Cornerstone OnDemand Inc; 2020-09-29;

Agreement number: 00035409.0 CONFIDENTIAL v 1.9 Page 1 of 30

Cornerstone OnDemand – Master Agreement

COVER PAGE

Effective Date: [Date of the last signature below]
Client Name (“Client”): City of Carlsbad, CA
Client Address: 1635 Faraday Ave, Carlsbad, CA - 92008, United States
Billing Address: 1635 Faraday Ave, Carlsbad, CA - 92008, United States
Federal Tax ID# / VAT #:

Primary Contact
Name: Rachel Muller
Title: IT Project Manager
Email: rachel.muller@carlsbadca.gov
Phone:

Billing Contact (if different than Primary Contact)
Name: Rachel Muller
Title: IT Project Manager
Email*: rachel.muller@carlsbadca.gov
Phone:

*NOTE: All invoices will be emailed to Client unless otherwise agreed by the parties.

Is Client exempt from applicable sales/VAT tax?
Does Client require a purchase order (“PO”)?
PO Number (if applicable):

By signing below, each party acknowledges that it has read, understands, and agrees to the provisions set forth in the Cornerstone OnDemand – Master Agreement (the “Agreement”). No other terms and conditions will apply. Capitalized terms set forth in the Agreement shall have the respective meanings set forth in the Master Terms and Conditions. Except as otherwise expressly set forth herein, all purchases are non-cancelable and non-refundable. Fees are exclusive of applicable sales, use, VAT, and other taxes, and are net of withholding taxes.

Client
Signature:
Name:
Title:
Date:

Cornerstone OnDemand, Inc.
Signature:
Name:
Title:
Date:

Approved as to form:

DocuSign Envelope ID: BF053669-BEFE-48FA-AF09-EFD94C819210
Jim Gill
SVP, Public Sector
September 16, 2020

APPROVED AS TO FORM
Celia Brewer, City Attorney
BY: _______________________
Assistant City Attorney

DocuSign Envelope ID: 0103A10F-088B-4148-9872-0AD4708A0824
Assistant City Manager
Geoff Patnoe
9/29/2020

Cornerstone OnDemand – Master Agreement

MASTER TERMS AND CONDITIONS

These Master Terms and Conditions are made a part of and incorporated by reference into the Cornerstone OnDemand – Master Agreement by and between Client and Cornerstone OnDemand (“Cornerstone”) (the “Agreement”).

1. Definitions.
a) “Active User” means a user established on the Software with a designation of “active”. Client determines who is an Active User, subject to the maximum quantities set forth in the respective Order(s).
b) “Affiliate” means a party that partially (at least 50%) or fully controls, is partially or fully controlled by, or is under partial (at least 50%) or full common control with, another party.
c) “Client Content” means any and all courses, learning objects, certifications, quizzes, tests, materials, instructor-led sessions, documents, or URLs created and/or introduced by Client or its Affiliates that reside in the Software.
d) “Client Data” means personal data regarding Client, its Affiliates, or any of their users which is uploaded to the Software pursuant to this Agreement.
e) “Confidential Information” means any non-public information of Cornerstone or Client disclosed by either party to the other party, either directly or indirectly, in writing, orally or by inspection of tangible objects, or to which the other party may have access, which a reasonable person would consider confidential and/or which is marked “confidential” or “proprietary” or some similar designation by the disclosing party. Confidential Information shall not, however, include the existence of the Agreement or any information which the recipient can establish: (i) was or has become generally known or available or is part of the public domain without direct or indirect fault, action, or omission of the recipient; (ii) was known by the recipient prior to the time of disclosure, according to the recipient’s prior written documentation; (iii) was received by the recipient from a source other than the discloser, rightfully having possession of and the right to disclose such information; or (iv) was independently developed by the recipient, where such independent development has been documented by the recipient.
f) “Order” means a purchase made by Client hereunder in an order, schedule, statement of work, addendum, or amendment signed by both parties.
g) “Service” means any service rendered by Cornerstone specifically to Client, including, but not limited to: (i) hosting and making available the Software; (ii) hosting, delivery, and/or distribution of eLearning content; and/or (iii) provision of customer and/or technical support for the Software.
h) “Software” means: (i) any and all of Cornerstone’s proprietary web-based applications, including, without limitation, all updates, revisions, bug-fixes, upgrades, and enhancements thereto, as well as applications that have been modified in any way by Cornerstone at the request of a client; and (ii) application functionality and eLearning content provided by Cornerstone and/or Cornerstone-contracted third parties.
i) “Third Party” means any party that is not either of the parties, its Affiliates, applicants, employees, shareholders, directors, officers, contractors, customers, or Active Users.

2. Rights; Usage. In accordance with the terms and conditions of the Agreement, Cornerstone gives Client the non-transferable and non-assignable right for the duration of applicable Orders to use, and to permit its and its Affiliates’ Active Users to use, the Software items listed therein on a non-exclusive basis via the Internet. Cornerstone will (i) according to ISO 27001 (or successor/equivalent) standards, maintain appropriate safeguards for protection of Client Data, including regular back-ups, security and incident response protocols, and application and infrastructure monitoring; and (ii) not access, modify, or disclose Client Data, except as compelled by law, to prevent or address service or technical issues, or if otherwise permitted by Client. Client may retrieve Client Data any time during the term of the Agreement. If requested, at a scope and price to be agreed, Cornerstone will assist with such data retrieval.

3. Restrictions. The Software and Services may be used only for Client’s and its Affiliates’ own lawful business purposes. Client shall not: (i) use or deploy the Software in violation of applicable laws or this Agreement; (ii) resell any Software or Service except through the Extended Enterprise product; (iii) create any derivative works based upon the Software; (iv) reverse engineer, reverse assemble, decompile or otherwise attempt to derive source code from the Software or any part thereof (except to the extent that such restriction is not permitted under applicable law); (v) make any Software or Service available to any unauthorized parties; or (vi) publicly release the results of benchmark tests or other comparisons of any Software or Service with other software, services, or materials.
Client will be responsible for Active Users’ compliance with the Agreement and liable for Active Users’ breach thereof. Client will ensure that it has obtained all necessary consents and approvals for Cornerstone to access Client Data for the purposes permitted under this Agreement. Upon expiration or termination of this Agreement, Client shall cease using all software and Services.

4. Support. Cornerstone shall provide the level of technical support stated in the applicable Order. Only the number of administrators set forth in the applicable support package description (i.e., not all Active Users) who have completed the requisite training may contact Cornerstone for support. Client agrees to promptly provide Cornerstone with sufficient documentation, data and assistance with respect to any reported errors, and to reasonably cooperate with Cornerstone, in order for Cornerstone to comply with its support obligations hereunder. In no event shall Cornerstone be responsible or liable for any errors, bugs or other problems contained in or originating from hardware or software not provided by Cornerstone. Should use of the Software result in denial of service (DoS) with respect to the Software, Cornerstone may disable the implicated Client Content and/or deny access to Client’s portal only if and for so long as necessary to restore service.

5. Fees and Payment. Client will be invoiced for fees according to the applicable Order. Payment of fees will be due upon receipt, except where an Order expressly prescribes other payment dates. Except where otherwise stated, all fees set forth in an Order are in U.S. dollars and must be paid in the currency set forth in the Order.
Late payments hereunder will incur a late charge of 1.5% (or the highest rate allowable by law, whichever is lower) per month on the outstanding balance from the date due until the date of actual payment. In addition, following notice and a reasonable time to cure, Services are subject to suspension for failure to timely remit payment therefor.

6. Term and Termination.
a) Term. The term of this Agreement runs from the Effective Date through the later of: (i) three (3) years, provided that the city council appropriated funds; and (ii) expiration or termination of the last Order.
b) Termination for Cause. Either party may immediately terminate this Agreement if the other party materially breaches the Agreement, and, where capable of remedy, such breach has not been materially cured within thirty (30) days of the breaching party’s receipt of written notice describing the breach in reasonable detail.
c) Bankruptcy Events. A party may immediately terminate this Agreement if the other party: (i) has a receiver appointed over it or over any part of its undertakings or assets; (ii) passes a resolution for winding up (other than for a bona fide scheme of solvent amalgamation or reconstruction), or a court of competent jurisdiction makes an order to that effect and such order is not discharged or stayed within ninety (90) days; or (iii) makes a general assignment for the benefit of its creditors.

7. Confidentiality.
Each of the parties agrees: (i) not to disclose any Confidential Information to any third parties except as mandated by law and except to those Affiliates and subcontractors of Cornerstone providing Services hereunder who agree to be bound by confidentiality obligations no less stringent than those set forth in this Agreement; (ii) not to use any Confidential Information for any purposes except carrying out such party’s rights and responsibilities under this Agreement; and (iii) to keep the Confidential Information confidential using the same degree of care such party uses to protect its own confidential information; provided, however, that such party shall use at least reasonable care. These obligations shall survive termination of this Agreement. If either party breaches any of its obligations with respect to confidentiality or the unauthorized use of Confidential Information hereunder, the other party shall be entitled to seek equitable relief to protect its interest therein, including but not limited to, injunctive relief, as well as money damages.

8. Intellectual Property. As between the parties, Cornerstone will and does retain all proprietary and intellectual property rights, title and interest in and to the Software and Services. Client retains all proprietary and intellectual property rights, title and interest in and to Client Data and Client Content.

