 

Exhibit 10.7

*** Confidential Treatment Requested

 

[gpub5rrcvtqh000001.jpg]

Amendment #3

 

Amended and Restated Services and Material Agreement

This Amendment Number 3 (“Amendment #3”), effective as of February 29, 2016
(“Amendment #1 Effective Date”), between Silver Spring Networks, Inc. (“Silver
Spring”) and Commonwealth Edison Company (“ComEd”) amends the Amended and
Restated Services and Material Agreement, dated January 25, 2012, between Silver
Spring and ComEd (the “Agreement”). Silver Spring and ComEd are referred to
herein as the “Parties” or a “Party,” as applicable.  Capitalized terms not
defined in this Amendment #3 will have the same meaning as in the Agreement.  

The Parties agree to amend the Agreement as follows:

 

1.

Section 25.3 is hereby deleted in its entirety and the following inserted in its
stead:

“25.3 Receiving Party’s Obligations

During the term of this Agreement and thereafter, except as a Disclosing Party
may otherwise authorize in writing in advance, each Receiving Party shall use
the other Party’s Confidential Information only to fulfill its commitments and
exercise its rights under this Agreement.  Each Receiving Party agrees not to
disclose any Confidential Information of the other Party to anyone other than
those employees, agents, contractors or Subcontractors of the Receiving Party
who need to know such Confidential Information for the purposes of this
Agreement and who have entered into binding written obligations of
confidentiality substantially similar to the obligations set forth herein.  Upon
reasonable request by the Disclosing Party, the receiving Party will provide
copies of the confidentiality agreements entered into with its employees, agents
or contractors.  Each Receiving Party shall treat all Confidential Information
of the Disclosing Party with the degree of care it accords to its own
Confidential Information, but not less than reasonable care.  Neither Receiving
Party shall reverse engineer, disassemble or decompile any prototypes, firmware,
software or other tangible objects which embody the other Party’s Confidential
Information.  Each Receiving Party will notify and cooperate with the other
Party in enforcing the Disclosing Party’s rights if such Receiving Party becomes
aware of a threatened or actual violation of the confidentiality requirements of
this Section.  Upon completion of Work pursuant to this Agreement, except as
otherwise provided in this Agreement, except as otherwise provided in the
Agreement, upon written request, a Receiving Party shall return any and all
tangible embodiments of Confidential Information to the Disclosing Party or
destroy any and all electronic copies of Confidential Information maintained by
each Receiving Party using a media sanitization process mutually agreed to by
the Parties.”`

 

2.

The attached Exhibit O “Special Terms and Conditions for Personally Identifiable
Information (SF) shall be added to the Agreement.

 

3.

Integration; Conflict. The foregoing provisions shall govern notwithstanding any
contrary provision in the Agreement or any previously executed agreement between
the Parties. Except as otherwise expressly provided or modified herein, the (i)
terms and conditions of the Agreement remain in full force and effect, and (ii)
this Amendment #1 and the Agreement constitute the entire and exclusive
agreement between the Parties regarding the subject matter hereof, and supersede
all proposals and prior agreements, oral or written, and all other
communications.  In the event of a conflict between this Amendment #3 and the
Agreement, this Amendment #3 shall govern.

 

 

*** Certain omitted portions of this exhibit have been filed with the Securities
and Exchange Commission pursuant to a request for confidential treatment under
Rule 24b-2 promulgated under the Securities Exchange Act of 1934

--------------------------------------------------------------------------------

 

IN WITNESS WHEREOF, the Parties have caused this Amendment #1 to be executed by
their duly authorized representatives.

 

Commonwealth Edison Company

 

Silver Spring Networks, Inc.

 

 

 

 

 

 

 

By:

 

/s/ ***

 

By:

 

/s/ Jim P. Burns

Name:

 

***

 

Name:

 

Jim P. Burns

Title:

 

Principal Category Manager

 

Title:

 

CFO

Date:

 

02/29/2016

 

Date:

 

02/29/2016

 

 

 

Approved by Legal:

***

***

 

 

ComEd-SSN Amendment #3 (20160201)

Page 2 of 5

Confidential

 

--------------------------------------------------------------------------------

 

EXHIBIT O

SPECIAL TERMS AND CONDITIONS

FOR

PERSONALLY IDENTIFIABLE INFORMATION (SF)

