Loading...
The URL can be used to link to this page
Your browser does not support the video tag.
Home
My WebLink
About
QCM Technologies Inc; 2022-04-28; ITPSA2022-001
Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 1 AGREEMENT FOR LOGRHYTM TRUSOC SERVICES QCM TECHNOLOGIES INC THIS AGREEMENT is made and entered into as of the ______________ day of _________________________, 2022, by and between the CITY OF CARLSBAD, a municipal corporation, ("City"), and QCM Technologies Inc., an Arizona corporation, ("Contractor"). RECITALS A. City requires the professional services of a managed security provider that is experienced in information technology managed security services. B. Contractor has the necessary experience in providing professional services and advice related to information technology managed security services. C. Contractor has submitted a proposal to City and has affirmed its willingness and ability to perform such work. NOW, THEREFORE, in consideration of these recitals and the mutual covenants contained herein, City and Contractor agree as follows: 1. SCOPE OF WORK City retains Contractor to perform, and Contractor agrees to render, those services (the "Services") that are defined in attached Exhibit "A", which is incorporated by this reference in accordance with this Agreement’s terms and conditions. In the event of a conflict between the terms and conditions in Exhibit “A” and the terms and conditions of this Agreement, the terms and conditions of this Agreement control over the terms and conditions in Exhibit “A.” 2. STANDARD OF PERFORMANCE While performing the Services, Contractor will exercise the reasonable professional care and skill customarily exercised by reputable members of Contractor's profession practicing in the Metropolitan Southern California Area, and will use reasonable diligence and best judgment while exercising its professional skill and expertise. 3. TERM The term of this Agreement will be effective for a period of one (1) year from the date first above written. The City Manager may amend the Agreement to extend it for one (1) additional two (2) year period or parts thereof. Extensions will be based upon a satisfactory review of Contractor's performance, City needs, and appropriation of funds by the City Council. The parties will prepare a written amendment indicating the effective date and length of the extended Agreement. 4. TIME IS OF THE ESSENCE Time is of the essence for each and every provision of this Agreement. 5. COMPENSATION The total fee payable for the Services to be performed during the initial Agreement term will be sixty-nine thousand eight hundred fourteen dollars and twenty cents ($69,814.20). No other compensation for the Services will be allowed except for items covered by subsequent amendments to this Agreement. If the City elects to extend the Agreement, the amount will not increase and shall not exceed sixty-nine thousand eight hundred fourteen dollars and twenty cents ($69,814.20) for Years 2 and 3 of the Agreement. The City reserves the right to withhold a ten percent (10%) retention until City has accepted the work and/or Services specified in Exhibit "A". DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 April 28th Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 2 Incremental payments, if applicable, should be made as outlined in attached Exhibit "A". 6. STATUS OF CONTRACTOR Contractor will perform the Services in Contractor's own way as an independent contractor and in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be under control of City only as to the result to be accomplished, but will consult with City as necessary. The persons used by Contractor to provide services under this Agreement will not be considered employees of City for any purposes. The payment made to Contractor pursuant to the Agreement will be the full and complete compensation to which Contractor is entitled. City will not make any federal or state tax withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be required to pay any workers' compensation insurance or unemployment contributions on behalf of Contractor or its employees or subcontractors. Contractor agrees to indemnify City within thirty (30) days for any tax, retirement contribution, social security, overtime payment, unemployment payment or workers' compensation payment which City may be required to make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work done under this Agreement. At the City’s election, City may deduct the indemnification amount from any balance owing to Contractor. 7. SUBCONTRACTING Contractor will not subcontract any portion of the Services without prior written approval of City. If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly employed by the subcontractor, as Contractor is for the acts and omissions of persons directly employed by Contractor. Nothing contained in this Agreement will create any contractual relationship between any subcontractor of Contractor and City. Contractor will be responsible for payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of a subcontractor by the terms of this Agreement applicable to Contractor's work unless specifically noted to the contrary in the subcontract and approved in writing by City. 8. OTHER CONTRACTORS The City reserves the right to employ other Contractors in connection with the Services. 9. INDEMNIFICATION Contractor agrees to indemnify and hold harmless the City and its officers, officials, employees and volunteers from and against all claims, damages, losses and expenses including attorneys fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the Contractor, any subcontractor, anyone directly or indirectly employed by any of them or anyone for whose acts any of them may be liable. The parties expressly agree that any payment, attorney’s fee, costs or expense City incurs or makes to or on behalf of an injured employee under the City’s self-administered workers’ compensation is included as a loss, expense or cost for the purposes of this section, and that this section will survive the expiration or early termination of this Agreement. 10. INSURANCE Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may arise out of or in connection with performance of the services by Contractor or Contractor’s agents, representatives, employees or subcontractors. The insurance will be obtained from an insurance carrier admitted and authorized to do business in the State of California. The insurance DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 3 carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California’s List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best’s Key Rating Guide of at least “A:X”; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report. 10.1 Coverage and Limits. Contractor will maintain the types of coverage and minimum limits indicated below, unless the Risk Manager or City Manager approves a lower amount. These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to the City as an additional insured. 10.1.1 Commercial General Liability (CGL) Insurance. Insurance written on an “occurrence” basis, including personal & advertising injury, with limits no less than $2,000,000 per occurrence. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit. 10.1.2 Automobile Liability. (if the use of an automobile is involved for Contractor's work for City). $2,000,000 combined single-limit per accident for bodily injury and property damage. 10.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code. Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this. 10.1.4 Professional Liability. Errors and omissions liability appropriate to Contractor’s profession with limits of not less than $1,000,000 per claim. Coverage must be maintained for a period of five years following the date of completion of the work. 10.2 Additional Provisions. Contractor will ensure that the policies of insurance required under this Agreement contain, or are endorsed to contain, the following provisions: 10.2.1 The City will be named as an additional insured on Commercial General Liability which shall provide primary coverage to the City. 10.2.2 Contractor will obtain occurrence coverage, excluding Professional Liability, which will be written as claims-made coverage. 10.2.3 This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement. 10.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City. 10.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance coverages, then City will have the option to declare Contractor in breach, or may purchase replacement insurance or pay the premiums that are due on existing policies in order to maintain the required coverages. Contractor is responsible for any payments made by City to obtain or DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 4 maintain insurance and City may collect these payments from Contractor or deduct the amount paid from any sums due Contractor under this Agreement. 10.5 Submission of Insurance Policies. City reserves the right to require, at any time, complete and certified copies of any or all required insurance policies and endorsements. 