9. Indemnification.
a) Indemnification by Cornerstone. Cornerstone agrees to indemnify, defend, and hold harmless Client from and against any and all Third Party claims and causes of action, as well as related losses, liabilities, judgments, awards, settlements, damages, expenses and costs (including reasonable attorney’s fees and related court costs and expenses) (collectively, “Damages”) incurred or suffered by Client which directly relate to or directly arise out of the violation or infringement of any third-party intellectual property rights by Client’s authorized use of the Software.
The foregoing provisions of this section shall not apply to the extent the Damages relate to or arise out of: (i) Client Data; (ii) Client Content; or (iii) unauthorized use and/or alteration of the Software by Client and/or its users.
b) Indemnification by Client. Client agrees to indemnify, defend, and hold harmless Cornerstone from and against any and all Damages incurred or suffered by Cornerstone which directly relate to or directly arise out of the violation or infringement of any third-party intellectual property rights by Client Data or Client Content. The foregoing provisions of this section shall not be applicable to the extent the Damages relate to or arise from Cornerstone’s use of Client Data or Client Content in violation of this Agreement.
c) Indemnification Procedures. To obtain indemnification, indemnitee shall: (i) give written notice of any claim promptly to indemnitor; (ii) give indemnitor, at indemnitor’s option, sole control of the defense and settlement of such claim, provided that indemnitor may not, without the prior consent of indemnitee (not to be unreasonably withheld), settle any claim unless it unconditionally releases indemnitee of all liability; (iii) provide to indemnitor all available information and assistance; and (iv) not take any action that might compromise or settle such claim.
d) Infringement Cures. Should the Software or any part thereof become, or in Cornerstone’s reasonable opinion be likely to become, the subject of a claim for infringement of a third party intellectual property right, then Cornerstone may, at its sole option and expense: (i) procure for Client the right to use and access the infringing or potentially infringing item(s) of the Software free of any liability for infringement; or (ii) replace or modify the infringing or potentially infringing item(s) of the Software with a non-infringing substitute otherwise materially complying with the functionality of the replaced system.
e) Exclusive Remedies.
The remedies set forth in this section shall be exclusive with respect to any infringement claim hereunder.

10. Warranties. Each party represents and warrants to the other party that, as of the date hereof: (i) it has full power and authority to execute and deliver the Agreement; (ii) the Agreement has been duly authorized and executed by an appropriate employee of such party; (iii) the Agreement is a legally valid and binding obligation of such party; and (iv) its execution, delivery and/or performance of the Agreement does not conflict with any agreement, understanding or document to which it is a party. CORNERSTONE WARRANTS THAT THE SOFTWARE WILL PERFORM SUBSTANTIALLY IN MATERIAL ACCORDANCE WITH THE AGREEMENT AND APPLICABLE DOCUMENTATION REGARDING EXISTING FUNCTIONALITY PROVIDED BY CORNERSTONE; NO NEW OR DIFFERENT FUNCTIONALITY IS PROMISED HEREUNDER. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CORNERSTONE DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.

11. Liability.
a) Liability Cap. EXCEPT FOR (i) A PARTY’S INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS; (ii) A PARTY’S WILLFUL MISCONDUCT; OR (iii) LIABILITY WHICH CANNOT BE LIMITED BY APPLICABLE LAW, EACH PARTY’S MAXIMUM AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, WILL BE LIMITED TO THE TOTAL FEES PAID OR PAYABLE BY CLIENT TO CORNERSTONE HEREUNDER FOR THE TWELVE-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE THE CAUSE OF ACTION AROSE. THE EXISTENCE OF MORE THAN ONE CLAIM SHALL NOT EXPAND SUCH LIMIT.
THE PARTIES ACKNOWLEDGE THAT THE FEES AGREED UPON BETWEEN CLIENT AND CORNERSTONE ARE BASED IN PART ON THESE LIMITATIONS, AND THAT THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ANY ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. THE FOREGOING LIMITATION SHALL NOT APPLY TO A PARTY’S PAYMENT OBLIGATIONS UNDER THE AGREEMENT.
b) Exclusion of Consequential Damages. NEITHER PARTY WILL BE LIABLE FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, LOSS OF DATA, INTERRUPTION OF BUSINESS, PROVIDING REPLACEMENT SOFTWARE (EXCEPT AS SET FORTH IN SECTION “INFRINGEMENT CURES”), OR ANY OTHER INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12. Communications. Neither party shall issue any press release using the name of the other party as a customer or provider without the other party’s consent.

13. Miscellaneous Provisions.
a) Governing Law; Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of California and the federal laws of the United States of America, without regard to conflict of law principles. Cornerstone and Client agree that any suit, action or proceeding arising out of, or with respect to, this Agreement or any judgment entered by any court in respect thereof shall be brought exclusively in the state or federal courts of the State of California located in the County of San Diego, and each of Cornerstone and Client hereby irrevocably accepts the exclusive personal jurisdiction and venue of those courts for the purpose of any suit, action or proceeding.
b) Force Majeure.
Neither party will be liable for any failure or delay in its performance under this Agreement due to any cause beyond its reasonable control, including without limitation acts of war, acts of God, earthquake, flood, weather conditions, embargo, riot, epidemic, acts of terrorism, sabotage, governmental act, failure of the Internet or other acts beyond such party’s reasonable control, provided that the delayed party: (i) gives the other party prompt notice of such cause; and (ii) uses reasonable commercial efforts to correct promptly such failure or delay in performance.
c) Counterparts. The Agreement and Orders may be executed in any number of counterparts and electronically, each of which shall be an original but all of which together shall constitute one and the same instrument.
d) Entire Agreement. This Agreement contains the entire understanding of the parties in respect of its subject matters and supersedes all prior agreements and understandings (oral or written) between the parties with respect to such subject matters. Orders, schedules, and exhibits hereto constitute a part hereof as though set forth in full herein. Purchase orders submitted by Client are for Client’s internal administrative purposes only, and the terms and conditions contained in those purchase orders will have no force and effect. Any modification, amendment, or addendum to this Agreement must be in writing and signed by both parties.
e) Assignment.
Neither party may assign this Agreement or any of its rights, obligations, or benefits hereunder, by operation of law or otherwise, without the other party’s prior written consent; provided, however, either party, without the consent of the other party, may assign this Agreement to an Affiliate or to a successor (whether direct or indirect, by operation of law, and/or by way of purchase, merger, consolidation or otherwise) to all or substantially all of the business or assets of such party, where the responsibilities or obligations of the other party are not increased by such assignment and the rights and remedies available to the other party are not adversely affected by such assignment. Subject to that restriction, this Agreement will be binding on, inure to the benefit of, and be enforceable against the parties and their respective successors and permitted assigns.
f) No Third-Party Beneficiaries. The representations, warranties and other terms contained herein are for the sole benefit of the parties hereto and their respective successors and permitted assigns, and shall not be construed as conferring any rights on any other persons.
g) Statistical Data. Without limiting the confidentiality rights and intellectual property rights protections set forth in this Agreement, Cornerstone has the perpetual right to use aggregated, anonymized, and statistical data (“Statistical Data”) derived from the operation of the Software, and nothing herein shall be construed as prohibiting Cornerstone from utilizing the Statistical Data for business and/or operating purposes, provided that Cornerstone does not share with any third party Statistical Data which reveals the identity of Client, Client’s users, or Client’s Confidential Information.
h) Suggestions.
Cornerstone shall have a royalty-free, worldwide, perpetual license to use or incorporate into the Software and Services any suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by Client or its users relating to the operation of the Software and Services.
i) Third-Party Applications and Service Providers.
i) External Applications. Cornerstone shall not be responsible for Client’s access to, or operation of, third-party applications purchased separately by Client from a third party, including without limitation those that may be capable of interoperating with the Software.
ii) Optional Features. Cornerstone’s Software may include certain optional features provided by third parties (“Optional Features”). A list of such Optional Features, including information regarding the security, privacy, and/or support policies of those third parties, is available upon request.
iii) Service Providers. Cornerstone offers a certification program to certify third-party service providers that implement, configure, and/or administer Software (“Certified Consultants”). A list of Certified Consultants is available upon request. Client may not permit any non-Certified Consultant to implement and/or configure Software. None of the warranties or support obligations hereunder shall apply to any Software implemented or configured by any non-Certified Consultant.
j) Export Controls. Client understands that use of the Software and Services is subject to U.S. export controls and trade and economic sanctions laws and agrees to comply with all such applicable laws and regulations, including without limitation the Export Administration Regulations maintained by the U.S.
Department of Commerce, and the trade and economic sanctions maintained by the Treasury Department’s Office of Foreign Assets Control.
k) Rule 10b-5 Limitations. Each party acknowledges that United States securities laws prohibit any person who has material, non-public information about a publicly-traded company from purchasing or selling securities of such company, or from communicating such information to any other person under circumstances in which it is reasonably foreseeable that such person is likely to purchase or sell securities of such company.
l) Severability. If any provision of this Agreement is held by a court or arbitrator of competent jurisdiction to be contrary to law, such provision shall be changed by the court or by the arbitrator and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law, and the remaining provisions of this Agreement shall remain in full force and effect.
m) Notices. Any notice or communication required or permitted to be given hereunder may be delivered by hand, deposited with an overnight courier, or mailed by registered or certified mail, return receipt requested and postage prepaid to the address for the other party first written above or at such other address as may hereafter be furnished in writing by either party hereto to the other party. Such notice will be deemed to have been given as of the date it is delivered, if by personal delivery; the next business day, if deposited with an overnight courier; and five days after being so mailed.
n) Independent Contractors. Client and Cornerstone are independent contractors, and nothing in this Agreement shall create any partnership, joint venture, agency, franchise, sales representative or employment relationship between Client and Cornerstone. Each party understands that it does not have authority to make or accept any offers or make any representations on behalf of the other.
Neither party may make any statement that would contradict anything in this section.
o) Waiver. No failure or delay on the part of either party in exercising any right, power or remedy under this Agreement shall operate as a waiver, nor shall any single or partial exercise of any such right, power or remedy preclude any other or further exercise or the exercise of any other right, power or remedy.
p) Survival. Sections of the Agreement intended by their nature and content to survive termination of the Agreement shall so survive.

DATA PROCESSING ADDENDUM

Preamble

This Data Processing Addendum (the “Addendum”) forms part of and is subject to the terms of the master agreement executed by the undersigned parties (the “Master Agreement”) concerning the provisioning of human capital management software by the undersigned Cornerstone entity (hereinafter also “Cornerstone” or the “Processor”) to Client (hereinafter also the “Controller”). It applies to all activities carried out by the Processor within the framework of the Master Agreement whereby the Processor's employees or third parties commissioned by the Processor might Process Personal Data of the Controller and/or Active Users. In the event of any conflict between the terms of the Master Agreement and the terms of this Addendum, the terms of this Addendum shall prevail.

1 Definitions
1.1 “GDPR” means Regulation (EU) 2016/679 of 27 April 2016.
1.2 "Personal Data" means any information Processed by Cornerstone on behalf of Client relating to an identified or identifiable natural person; see article 4(1) of the GDPR.
1.3 "Personal Data Breach" means, according to Article 4(12) of the GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.4 “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (see Article 4(2) of the GDPR).
1.5 “Subprocessors” has the meaning as being defined in section 5.1 of this Addendum.
1.6 "Third Country" means a country without a system of ensuring adequate protection within the meaning of Article 45 of the GDPR.
Capitalized terms used, but not otherwise defined, herein shall have the same meanings assigned to those terms in the Master Agreement.

