMITTED] 17.6 No failure or delay by any party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privi lege. The rights and remedies under this Agreement are cumulative and are in addition to and not in substitution for any other rights and remedies available at law or in equity or otherwise. 17.7 If any provision of this Agreement is held invalid or unenforceable by any court of competent jurisdiction, the other provisions of this Agreement will remain in full force and effect. Any provision of this Agreement held invalid or unenforceable only in part or degree will remain in full force and effect to the extent not held invali d or unenforceable. The parties agree to replace such void or unenforceable provision of this Agreement with a valid and enforceable provision that will achieve, to the extent possible, the economic, business and other purpose of such void or unenforceable provision. 17.8 This Agreement (including the exhibits hereto, if any, and any BAA (as defined in Section 17.9 below)) constitutes the parties’ entire agreement by and between the parties with respect to the subject matter hereof and supersedes any prior or contemporaneous agreement or understanding by and among the parties with respect to such subject matter. Except as otherwise provided herein, this Agreement may be amended, modified or supplemented only by an agreement in writing signed by each party. 17.9 In the event that Arctic Wolf will have access to personal healthcare information in the delivery of the Solutions, the parti es agree to the Business Associate Addendum (“BAA”) located at www.arcticwolf.com/terms/baa or as otherwise may be attached hereto as Exhibit A. In the event the parties have entered into a BAA in relation to protected health information, the parties intend for both this Agreement and BAA to be binding upon them and the BAA is incorporated into this Agreement by reference. 17.10 The parties have participated mutually in the negotiation and drafting of this Agreement. In the event an ambiguity or question of intent or interpretation arises, this Agreement will be construed as if drafted mutually by the parties and no presumption or burden of proof will arise favoring or disfavoring any party by virtue of the authorship of any of the provisions of this Agreement . 17.11 The Parties have agreed that this agreement as well as any notice, document or instrument relating to it be drawn up in English only. [SIGNATURES ON THE NEXT PAGE] A-5 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 6 of 9 CONFIDENTIAL IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by their duly authorized representatives on the Effective Date set forth below. Arctic Wolf Networks, Inc., a Delaware corporation: City of Rancho Palos Verdes, a general law city & municipal corporation: Signed: ____________________________________ Name: Brian NeSmith Title: President & CEO Signed: ____________________________________________ Name: John Cruikshank Title: Mayor Effective Date: ________________________________________ Approved as to form: ___________________________________________________ Name: William W. Wynder Title: City Attorney Notice Address: 111 W. Evelyn Ave. Suite 115 Sunnyvale, CA 94086 Attn: General Counsel Notice Address: City of Rancho Palos Verdes 30940 Hawthorne Boulevard Rancho Palos Verdes, CA 90275 Attn: Lukasz Buchwald A-6 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 7 of 9 CONFIDENTIAL Exhibit A Solutions Terms In Effect as of the Effective Date Last Updated: 11/18/2019 Managed Detection and Response Solution Terms This Managed Detection and Response – Solution Terms sets forth the terms and conditions of the Managed Detection and Response Solution (the “Solution”). The Solution, if purchased by Customer as evidenced by Customer’s election on an Order Form, will be provided in accordance with the terms set forth herein and the Master Solutions Agreement (the “Agreement”) made by and between Customer and Arctic Wolf Networks, Inc. (“Arctic Wolf”). Any capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement. The Solution: Specific features and functionality provided as part of the Solution include:  collection of Customer Data, including Customer’s system logs, from Customer’s systems using Equipment,  analysis by Arctic Wolf Concierge Security Team (“CST”) of both Equipment and log data through the correlation of Customer Data with threat and vulnerability information,  scanning of Customer’s internal and external systems,  escalation of Security Incidents in need of attention by Customer as set forth herein,  advisory recommendations to intended to improve Customer’s security robustness,  calculation of Customer’s Security Score, as more fully described below,  Log Search capabilities, if purchased by Customer, as evidenced on an Order Form,  Host Containment functionality, and  regular summary Executive Dashboard reports, as described herein and the Documentation. NOTE: The performance of the Solution, including specifically, notification of Emergencies or Security Incidents, as defined below, will not commence until after onboarding is complete. The performance of (i) remediation services for Security Incidents, (ii) the re -imaging of Customer’s systems, or (iii) change of policy settings is outside the scope of the Solution. Data Transfer. Any Equipment provided by Arctic Wolf to Customer is physically deployed to monitor Customer’s system traffic. Such system tr affic is augmented with additional sources of log data, as required, to deliver Managed Detection and Response. All such information is deemed Customer Data. Essential log sources will be determined by Customer and Arctic Wolf during the onboarding process preceding the Order Form Effective Date. Any Customer Data will be transmitted to Arctic Wolf via a secure tunnel in compliance with ISO27001 and SOC 2 Type II. The Solution operates redundantly with Customer’s back-up services in order to minimize potential service interruptions. Hosting providers used by Arctic Wolf to deliver the Solution may experience service interruptions and service outages outside the control of Arctic Wolf. If such a hosting provi der issues an outage notice that could materially impact delivery of the Solutions, Arctic W olf will use commercially reasonable efforts to promptly notify Customer about the outage and communicate the planned recovery time provided by the hosting provider. Although anonymized, Customer Data may include personal or confidential information. Customer, in accordance with the terms of the Agreement, will obtain express consent from any applicable parties whose personal or confidential information may be included in the Customer Data. Such consent will permit Arctic Wolf and Customer to monitor the information, systems, and assets owned or controlled by such persons. If Customer does not receive necessary consent, Customer will immediately notify Arctic Wolf. Customer understands and agrees that failure to receive nec essary consent will impact Arctic Wolf’s delivery of the Solution. Data Retention. Arctic Wolf will store Customer Data for the Data Retention period specified in Customer’s then-current Order Form. Customer Data may be returned to Customer in accordance with the terms of the Agreement. Updates & Upgrades. Automated maintenance and update cycles to the Equipment will be performed remotely by Arctic Wolf. Arctic Wolf will provide any services related to the replacement or upgrades of the Equipment. Any costs related to such Equipment replacement or upgrades will be in accordance with the Agreement. Security Incidents. The CST supporting Customer will be available 24 hours a day, 7 days a week, including holidays. Customer may schedule specific activities with their CST by contacting Arctic Wolf at security@arcticwolf.com. Arctic Wolf will acknowledge any schedule request submitted by Customer to security@arcticwolf.com within one (1) hour of receipt of such request. CST will provide an estimate of response time determined by scope, size, and urgency. Arctic Wolf will notify and escalate to Customer any Security Incidents, the definition of which will be agreed upon by Customer and Arctic Wolf during onboarding, discovered by Arctic Wolf within two (2) hours of Arctic Wolf’s discovery of such Security Incident. Arctic Wolf standard Security Incident notification process is through e-mail; however, during onboarding, Arctic Wolf and Customer may agree to alternate notification processes. Security Incident notifications will include a description of the Security Incident, the level of exposure, and a suggested remediation strategy. Customer is responsible for implementing, in its sole discretion, any remediation strategies identified by Arctic Wolf. Customer may request validation by Arctic Wolf that any such implemented remediation strategies are working as expected. Emergencies. During onboarding, Arctic Wolf and Customer will agree on and document which Security Incidents will be defined as an “Emergency”. Emergencies will typically include the discovery of ransomware and other alerts that could cause degradation/outage to Customer’s infrastructure security. Arctic Wolf will escalate Emergencies to Customer within thirty (30) minutes of Arctic Wolf’s discovery of the Emergency. A-7 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 8 of 9 CONFIDENTIAL Any Emergency identified by Customer can be escalated to Customer’s CST by calling: 888-272-8429, option 2. Customer must describe the Emergency in the initial call and Arctic Wolf will respond within 5 minutes. Scans. On a monthly basis, Arctic Wolf will use the Solution to conduct external vulnerability assessment scans of Customer’s enviro nment. As part of these scans, vulnerability and exploit information will be normalized and correlated with other data sources in o rder to determine Customer’s Security Score and prioritization of any identified remediation strategies. Arctic Wolf will deliver to Customer a summary security re port that includes Security Incident and Emergency notification activities on a monthly and quarterly basis. Security Score. Customer’s Security Score is provided as part of the Solution is for illustrative and informational purposes only and may be used by Customer for internal benchmarking purposes. The Security Score is based on certain information related to the results of the Solution within Customer’s environment and is compiled using the Customer Data made available to Arctic Wolf in conjunction with its delivery of the Sol ution. Customer’s Security Score will be communicated in Customer’s summary reports in addition to being available on Customer’s online Executive Dashboard. Customers may elect to compare their Security Score against industry averages from organizations in the same industry vertical to assess ho w Customer is performing against industry norms. Host Containment. Based upon the agreed upon escalation process and provided that the Arctic Wolf Agent is deployed by Customer, CST will remotely isolate a Customer endpoint device(s) that shows evidence of compromise or other suspicious activity. When CST identifies certain indicators of attack on an endpoint, the containment action will be initiated systematically, in accordance with the agreed upon escalation process, to rapidly quarantine the suspected compromised system. The indicators of attack that may drive containment actions include those relating to ransomware (and other types of advanced malware), malicious command-and-control (C2) activity, or active data exfiltration attempts. When an endpoint is in a contained state, only essential control traffic between the Arctic Wolf Agent and the Arctic Wolf server will be allowed in order to enable forensics investigations. The endpoints under containment will receive a containment notification and the containment action will be detailed in an inc ident ticket. The customer portal will display the Customer endpoints that are currently in a contained state. CST is available to a Customer to answer questions or provide detailed information on the contained endpoints. A-8 01203.0001/630926.11 01203.0001/630926.9 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 1/1/2020 Page 9 of 9 CONFIDENTIAL Last Updated: 11/18/2019 Managed Risk Solution Terms These Managed Risk – Solution Terms set forth the terms and conditions of the Managed Risk Solution (the “Solution”). The Solution, if purchased by Customer as evidenced by Customer’s election on an Order Form, will be provided in accordance with the terms set forth herein and the Master Solutions Agreement (the “Agreement”) made by and between Customer and Arctic Wolf Networks, Inc. (“Arctic Wolf”). Any capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement. The Solution: The Solution provides Customers with security vulnerability analytics and trends in Customer’s network and endpoints which as sist in the prevention of system attacks. Specific services included as part of the Solution include:  Arctic Wolf will provide Customer with Internal Vulnerability Assessment (IVA) through an on-premise Managed Risk scanner. Managed Risk scanners, at the election of Customer at the time of order, may be a deployed as a physical piece of equipment or virtual instance.  