11. BUSINESS LICENSE Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time-to-time. 12. ACCOUNTING RECORDS Contractor will maintain complete and accurate records with respect to costs incurred under this Agreement. All records will be clearly identifiable. Contractor will allow a representative of City during normal business hours to examine, audit, and make transcripts or copies of records and any other documents created pursuant to this Agreement. Contractor will allow inspection of all work, data, documents, proceedings, and activities related to the Agreement for a period of three (3) years from the date of final payment under this Agreement. 13. OWNERSHIP OF DOCUMENTS All work product produced by Contractor or its agents, employees, and subcontractors pursuant to this Agreement is the property of City. In the event this Agreement is terminated, all work product produced by Contractor or its agents, employees and subcontractors pursuant to this Agreement will be delivered at once to City. Contractor will have the right to make one (1) copy of the work product for Contractor’s records. 14. COPYRIGHTS Contractor agrees that all copyrights that arise from the services will be vested in City and Contractor relinquishes all claims to the copyrights in favor of City. 15. NOTICES The name of the persons who are authorized to give written notice or to receive written notice on behalf of City and on behalf of Contractor under this Agreement. For City For Contractor Name Maria Callander Name Timothy Kinnerup Title IT Director Title Vice President Sales & Business Development Department Information Technology Address 9060 E Via Linda, Ste 220 City of Carlsbad Scottsdale, AZ 85258 Address 1635 Faraday Ave Phone No. (480) 483-4371 Carlsbad, CA 92008 Email tkinnerup@qcmtech.com Phone No. 760.442.2454 Each party will notify the other immediately of any changes of address that would require any notice or delivery to be directed to another address. /// /// DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 5 16. CONFLICT OF INTEREST Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report investments or interests in all categories. Yes No 17. GENERAL COMPLIANCE WITH LAWS Contractor will keep fully informed of federal, state and local laws and ordinances and regulations which in any manner affect those employed by Contractor, or in any way affect the performance of the Services by Contractor. Contractor will at all times observe and comply with these laws, ordinances, and regulations and will be responsible for the compliance of Contractor's services with all applicable laws, ordinances and regulations. Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986 and will comply with those requirements, including, but not limited to, verifying the eligibility for employment of all agents, employees, subcontractors and consultants whose services are required by this Agreement. 18. DISCRIMINATION AND HARASSMENT PROHIBITED Contractor will comply with all applicable local, state and federal laws and regulations prohibiting discrimination and harassment. 19. DISPUTE RESOLUTION If a dispute should arise regarding the performance of the Services the following procedure will be used to resolve any questions of fact or interpretation not otherwise settled by agreement between the parties. Representatives of Contractor or City will reduce such questions, and their respective views, to writing. A copy of such documented dispute will be forwarded to both parties involved along with recommended methods of resolution, which would be of benefit to both parties. The representative receiving the letter will reply to the letter along with a recommended method of resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded to the City Manager. The City Manager will consider the facts and solutions recommended by each party and may then opt to direct a solution to the problem. In such cases, the action of the City Manager will be binding upon the parties involved, although nothing in this procedure will prohibit the parties from seeking remedies available to them at law. 20. TERMINATION In the event of the Contractor's failure to prosecute, deliver, or perform the Services, City may terminate this Agreement for nonperformance by notifying Contractor by certified mail of the termination. If City decides to abandon or indefinitely postpone the work or services contemplated by this Agreement, City may terminate this Agreement upon written notice to Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any documents owned by City and all work in progress to City address contained in this Agreement. City will make a determination of fact based upon the work product delivered to City and of the percentage of work that Contractor has performed which is usable and of worth to City in having the Agreement completed. Based upon that finding City will determine the final payment of the Agreement. Either party upon tendering thirty (30) days written notice to the other party may terminate this Agreement. In this event and upon request of City, Contractor will assemble the work product and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for work performed to the termination date; however, the total will not exceed the lump sum fee payable DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 □ ~ Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 6 under this Agreement. City will make the final determination as to the portions of tasks completed and the compensation to be made. 21. COVENANTS AGAINST CONTINGENT FEES Contractor warrants that Contractor has not employed or retained any company or person, other than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that Contractor has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration contingent upon, or resulting from, the award or making of this Agreement. For breach or violation of this warranty, City will have the right to annul this Agreement without liability, or, in its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee. 22. CLAIMS AND LAWSUITS By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must be asserted as part of the Agreement process as set forth in this Agreement and not in anticipation of litigation or in conjunction with litigation. Contractor acknowledges that if a false claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal prosecution. Contractor acknowledges that California Government Code sections 12650 et seq., the False Claims Act applies to this Agreement and, provides for civil penalties where a person knowingly submits a false claim to a public entity. These provisions include false claims made with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to recover its litigation costs, including attorney's fees. Contractor acknowledges that the filing of a false claim may subject Contractor to an administrative debarment proceeding as the result of which Contractor may be prevented to act as a Contractor on any public work or improvement for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction is grounds for City to terminate this Agreement. 23. JURISDICTION AND VENUE Any action at law or in equity brought by either of the parties for the purpose of enforcing a right or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the County of San Diego, State of California, and the parties waive all provisions of law providing for a change of venue in these proceedings to any other county. 24. SUCCESSORS AND ASSIGNS It is mutually understood and agreed that this Agreement will be binding upon City and Contractor and their respective successors. Neither this Agreement nor any part of it nor any monies due or to become due under it may be assigned by Contractor without the prior consent of City, which shall not be unreasonably withheld. 