Safeguarding Personally Identifiable Information

1.1 Definition. “Personally Identifiable Information” means any name or number
that may be used, alone or in conjunction with any other information, to
identify a specific person, including any (a) name, address, email address,
password, account number, social security number, date of birth, official state
or government issued driver’s license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number, or any similar identification, (b) personal, financial,
or healthcare information, credit card information, bank account number, credit
card number or debit card number, (c) unique biometric data, such as
fingerprint, voice print, retina or iris image, or other unique physical
representation, (d) unique electronic identification number, address, or routing
code, (e) telecommunication identifying information or access device (as defined
in 18 U.S.C. §1029(e)), or (f) personal preferences, demographic data, marketing
data, or any other identification data, including customer’s utility account
number and usage data. For the avoidance of doubt, Personally Identifiable
Information includes all “nonpublic personal information,” as defined under the
Gramm-Leach-Bliley Act (15 U.S.C. §6801 et seq.) and “protected health
information” as defined under the Health and Insurance Portability and
Accountability Act of 1996 (42 U.S.C. §1320d), and “Personal Data” as that term
is defined in EU Data Protection Directive (Directive 95/46/EEC) on the
protection of individuals with regard to processing of personal data and the
free movement of such data.

1.2 Treatment of Personally Identifiable Information. Without limiting any
warranty or obligation in the Agreement, and in particular the confidentiality
provisions of the Agreement, during the Term and thereafter in perpetuity,
Contractor will not gather, store, log, archive, use, or otherwise retain any
Personally Identifiable Information to which it has gained access in connection
with the Agreement in any manner, and will not disclose, distribute, sell,
share, rent, or otherwise transfer any Personally Identifiable Information to
any party or person, except (a) as expressly provided in the Agreement, or (b)
as specifically and expressly directed in advance in writing by Exelon.
Contractor represents, covenants, and warrants that Contractor will use
Personally Identifiable Information in compliance with (i) the Agreement, and
(ii) all applicable federal, state, and local privacy, confidentiality, consumer
protection, advertising, electronic mail, and data security laws and
regulations, whether in effect now or in the future and as they may be amended
from time-to-time, including the Gramm-Leach-Bliley Act of 1999 (Public Law
106-102, 113 Stat. 1138) and its implementing regulations and the Fair and
Accurate Credit Act of 2003 (collectively, “Privacy/Consumer Laws”). In addition
to and in no way  limiting Contractor’s indemnity obligations under Section 16.5
of the Agreement, Contractor shall indemnify, hold harmless, and defend Exelon
and its affiliates and the officers, directors, employees, agents,
representatives,  successors, and assigns of Exelon and its affiliates (“Exelon
Parties”) for any and all claims against Exelon Parties by governmental
authorities for actual or alleged failure of an Exelon Party to comply with any
applicable laws, including privacy laws, to the extent caused by any act,
omission, conduct, negligence, or default by Contractor or Contractor’s failure
to comply with the terms of this Addendum. Contractor shall pay any and all
costs, losses, damages, awards of settlement, and expenses (including claims,
internal administrative costs, third-party fees, attorneys’ fees and expenses,
and consultant’s fees and expenses) incurred as a result of such claims, to the
extent caused by Contractor’s failure to comply with the terms of this Addendum.

1.3 Retention of Personally Identifiable Information. Contractor will not retain
any Personally Identifiable Information for any period longer than necessary for
Contractor to fulfill its obligations under the Agreement. As soon as Contractor
no longer needs to retain such Personally Identifiable Information in order to
perform its duties under the Agreement, Contractor will comply with Section 1.4
(Return of Personally Identifiable Information) with respect to the return or
destruction of Personally Identifiable Information.

 

ComEd-SSN Amendment #3 (20160201)

Page 3 of 5

Confidential

 

--------------------------------------------------------------------------------

 

1.4 Return of Personally Identifiable Information. On Exelon’s written request
or upon expiration or termination of the Agreement for any reason, the
Contractor will promptly, and no later than thirty (30) days after such request,
expiration or termination (a) return or destroy, at Exelon’s option, all
originals and copies of all documents and materials it has received containing
Personally Identifiable Information, (b) deliver or destroy, at Exelon’s option,
all originals and copies of all summaries, records, descriptions, modifications,
negatives, drawings, adaptations, and other documents or materials, whether in
writing or in machine-readable form, prepared by Contractor, prepared under its
direction, or at its request, from the documents and materials referred to in
clause (a), and (c) provide a notarized written statement to Exelon certifying
that all documents and materials referred to in clauses (a) and (b) have been
delivered to Exelon or destroyed, as requested by Exelon. Contractor’s
destruction or erasure of Personally Identifiable Information pursuant to this
Section shall be in compliance with best industry practices (e.g., Department of
Defense 5220-22-M Standard).