During onboarding, Arctic Wolf will work with Customer to determine Customer’s Managed Risk scanner configuration. The scann er, based upon the agreed upon configuration, will scan Customer’s network to identify security vulnerabilities within Customer’s host and/or network infrastructures.  Information obtained from the IVA scans will be paired with an external vulnerability assessment (“EVA”) function. The EVA will be run from Arctic Wolf’s cloud-hosted environment, will scan Customer’s IP addresses associated with Customer’s organization or such other addresses designated by Customer and for which Customer is legally authorized to scan, and will provide Customer with a comprehensive s ecurity risk posture based on an industry-standard and recognized Cybersecurity Framework and Arctic Wolf’s proprietary algorithm.  Customer may purchase access to the Arctic Wolf Agent (the “Agent”), proprietary end point software, which, if purchased, will be configured by Arctic Wolf during onboarding in accordance with. Use of the Agent allows Arctic Wolf to run local system scans to augment the Customer Data used to identify security vulnerability analytics and trends in Customer’s network and endpoints.  Customer understands and agrees that Arctic Wolf, in the performance of the Solution, may use a GeoIP service to report the location of Customer's IP address.  If licensed by Customer on an Order Form, Customer may purchase access and use rights in and to Insights, an analytics platfo rm that aggregates Customer Data from the Agent and IVA. Insights will allow Customer the ability to build custom dashboards and rep orts and will be licensed in accordance with the terms and conditions set forth in the Agreement. Data Transfer. Any Equipment provided by Arctic Wolf to Customer is physically deployed to monitor Customer’s system traffic. Such system traffic is augmented with additional sources of log data, as required, to deliver Managed Detection and Response. All such information is deemed Customer Data. Essential log sources will be determined by Customer and Arctic Wolf during the onboarding process preceding the Subscription Start Date. Any Customer Data will be transmitted to Arctic Wolf in accordance with the terms of the Agreement via a secure tunnel in compliance with ISO27001 and SOC 2 Type II. The Solution will be provided redundantly to Customer’s back -up services in order to minimize potential service interruptions. Hosting providers used by Arctic Wolf to deliver the Solution may experience service interruptions and service outages outside the control of Arctic Wolf. If such a hosting provider issues an outage notice that could materially impact delivery of the Solutions, Arctic Wolf will use commerc ially reasonable efforts to promptly notify Customer about the outage and communicate the planned recovery time provided by the hosting provider. Although anonymized, Customer Data may include personal or confidential information. Customer, in accordance with the terms of the Agreement, will obtain express consent from any applicable parties who’s personal or confidential information may be included in the Customer Data. Such consent will permit Arctic Wolf and Customer to monitor the information, systems, and assets owned or controlled by such persons. If Customer does not receive necessary consent, Customer will immediately notify Arctic Wolf. Customer understands and agrees that failure to receive nec essary consent will impact Arctic Wolf’s delivery of the Solution. Updates & Upgrades. Any automated maintenance and update cycles to the Solution will be performed remotely by Arctic Wolf. Arctic Wolf will provi de any services related to the replacement or upgrades of the Equipment. Any costs related to such Equipment replacement or upgrades will be in accordance with the Agreement. A-9 DATASHEET Industry’s Fiercest SOC-as-a-Service A security operations center (SOC) is the most essential element of modern security. But SOCs are expensive, complicated, and far beyond the reach of most small to midsize enterprises. Many take the easy route and invest in products, though investment in new security products is no guarantee of security. Arctic Wolf Managed Detection and Response differs from traditional managed security services. It is a dynamic combination of world-class Concierge Security Team (CST), advanced machine learning, and comprehensive, up-to-the-minute threat intelligence. Your CST conducts both routine and non-routine tasks to protect you from known and emerging threats. Arctic Wolf Managed Detection and Response Capabilities Arctic Wolf Customer Portal — Tactical and Strategic Insights Concierge Security Team™ • Customer-dedicated primary point of contact • Actionable remediation recommendations Advanced Threat Detection • Machine learning with adaptive tuning for efficiency and scale • Proactive hunting and remote forensic analysis Security Incident and Crisis Support • Prioritize security incidents with actionable intelligence • Required steps for response and remediation Log Search • Simple interface, sample search templates • Facilitates rapid searching of operational logs • Available to MSP Plus and Resellers • Comprehensive log collection and retention • No query languages to learn Cloud Monitoring • 360-degree visibility across customer’s on-premises and cloud resources – Public cloud infrastructure – SaaS applications – Security services Compliance • Log management and compliance reporting • Reduces time and costs of audit preparation Simple, Predictable Pricing • Fixed recurring price • Unlimited data collection Arctic Wolf Managed Detection and ResponseTM Summary and customized reports to understand your security posture and fulfill compliance needs Network Inspection Managed IDS, flow creation, network security monitoring Log Analysis & Search Aggregation and correlation Threat Intelligence Multiple sources leveraged to identify potential IOC or IOA Cloud Monitoring IaaS/SaaS configuration, user/admin anomalies Endpoint Visibility Asset data, EDR lite Compliance Reports and audit support B-1 Contact Us arcticwolf.com 1.888.272.8429 ask@arcticwolf.com ©2019 Arctic Wolf Networks, Inc. All rights reserved. Arctic Wolf Networks, AWN and the Arctic Wolf Networks logo are trademarks of Arctic Wolf Networks, Inc. in the United States and/or other jurisdictions. Other names used in this document are for identification purposes only and may be trademarks of their respective owners. SOC2 Type II Certified Concierge Security Team™ The Concierge Security Team (CST) is your single point of contact for your Arctic Wolf Managed Detection and Response. Your CST serves as your trusted security advisor and an extension of your internal team. • Conducts daily triage and forensics • Customizes service to your needs • Provides actionable remediation recommendations Customized Rule Engine (CRulE) CRulE provides unlimited flexibility to tailor our services to the specific needs of every customer. It allows the Concierge Security team to apply your exact security and operational policies and update them as needed to align expeditiously with your changing business needs. • Unlimited security policy customization • Unlimited rules granularity or generalization • Unlimited situational rules customization Hybrid AI Hybrid AI demonstrably identifies attacks, reduces false positives, and speeds up the time between detection and response. It augments a security team’s expertise with the efficiency and productivity of artificial intelligence. • 10X better threat detection • Human intelligence and intuition • Machine scale and efficiency Security Optimized Data Architecture (SODA) SODA unifies the ingestion, parsing, and analysis of network traffic and log data. It provides the foundation for the security analytics that give our security engineers deep pervasive visibility into your security posture. • On-demand access to the relevant security data for incident investigation • Instrumented for cybersecurity data science • Immediately operational with zero setup time The Arctic Wolf Difference SaaS Cloud Monitoring FW/UTM Logs Flow Data IDS Alerts DNS Logs HTTP & TLS AD EndpointAgent ServerLogs EmailGateway WirelessAP Arctic Wolf Cloud Connectors SecaaSIaaS Arctic Wolf Physical Sensor Arctic Wolf Agent WirelessNetworks Windows Event Logs System Vulnerabilities ConfigurationBenchmarks Process Tables Installed Patches Vulnerabilities OSINT CIS Benchmarking Notifications Custom Reports Trouble Tickets Trusted AdviceConcierge Security Team (CST) ActionableResults ThreatIntelligence Secure Transport Secure Transport B-2 2/25/2020 Acceptable Use Policy - Arctic Wolf https://arcticwolf.com/terms/acceptable-user-policy/1/2         QUICK LINKS SOC-as-a-Service Managed Detection and Response Managed Risk SIEM Replacement Cloud Monitoring Log Search Regulatory Compliance Simple, Predictable Pricing HEADQUARTERS Arctic Wolf Networks, Inc. 111 West Evelyn Avenue, Suite 115 Sunnyvale, CA 94086 CONTACT 1.888.272.8429 ask@arcticwolf.com Acceptable Use Policy Last Updated Date: June 17, 2019 Customer acknowledges and agrees not to or attempt to: Probe, scan, or test the vulnerability of any sensor, system, or network without prior written notice to Arctic Wolf; Breach or otherwise circumvent any security or authentication measures; Access, tamper with, or use non-public areas or parts of the Solutions, or shared areas of the Solutions of which access has not been granted by Arctic W Interfere with or disrupt any user, host, or network (e.g. sending a virus, intentionally overloading, ooding, spamming, or mail-bombing any part of the Solutions); Access or search the Solutions by any means other than our publicly supported interfaces (e.g., “scraping”); Restrict, inhibit, interfere with, or otherwise intentionally disrupt or cause a performance degradation to the Solutions, or otherwise cause a performanc degradation to any Arctic Wolf (or Arctic Wolf supplier) facilities; Alter, modify, or tamper with the Solutions or permit any other person to do the same who is not rst authorized to do so by Arctic Wolf; Provide guidance, information, or assistance with respect to causing damage or a security breach to Arctic Wolf’s network or systems. ARCTIC WOLF RESERVES THE RIGHT TO NOTIFY ITS SUBSCRIBERS OF ANY INFORMATION THAT AFFECTS THE SECURITY OF ARCTIC WOLF SOLUTIO  Anything we can help you nd today? 