25. ENTIRE AGREEMENT This Agreement, together with any other written document referred to or contemplated by it, along with the purchase order for this Agreement and its provisions, embody the entire Agreement and understanding between the parties relating to the subject matter of it. In case of conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor any of its provisions may be amended, modified, waived or discharged except in a writing signed by both parties. DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Tracking #: ITPSA: 2022-001 City Attorney Approved Version 6/12/18 7 26. AUTHORITY The individuals executing this Agreement and the instruments referenced in it on behalf of Contractor each represent and warrant that they have the legal power, right and actual authority to bind Contractor to the terms and conditions of this Agreement. CONTRACTOR CITY OF CARLSBAD, a municipal corporation of the State of California By: By: (sign here) Assistant City Manager (print name/title) ATTEST: By: (sign here) FAVIOLA MEDINA City Clerk Services Manager (print name/title) If required by City, proper notarial acknowledgment of execution by contractor must be attached. If a corporation, Agreement must be signed by one corporate officer from each of the following two groups. Group A Group B Chairman, Secretary, President, or Assistant Secretary, Vice-President CFO or Assistant Treasurer Otherwise, the corporation must attach a resolution certified by the secretary or assistant secretary under corporate seal empowering the officer(s) signing to bind the corporation. APPROVED AS TO FORM: CELIA A. BREWER, City Attorney BY: _____________________________ Assistant City Attorney DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 VPTim Kinnerup Tim Knight Controller for Technologies Statement of Work LogRhythm TruSOC Services Only for City of Carlsbad 20220308-17282-Managed LogRhythm Prepared by: QCM Technologies DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Description of Service(s) Task 1: Managed Security Services QCM/Avertium's Managed Security Service (MSS) provides comprehensive business protection 24x7x365 from our SOC 2 certifiedCyber Fusion Center (CFC). QCM/Avertium takes pride in its commitment to deliver the highest quality and reliability as part of our MSS. Details of our client commitment to provide these services are outlined in the sections below that address the service components and the technology components of our offering. Implementation QCM/Avertium will partner with Client to configure their Log Rhythm instance to connect to the QCM/Avertium CFC in order to perform ongoing monitoring and alerting. QCM/Avertium will provide consulting and technical expertise to deliver the work defined in the Implementation project plan based onthe following approach: 1.Project Initiation / Kick-off2.Solution Design and Implementation Planning3.Core Implementation4.Log Source On-boarding5.Threat Management Foundations, Use Case Creation, Testing, & Tuning6.User Acceptance Testing7.Project Closeout Prior to the core implementation phase starting, Client will complete the following tasks: 1.Ensure supporting infrastructure is prepared for implementation2.Power on server(s) and perform initial operating system configuration when prompted.3.Assign static IP address(es).4.Assign a host name.5.Ensure RDP/SSH access.6.Ensure access and permission to install on Windows/Linux host(s).7.Provide log source documents, prerequisites and collection methods for any additional required log sources.8.Configure antivirus exclusions.9.Open relevant firewall ports.10.Create/provide service accounts required for solution.11.Ensure any required change control approvals are in place. Monitoring and Alerting Once the installation is completed, QCM/Avertium security analysts will monitor Client's environment for significant security events and will alert Client regarding these events, as defined in the Service Rules and Regulations section of this document. The security staff in the CFC will review the events by monitoring the LogRhythm system and responding to automated alerts defined during the Implementation phase of the project. •QCM/Avertium security analysts will provide concise, actionable information to support Client's response to securityevents. Ongoing activities provided as part of our service are noted below: o Monitor SIEM -investigate alerts and alarmsoCreate new SIEM policies based on client requirements -TuningoOnboarding new data sources* -(examples include new firewalls, security technologies, and applications)o Create tickets for client visibilityoRegular meetings with a Service Delivery Manager (SOM)o Quarterly or Bi-annual Executive Briefing 20220308-17282-Managed LogRhythm 2 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Engineering QCM/Avertium will assist Client in the managing and maintenance of the Log Rhythm solution. These Maintenance tasks include: •Troubleshoot software and hardware issues when log sources are interrupted or fail to report log events •Troubleshoot solution system component problems•Updating system configuration settings on solution components for general updates, maintenance, or performance tuning •Provide source tuning and filtering •Changes shall be managed and documented according to Client change management procedures. Provide patching and software updates to the LogRhythm solution within Client change management guidelines. Assumptions and Client Requirements Client agrees to perform the obligations and acknowledges and agrees that QCM/Avertium ability to perform its obligations and its responsibilities are dependent on Client's compliance with the following: Client is responsible for making changes in their own environment in order to allow every QCM/Avertium managed device the continuous connectivity required for the complete operation and management of the device. These include, for example, incoming and outgoing firewall permissions, supplying static IP addresses, and physical connections to the network. A complete listing, based on purchased service(s), will be provided during the initial kick-off process; and can also be provided in advance upon request. Client is responsible for maintaining appropriate levels of hardware support, maintenance and connectivity to prevent network performance degradation and maintain communications between the Clients contracted devices and our managed security service. Client is responsible for all configuration changes to their own equipment required for QCM/Avertium to receive log data including implementing necessary tools to convert proprietary log formats into syslog or other standard output. Client is responsible for supplying QCM/Avertium with a maintenance window for patching and needed system adjustments and will include rebooting of the managed devices. , .Client agrees that if QCM/Avertium determines that a managed device issue is causing a critical level of outage, QCM/Avertium has the right to reboot and repair the device without additional approvals. QCM/Avertium will alert Client should such an event occur. 20220308-17282-Managed LogRhythm 3 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Service Rules and Regulations Deployment of QCM/Avertium monitored security services in a Client network does not guarantee that intrusions, compromises, or anyother unauthorized activity will not occur on a Client network. QCM/Avertium will not be undertaking any management of any of the devices subject to this service for intrusions, compromises, orany other unauthorized activity. Client is solely responsible for acting upon the events and alerts presented to Client for the devices subject to this service. QCM/Avertium shall not have any liability or responsibility in connection with or arising out of Client's actions, failure to act or delay in acting on such events and/or alerts as and when presented. The Service Level Objectives below shall not apply during a scheduled or emergency maintenance outage or in the event of any Client-caused service outage that prohibits or otherwise limits QCM/Avertium from providing the service including but not limited to, misconduct, negligence, inaccurate or incomplete information, modifications made to the services, or modifications made to any monitored hardware or software devices by the Client. This includes issues caused by Client's employees, agents, or third parties. QCM/Avertium will occasionally use third-party vendor's products to deliver its services, (LogRhythm™, Sophos™, etc.). QCM/Avertium and Client shall comply with the vendor specifications of their product and any modifications to those specifications during the term ofthis service. Service Level Objective QCM/Avertium's Cyber Fusion Center (CFC) will maintain communications availability to the Internet 99.9% of the time during a calendar month. "Communications availability" is defined as the ability for QCM/Avertium's CFC to transmit and receive TCP/IP packets between its networks and its upstream Internet Service Provider. 20220308-17282-Managed LogRhythm 4 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Platform Hygiene Service Level Objectives Description Frequency/Coverage Reporting Datasource logging Continuous, � 80% of in-scope Monthly assets System connectivity Continuous, � 95% of time Monthly Service Deliverables QCM/Avertium's core MSS service produces the following key deliverables over the course of the engagement: Services •Named SOM •24/7/365 monitoring and alerting •Ongoing tuning, custom rule creation •Active Threat Hunting Platform •Fully managed SIEM, Client-owned LogRhythm o Support for up to 750 MPS o 30 days hot storage; 1 year cold storage •Third-party Threat Intelligence Reporting •Weekly, Monthly, Quarterly Reporting 20220308-17282-Managed LogRhythm 5 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Declarations and Other Assumptions Declarations Out-Of-Scope Declaration Out-of-scope issues will be reviewed throughout the term of this Statement of Work. Out-of-scope scenarios include any change within Client's environment which materially impacts QCM/Avertium's ability to deliver services in alignment with the statement of work,scoping assumptions, pricing, and other essential elements of this Statement of Work. If necessary, an amendment to this Statement of Work will be executed as mutually agreed to address pertinent out-of-scope changes. Any corresponding changes to the Statement of Work, scoping assumptions, pricing, and other essential elements will be included in the amendment. Other Assumptions Management, Administrative, Logistics, Process Assumptions •Client will provide a designated point of contact (POC) to facilitate access to information required for QCM/Avertium toperform the services noted. It is preferred that the POC have system and network administration skills. •Unless otherwise noted in this Statement of Work, all work will be done durihg QCM/Avertium's normal businesshours (Monday -Friday 8:30 am - 5:30 pm local time). Avertium/QCM will obtain prior written consent from Clientprior toincurring fees for work performed during non-standard business hours. •In the event that QCM/Avertium's needs to deliver additional professional services to Client, which is beyond the scopenoted herein, Client may procure that engagement at QCM/Avertium's then current rate. A QCM/Avertium AccountExecutive can assist and provide Client with pricing for the proposed solution. When possible, QCM/Avertium willprovide a recommended block of hours to purchase for budgetary estimate purposes. Client will be invoiced for theactual hours used during the engagement. Prior to the start of the engagement, both organizations will need to confirm. acceptance of the arrangements via email communication. 