1.5 Security

(i) In General. Contractor will maintain and enforce physical and logical
security procedures with respect to its access and maintenance of Personally
Identifiable Information that (a) are at least equal to industry standards for
such types of locations, and  (b) provide reasonably appropriate technical and
organizational safeguards against accidental or unlawful destruction, loss,
alteration, or unauthorized disclosure, access, or acquisition of Personally
Identifiable Information accessible by Contractor under the Agreement.
Contractor will use commercially reasonable efforts to secure and defend its
location and equipment against “hackers” and others who may seek, without
authorization, to modify or access Contractor systems or the information found
therein. Contractor will periodically test its systems for potential areas where
security could be breached.

(ii) Security Breach Notification. Contractor shall immediately notify Exelon
after becoming aware of any unauthorized access to, acquisition, disclosure,
loss, use of, or any other potential corruption, compromise, or destruction of
any Personally Identifiable Information (“Security Breach”).  Contractor will
assist and cooperate with Exelon with respect to any investigation, disclosures
to affected parties, and other remedial measures as requested by Exelon or
required under any applicable Privacy/Consumer Laws.  If a Security Breach is
caused by Contractor’s failure to comply with this Addendum, Contractor shall
promptly reimburse Exelon for its costs and expenses, including any claims,
internal administrative costs, third-party fees and expenses (including
attorneys and consultants), and any other costs, damages, and losses incurred by
Exelon as a result of such Security Breach. In the event of any Security Breach
by Contractor that requires notification to any person or entity, including any
customer, shareholder, or current or former employee of Exelon Parties under any
Privacy/Consumer Laws, such notification shall be provided by Exelon, unless
otherwise approved by Exelon in writing.  Exelon shall have sole control over
the timing and method of providing such notification. Contractor will use best
efforts to promptly remedy any breach of security or unauthorized access or
acquisition of Personally Identifiable Information and deliver to Exelon within
sixty (60) days of such breach or unauthorized access or acquisition a root
cause assessment and future incident mitigation plan with regard to any breach
of security or unauthorized access or acquisition affecting Personally
Identifiable Information.

(iii) Communications and Operational Management. To the extent used to store,
transmit, process or otherwise handle Personally Identifiable Information,
Contractor shall (a) deploy industry standard anti-virus software and all
appropriate back-up protocols to ensure essential business information can be
promptly recovered in the event of a disaster or media failure, (b) ensure its
operating procedures are appropriately documented and designed to protect
information, computer media, and data from theft, misuse, and unauthorized
access, and (c) utilize industry standard encryption to protect Personally
Identifiable Information while it is at rest, in transit, or residing on backup
tapes.

(iv) On-Going Independent Monitoring of Security Controls.  Contractor commits
to execute on-going, independent monitoring of its control environment at its
own cost and expense through Service Organization Control (SOC) 1 evaluations
conducted in accordance with the Statement on Standards for Attestation
Engagements (SSAE) No. 16, or SOC 2 audits (a/k/a SSAE Type 2) of the Trust
Services Principles (TSPs).  Contractor will provide copies of its SOC 1 or SOC
2 reports to Buyer annually with respect to its primary operations.  Contractor
will ensure any data center, software as a service (SaaS)

 

ComEd-SSN Amendment #3 (20160201)

Page 4 of 5

Confidential

 

--------------------------------------------------------------------------------

 

or cloud-computing subcontractors complete and forward SOC reports to Buyer on
an annual basis as well.  Contractor will report to Buyer its plans to cure any
control deficiencies identified through on-going, independent monitoring
examinations.

1.6 Termination for Regulatory Non-Compliance. If Contractor’s relationship with
Exelon pursuant to this Agreement is identified in writing by any regulatory
agency, with jurisdiction over Exelon Parties, to present a risk to any
customers, current or former employees, agents, contractors, or subcontractors
of Exelon Parties, that requires correction, Exelon shall notify Contractor of
such assessment and the need for Contractor to cure, at its sole expense, the
risks identified. Notwithstanding anything to the contrary contained in the
Agreement, if Contractor fails to cure, or is incapable of curing, the
identified risks within the shorter of a) forty-five (45) calendar days after
receiving such notice from Exelon, or b) the deadline given by such regulatory
agency, Exelon shall be entitled to immediately terminate the Agreement for its
convenience and without the obligation to pay any termination fees or other
costs to Contractor.

