2022-12-06; City Council; Resolution 2022-271

RESOLUTION NO. 2022-271

A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF CARLSBAD, CALIFORNIA, AUTHORIZING THE CITY MANAGER TO EXECUTE A SUBSCRIPTION AND SERVICE AGREEMENT WITH PROCORE TECHNOLOGIES, INC FOR THE USE OF PROCORE PROJECT MANAGEMENT PRO SOFTWARE WITH NO COST ASSOCIATED WITH THE AGREEMENT FOR THE INITIAL TERM AND AUTHORIZING THE CITY MANAGER TO EXECUTE EXTENSIONS AND AMENDMENTS, IF APPROPRIATE

WHEREAS, the City Council of the City of Carlsbad, California has determined that the most effective way to operate and support the City of Carlsbad's project management requirements is with Procore Project Management Pro Software; and

WHEREAS, the City of Carlsbad currently does not have a project management solution in place and Procore Project Management Pro Software will be the solution chosen from a citywide requirement gathering process; and

WHEREAS, in order for the City of Carlsbad to use Procore Project Management Pro Software the City of Carlsbad is required to sign at no cost with Procore Technologies a subscription and service agreement for the project management solution in conjunction with a supplemental terms and conditions agreement with EC America, Inc for implementation, licensing and subscription services; and

WHEREAS, the city manager will have the authority to execute the subscription and service agreement with Procore Technologies and, if required, to execute extensions and amendments to the agreement;

WHEREAS, all cost associated with the use of Procore Project Management Pro Software are included with the EC America, Inc supplemental terms and conditions agreement for implementation, licensing and subscription services of Procore Project Management Pro Software.

NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Carlsbad, California, as follows:

1. That the above recitations are true and correct.
2. That the subscription and service agreement with Procore Technologies (Attachment A) is approved and the City Manager is authorized to execute all required documents on behalf of the city including possible extension and amendments for four one-year terms.

3. That there is no cost for the subscription and service agreement with Procore Technologies, Inc. and all cost associated with the use of Procore Project Management Pro Software are included with the EC America, Inc supplemental terms and conditions agreement for implementation, licensing and subscription services for the initial term ending one year from the date the agreement is signed:

PASSED, APPROVED AND ADOPTED at a Regular Meeting of the City Council of the City of Carlsbad on the 6th day of December, 2022, by the following vote, to wit:

AYES: Blackburn, Bhat-Patel, Acosta, Norby.
NAYS: None.
ABSENT: Hall.

MATT HALL, Mayor

FAVIOLA MEDINA, City Clerk Services Manager

(SEAL)

Procore_SSA_Rev 2022.01.10 Page 1 of 21

PROCORE SUBSCRIPTION AND SERVICES AGREEMENT

This Subscription and Services Agreement, including any Orders and SOWs, (“Agreement”) is entered into as of the date of the last signature below (the “Effective Date”) between the applicable Procore contracting entity set forth in Section 11.5 (“Procore”) and the City of Carlsbad, with offices at 1635 Faraday Ave, Carlsbad, CA 92008 (“Customer”). Procore and Customer may also be referred to herein individually as “Party” or together as the “Parties.” Capitalized terms used but not otherwise defined herein have the respective meanings designated in Section 12. The Parties hereby agree as follows:

1. PROVISION OF SERVICES

1.1. Access to Subscription Services.
Subject to Customer’s compliance with this Agreement and timely payment of applicable Fees, during the Subscription Term, Procore shall make the Subscription Services available to Customer for Customer’s internal business use in accordance with the Usage Metrics purchased by Customer. Customer agrees that its purchase and use of the Subscription Services are not contingent on any future functionality or features, or dependent on any oral or written statements made by Procore or any of its Affiliates regarding future functionality or features.

1.2. Evolving Procore Technology. Subject to Section 7.2(b), Procore may issue Updates for the Services during the Subscription Term.

1.3. Protection of Customer Data. Procore shall maintain administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Customer Data. Where Customer’s use of the Services includes the processing of “personal data” subject to applicable data protection laws, such use will be governed by the data processing addendum (“DPA”) that is incorporated into this Agreement. Customer shall only provide to Procore the minimum amount of personal data necessary to enable Customer to use the Services in accordance with this Agreement.

1.4. Beta Services. From time to time, Procore may invite Customer and Authorized Users to participate in a program regarding certain pre-release or beta services (collectively, “Beta Services”). Customer may accept or decline to participate in any Beta Services. Any services designated by Procore as Beta Services (e.g., “beta,” “pilot,” “limited release,” “developer preview,” “non-production evaluation,” or other similar designation) are solely for Customer’s evaluation purposes. If Customer opts into a Beta Service, Customer agrees to participate in usage and other testing and provide Feedback about such Beta Service, as reasonably requested by Procore.
Beta Services are not considered Services under this Agreement, are not supported, and may be subject to additional program terms. Unless otherwise stated, any Beta Service evaluation period will expire upon the earlier of one (1) year from the evaluation start date and the date of such Beta Service’s commercial release, unless such Beta Service is earlier discontinued by Procore. Procore may discontinue any Beta Service at any time and may never make such Beta Service generally available. Beta Services are provided “as is,” without express or implied warranty, and without indemnity. Procore and its Affiliates will have no liability for, and Customer hereby fully and irrevocably releases Procore and its Affiliates from, any liability or damage arising out of or in connection with any Beta Service.

2. USE OF SERVICES

2.1. Customer’s Responsibilities. Only Authorized Users are permitted to access and use the Services. Customer acknowledges that Procore may contact Customer and Authorized Users in connection with Procore’s and its Affiliates’ services. Customer shall be solely responsible for (a) Authorized Users’ compliance with this Agreement and any Order(s) issued hereunder; (b) the accuracy and quality of Customer Data, the means by which Customer acquired Customer Data, and obtaining appropriate usage rights with respect to Customer Data; (c) maintaining the confidentiality of usernames, passwords, and other account information or access credentials (as applicable); (d) all activities that occur under its Authorized Users’ usernames, passwords, accounts or access credentials as a result of Authorized Users’ access to the Services; and (e) ensuring Authorized Users’ use the Services only in accordance with the Documentation.
Customer shall provide written notice to Authorized Users and/or Data Subjects that Customer Personal Data (as defined in the DPA) is subject to Customer’s own privacy policy and other terms regarding the use or handling of Customer Personal Data in accordance with applicable Data Protection Law. Customer shall provide disclosures to and obtain consents from Authorized Users as required under applicable Data Protection Law in order to share Customer Data. Customer shall notify Procore immediately of any unauthorized use of, or access to, the Services.