2 Scope of the Addendum
Cornerstone acts as a data processor for Client, who acts as the data controller. Personal Data may include the categories of Personal Data, the categories of data subjects and the purposes of the Processing set out in Annex 1.

3 Processing of Personal Data
3.1 Cornerstone shall Process Personal Data for the purposes of providing services under the Master Agreement only in accordance with the Master Agreement and this Addendum, and in accordance with documented instructions listed in this Addendum and the Master Agreement. Client may issue further documented instructions consistent with and in the scope of this Addendum and the Master Agreement.
3.2 Cornerstone must notify Client in writing without undue delay regarding events which significantly impede Cornerstone's current or future ability to Process Personal Data in accordance with this Addendum.
3.3 Cornerstone must limit the access to Personal Data to its employees or Subprocessors for whom access to said data is reasonably necessary to fulfill Cornerstone's obligations to Client. Cornerstone must ensure that persons authorized to Process Personal Data are bound by the same or equivalent confidentiality obligations as Cornerstone and/or are under an appropriate statutory obligation of confidentiality.
3.4 Cornerstone shall implement and maintain appropriate technical and organizational measures as described in Article 32 of the GDPR. For this purpose, the parties agree on the security measures set forth in Annex 2 for the Processing of Personal Data.
3.5 The appropriate technical and organizational security measures must be determined with due regard to: (i) the state of the art, (ii) the cost of their implementation, and (iii) the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.6 Cornerstone shall make available to Client upon request information necessary to demonstrate compliance with Processor’s obligations set forth in Article 28 of the GDPR, and allow for and reasonably assist with audits, including inspections, conducted by the Controller or an independent third party auditor appointed by the Controller, as follows:
(i) Cornerstone shall at its own cost obtain and make available upon Client’s request an audit report from an independent auditor regarding Cornerstone's compliance with the data security requirements of the controls defined in SSAE 18 or ISO 27001 (or equivalent standard).
Such audit report must be issued on the basis of a recognized standard for such reports.
(ii) In addition, Client is entitled, at a time and scope to be agreed by the parties, to conduct or have conducted an annual audit, including an inspection, if and to the extent the audit report set forth in the preceding paragraph does not meet the requirements set forth in Article 28 of the GDPR. Any third party auditor shall not be a competitor of Cornerstone, and shall, upon Cornerstone's request, sign a customary non-disclosure agreement to treat all information obtained or received from Cornerstone confidentially, and may share any such information obtained or received only with Client and Cornerstone. Client shall be responsible for costs of the audit, and agrees to pay Cornerstone a reasonable fee per audit to be mutually agreed by the parties to cover Cornerstone assistance with the audit. An additional audit may take place: (i) if required by a competent legal supervisory authority of Client; or (ii) following a Personal Data Breach.
3.7 Cornerstone shall without undue delay notify Client about any: (i) request by a legal authority for disclosure of Personal Data Processed under the Agreement, unless such notification is expressly prohibited under applicable law; or (ii) request for access to Personal Data received directly from identified data subjects themselves or from third parties.
3.8 Cornerstone shall notify Client without undue delay after becoming aware of a Personal Data Breach. The notification shall at least describe the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned) and the measures taken or proposed by Cornerstone to address the Personal Data Breach.
3.9 Cornerstone shall provide reasonable and timely assistance to Client (at Client's expense) to help enable Client to respond to: (i) any request from a data subject to exercise any of the data subject’s rights under applicable data protection laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Cornerstone, Cornerstone shall promptly inform Client and provide full details of the same, except to the extent prohibited by law.

3.10 Cornerstone shall, upon Client’s request and at Client’s expense, reasonably assist the Controller in ensuring compliance with Controller’s obligations pursuant to Articles 32 to 36 of the GDPR (including security of Processing, notification of Personal Data breach, data protection impact assessment and prior consultation), based on the nature of Processing and the information available to Cornerstone.

4 Client's General Obligations

Client will comply with all its obligations under applicable data protection laws and regulations.

5 Other Data Processors

5.1 Cornerstone may engage other processors (“Subprocessors”) for the Processing of Personal Data under this Addendum, provided Cornerstone ensures such Subprocessors’ compliance with the terms of this Addendum. As of the effective date of the Addendum, Cornerstone relies on the Subprocessors listed in Annex 1 to provide the Services.

5.2 Prior to the engagement of another Subprocessor, Cornerstone shall inform Client’s administrators of the intended subprocessing at least 30 days prior thereto, thereby giving the Client the opportunity to object to such change on reasonable grounds, as set forth in Article 28 of the GDPR.
5.3 Client authorizes Cornerstone to transfer Client Data to Cornerstone Affiliates and/or other Subprocessors located in the United States, Israel, India, New Zealand and/or other locations outside the European Economic Area, as is reasonably required to provide support, perform technical projects or perform other types of services under the Master Agreement, provided that, to the extent applicable, either: (i) such locations are recognized by the European Commission as providing adequate data protection; (ii) Cornerstone has executed on behalf of Client the EU Standard Contractual Clauses with such Affiliates and/or other Subprocessors (Client hereby grants such proxy to Cornerstone); or (iii) upon Client’s request, Client executes the EU Standard Contractual Clauses directly with such Affiliates and/or other Subprocessors.

5.4 Cornerstone shall remain fully liable to the Client for the performance of its Subprocessors’ obligations hereunder.

6 Data Retrieval and Deletion

6.1 Client may retrieve its Personal Data at any time prior to termination of the Master Agreement as set forth therein.

6.2 Promptly upon the expiration or earlier termination of the Master Agreement, or earlier upon Client’s request, Cornerstone shall securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in Cornerstone’s possession, custody or control.

6.3 Notwithstanding section 6.2, backups of Personal Data are to be deleted according to and in compliance with Cornerstone’s general backup cycle, which means that backups will be deleted at the latest within approximately six (6) months from the decommissioning of Client’s portal.

6.4 Cornerstone shall provide to Client, upon Client’s request, written confirmation that deletion has occurred in accordance with this section 6.
6.5 In the event applicable law does not permit Cornerstone to comply with delivery or destruction of Personal Data as set forth herein, Cornerstone shall ensure the privacy, confidentiality and security of Personal Data in accordance with the standards agreed in this Addendum and shall not use or disclose any Personal Data after termination of the Master Agreement.

7 Miscellaneous

The parties may agree in good faith on any reasonable amendment to the Addendum required to maintain compliance with the applicable law. Such amendment may include additional fees to be reasonably agreed by the parties.

Client: City of Carlsbad, CA
Name: Geoff Patnoe
Title: Assistant City Manager
Date: 9/29/2020

Cornerstone OnDemand
Name: Jim Gill
Title: SVP, Public Sector
Date: September 16, 2020

APPROVED AS TO FORM
Celia Brewer, City Attorney
BY: _______________________ Assistant City Attorney

ANNEX 1

I. Categories of data, categories of data subjects and purposes of the Processing

a) Categories of Personal Data
The Personal Data being Processed by Cornerstone may concern the following categories of data:
• Learning, performance, recruiting, and/or HR data

b) Categories of data subjects
The Personal Data Processed by Cornerstone may concern the following categories of data subjects:
• Employees, suppliers, contractors, agents, directors, officers, customers, members, and/or partners of the data controller and/or its affiliates

c) Purpose and nature of the Processing operations
Personal Data may be Processed by Cornerstone for the following purposes:
• Delivery and use of human capital management software;
• Implementation services related to configuration of human capital management software;
• Product support; and
• Technical projects as further described in Cornerstone OnDemand’s SSAE18 audit report, ISO27001 audit report, and IT security policy.

d) Special categories of data
None.

II. Current Subprocessors

| Subprocessor | Country | Services performed |
|---|---|---|
| Cornerstone OnDemand Limited* | U.K. | Support, Technical Project Services |
| Cornerstone OnDemand, Inc.* | U.S.A. | Support, R&D, Technical Project Services |
| Cornerstone OnDemand Spain S.L. | Spain | Support |
| Cornerstone OnDemand Global Operations, Inc. | EU branches | Support |
| Cornerstone OnDemand Global Operations, Inc. | Israel | Support |
| Cornerstone OnDemand ANZ | New Zealand | Support |
| Cornerstone OnDemand Services India Private Limited | India | Support, Technical Project Services |

*If this Cornerstone entity is the party executing the Addendum, the entity will be deemed the Processor and not a Subprocessor.

Cornerstone utilizes Amazon Web Services (“AWS”) as a technology infrastructure provider. Acting in this capacity, AWS has no need to, and is prohibited from, accessing any Client Data.
Additionally, Client Data is fully encrypted, with Cornerstone managing the encryption keys. Cornerstone’s AWS environment will either meet or exceed Cornerstone’s security standards, and be located in the same region as Cornerstone’s data centers.

ANNEX 2

Security measures

(1) Cornerstone shall Process Personal Data in accordance with applicable law to which Cornerstone is subject and in accordance with the data security requirements of the controls defined in SSAE 16 SOC 2 or ISO 27001 (or equivalent standard).

(2) Cornerstone shall appoint a fixed contact point for Client to carry out any matters in relation to the Processing of Personal Data.

(3) Cornerstone shall ensure that Cornerstone's employees receive adequate training and instructions, including, but not limited to, education on general safety awareness, relevant security policies and procedures, and Personal Data Processing.

(4) Cornerstone shall maintain organizational and technical measures to ensure separation of data between clients and systems.

(5) Access Control of Processing Areas
Cornerstone shall maintain suitable measures in order to prevent unauthorized persons from gaining access to the data Processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data is Processed or used.
This is accomplished by measures like:
- establishing security areas;
- protection and restriction of access paths;
- securing the decentralized telephones, data Processing equipment and personal computers;
- establishing access authorizations for employees and third parties, including the respective documentation;
- regulations on card-keys;
- restriction on card-keys;
- all access to the data centre where Personal Data is hosted is logged, monitored, and tracked;
- the data centre where Personal Data is hosted is secured by a security alarm system; and
- other appropriate security measures.