🐺 2 C-1 2/25/2020 Acceptable Use Policy - Arctic Wolf https://arcticwolf.com/terms/acceptable-user-policy/2/2 © 2020 Arctic Wolf Networks Inc. All Rights Reserved. Privacy Policy | Terms of Use | Information Security | Cookie Policy     Anything we can help you nd today? 🐺 2 C-2 2/25/2020 Business Associate Addendum - Arctic Wolf https://arcticwolf.com/terms/business-associate-addendum/1/4 Business Associate Addendum Last Updated Date: November 18, 2019 This BUSINESS ASSOCIATE ADDENDUM (“BAA”) is entered into between Arctic Wolf Networks, Inc. (“Arctic Wolf” or “Business Associate”) and the custome agreeing to the terms below (the “Customer” or “Covered Entity”), and supplements, amends and is incorporated into the Agreement (as dened below). This B applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI (as dened below) via the Solu and to the extent Arctic Wolf, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Customer. “Agreement” means the Master Solutions Agreement and accompanying Order Form(s) entered into between Business Associate and Customer for the provis Solutions, which Agreement(s) may be in the form of online terms of service. This BAA will be effective as of the date Customer accepts the Agreement. Customer must have an existing Agreement in place for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each party’s respective obligations relating to PHI. The purpose of this BAA is to ensure the Parties satisfy the requirements of the nal regulations issued by the U.S. Department of Health and Human Services (“DHHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and the Health Information Technology Economic and Clinical Health Act, enacted as Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, and implementing Regulations and Guidance (“HITECH”), governing the Standards for Privacy of Individually Identiable Health Information at 45 CFR part 160 and part 164, subparts A and E, a amended by HITECH (the “Privacy Rules”), and the security of electronic Protected Health Information collected, maintained, used, or transmitted by certain entities, including health care providers (the “Security Standards”). Business Associate and Covered Entity may be referred to individually herein as a “Party” a collectively, the “Parties”. RECITALS WHEREAS, Business Associate and Covered Entity are Parties to the Agreement pursuant to which Business Associate provides Solutions to Covered En and WHEREAS, Covered Entity’s data, including Protected Health Information (“PHI”), may be used or disclosed to the Business Associate during Business Associate’s performance of the Solutions under the terms of the Agreement; and WHEREAS, the purpose of this BAA is to satisfy the requirements of HIPAA, as may be amended from time to time; NOW, THEREFORE, if Business Associate receives PHI from Covered Entity and is considered a “business associate” as that term is dened in HIPAA and regulations promulgated by DHHS to implement certain provisions of HIPAA, the Parties do hereby agree to the terms as set forth below as to such PHI. AGREEMENTS 1. Denitions All capitalized terms not otherwise dened herein have the meanings ascribed to them under HIPAA, the Privacy Rules and Security Standards, as amended by HITECH. Anything we can help you nd today? 🐺 2 D-1 2/25/2020 Business Associate Addendum - Arctic Wolf https://arcticwolf.com/terms/business-associate-addendum/2/4 2. Obligations and Activities of Business Associate (a) Business Associate agrees to not use or further disclose PHI other than as required by law, the Agreement, or as permitted or required by this BAA. (b) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use disclosure of the PHI other than as provided for by this BAA. (c) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R § 164.410, and any Security Incident of which it becomes aware. The Parties agree this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as dened below) f which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s rewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incide results in unauthorized access, use or disclosure of PHI. (d) In the event of a Breach of any Unsecured PHI that Business Associate accesses, maintains, retains, modies, records, stores, destroys, or otherwise hold uses on behalf of Covered Entity, Business Associate shall provide notice of such Breach to Covered Entity immediately, but in any event not more than 7 busin days after discovering the Breach or, by exercising reasonable diligence would have discovered the Breach. Notice of a Breach shall include, to the extent known to Business Associate: (i) the identication of each individual whose PHI has been, or is reasonably believe have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, (iii) a description of the types of unsecured PHI that were involved in the Breach, (iv) the scope of the Breach, (v) a description of the Business Associate’s response to the Breach, and (vi) and steps Business Associate is taking to protect against any further breaches. In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach tha known to Business Associate. (e) Business Associate agrees to ensure that any agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate a to substantially similar restrictions, conditions, and requirements that apply to Business Associate with respect to such information. (f) Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Regulations. (g) Business Associate agrees to maintain and make available to Covered Entity, within ten (10) business days following a written request, information nece to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. (h) If Business Associate maintains information in a Designated Record Set, it agrees to make available to Covered Entity, within ten (10) business days follo a written request, PHI in such Designated Record Set, in order for Covered Entity to respond to individuals’ requests for access to information about them in accordance with 45 C.F.R § 164.524. If Business Associate maintains, on behalf of Covered Entity, information in an electronic Designated Record Set, Busines Associate shall provide such information in the electronic format to Covered Entity upon request, or, if directed by the Covered Entity, directly to a requesting individual. (i) If Business Associate maintains information in a Designated Record Set, it agrees to make any amendments or corrections to PHI in such Designated Rec Set within ten (10) business days following a written request by the Covered Entity in accordance with 45 C.F.R. § 164.526. 3. Permitted Uses and Disclosures by Business Associate (a) Business Associate may use and disclose PHI as necessary to perform the Solutions set forth in the Agreement only if such use or disclosure is in complia with each applicable requirement of Section 164.504(e) of the Privacy Rules, relating to business associate contracts. (b) Business Associate may use or disclose PHI as required by law. (c) Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedu Anything we can help you nd today? 🐺 2 D-2 2/25/2020 Business Associate Addendum - Arctic Wolf https://arcticwolf.com/terms/business-associate-addendum/3/4 (d) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity. (e) Except as otherwise limited in this BAA, Business Associate may use or disclose PHI for the proper management and administration of Business Associat to carry out the legal responsibilities of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurance from the person to whom the information is disclosed that it will remain condential and used or further disclosed only as required by law or for the purpose fo which it was disclosed to the person, and the person noties Business Associate of any instances of which it is aware in which the condentiality of the informa has been breached. 4. Obligations of Covered Entity (a) Covered Entity shall provide Business Associate notice of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 C.F. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. (b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s uses and disclosures of PHI. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. (d) Covered Entity shall use appropriate administrative, technical and physical safeguards to prevent use or disclosure of PHI other than as provided for by this BAA. 5. Term and Termination (a) Term. The Term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. (b) Termination for Cause. Business Associate authorizes termination of the Agreement by Covered Entity, if Covered Entity determines Business Associate violated a material term of this BAA and Business Associate has not cured the breach or ended the violation within the time specied by Covered Entity. In the event that Business Associate becomes aware of a pattern of activity or a practice of Covered Entity that constitutes a material violation of the obligations of Covered Entity under this BAA, Business Associate will have the same termination rights and obligations specied as to Covered Entity in this Section 5. (c) Effect of Termination. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, in unencrypted form, shall: (i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibi or which it is not reasonably feasible for Business Associate to return or destroy. (ii) Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form. (iii) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of th PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI. (iv) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditio set out at Section 2 of this BAA, which applied prior to termination. (v) Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper manageme and administration or to carry out its legal responsibilities or when such return or destruction is reasonably feasible. 6. Miscellaneous (a) Regulatory References. A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended, and for which complia is required.  Anything we can help you nd today? 🐺 2 D-3 2/25/2020 Business Associate Addendum - Arctic Wolf https://arcticwolf.com/terms/business-associate-addendum/4/4         QUICK LINKS SOC-as-a-Service Managed Detection and Response Managed Risk SIEM Replacement Cloud Monitoring Log Search Regulatory Compliance Simple, Predictable Pricing HEADQUARTERS Arctic Wolf Networks, Inc. 111 West Evelyn Avenue, Suite 115 Sunnyvale, CA 94086 CONTACT 1.888.272.8429 ask@arcticwolf.com © 2020 Arctic Wolf Networks Inc. All Rights Reserved. Privacy Policy | Terms of Use | Information Security | Cookie Policy    (b) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Business Associate and Covere Entity to comply with the requirements of the HIPAA Regulations and any other applicable law. (c) Survival. The obligations of the Parties shall survive the termination of this BAA. (d) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Regulations and any other applicable law. (e) Order of Precedence. In the event of possible conict or inconsistency between documents, the conict or inconsistency shall be resolved by giving precedence in the following order: 1) this BAA and 2) the Agreement. (f) Governing Law. This BAA is subject to the “Governing Law” section in the Agreement. Except as expressly modied or amended under this BAA, the terms the Agreement remain in full force and effect.  Anything we can help you nd today? 