2.2. Restrictions. Customer shall not and shall not permit others to (a) make any Services available to any third party other than Customer or Authorized Users; (b) sell, resell, license, sublicense, distribute, rent, or lease any Services, or include any Services in a service bureau or outsourcing offering; (c) use the Services to store or transmit infringing, tortious, libelous, or otherwise unlawful material, Harmful Code, or material that otherwise violates the rights of any third-party; (d) interfere with or disrupt the integrity or performance of the Services or any third-party data contained therein; (e) use, or permit direct or indirect access to, the Services in a way that seeks to circumvent the Usage Metrics, (f) use the Services to exploit any Procore Intellectual Property Rights except as otherwise expressly permitted under this Agreement, an Order, or the Documentation; (g) frame or mirror any part of the Services, except as permitted by and in accordance with the Documentation; (h) access the Services in order to develop a competitive product or service or benchmark with a non-Procore product or service, or to otherwise exploit for competitive purposes; (i) subject to applicable law, reverse engineer, copy, or modify any software included as part of the Services; (j) use the Services for any improper, fraudulent, or other non-legitimate business purpose; (k) use the Services in a way that could be considered harmful, malicious, threatening, offensive, pornographic, defamatory, bigoted, hateful, indecent, or otherwise objectionable in Procore’s reasonable discretion; (l) use the Services to send unsolicited communications, promotions, or advertisements in violation of the CAN-SPAM Act or any other applicable anti-spam or e-privacy law, rule, or regulation; (m) use any automated device or process, such as a robot, spider, datamining, web-scraping, or other means to circumvent, access, use, or integrate with the Services or its contents, including but not limited to other user account information; (n) damage, interfere, disable, or impair the Services in any way; or (o) use the Service in violation of applicable law.

DocuSign Envelope ID: D4E4F8D4-84AE-4394-9B6D-BD966564D633
DocuSign Envelope ID: 864A4536-2679-4503-9CBA-B8F08B8B945E
Attachment A, Dec. 6, 2022

2.3. Affiliates.
Customer’s Affiliates may purchase Services under this Agreement if such Affiliate directly enters into an Order with Procore or its applicable Affiliate, and by doing so such Customer Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto. Each Affiliate’s Order(s), and the corresponding Usage Metrics, are separate and distinct from Customer’s and its other Affiliates’ respective Orders and Usage Metrics, unless otherwise set forth on an applicable Order.

3. THIRD-PARTY APPLICATIONS

Products or services developed by third parties may be available to Customer, including via Procore’s API, for use with the Services (“Third-Party Applications”). By using Third-Party Applications, Customer permits Procore to grant providers of such Third-Party Applications access to Customer Data or other data as required for the use and support of such Third-Party Applications in conjunction with the Subscription Services. Third-Party Applications are not Services under this Agreement, may be subject to the third-party provider’s additional terms, and may require an additional fee to such providers in order to use the Third-Party Applications. The Procore software may contain features designed to interoperate with Third-Party Applications. Such features are not considered Services under this Agreement. Procore may cease providing such features for any reason, including if the provider of a Third-Party Application ceases to make the Third-Party Application available for interoperation with the Services, without entitling Customer to any refund, credit, or compensation. Notwithstanding any obligations Procore may have under an applicable DPA, Procore is not responsible for the use or protection of Customer Data in any Third-Party Applications.

4. FEES AND PAYMENT

4.1. Fees.
Customer shall pay Procore all fees as set forth in the applicable Order or SOW, as well as any Overages (“Fees”). Except as set forth in Section 7.2, all payment obligations are non-cancelable and Fees paid are non-refundable.

4.2. Payment Terms. Except as otherwise set forth in the applicable Order, all Fees will be billed annually in advance. All invoices for Fees, Taxes, and Overages are due and payable within the time frame and in the currency set forth in the applicable Order, without deduction or setoff. Interest on unpaid amounts will accrue from the applicable invoice’s due date at the higher of 1.5% per month and the highest rate allowed by applicable law. Customer is responsible for providing complete and accurate billing and contact information to Procore and promptly notifying Procore of any changes to such information. If Customer fails to pay any undisputed portion of a past due invoice, including accrued interest, within ten (10) business days after receiving notice that its account is overdue, Procore may, without limiting its other rights and remedies, suspend the Services until such amounts are paid in full (“Non-Payment Suspension”). Procore is not obligated to continue to provide Services without payment of applicable Fees.

4.3. Use of Purchase Orders. No terms of any purchase order or other form or agreement provided by Customer will modify or supplement this Agreement, regardless of any failure of Procore to object to such terms, and any such terms will have no force or effect.

4.4. Taxes. Fees and Overages do not include any taxes, tariffs, levies, duties, or similar governmental charges or assessments of any nature, including, value-added, sales, use, or withholding taxes, assessable by any jurisdiction (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases under this Agreement.
If Procore is legally required to pay or collect Taxes for which Customer is responsible under this Section, Procore shall invoice Customer and Customer shall pay such amounts, unless Customer provides Procore with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Procore is solely responsible for taxes assessable against it based on its own income, property, and employees. Unless prohibited by the applicable taxing jurisdiction, the tax situs will be Customer’s ship-to address as set forth in the applicable Order.

Dec. 6, 2022 Item #5 Page 82 of 103

4.5. Usage Verification & Subscription Review. Customer acknowledges that Procore or its Affiliates may, at Procore’s expense, review Customer’s use of the Subscription Services for the purpose of verifying Customer’s compliance with this Agreement. Customer shall reasonably cooperate with and assist Procore or its Affiliates, as applicable, in such review and verification of Customer’s Usage Metrics. In addition, but no more than once annually, Procore’s subscription management team may initiate an offsite “Subscription Review” by requesting copies of records evidencing Customer’s Usage Metrics (for example, invoice details, project budgets, contract values, and change orders) and other reasonable substantiation. Customer shall provide such records within fifteen (15) business days, or such other mutually agreeable time frame, of Procore’s written request. Procore may invoice Customer, and Customer shall pay, for any usage of the Services that exceeds the Usage Metrics (“Overages”). Overages will be invoiced at Procore’s then-current standard rates.

4.6. Purchases Through a Reseller.
If Customer purchases Services through a Reseller, the pricing and payment terms for such Services are between Customer and Reseller (“Reseller Terms”). Customer acknowledges that (a) all payments for Services procured via a Reseller will be made directly to the Reseller and in accordance with the Reseller Terms; and (b) if a Reseller notifies Procore of its right to terminate or suspend any Services, Procore may terminate or suspend such Services. Procore will not be liable to Customer or any third party for any liabilities, claims, or expenses arising from or relating to any applicable Reseller Terms.

5. PROPRIETARY RIGHTS AND LICENSES

5.1. Ownership; Reservation of Rights. All Procore Intellectual Property Rights, including Intellectual Property Rights in the Services, Beta Services, Documentation, Statistical Usage Data, and Procore’s Confidential Information, are and will remain owned exclusively by Procore and its Affiliates, as applicable. Ownership in all Updates, derivatives, modifications, new functionalities, enhancements, and customization related to the Services created by or on behalf of Procore will immediately vest in Procore upon creation. Unless otherwise specified in an applicable SOW, all deliverables provided in the performance of Professional Services are owned by Procore and will be made available as part of the Subscription Services provided under this Agreement. Nothing in this Agreement will preclude or limit Procore from using or exploiting any concepts, ideas, techniques, or know-how of or related to the Services. Other than as expressly set forth in this Agreement, no license or other rights in or to the Services or other Procore Intellectual Property Rights are granted to Customer, and all such rights are expressly reserved to Procore and its Affiliates.

5.2. Use of Procore Logos.
Use of Procore’s logos, and all other Procore trademarks, service marks, product names, and trade names of Procore, is subject to the Procore trademark usage guidelines at www.procore.com/legal/trademark.

5.3. Customer Data. Customer Data and Customer’s Confidential Information are and will remain owned exclusively by Customer or its Authorized Users, as applicable. Customer hereby grants Procore, its Affiliates, and its subprocessors a worldwide right and license to access, host, display, process, analyze, transmit, reproduce, and otherwise utilize Customer Data (subject to Sections 1.3 and 6.2) for the purposes of providing and improving the Services in accordance with this Agreement.