(6) Access Control to Data Processing Systems
Cornerstone shall maintain suitable measures to prevent its Personal Data Processing systems from being used by unauthorized persons. This is accomplished by measures like:
- identification of the terminal and/or the terminal user to the Cornerstone systems;
- automatic time-out of user terminal if left idle, with identification and password required to reopen;
- automatic turn-off of the user ID when several erroneous passwords are entered;
- log file of events (monitoring of break-in-attempts);
- issuing and safeguarding of identification codes;
- dedication of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;
- employee policies and training with respect to each employee's access rights to Personal Data (if any), including informing employees about their obligations and the consequences of any violations of such obligations, to ensure that employees will only access Personal Data and resources required to perform their job duties; and
- all access to data content is logged, monitored, and tracked.
(7) Access Control to Use Specific Areas of Data Processing Systems
Cornerstone commits that the persons entitled to use its Personal Data Processing system are only able to access the data within the scope and to the extent covered by its access permission (role or authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by:
- employee policies and training with respect to each employee’s access rights to the Personal Data;
- allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the Personal Data;
- effective and measured disciplinary action against individuals who access Personal Data without authorization;
- release of Personal Data only to authorized persons;
- control of files, controlled and documented destruction of Personal Data; and
- policies controlling the retention of back-up copies.

(8) Availability Control
Cornerstone shall maintain suitable measures to ensure that Personal Data are protected from accidental destruction or loss. This is accomplished by:
- infrastructure redundancy;
- tape backup is stored off-site and available for restore in case of failure of SAN infrastructure for database server;
- complying with Cornerstone’s business continuity policy; and
- any detected security incident is recorded.

For all applications supported by the Cornerstone, the following controls will be implemented:

(9) Transmission Control
Cornerstone shall maintain suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.
This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- certain highly confidential data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within system transmission; and
- as far as possible, all data transmissions are logged, monitored and tracked.

(10) Input Control
Cornerstone implements suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data has been input into Personal Data Processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into memory, as well as for the reading, alteration and disposal of stored Personal Data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and disposal of stored Personal Data;
- utilization of user codes (passwords);
- following a policy according to which all employees of Cornerstone who have access to Personal Data Processed for Client shall reset their passwords at a minimum once in a 180 day period;
- providing that entries to Data Processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
- automatic log-off of user IDs that have not been used for a substantial period of time;
- proof established within Cornerstone’s organization of the input authorization; and
- electronic recording of entries.

(11) Cornerstone system administrators (if any): Cornerstone shall maintain measures to monitor its system administrators and to ensure that they act in accordance with instructions received.
This is accomplished by:
- individual appointment of system administrators;
- adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months;
- yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by importer and applicable laws;
- keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned.

(12) Separation of Processing for different Purposes
Cornerstone shall maintain suitable measures to ensure that Personal Data collected for different purposes can be Processed separately. This is accomplished by:
- access to Personal Data is separated through application security for the appropriate users; and
- modules within Cornerstone’s database separate which data is used for which purpose, i.e., by functionality and function.

Client acknowledges and agrees that Cornerstone may change its security policies and related security measures, provided that Cornerstone maintains, at all times, an overall level of security at least as stringent as the one set forth in this Addendum.

(13) All Client data is stored in the United States in El Segundo, CA and Ashburn, VA. Cornerstone will notify client prior to moving customer data to a different data center location.

ANNEX 3

SERVICE LEVEL AGREEMENT (STANDARD)

This Service Level Agreement is subject to the terms and conditions of Client’s agreement with Cornerstone (the “Agreement”), and does not become operative until Client has signed off on Implementation and Client's portal is live on Cornerstone's production environment. For clarity, this Service Level Agreement applies only to “live” portals.
DEFECTS

A "Defect" is a technical defect with the Cornerstone application and/or those portions of software integrations within Cornerstone’s control. Defects fall into two general categories: major (Severity 1 and Severity 2) and minor (Severity 3). The "Severity" of a Defect is determined by Cornerstone, subject to the following definitions and parameters.

Major Defects

• Severity 1 (S1): A Defect that results in at least one of the following: (i) the Cornerstone URL produces no results, or (ii) Client's authorized users cannot log in to Cornerstone's application after repeated attempts. "Severity 1" does not include downtime for maintenance.
• Severity 2 (S2): A Defect that results in any of the following: (i) an entire application module (e.g., Learning, Performance, Extended Enterprise, etc.) is inaccessible; (ii) no course is being delivered; (iii) no queue will process any transactions; (iv) no report within the application produces any data or the data has not been refreshed in fewer than twenty-four (24) hours; or (v) no tasks will launch.

S1, S2
- Initial Notification: One (1) hour via an Incident Report
- Status Updates: Every two (2) hours until resolution or as indicated in the Incident Report
- Resolution: S1: Twelve (12) hours; S2: Twenty-four (24) hours
- Remedy: In the event that Cornerstone has not complied with its "Resolution" obligations set forth above, then, for each calendar day (or portion thereof) that Cornerstone has not so complied, Client shall be entitled, as its sole and exclusive remedy therefor, to a credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement.

Minor Defects

• Severity 3 (S3): A Defect in one or more application features. For "Severity 3" Defects, Client determines its priority in having the Defect resolved (i.e., Priority 1 (P1), Priority 2 (P2), or Priority 3 (P3)).
Any issue not clearly labeled "Priority 1" or "Priority 2" by Client at the time of initial submission will be deemed a "Priority 3" issue. As a guideline, below are some examples of the three priority levels:

• Priority 1 = A prominent feature I routinely use that is important to my business, where multiple users are prevented from progressing with important tasks. There is no work-around. “I get mad whenever I think about it not working.” An example: The submit button on a task is greyed out and a user cannot submit a performance review.
• Priority 2 = A feature that is annoying when it doesn’t work, but multiple users are not prevented from progressing with important tasks. A work-around exists. “I get annoyed but can deal with it not working.” An example: Users' transcripts do not accurately reflect course completions. A temporary work-around is available via Cornerstone manually running reports for the client to access this data.
• Priority 3 = A feature issue that is neither Priority 1 nor Priority 2, including without limitation, cosmetic issues with the application. “I can deal with it.” An example: An image is scaled too large on certain printed transcripts.

S3/P1, S3/P2, S3/P3
- Case Generation: Upon submission
- Diagnosis/Validation: S3/P1: Four (4) business days; S3/P2: Six (6) business days; S3/P3: Twenty-one (21) business days
- Status Updates: Available 24/7 via MySuccess
- Resolution: S3/P1: Thirty (30) calendar days; S3/P2: Sixty (60) calendar days; S3/P3: Within a reasonable time period
- Escalation: S3/P1: A Client business stakeholder (i.e., not a Client administrator) may escalate an S3/P1 defect to the Global Product Support Manager with a written statement of business impact relating to the Defect. Cornerstone may agree to shorten the resolution time for the Defect following an assessment of risk and business impact. S3/P2: N/A; S3/P3: N/A
- Remedy: S3/P1 and S3/P2: In the event that Cornerstone has not complied with its "Resolution" obligations for S3/P1 and S3/P2 set forth above, then Client shall give Cornerstone prompt, written notice of such non-compliance. If, after five (5) business days from receipt of such notice of non-compliance, Cornerstone still has not resolved the problem, then Client shall be entitled, as its sole and exclusive remedy therefor, to a one-time credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement. S3/P3: N/A

GENERAL QUERIES

Cornerstone endeavors to respond to all general queries about the application within one (1) business day.

OFFLINE PLAYER AND MOBILE SUPPORT

For Offline Player, Cornerstone support is limited to troubleshooting one model PC in Client’s environment that meets the minimum technical requirements specified by Cornerstone (requirements available in the Cornerstone Success Center). It is the responsibility of the primary administrator to ensure all other machines in their environment conform to the model PC requirements. Should Client desire troubleshooting assistance with issues other than on the model PC, Cornerstone may be available to provide support services for an additional fee. Client agrees to provide WebEx access (or other means of remote diagnostics) to the model PC upon request to aid troubleshoot efforts.

Cornerstone will periodically release new versions of Offline Player and its mobile applications. Accordingly, technical support will be available for the then-current version and immediate prior version only. In addition, if a code change or update is required to resolve an issue, Client may be required to upgrade to the then-current version.
Client’s primary administrator is responsible for ensuring that the Offline Player and mobile applications are kept up-to-date, including applying available software updates.

SOFTWARE AVAILABILITY

Cornerstone will provide at least 99.5% availability per calendar month to Software (excluding reasonable and scheduled maintenance periods, which usually occur at or after 5:30pm US Pacific Time on Fridays). In the event that Cornerstone has not complied with this Software availability obligation, then, for each 0.3% (or portion thereof) of availability below 99.5%, Client will be entitled, as its sole and exclusive remedy therefor, to a credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement. To claim a service credit hereunder, Client must submit a credit request within thirty (30) days of the event giving rise to a credit. Upon receiving the request, Cornerstone shall have five (5) business days to respond. Cornerstone will notify client of any scheduled maintenance period.

ANNEX 4

Minimum Insurance Requirements and Business License

Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may arise out of or in connection with performance of the services by Contractor or Contractor’s agents, representatives, employees or subcontractors. The insurance will be obtained from an insurance carrier admitted and authorized to do business in the State of California.
The insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California’s List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best’s Key Rating Guide of at least “A:X”; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report.

Coverage and Limits. Contractor will maintain the types of coverage and minimum limits indicated below. These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to the City as an additional insured.

• Commercial General Liability (CGL) Insurance. Insurance written on an “occurrence” basis, including personal & advertising injury, with limits no less than $1,000,000 per occurrence. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit.
• Automobile Liability. (if the use of an automobile is involved for Contractor's work for City). $1,000,000 combined single-limit per accident for bodily injury and property damage.
• Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code.
Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this.
• Professional Liability. Errors and omissions liability appropriate to Contractor’s profession with limits of not less than $1,000,000 per claim. Coverage must be maintained for a period of five years following the date of completion of the work.
• Cyber Liability Insurance, with limits not less than $2,000,000 per occurrence or claim, $2,000,000 aggregate. Coverage shall be sufficiently broad to respond to the duties and obligations as is undertaken by Vendor in this agreement and shall include claims involving infringement of intellectual property, infringement of copyright, trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction of electronic information, release of private information, alteration of electronic information, extortion and network security. The policy shall provide coverage for breach response costs as well as regulatory fines and penalties as well as credit monitoring expenses with limits sufficient to respond to these obligations.
• Additional Provisions. Contractor will ensure that the policies of insurance required under this Agreement contain, or are endorsed to contain, the following provisions:
  o The City will be named as an additional insured on Commercial General Liability which shall provide primary coverage to the City.
  o Contractor will obtain occurrence coverage, excluding Professional Liability and Cyber Liability, which will be written as claims-made coverage.
  o This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement.
• Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City.