1.7 Regulatory Examinations. Contractor agrees that any regulator or other
governmental entity with jurisdiction over Exelon Parties may examine
Contractor’s activities relating to the performance of the Agreement and this
Addendum, to the extent such authority is granted to such entities under the
law. Contractor shall promptly cooperate with and provide all information
reasonably requested by the regulator or other governmental entity in connection
with any such examination and provide reasonable assistance and access to all
equipment, records, networks, and systems reasonably requested by the regulator
or other governmental entity. Contractor agrees to comply with all reasonable
recommendations that result from such regulatory examinations within reasonable
timeframes at Contractor’s sole cost and expense. The foregoing cooperation and
assistance will be rendered at Contractor’s then-current time and materials
rates, subject to Exelon’s prior written authorization.

1.8 Insurance. Within 90 days of executing this addendum, contractor shall
obtain, pay for, and maintain in full force and effect during the term of the
Agreement and any renewals thereof additional insurance as follows:
Cyber/Network Security Insurance with a limit of not less than *** dollars (***)
per occurrence.  The full limit of coverage shall be available to pay for
Contractor’s credit monitoring obligations.

 

 

 

 

ComEd-SSN Amendment #3 (20160201)

Page 5 of 5

Confidential

 

--------------------------------------------------------------------------------

 

 

[gpub5rrcvtqh000002.jpg]

 

 

Amendment #4

 

 

Amended And Restated Services And Material

Agreement

 

This Amendment Number 4 (“Amendment #4”), effective as of the last date of
execution below (“Amendment #4 Effective Date”), between Silver Spring Networks,
Inc. (“Silver Spring”) and Commonwealth Edison Company (“ComEd”) amends the
Amended and Restated Services and Material Agreement, dated January 25, 2012,
between Silver Spring and ComEd (the “Agreement”). Silver Spring and ComEd are
referred to herein as the “Parties” or a “Party,” as applicable. Capitalized
terms not defined in this Amendment #4 will have the same meaning as in the
Agreement.

The Parties agree to amend the Agreement as follows:

1.

Section 1.8 Insurance of Exhibit O, The Special Terms and Conditions for
Personally Identifiable Information (SF) is hereby deleted and replaced by the
following in its stead:

1.8 Insurance. Within 30 days of executing this addendum, contractor shall
obtain, pay for, and maintain in full force and effect during the term of the
Agreement and any renewals thereof additional insurance as follows:
Cyber/Network Security Insurance with a limit of not less than *** dollars (***)
per occurrence. The full limit of coverage shall be available to pay for
Contractor’s credit monitoring obligations.

2.

Integration; Conflict. The foregoing provisions shall govern notwithstanding any
contrary provision in the Agreement or any previously executed agreement between
the Parties. Except as otherwise expressly provided or modified herein, the (i)
terms and conditions of the Agreement remain in full force and effect, and (ii)
this Amendment #1 and the Agreement constitute the entire and exclusive
agreement between the Parties regarding the subject matter hereof, and supersede
all proposals and prior agreements, oral or written, and all other
communications. In the event of a conflict between this Amendment #4 and the
Agreement, this Amendment #4 shall govern.

IN WITNESS WHEREOF, the Parties have caused this Amendment #4 to be executed by
their duly authorized representatives.

 

Commonwealth Edison Company

 

Silver Spring Networks, Inc.

 

 

 

 

 

 

 

By:

 

/s/ ***

 

By:

 

/s/ Scott R. Blackburn

Name:

 

***

 

Name:

 

Scott R. Blackburn

Title:

 

Commodity Manager

 

Title:

 

VP – Client Delivery

Date:

 

6/29/2016

 

Date:

 

6/29/2016

 

 

 

Approved by Legal:

***

***

 

ComEd‐SSN Amendment #4 (20160422)

Page 1 of 1

Confidential

 

*** Certain omitted portions of this exhibit have been filed with the Securities
and Exchange Commission pursuant to a request for confidential treatment under
Rule 24b-2 promulgated under the Securities Exchange Act of 1934