5.4. Statistical Usage Data. Procore and its Affiliates may collect, use, and otherwise process Statistical Usage Data for their own analysis, analytics, marketing, and other internal business purposes, including, without limitation, improving Procore’s products and services. Except where Customer has expressly provided its written consent, Procore will only disclose Statistical Usage Data if such data is (a) aggregated or anonymized; and (b) does not disclose the identity of Customer or its Authorized Users or any Customer Confidential Information.

5.5. Feedback. To the extent that Customer or its Authorized Users provide any recommendations, suggestions, proposals, ideas, improvements, or other feedback regarding the Services or Documentation (“Feedback”), Customer hereby grants Procore an irrevocable, perpetual, royalty-free license to freely use, reproduce, distribute, modify, incorporate, commercially exploit, and further develop such Feedback without any restrictions or attribution.

6. CONFIDENTIALITY

6.1. Definition of Confidential Information.
“Confidential Information” means all information or data disclosed by a Party or any of its Affiliates (as applicable, the “Disclosing Party”) that is confidential, proprietary, or otherwise not publicly available, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure whether oral or in writing, and disclosed during the Term in connection with the Services. Confidential Information includes, (a) with respect to Customer, Customer Data; (b) with respect to Procore, the Services, and the Beta Services, including any discussions or information related to Beta Services; and (c) with respect to a Party, any technical, financial, economic, marketing, strategic, business, product, design, operational, of such Party. Confidential Information does not include any information that (a) is or becomes generally known to the public without breach of this Agreement or any other agreement by the Party receiving information or any of its Affiliates (as applicable, the “Receiving Party”); (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without restriction on disclosure and without breach of any obligation owed to the Disclosing Party; (d) was independently developed by the Receiving Party without use of or reference to any Confidential Information; or (e) is subject to disclosure under the California Public Records Act, the Civil Discovery Act or other applicable federal or state law.

6.2. Protection of Confidential Information.
The Receiving Party shall (a) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care); (b) not use any Confidential Information for any purpose outside the scope of this Agreement; and (c) except as otherwise expressly consented to by an authorized representative of the Disclosing Party, limit access to Confidential Information to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less restrictive than those herein.

6.3. Compelled Disclosure. The Receiving Party may disclose Confidential Information to the extent compelled by law or legal process to do so, on condition that the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the compelled disclosure. If the Receiving Party is compelled by law to disclose Confidential Information as part of a proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party shall reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

7. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, DISCLAIMERS

7.1. General Warranty. Each Party represents and warrants that it has the necessary rights to enter into this Agreement and has the legal power to do so.

7.2. Procore Limited Warranties.
Procore warrants that (a) the Subscription Services will perform materially in accordance with the applicable Documentation; (b) Procore will not materially reduce the core functionality of the Subscription Services during the current Subscription Term; (c) Procore will use industry standard measures to deliver the Subscription Services free of Harmful Code; and (d) Procore will perform the Professional Services in a diligent and professional manner. Customer’s exclusive remedy and Procore’s entire liability for a breach of the above warranties will be, at Procore’s option, (x) the correction of the deficient Service that caused the breach of warranty, or (y) provision of comparable functionality. If Procore cannot accomplish (x) or (y) in a commercially reasonable manner, as determined in its reasonable discretion, Procore may terminate the deficient service and refund to Customer any prepaid Fees for the terminated Service, prorated to cover the remaining portion of the Subscription Term following notice of the breach of warranty.

7.3. Disclaimers. Except as expressly provided herein, neither Party or its licensors makes any warranty of any kind, whether express, implied, statutory, or otherwise, and each Party and its licensors specifically disclaim all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose, title, or non-infringement, to the maximum extent permitted by applicable law. Notwithstanding Procore’s obligations under the DPA, Procore does not warrant that Services will be error-free or uninterrupted, will meet Customer’s requirements or expectations, or that its security measures will be sufficient to prevent third-party access to Customer Data.

8. INDEMNIFICATION

8.1. Indemnification by Procore.
(a) Procore shall defend any claim brought against Customer by a third-party to the extent such claim alleges that Customer’s use of the Subscription Services (as authorized in this Agreement, and as provided by Procore to Customer) (1) infringes any valid and enforceable third-party patent, copyright, or registered trademark, or (2) misappropriates a third-party trade secret (a “Claim”). If a third party makes a Claim against Customer, Procore shall pay all damages (including reasonable attorneys’ fees) finally awarded against Customer by a court of competent jurisdiction, or the settlement agreed to by Procore with respect to such Claim.

(b) If any Claim is brought or threatened, or if Procore reasonably believes that the Subscription Services may become the subject of a Claim, Procore may, at its sole option and expense (1) procure for Customer the right to continue to use the applicable Subscription Service; (2) modify the Subscription Service to make it non-infringing; (3) replace the affected aspect of the Subscription Service with non-infringing technology having substantially similar capabilities; or (4) if Procore determines none of the foregoing is commercially practicable, terminate this Agreement upon thirty (30) days’ notice and refund Customer any prepaid Fees related to the applicable Subscription Services prorated for the remainder of the Subscription Term.

(c) Procore’s defense and indemnity obligations do not apply to, and Procore will have no liability with respect to, any Claim arising in whole or part due to (1) any modification of the Subscription Services made by anyone other than Procore, (2) any use of the Subscription Services in combination with software, products, or services not provided by Procore, (3) any Third-Party Applications; (4) Services under an Order for which there is no charge; (5) Customer’s use of the Subscription Services not in compliance with this Agreement; or (6) Customer’s failure to use any Update provided by Procore. This indemnity states Procore’s entire liability, and Customer’s exclusive remedy, for any Claims as described in Section 8.1.

8.2. Indemnification by Customer. Customer shall defend any claim brought against Procore by a third party to the extent such claim relates to the Customer Data (if used by Procore in accordance with this Agreement) or Third-Party Applications built by or on behalf of Customer. If a third party makes such a claim against Procore, Customer shall pay all damages (including reasonable attorneys’ fees) finally awarded against Procore or the settlement agreed to by Customer with respect to such claim. This indemnity states Customer’s entire liability, and Procore’s exclusive remedy, for any third-party claims as described in this Section 8.2.

8.3. Procedure. The defense and indemnity obligations above are conditioned upon the indemnified Party providing the indemnifying Party with (a) prompt notice; (b) sole control over the defense and any settlement negotiations; and (c) all information and assistance reasonably requested by the indemnifying Party in connection with the defense or settlement of the indemnifiable claim.
The indemnifying Party shall not agree to a settlement that imposes any obligation or liability on the indemnified Party without the indemnified Party’s prior written consent, which will not be unreasonably withheld, conditioned, or delayed. The indemnified Party may appear in connection with such claims, at its own expense, through counsel reasonably acceptable to the indemnifying Party.

9. LIMITATION OF LIABILITY

9.1. Exclusion of Damages. Neither Party nor its respective Affiliates will be liable for any loss of profits, revenues, goodwill, anticipated savings, or use, costs of substitute goods or services, or business interruption, or work stoppage, or any indirect, special, incidental, exemplary, punitive, or consequential damages, however caused, and based on any theory of liability, whether for breach of contract, breach of warranty, tort (including negligence), product liability, or otherwise, even if such Party is advised of the possibility of such damages. The foregoing disclaimer will not apply to the extent prohibited by law.