BUSINESS LICENSE

Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time-to-time.

Cornerstone OnDemand – ORDER

Client Name (“Client”): City of Carlsbad, CA
Order Effective Date: [Date of last signature below]
Quote Number: Q-00096900
Is a new purchase order required for this purchase?* (“No,” unless box is checked): [ ]Yes: PO#
Primary Client Contact: Rachel Muller, rachel.muller@carlsbadca.gov
Client Address (Ship To): 1635 Faraday Ave, Carlsbad, CA, 92008, United States
Primary Billing (Invoice) Contact: Rachel Muller, rachel.muller@carlsbadca.gov
Client Billing (Invoice) Address: 1635 Faraday Ave, Carlsbad, CA, 92008, United States
Order Start Date: [Order Effective Date]
Order Term/ Order End Date: 1 Year(s)

*Note: Please send purchase order number to DLCollections@csod.com within three (3) business days of order signing.

Product(s)

| Product Name | Max Quantity | Annual Fee(s) |
|---|---|---|
| Learning | 1,200 | $24,000.00 |
| Included Customer Success Package | 1 | $0.00 |
| Unlimited Video Hosting and Delivery | 1 | $0.00 |
| Inbound Data Feed - OU/Users (IDF) Connector (s) | 1 | $2,500.00 |
| Single Sign On - Standard (SSO) Connector (s) | 1 | $2,500.00 |
| CyberU Enterprise | 1,200 | $20,500.00 |
| Edge Import | 1 | $0.00 |
| Create Tool | 4 | $0.00 |
| J. J. Keller - Transportation Safety Bundle | 20 | $200.00 |
| ANNUAL FEE SUBTOTAL | | $49,700.00 |
| One time Fee(s): Services (see attached Statement of Work) | | $0.00 |
| FIRST YEAR GRAND TOTAL | | $49,700.00 |

Special Terms

Client will have the option to renew this Order two times for one-year terms, for a total of three years.
The pricing of the products listed above includes the implementation services listed in the SOW attached as Appendix A. Client agrees to an annual 3.00% fee increase for the Annual Fees in this Order, beginning on the first anniversary thereof. In exchange, except for Content purchases, Cornerstone agrees never to increase such prices beyond this rate during the Order Term and/or any renewal thereof for the same contract length, products and quantities.

Invoicing Schedule

Payment terms for this Order shall be net 90 days. Annual fees are invoiced annually, beginning on the Order Start Date, through the Order End Date. If applicable, the final invoice for annual fees will be prorated as follows: (total number of days in the prorated period / 365) x annual fee. One-time fees are invoiced on the Order Start Date.

Product Details

Each data feed connector includes two login credentials. Requested modifications to a data feed connector may be subject to additional scoping and fees.

Included Package:
• New Functionality Readiness and Adoption – adopt and drive usage of new features
• S.O.S. (Sustain Our System) – get help with tasks and on-boarding new admins, and tune up your reports
• Education – an efficient way to learn Cornerstone products, features and functions
• Customer Success – proactive, strategic guidance and support to make the most of your investment
• Technical Support – enhanced support and issue resolution
• Client Community – access self-help tools, connect with peers and stay up to speed on what’s new

See https://www.cornerstoneondemand.com/support/included for detailed support descriptions.
Purchased course(s) shall be available from the Order Start Date above, through the earlier of: (i) the Order End Date above; or (ii) termination/expiration of all Learning Orders; or (iii) termination of the Agreement, after which time all access / course registrations shall be terminated or expire without refund. Course loading and hosting services are included as a part of this Order. Content subscriptions are non-transferable; they are unique to individual users. Client will be invoiced automatically for each subscription/registration exceeding the number purchased, based on the total Content price set forth in this Order, divided by the total number of Active Users subscribed to/registered for that Content.

Some Content is hosted by third-party content providers. These providers may process personal information (e.g., Active User identification, course tracking, etc.) only as necessary to provide the Content in accordance with AICC, SCORM, or equivalent standards. The list, locations, and security and privacy policies of such providers are available upon request.

Original content created by Client using the Grovo Create Tool will be deemed Client Content. Any proprietary Cornerstone or Cornerstone contracted third parties' content adapted or modified by Client using the Grovo Create Tool will be deemed Software.

Terms and Conditions

This Order is hereby incorporated into and made part of the parties’ master agreement (the “Agreement”). If the term of the Agreement is set to expire prior to the end of the Order Term, the term of the Agreement is hereby extended through the end of the Order Term for the purposes of this Order.
Agreed and accepted:

Client
Name: Geoff Patnoe
Title: Assistant City Manager
Date: 9/29/2020

Cornerstone OnDemand
Name: Jim Gill
Title: SVP, Public Sector
Date: September 16, 2020

APPROVED AS TO FORM
Celia Brewer, City Attorney
BY: _______________________ Assistant City Attorney

STATEMENT OF WORK

SCOPE OF SERVICES AND DELIVERABLES

Timeline and Delivery
• Upon completion of the Client portal and configuration set up tasks, Cornerstone will distribute all access credentials to the Client, which indicates the Client Portal systems are ready for use. Acceptance of these deliverables will be in accordance with the Agreement. Upon completion of the Client Portal and Configuration Set Up phase, the Software is ready for use by Client.

PROJECT RESOURCES

The table below outlines recommended resources and time estimates for each phase. Time durations are estimates and may vary based on client requirement. Each phase may overlap and may require a shifting of hours among phases based on Client’s processes. The project lifecycle may be repeated for each additional module.
Phase: Build Prototype
Estimated Duration: 2 Weeks
Cornerstone Resources:
• Implementation Consultant
• Integration Consultant
Client Resources:
• Project Manager
• Business Process Owners
• Technical Resources
• System Administrators

Phase: Proof of Concept
Estimated Duration: 2 Weeks
Cornerstone Resources:
• Implementation Consultant
• Integration Consultant
Client Resources:
• Project Manager
• Business Process Owners
• Technical Resources
• System Administrators

Phase: Validate and Launch
Estimated Duration: 4 Weeks
Cornerstone Resources:
• Implementation Consultant
• Integration Consultant
Client Resources:
• Project Manager
• Business Process Owners
• System Administrators
• Technical Resources

IMPLEMENTATION SERVICES AND ESTIMATED TIMELINE

The Scope of Services outlined below provides a breakdown of the key components of the Implementation Services and the corresponding deliverables to be provided by Cornerstone and Client.

Phase: Build Prototype

Cornerstone Deliverables

Week One:
• Collect any client process documentation (via completed process Questionnaire)
• Prepare prototype configuration of the Live portal based upon client response to process Questionnaire
• Project initiation call with client. Confirm project scope with client project team
• Identify and communicate to client the most important online courses for the project scope
• Create meeting schedule for project lifecycle
• Establish and document project controls and processes for status reporting, issue resolution, and risk management processes
• Schedule kickoff meeting
• Communicate requirement to complete Organizational Units, Security preferences and training
• Complete remote kick-off meeting
• Review technical projects in-scope
• Deliver technical projects questionnaires
• Deliver technical documentation (data design documents and templates)
• Implementation Consultant schedules and leads Organizational Unit Workshop

Week Two:
• Schedule and lead technical kickoff calls when applicable or direct client to recorded technical workshops
• Complete options for any additional training that has been purchased
• Review prototype with client
• Deliver client tool kit for success

Client Deliverables

Week One:
• Complete process questionnaire (if not already completed)
• Provide branding and marketing requirements (if not already provided through questionnaire)
• Deliver documented learning processes including approvals, evaluations, process maps and supporting forms or documentation (if not already provided through questionnaire)
• Provide external user approval workflows (if not already provided through questionnaire)
• Provide external training requirements (if not already provided through questionnaire)
• Client completes administrator training as prescribed in the training plan
• Participates in remote kick-off meeting
• Assemble project team
• Define measures of project success
• Attend technical project kickoff calls
• Provide organization chart(s) to assist in designing Organization Unit structure
• Provides sample user profile record and definition
• Client content provider listing and courses
• Provide use case scenarios to model recommended configuration

Week Two:
• Attend remote sessions
• Confirm meeting schedule
• Take online training as needed
• Complete design specifications for technical projects in scope.

Phase: Proof of Concept

Cornerstone Deliverables

Week Three:
• Technical follow up meeting
• Prep work for Proof of Concept sessions

Week Four:
• Conduct Proof of Concept sessions to review initial portal configuration
• Cornerstone will update live portal (if required) based on outputs from Proof of Concept Sessions
• Scope of updates will be limited to:
  o Configure for Learning Module
  o Platform preferences, email triggers
  o eLearning (SCORM/AICC) content load (1 course) and one (1) Level 1 evaluation

Client Deliverables

Week Three:
• Attend remote sessions
• Complete administrator training as prescribed in the training plan

Week Four:
• Attend Proof of Concept remote sessions
• Create customized acceptance test scripts
• Complete administrator training as prescribed in the training plan
• Complete setup in live portal including:
  o Global Configurations – emails triggers, security roles, welcome page, preferences
  o Language translations, as necessary

Phase / Cornerstone Deliverables / Client Deliverables (table continued):
• One (1) instructor-led training example
• One (1) curriculum
• One (1) material
• One (1) video
• One (1) proxy enrollment
• One (1) test
• One (1) training request form
• One (1) approval workflow
• Deliver sample test scripts
• Submit request for Client Success Manager
• Configuration of additional client security roles
• Learning Module
• Load eLearning course content and materials
• Load all required documents including curriculums, test and evaluations, Instructor Led Training events and sessions, instructors, facilities, and certifications
• Test content launching, tracking, and completion
• Complete and implement technical projects in scope.
Phase: Validate & Launch

Cornerstone Deliverables

Week Five:
• Schedule copy down from live to pilot to copy above configuration to pilot prior to commencement of UAT
• Copy pilot to stage if you need to preserve Historic Data
• Discuss User Acceptance Testing including test scripts and participants
• Schedule daily User Acceptance Testing touch base to solution review open issues with client (include Client Success Manager)
• Solidify configuration with client in preparation for User Acceptance Testing in pilot
• Complete technical projects in scope:

Week Six through Seven:
• Daily User Acceptance Testing touch base to review open testing issues with client (include Client Success Manager)
• Triage (categorize and prioritize) reported issues and address prior to go-live
• Finalize integration projects in production
• Support Client during testing and validation

Week Eight:
• Complete Client Success Manager handoff
• Copy down executed to pilot (Can do copy over from pilot to stage prior to Live Copy Down if needed)
• Obtain named care admins from client
• Support Client during testing and validation
• SOW Review with Client Success Manager
• Close out any open issues/items for Go Live
• Client Go-Live
• Discuss post live survey with client
• Schedule and execute final Historical Data Loads
• Conduct project close out

Client Deliverables

Week Five:
• Attend follow-up remote sessions
• Attend User Acceptance Testing prep meetings
• Create and complete user acceptance test scripts

Week Six through Seven:
• Attend all User Acceptance Testing calls
• Review UAT feedback with Implementation team
• Make corrections or configuration changes based on UAT findings in Live portal
• Test system interfaces end-to-end
• Populate specific test data like tasks and users
• Create and complete client-specific test assessment template

Week Eight:
• Attend Client Success Manager transition meeting
• Client makes configuration adjustments on Pilot and Live portals
• Update Live portal configuration based on testing feedback
• Post Live issue remediation (partner with Client Success Manager to assist)
• Client Go-Live

ADDITIONAL SERVICES

Edge Import

Brief Summary
Integration with Client systems enabling automated maintenance of the following data sets: Client User Accounts and Organizational Units (OUs), historical LMS user transcript records, learning objects and material files.

Tasks
• Cornerstone: Enable Edge Import in client portals
• Cornerstone: Lead the client in a design workshop to review the data feed design process and supports the design decision process of the client
• Client: Prepares files for load
• Cornerstone: Guides client on loading files into the Pilot Portal
• Client: Reviews and corrects any errors detected in the load process
• Client: Reviews and approves data load on Pilot
• Client: Loads data to Live using Edge Import tool

Assumptions
• Utilizes Cornerstone standard Data feed specifications as designed for the Edge Import.
• Client has the ability to extract and transform source data to the Design Specifications format.
• Client has the ability to configure file transfers of data to Cornerstone

Inbound Data Feed – User/Organizational Unit (IDF User/OU)

Brief Summary
Integration with data from a single source Client system enabling automated maintenance of user and organizational units (OU) via a scheduled Inbound Data Feed (IDF) of the following data sets:
• User Profile
• Organizational Unit (OU)

Tasks
• Cornerstone: Provide Client with the Cornerstone standard Inbound Data Feed of User/OU (IDF User/OU) design document and template
• Cornerstone: Lead Client in IDF User/OU workshop to review data feed process and support the functional decisions of Client
• Cornerstone: Create IDF User/OU design document for Client
• Client: Sign off on IDF User/OU design document
• Client: Load files on pilot FTP folder for load, complying with Cornerstone’s formatting requirements
• Cornerstone: Schedule IDF User/OU to run in pilot portal on a regular basis to allow testing by Client
• Cornerstone: Email the pilot portal IDF User/OU log file to identify load errors, after each load attempt
• Client: Review, update, and sign off the IDF User/OU process in pilot portal
• Client: Load files on live FTP folder for load, complying with Cornerstone’s formatting requirements
• Cornerstone: Schedule and automate IDF User/OU in live portal
• Cornerstone: Email the live IDF User/OU log file to identify load errors, after each load attempt
• Client: Review, update, and sign off on the IDF User/OU process in live portal

Assumptions
• Client utilizes Cornerstone standard IDF User/OU design document and template for all data types
• Client is responsible for uniquely identifying records across all data types
• All data records referencing user data are by user’s unique identifier value (UserID)
• Client has skilled software resources that can extract data from source systems and transform data to the format(s) defined by the approved IDF design document
• Client will perform all data file consolidations necessary and provide data files in formats defined in the approved IDF User/OU design document. All mandatory data fields must be populated for all records
• Client is responsible for properly validating data and identifying any errors prior to signing off on feed in live portal
• Client acknowledges that once the design document is approved, any changes or modifications to the work, scope, or the feed will require creation of a change request document. Change requests are reviewed and could result in additional charges to Client
• Any changes following Client signoff will require a work order or SOW submission

Single Sign On (SSO) – AES Encrypted, SAML 1.1, or SAML 2.0

Brief Summary
• Cornerstone to provide support on one of the following Single Sign On (SSO) integration from an outside portal to Client’s Cornerstone Portal:
  o AES Encrypted
  o SAML 1.1
  o SAML 2.0

Tasks
• Cornerstone: Provide Client with the Cornerstone SSO Technical Documentation
• Cornerstone: Lead the Client in SSO workshops to review SSO process and support the functional decisions of the Client
• AES Encrypted Single Sign On (SSO)
  o Cornerstone: Provide sample code for Pilot Portal and Live Portal to deploy the AES SSO
  o Cornerstone: Provide the AES end point URLs to the Client
  o Client: Populate, encrypt and post the token as per Cornerstone requirements
  o Client: Deploy, test and sign off the AES Encrypted SSO in Pilot Portal
  o Client: Deploy, test and sign off the AES Encrypted SSO in Live Portal
• SAML V 1.1 OR SAML 2.0 Single Sign On (SSO)
  o Client: Provide:
    - Base64 encoded – X.509 public Certificate (.crt, .cer)
    - Base64 encoded sample SAML Response Assertion (.txt)
  o Cornerstone: Configure Client’s Pilot Portal with SSO SAML 1.1 OR 2.0
  o Client: Review and sign off on SSO SAML 1.1 OR 2.0 in Pilot Portal
  o Cornerstone: Configure Client’s Live Portal with SSO SAML 1.1 OR 2.0
  o Client: Review and sign off on SSO SAML 1.1 OR 2.0 in Live Portal

Assumptions
• Client utilizes Cornerstone standard SSO Design Specifications and complies to Cornerstone requirements to integrate AES Encrypted SSO, SAML 1.1 SSO, or SAML 2.0 SSO only.
• Any other type of Single Sign On Solution Integration other than the above mentioned items is outside the scope of this project and considered a custom Single Sign On Solution. Client is responsible to make sure User Identification values (UserID, Username OR Email address) are unique and matching existing users in the CSOD portal
• AES Encrypted Single Sign On (SSO)
• Client has skilled software resources (Java or .Net programming) available who can establish an AES Encrypted SSO protocol and configure authentication to support CSOD’s AES Encrypted SSO
• Client has skilled software resources available who can establish an SSO SAML protocol and configure authentication to support Cornerstone’s SSO SAML V1.1 OR 2.0
• SAML V 1.1 OR 2.0 Single Sign On (SSO)
• Client will transfer the Assertion and Certification files to Cornerstone as per Cornerstone requirements defined on design specification document and will only transfer them through FTP folder (not email)
• The assertion is signed using an X.509 certificate, sha1RSA algorithm and is Base64 encoded
• Client acknowledges that once the design document is approved, any changes or modifications to the work scope will require creation of a Change Request document. Change requests are reviewed and could result in additional charges to the Client
• Any changes following Client signoff will require a Work Order or SOW submission

TIMELINE AND DELIVERY

The Implementation Services set forth and described in this Statement of Work will take eight (8) weeks in duration to complete.
The Services will be performed remotely by Cornerstone, except for any on-site Services so expressly identified herein. The Services will be performed for the below flat fee(s), plus reimbursement of pre-approved travel expenses for on-site activities. Cornerstone’s implementation methodology is best delivered within an 8 week time period. Limited project extensions are available however all implementation services expire one year following contract expiration. Client and Cornerstone will create the project plan to meet this completion date during the Initiate phase. Client and Cornerstone agree to provide the necessary resources to complete all of the deliverables as per the agreed project plan.

Project Components and Investments:

Implementation Services: $0.00
• Learning Implementation - Small Enterprise (SVCSIMP0120): Included

Advisory Services: $0.00
• Consulting - Inbound Data Feed - OU/Users (IDF) Connector (SVCSBUS0121): Included
• Consulting - Single Sign On - Standard (SSO) Connector (SVCSBUS0135): Included
• Consulting - Edge Import (SVCSBUS0161): Included

Total Service Investment: $0.00

The end of the Implementation Services is defined as the completion of the above Cornerstone deliverables as outlined under the Implementation Services section of this document. Acceptance of the deliverables will be in accordance with the Agreement.
ASSUMPTIONS AND CLIENT OBLIGATIONS