20220308-17282-Managed LogRhythm 6 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Fees and Expenses Monthly Monitoring & Management Description Qty Price TruSOC Monitoring & Management, service orily - GSA Contract# 47QTCA21D00BD SIN# 544J2 IT Service Management Consultant Monthly Billing -26.75 hours@ $217.49 per hour TruSOC solution service using the LogRhythm SIEM platform and client owned lcensing monthly pricing noted herein includes up to 750 messages per second (MPS) 12 $5,817.85 Invoicing First month's charge will occur thirty (30) calendar days following the effective date of this Agreement. Taxes, shipping, handling, and other fees may apply and will be invoiced to Client, as applicable. Travel Expenses Travel expenses may be incurred in order for QCM/Avertium's consultants to provide the services as noted herein. However; QCM/Avertium will make every effort to obtain Client's approval before incurring such expenses. Any unwillingness to allow for travel expenses could result in the delay of providing the services you expect and the timing of the project. Travel expenses and incidentals incurred to deliver the proposed solution will be governed by the QCM/Avertium travel policies and will be billed either as incurred or at the end of the project based on assuring you have a timely billing of the total expenses. The payment of these expenses will be governed by the terms of this engagement. Subtotal: $69,814.20 20220308-17282-Managed LogRhythm 7 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 LogRhythm TruSOC Services Only for City of Carlsbad Prepared by: QCM Technologies 9060 E Via LindaSuite 220 Scottsdale, AZ 85258-5423 . Tim Kinnerup (480} 483-4371 TKinnerup@gcmtech.com Totals Prepared for: City of Carlsbad Contract Information: 20220308-17282-ManagedlogRhythm Delivery Date: 03/15/2022 Expiration Date: 06/06/2022 Total: $69,814.20 Payment terms are as agreed upon in Client's fully executed master document. Pricing offered is valid as noted in this Statement of Work. Sales tax may be applied where applicable. 20220308-17282-Managed LogRhythm 8 of 8 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Administrative Services Branch Information Technology 1635 Faraday Ave. ï Carlsbad, CA 92008 ï 442-339-2450 t Memorandum April 21, 2022 To: Geoff Patnoe, Assistant City Manager From: Hendra Gunawan, IT Security Manager Via: Maria Callander, Director of IT Laura Rocha, Deputy City Manager Administrative Services Re: Agreement for Avertium Consulting Services with QCM Technologies This memorandum provides an explanation of the goals relating to the agreement for Avertium Managed Security Services with QCM Technologies. Background In 2016 the Police Department implemented a security tool known as a SIEM (Security Information and Event Management). This system collects log data from numerous technical systems and aggregates it into one platform. Thus, providing the ability to detect and investigate cyber threats more effectively. In 2020 this system was re-implemented to provide visibility on citywide systems, not just those at the Police Department. Since the original implementation, IT has struggled to make full use of the platform due to insufficient staff resources. When our IT Security Manager joined the team, we began investigating a managed service arrangement to address this issue. Based on the operational needs of our organization, we chose to pursue a co-managed arrangement whereby the internal staff have full access to the system and can use it as needed, but maintenance and expert use can be handling via outsourcing. Discussion The purpose of this agreement is to establish a managed services agreement with a third party to monitor cybersecurity related information for the city. This monitoring will occur on a 24/7 basis and greatly increase staff visibility into any potential threats. The agreement is for one initial year with the option to extend for one two-year period if the services are to our standards. The service provider’s team will collaborate with our internal IT team, providing expert advice and information on major security incidents or threats. Additionally, staff will be able to continue to benefit from the use of our tools, while outsourcing maintenance and monitoring of these tools. DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 {city of Carlsbad Memo - Agreement for Avertium Consulting Services with QCM Technologies April 21, 2022 Page 2 Other benefits of this service include customized reporting and the ability for the provider to quickly act on urgent issues as authorized by staff. Next Steps Approve the Agreement for Avertium Managed Security Services with QCM Technologies. Fiscal Impact The cost for the project is $67,500 for the initial year and funding was approved through the FY 2021-22 SDTIP budget process. If the two-year extension at $67,500 annually is approved the services will be operationalized and have been considered for the FY 2022-23 budget process and beyond. Attachment: Agreement for Avertium Managed Security Services with QCM Technologies CC: Brent Gerber DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 QCMTECHN ACORD™ CERTIFICATE OF LIABILITY INSURANCE I DATE (MM/DD/YYYY) 4/06/2022 THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer any rights to the certificate holder in lieu of such endorsement(s). PRODUCER ~2UifCT Sarah L. Armenta USI Southwest rt8Ntfo Extl: 602-749-4122 I FAX (AIC, No): 9811 Katy Freeway, Suite 500 iflJ~ss: sarah.armenta@usi.com Houston, TX 77024 INSURER(S) AFFORDING COVERAGE NAIC# 855 874-1450 INSURER A : Hartford Fire Insurance Company 19682 INSURED INSURER B : Hartford Casualty Insurance Company 29424 QCM Technologies, Inc. INSURER c : Technology Insurance Company, Inc. 42376 9060 E Via Linda Suite 220 Scottsdale, AZ 85258 INSURERD: INSURERE : INSURERF : COVERAGES CERTIFICATE NUMBER: REVISION NUMBER: THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. INSR TYPE OF INSURANCE ADDL SUBR ":~M&YY~~~i ,:SM&M~~i LIMITS LTR INSR WVD POLICY NUMBER A X COMMERCIAL GENERAL LIABILITY X X 59UUNVF0809 01/01/2022 01/01/202~ EACH OCCURRENCE $1 000.000 I CLAIMS-MADE [!] OCCUR ~~r~~H9E~~~.frPence) $1,000,000 f-- MED EXP (Any one person) $10,000 PERSONAL & ADV INJURY $1,000,000 f--GEN'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $2,000,000 P1 n PRO-n LOC $2,000,000 POLICY _ JECT PRODUCTS -COMP/OP AGG OTHER: $ A AUTOMOBILE LIABILITY X X 59UUNVF0809 01/01/2022 01/01/202~ COMBINED SINGLE LIMIT $1,000,000 (Ea accident) f-- ANY AUTO BODILY INJURY (Per person) $ f---OWNED SCHEDULED AUTOS ONLY AUTOS BODILY INJURY (Per accident) $ - X HIRED X NON-OWNED PROPERTY DAMAGE $ AUTOS ONLY AUTOS ONLY (Per accident) f---$ B ,__! UMBRELLA LIAB ~ OCCUR 59RHUVX9907 01/01/2022 01/01/202~ EACH OCCURRENCE $5,000 000 EXCESSLIAB CLAIMS-MADE AGGREGATE $5.000 000 oEo I xi RETENTION$10 ooo $ C WORKERS COMPENSATION TWC4065311 01/01/2022 01/01/202~ X l~-Frrnn: I I2JH-AND EMPLOYERS" LIABILITY y / N $1,000 000 ANY PROPRIETOR/PARTNER/EXECUTIVE [Ji] E.L. EACH ACCIDENT OFFICER/MEMBER EXCLUDED? N NIA (Mandatory in NH) E.L. DISEASE -EA EMPLOYEE $1 ,000,000 If yes, describe under E.L. DISEASE -POLICY LIMIT $1,000,000 DESCRIPTION OF OPERATIONS below A Professional Tech 59TE026313822 03/01/2022 01/01/202~ $3,000,000 Each Act Liability w/Cyber $3,000,000 Aggregate Retro: 12/01/01 $25,000 Retention DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) The General Liability and Automobile Liability Policies include an automatic Additional Insured endorsement that provides Additional Insured status to the Certificate Holder only when there is a written contract that requires such status, and only with regard to work performed by or on behalf of the named insured. The General Liability and Automobile Liability Policies contain a special endorsement with "Primary and Noncontributory" wording, when required by