9.2. Limitation of Liability. A Party’s and its respective Affiliates’ aggregate cumulative liability for all damages arising out of or related to this Agreement will not exceed the applicable Fees paid or payable to Procore in an Order or SOW for the applicable Services and attributable to the twelve (12) month period immediately preceding the event giving rise to the liability. The existence of more than one claim will not expand this limit. The liability limitations under this Section 9.2 will not apply to (a) Customer’s obligations to pay Fees due under this Agreement; (b) Customer’s breach of Sections 2.1 or 2.2; (c) amounts finally determined pursuant to either Party’s indemnity obligations under Section 8; (d) either Party’s gross negligence, willful misconduct, or fraud; or (e) either Party’s negligence on-site during the performance of Professional Services that results in death or personal injury.
Nothing in this Agreement excludes or limits any liability that cannot be excluded or limited under applicable law.

10. TERM AND TERMINATION

10.1. Term of Agreement. This Agreement will begin on the Effective Date and continue until terminated as permitted herein (the “Term”). If there are no active Orders, this Agreement may be terminated by either Party upon ninety (90) days’ prior notice.

10.2. Subscription Term. The initial Subscription Term and any applicable renewal Subscription Term will begin and end in accordance with the start date and end date set forth in the Order. Any new Service subsequently added to an existing subscription will be coterminous with the current Subscription Term.

10.3. Suspension. In the event of Customer’s or an Authorized User’s breach of this Agreement, including without limitation for Non-Payment Suspension or violation of the restrictions in Section 2.2, Procore may, in its reasonable discretion, suspend Customer’s or an Authorized User’s access to or use of the Subscription Services. Notwithstanding the foregoing, Procore shall use good-faith, reasonable efforts, unless the circumstances dictate otherwise, to reasonably notify Customer or an Authorized User via email before taking the foregoing actions.

10.4. Termination. Either Party may terminate this Agreement or any Order or SOW upon notice if the other Party is in material breach of this Agreement, where such material breach is not cured (to the extent capable of being cured) within thirty (30) days after receiving notice of breach from the non-breaching Party, or with immediate effect where such material breach cannot be cured. For the avoidance of doubt and without limiting rights of Procore, Customer’s noncompliance with Section 2.2 or Section 4.2 will be deemed a material breach of this Agreement. This Agreement may be terminated by either Party with immediate effect if the other Party becomes the subject of a petition in bankruptcy or other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors, and such petition or proceeding is not dismissed within forty-five (45) days.

10.5. Effect of Termination. Upon the termination of this Agreement for any reason (a) unless otherwise agreed by the Parties in writing, all outstanding Orders and access to the Subscription Services will automatically terminate; (b) Customer and its Authorized Users shall immediately cease access and use of the Subscription Services, other than for retrieval purposes provided in (d); (c) all outstanding payment obligations of Customer will become due and payable immediately; and (d) for thirty (30) days following the termination of this Agreement Procore shall make Customer Data available to Customer, at Customer’s request, via read-only access to the Subscription Service, solely for purpose of allowing Customer to retrieve Customer Data. After thirty (30) days, Procore will have no obligation to maintain or provide any Customer Data, and thereafter may delete or destroy all copies of Customer Data. If Procore is required to retain a copy of Customer Data for legal purposes, such copy remains subject to the confidentiality provisions of this Agreement.

10.6. Refund or Payment upon Termination. If Customer terminates this Agreement due to Procore’s material breach, Procore shall refund Customer the prorated portion of prepaid Fees for unused Services. If Procore terminates this Agreement due to Customer’s material breach, Customer shall pay any unpaid Fees. Termination will not relieve Customer of its obligation to pay any Fees for the period prior to the effective date of termination.

10.7. Surviving Provisions.
The Sections titled “Fees and Payment,” “Proprietary Rights and Licenses,” “Confidentiality,” “Representation, Warranties, Exclusive Remedies, Disclaimers,” “Term and Termination,” “Indemnification,” “Limitation of Liability,” and “General Provisions” will survive any termination of this Agreement. 11. GENERAL PROVISIONS 11.1. Publicity & Searchability Options. (a) The Services may contain functionality to allow Customer and third parties to search for one another for various purposes, such as inviting a third party to collaborate on a project, soliciting and/or receiving a bid, etc. Where Procore has made such functionality available, Customer will have the ability to control its visibility for such searches within the Services. 11.2. Export Control. Each Party shall comply with all applicable Export Control and Sanctions Laws and Regulations in connection with providing and using the Services. Without limiting the foregoing, (a) each Party represents that it is not listed on any list of entities or individuals who are restricted from receiving U.S. services or items subject to jurisdiction of U.S. Export Controls (including but not limited to the Specially Designated Nationals and Blocked Persons List and the Entity List) nor is it owned or controlled by any such listed entity; (b) Customer shall not, and shall ensure that Authorized Users do not, violate any Export Control and Sanctions Laws and Regulations, or cause any such violation to occur; and (c) Customer shall not use or cause any person to use the Services to store, retrieve, or transmit technical data controlled under the U.S. International Traffic in Arms Regulations. 11.3. Anti-Corruption. Neither Party has promised, made, or received any bribe, kickback, or other similar payment or transfer of value from or to any director, officer, employee, agent, or other representative of the other Party in connection with this Agreement. 
Reasonable gifts, entertainment, sponsorships, and donations do not violate the above restriction. 11.4. U.S. Government Rights. If Customer, or any Authorized User, is a branch, agency, or instrumentality of the United States Government, the following provision applies: The Services and Documentation comprise “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 and are provided to the Government (a) for acquisition by or on behalf of civilian agencies, consistent with the policy in 48 C.F.R. 12.212; or (b) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies in 48 C.F.R. 227.7202-1 and 22.7202-3. The rights of the U.S. Government to use, commercial computer software, commercial computer software documentation, and technical data furnished in connection with this Agreement are solely as provided in this Agreement. No additional rights are provided to the Government unless set forth in a separate written addendum. 11.5. Contracting Entity, Governing Law & Venue. The Procore contracting entity, law that will apply to a dispute arising out of or relating to this Agreement, and jurisdiction for dispute resolution depend on where Customer is domiciled, in all cases without reference to conflict of law rules of any jurisdiction.

| If Customer is domiciled in: | The Procore contracting entity is: | Governing law is that of: | The venue for dispute resolution is: |
| --- | --- | --- | --- |
| California | Procore Technologies, Inc. 6309 Carpinteria Ave. Carpinteria, CA 93013 USA | California | San Diego, California |
| Any U.S. state other than California; Mexico; or a country in Central America, South America, or the Caribbean | Procore Technologies, Inc. 6309 Carpinteria Ave. Carpinteria, CA 93013 USA | Delaware | New Castle County, Delaware |
| Canada | Procore Technologies, Inc. 6309 Carpinteria Ave. Carpinteria, CA 93013 USA | Ontario | Ontario, Canada |
| The United Kingdom; or a country in Europe, Africa, or the Middle East | Procore UK Ltd 51 Eastcheap London EC3M 1JP U.K. | England | London, England |
| Australia or New Zealand | Procore Technologies, Inc. 6309 Carpinteria Ave. Carpinteria, CA 93013 USA | New South Wales | Sydney, New South Wales |
| A country in Asia or the Pacific region other than Australia or New Zealand | Procore Technologies, Inc. 6309 Carpinteria Ave. Carpinteria, CA 93013 USA | Singapore | Singapore |