🐺 2 D-4 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 01/01/2020 Page 1 of 6 CONFIDENTIAL MASTER SOLUTIONS AGREEMENT This Master Solution Agreement (the “Agreement”) is a legal agreement entered into by and between the Customer identified on an order form (“Customer”) and governs any executed order forms, quotes, or other ordering document (“Order Form(s)”) that reference this Agreement and may be issued to Customer by Arctic Wolf Networks, Inc. (“Arctic Wolf”) or an Arctic Wolf authorized partner (“Authorized Partner”). This Agreement is effective on the date Customer executes the Order Form or submits a matching purchase order to Arctic Wolf or its Authorized Partner (the “Effective Date”). This Agreement permits Customer to purchase subscriptions to the Solutions identified in the Order Form from Arctic Wolf or such Authorized Partner and sets forth the terms and conditions under which those Solutions will be delivered. The Agreement consists of the terms and conditions set forth below, any attachments or exhibits identified herein and any Order Forms that reference this Agreement. If there is a conflict between the terms below, the Order Form, or the terms set forth in an URL referenced herein, the documents will control in the following order: the Order Form, this Master Solutions Agreement, and the terms located at any URL referenced in this Agreement. BY EXECUTING AN ORDER FORM, DELIVERING A PURCHASE ORDER OR OTHER CONFIRMATION TO ARCTIC WOLF OR ITS AUTHORIZED PARTNER DOCUMENTING ACCEPTANCE OF AN ORDER FORM, OR OPERATING, DOWNLOADING, INSTALLING, REGISTERING OR OTHERWISE USING THE SOLUTIONS, OR CLICKING AN "I ACCEPT” OR “CONTINUE" BUTTON ASSOCIATED WITH THIS AGREEMENT, CUSTOMER (OR ITS AUTHORIZED AGENT, IF APPLICABLE) EXPRESSLY AND EXPLICITLY ACKNOWLEDGES AND AGREES THAT THIS IS A BINDING AGREEMENT AND CUSTOMER HEREBY AGREES TO THE TERMS OF THIS AGREEMENT AND ACCEPTS ARCTIC WOLF’S OFFER TO LICENSE OR SELL THE SOLUTIONS PURSUANT TO THE TERMS HEREIN. AN ORDER FORM IS CONSIDERED ACCEPTED BY ARCTIC WOLF WHEN COUNTERSIGNED BY ARCTIC WOLF OR ITS AUTHORIZED PARTNER, WHETHER MANUALLY OR ELECTRONICALLY. IF YOU ARE AN EMPLOYEE OR OTHER REPRESENTATIVE ENTERING INTO THIS AGREEMENT ON BEHALF OF CUSTOMER, YOU HEREBY REPRESENT AND WARRANT TO ARCTIC WOLF THAT YOU ARE (A) AUTHORIZED TO ENTER INTO THIS AGREEMENT ON BEHALF OF CUSTOMER; AND (B) YOU ARE OVER 18 YEARS OLD. IF CUSTOMER DOES NOT ACCEPT ALL THE TERMS AND CONDITIONS IN THIS AGREEMENT OR IS NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, DO NOT ACCEPT THE ORDER FORM, ISSUE A PURCHASE ORDER OR OTHER CONFIRMATION, REGISTER OR OTHERWISE USE THE SOLUTIONS. In consideration of the mutual covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows: 1. Scope. Customer will purchase and Arctic Wolf will provide the specific products and services (“Solutions”) as specified in the applicable Order Form. A Solution may consist of hardware equipment (“Equipment”), a cloud service offering (“Service”), software, including any add-ons offering enhanced features and functionality (collectively, the “Software”), and/or professional services (“Professional Services”). Each Solution is provided on a subscription basis for a set term designated on the Order Form (each, a “Subscription Term”) for the one-time and subscription fees set forth therein (the “Fees”). Customer may access and use the Solutions, and any Documentation associated therewith, solely for its own internal business purposes and in accordance with the terms and conditions of this Agreement, such associated Documentation, any scope of use restrictions designated in the applicable Order Form, and the Solutions Terms found at www.arcticwolf.com/terms/solutionsterms, as may be updated from time to time by Arctic Wolf. “Documentation” means user manuals, training materials, product descriptions and specifications and other printed information relating to the Arctic Wolf Solution, as in effect and generally available from Arctic Wolf, but expressly excluding marketing and sales collateral and materials. 2. Equipment. If the Order Form specifies that Customer will receive Equipment, then Customer is responsible for installing the Equipment at the location(s) specified by Arctic Wolf. The Equipment is a part of the Solutions and loaned to Customer by Arctic Wolf, not sold. Customer acknowledges that if Customer attempts to install or use the Equipment at a location other than specified by Arctic Wolf, the Solutions may fail to function or may function improperly. Other than normal wear and tear, Customer is directly responsible for loss, repair, replacement and other costs, damages, fees and charges during the Subscription Term and if Customer does not return the Equipment to Arctic Wolf in an undamaged condition. Customer is responsible for all costs associated with shipping the Equipment back to Arctic Wolf upon termination of the Subscription Term. Customer understands and agrees that should Customer elect to use Equipment outside the U.S., additional charges may apply for the shipping, export, and/or import of the Equipment. 3. Professional Services. Certain Arctic Wolf Solutions may require Professional Services, such as onboarding, or may be stand-alone offerings, and any such Professional Services shall be specified on an applicable Order Form. 4. Software and Services. Provided Customer is in full compliance with the terms of this Agreement, Arctic Wolf grants to Customer a limited, non-transferable, non-sublicensable, non-exclusive license during the Subscription Term to (i) install the object code form of the Software, but only in connection with Customer’s use of the Solutions and otherwise in accordance with the Documentation, this Agreement, and the Solution Terms located at www.arcticwolf.com/terms/solutionsterms/, as may be updated from time-to-time, (ii) use Arctic Wolf’s third party cloud service providers in conjunction with Customer’s use of the Solution, and (iii) access the Arctic Wolf Customer Portal, subject to the Privacy Policy located at https://arcticwolf.com/privacy-policy-for-customer-portal-users/ (“Privacy Policy”), as may be updated from time-to-time. Customer Data will be retained in accordance with the Solutions Terms. Customer must implement Software and Services in order to enable features of the Solutions. Customer acknowledges that any changes made to the Customer’s infrastructure or configuration of the Solutions after initial deployment may cause the Solutions to cease working or function improperly and that Arctic Wolf will have no responsibility for the impact of any such Customer changes. 5. Reservation of Rights and Ownership. Arctic Wolf owns, or has the right to license, the Solutions, any associated Documentation (“Arctic Wolf Technology”). Customer acknowledges and agrees that (a) the Arctic Wolf Technology is protected by United States and international copyright, trademark, patent, trade secret and other intellectual property or proprietary rights laws, (b) Arctic Wolf retains all right, title and interest (including, without limitation, all patent, copyright, trade secret and other intellectual property rights) in and to the Arctic Wolf Technology, excluding any rights, title, and interest in any Third Party Products (as defined in Section 12.3 below) which shall be retained by its third party licensor(s), any other deliverables, any and all related and underlying technology and any derivative works or modifications of any of the foregoing, including, without limitation, any Feedback, (c) there are no implied licenses and any rights not expressly granted to Customer hereunder are reserved by Arctic Wolf, (d) the Solution, excluding Professional Services, is licensed on a subscription basis, not sold, and Customer acquires no ownership or other interest (other than the license rights expressly stated herein) in or to the Arctic Wolf Technology, and E-1 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 01/01/2020 Page 2 of 6 CONFIDENTIAL (e) the Solution is offered as an on-line, hosted solution, and Customer has no right to obtain a copy of the Software . Feedback includes suggestions, comments or other feedback (“Feedback”) provided to Arctic Wolf by Customer with respect to the Solutions. 6. Restrictions, Responsibilities, Warranties, Prohibited Use, and Customer Data. 6.1 Restrictions. Customer agrees not to, directly or indirectly: (i) modify, translate, copy or create derivative works based on the Arctic Wolf Technology, (ii) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code or non-public APIs to the Solutions, except to the extent expressly permitted by applicable law (and then only upon advance notice to Arctic Wolf); (iii) interfere with or disrupt the integrity or performance of the Solutions or the data contained therein or block or disrupt any use or enjoyment of the Solutions by any third party, (iv) attempt to gain unauthorized access to the Solution or their related systems or networks or (v) remove or obscure any proprietary or other notice contained in the Arctic Wolf Technology, including on any reports or data printed from the Arctic Wolf Technology. Customer agrees to abide by the terms of the Acceptable Use Policy at http://www.arcticwolf.com/terms/acceptableuse, as may be updated from time-to-time. If Arctic Wolf, in its reasonable discretion, determines that Customer’s use of the Solutions imposes an unreasonable or disproportionately large load on Arctic Wolf’s infrastructure or that Customer is abusing its use of the Solutions, Arctic Wolf may, in addition to any other right herein, temporarily suspend Customer’s access to the Solutions until such activity is rectified. If commercially practicable, Arctic Wolf shall provide Customer with notice prior to any such suspension and shall work with Customer in good faith to reinstate the Solutions promptly. 6.2 Arctic Wolf Responsibilities. Arctic Wolf shall provide the Solutions in accordance with the terms of this Agreement, as further described in the Solutions Terms. The Solutions provided under this Agreement shall include any updates, upgrades, bug fixes, version upgrades or any similar changes that are made generally available to Arctic Wolf’s customers free of charge from time to time during the Subscription Term. 6.3. Customer Responsibilities. Customer must identify the administrative users for its account (“Administrators”). Each Administrator will receive an administrator ID and password and will need to register with Arctic Wolf. Customer is responsible for notifying Arctic Wolf about changes to Administrators, including but not limited to termination, change of authority, and the addition of Administrators. Customer acknowledges and agrees that Administrators will be able to view all Customer Data and other traffic and activities that occur on Customer’s network and that Customer is responsible for all activities that occur under Administrator accounts. Administrator IDs are granted to individual, named persons and cannot be shared or used by more than one Administrator but may be reassigned from time to time to new Administrators. Customer represents and warrants that it shall (i) obtain any licenses and/or consents necessary for Arctic Wolf to perform its obligations under this Agreement, (ii) be responsible for ensuring the security and confidentiality of all Administrator IDs and passwords, (iii) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Solutions, (iv) notify Arctic Wolf promptly of any unauthorized use of the Solutions or any breach, or attempted breach, of security of the Solutions, (v) not use the Solutions in a manner that would violate applicable laws or regulations, and (vi) use of the Solutions and the transfer of any Customer Data to Arctic Wolf will not be used for any fraudulent purposes. Customer acknowledges and agrees that the Solutions may consume additional CPU and memory in Customer’s environment while in running in production. 