written contract. The General Liability and Automobile Liability (See Attached Descriptions) CERTIFICATE HOLDER City of Carlsbad 1635 Faraday Avenue Carlsbad, CA 92008 CANCELLATION SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. AUTHORIZED REPRESENTATIVE © 1988-2015 ACORD CORPORATION. All rights reserved. ACORD 25 (2016/03) 1 of 2 The ACORD name and logo are registered marks of ACORD #S35565781 /M35221322 VAPZP DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 DESCRIPTIONS {Continued from Page 1) Policies provide a Blanket Waiver of Subrogation when required by written contract. The General Liability includes an endorsement providing that 30 days notice of cancellation will be given to the Certificate Holder by the Insurance Carrier. Umbrella Liability follows over the General Liability, Automobile Liability and Worker's Compensation Policies. Additional Insured Includes: City of Carlsbad SAGITT A 25.3 (2016/03) 2 of 2 #S35565781 /M35221322 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 POLICY NUMBER: 59UUNVF0809 The insurance afforded herein for any subsidiary not named in this Coverage Part as a named insured does not apply to injury or damage with respect to which such insured is also a named insured under another policy or would be a named insured under such policy but for its termination or the exhaustion of its limits of insurance. 3. Newly Acquired Or Formed Organization Any organization you newly acquire or form, other than a partnership, joint venture or limited liability company, and over which you maintain financial interest of more than 50% of the voting stock, will qualify as a Named Insured if there is no other similar insurance available to that organization. However: a. Coverage under this provision is afforded only until the 180th day after you acquire or form the organization or the end of the policy period, whichever is earlier; b. Coverage A does not apply to "bodily injury" or "property damage" that occurred before you acquired or formed the organization; and c. Coverage B does not apply to "personal and advertising injury" arising out of an offense committed before you acquired or formed the organization. 4. Nonowned Watercraft With respect to watercraft you do not own that is less than 51 feet long and is not being used to carry persons for a charge, any person is an insured while operating such watercraft with your permission. Any other person or organization responsible for the conduct of such person is also an insured, but only with respect to liability arising out of the operation of the watercraft, and only if no other insurance of any kind is available to that person or organization for this liability. However, no person or organization is an insured with respect to: a. "Bodily injury" to a co-"employee" of the person operating the watercraft; or b. "Property damage" to property owned by, rented to, in the charge of or occupied by you or the employer of any person who is an insured under this provision. 5. Additional Insureds When Required By Written Contract, Written Agreement Or Permit The following person(s) or organization(s) are an additional insured when you have agreed, in a written contract, written agreement or because of a permit issued by a state or political subdivision, that such person or organization be added as an additional insured on your policy, provided the injury or damage occurs subsequent to the execution of the contract or agreement. Page 12 of 21 A person or organization is an additional insured under this provision only for that period of time required by the contract or agreement. However, no such person or organization is an insured under this provision if such person or organization is included as an insured by an endorsement issued by us and made a part of this Coverage Part. a. Vendors Any person(s) or organization(s) (referred to below as vendor), but only with respect to "bodily injury" or "property damage" arising out of "your products" which are distributed or sold in the regular course of the vendor's business and only if this Coverage Part provides coverage for "bodily injury" or "property damage" included within the "products-completed operations hazard". (1) The insurance afforded the vendor is subject to the following additional exclusions: This insurance does not apply to: (a) "Bodily injury" or "property damage" for which the vendor is obligated to pay damages by reason of the assumption of liability in a contract or agreement. This exclusion does not apply to liability for damages that the vendor would have in the absence of the contract or agreement; (b) Any express warranty unauthorized by you; (c) Any physical or chemical change in the product made intentionally by the vendor; (d) Repackaging, except when unpacked solely for the purpose of inspection, demonstration, testing , or the substitution of parts under instructions from the manufacturer, and then repackaged in the original container; (e) Any failure to make such inspections, adjustments, tests or servicing as the vendor has agreed to make or normally undertakes to make in the usual course of business, in connection with the distribution or sale of the products; (f) Demonstration, installation, servicing or repair operations, except such operations performed at the vendor's premises in connection with the sale of the product; (g) Products which, after distribution or sale by you, have been labeled or relabeled or used as a container, part or ingredient of any other thing or substance by or for the vendor; or HG 00 01 0916 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 (h) "Bodily injury" or "property damage" arising out of the sole negligence of the vendor for its own acts or omissions or those of its employees or anyone else acting on its behalf. However, this exclusion does not apply to: (i) The exceptions contained in Sub- paragraphs (d) or (f); or (ii) Such inspections, adjustments, tests or servicing as the vendor has agreed to make or normally undertakes to make in the usual course of business, in connection with the distribution or sale of the products. (2) This insurance does not apply to any insured person or organization, from whom you have acquired such products, or any ingredient, part or container, entering into, accompanying or containing such products. b. Lessors Of Equipment (1) Any person(s) or organization(s) fr~m whom you lease equipment; but only with respect to their liability for "bodily injury", "property damage" or "~ersonal a~d advertising injury" caused, in whol~ or in part, by your maintenance, operation or use of equipment leased to you by such person(s) or organization(s). (2) With respect to the insurance afforded to these additional insureds this insurance does not apply to any "occurrence" which takes place after the equipment lease expires. c. Lessors Of Land Or Premises Any person or organization from whom you lease land or premises, but only with respect to liability arising out of the ownership, maintenance or use of that part of the land or premises leased to you. With respect to the insurance afforded these additional insureds the following additional exclusions apply: This insurance does not apply to: 1. Any "occurrence" which takes place after you cease to lease that land; or 2. Structural alterations, new construction or demolition operations performed by or on behalf of such person or organization. d. Architects, Engineers Or Surveyors Any architect, engineer, or su~eyo_r, but_ onl,Y with respect to liability for bodily 1nJury , "property damage" or . "personal_ and advertising injury" caused, in whole or in part, by your acts or omissions or the acts or HG 00 01 0916 omissions of those acting on your behalf: (1) In connection with your premises; or (2) In the performance of your ongoing operations performed by you or on your behalf. With respect to the insurance afforded these additional insureds, the following additional exclusion applies: This insurance does not apply to "bodily injury", "property damage" or "personal ~nd advertising injury" arising out of the rend~nng of or the failure to render any professional services by or for you, including: 1. The preparing, approving, or failing to prepare or approve, maps, shop drawings, opinions, reports, surveys, field orders, change orders or drawings and specifications; or 2. Supervisory, inspection, architectural or engineering activities. This exclusion applies even if the claims against any insured allege n~g!igenc~. or other wrongdoing in the supervision, hiring, employment, training or monitoring of oth~rs by that insured, if the "occurrence" which caused the "bodily injury" or "property damage", or the offense which caused the "personal and advertising injury", involved the rendering of or the failure to render any professional services by or for you. e. Permits Issued By State Or Political Subdivisions Any state or political subdivision, but only with respect to operations performed by you ~r. on your behalf for which the state or political subdivision has issued a permit. With respect to the insurance afforded these additional insureds, this insurance does not