The provisions of the United Nations Convention of Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Acts will not apply to this Agreement in any manner whatsoever. 11.6. Dispute Resolution. The Parties shall attempt in good faith to promptly resolve any disputes arising out of or relating to this Agreement by negotiation between representatives of each Party with the authority to resolve such dispute. 11.7. Notices. Notices to Customer will be delivered via email or overnight delivery at the address associated with the Order. Notices to Procore will be delivered via email to legalnotice@procore.com or by overnight delivery to Procore Technologies, Inc., Attention Chief Legal Officer, 6309 Carpinteria Ave., Carpinteria, CA 93013 USA. All notices must be in writing and will be effective when received. 11.8. Force Majeure. Neither Party will be responsible or liable for any failure or delay in its performance under this Agreement (except payment of Fees, which may be delayed but not excused) to the extent due to any cause beyond its reasonable control (“Force Majeure Event”). The Party suffering a Force Majeure Event shall use reasonable efforts to mitigate against the effects of such Force Majeure Event. For the avoidance of doubt, issues relating to COVID-19 will not be considered a Force Majeure Event.
11.9. Assignment. Each Party shall not assign this Agreement, in whole or part, or any right or interest herein, without the other Party’s prior written consent, not to be unreasonably withheld, and any purported assignment will be void. However, Procore may assign this Agreement without consent to an Affiliate, or in connection with a merger, consolidation, or corporate reorganization, sale of all or substantially all of its assets or business, or other change of control transaction. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns. 11.10. Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties. 11.11. Entire Agreement; Order of Precedence. This Agreement (together with any SOWs and Orders) contains the entire understanding and agreement of the Parties concerning the subject matter hereof and supersedes all prior or contemporaneous communications, representations, agreements, and understandings, either oral or written, between the Parties with respect to its subject matter. This Agreement may only be amended or waived by a writing signed by both Parties; however, Procore may provide updated terms upon renewal, which will take effect when signed by both Parties. In the event of any conflict or inconsistency between or among the following documents, the order of precedence will be: (1) the DPA, (2) the Order, (3) SOW, (4) this Agreement, and (5) any links provided herein. Any amendment will take precedence over the document it amends. 11.12. Miscellaneous.
If a provision of this Agreement is unenforceable or invalid, the provision will be revised so as to best accomplish the objectives of the Parties as evidenced by this Agreement, and the remainder of this Agreement will continue in full force. The English language version of this Agreement will be the version used when interpreting or construing this Agreement. Any notices in connection with this Agreement must be provided in English. Either Party’s failure to enforce any right under this Agreement will not waive that right. There are no third-party beneficiaries to this Agreement, and Customer acknowledges that Procore will have no obligations or liability whatsoever to any third parties with which Customer does business. 12. DEFINITIONS 12.1. “Affiliate” means an entity that controls, is controlled by, or is under common control of a Party, where “control” means ownership or control, directly or indirectly, of more than fifty percent (50%) of the voting interest of such entity or party (but only for so long as such control exists) or the right to otherwise control the decision making of the subject entity. 12.2. “Authorized Users” means any individual or agents authorized by Customer to access or use the Services. 12.3. “Customer Data” means any content, data, information, personal data (as described in Section 1.3), and other materials submitted by Customer or an Authorized User to the Services. Customer Data excludes Statistical Usage Data, any content from publicly available sources, and any suggestion, enhancement request, recommendation, correction, or other Feedback relating to the operation of the Subscription Services pursuant to Section 5.4. 12.4. 
“Documentation” means the official Procore-provided instructions, user guides, help and training manuals, descriptions of support, and other descriptive product information applicable to the Services, whether in electronic, paper, or equivalent form, as updated from time to time, accessible at https://support.procore.com/products/online/user-guide or other websites designated by Procore. 12.5. “Export Control and Sanctions Laws and Regulations” means all laws and regulations under applicable law controlling or regulating the export, re-export, or (in-country) transfer of goods, technology, software, or services, or those that impose other trade or financial sanctions against targeted countries, territories, individuals, or entities. 12.6. “Harmful Code” means code, files, scripts, agents, malware, or programs intended to do harm, including but not limited to viruses, worms, time bombs, and Trojan horses. 12.7. “Intellectual Property Rights” means all rights, title, and interest in all intellectual property, including patents, copyrights, trade secrets, mask works, trademarks, and other intellectual property rights of any sort throughout the world. 12.8. “Order” means a written or electronic order form, executed by the Parties, identifying the Services, scope, quantity, charges, and other information relevant to a specific transaction between Customer and Procore, herein incorporated by reference. 12.9. “Professional Services” means the implementation, technical, consulting, training, and similar services provided by or through Procore or its Affiliates, as described in the relevant Order or SOW. 12.10. “Reseller” means a third party authorized by Procore or its Affiliates to promote, distribute, and/or resell the Services. 12.11. “Services” means collectively, as applicable, the Subscription Services, Support Services, and Professional Services Customer has ordered, and Procore has agreed to provide, as indicated on the applicable Order or SOW. 12.12.
“SOW” means a statement of work executed by the Parties describing Professional Services purchased by Customer pursuant to an Order, herein incorporated by reference. 12.13. “Statistical Usage Data” means usage information or data related to the access or use of the Services. Examples of Statistical Usage Data include information or data on user visits, user activity, and numbers and types of clicks or impressions, as well as statistical, functional, behavioral, or other information or data based on or derived from such access or use. 12.14. “Subscription Services” means the Procore software-as-a-service, and all associated Updates, offered on a subscription basis by Procore via an Order that provides the functionality described in the Documentation. 12.15. “Subscription Term” means the entire period during which Customer is entitled to use the Subscription Services, including the initial term and any applicable renewal terms. 12.16. “Support Services” means the type of Procore’s customer support for the Subscription Services described in Exhibit A, and as may be specified or purchased within an Order. 12.17. “Updates” means all updates, enhancements, and other modifications that Procore makes generally available, at no additional charge, to its customers of the Subscription Services identified in an Order. 12.18. “Usage Metrics” means the metrics used to determine the scope of Customer’s access and use of the Subscription Services and associated Fees, as set out in an Order. // Signature Page Follows //
PROCORE SUBSCRIPTION AND SERVICES AGREEMENT Procore By: (sign here) Signature Page By: CITY OF CARLSBAD, a municipal corporation of the State of California Alice Bisgrove, VP, Assistant General Counsel (print name/title) Associate General Counsel (sign here) Benjamin Singer (print name/title) CLO & Corporate Secretary APPROVED AS TO FORM: Cindie McMahon, City Attorney BY: City Attorney ATTEST: FAVIOLA MEDINA City Clerk Services Manager
PROCORE SUBSCRIPTION AND SERVICES AGREEMENT Exhibit A – Support Services and SLA Agreement 1. OVERVIEW This Support Services and SLA Agreement (“SLA”) is entered into by Procore and Customer and covers the Procore Subscription Services defined in the Procore Subscription and Services Agreement (“Agreement”) to which this SLA is attached. Except as otherwise modified or defined herein, all capitalized terms in this SLA have the meanings set forth in the Agreement. 2. DEFINITIONS For purposes of this SLA, the following definitions apply: 2.1 “Scheduled Downtime” means the window during which scheduled maintenance of the Subscription Services is performed. Procore shall use commercially reasonable efforts to not provide more than 6 hours of Scheduled Downtime per calendar month. Scheduled maintenance is communicated to users through “in app” notifications, with a minimum target of a 24-hour notice. 2.2 “Service Credit” means a calculation dividing the number of days of Subscription Service credited by 365, then multiplied by the annual Subscription Fee. In the event the annual Subscription Fee was $100,000 and the customer was due 3 days of service credit, then 3 divided by 365 times $100,000 would result in a Service Credit to the customer for $821.92. 3.
SERVICE AVAILABILITY Procore’s service-level objective for the Subscription Services is 99.9% of the time, 7 days a week, and 24 hours per day as calculated over a calendar month excluding Scheduled Downtime. This does not include Force Majeure Events or other factors outside of Procore’s reasonable control. 3.1 Service Availability. The Subscription Service will be available 99.9% of the time, 7 days a week, and 24 hours per day as calculated over a calendar month excluding Scheduled Downtime (“Service Availability”). If Procore does not meet the Service Availability in any individual calendar month, Customer may notify Procore support via a support ticket within 5 business days of a failure by Procore to achieve the Service Availability, including any other relevant details concerning the incident (“SLA Claim”). Procore will promptly investigate and make a good faith, reasonable determination, based on the information available, as to the validity of the SLA Claim. Failure to timely notify Procore will forfeit Customer’s right to receive a Service Credit. 3.2 Service Credits. Upon Procore’s validation of the SLA Claim, Procore will apply a Service Credit on Customer’s next invoice, calculated in accordance with the chart below. If the Subscription Service (or any portion thereof) is discontinued for any reason, the Service Credit will be in the form of a pro rata rebate at the end of the applicable subscription period. The aggregate maximum number of Service Credits to be issued to Customer for any and all SLA Claims that occur in a calendar month will not exceed fifteen (15) days of Service Credit.