6.4 Prohibited Use. Because Customer may access the Solutions from anywhere in the world, it is Customer’s responsibility to ensure that Customer has the right to access and use the Solutions where Customer is located. Customer represents and warrants that Customer is not a Prohibited Person nor owned or controlled by a Prohibited Person. “Prohibited Persons” shall mean a person or entity appearing on the lists published by the U.S. Department of Commerce, the U.S. Department of State, the U.S. Department of Treasury or any other list that may be published by the U.S. Government, as amended from time to time, that is prohibited from acquiring ownership or control of items under this Agreement, or with which Arctic Wolf is prohibited from doing business. Customer further represents that the Solutions shall not be used for or in connection (i) with nuclear activities, (ii) in the development of biological or chemical weapons, missiles, or unmanned aerial vehicles, (iii) to support terrorist activities, or (iv) in any other way that would violate economic sanctions laws. Customer agrees to promptly notify Arctic Wolf, and terminate its use of the Solutions, if Customer discovers that any of the foregoing conditions apply. Arctic Wolf may suspend any use of the Solutions it reasonably believes Customer may be (or is alleged to be) in violation of the foregoing. 6.5 Customer agrees to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. Without limiting the foregoing: (i) Customer represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. government as a “terrorist supporting” country, (ii) Customer will not (and will not permit any of its users to) access or use the Solutions in violation of any U.S. export embargo, prohibition or restriction, and (iii) Customer will not submit to the Arctic Wolf, directly or through the Solutions, any information that is controlled under the U.S. International Traffic in Arms Regulations. 7. Fees, Payment, Taxes, and Audit. 7.1. For direct purchases made between Arctic Wolf and Customer, the Order Form shall be between Customer and Arctic Wolf and the following terms shall apply: Pricing for the Solutions will be specified on an “Order Form”. All fees are payable in U.S. Dollars and are non-cancelable and non-refundable. Delinquent amounts shall bear interest at a rate equal to the lesser of one and one-half percent (1.5%) per month (eighteen percent (18%) per year) or the maximum rate permitted by law, whichever is less. If Customer fails to make any payments due under this Agreement or an applicable Order Form, Arctic Wolf shall notify Customer of such nonpayment. If a payment that is due remains unpaid for ten (10) days after Arctic Wolf provides Customer with notice of such nonpayment, Arctic Wolf may cease providing the Solutions without any liability to Arctic Wolf. The amounts payable to Arctic Wolf are exclusive of any sales, use, excise, value added, import, or other applicable taxes, tariffs or duties (“Taxes”). Customer is solely responsible for payment of all Taxes except for any taxes based solely on Arctic Wolf’s net income. If Customer is required to pay any Taxes, Customer shall pay such Taxes with no reduction or offset in the amounts payable to Arctic Wolf hereunder and Customer will pay and bear such additional amount as shall be necessary such that Arctic Wolf receives the full amount of the payment required as if no such reduction or offset were required. If Arctic Wolf has the legal obligation to pay or collect Taxes for which Customer is responsible, Customer authorizes Arctic Wolf to charge Customer for such amount. If Customer believes that Arctic Wolf has billed Customer incorrectly, Customer must contact Arctic Wolf no later than thirty (30) days after the closing date on the first billing statement in which the error or problem appeared in order to receive an adjustment or credit. Inquiries should be directed to Arctic Wolf’s customer support department. E-2 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 01/01/2020 Page 3 of 6 CONFIDENTIAL 7.2 For purchases made by Customer through a partner authorized and licensed to sell and /or deliver Arctic Wolf Solutions (an “Authorized Partner”), the order form or other equivalent transaction document containing terms related to Fees, Payment, Taxes, Audit and other terms, as may be applicable, shall be between Customer and the Authorized Partner. Notwithstanding the foregoing, Customer understands and agrees that should Customer fail to remit payments to any Partner when due or if Customer terminates or suspends its business, becomes subject to any bankruptcy or insolvency proceeding under federal or state or similar statute that is not dismissed within sixty (60) days, or becomes insolvent or subject to direct control by a trustee, receiver, or similar authority, Arctic Wolf may immediately terminate this MSA without any further obligation or liability. 8. Compliance with Laws. Each party represent and warrant that, during the term of this Agreement, the parties will comply with all foreign, federal, state and local statutes, laws, orders, rules, regulations and requirements, including those of any governmental (including any regulatory or quasi-regulatory) agency applicable to such party as it pertains to its performance obligations herein and, in the case of Customer, in connection with its use of the Solutions. 9. Confidentiality. Either party (as a “Discloser”) may disclose confidential and proprietary information, orally or in writing (“Confidential Information”) to the other party (as a “Recipient”). All such information shall be marked with a restrictive legend of the Discloser or reasonably understood to constitute confidential information. Notwithstanding the foregoing, contract terms relating to Customer Data shall be set forth in Section 10. Notwithstanding the marking requirements of this Section, Customer acknowledges that the following constitutes Confidential Information of Arctic Wolf: any trade secrets, know-how, inventions (whether or not patentable), techniques, ideas, or processes related to the Arctic Wolf Technology; the design and architecture of the Arctic Wolf Technology; the computer code, internal documentation, and design and functional specifications of the Arctic Wolf Technology; and any problem reports, analysis and performance information related to the Arctic Wolf Technology. Each party agrees to hold the other party’s Confidential Information in strict confidence, not to disclose such Confidential Information to third parties not authorized by the Discloser to receive such Confidential Information, and not to use such Confidential Information for any purpose except as expressly permitted hereunder. Each party agrees to take commercially reasonable steps to protect the other party’s Confidential Information and to ensure that such Confidential Information is not disclosed, distributed or used in violation of the provisions of this Agreement. The Recipient may disclose Confidential Information only (a) with the Discloser’s prior written consent, or (b) to those employees, officers, directors, agents, consultants, and advisors with a clear and well-defined “need to know” purpose who are informed of and bound by the obligations of this Agreement. Notwithstanding the foregoing, the Recipient may disclose Confidential Information to the extent required by law. However, the Recipient will give the Discloser prompt notice to allow the Discloser a reasonable opportunity to obtain a protective order and such Confidential Information disclosed to the extent required by law shall otherwise remain confidential and subject to the protections and obligations of this Agreement. The Discloser agrees that the foregoing obligations shall not apply with respect to any information that the Recipient can document (i) is rightfully in its possession or known to it prior to receipt from the Discloser without an obligation of confidentiality, (ii) is or has become public knowledge through no fault of the Recipient, (iii) is rightfully obtained by the Recipient from a third party without breach of any confidentiality obligation, or (iv) is independently developed by employees of the Recipient who had no access to Discloser’s Confidential Information. Upon expiration or termination of this Agreement for any reason, and except as otherwise provided in Section 16 below, each party shall promptly return to the other party or destroy all copies of the other party's Confidential Information and copies, notes or other derivative material relating to the Confidential Information. Notwithstanding the foregoing, and subject to the Privacy Policy, Arctic Wolf may retain Customer’s name, contact names, email address, and such other necessary contact information following termination of this Agreement for its internal business purposes, including but not limited to the improvement of its Solutions. 10. Customer Data. 10.1 “Customer Data” means operational data and other internal business information submitted by or on behalf of Customer to the Solutions, including, but not limited to operational values, event logs, and usernames. As between the parties, Customer shall retain all right, title and interest (including any and all intellectual property rights) in and to the Customer Data as provided to Arctic Wolf and the Solutions (excluding any Arctic Wolf Technology used with the Customer Data). Customer hereby grants Arctic Wolf a non-exclusive, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of data Customer Data solely to the extent necessary to provide the Solutions to Customer. Customer is solely responsible for the accuracy, content and legality of all Customer Data. Customer represents and warrants to Arctic Wolf that Customer has all necessary rights, consents and permissions to collect, share and use all Customer Data as contemplated in this Agreement. Customer further represents and warrants that all Customer Data complies with the Acceptable Use Policy. Customer hereby authorizes Arctic Wolf to aggregate Customer Data with other data so that results are non-personally identifiable with respect to Customer and collect anonymous technical logs and data regarding Customer’s use of the Solutions (“Aggregate/Anonymous Data”). Notwithstanding anything to the contrary herein, such Aggregate/Anonymous Data will be deemed Arctic Wolf Technology, which Arctic Wolf may use for any business purpose during or after the term of this Agreement, including without limitation to develop and improve the Solutions and services and to create and distribute reports and other materials. For clarity, this Section 10.1 does not give Arctic Wolf the right to identify Customer as the source of any Aggregate/Anonymous Data without Customer’s prior written permission. Customer understands and agrees that Customer Data may be accessed by Arctic Wolf in the US, Canada, and other parts of the world and by non-US citizens, and Customer hereby consents to such access. 10.2 European Union General Data Protection Regulation. If and to the extent Customer submits to Arctic Wolf personal data (as that term is defined under the GDPR) of individuals located in the European Union, United Kingdom and/or the European Economic Area, the Arctic Wolf Data Processing Agreement available at www.arcticwolf.com/terms/dpa, as may be updated by Arctic Wolf from time-to-time (the “DPA”) is hereby incorporated into this Agreement unless Customer has signed a standalone Arctic Wolf Data Processing Agreement, in which case such terms shall control. Customer acknowledges that a list of Arctic Wolf’s current Authorized Sub-Processors list, which may be updated by Arctic Wolf from time-to-time (the “List”) is available at the URL specified in the DPA, and that Customer’s is responsible for subscribing to updates to such List via the URL. It is Customer’s sole responsibility to notify Arctic Wolf of requests from data subjects related to the modification, deletion, restriction and/or objection of personally identifiable information. 10.3 California Consumer Privacy Act. The parties acknowledge and agree that Arctic Wolf is a service provider for the purposes of the California Consumer Privacy Act (“CCPA”) and may receive personal information from Customer pursuant to this Agreement for a business purpose. Arctic Wolf shall not sell any such personal information. Arctic Wolf shall not retain, use or disclose any personal information provided by Customer pursuant to this Agreement except as necessary for the specific purpose of performing the Solutions for Customer pursuant to this E-3 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 01/01/2020 Page 4 of 6 CONFIDENTIAL Agreement or as permitted by the CCPA. The terms “personal information,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. Arctic Wolf certifies that it understands the restrictions of this Section 10.3. 11. Indemnity. 11.1 Arctic Wolf’s Indemnity. Subject to Section 11.3, Arctic Wolf will defend any third party claim or action brought against Customer to the extent based on the allegation that the Solutions infringe any intellectual property right (patents, utility models, design rights, copyrights and trademarks or any other intellectual property right) having effect in the United States and Arctic Wolf will pay any settlements that Arctic Wolf agrees to in a writing signed by an authorized officer of Arctic Wolf or final judgments awarded to the third party claimant by a court of competent jurisdiction. The foregoing obligations do not apply with respect to the Solutions, or portions or components thereof, that are (a) not provided by Arctic Wolf, (b) combined with other products, processes or materials that are not reasonably contemplated by the Documentation where the alleged infringement relates to such combination, or (c) not used by Customer in strict accordance with this Agreement or the published Documentation. 11.2 Customer Indemnity. Subject to Section 11.3, Customer agrees to defend any claim or action brought against Arctic Wolf to the extent based on Customer’s alleged breach of Sections 6 or 10 and Customer agrees to pay any settlements that Customer agrees to in a writing signed by an authorized officer of Customer or final judgments awarded to the third party claimant by a court of competent jurisdiction. 11.3 Procedures. Each party’s indemnification obligations are conditioned on the indemnified party (a) providing the indemnifying party with prompt written notice of any claim, provided that the failure to provide such notice shall only limit the indemnifying party’s obligation to indemnify to the extent that the failure prejudices the indemnifying party in its defense of the claim, (b) granting the indemnifying party the sole control of the defense or settlement of the claim, and (c) providing reasonable information and assistance to the indemnifying party in the defense or settlement of the claim at the indemnifying party’s expense. 11.4 Options. If Customer’s use of the Solutions has become, or in Arctic Wolf’s opinion is likely to become, the subject of any claim of infringement, Arctic Wolf may at its option and expense (a) procure for Customer the right to continue using and receiving the Solutions as set forth hereunder, (b) replace or modify the Solutions to make them non-infringing, (c) substitute an equivalent for the Solutions, or (d) if Arctic Wolf, in its sole discretion, determines that options (a)-(c) are not reasonably practicable, terminate this Agreement and refund any pre-paid unused Fees as of the effective date of termination. 11.5 Sole Remedy. THIS SECTION 11 STATES ARCTIC WOLF’S ENTIRE RESPONSIBILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. 12. Warranty and Warranty Disclaimer. 12.1 Solutions Warranty. ARCTIC WOLF WARRANTS THAT DURING THE SUBSCRIPTION TERM AND PROVIDED THAT CUSTOMER IS NOT IN BREACH OF THIS AGREEMENT THAT, (I) THE SOLUTIONS PROVIDED UNDER THIS AGREEMENT DO NOT INFRINGE OR MISAPPROPRIATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY, AND (II) THE SOLUTIONS SHALL SUBSTANTIALLY PERFORM IN ALL MATERIAL RESPECTS AS DESCRIBED IN THE DOCUMENTATION. IN THE EVENT OF ANY BREACH OF THIS SECTION 12.1, ARCTIC WOLF SHALL, AS ITS SOLE LIABILITY AND CUSTOMER’S SOLE REMEDY, REPAIR OR REPLACE THE SOLUTIONS THAT ARE SUBJECT TO THE WARRANTY CLAIM AT NO COST TO CUSTOMER OR IF ARCTIC WOLF IS UNABLE TO REPAIR OR REPLACE, THEN ARCTIC WOLF WILL REFUND ANY PRE-PAID FEES FOR THE SOLUTIONS, OR PARTS THEREOF, SUBJECT TO THE WARRANTY CLAIM. EXCEPT FOR THE WARRANTY DESCRIBED IN THIS SECTION, THE SOLUTIONS ARE PROVIDED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES OF TITLE. CUSTOMER ACKNOWLEDGES THAT THE SOLUTIONS ARE PROVIDED “AS IS” AND FURTHER ACKNOWLEDGE THAT ARCTIC WOLF DOES NOT WARRANT (A) THE OPERATION OF THE SOLUTIONS WILL BE UNINTERRUPTED, OR ERROR FREE, (B) THE SOLUTIONS ARE NOT VULNERABLE TO FRAUD OR UNAUTHORIZED USE, (C) THE FEATURES OR FUNCTIONALITIES OF THE SOLUTIONS WILL BE AVAILABLE AT ANY TIME IN THE FUTURE, AND (D) THE SOLUTIONS WILL IDENTIFY OR DETECT EVERY VULNERABILITY OR SECURITY ISSUE. CUSTOMER IS RESPONSIBLE AND ARCTIC WOLF SHALL HAVE NO RESPONSIBILITY FOR DETERMINING THAT THE USE OF THE SOLUTIONS COMPLIES WITH APPLICABLE LAWS IN THE JURISDICTION(S) IN WHICH CUSTOMER MAY DEPLOY AND USE THE SOLUTIONS. 12.2 Open Source Warranty. The Software includes certain Open Source Software. Open Source Software is governed solely by the applicable open source licensing terms, if any, and is provided “AS IS”. Arctic Wolf provides no warranty specifically related to any Open Source Software or any applicable Open Source Software licensing terms. The foregoing language is not intended to limit Arctic Wolf’s warranty obligation for the Solution pursuant to Section 12.1. “Open Source Software” means software with its source code made available pursuant to a license by which, at a minimum, the copyright holder provides anyone the rights to study, change, and/or distribute the software to anyone and for any purpose. 12.3 Third Party Product. Third Party Product (as defined in this Section 12.3) may carry a limited warranty from a limited warranty from the third-party publisher, provider, or original manufacturer of such Third Party Products. To the extent required or allowed, Arctic Wolf will pass through to Customer or directly manage for the benefit of Customer’s use of the Third Party Products as part of the Solutions (such decision to be made in Arctic Wolf’s discretion), the manufacturer warranties related to such Third Party Products. “Third Party Product” means any non- Arctic Wolf branded products and services (including Equipment, and any operating system software included therewith) and non-Arctic Wolf- licensed software products, including Open Source Software. 13. Limitation of Liability. FOR ANY CAUSE RELATED TO OR ARISING OUT OF THIS AGREEMENT, WHETHER IN AN ACTION BASED ON A CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR ANY OTHER LEGAL THEORY, HOWEVER ARISING, ARCTIC WOLF WILL IN NO EVENT BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR (A) DAMAGES BASED ON USE OR ACCESS, INTERRUPTION, DELAY OR INABILITY TO USE THE SOLUTIONS, LOST REVENUES OR PROFITS, LOSS OF SOLUTIONS, BUSINESS OR GOODWILL, LOSS OR CORRUPTION OF DATA, LOSS RESULTING FROM SYSTEM FAILURE, MALFUNCTION OR SHUTDOWN, FAILURE TO ACCURATELY TRANSFER, READ OR TRANSMIT INFORMATION, FAILURE TO UPDATE OR PROVIDE CORRECT INFORMATION, SYSTEM INCOMPATIBILITY OR PROVISION OF INCORRECT COMPATIBILITY INFORMATION OR BREACHES IN SYSTEM SECURITY, E-4 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 01/01/2020 Page 5 of 6 CONFIDENTIAL OR (B) ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR (C) ANY AMOUNTS THAT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER FOR THE SOLUTIONS THAT ARE THE SUBJECT OF THE CLAIM DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRIOR TO THE EVENT WHICH GIVES RISE TO SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY WHETHER OR NOT ARCTIC WOLF HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. 14. Term and Renewal. This Agreement shall be in effect for the Subscription Term specified in the Order Form. 14.1. For direct purchases made between Arctic Wolf and Customer, the Order Form shall be between Customer and Arctic Wolf and the following terms shall apply: The Subscription Term to the Solutions will automatically renew at the end of the initial Subscription Term (i) for the same period of time as the initial Subscription Term, but in no event more than a twelve (12) month Subscription Term, and (ii) will renew at the then-current price, and subject to the then-current terms, at the time of renewal; provided however, that if either party would like to opt out of automatic renewal of the Subscription or modify any of the terms prior to renewal, then such party must notify the other party no less than sixty (60) days prior to the expiration of the then-current Subscription Term. With respect to any month-to-month Subscriptions, the effective date of termination will be the last day of the Subscription Term immediately following the 60-day notification period. As a matter of example, Customer’s Subscription Term is month-to-month and Customer provides notification of termination on the 15th of September. The effective date of termination for the Subscription Term will be the 30th of November. 14.2 For purchases made by Customer through an Authorized Partner, the Order Form or other equivalent transaction document containing the terms related to Term, Renewal and other terms, as may be applicable, shall be between Customer and the Authorized Partner. 15. Updates. Arctic Wolf reserves the right to modify the Solutions, this Agreement, any terms referenced in a URL set forth herein, and the Documentation in Arctic Wolf’s sole discretion and without notice provided that such changes shall not materially decrease the Solutions that Customer has subscribed to during the then-current Subscription Term. Should Arctic Wolf make any modifications, Arctic Wolf will post the amended terms on the respective URL links and will update the “Last Updated Date” within such terms. If any change materially decreases the Solutions, Arctic Wolf will notify Customer via the Customer Portal, Customer newsletter, www.arcticwolf.com/terms website, or such other communication method implemented by Arctic Wolf from time-to-time. Customer may notify Arctic Wolf within 30 days after the effective date of the material change of its rejection of such change. If Customer notifies Arctic Wolf of its rejection during such thirty (30) day period, then Customer will remain governed by the terms in effect immediately prior to the change until the end of Customer’s then-current Subscription Term. However, any subsequent renewal of the Subscription Term will be renewed under the then-current terms, unless otherwise agreed in writing by the parties. 16. Termination. Either party may terminate this Agreement for cause if the other party commits a material breach of this Agreement, provided that such terminating party has given the other party ten (10) days advance notice to try and remediate the breach. If Customer purchases the Solutions through an Authorized Reseller, Customer acknowledges and agrees that Arctic Wolf may immediately without notice terminate this Agreement should Customer fail to pay any amounts due and owing to the Authorized Reseller. Upon termination, Customer agrees to cease all use of the Solutions and Arctic Wolf Technology, installed or otherwise, and destroy all copies of any Arctic Wolf Technology that are in its possession or under its control and promptly remove and return all Equipment to Arctic Wolf. Except as otherwise required by law, upon termination Arctic Wolf will remove, delete, or otherwise destroy all copies of Customer Data in its possession. Sections 7 (only as to amounts due and owing) and 9 through 14, 16, and 17 will survive the non-renewal or termination of this Agreement. 17. Miscellaneous. 17.1 Except as otherwise provided herein, all notices, requests, consents, claims, demands, waivers and other communications hereunder shall be in writing and shall be deemed to have been given: (a) when delivered by hand (with written confirmation of receipt); (b) on the next business day after the date sent, if sent for overnight delivery by a generally recognized international courier (e.g., FedEx, DHL, etc.) (receipt requested); or (c) on the date sent by e-mail of a PDF document (with confirmation of transmission) if sent during normal business hours of the recipient, and on the next business day if sent after normal business hours of the recipient. Such communications must be sent to the respective parties at the addresses set forth on the signature page hereof (or at such other address for a party as shall be specified in a notice given in accordance with this Section 17). For contractual purposes, Customer (1) consents to receive communications in an electronic form via the email address it provides herein or via the Customer Portal; and (2) agrees that all agreements, notices, disclosures, and other communications that Arctic Wolf provides electronically satisfies any legal requirement that those communications would satisfy if they were on paper. This Section does not affect Customer's non-waivable rights. 17.2 The parties to this Agreement are independent contractors. Neither party has the authority to bind the other party without the express written authorization of the other party. Nothing herein may be construed to create an employer-employee, franchisor-franchisee, agency, partnership, or joint venture relationship between the parties. 17.3 This Agreement shall inure to the benefit of and be binding upon the respective permitted successors and assigns of the parties. Customer shall not be entitled to assign, subcontract, delegate or otherwise transfer any of its rights and/or duties arising out of this Agreement and/or parts thereof to third parties, voluntarily or involuntarily, including by change of control, operation of law or any other manner, without Arctic Wolf’s express prior written consent. Any purported assignment, subcontract, delegation or other transfer in violation of the foregoing shall be null and void. No such assignment, subcontract, delegation or other transfer shall relieve the assigning party of any of its obligations hereunder. 17.4 The rights and obligations of the parties under this Agreement shall not be governed by the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods or the United Nations Convention on the Limitation Period in the International Sale of Goods, as amended. This Agreement shall be governed by the laws of the State of California without regard to the conflicts of law provisions thereof. Any controversy or claim arising out of or relating to this Agreement, or the breach thereof, shall be settled by arbitration in Santa Clara County, California in English and in accordance with the JAMS International Arbitration Rules then in effect. Any judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Notwithstanding the foregoing, each Party shall have the right to institute an action in a court of proper jurisdiction for preliminary injunctive relief pending a final decision by the arbitrator(s), provided that a permanent E-5 Arctic Wolf Networks – Master Solutions Agreement Last Updated: 01/01/2020 Page 6 of 6 CONFIDENTIAL injunction and damages shall only be awarded by the arbitrator(s). In any action or proceeding to enforce rights under this Agreement, the prevailing Party shall be entitled to recover costs and attorneys’ fees. 17.5 Each party acknowledges and agrees that any dispute or claim that may arise out of or relate to this Agreement is likely to involve complicated and difficult issues and, therefore, each such party irrevocably and unconditionally waives any right it may have to a trial by jury in respect of any legal action arising out of or relating to this Agreement or the transactions contemplated hereby. 17.6 No failure or delay by any party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privilege. The rights and remedies under this Agreement are cumulative and are in addition to and not in substitution for any other rights and remedies available at law or in equity or otherwise. 17.7 If any provision of this Agreement is held invalid or unenforceable by any court of competent jurisdiction, the other provisions of this Agreement will remain in full force and effect. Any provision of this Agreement held invalid or unenforceable only in part or degree will remain in full force and effect to the extent not held invalid or unenforceable. The parties agree to replace such void or unenforceable provision of this Agreement with a valid and enforceable provision that will achieve, to the extent possible, the economic, business and other purpose of such void or unenforceable provision. 17.8 This Agreement (including the exhibits hereto, if any, and any BAA (as defined in Section 17.9 below)) constitutes the parties’ entire agreement by and between the parties with respect to the subject matter hereof and supersedes any prior or contemporaneous agreement or understanding by and among the parties with respect to such subject matter. Except as otherwise provided herein, this Agreement may be amended, modified or supplemented only by an agreement in writing signed by each party. 17.9 In the event that Arctic Wolf will have access to personal healthcare information in the delivery of the Solutions, the parties agree to the Business Associate Addendum (“BAA”) located at www.arcticwolf.com/terms/baa or as otherwise may be attached hereto as Exhibit A. In the event the parties have entered into a BAA in relation to protected health information, the parties intend for both this Agreement and BAA to be binding upon them and the BAA is incorporated into this Agreement by reference. 17.10 The parties have participated mutually in the negotiation and drafting of this Agreement. In the event an ambiguity or question of intent or interpretation arises, this Agreement will be construed as if drafted mutually by the parties and no presumption or burden of proof will arise favoring or disfavoring any party by virtue of the authorship of any of the provisions of this Agreement. 17.11 The Parties have agreed that this agreement as well as any notice, document or instrument relating to it be drawn up in English only; les parties aux présentes ont convenu que la présente convention ainsi que tous autres avis, actes ou documents s’y rattachant soient rédigés en anglais seulement. E-6 Privacy Policy for Users of the Arctic Wolf Solutions and Customer Portal Last Updated: 02/14/2020 Purpose Arctic Wolf Networks, Inc. (“AWN,” “Arctic Wolf,” “we,” “us,” “our,” or the “Company”) and its affiliates are committed to protecting the privacy of the information (“Customer Information” as defined below) provided by you and your authorized resources (“Users”, “you”, “your”) while using the Arctic Wolf Customer Portal (the “Customer Portal”) and the Arctic Wolf SOC-as-a-service or other products and services (collectively, “Solutions”). For purposes of clarity, MSP Partners (“MSP,” “MSPs”) using the Customer Portal and Solutions on behalf of its end-users are considered Users for the purposes of this Privacy Policy. This Privacy Policy describes the Customer Information (as defined below) we collect through the Solutions and Customer Portal and the manner in which the Customer Information is used to deliver and support the Solutions. Terms of Use If you have any dispute over the privacy of your information, the dispute is subject to this Privacy Policy and, as applicable, the Master Solutions Agreement or Master Partner Agreement made between us, including any provisions related to the limitation of liability and application of choice of law. Scope This Privacy Policy covers the Customer Information collected by us from Users of the Customer Portal and Solutions and the access to and submission of Customer Information for the purpose of: • Opening tickets • Adding comments to existing tickets • Adding attachment(s) to tickets • Being authenticated to use the Solutions • Uploading credentials for application event monitoring • Obtaining configuration information, reports, and metrics related to the operation of the Solutions within your environment F-1 Customer Information Each User is responsible for the quality, integrity, reliability, and appropriateness of Customer Information submitted in the Customer Portal and Solutions and must comply with terms contained in the applicable Arctic Wolf Master Solutions Agreement or, in the case of an MSP, by the terms of the applicable Arctic Wolf Master Partner Agreement. The information we may collect from you while using the Customer Portal and Solutions (the “Customer Information”) includes: Customer Information Obtained via the Customer Portal The types of Customer Information we collect about Users of the Customer Portal includes: 1) Corporate or Employee Information Customer Portal Users experiencing issues relating to the Solutions may submit support tickets via the Customer Portal. In the course of your creation of support tickets and our provision of support services, you may provide corporate or employee information that assists us with the definition and resolution of issues. 2) Uploaded Credentials Customers Portal Users may upload their credentials (such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data, and device ID identifiers). Customer Information Obtained via the Solutions When using the Solutions, the Solutions may collect, and/or you may choose to submit to us, the following: 1) System Data The Solutions, depending on their set up and deployment in your environment, may collect log data from various sources, including your: • data center, • applications, • infrastructure in the cloud, • on-premises infrastructure, and • remote endpoints. In addition, the Solutions may perform inspection of network traffic, scan internal and external- facing devices, and collect configuration data, vulnerability data, system-level inventory, and event data. F-2 2) Uploaded Credentials Solutions Users may be required to upload their credentials (such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data, and device ID identifiers). How We Use the Information We use Customer Information for the following purposes: 1) Support Ticket Management and Resolution Support tickets are the primary medium that Users and the Concierge Security™ engineers (CSEs) use to communicate issues or requests over the use and improvement of the Solutions. Both parties can comment and provide more information in a support ticket until the issue/request is resolved. The CSEs use a ticketing system to communicate security alerts to Users allowing the Users to respond and see the status of the alert until it is closed. 2) Provision of the Solutions System Data and uploaded credentials are integral to the functionality of our Solutions. This Information is used to provision the Solutions to you and to monitor and detect security and threat incidents within your network of connected applications and systems. Uploaded credentials can be viewed and managed by Users, including your MSP, and—to a limited extent—may be accessed and viewed by Arctic Wolf employees for support ticket issue resolution. Based on the your environment and configuration, Users can upload credentials in the Solutions and/or Customer Portal to: • configure the Solutions, and to monitor cloud infrastructure resources to detect access and misuse of a User’s networks, resources, and application instances; • monitor SaaS applications to detect malicious activities and potential data exposures in cloud-based applications; and • monitor security events related to user single sign-on and malicious endpoint activity for security providers. 3) Communication With You Arctic Wolf may use your Customer Information for business purposes of communicating with you about Solutions in which you may be interested, updating you about changes to our terms and conditions, sending you general information about Arctic Wolf and its business, or other similar types of business purposes. 4) Improve the Customer Portal and Solutions Arctic Wolf may aggregate and anonymize your Customer Information in order to improve the information it uses to deliver its Solutions. F-3 How We May Share the Information We do not sell your Customer Information. We do not share, distribute, use, disclose, review, transfer, or reference any Customer Information except as set forth herein, as expressly permitted in writing by the User, as needed by an MSP to perform services for its end users, or as required or permitted by law. Additional information about our confidentiality and security practices with respect to Customer Information is available on our Information Security Overview page. We may share Customer Information only in the manner described below. We do not control, however, how you or your third party service providers, collect, uses, shares or discloses Customer Information. We may share or disclose Customer Information in the following ways: • When changing our business structure In the event of a proposed or completed merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of our assets, similar transactions or proceedings, or steps in contemplation of such activities, Customer Information held by us may be among the assets transferred to the buyer or acquirer; • When conducting our business operations We may use third party service providers and tools to provide services on our behalf, including billing, customer ticketing and collaboration, internal support ticketing, access and identity management, cloud hosting, customer relations management, marketing and advertising, Solution improvement projects, etc. Our service providers are only provided with information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers may be located in the U.S., Canada or other foreign jurisdictions; • To comply with laws We and our affiliates or service providers in the U.S. or other jurisdictions may disclose Customer Information to comply with applicable legal or regulatory requirements (which may include lawful access by U.S. or foreign courts, law enforcement or other government authorities) and to respond to lawful requests by public authorities, including to meet national security, law enforcement requirements, court orders and legal processes; • To protect rights and safety To protect and defend the brand, rights, property and safety of Arctic Wolf Networks, Inc. and its affiliates, Arctic Wolf customers, including enforcing contracts or policies, or in connection with investigating and preventing fraud. F-4 If Users have any questions about its Customer Information or rights with respect to the foregoing, please contact us at dataprotection@arcticwolf.com or open a ticket via your Customer Portal. Security The security of Customer Information is important to us. We maintain appropriate administrative, physical, and technical safeguards to help protect the confidentiality and integrity of Customer Information, during transmission and once it is received. However, we cannot guarantee that hackers or unauthorized personnel will not gain access to Customer Information, despite our best efforts. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect Customer Information, we cannot guarantee its absolute security. Customer Portal Users are responsible for protecting themselves against unauthorized access to passwords, private keys and computers, and unauthorized disclosure, alteration, and destruction of Customer Information. To learn more about our Security practices, please refer to Information Security Overview. Location of Data All Customer Information uploaded to the Customer Portal and the Solutions may be stored within the Amazon Web Services environment, or such other third party cloud service provider(s) selected by us, within the U.S., however, Customer Information may be accessed by employees, including non-US citizens, outside of the U.S. EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Arctic Wolf complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Arctic Wolf has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. Arctic Wolf may process some personal data from individuals or companies via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses. To learn more about the Privacy Shield program, refer to Privacy Shield. Supplemental Privacy Policy Terms Canada Access to Information Subject to limited exceptions under applicable law, Users may have the right to access, update and correct inaccuracies on their Customer Information. To exercise these rights, please submit a request by emailing dataprotection@arcticwolf.com or you may also call (888) 286- 6726. Please be as specific as possible in relation to the Customer Information you wish to access. F-5 Once Arctic Wolf receives your request, Arctic Wolf will review it, determine whether Arctic Wolf can verify your identity, and process the request accordingly. If Arctic Wolf needs additional information to verify your identity, Arctic Wolf will let you know. California Consumer Privacy Act The California Consumer Privacy Act (“CCPA”), which is effective as of January 1, 2020, regulates how Arctic Wolf handles personal information of California residents and gives California residents certain rights with respect to their personal information. Arctic Wolf is both a “business” and a “service provider” under the CCPA. The following supplemental privacy policy applies to information Arctic Wolf collects in its role as a business. If you would like more information about how your personal information is processed by such other companies, including companies that engage Arctic Wolf as a service provider, please contact those companies directly. This provision is effective as of January 1, 2020, shall apply only to residents of California, and may be subject to change. The general privacy policy shall continue to apply to the extent that it applies to you as a resident of California; however, if you are a resident of California, Arctic Wolf also is required to disclose certain uses and disclosures in a certain format, as well as to inform you of certain rights you may have. Any capitalized terms used in this supplemental privacy policy shall have the same meaning as in the general privacy policy. Information Arctic Wolf May Collect: We may collect the following categories of information: • Corporate or employee information that you may provide to Arctic Wolf • Uploaded Credentials - such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data and device ID identifiers • System Log Data that may include personal information you elect to provide to us For each category of information, Arctic Wolf collects the information from a variety of sources, including directly from you, from your devices, and/or from your third party providers. Arctic Wolf collects the information to: • provide you with support on the Solutions, • deliver the Solutions to you, • protect Arctic Wolf (including the Solutions) and its customers, • communicate with you regarding our Solutions and terms and conditions, • conduct internal marketing activities, and • improve our Solutions. Arctic Wolf may share personal information with Third Parties as the term is defined under the CCPA. F-6 Additional Disclosures: Arctic Wolf does not sell personal information of any individual, including personal information of minors under 16 years of age. Arctic Wolf engages certain trusted third parties to perform functions and provide services to us, including auditing, marketing, hosting and maintenance, error monitoring, debugging, performance monitoring, and other short term uses. We may share your Customer Information with these third parties, but only to the extent necessary to perform these functions and provide such services. We require these third parties to maintain the privacy and security of the Customer Information they process on our behalf. Arctic Wolf has disclosed the following categories of personal information for business purposes and valuable consideration in the 12 months prior to this Privacy Policy’s last update: Identifiers (names, email addresses, phone numbers, mailing address) YES Commercial Information (Solution information) YES Geolocation Data NO Do Not Sell My Personal Information: Arctic Wolf does not sell your personal information as defined under CCPA. Your Rights: You may have certain rights with respect to your personal information, including: • The right to access, including the right to know the categories and specific pieces of personal information Arctic Wolf collects; • The right to deletion of your personal information, subject to certain limitations under applicable law; • The right to request disclosure of information collected; • The right to disclosure of information disclosed for valuable consideration; and • The right not to be discriminated against for exercising certain rights under California law. To exercise these rights, please submit a request by emailing dataprotection@arcticwolf.com or you may also call (888) 286-6726. Please be as specific as possible in relation to the personal information you wish to access. Once Arctic Wolf receives your request, Arctic Wolf will review it, determine whether Arctic Wolf can verify your identity, and process the request accordingly. If Arctic Wolf needs additional information to verify your identity, Arctic Wolf will let you know. Arctic Wolf will respond to your request within 45 days of receipt or notify you if Arctic Wolf requires additional time. If you would prefer, you may designate an authorized agent to make a request on your behalf. F-7 Changes to this Privacy Policy We reserve the right to modify this Privacy Policy at any time. Updates to the Privacy Policy will be posted on the Arctic Wolf Website with an indication of when it has been updated. We encourage you to periodically review this Privacy Policy for any changes. Additional Information Questions regarding this privacy policy or about the manner in which we or our service providers treat your Customer Information can be directed to us by sending an email to dataprotection@arcticwolf.com or by regular mail addressed to: Arctic Wolf Networks, Inc. Attn: Information Security and Data Protection Officer 111 West Evelyn Ave., Suite 115 Sunnyvale, CA 94086 U.S.A. F-8 G-1 City of Rancho Palos Verdes Lukasz Buchwald CA United States Phone: (310) 544-5200 Fax: Email: lbuchwald@rpvca.gov All Prices are in US Dollar (USD) Product Arctic Wolf MDR User License Arctic Wolf Networks-Part#: AW-MDR-USER Coverage Term: 2/29/2020-6/28/2021 2 Arctic Wolf MDR Server License Arctic Wolf Networks-Part#: AW-MDR-SE Coverage Term: 2/29/2020-6/28/2021 3 Arctic Wolf MDR Office 365 User License Arctic Wolf Networks-Part#: AW-MDR-0365 Coverage Term: 2/29/2020-6/28/2021 4 Arctic Wolf 100 Series Sensor Arctic Wolf Networks-Part#: AW-MDR-1XX-S Coverage Term: 2/29/2020-6/28/2021 5 Arctic Wolf 200 Series Sensor Arctic Wolf Networks-Part#: AW-MDR-2XX-S Coverage Term: 2/29/2020-6/28/2021 6 Arctic Wolf MDR Log Retention-90 Days Arctic Wolf Networks-Part#: AW-MDR-90D Coverage Term: 2/29/2020-6/28/2021 Pricing Proposal Quotation #: 18484673 Created On: 2/19/2020 Valid Until: 2/28/2020 Inside Account Executive Michael Klotz 300 Davidson Ave Somerset, NJ 08873 Phone: 732-652-7670 Fax : 732-652-3099 Email: Michaei_Kiotz@shi.com Qty Your Price Total 125 $168 .25 $21,031.25 40 $76.54 $3,061.60 190 $14 .35 $2,726 .50 3 $765 .36 $2,296.08 $1 ,530 .72 $1,530.72 $0 .00 $0 .00 Total $30,646.15 The Products offered under this proposal are resold in accordance with the SHI Online Customer Resale Terms and Conditions , unless a separate resale agreement exists between SHI and the Customer.