apply to: (1) "Bodily injury", "property damage" or "personal and advertising injury" arising out of operations performed for the state or municipality; or (2) "Bodily injury" or "property damage" included within the "products-completed operations hazard". f. Any Other Party Any other person or organization who is not an additional insured under Paragraphs a. through e. above, but only with respect to liability for "bodily injury", "property damag~" or "personal and advertising injury" ~au_sed, in whole or in part, by your acts or omissions or the acts or omissions of those acting on your behalf: (1) In the performance of your ongoing operations; Page 13 of 21 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 (2) In connection with your premises owned by or rented to you ; or (3) In connection with "your work" and included within the "products-completed operations hazard", but only if (a) The written contract or agreement requires you to provide such coverage to such additional insured; and (b) This Coverage Part provides coverage for "bodily injury" or "property damage" included within the "products- completed operations hazard". However: (1) The insurance afforded to such additional insured only applies to the extent permitted by law; and (2) If coverage provided to the additional insured is required by a contract or agreement, the insurance afforded to such additional insured will not be broader than that which you are required by the contract or agreement to provide for such additional insured. With respect to the insurance afforded to these additional insureds, this insurance does not apply to: "Bodily injury", "property damage" or "personal and advertising injury" arising out of the rendering of, or the failure to render, any professional architectural, engineering or surveying services, including: (1) The preparing, approving, or failing to prepare or approve, maps, shop drawings, opinions, reports, surveys, field orders, change orders or drawings and specifications; or (2) Supervisory, inspection, architectural or engineering activities. This exclusion applies even if the claims against any insured allege negligence or other wrongdoing in the supervision, hiring, employment, training or monitoring of others by that insured, if the "occurrence" which caused the "bodily injury" or "property damage", or the offense which caused the "personal and advertising injury", involved the rendering of or the failure to render any professional services by or for you. The limits of insurance that apply to additional insureds is described in Section Ill -Limits Of Insurance. How this insurance applies when other insurance is available to the additional insured is described in the Other Insurance Condition in Section IV - Commercial General Liability Conditions. Page 14 of 21 No person or organization is an insured with respect to the conduct of any current or past partnership, joint venture or limited liability company that is not shown as a Named Insured in the Declarations. SECTION Ill -LIMITS OF INSURANCE 1. The Most We Will Pay The Limits of Insurance shown in the Declarations and the rules below fix the most we will pay regardless of the number of: a. Insureds; b. Claims made or "suits" brought; or c. Persons or organizations making claims or bringing "suits". 2. General Aggregate Limit The General Aggregate Limit is the most we will pay for the sum of: a. Medical expenses under Coverage C; b. Damages under Coverage A, except damages because of "bodily injury" or "property damage" included in the "products- completed operations hazard"; and c. Damages under Coverage B. 3. Products-Completed Operations Aggregate Limit The Products-Completed Operations Aggregate Limit is the most we will pay under Coverage A for damages because of "bodily injury" and "property damage" included in the "products- completed operations hazard". 4. Personal And Advertising Injury Limit Subject to 2. above, the Personal and Advertising Injury Limit is the most we will pay under Coverage B for the sum of all damages because of all "personal and advertising injury" sustained by any one person or organization. 5. Each Occurrence Limit Subject to 2. or 3. above, whichever applies, the Each Occurrence Limit is the most we will pay for the sum of: a. Damages under Coverage A; and b. Medical expenses under Coverage C because of all "bodily injury" and "property damage" arising out of any one "occurrence". 6. Damage To Premises Rented To You Limit Subject to 5. above, the Damage To Premises Rented To You Limit is the most we will pay under Coverage A for damages because of "property damage" to any one premises, while rented to you, or in the case of damage by fire, lightning or explosion, while rented to you or temporarily occupied by you with permission of the owner. HG 00 01 0916 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 In the case of damage by fire, lightning or explosion, the Damage to Premises Rented To You Limit applies to all damage proximately caused by the same event, whether such damage results from fire, lightning or explosion or any combination of these. 7. Medical Expense Limit Subject to 5. above, the Medical Expense Limit is the most we will pay under Coverage C for all medical expenses because of "bodily injury" sustained by any one person. 8. How Limits Apply To Additional Insureds If you have agreed in a written contract or written agreement that another person or organization be added as an additional insured on your policy, the most we will pay on behalf of such additional insured is the lesser of: a. The limits of insurance specified in the written contract or written agreement; or b. The Limits of Insurance shown in the Declarations. Such amount shall be a part of and not in addition to Limits of Insurance shown in the Declarations and described in this Section. The Limits of Insurance of this Coverage Part apply separately to each consecutive annual period and to any remaining period of less than 12 months, starting with the beginning of the policy period shown in the Declarations, unless the policy period is extended after issuance for an additional period of less than 12 months. In that case, the additional period will be deemed part of the last preceding period for purposes of determining the Limits of Insurance. SECTION IV COMMERCIAL GENERAL LIABILITY CONDITIONS 1. Bankruptcy Bankruptcy or insolvency of the insured or of the insured's estate will not relieve us of our obligations under this Coverage Part. 2. Duties In The Event Of Occurrence, Offense, Claim Or Suit a. Notice Of Occurrence Or Offense You or any additional insured must see to it that we are notified as soon as practicable of an "occurrence" or an offense which may result in a claim. To the extent possible, notice should include: (1) How, when and where the "occurrence" or offense took place ; (2) The names and addresses of any injured persons and witnesses; and (3) The nature and location of any injury or damage arising out of the "occurrence" or offense. HG 00 01 0916 b. Notice Of Claim If a claim is made or "suit" is brought against any insured, you or any additional insured must: (1) Immediately record the specifics of the claim or "suit" and the date received; and (2) Notify us as soon as practicable. You or any additional insured must see to it that we receive written notice of the claim or "suit" as soon as practicable. c. Assistance And Cooperation Of The Insured You and any other involved insured must: (1) Immediately send us copies of any demands, notices, summonses or legal papers received in connection with the claim or "suit"; (2) Authorize us to obtain records and other information; (3) Cooperate with us in the investigation or settlement of the claim or defense against the "suit"; and (4) Assist us, upon our request, in the enforcement of any right against any person or organization which may be liable to the insured because of injury or damage to which this insurance may also apply. d. Obligations At The Insureds Own Cost No insured will, except at that insured's own cost, voluntarily make a payment, assume any obligation, or incur any expense, other than for first aid, without our consent. e. Additional Insureds Other Insurance If we cover a claim or "suit" under this Coverage Part that may also be covered by other insurance available to an additional insured, such additional insured must submit such claim or "suit" to the other insurer for defense and indemnity. However, this provision does not apply to the extent that you have agreed in a written contract or written agreement that this insurance is primary and non-contributory with the additional insured's own insurance. f. Knowledge Of An Occurrence, Offense, Claim Or Suit Paragraphs a. and b. apply to you or to any additional insured only when such "occurrence", offense, claim or "suit" is known to: (1) You or any additional insured that is an individual; (2) Any partner, if you or the additional insured is a partnership; Page 15 of 21 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 Paragraphs (a) and (b) do not apply to other insurance to which the additional insured