| Uptime Availability | Days of Service Credit |
| --- | --- |
| < 99.9% - ≥ 99.0% | 3 |
| < 99.0% - ≥ 95.0% | 7 |
| < 95.0% | 15 |

3.3 Exclusions.
Customer will not have any remedies under this SLA to the extent any SLA Claim is due to: (a) Customer’s use of the Subscription Services outside the permitted scope described in the Agreement; (b) any period of unavailability lasting less than ten (10) minutes; (c) Force Majeure Events or other factors outside of Procore’s reasonable control; (d) malfunction of equipment, systems, software, network connections, or other infrastructure not owned or operated by Procore; or (e) Scheduled Downtime. 3.4 Exclusive Remedy. Except for gross negligence or willful misconduct by Procore, the remedies set forth herein represent Customer’s sole and exclusive remedy for breach of the SLA described herein. 4. SUPPORT 4.1 Access to Support. Customer and Authorized Users have access to technical support via telephone, online chat, email, or self-paced online tutorials. Support hours can be found at support.procore.com/references/contact-support. Support does not include training sessions on the features and functionality of the Subscription Services (e.g., implementation) or training in relevant computer skills considered prerequisite to an individual’s ability to use personal computers, the Internet/World Wide Web, and online software in accordance with the requirements of the Agreement. Furthermore, only qualified, trained Customer support personnel or Authorized Users familiar with Subscription Services are authorized to contact Procore to obtain support. 4.2 Reporting. Before requesting support from Procore, Customer shall use reasonable efforts to comply with any applicable operating and troubleshooting procedures as set forth in the Documentation or as otherwise provided by Procore.
If such efforts are unsuccessful, Customer should promptly notify Procore support via Procore’s Ticket Tracking System (“System”) of the issue including any supporting information Customer believes may assist Procore in both its diagnostic determination as well as the Severity/Priority classification. Upon Procore’s receipt of a support request via the System, Procore shall use commercially reasonable efforts to answer questions and provide standard error corrections to known problems. In the event of any problems or errors involving the Subscription Services that Procore cannot immediately resolve, Procore shall begin working on a resolution to the problem and shall work diligently and in a commercially reasonable manner on the problem until it is resolved. 4.3 Status Updates. Response time commitment for a first support contact between Procore and Customer after Customer contacts Procore for support is based on the Severity/Priority of the issue as entered into the System by the Customer. The Severity/Priority levels reported by Customer will be determined by Procore in its reasonable discretion, taking into consideration Customer’s report of the impact and functionality of the issue and impact to Customer. Once Procore receives an error ticket as reported from Customer, Procore shall provide Customer with timely status updates as reasonably determined by Procore until a workaround or other resolution is established by Procore.
Procore Customer Data Processing Addendum This Data Processing Addendum (this "DPA") supplements and forms part of the Subscription Services Agreement or other agreement between Customer and Procore about the provision of Services by Procore to Customer ("Agreement") when Data Protection Law applies to Customer’s access and use of the Services to process Customer Personal Data (defined below). Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) ("Customer"). For the purposes of this DPA only, and except as otherwise indicated, the term "Customer" shall include Customer and Data Controller Affiliates. Data Processing a. Scope and Roles. This DPA applies when Customer Personal Data is processed by Procore under applicable Data Protection Law. In this context, where the law provides for the roles of "controller" and "processor," Customer is the Controller of the Customer Personal Data covered by this DPA, and Procore shall be a Processor Processing Customer Personal Data on behalf of Customer and this DPA shall apply accordingly. b. Details of Data Processing. a. Subject matter. The subject matter of the data Processing under this DPA is Customer Personal Data. b. Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when Procore deletes or anonymizes all Customer Personal Data as described in the Agreement. c. Purpose. The purpose of the processing under the DPA is the provision of the Services by Procore to Customer as specified in the Agreement. d. Nature of the Processing. Customer Personal data is processed by Procore in connection with the Services under the Agreement and/or any applicable Order. e.
Categories of Data Subjects. The Data Subjects of Customer which may include Customers’ Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services. f. Categories of data. Identifiers (contact detail including name, email, phone number and addresses); Employment Data (professional data, contact details, hours worked, site access); IT Data (IP addresses, browser type, language preferences, cookies data); and other Personal Data that Customer or its Authorized Users elect to submit to the Services. g. Special categories of data (if appropriate). Procore and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements. However, Customer or its Affiliates may choose to include this type of data within content that the Customer instructs Procore to process on its behalf. c. Compliance with the laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA. d. Jurisdiction Specific Terms. Certain jurisdictions require other specific terms. Where required under applicable Data Protection Law, this DPA fully incorporates the applicable Jurisdiction Specific Terms available at http://procore.com/legal/jurisdiction-specific-terms and updated from time to time, and including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations: Procore’s obligations to Customer under the DPA are only those express obligations imposed by the CCPA that require that a "Business" and a "Service Provider" to have in place. Each party is responsible for fulfilling its respective obligations set out in the CCPA.
Procore will not collect, sell, retain, disclose or use the Personal Information of the Consumer for any purpose other than to perform the Subscription Services specified in the Agreement, or as otherwise permitted by CCPA. Procore certifies that it understands and will comply with the restrictions set forth herein. The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer" (collectively, the "replaced terms"). Further, the replaced terms shall have the definitions ascribed to in the CCPA. Documented Instructions. a. Customer Instructions. Customer shall, in its use of the Services, at all times provide documented instructions to Procore for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Procore’s Processing of Customer Personal Data ("Documented Instructions"). Procore will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Procore and Customer, including agreement on any additional fees payable by Customer to Procore for carrying out such instructions. b. Obligations and Indemnity.
Customer shall ensure that its Documented Instructions comply with all laws, rules and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer's Documented Instructions will not cause Procore to be in breach of applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Procore by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data; and (c) the Documented Instructions it provides to Procore regarding the Processing of such Personal Data. Customer shall not provide or make available to Procore any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and shall indemnify Procore from all claims and losses in connection therewith. Confidentiality of Customer Personal Data. Procore will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Procore a demand for Customer Personal Data, Procore will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Procore may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Procore will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Procore is legally prohibited from doing so. Authorized persons. 
Procore shall ensure that all persons authorized to Process Customer Personal Data on behalf of Procore are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality. Authorized Subprocessors. Customer hereby generally authorizes Procore to engage Subprocessors in accordance with this Section 5. Customer approves the Subprocessors currently listed below as Appendix A. If Customer transfers Customer Personal Data to Procore under the SCCs, the above authorization will constitute Customer's prior written consent to the subcontracting by Procore of the Processing of Customer Personal Data if such consent is required under the SCCs. Procore may remove, replace or appoint suitable and reliable further Subprocessors, provided that Procore shall notify Customer, update the list of Subprocessors and provide Customer with an opportunity to object where required under applicable Data Protection Law. a. Objections. If the Customer reasonably objects to the engagement of a new Subprocessor, Procore shall have the right to cure the objection through one of the following options (to be selected at Procore’s sole discretion): (a) Procore cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) Procore will take the corrective steps requested by Customer in its objection (which removes Customer's objection) and proceed to use the Subprocessor with regard to Customer Personal Data; (c) Procore may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) Procore provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. 
If Procore, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Procore and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to Procore for Services provided up to the effective date of the termination under the Agreement. In the event that Procore elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to Procore for such Services after the effective date of the suspension. If Customer does not object to a new Subprocessor's engagement within ten (10) days of notice by Procore, that new Subprocessor shall be deemed accepted. b. Subprocessor Obligations. Where Procore authorizes a Subprocessor as described in Section 5.1: a. Procore will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Procore will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose; b. Procore will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Procore under this DPA, Procore will impose on the Subprocessor the same contractual obligations that Procore has under this DPA; and c. Procore will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Procore to breach any of Procore obligations under this DPA. Security; Audits; Personal Data Breach; Impact Assessments. a. Security. Procore’s provision of the Services will be consistent with the measures described in Appendix B.
a. Updates to Procore Security Controls. Customer is responsible for reviewing the information made available by Procore relating to data security and making an independent determination as to whether the Security Controls set forth in Section 6.1, above, meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Controls are subject to technical progress and development and that Procore may update or modify the Security Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term. b. Confidential Security Reports and Audits. Procore does and will maintain compliance with SSAE 18 (SOC 1 & 2), or appropriate and comparable equivalents of those audit standards, for the duration of its processing of Customer Personal Data. Upon request, Procore shall, no more than once per calendar year make available for Customer’s review, a summary copy of an audit report(s) ("Report") that reflects such compliance, a request may be made by emailing legalnotice@procore.com. Customer acknowledges and agrees that such Reports are Procore’s Confidential Information. Procore shall also provide a requesting Customer with a Report and/or confirmation of Procore's own audits and/or a report of third party auditors' audits of its Subprocessors that have been provided by those Subprocessors to Procore, to the extent such reports or evidence may be shared with Customer (“Third-party Subprocessor Audit Reports”).
Customer acknowledges that (a) Reports and Third-party Subprocessor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Subprocessor and (b) certain third-party Subprocessors to Procore may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report. c. Personal Data Breach. In the event of a Personal Data Breach, Procore shall notify Customer without undue delay and otherwise respond as described in 6.3.1 below. In addition, Procore shall, taking into account the nature of the Processing and the information available to Procore assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required. a. Practices. Procore does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Procore becomes aware, and, within the scope of the Services, and take such steps as Procore in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Procore to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. 
Procore’s obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by Procore of any fault or liability of Procore with respect to the Personal Data Breach. Procore Assistance with Data Subject Requests. Procore will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Procore regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Customer, Procore will reasonably assist Customer with handling such Data Subject request. Procore may charge Customer no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Customer does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution. International Transfers of Personal Data a. U.S. Based Processing. Notification of Changes. Customer acknowledges and agrees that Procore may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where Procore, its Affiliates, or its Subprocessors maintain data processing operations. Procore shall ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA. b. Application of SCCs. 
The applicable SCC Controller-to-Processor Clauses, currently available through Procore’s Jurisdiction Specific Terms located at http://procore.com/legal/jurisdiction-specific-terms, will apply to Customer Personal Data that is transferred via the Services from Europe (defined below) and/or the United Kingdom, either directly or via onward transfer, to any country not recognized by the European Commission, the Swiss Federal Data Protection and Information Commissioner and/or a competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Personal Data. This DPA fully incorporates the applicable SCCs by reference. If Customer submits Customer Personal Data to the Services for Processing by Procore, Customer and Procore will be deemed to have entered into the SCCs, where applicable, and the submission of such Customer Personal Data to the Services will constitute Customer’s prior written consent to the transfer and Processing by Procore if such consent is required under the SCCs. The SCCs will not apply where the Customer Personal Data is transferred in accordance with an Alternative Transfer Mechanism (defined below), such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions. c. Explicit Consent and Notice. Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Procore in a manner consistent with the applicable Data Protection Law.
If, at any time, an Authorized User and/or Data Subject withdraws any consent given pursuant to this Subsection, Customer shall immediately inform Procore in writing at privacy@procore.com and cease use and collection of Customer Personal Data related to such objecting Authorized User and/or Data Subject. Customer shall keep an electronic record of all consents given, and any consents withdrawn, by Authorized Users and/or Data Subjects and shall make such records available to Procore upon request. Return or Deletion of Customer Data. a. Upon termination or expiration of the Agreement, Procore shall (at Customer's written request) anonymize all Customer Personal Data in its possession or control. This requirement shall not apply to the extent Procore is required by applicable law to retain some or all of the Customer Personal Data. b. Customer acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise or defense of legal claims. As an equivalent to deletion, Procore shall permanently and securely anonymize Customer Personal Data to the extent no individual could be identified. Indemnification by Customer. To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend, indemnify and hold harmless Procore, its Affiliates and Procore’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a "Procore Indemnitee") from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorized Users or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law. Limitation of Liability a.
Exclusion of Damages. UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION SHALL THE PROCORE INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CUSTOMER OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CUSTOMER PERSONAL DATA ARISING FROM OR RELATING TO CUSTOMER’S BREACH OF ITS OBLIGATIONS IN THIS DPA. b. Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and Procore, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, the Procore Indemnitees’ total liability for all Actions by Customer and all of Customer’s Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA. To the extent required by applicable law, (a) this section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority. Termination of the DPA.
This DPA will continue in force until the termination of the Agreement (the "Termination Date"), provided that the data protection obligations of this DPA and the SCCs shall continue to apply for so long as Procore processes Customer Personal Data.

Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Entire Agreement; Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data is resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.

Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

a. "Access Credentials" means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual's identity and authorization to access and use the Services.

b. "Action" means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.

c. "Affiliates", "Customer Data", "Procore", and "Services" shall each have the meaning ascribed to it in the Agreement.

d. "Alternative Transfer Mechanism" means a mechanism, other than SCCs, that enables the lawful transfer of Personal Data from Europe or the U.K. to a third country in accordance with applicable Data Protection Law.

e. "Competent Supervisory Authority" means, in accordance with Clause 13 of the EU SCCs, (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (the "ICO"). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

f. "Controller" means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Customer.

g. "Customer", as used in this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.

h. "Customer Personal Data" means Customer Data submitted to Procore for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.

i. "Data Controller Affiliates" means any of Customer's Affiliates that have not signed or otherwise accepted their own Order with Procore and therefore would not be a "customer" as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Procore Services pursuant to the Agreement between Customer and Procore. For the avoidance of doubt, no third-party beneficiaries are intended.

j. "Data Protection Law" means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Procore, including, where applicable, the laws listed in Procore’s Jurisdiction Specific Terms available at http://procore.com/legal/jurisdiction-specific-terms, as may be amended, superseded or replaced from time to time.

k. "Data Subject" means the identified or identifiable person to whom Customer Personal Data relates.

l. "Documented Instructions" has the meaning ascribed in Subsection 2.1 of this DPA.

m. "Europe" means the European Economic Area and Switzerland.

n. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).

o. "including" and its derivatives mean "including but not limited to."

p. "Losses" means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.

q. "Personal Data" means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.

r. "Personal Data Breach" means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Procore or Procore’s Subprocessors.

s. "Procore Indemnitee" shall have the meaning ascribed to it in Section 11, above.

t. "Processing" (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

u. "Processor" means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to Procore.

v. "Public Authority Request" means a government agency or law enforcement authority, including a judicial authority request for information.

w. "Services" means Procore’s Services as set forth in the Agreement.

x. "Standard Contractual Clauses" or "SCCs" means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs").

y. "Subprocessor" means any Processor engaged by Procore to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include Procore’s Affiliates, but shall exclude Procore employees, contractors, and consultants.

z. "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.
Appendix A – List of Procore Subprocessors

Subprocessor Name | Nature/Description of Processing | Subject of Processing/Customer Personal Data | Country of Storage/Processing
Amazon Web Services | Infrastructure Cloud Hosting | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States. S3 Buckets for storage are based on region of Customer and include the following regions as applicable: United States (default), Australia & New Zealand, Brazil, Canada, France, Germany, Hong Kong, Ireland, Italy, Korea, Singapore, South Africa, Sweden, United Arab Emirates (UAE), United Kingdom
Amplitude Inc | Product Analytics | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States
Ecrion Software | PDF Template Processing | i.e.: Authorized User Identifiers | United States
Fullstory | Digital experience intelligence (DXI) platform | i.e.: Authorized User Identifiers and video content upon consent. | United States
Google Analytics | Product Analytics | i.e.: Authorized User Identifiers, Employment Data, IT Data | Global
LaunchDarkly | Procore Feature Management | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States
Looker | Data Analytics | i.e.: Authorized User Identifiers such as email or user ID, IT Data for requests management | United States
New Relic | Application, Database, and Machine monitoring | i.e.: Authorized User Email Identifiers | United States
Pendo | Usage Data Collection Communication | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States
SalesForce | Customer Account Management | Customer Identifiers and Account Information | United States
Sendgrid | Transactional and Marketing Email | i.e.: Authorized Users Email Identifiers | United States
Snowflake | Data Warehouse | i.e.: Authorized User Identifiers, IT Data, Employment Data | United States
Sumo Logic | Application and System log aggregation | i.e.: Authorized User Identifiers | United States
Tableau | Data Visualization Reporting, SQL | i.e.: Authorized User Identifiers, IT Data, Employment Data | United States
BugSnag | Error Message Logging | i.e.: Authorized User IT Data and Identifiers based on error | United States

Additional Subprocessors for Procore Estimating Services ("Estimating")

Application Name | Nature/Description of Processing | Subject of Processing/Customer Personal Data | Country of Storage/Processing
Microsoft Azure | Infrastructure / Cloud Hosting | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States
Stripe | Payment processor | i.e.: Authorized User Identifiers, IT Data, credit card processing as processed by Stripe | United States
Baremetrics | Reporting for stripe | i.e.: Authorized User Identifiers, IT Data, proof of payment | United States
Hubspot | CRM | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States
Fullstory | Application playback for support | i.e.: Authorized User Identifiers, IT Data and Screen capture | United States

Appendix B - Technical and Organizational Security Measures

At all times while Procore Processes Customer Personal Data, Procore will: (a) maintain and follow a written information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to Customer Personal Data and unauthorized access to the Services, and (c) minimize Customer Personal Data risks, including through risk assessment and regular testing. Procore will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following Security Measures (as updated from time to time):

Physical Access Controls: Procore takes measures, such as security personnel and secured buildings, designed to (i) prevent unauthorized persons from gaining access to Customer Data, (ii) manage, monitor and log movement of persons into and out of Procore facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.

System Access Controls: Procore takes measures designed to prevent unauthorized use of Customer Data. These controls may vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and two-factor authentication, documented authorization processes, documented change management processes, logging of access on several levels, system audit or event logging, and related monitoring procedures to proactively record user access and system activity for routine review.
Data Access Controls: Procore takes measures designed to ensure that Customer Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and that Customer Data cannot be read, copied, modified, or removed without authorization in the course of Processing.

Access Policy: In addition to the access control rules set forth in Subsections 1.1–1.3 above, Procore implements an access policy under which access to its system environment, to Personal Data, and to other Customer Data is restricted to authorized personnel only.

Input Controls: Procore takes measures to ensure that: (i) the Customer Data source is under the control of Customer; and (ii) Personal Data integrated into Procore’s systems is managed by secured file transfer from Customer and the Authorized User subject.

Data Backup: Procore ensures that backups are made on a regular basis, are secured, and are encrypted when storing data to protect against accidental destruction or loss when hosted by Procore.

Organizational Management: Procore maintains a dedicated staff responsible for the development, implementation, and maintenance of Procore’s data privacy and information security programs.

Audit: Procore maintains audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance, and reporting the condition of its information security and compliance to senior internal management.

Policies: Procore maintains data protection and information security policies and makes sure that policies and measures are regularly reviewed and, where necessary, improved.
Integration: Procore communicates with Customer applications utilizing cryptographic protocols such as TLS 1.2 or above to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.

Operations: Procore maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Controller possession.

Incident Response: Procore maintains incident procedures designed to investigate, respond to, mitigate and notify of events related to Customer’s data or information assets. A dedicated network operations and security operations staff performs rapid monitoring and response capabilities to address alerts.

Network Security: Procore engages in network security controls such as providing for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

Risk Management: Procore utilizes vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Business Continuity: Procore maintains business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters. Testing is performed to evaluate the plans and recovery capabilities.

Additional information: For additional information on Procore’s security measures and compliance please refer to the information made available and updated periodically at the following link: https://www.procore.com/trust-and-security/security.