• In order for Cornerstone to provide the Services outlined in this Statement of Work, Client shall provide the necessary resources to fulfill the obligations listed below:
• Select and assign knowledgeable, empowered Implementation team including the following roles, which may overlap:
  o Business Process Owner for Learning Management System (aka, the Decision Maker)
  o Lead Cornerstone System Administrator
  o Project Manager of the Cornerstone implementation
  o HRIS Technical Administrator (Optional, depending on data requirements and extraction capabilities)
  o Executive Stakeholder (Optional)
• Begin going through kick-off documentation in the Client Success Center
• Empower team to make real-time decisions regarding configuration and business process functions during the project.
• Ensure project team attendance and active participation during all phases of the Implementation project.
• Client will ensure the requisite training has been completed prior to the start of UAT.
• Formally accept (sign-off) all key deliverables and implementation services per the Agreement.
• Manage Client project staffing and milestones through Cornerstone provided work plan.
• Ensure completion of Client project deliverables.
• Attend and participate in implementation sessions.
• Provide a primary point of contact for Cornerstone during and after the implementation.
• Ensure proper change management communication to end-users during implementation in preparation for rollout.
• The project will be conducted remotely
• Cornerstone and Client agree that changes to key members of implementation team or significant changes in business requirements or decisions, in each case by Client, that cause delays in the project timeline may require a change order to this Statement of Work. Change orders are reviewed and may result in additional charges.
• Client is solely responsible for testing all processes during the UAT phase
• Client will utilize the Cornerstone content loader to upload online content to the portal. All Client content is SCORM v1.2, SCORM 2004, xAPI or AICC v3.5 compliant
• Client is solely responsible for testing (Tracking, Completion, etc.) all content loaded to the Cornerstone portal.
• Any technical integration or service, historical data load, master data load, or data migration not expressly listed in this Statement of Work with an accompanying price will be scoped as a separate work effort and is not included in the scope of this document.
• Requests for application code changes are out of scope
• Additional contracts may be required to utilize third party (non-Cornerstone OnDemand) services and integrations such as job board aggregation, video interview, background screening, employee eligibility and citizenship.
• Client will ensure that all data fields related to controlling data retention processes are captured correctly on the User record e.g. Legal Entity, Termination Date, Termination Reason and Employment Status. If Client only requires a single data retention period, Client will set-up one Legal Entity Organizational Unit. Client will activate the data retention processes for that Legal Entity by submitting a work order to Cornerstone's Global Product Support after the completion of the implementation deliverables. If Client requires multiple Legal Entities to fulfill Client’s data retention policy requirements, Client will need to engage a Services Partner via a paid for Consulting engagement.
• Except where otherwise stated or agreed by the parties, Cornerstone’s obligation to perform the Services set forth herein expires at the earlier of: (i) acceptance of the Service by Client; (ii) Twelve months from the purchase date.
DocuSign Envelope ID: BF053669-BEFE-48FA-AF09-EFD94C819210DocuSign Envelope ID: 0103A10F-088B-4148-9872-0AD4708A0824 STATEMENT OF WORK SCOPE OF SERVICES AND DELIVERABLES Timeline and Delivery  Upon completion of the Client portal and configuration set up tasks, Cornerstone will distribute all access credentials to the Client, which indicates the Client Portal systems are ready for use. Acceptance of these deliverables will be in accordance with the Agreement. Upon completion of the Client Portal and Configuration Set Up phase, the Software is ready for use by Client. PROJECT RESOURCES The table below outlines recommended resources and time estimates for each phase. Time durations are estimates and may vary based on client requirement. Each phase may overlap and may require a shifting of hours among phases based on Client’s processes. The project lifecycle may be repeated for each additional module. Phase Estimated Duration Cornerstone Resources Client Resources Build Prototype 2 Weeks  Implementation Consultant  Integration Consultant  Project Manager  Business Process Owners  Technical Resources  System Administrators Proof of Concept 2 Weeks  Implementation Consultant  Integration Consultant   Project Manager  Business Process Owners  Technical Resources  System Administrators Validate and Launch 4 Weeks  Implementation Consultant  Integration Consultant  Project Manager  Business Process Owners  System Administrators  Technical Resources DocuSign Envelope ID: 0103A10F-088B-4148-9872-0AD4708A0824 IMPLEMENTATION SERVICES AND ESTIMATED TIMELINE The Scope of Services outlined below provides a breakdown of the key components of the Implementation Services and the corresponding deliverables to be provided by Cornerstone and Client. 
Phase Cornerstone Deliverables Client Deliverables Build Prototype Week One:  Collect any client process documentation (via completed process Questionnaire)  Prepare prototype configuration of the Live portal based upon client response to process Questionnaire  Project initiation call with client. Confirm project scope with client project team  Identify and communicate to client the most important online courses for the project scope  Create meeting schedule for project lifecycle  Establish and document project controls and processes for status reporting, issue resolution, and risk management processes  Schedule kickoff meeting  Communicate requirement to complete Organizational Units, Security preferences and training  Complete remote kick-off meeting  Review technical projects in-scope  Deliver technical projects questionnaires  Deliver technical documentation (data design documents and templates)  Implementation Consultant schedules and leads Organizational Unit Workshop Week Two:  Schedule and lead technical kickoff calls when applicable or direct client to recorded technical workshops  Complete options for any additional training that has been purchased  Review prototype with client  Deliver client tool kit for success Weeks One:  Complete process questionnaire (if not already completed)  Provide branding and marketing requirements (if not already provided through questionnaire)  Deliver documented learning processes including approvals, evaluations, process maps and supporting forms or documentation (if not already provided through questionnaire)  Provide external user approval workflows (if not already provided through questionnaire)  Provide external training requirements (if not already provided through questionnaire)  Client completes administrator training as prescribed in the training plan  Participates in remote kick-off meeting  Assemble project team  Define measures of project success  Attend technical project kickoff calls 
 Provide organization chart(s) to assist in designing Organization Unit structure  Provides sample user profile record and definition  Client content provider listing and courses  Provide use case scenarios to model recommended configuration Week Two:  Attend remote sessions  Confirm meeting schedule  Take online training as needed  Complete design specifications for technical projects in scope. Proof of Concept Week Three:  Technical follow up meeting  Prep work for Proof of Concept sessions Week Four:  Conduct Proof of Concept sessions to review initial portal configuration  Cornerstone will update live portal (if required) based on outputs from Proof of Concept Sessions  Scope of updates will be limited to :  Configure for Learning Module  Platform preferences, email triggers  eLearning (SCORM/AICC) content load (1 course) and one (1) Level 1 evaluation Week Three:  Attend remote sessions  Complete administrator training as prescribed in the training plan Week Four:  Attend Proof of Concept remote sessions  Create customized acceptance test scripts  Complete administrator training as prescribed in the training plan  Complete setup in live portal including:  Global Configurations – emails triggers, security roles, welcome page, preferences Language translations, as necessary DocuSign Envelope ID: 0103A10F-088B-4148-9872-0AD4708A0824 Phase Cornerstone Deliverables Client Deliverables  One (1) instructor-led training example  One (1) curriculum  One (1) material  One (1) video  One (1) proxy enrollment  One (1) test  One (1) training request form  One (1) approval workflow  Deliver sample test scripts  Submit request for Client Success Manager  Configuration of additional client security roles  Learning Module  Load eLearning course content and materials  Load all required documents including curriculums, test and evaluations, Instructor Led Training events and sessions, instructors, facilities, and certifications  Test 
content launching, tracking, and completion  Complete and implement technical projects in scope. Validate & Launch Week Five:  Schedule copy down from live to pilot to copy above configuration to pilot prior to commencement of UAT  Copy pilot to stage if you need to preserve Historic Data  Discuss User Acceptance Testing including test scripts and participants  Schedule daily User Acceptance Testing touch base to solution review open issues with client (include Client Success Manager)  Solidify configuration with client in preparation for User Acceptance Testing in pilot  Complete technical projects in scope: Week Six through Seven:  Daily User Acceptance Testing touch base to review open testing issues with client (include Client Success Manager)  Triage (categorize and prioritize) reported issues and address prior to go-live  Finalize integration projects in production  Support Client during testing and validation Week Eight:  Complete Client Success Manager handoff  Copy down executed to pilot (Can do copy over from pilot to stage prior to Live Copy Down if needed)  Obtain named care admins from client  Support Client during testing and validation  SOW Review with Client Success Manager  Close out any open issues/items for Go Live  Client Go-Live  Discuss post live survey with client  Schedule and execute final Historical Data Loads  Conduct project close out Week Five:  Attend follow-up remote sessions  Attend User Acceptance Testing prep meetings  Create and complete user acceptance test scripts Week Six through Seven:  Attend all User Acceptance Testing calls  Review UAT feedback with Implementation team  Make corrections or configuration changes based on UAT findings in Live portal  Test system interfaces end-to-end  Populate specific test data like tasks and users  Create and complete client-specific test assessment template Week Eight:  Attend Client Success Manager transition meeting  Client makes configuration adjustments 
on Pilot and Live portals  Update Live portal configuration based on testing feedback  Post Live issue remediation (partner with Client Success Manager to assist)  Client Go-Live DocuSign Envelope ID: 0103A10F-088B-4148-9872-0AD4708A0824 ADDITIONAL SERVICES Edge Import Brief Summary Integration with Client systems enabling automated maintenance of the following data sets: Client User Accounts and Organizational Units (OUs), historical LMS user transcript records, learning objects and material files. Tasks  Cornerstone: Enable Edge Import in client portals  Cornerstone: Lead the client in a design workshop to review the data feed design process and supports the design decision process of the client  Client: Prepares files for load  Cornerstone: Guides client on loading files into the Pilot Portal  Client: Reviews and corrects any errors detected in the load process  Client: Reviews and approves data load on Pilot  Client: Loads data to Live using Edge Import tool Assumptions  Utilizes Cornerstone standard Data feed specifications as designed for the Edge Import.  Client has the ability to extract and transform source data to the Design Specifications format. 
 Client has the ability to configure file transfers of data to Cornerstone Inbound Data Feed – User/Organizational Unit (IDF User/OU) Brief Summary Integration with data from a single source Client system enabling automated maintenance of user and organizational units (OU) via a scheduled Inbound Data Feed (IDF) of the following data sets:  User Profile  Organizational Unit (OU) Tasks  Cornerstone: Provide Client with the Cornerstone standard Inbound Data Feed of User/OU (IDF User/OU) design document and template  Cornerstone: Lead Client in IDF User/OU workshop to review data feed process and support the functional decisions of Client  Cornerstone: Create IDF User/OU design document for Client  Client: Sign off on IDF User/OU design document  Client: Load files on pilot FTP folder for load, complying with Cornerstone’s formatting requirements  Cornerstone: Schedule IDF User/OU to run in pilot portal on a regular basis to allow testing by Client  Cornerstone: Email the pilot portal IDF User/OU log file to identify load errors, after each load attempt  Client: Review, update, and sign off the IDF User/OU process in pilot portal  Client: Load files on live FTP folder for load, complying with Cornerstone’s formatting requirements  Cornerstone: Schedule and automate IDF User/OU in live portal  Cornerstone: Email the live IDF User/OU log file to identify load errors, after each load attempt  Client: Review, update, and sign off on the IDF User/OU process in live portal Assumptions  Client utilizes Cornerstone standard IDF User/OU design document and template for all data types  Client is responsible for uniquely identifying records across all data types  All data records referencing user data are by user’s unique identifier value (UserID)  Client has skilled software resources that can extract data from source systems and transform data to the format(s) defined by the approved IDF design document  Client will perform all data file consolidations 
necessary and provide data files in formats defined in the approved IDF User/OU design document. All mandatory data fields must be populated for all records
• Client is responsible for properly validating data and identifying any errors prior to signing off on feed in live portal
• Client acknowledges that once the design document is approved, any changes or modifications to the work, scope, or the feed will require creation of a change request document. Change requests are reviewed and could result in additional charges to Client
• Any changes following Client signoff will require a work order or SOW submission

