Exhibit 10.1

ADDENDUM TO MASTER SERVICES AGREEMENT

Addendum, dated as of September 22, 2011, between Internap Network Services
Corporation and SoundBite Communications, Inc. (“SoundBite”), to the Master
Services Agreement, dated August 28, 2003 (the “Agreement”).

 

1. As the parties wish to add security requirements to the Agreement, the
parties agree to add Attachment A attached to this Addendum to the Agreement.

 

2. If there is a conflict between the terms of this Addendum and the terms of
the Agreement, this Addendum shall control. Except as modified by this Addendum,
the Agreement shall continue to apply.

 

INTERNAP NETWORK SERVICES CORPORATION

By: [signature]

Name: Bruce S. Hoffman

Title: Director of Sales

Date: 9/21/2011

SOUNDBITE COMMUNICATIONS, INC.

By: [signature]

Name: Robert C. Leahy

Title: COO & CFO

Date: 9/22/11

 

[Page 1 of 14]



--------------------------------------------------------------------------------

ATTACHMENT A

INFORMATION SECURITY STANDARD

Introduction

This SoundBite Information Security Standard defines the information protection
controls used to protect SoundBite Information and applies to any organization
(Company) that stores, processes, transmits, or accesses that information.
SoundBite uses these controls internally and, to the degree that a vendor to
SoundBite handles SoundBite Information, particularly SoundBite Confidential
Information or SoundBite Highly Confidential Information, SoundBite requires
that Company meet these security requirements as well.

This standard is based on industry-accepted standards including, but not limited
to, the PCI DSS, NIST 800-53, and ISO 27002.

This standard reflects the superset of SoundBite’s information protection
requirements which originate from SoundBite’s regulatory requirements,
contractual requirements, and internal risk management requirements.

 

1. Definitions

 

  1.1. Information Security Executive Sponsor – Company executive officer or
director with ultimate responsibility for the Information Security Program.

 

  1.2. Information Security Officer – Person responsible for the day-to-day
management of the Information Security Program.

 

  1.3. Information Security Policy – Company policy documents that outline
high-level requirements or rules that define the Information Security Program.
Compliance is mandatory.

 

  1.4. Information Security Program – The people, processes, and technology
required to implement, to operate, to manage, to maintain, and to assure
conformance by Company with the Information Security Plan and Information
Security Policies.

 

  1.5. Malicious Code – Viruses, worms, Trojans, back-doors, root kits, malware
and any other software that may disrupt business or compromise data
confidentiality or integrity.

 

  1.6. Security Incident – Any event including, but not limited to, a hacking
attack, system compromise, information mishandling, policy violation, loss of
information, theft of information, or fraud that Company knows or suspects might
have resulted in a failure to protect the confidentiality of SoundBite
Confidential Information.

 

  1.7. Service – Any services or work performed on behalf of SoundBite
Communications.

 

  1.8. SoundBite Confidential Information – Any information or data made
available to Company by SoundBite except for information contractually excluded
from confidentiality obligations, such as public information. SoundBite Highly
Confidential Information is a subset of SoundBite Confidential Information.

 

  1.9. SoundBite Highly Confidential Information – Any information or data made
available to Company by SoundBite that includes information that could be used
to identify a person. This includes but is not limited to consumer names when
provided in conjunction with identifying information such as a phone number,
Card Holder Data (CHD) as defined by the Payment Card Industry (PCI) Data
Security Standard (DSS), Protected Health Information (PHI) as defined by the
Health Insurance Portability and Accountability Act of 1996 (P.L.104-191)
(HIPAA), Non-Public Personal Information (NPI) as defined by section
501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA), and Personal Information
(PI) as defined by the Mass Privacy Act (M.G.L. 93 H, 93 I, and 201 CMR 17.00).
SoundBite Highly Confidential Information is a subset of SoundBite Confidential
Information.

[Page 2 of 14]

--------------------------------------------------------------------------------

 

  1.10. Staff – All Company employees, contractors, sub-contractors,
consultants, or other parties who may use Company’s information systems or
access SoundBite’s information systems or SoundBite Confidential Information.

 

  1.11. Standard – This document: The SoundBite Communications Information
Security Standard.

 

  1.12. Strong Encryption – Encryption performed using industry-standard
cryptographic algorithms such as AES, 3DES, SHA, RSA, and RC4 where a minimum
key length of 128 bits is used for symmetric ciphers and a minimum key length of
1024 bits is used for asymmetric ciphers.

 

  1.13. Un-trusted Networks – The Internet and any network not operated by
Company alone or by Company in exclusive collaboration with SoundBite.

 

  1.14. Written Information Security Plan – A formal document that defines the
objectives of the Information Security Program, assigns responsibility for the
Information Security Program, and describes how the responsible parties either
do or will achieve the objectives of the Information Security Program.

 

2. SoundBite Information Security Standard

 

  2.1. Information Security Program Governance

 

  2.1.1. Information Security Program Ownership

 

  2.1.2. Risk Management

 

  2.1.2.1. Company must have a formal risk analysis and management process that
documents the organization’s assets, the threats against those assets, the
inherent vulnerability of the assets to those threats, and the controls designed
to protect the assets from the threats.

 

  2.1.2.2. Company must conduct an annual risk assessment so as to evaluate the
effectiveness of the controls and ultimately determine the residual risk to the
assets.

 

  2.2. Information Security Policy

 

  2.2.1. Company must have, maintain and follow a Written Information Security
Plan.

 

  2.2.2. Company must have and adhere to a written and comprehensive set of
Information Security Policy documents. The Information Security Policy documents
must, at a minimum, include the following content:

 

  2.2.2.1. The following, overarching content shall either be included in all
policy documents or in an overarching policy document that governs all other
security policy documents:

 

  2.2.2.1.1. A definition of information security or information security
mission statement, including, but not limited to, the policy’s overall objective
and scope.

 

[Page 3 of 14]



--------------------------------------------------------------------------------

  2.2.2.1.2. A statement of management intent to support the goals and
principles of information security in line with business strategy and
objectives.

 

  2.2.2.1.3. Control objectives, including, but not limited to, risk assessment
and risk management.

 

  2.2.2.1.4. A brief overview of security policies, principles, and standards.

 

  2.2.2.1.5. Regulatory and industry standards compliance requirements.

 

  2.2.2.1.6. Policy maintenance requirements.

 

  2.2.2.1.7. Penalties for policy violations, which must include actions up to
and including termination.

 

  2.2.2.2. The following specific security policy topics must be addressed by
one or more Information Security Policy documents:

 

  2.2.2.2.1. Asset Management, including, but not limited to, hardware,
software, and information

 

  2.2.2.2.2. Third Party Service Provider Security

 

  2.2.2.2.3. Access Control

 

  2.2.2.2.4. Acceptable Use, including, but not limited to, email usage,
computer and communications systems access and use, and Internet/intranet
access and use

 

  2.2.2.2.5. Anti-Virus

 

  2.2.2.2.6. Authentication and Identity Management

 

  2.2.2.2.7. Background Check

 

  2.2.2.2.8. Change Management

 

  2.2.2.2.9. Incident Response

 

  2.2.2.2.10. Information Classification

 

  2.2.2.2.11. Logging and Security Monitoring

 

  2.2.2.2.12. Passwords

 

  2.2.2.2.13. Physical and Environmental Security

 

  2.2.2.2.14. Risk Assessment

 

  2.2.2.2.15. System and Network Device Configuration and Hardening

 

  2.2.2.2.16. Security Awareness

 

  2.2.2.2.17. New Hire, Role Change, and Termination

 

  2.2.2.2.18. Vulnerability Management

 

  2.2.2.2.19. Equipment Installation and Removal

 

  2.2.2.2.20. Segregation of Duties

 

  2.2.2.2.21. Third Party Connectivity

 

[Page 4 of 14]



--------------------------------------------------------------------------------

  2.2.2.2.22. Incident Reporting

 

  2.2.2.2.23. Emergency Operations Plan

 

  2.2.2.2.24. Testing and Revision Procedures

 

  2.2.3. All policies must be communicated to staff and staff must acknowledge
that they will comply with the policies.

 

  2.2.4. Company must have in place a disciplinary process for non-compliance
with the Information Security Policy.

 

  2.3. Background Checks

 

  2.3.1. Prior to assigning any individual to perform the Services in the United
States, or, if Services are to be performed outside of the United States, to the
maximum extent permitted under local law, Company shall perform background
checks consisting of the following:

 

  2.3.1.1. SSN Verification – Search of the individual’s Social Security number,
tax ID number or other applicable government-issued identifier to verify the
accuracy of the individual’s identity and current and previous addresses.

 

  2.3.1.2. Criminal Checks – A criminal background search performed by an
independent, professional search firm of all court records (at least National
and County within the US) in each jurisdiction of the individual’s current and
previous addresses over the past seven (7) years.

 

  2.3.1.3. Reference Checks – Verification of previous employers and a minimum
of at least two (2) confirmed work references.

 

  2.3.1.4. Education – Verification of education listed on the candidate’s resume
or otherwise noted by the candidate.

 

  2.3.1.5. Credit Checks – Credit Report for Finance and Senior Level Executives

 

  2.3.1.6. DMV Checks – Department of Motor Vehicles for all employees in Sales
positions.

 

  2.3.1.7. Citizenship – Validation of citizenship or certification to work in
the country in which the individual is assigned.

 

  2.3.2. Where an individual has ended his/her employment with Company and has
been re-hired by Company, irrespective of the amount of time that has elapsed, a
new background check must be performed.

 

  2.3.3. Company shall utilize a specialist vetting company for the performance
of background checks. The Company is wholly accountable for compliance with this
Standard.

 

  2.3.3.1. Company shall retain evidence of all background checks performed for
a period of at least two years. These records shall document the checks
performed and their outcome.

 

  2.3.4. In the event that any staff is found to have been convicted of and/or
have any active/pending charges for any Disqualifying Offense listed below, that
person shall be prevented from accessing any SoundBite Confidential Information
and that person shall be prevented from entering SoundBite’s facilities.
Additionally, in the event that the person has already had access to any
SoundBite Confidential Information, Company must notify SoundBite immediately
and in no event later than the next business day.

[Page 5 of 14]

--------------------------------------------------------------------------------

 

  2.3.4.1. Disqualifying Offenses

 

  2.3.4.1.1. Dishonesty including, but not limited to felony convictions in the
following categories:

 

  2.3.4.1.1.1. Fraud Offenses

 

  2.3.4.1.1.1.1. Credit Card Fraud

 

  2.3.4.1.1.1.2. Credit Card Fraud

 

  2.3.4.1.1.1.3. Embezzlement

 

  2.3.4.1.1.1.4. Bad/Worthless Checks

 

  2.3.4.1.1.2. Fraudulent Trading

 

  2.3.4.1.1.3. Possession of Stolen Property

 

  2.3.4.1.1.4. Forgery and Counterfeiting

 

  2.3.4.1.1.5. Proceeds of Criminal Offenses

 

  2.3.4.1.1.6. Theft

 

  2.3.4.1.1.7. Bribery and/or Corruption

 

  2.3.4.1.1.8. Money Laundering

 

  2.3.4.1.1.9. Concealment of Property

 

  2.3.4.1.1.10. Trespassing with Intent to Steal (Burglary)

 

  2.3.4.1.1.11. Blackmail/Extortion

 

  2.3.4.1.2. Business Offenses

 

  2.3.4.1.2.1. Any offense involving computer misuse

 

  2.3.4.1.2.2. Organizing or engaging in illegal work

 

  2.3.4.1.2.3. Economic, Corporate, or Business Espionage

 

  2.3.4.1.3. Crimes Against Persons

 

  2.3.4.1.3.1. Serious sexual offenses or offenses against children

 

  2.3.4.1.3.2. Racially motivated or discrimination offenses

 

  2.3.4.1.3.3. Murder or manslaughter

 

  2.3.4.1.3.4. Crimes involving assault, violence, or threatening behavior

 

  2.3.4.1.3.5. Human trafficking

 

  2.3.4.1.4. Other

 

  2.3.4.1.4.1. Felony (US) or host country equivalent serious crime

 

[Page 6 of 14]



--------------------------------------------------------------------------------

  2.3.4.1.4.2. Producing, supplying, importing, or trafficking controlled
drugs/substances

 

  2.3.4.1.4.3. Firearms and explosives offenses

 

  2.3.4.1.4.4. Terrorism

 

  2.3.4.1.4.5. Pretrial Diversions (US) for disqualifying crimes

 

  2.3.4.1.4.6. Deferred Adjudication for disqualifying crimes

 

  2.3.4.1.4.7. More than 2 misdemeanor convictions (US) or host country
equivalent minor crimes relating to fraud, ethics, or other topics covered in
this section, within past 5 years.

 

  2.3.4.1.4.8. Convictions (US) involving imprisonment for terms of six months
or greater (whether or not all of that term was served)

 

  2.4. Access Control

 

  2.4.1. Company must have a user identification process in place that validates
the identity of each user. For example, in the United States, using the process
defined by the Form I-9, Employment Eligibility Verification, as published by
the Department of Homeland Security U.S. Citizenship and Immigration Services.
(This is the standard employment verification process required in the U.S.
wherein an employee presents certain government issued IDs to the employer to
prove their identity and right to work.)

 

  2.4.2. Company shall have appropriate new-hire, role-change, and termination
processes that ensure that:

 

  2.4.2.1. User accounts are appropriately created and disabled or removed

 

  2.4.2.2. Information access privileges for all user accounts are appropriately
enabled and disabled

 

  2.4.3. Company must have an access control process that:

 

  2.4.3.1. Assigns access rights based on roles

 

  2.4.3.2. Provides for segregation of duties between information owners (who
approve access changes) and information custodians (who implement access
changes)

 

  2.4.3.3. Updates access rights based on personnel or system changes

 

  2.4.3.4. Requires the periodic review of access rights for all systems that
store, process, transmit, or access SoundBite Confidential Information. These
reviews must be conducted on at least a quarterly basis. More frequent reviews
may be required based on the risk to the application or system.

 

  2.4.4. Access to Company system components and SoundBite Confidential Data
must be restricted based on a user’s need to know and be set to “deny all”
unless specifically allowed.

 

[Page 7 of 14]



--------------------------------------------------------------------------------

  2.4.5. All Company users must have BOTH:

 

  2.4.5.1. A unique User ID

 

  2.4.5.2. Either a password/passphrase or two-factor authentication

 

  2.4.5.2.1. Company must have an appropriate password policy in place:

 

  2.4.5.2.1.1. Passwords must contain a minimum of 8 characters

 

  2.4.5.2.1.2. Passwords must contain 3 out of 4 of the following character
types:

 

  2.4.5.2.1.2.1. Uppercase letters

 

  2.4.5.2.1.2.2. Lowercase letters

 

  2.4.5.2.1.2.3. Numbers

 

  2.4.5.2.1.2.4. Special characters, for example,

 

       ~, !, @, #, $, %, ^, &, *, (, ), _, +,

 

       -, =, [, ], \, ;, ‘, ,, ., /, :, “

 

  2.4.5.2.1.3. Passwords are changed after a maximum of 60 days

 

  2.4.5.2.1.4. Previous 10 passwords are not allowed to be reused

 

  2.4.5.2.1.5. User is locked out after not more than 5 failed login attempts

 

  2.4.5.2.1.6. User is automatically logged out after not more than 15 minutes
of inactivity

 

  2.4.5.2.2. Passwords/passphrases are to be encrypted with strong encryption in
transit and at rest.

 

  2.4.5.2.3. Two-factor authentication is defined as the use of two of the
following authentication types:

 

  2.4.5.2.3.1. Something the user knows, like a password

 

  2.4.5.2.3.2. Something the user has, like a SecurID token or digital
certificate

 

  2.4.5.2.3.3. Something the user is, like a fingerprint

 

  2.5. Operational Security

 

  2.5.1. Company must have operating procedures that are documented, reviewed
and maintained by an owner, and made available to all users who need them.

 

  2.5.2. Company must have a formal, documented change management and change
control process.

 

  2.5.3. Changes managed according to the change management process must be
documented, for example, using a change control ticketing system.

 

  2.5.4. Company must prohibit Staff from connecting to networks, systems,
databases, or applications that contain SoundBite Confidential Information from
any system not exclusively managed by Company according to this Information
Security Standard. For example, Staff would typically not be able to access
SoundBite Confidential Information from their personally-owned computers.

 

[Page 8 of 14]



--------------------------------------------------------------------------------

  2.5.5. Company must have processes and mechanisms established for the security
hardening and maintenance of servers, workstations, network devices, and
off-the-shelf applications, including, but not limited to, Web server software,
application server software, and database server software.

 

  2.5.5.1. Implement only one primary function per server

 

  2.5.5.2. Disable all unnecessary services and insecure protocols (e.g. telnet)

 

  2.5.5.3. Configure system security parameters to prevent misuse

 

  2.5.5.4. Remove all unnecessary functionality, such as scripts, drivers,
features, subsystems, file systems and unnecessary web servers

 

  2.5.6. Company must use industry-standard anti-virus software on all
applicable systems. Applicable systems shall include, at a minimum, all systems
that run any version of the Microsoft Windows operating system, inbound and
outbound e-mail systems, and any other systems that Company identifies, during
its risk assessment process, as potentially being susceptible to Malicious Code.
This antivirus requirement shall not apply to e-mail solutions the sole function
of which is the sending of system-generated e-mail content.

 

  2.5.6.1. Anti-virus solutions [or combination of solutions] must address all
types of Malicious Code.

 

  2.5.6.2. Systems must be maintained with daily anti-virus signature updates.

 

  2.5.6.3. Systems must use a current and supported version of the Anti-Virus
solution utilized.

 

  2.5.7. Company must utilize a reasonable process to monitor its systems for
vulnerabilities. Options include vulnerability scanning and monitoring
information sources for advisory and/or patch publications.

 

  2.5.7.1. In the event that Company becomes aware of a vulnerability, they will
endeavor to remediate the vulnerability within 30 days.

 

  2.5.8. Company must implement an appropriate logging solution or solutions for
all physical security systems. The logging solution or solutions must be
appropriately secured to prevent tampering.

 

  2.5.8.1. At a minimum, the following event types must be logged:

 

  2.5.8.1.1. Individual access to SoundBite cage

 

  2.5.8.1.2. Actions taken by any individual with administrative access to
physical security systems

 

  2.5.8.1.3. Access to all audit trails

 

  2.5.8.1.4. Invalid login access attempts

 

  2.5.8.1.5. Use of identification and authentication mechanisms

 

  2.5.8.1.6. Initialization of the audit logs

 

  2.5.8.1.7. Creation and deletion of system-level objects

 

  2.5.8.2. When logging events, the following information must be logged:

 

  2.5.8.2.1. User ID

 

[Page 9 of 14]



--------------------------------------------------------------------------------

  2.5.8.2.2. Type of event

 

  2.5.8.2.3. Date and time of event

 

  2.5.8.2.4. Event success or failure

 

  2.5.8.2.5. Origination of event (for example, source IP or TTY)

 

  2.5.8.2.6. Identity or name of affected data, system component, or resource

 

  2.5.8.3. Logs must be reviewed for Security Incidents daily or generate
applicable alerts which are reviewed daily.

 

  2.5.8.4. Electronic access logs must be maintained on a rolling 90 day basis
and paper based sign in logs must be retained for at least one year.

 

  2.6. Network Security

 

  2.6.1. Company will put appropriate network access controls in place,
including, but not limited to, the segregation of network segments by use of a
firewall capable of stateful packet inspection. Application layer packet
inspection (sometimes referred to as “deep packet inspection”) is also
encouraged.

 

  2.6.2. Company must not allow direct wireless network access to systems
storing SoundBite data.

 

  2.7. Physical Security

 

  2.7.1. Company must use appropriate facility entry controls to limit, monitor,
and log physical access to systems storing, processing, transmitting, or
accessing SoundBite data.

 

  2.7.2. Company will only grant access to authorized personnel.

 

  2.7.3. Company must have appropriate procedures to track visitors and to help
all personnel easily distinguish between Staff and visitors.

 

  2.7.3.1. Visitors are to be escorted at all times.

 

  2.7.3.2. All Staff and visitors must wear ID badges visible at all times.

 

  2.7.4. Company shall have in place monitoring controls appropriate to the
facility, including, but not limited to, staffing all unlocked entries with
guards or equivalent; video surveillance at entry points, access points, and
sensitive areas; and glass-break detectors.

 

  2.7.5. Company shall establish (and implement as needed) procedures that allow
facility access in support of restoration of lost data in the event of an
emergency.

 

  2.7.6. Company shall document repairs and modifications to the physical
components of a facility which are related to security (for example, hardware,
walls, doors and locks), if the facility is used to store SoundBite data.

 

  2.7.7. Data centers housing SoundBite data must have environmental controls
and redundant power (UPS and Generator or equivalent).

 

[Page 10 of 14]



--------------------------------------------------------------------------------

  2.7.8. Company shall have an asset management policy and associated processes
that apply to all assets that process, store, transmit, or access SoundBite
data.

 

  2.7.8.1. Company shall maintain an accurate inventory of its assets.

 

  2.8. Incident Response

 

  2.8.1. The Company shall maintain an Incident Response process to address
incidents, including, but not limited to, Security Incidents, the loss of
SoundBite Information, and significant service disruptions. The Incident
Response process shall include steps for:

 

  2.8.1.1. Incident identification

 

  2.8.1.2. Incident escalation

 

  2.8.1.3. Incident containment

 

  2.8.1.4. Incident investigation, including, but not limited to, the collection
of forensic evidence appropriate for law enforcement purposes

 

  2.8.1.5. Incident remediation and recovery

 

  2.8.1.5.1. Company shall document responsive actions taken in connection with
any incident involving a Security Incident or other breach of security.

 

  2.8.1.6. Following any Security Incident or breach of security, Company shall
review events and take actions, if applicable, to make changes in business
practices relating to protection of personal information.

 

  2.8.1.7. The Company shall communicate the Incident Response process to all
Staff. First responders with direct responsibility for execution of the Incident
Response process shall be trained on that process.

 

  2.9. Notification

 

  2.9.1. Without undue delay and in any event not later than 24 hours following
the occurrence of a business interruption, or disaster affecting the Services,
Company shall notify SoundBite, and implement Company’s BC/DR Plan. Company must
use best efforts to reinstate the Services as soon as practicable.

 

  2.9.2. Without undue delay and in any event not later than 24 hours following
the occurrence of a Security Incident or other use or disclosure of SoundBite
Confidential Information in violation of this Standard by Company or any of its
officers, directors, employees, contractors, agents or other Staff, Company
shall notify SoundBite, and implement Company’s Incident Response process.
Company must use best efforts to prevent further breach of confidentiality of
SoundBite Confidential Information and to recover or otherwise prevent abuse or
fraud using lost or compromised SoundBite Confidential Information.

 

  2.9.3. Company shall notify and report to SoundBite any use or disclosure of
SoundBite Confidential Information in violation of this Agreement by Company or
any of its officers, directors, employees, contractors, agents or other Staff
without undue delay and in any event not later than 24 hours following the
disclosure.

 

[Page 11 of 14]



--------------------------------------------------------------------------------

  2.9.4. All notifications shall be via any expedient means, followed directly
by written notice, to be sent to both of the following addresses:

 

  2.9.4.1. John Nye

Information Security Officer

SoundBite Communications

22 Crosby Drive

Bedford, MA 01730

 

  2.9.4.2. Robert C. Leahy

CFO/COO

SoundBite Communications

22 Crosby Drive

Bedford, MA 01730

 

  2.9.5. The Company shall ensure that if there are material changes to the way
that SoundBite data is processed (e.g. Company engages a third Party Vendor for
storing, processing, transmitting, or accessing SoundBite Information), then:

 

  2.9.5.1. These changes must be communicated to SoundBite and prior approval
obtained; and

 

  2.9.5.2. These changes must be communicated to appropriate departments within
the Company.

 

  2.9.6. SoundBite Contact Information:

 

  2.9.6.1. Information Security Officer:

John Nye

jnye@soundbite.com

1-781-897-2570

 

  2.9.6.2. SoundBite Support:

sbsupport@soundbite.com

1-888-807-4732

 

  2.9.6.3. SoundBite Front Desk:

1-781-897-2500

 

  2.9.6.4. SoundBite Business Contact:

Jason Temple

jtemple@soundbite.com

781-897-2725

 

  2.10. Software Licensing

 

  2.10.1. Company will maintain appropriate licenses for all software used to
provide service to SoundBite.

 

  2.11. Data

 

  2.11.1. Company must not collect, access, use, maintain, or disclose SoundBite
data.

 

  2.11.1.1. Company will take appropriate, industry-accepted measures to protect
encryption keys, including, but not limited to, ensuring that encryption keys
are encrypted during transit.

 

  2.11.1.2. Company shall appropriately protect an encrypted communication’s
endpoints.

 

[Page 12 of 14]



--------------------------------------------------------------------------------

  2.11.2. All data provided by SoundBite to the Company remain the property of
SoundBite.

 

  2.11.3. Unless explicitly approved by SoundBite, Company may not use any
SoundBite data in a testing environment. In the event that such usage is
allowed, this Information Security Standard will apply in full effect to the
testing environment.

 

  2.11.4. Media handling and disposal

 

  2.11.4.1. So long as account is active, current, and not in default, Company
must not remove SoundBite-owned equipment from data center facilities without
prior, written consent from SoundBite in the form of a Statement of Work, Remote
Hands service ticket, or other method described elsewhere in an agreement
between the two parties.

 

  2.11.5. The Company shall only transmit, process and store SoundBite Highly
Confidential information at data centers whose location has been approved by
SoundBite.

 

  2.12. Audit and Assessment

 

  2.12.1. Company management must regularly review the compliance of information
processing within their area of responsibility with the appropriate security
policies, standards, and any other security requirements.

 

  2.12.2. On an annual basis, Company shall conduct an internal audit or
assessment of all security controls, including, but not limited to, the controls
required by this Standard.

 

  2.12.3. Company must have an external Information Security audit performed at
least annually by an independent, reputable third party which must be provided
to SoundBite upon request. This requirement shall be considered satisfied by
having an independent audit firm perform procedures under applicable auditing
standards such as SAS70, SSAE16, SOC audits (SysTrust), ISO, or other commonly
accepted IT governance frameworks. SoundBite may, solely at its own expense,
audit Company to monitor compliance with this Information Security Standard.
Such audits will occur during normal business hours and will not occur more than
once in any calendar year, unless required by applicable laws and regulations or
unless Company experiences a Security Incident, in which case additional audits
may be performed.

 

  2.12.3.1. SoundBite’s right to audit/inspect Company extends to SoundBite’s
authorized representatives or any applicable regulator.

 

  2.12.3.2. On-site inspections of Company’s facilities may be conducted by
SoundBite or SoundBite’s authorized representatives.

 

  2.12.3.3. Company will promptly correct any violation of this Standard found
by SoundBite or its agents and will certify in writing that the correction has
been made.

 

[Page 13 of 14]



--------------------------------------------------------------------------------

  2.13. 3rd Party Vendors

 

  2.13.1. Where any third-party will have access to SoundBite Information in
order to provide its services to Company on behalf of SoundBite, Company will
ensure that such entity signs a written contract in which it agrees (i) to
restrict its use of SoundBite Information to activities directly required for
Company’s performance of its obligations to SoundBite; (ii) to comply with all
applicable laws, rules, regulations, security requirements (as defined in this
Information Security Standard); and (iii) to implement and maintain appropriate
administrative, technical and physical safeguards to protect the security,
confidentiality and integrity of all SoundBite Information as provided for by
this Standard. Company shall be responsible for any unauthorized use or
disclosure of any SoundBite Confidential Information by any entity to whom it
discloses or provides access to SoundBite’s Confidential Information, to the
same extent as if Company had used or disclosed such information itself.

 

  2.13.2. Company must execute written confidentiality and non-disclosure
agreements when dealing with third parties that will store, process, transmit,
or access SoundBite Confidential Information.

 

  2.13.3. Company must require third parties to demonstrate that their Staff has
been adequately screened if they require access to SoundBite Highly Confidential
Information.

 

  2.14. Regulatory Compliance

 

  2.14.1. PCI: In the event that Company stores, processes, or transmits CHD, as
defined by the PCI DSS, Company shall maintain compliance with the PCI DSS, but
only to the degree that the requirements of the PCI DSS are directly applicable
to the services provided under contract to SoundBite.

 

  2.14.1.1. Company shall either obtain a PCI Certification or allow SoundBite
to include sites that support the services provided under contract to SoundBite
in SoundBite’s annual PCI Assessment at SoundBite’s sole expense.

 

  2.14.1.2. Company will provide evidence of PCI compliant controls and/or
certification to SoundBite upon request.

 




--------------------------------------------------------------------------------

Internap Sales Order - Summary

Date: 2/10/2010    Valid Thru: 3/12/2010

To:
Soundbite
22 Crosby Drive
Bedford, MA 01730

From:
Internap Network Services, Corp.
Brian Kern / John Murphy
250 Williams Street, Suite E100
Atlanta, GA 30303

Subject: Ashburn Renewal plus IP    TERM: 2 Years

Summary of New Services

 

| Services | Total One-Time | Total Monthly |
| CDN Services | $ — | $ — |
| Colocation Services | $ — | $ 37,055.00 |
| IP Services | $ — | $ 15,750.00 |
| Managed Server Services | $ — | $ — |
| FCP and Value Add Services | $ — | $ — |
| TOTAL SOLUTION CHARGES | $ — | $ 52,805.00 |

 

 

    

 

 

 

Summary of Retained Services

 

| Services | Total One-Time | Total Monthly |
| Renewed and Retained Services | | $ — |
| TOTAL SERVICES | $ — | $ 52,805.00 |

 

 

    

 

 

 

Special Comments

Terms and Conditions

All service implementations are subject to Internap standard installation
intervals. While Internap will make reasonable efforts to accommodate customer
specific requests, the standard installation intervals apply for all Services
being ordered and shall begin upon Internap’s formal acceptance of this Sales
Order. Billing for services will commence upon delivery of the contracted
services. Specific billing activation dates will be communicated and confirmed
during the implementation process. Internap’s formal acceptance of this Sales Order
occurs when (i) Internap has received a signed Sales Order Form complete with
accurate information and signed Agreement for Service, (ii) capacity has been
approved, (iii) Customer’s credit has been approved, and (iv) Internap has
provided countersigned order form. Changes to an accepted Sales Order,
Customer-initiated delays (including those associated with Customer provisioned
access), and credit approval issues will place the installation interval on
hold.

The initial Term specified above shall start at the Service Commencement Date as
set forth in the MSA (defined below).

The Term of this Sales Order shall automatically renew for one year periods
absent contrary written notice provided by either party, delivered in accordance
with this paragraph at least sixty days in advance of expiration. To be
effective, Customer must give any such notice of non-renewal or any notice of
disconnection by completing the form located at
https://customers.Internap.com/requests/.

THE PARTIES AGREE TO BE BOUND BY THE TERMS AND CONDITIONS CONTAINED IN THE
MASTER SALES AGREEMENT (“MSA”) SIGNED BETWEEN THE PARTIES, WHICH ARE
INCORPORATED BY REFERENCE HEREIN, ABSENT SUCH EXECUTED MSA, THE EXECUTION OF
THIS DOCUMENT IS DEEMED TO BE ACCEPTANCE OF THE TERMS AND CONDITIONS SET FORTH
IN THE INTERNAP STANDARD MSA LOCATED AT http://internap.com/legal/msa.html,
INCLUDING ALL ATTACHMENTS THERETO, ALL OF WHICH ARE INCORPORATED BY REFERENCE
HEREIN. IN THE EVENT OF A CONFLICT BETWEEN THE MSA AND THIS SALES ORDER, THE MSA
SHALL PREVAIL. THE PROVISION OF SERVICES HEREUNDER IS SUBJECT TO INTERNAP’S
CONTINUING APPROVAL OF CUSTOMER’S CREDIT-WORTHINESS.

Customer Acceptance

Printed Name: Robert C. Leahy    Title: COO & CFO

By: LOGO [g501625exb_sig1.jpg]    Date: 2/18/10

Authorized INTERNAP Signature

By: LOGO [g501625exb_sig2.jpg]    Date: 2/18/10

 

Internap Network Services Confidential    2/10/2010    Page 15 of 5



--------------------------------------------------------------------------------

Internap Services - Service Change Order

 

 

 


Summary of Services

 

| Location | SO# | 5VCOID | QTY | Description | MRC | Treatment | Extended | Effective Date |
| BSN | 10000100385 | 149953 | 1.00 | Gige Dual Usage 250Mbps Monthly Fee | $ 10,000.00 | Replace | $ 10,000.00 | |
| BSN | 10000100385 | 149957 | 1.00 | 100mb Dual 4Mbps Monthly Fee | $ 1,100.00 | Replace | $ 1,100.00 | |
| BSN | 10000100385 | 149955 | 1.00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00 | |
| BSN | 10000100385 | 149955 | 1.00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00 | |
| BSN | 10000100385 | 149958,[Illegible] | 2.00 | Standard Ethernet Cross Connect Monthly Fee | $ 150.00 | Replace | $ 300.00 | |
| WDC002 | 10000106740 | 161674 | 1.00 | Standard Back Channel Ethernet Cross Connect Monthly Fee | $ 225.00 | Replace | $ 225.00 | |
| WDC002 | 10000054291 | 72611 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 11,770.00 | Replace | $ 11,770.00 | |
| WDC002 | 10000054291 | 72809 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 5,835.00 | Replace | $ 5,835.00 | |
| WDC002 | 10000056918 | 79261 | 1.00 | Private Cage (Square Footage) Monthly Fee | $ [Illegible] | Replace | $ [Illegible] | |
| WDC002 | 10000056918 | [Illegible] | 1.00 | Private Cage (Square Footage) Monthly Fee | $ 1,177.00 | Replace | $ 1,177.00 | |
| WDC002 | 10000056918 | 79282, 79263 | 2.00 | 30A 208V Primary Power Circuit Monthly Fee | $ 910.000 | Replace | $ 1,620.000 | |
| WDC002 | 10000064936 | [Illegible] | 2.00 | 30A 208V Primary Power Circuit Monthly Fee | $ 845.00 | Replace | $ 1,690.00 | |
| WDC002 | 10000067594 | 91405 | 1.00 | 100mb Dual 4Mbps Monthly Fee | $ 500.00 | Replace | $ 500.00 | |
| WDC002 | 10000054291 | S-83340,72612- | 10.00 | 20A 120V Primary Power Circuit Monthly Fee | $ 360.00 | Replace | $ [Illegible] | |
| WDC002 | 10000054291 | 87896-87903 | 6.00 | 20A 120V Primary Power Circuit Monthly Fee | $ 325.00 | Replace | $ [Illegible] | |
| WDC002 | 10000079712 | 118118 | [Illegible].00 | Back Channel Fiber Cross Connect Monthly Fee | $ 200.00 | Replace | $ 200.00 | |
| WDC002 | 10000056289 | 77900 | [Illegible].00 | Back Channel OC-X Cross Connect Monthly | $ 200.00 | Replace | $ 200.00 | |
| WDC002 | 10000071711 | 99303,99304 | [Illegible].00 | GigE Cross Connect Monthly Fee | $ 200.00 | Replace | $ 400.00 | |
| WDC002 | 10000054291 | 72621 | [Illegible].00 | 20A 120V Redundant Power Circuit Monthly Fee | $ [Illegible] | Replace | $ 180.00 | |
| WDC002 | 10000067594 | 91406, 91407 | [Illegible].00 | Ethernet Cross Connect | $ 175.00 | Replace | $ 350.00 | |
| WDC002 | 10000067558 | 77443 | [Illegible].00 | Standard Back Channel Ethernet Cross Connect Monthly Fee | $ 175.00 | Replace | $ 175.00 | |
| WDC002 | 10000064145 | 87264 | [Illegible].00 | Back Channel [Illegible] Cross Connect Monthly Fee | $ 125.00 | Replace | $ 125.00 | |
| WDC002 | 10000060018 | 80590 | [Illegible].00 | T-1 Cross Connect | $ 80.00 | Replace | $ 80.00 | |
| WDC002 | 10000060018 | 347, 155728, 11 | [Illegible].00 | T-1 Cross Connect | $ 75.00 | Replace | $ 225.00 | |
| WDC002 | 10000058916 | 79278, 79278 | [Illegible].00 | POTs Cross Connect | $ 50.00 | Replace | $ 100.00 | |
| WDC002 | 10000054291 | 72620, 72622 | [Illegible].00 | Standard 20A [Illegible] Primary Power Circuit Monthly Fee | $ [Illegible] | Replace | $ 1,250.00 | |
| WDC002 | 10000079712 | [Illegible] | [Illegible].00 | Back Channel Fiber Cross Connect Monthly Fee | $ 200.00 | Remove | $ 200.00 | |

Treatment Summary

 

| Treatment | Description | Total [Illegible] |
| Renew | Renew extends terms for existing services through Effective Date at the MRC specified | $ |
| Retain | Retain maintains contract terms for existing services through Effective Date at the MRC specified | $ |
| Replace | Replace terminates existing services on the effective date and replaces them with services specified on Services Proposal [ILLEGIBLE] | $ 50,050.00 |
| Remove | Remove terminates services on the effective date | $ 200.00 |

Early Termination Fees (ETF)

 

   $                    $         $        

 

 

 

Total ETF Fees

   $        

 

 

 

ETF Notes

 




--------------------------------------------------------------------------------

Internap Sales Order - Colocation Services

 

 

 


Internap Colocation Services

 

Service Point WDC002

Facility address Equinix - 21715 Filigree Court, Bldg. F, Ashburn, VA 20147

| | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly |
| Space (Power not Included) | | | | | |
| Cabinet(s) (Shared colo not in private cage) | | | | | |
| Private Cage (Square Ft) | 400 | $ 0.00 | $ 0.00 | $ 56.00 | $ 22,400.00 |
| Power | | | | | |
| 120V - 20 AMP Primary (incl Power Strip) | 21 | $ 0.00 | $ 0.00 | $ 360.00 | $ 7,560.00 |
| 120 V - 20 AMP Redundant (incl. Power Strip) | 1 | $ 0.00 | $ 0.00 | $ 180.00 | $ 180.00 |
| 120 V - 30 AMP Primary | | | | | |
| 120 V - 30 AMP Redundant | | | | | |
| 208 V - 20 AMP Primary | 2 | $ 0.00 | $ 0.00 | $ 625.00 | $ 1,250.00 |
| 208V - 20AMP Redundant | | | | | |
| 208 V - 30 AMP Primary | 4 | $ 0.00 | $ 0.00 | $ 935.00 | $ 3,740.00 |
| 208 V - 30 AMP Redundant | | | | | |
| 3 Phase 208 V - 20 AMP Primary | | | | | |
| 3 Phase 208 V - 20 AMP Redundant | | | | | |
| 3 Phase 208 V - 30 AMP Primary | | | | | |
| 3 Phase 208 V - 30 AMP Redundant | | | | | |
| Cross Connects | | | | | |
| Back Channel POTS Cross Connect | 2 | $ 0.00 | $ 0.00 | $ 75.0 | $ 150.00 |
| Back Channel T1 Cross Connect | 4 | $ 0.00 | $ 0.00 | $ 75.0 | $ 300.00 |
| Back Channel DS3 Cross Connect | 1 | $ 0.00 | $ 0.00 | $ 125.0 | $ 125.00 |
| Back Channel OCX Cross Connect | 1 | $ 0.00 | $ 0.00 | $ 225.0 | $ 225.00 |
| Back Channel Ethernet Cross Connect | 2 | $ 0.00 | $ 0.00 | $ 225.0 | $ 450.00 |
| Back Channel GigE Cross Connect/Fiber Cross Connect | 3 | $ 0.00 | $ 0.00 | $ 225.0 | $ 675.00 |

On Demand Remote Hands Charges (Billed at $300/Hour, 30 minute minimum): Usage Based

TOTAL COLOCATION CHARGES    One-Time: $ —    Monthly: $ 37,055.00

 

 

       

 

 

 

Standard Configuration Notes:

 

  •  Internap to provide and install (14) 4-post racks in a private cage

  •  Internap to supply the power strip for each 20a/120v circuit. Customer to supply
power strips for all other power circuits

  •  Monthly cage pricing does not include power. Power is billed separately

  •  Future power requests must be approved by Internap Product Management and are
subject to availability

  •  Standard Ladder racking and grounding is included in the cage construction
charges

  •  Customer may not draw more than an aggregate of 33.6 kW (the “Power Cap”) in the
Cage.

  •  In the event that Internap measures Customer’s draw in the Cage and such draw
exceeds the Power Cap, Internap may require Customer to reduce the power draw in
the Cage to the Power Cap within twenty-four (24) hours of such measurement.
Internap may disconnect power circuits until the aggregate rated capacity of all
circuits in the Cage equals the Power Cap.

Special Configuration Notes:

Internap Solution Notes:

Colo-Grade Colocation Facility Includes:

24x7 engineering support

Hardened security

Redundant, conditioned power

Tiered fire suppression systems

 




--------------------------------------------------------------------------------

Internap Sales Order - IP Services

 

 

 


Internap IP Services

 

Port Services

| # | Port Type | Access Type | Commit | PNAP | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly | Rate Limit per handoff | Rate/Mb | Burst rate/Mb |
| 1 | 100Mb Dual | Non-CPA | 10 | WDC002 | 1 | $ 0.00 | $ 0.00 | $ 1,000.00 | $ 1,000.00 | | $ 100.00 | $ 102.00 |
| 2 | Dual GigE | Non-CPA | 500 | BSN | 1 | $ 0.00 | $ 0.00 | $ 11,500.00 | $ 12,500.00 | 800 | $ 25.00 | $ 27.00 |
| 3 | 100Mb Dual | Non-CPA | 5 | BSN | 1 | $ 0.00 | $ 0.00 | $ 1,100.00 | $ 1,100.00 | | $ 220.00 | $ 222.00 |
| TOTAL | | | | | | | $ 0.00 | | $ 14,600.00 | | | |

4    $ 0.00    Rate/Mb    Burst rate/Mb    N/A

5    $ 0.00    Rate/Mb    Burst rate/Mb    N/A

 

 

       

 

 

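Circuit Services

| # | | PNAP | Qty | Design & Engineering Fees | Total One-Time | Monthly Recurring Charges | Total Monthly |
| 1 | Copper Cross Connect | WDC002 | 2 | $ 0.00 | $ 0.00 | $ 22[Illegible]00 | $ 450.00 |
| 2 | Fiber Cross-connect | BSN | 2 | $ 0.00 | $ 0.00 | $ 20[Illegible]00 | $ 400.00 |
| 3 | Copper Cross Connect | BSN | 2 | $ 0.00 | $ 0.00 | $ 15[Illegible]00 | $ 300.00 |
| 4 | | | | | | | |
| 5 | | | | | | | |
| TOTAL | | | | | $ — | | $ 1,150.00 |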

 

 

       

 

 

    

TOTAL IP SERVICES CHARGES    One-Time: $ —    Monthly: $ 15,760.00

 

 

       

 

 

 

Configuration Notes:

Bandwidth Charges are based on 95th percentile billing methodology, bursting
charges apply for usage in excess of commit

Customer Provided Access (CPA) - Customer is responsible for all local access
support associated with CPA orders, and must work directly with the access
provider to resolve all issues.

Included with your service:

  •  Full transit, route optimized TCP/IP connectivity through Internap’s P-NAP®
facility directly to the major Internet backbones

  •  24 x 7 Proactive circuit monitoring, outage reporting and outage troubleshooting
by Internap’s own Network Operations Center (NOC)

  •  Notification schedule and escalation procedures

  •  Primary DNS for one (1) domain -or- Secondary DNS for up to 200 domains

  •  Allocation of IP addresses in compliance with ARIN policy

 




--------------------------------------------------------------------------------

Internap Services Order - Key Contacts

 

 

 


Contact Information

Customer

 

| Contact | Name | Title | Email | Phone | Mobile |
| Primary Contact | Jason Temple | VP Operations | jtemple@soundbite.com | (781) 897-2725 | (617) 803-8236 |
| Technical Contact | | | | | |
| Billing Contact | | | | | |
| Additional Contact | | | | | |

Internap

 

| Contact | Name | Title | Email | Phone | Mobile |
| Account Executive | Brian Kern | Sr. Account Executive | bkern@internap.com | 617-374-4911 | 617-947-7521 |
| Technical Consultant | John Murphy | Sr. Sales Engineer | murphy@internap.com | 617-374-4907 | 978-302-6657 |
| Client Services Contact | Elena Spadazzi | Client Services Leader | espadazzi@internap.com | 617-374-4910 | |
| Additional Contact | Trent Collie | Sr. Sales Engineer | tcollie@internap.com | 617-374-4922 | |

 

 