has been added as an additional insured. When this insurance is excess, we will have no duty under Coverages A or B to defend the insured against any "suit" if any other insurer has a duty to defend the insured against that "suit". If no other insurer defends, we will undertake to do so, but we will be entitled to the insured's rights against all those other insurers. When this insurance is excess over other insurance, we will pay only our share of the amount of the loss, if any, that exceeds the sum of: (1) The total amount that all such other insurance would pay for the loss in the absence of this insurance; and (2) The total of all deductible and self-insured amounts under all that other insurance. We will share the remaining loss, if any, with any other insurance that is not described in this Excess Insurance provision and was not bought specifically to apply in excess of the Limits of Insurance shown in the Declarations of this Coverage Part. c. Method Of Sharing If all of the other insurance permits contribution by equal shares, we will follow this method also. Under this approach each insurer contributes equal amounts until it has paid its applicable limit of insurance or none of the loss remains, whichever comes first. If any of the other insurance does not permit contribution by equal shares, we will contribute by limits. Under this method, each insurer's share is based on the ratio of its applicable limit of insurance to the total applicable limits of insurance of all insurers. 5. Premium Audit a. We will compute all premiums for this Coverage Part in accordance with our rules and rates. b. Premium shown in this Coverage Part as advance premium is a deposit premium only. At the close of each audit period we will compute the earned premium for that period and send notice to the first Named Insured. The due date for audit and retrospective premiums is the date shown as the due date on the bill. If the sum of the advance and audit premiums paid for the policy period is greater than the earned premium, we will return the excess to the first Named Insured. c. The first Named Insured must keep records of the information we need for premium HG 00 01 0916 computation, and send us copies at such times as we may request. 6. Representations a. When You Accept This Policy By accepting this policy, you agree: (1) The statements in the Declarations are accurate and complete; (2) Those statements are based upon representations you made to us; and (3) We have issued this policy in reliance upon your representations. b. Unintentional Failure To Disclose Hazards If unintentionally you should fail to disclose all hazards relating to the conduct of your business that exist at the inception date of this Coverage Part, we shall not deny coverage under this Coverage Part because of such failure. 7. Separation Of Insureds Except with respect to the Limits of Insurance, and any rights or duties specifically assigned in this Coverage Part to the first Named Insured, this insurance applies: a. As if each Named Insured were the only Named Insured; and b. Separately to each insured against whom claim is made or "suit" is brought. 8. Transfer Of Rights Of Recovery Against Others To Us a. Transfer Of Rights Of Recovery If the insured has rights to recover all or part of any payment, including Supplementary Payments, we have made under this Coverage Part, those rights are transferred to us. The insured must do nothing after loss to impair them. At our request, the insured will bring "suit" or transfer those rights to us and help us enforce them. b. Waiver Of Rights Of Recovery (Waiver Of Subrogation) If the insured has waived any rights of recovery against any person or organization for all or part of any payment, including Supplementary Payments, we have made under this Coverage Part, we also waive that right, provided the insured waived their rights of recovery against such person or organization in a contract, agreement or permit that was executed prior to the injury or damage. 9. When We Do Not Renew If we decide not to renew this Coverage Part, we will mail or deliver to the first Named Insured shown in the Declarations written notice of the Page 17 of 21 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 POLICY NUMBER: 59UUNVF0809 COMMERCIAL AUTOMOBILE HA 99 16 03 12 THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. COMMERCIAL AUTOMOBILE BROAD FORM ENDORSEMENT This endorsement modifies insurance provided under the following: BUSINESS AUTO COVERAGE FORM To the extent that the provisions of this endorsement provide broader benefits to the "insured" than other provisions of the Coverage Form, the provisions of this endorsement apply. 1. BROAD FORM INSURED A. Subsidiaries and Newly Acquired or Formed Organizations The Named Insured shown in the Declarations is amended to include: (1) Any legal business entity other than a partnership or joint venture, formed as a subsidiary in which you have an ownership interest of more than 50% on the effective date of the Coverage Form. However, the Named Insured does not include any subsidiary that is an "insured" under any other automobile policy or would be an "insured" under such a policy but for its termination or the exhaustion of its Limit of Insurance. (2) Any organization that is acquired or formed by you and over which you maintain majority ownership. However, the Named Insured does not include any newly formed or acquired organization: (a) That is a partnership or joint venture, (b) That is an "insured" under any other policy, (c) That has exhausted its Limit of Insurance under any other policy, or (d) 180 days or more after its acquisition or formation by you , unless you have given us notice of the acquisition or formation. Coverage does not apply to "bodily injury" or "property damage" that results from an "accident" that occurred before you formed or acquired the organization. B. Employees as Insureds Paragraph A.1. -WHO IS AN INSURED -of SECTION II -LIABILITY COVERAGE is amended to add: d. Any "employee" of yours while using a covered "auto" you don't own, hire or borrow in your business or your personal affairs. C. Lessors as Insureds Paragraph A.1. -WHO IS AN INSURED -of Section 11 -Liability Coverage is amended to add: e. The lessor of a covered "auto" while the "auto" is leased to you under a written agreement if: (1) The agreement requires you to provide direct primary insurance for the lessor and (2) The "auto" is leased without a driver. Such a leased "auto" will be considered a covered "auto" you own and not a covered "auto" you hire. D. Additional Insured if Required by Contract (1) Paragraph A.1. -WHO IS AN INSURED -of Section II -Liability Coverage is amended to add: f. When you have agreed, in a written contract or written agreement, that a person or organization be added as an additional insured on your business auto policy, such person or organization is an "insured", but only to the extent such person or organization is liable for "bodily injury" or "property damage" caused by the conduct of an "insured" under paragraphs a. or b. of Who Is An Insured with regard to the ownership, maintenance or use of a covered "auto." Form HA 99 16 0312 © 2011 , The Hartford (Includes copyrighted material of ISO Properties, Inc., with its permission.) Page 1 of 5 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 The insurance afforded to any such additional insured applies only if the "bodily injury" or "property damage" occurs: (1) During the policy period, and (2) Subsequent to the execution of such written contract, and (3) Prior to the expiration of the period of time that the written contract requires such insurance be provided to the additional insured. (2) How Limits Apply If you have agreed in a written contract or written agreement that another person or organization be added as an additional insured on your policy, the most we will pay on behalf of such additional insured is the lesser of: (a) The limits of insurance specified in the written contract or written agreement; or (b) The Limits of Insurance shown in the Declarations. Such amount shall be a part of and not in addition to Limits of Insurance shown in the Declarations and described in this Section. (3) Additional Insureds Other Insurance If we cover a claim or "suit" under this Coverage Part that may also be covered by other insurance available to an additional insured, such additional insured must submit such claim or "suit" to the other insurer for defense and indemnity. However, this provision does not apply to the extent that you have agreed in a written contract or written agreement that this insurance is primary and non- contributory with the additional insured's own insurance. (4) Duties in The Event Of Accident, Claim, Suit or Loss If you have agreed in a written contract or written agreement that another person or organization be added as an additional insured on your policy, the additional insured shall be required to comply with the provisions in LOSS CONDITIONS 2. -DUTIES IN THE EVENT OF ACCIDENT, CLAIM , SUIT OR LOSS -OF SECTION IV - BUSINESS AUTO CONDITIONS, in the same manner as the Named Insured. E. Primary and Non-Contributory if Required by Contract Only with respect to insurance provided to an additional insured in 1.0. -Additional Insured If Required by Contract, the following provisions apply: (3) Primary Insurance When Required By Contract This insurance is primary if you have agreed in a written contract or written agreement that this insurance be primary. If other insurance is also primary, we will share with all that other insurance by the method described in Other Insurance 5.d. (4) Primary And Non-Contributory To Other Insurance When Required By Contract If you have agreed in a written contract or written agreement that this insurance is primary and non-contributory with the additional insured's own insurance, this insurance is primary and we will not seek contribution from that other insurance. Paragraphs (3) and (4) do not apply to other insurance to which the additional insured has been added as an additional insured. When this insurance is excess, we will have no duty to defend the insured against any "suit" if any other insurer has a duty to defend the insured against that "suit". If no other insurer defends, we will undertake to do so, but we will be entitled to the insured's rights against all those other insurers. When this insurance is excess over other insurance, we will pay only our share of the amount of the loss, if any, that exceeds the sum of: (1) The total amount that all such other insurance would pay for the loss in the absence of this insurance; and (2) The total of all deductible and self-insured amounts under all that other insurance. We will share the remaining loss, if any, by the method described in Other Insurance 5.d. 2. AUTOS RENTED BY EMPLOYEES Any "auto" hired or rented by your "employee" on your behalf and at your direction will be considered an "auto" you hire. The OTHER INSURANCE Condition is amended by adding the following: Form HA 9916 0312 © 2011 , The Hartford (Includes copyrighted material of ISO Properties, Inc., with its permission.) Page 2 of 5 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 (4) Necessary for the normal operation of the covered "auto" or the monitoring of the covered "auto's" operating system. b.Section Ill -Version CA 00 01 03 10 of the Business Auto Coverage Form, Physical Damage Coverage, Limit of Insurance, Paragraph C.2 and Version CA 00 01 10 01 of the Business Auto Coverage Form, Physical Damage Coverage, Limit of Insurance, Paragraph C are each amended to add the following: $1 ,500 is the most we will pay for "loss" in any one "accident'' to all electronic equipment (other than equipment designed solely for the reproduction of sound, and accessories used with such equipment) that reproduces, receives or transmits audio, visual or data signals which, at the time of "loss", is: (1) Permanently installed in or upon the covered "auto" in a housing, opening or other location that is not normally used by the "auto" manufacturer for the installation of such equipment; (2) Removable from a permanently installed housing unit as described in Paragraph 2.a. above or is an integral part of that equipment; or (3) An integral part of such equipment. c. For each covered "auto", should loss be limited to electronic equipment only, our obligation to pay for, repair, return or replace damaged or stolen electronic equipment will be reduced by the applicable deductible shown in the Declarations, or $250, whichever deductible is less. 9. EXTRA EXPENSE BROADENED COVERAGE Under Paragraph A. -COVERAGE -of SECTION Ill • PHYSICAL DAMAGE COVERAGE, we will pay for the expense of returning a stolen covered "auto" to you. 10. GLASS REPAIR -WAIVER OF DEDUCTIBLE Under Paragraph D. -DEDUCTIBLE -of SECTION Ill -PHYSICAL DAMAGE COVERAGE, the following is added: No deductible applies to glass damage if the glass is repaired rather than replaced. 11. TWO OR MORE DEDUCTIBLES Under Paragraph D. • DEDUCTIBLE • of SECTION Ill -PHYSICAL DAMAGE COVERAGE, the following is added: If another Hartford Financial Services Group, Inc. company policy or coverage form that is not an automobile policy or coverage form applies to the same "accident", the following applies: (1) If the deductible under this Business Auto Coverage Form is the smaller (or smallest) deductible, it will be waived; (2) If the deductible under this Business Auto Coverage Form is not the smaller (or smallest) deductible, it will be reduced by the amount of the smaller (or smallest) deductible. 12. AMENDED DUTIES IN THE EVENT OF ACCIDENT, CLAIM, SUIT OR LOSS The requirement in LOSS CONDITIONS 2.a. - DUTIES IN THE EVENT OF ACCIDENT,CLAIM, SUIT OR LOSS -of SECTION IV -BUSINESS AUTO CONDITIONS that you must notify us of an "accident" applies only when the "accident" is known to: (1) You, if you are an individual; (2) A partner, if you are a partnership; (3) A member, if you are a limited liability company; or (4) An executive officer or insurance manager, if you are a corporation. 13. UNINTENTIONAL FAILURE TO DISCLOSE HAZARDS If you unintentionally fail to disclose any hazards existing at the inception date of your policy, we will not deny coverage under this Coverage Form because of such failure. 14. HIRED AUTO -COVERAGE TERRITORY Paragraph e. of GENERAL CONDITIONS 7. - POLICY PERIOD, COVERAGE TERRITORY - of SECTION IV BUSINESS AUTO CONDITIONS is replaced by the following: e. For short-term hired "autos", the coverage territory with respect to Liability Coverage is anywhere in the world provided that if the "insured's" responsibility to pay damages for "bodily injury" or "property damage" is determined in a "suit," the "suit" is brought in the United States of America, the territories and possessions of the United States of America, Puerto Rico or Canada or in a settlement we agree to. 15. WAIVER OF SUBROGATION TRANSFER OF RIGHTS OF RECOVERY AGAINST OTHERS TO US -of SECTION IV - BUSINESS AUTO CONDITIONS is amended by adding the following: Form HA 9916 0312 © 2011 , The Hartford (Includes copyrighted material of ISO Properties, Inc., with its permission.) Page 4 of 5 DocuSign Envelope ID: 0B5B4E23-9AB1-4B00-8E81-626FD8C4ED25 We waive any right of recovery we may have against any person or organization with whom you have a written contract that requires such waiver because of payments we make for damages under this Coverage Form. 16. RESULTANT MENTAL ANGUISH COVERAGE The definition of "bodily injury" in SECTION V- DEFINITIONS is replaced by the following: "Bodily injury" means bodily injury, sickness or disease sustained by any person, including mental anguish or death resulting from any of these. 17. EXTENDED CANCELLATION CONDITION Paragraph 2. of the COMMON POLICY CONDITIONS -CANCELLATION -applies except as follows: If we cancel for any reason other than nonpayment of premium, we will mail or deliver to the first Named Insured written notice of cancellation at least 60 days before the effective date of cancellation. 18. HYBRID, ELECTRIC, OR NATURAL GAS VEH~LEPAYMENTCOVERAGE In the event of a total loss to a "non-hybrid" auto for which Comprehensive, Specified Causes of Loss, or Collision coverages are provided under this Coverage Form, then such Physical Damage Coverages are amended as follows: a. If the auto is replaced with a "hybrid" auto or an auto powered solely by electricity or natural gas, we will pay an additional 10%, to a maximum of $2,500, of the "non-hybrid" auto's actual cash value or replacement cost, whichever is less, b.The auto must be replaced and a copy of a bill of sale or new lease agreement received by us within 60 calendar days of the date of "loss," c. Regardless of the number of autos deemed a total loss, the most we will pay under this Hybrid, Electric, or Natural Gas Vehicle Payment Coverage provision for any one "loss" is $10,000. For the purposes of the coverage provision, a.A "non-hybrid" auto is defined as an auto that uses only an internal combustion engine to move the auto but does not include autos powered solely by electricity or natural gas. b.A "hybrid" auto is defined as an auto with an internal combustion engine and one or more electric motors; and that uses the internal combustion engine and one or more electric motors to move the auto, or the internal combustion engine to charge one or more electric motors, which move the auto. 19. VEHICLE WRAP COVERAGE In the event of a total loss to an "auto" for which Comprehensive, Specified Causes of Loss, or Collision coverages are provided under this Coverage Form, then such Physical Damage Coverages are amended to add the following: In addition to the actual cash value of the "auto", we will pay up to $1 ,000 for vinyl vehicle wraps which are displayed on the covered "auto" at the time of total loss. Regardless of the number of autos deemed a total loss, the most we will pay under this Vehicle Wrap Coverage provision for any one "loss" is $5,000. For purposes of this coverage provision, signs or other graphics painted or magnetically affixed to the vehicle are not considered vehicle wraps. Form HA 9916 0312 © 2011 , The Hartford (Includes copyrighted material of ISO Properties, Inc., with its permission.) Page 5 of 5