Single Sign On (SSO) – AES Encrypted, SAML 1.1, or SAML 2.0

Brief Summary
• Cornerstone to provide support on one of the following Single Sign On (SSO) integrations from an outsider portal to Client’s Cornerstone Portal:
  • AES Encrypted
  • SAML 1.1
  • SAML 2.0

Tasks
• Cornerstone: Provide Client with the Cornerstone SSO Technical Documentation
• Cornerstone: Lead the Client in SSO workshops to review SSO process and support the functional decisions of the Client
• AES Encrypted Single Sign On (SSO)
  o Cornerstone: Provide sample code for Pilot Portal and Live Portal to deploy the AES SSO
  o Cornerstone: Provide the AES end point URLs to the Client
  o Client: Populate, encrypt and post the token as per Cornerstone requirements
  o Client: Deploy, test and sign off the AES Encrypted SSO in Pilot Portal
  o Client: Deploy, test and sign off the AES Encrypted SSO in Live Portal
• SAML V 1.1 OR SAML 2.0 Single Sign On (SSO)
  o Client: Provide:
    • Base64 encoded – X.509 public Certificate (.crt, .cer)
    • Base64 encoded sample SAML Response Assertion (.txt)
  o Cornerstone: Configure Client’s Pilot Portal with SSO SAML 1.1 OR 2.0
  o Client: Review and sign off on SSO SAML 1.1 OR 2.0 in Pilot Portal
  o Cornerstone: Configure Client’s Live Portal with SSO SAML 1.1 OR 2.0
  o Client: Review and sign off on SSO SAML 1.1 OR 2.0 in Live Portal

Assumptions
• Client utilizes Cornerstone standard SSO Design Specifications and complies with Cornerstone requirements to integrate AES Encrypted SSO, SAML 1.1 SSO, or SAML 2.0 SSO only.
• Any other type of Single Sign On Solution Integration other than the above mentioned items is outside the scope of this project and considered a custom Single Sign On Solution. Client is responsible to make sure User Identification values (UserID, Username OR Email address) are unique and matching existing users in the CSOD portal
• AES Encrypted Single Sign On (SSO)
• Client has skilled software resources (Java or .Net programming) available who can establish an AES Encrypted SSO protocol and configure authentication to support CSOD’s AES Encrypted SSO
• Client has skilled software resources available who can establish an SSO SAML protocol and configure authentication to support Cornerstone’s SSO SAML V1.1 OR 2.0
• SAML V 1.1 OR 2.0 Single Sign On (SSO)
• Client will transfer the Assertion and Certification files to Cornerstone as per Cornerstone requirements defined on design specification document and will only transfer them through FTP folder (not email)
• The assertion is signed using an X.509 certificate, sha1RSA algorithm and is Base64 encoded
• Client acknowledges that once the design document is approved, any changes or modifications to the work scope will require creation of a Change Request document. Change requests are reviewed and could result in additional charges to the Client
• Any changes following Client signoff will require a Work Order or SOW submission

TIMELINE AND DELIVERY

The Implementation Services set forth and described in this Statement of Work will take eight (8) weeks in duration to complete. The Services will be performed remotely by Cornerstone, except for any on-site Services so expressly identified herein.
The Services will be performed for the below flat fee(s), plus reimbursement of pre-approved travel expenses for on-site activities. Cornerstone’s implementation methodology is best delivered within an 8 week time period. Limited project extensions are available; however, all implementation services expire one year following contract expiration. Client and Cornerstone will create the project plan to meet this completion date during the Initiate phase. Client and Cornerstone agree to provide the necessary resources to complete all of the deliverables as per the agreed project plan.

Project Components                                                                 Investments
Implementation Services                                                            $0.00
• Learning Implementation - Small Enterprise SVCSIMP0120                           Included
Advisory Services                                                                  $0.00
Consulting - Inbound Data Feed - OU/Users (IDF) Connector SVCSBUS0121              Included
Consulting - Single Sign On - Standard (SSO) Connector SVCSBUS0135                 Included
Consulting - Edge Import SVCSBUS0161                                               Included
Total Service Investment                                                           $0.00

The end of the Implementation Services is defined as the completion of the above Cornerstone deliverables as outlined under the Implementation Services section of this document. Acceptance of the deliverables will be in accordance with the Agreement.
ASSUMPTIONS AND CLIENT OBLIGATIONS

• In order for Cornerstone to provide the Services outlined in this Statement of Work, Client shall provide the necessary resources to fulfill the obligations listed below:
• Select and assign knowledgeable, empowered Implementation team including the following roles, which may overlap:
  • Business Process Owner for Learning Management System (aka, the Decision Maker)
  • Lead Cornerstone System Administrator
  • Project Manager of the Cornerstone implementation
  • HRIS Technical Administrator (Optional, depending on data requirements and extraction capabilities)
  • Executive Stakeholder (Optional)
• Begin going through kick-off documentation in the Client Success Center
• Empower team to make real-time decisions regarding configuration and business process functions during the project.
• Ensure project team attendance and active participation during all phases of the Implementation project.
• Client will ensure the requisite training has been completed prior to the start of UAT.
• Formally accept (sign-off) all key deliverables and implementation services per the Agreement.
• Manage Client project staffing and milestones through Cornerstone provided work plan.
• Ensure completion of Client project deliverables.
• Attend and participate in implementation sessions.
• Provide a primary point of contact for Cornerstone during and after the implementation.
• Ensure proper change management communication to end-users during implementation in preparation for rollout.
• The project will be conducted remotely
• Cornerstone and Client agree that changes to key members of implementation team or significant changes in business requirements or decisions, in each case by Client, that cause delays in the project timeline may require a change order to this Statement of Work. Change orders are reviewed and may result in additional charges.
• Client is solely responsible for testing all processes during the UAT phase
• Client will utilize the Cornerstone content loader to upload online content to the portal. All Client content is SCORM v1.2, SCORM 2004, xAPI or AICC v3.5 compliant
• Client is solely responsible for testing (Tracking, Completion, etc.) all content loaded to the Cornerstone portal.
• Any technical integration or service, historical data load, master data load, or data migration not expressly listed in this Statement of Work with an accompanying price will be scoped as a separate work effort and is not included in the scope of this document.
• Requests for application code changes are out of scope
• Additional contracts may be required to utilize third party (non-Cornerstone OnDemand) services and integrations such as job board aggregation, video interview, background screening, employee eligibility and citizenship.
• Client will ensure that all data fields related to controlling data retention processes are captured correctly on the User record, e.g. Legal Entity, Termination Date, Termination Reason and Employment Status. If Client only requires a single data retention period, Client will set up one Legal Entity Organizational Unit. Client will activate the data retention processes for that Legal Entity by submitting a work order to Cornerstone's Global Product Support after the completion of the implementation deliverables. If Client requires multiple Legal Entities to fulfill Client’s data retention policy requirements, Client will need to engage a Services Partner via a paid-for Consulting engagement.
• Except where otherwise stated or agreed by the parties, Cornerstone’s obligation to perform the Services set forth herein expires at the earlier of: (i) acceptance of the Service by Client; (ii) Twelve months from the purchase date.
CERTIFICATE OF LIABILITY INSURANCE (ACORD 25 (2016/03))
DATE (MM/DD/YYYY): 8/12/2020

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

PRODUCER: San Diego, CA - Mira Sorrento - HUB International Insurance Services Inc., 9855 Scranton Road Suite 100, San Diego, CA 92121. License # 0757776
PHONE: (858) 373-6900
FAX: (858) 373-6897

INSURED: Cornerstone OnDemand, Inc., 1601 Cloverfield Blvd., #620, Santa Monica, CA 90404

INSURER(S) AFFORDING COVERAGE (NAIC #)
INSURER A: Zurich American Insurance Company (16535)
INSURER B: American Guarantee & Liability Insurance Company (26247)
INSURER C: American Zurich Insurance Company (40142)
INSURER D: Westchester Surplus Lines Insurance Co. (10172)

COVERAGES

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

INSR LTR A: COMMERCIAL GENERAL LIABILITY. Policy number CPO016275403, policy eff 1/1/2020, policy exp 1/1/2021.
  EACH OCCURRENCE: $1,000,000
  DAMAGE TO RENTED PREMISES (Ea occurrence): $1,000,000
  MED EXP (Any one person): $10,000
  PERSONAL & ADV INJURY: $1,000,000
  GENERAL AGGREGATE: $2,000,000
  PRODUCTS - COMP/OP AGG: $2,000,000
  OTHER: Per Project Agg $4,000,000

INSR LTR A: AUTOMOBILE LIABILITY. Policy number CPO016275403, policy eff 1/1/2020, policy exp 1/1/2021.
  COMBINED SINGLE LIMIT (Ea accident): $1,000,000

INSR LTR B: UMBRELLA LIAB / EXCESS LIAB. Policy number AUC039864703, policy eff 1/1/2020, policy exp 1/1/2021.
  EACH OCCURRENCE: $20,000,000
  AGGREGATE: $20,000,000
  DED / RETENTION: $0

INSR LTR C: WORKERS COMPENSATION AND EMPLOYERS' LIABILITY. Policy number WC016275503, policy eff 1/1/2020, policy exp 1/1/2021.
  ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Mandatory in NH): N
  E.L. EACH ACCIDENT: $1,000,000
  E.L. DISEASE - EA EMPLOYEE: $1,000,000
  E.L. DISEASE - POLICY LIMIT: $1,000,000

INSR LTR D: Errors & Omissions. Policy number F14722567002, policy eff 1/1/2020, policy exp 1/1/2021.
  *See Below

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)
* Errors & Omissions Liability is Claims Made. Coverage Includes:
Technology and Internet Errors & Omissions Liability (Cyber Liability): $5,000,000 Each Claim / $5,000,000 Aggregate; $50,000 Ded.
Electronic Media Activities Liability: $5,000,000 Each Claim / $5,000,000 Aggregate; $50,000 Ded.
Network Security Liability: $5,000,000 Each Claim / $5,000,000 Aggregate; $50,000 Ded.
Privacy Liability: $5,000,000 Each Claim / $5,000,000 Aggregate; $50,000 Ded.
Network Extortion Threat Liability: $5,000,000 Each Claim / $5,000,000 Aggregate; $50,000 Ded.
For information purposes only.

CERTIFICATE HOLDER: City of Carlsbad, 1635 Faraday Ave., Carlsbad, CA 92008

CANCELLATION: SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.

© 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD