






AMENDMENT #1


To the Software License and Hosting Services Agreement


This amendment (“Amendment #1”), with an effective date of December 1, 2014
(“Amendment #1 Effective Date”), is hereby made to the Software License and
Hosting Services Agreement, having an Effective Date of November 19, 2013 (the
“Agreement”) between Covisint Corporation (“Licensor” or “Covisint”) and Cisco
Systems, Inc. (“Cisco”). By way of this Amendment #1, the following
modifications shall be made to the Agreement:


I.
The following definitions are hereby added to Section 1 of the Agreement:

1.30
“Covisint Cloud Data Exchange Service” means the hosted Licensor service that
provides cloud data exchange, integration broker, cloud service bus capabilities
that allows for routing, delivery, translation, publishing, subscription,
archiving and retrieval of messages, service interfaces and API’s based on a
central messaging hub and global protocol support that supports message tracking
and trading partner management, any-to-any data transformation, and a range of
standard and custom connectivity options.



II.
Attachments 1 and 2 to Exhibit H to the Agreement are hereby deleted and
replaced in their entirety, as attached to this Amendment #1.



III.
Attachment 4 to Exhibit H is hereby added to the Agreement, as attached to this
Amendment #1.



IV.
Exhibit I is hereby added to the Agreement, as attached to this Amendment #1.



V.
All remaining and unmodified terms and conditions in the Agreement shall
continue on in full force and effect.





IN WITNESS WHEREOF, the parties have caused this Amendment #1 to be executed,
which may be in duplicate counterparts, each of which will be deemed to be an
original instrument.
Covisint Corporation
Cisco Systems, Inc.
By: /s/ Joel Kremke
By: /s/ John Morrell
Printed Name: Joel Kremke
Printed Name: John Morrell
Title: SVP
Title: Senior Director
Date: February 5, 2015
Date: February 5, 2015






























Copyright 2014 Covisint Corporation. Confidential and Proprietary. All Rights
Reserved.    
CERTAIN CONFIDENTIAL PORTIONS OF THIS EXHIBIT WERE OMITTED AND REPLACED WITH
“***”.  A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE
SECURITIES AND EXCHANGE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL
TREATMENT.




ATTACHMENT 1 TO EXHIBIT H


DESCRIPTION OF HOSTING SERVICES


 
1.0 SETUP SERVICES
***



2.0 THE LICENSOR SERVICE
The Hosting Service includes:
• all required hardware
• high-speed Internet connection
• Documentation
• all required software and all required third-party software
• system administration and operations
• system and data backups and backup storage
• application support





3.0 MAINTENANCE AND SUPPORT
Licensor will perform the following technical support and maintenance services
at no additional cost:


• Operation and maintenance of Hosting Services;
• Service Level management;
• Scheduled and unscheduled maintenance;
• Release management;
• Change management;
• Change Request management;
• Security management;
• Service monitoring;
• Backup and disaster recovery;
• Covisint service desk support;
• Incident management.









































































ATTACHMENT 2 TO EXHIBIT H


FEES


1.0
GENERAL

Licensor shall issue invoices to Cisco for all fees due under this Exhibit. All
Fees shall be subject to acceptance by Cisco. The Licensor Fees, Setup Service
Fees and Monthly Support Fees shall be invoiced as due according to the schedule
set forth in Attachment 1 to Exhibit H.


* * *
Item # | Product/Service Description | Price
1.0 | Cisco Exchange Portal |
1.01 | Cisco Exchange Portal Setup | ***
1.02 | Cisco Exchange Portal Recurring Subscription *** | ***
1.03 | Additional End Users *** | ***
1.04 | Catalog SSO Application Setup | ***
1.05 | Non-Catalog SSO Application Setup | ***
1.06 | SSO Application Recurring Subscription | ***
1.07 | Additional Covisint IDBridge (see Exhibit A, Section 5) |
1.08 | End Point Integration Setup | ***
1.09 | End Point Integration Recurring Subscription | ***
1.10 | End Point Throughput Subscription per Cisco Customer | ***
***
***
***


***
***
***
***













































ATTACHMENT 4 TO EXHIBIT H


DEFINITIONS


 
For this Agreement, the following capitalized terms not defined herein have the
meanings set forth below:
“API” means application programming interface.
“Authentication” means the action performed by the system to determine the
identity of an End User by collecting End User credentials, validating the
correct entry of End User credentials against the End User registry, and
producing a success or failure response.
“Data Source” means an entity from which a specific set of data is obtained by
Covisint via a single internet connection, organized in a Covisint approved
format.
“End Point” means one (1) IDP or one (1) SP or a single application, data source
that is configured to send data to and/or from Covisint Cloud Data Exchange
Services.
“Identity Provider” or "IDP" means an entity that performs the Authentication of
an End User's Identity and provides the appropriate Authentication statements to
downstream systems and/or Service Providers asserting that the End User did
authenticate to the IDP at a particular time, using a particular method of
Authentication.
“Identity” means the minimum set of data required to create a unique record in
Covisint Cloud Identity Service representing one (1) End User and the
credentials required to authenticate that End User.
“Service Provider” or “SP” means an entity that provides subscription or web
services to other entities.
  




















































EXHIBIT I


Personal Data Transfer Agreement (Processor - Sub-processor)
 


This Personal Data Transfer Agreement (this “Agreement”) is made and entered
into as of July 24, 2014.


Between:
(1) Cisco Systems, Inc. in representation of all the Cisco Affiliates,
hereinafter “Data Processors”;
(2) Covisint Corporation, hereinafter “Sub-processors”;
Whereas
(1)
Data Processor enters into contractual agreements with its customers established
in the EEA (hereinafter the “Customer” or the “Customers” or the “Data
Controller”) for the provision of Cisco products and services and in providing
such services, including data processing agreements providing the instructions
for the Data Processor to abide by when processing personal data on behalf of
Customer, Data Processors may involve Sub-processors to perform part of the
services to Customers;

(2)
In providing Cisco products and services, Data Processor may have access to
personal data belonging to Customers’ end users and transfer them outside the
EEA area to Sub-processors to make them carry out part of the service, and in
order to secure such transfer Customers request Data Processor to enter into
Standard Model Clauses (hereinafter “EUMC”) for the purposes of Article 26(2) of
the Directive 95/46/EC (hereinafter the “Directive”) “for the transfer of
personal data to processors established in third countries which do not ensure
an adequate level of data protection” and under the EUMC, Data Processor is
appointed, as data importer;

(3)
According to the EUMC between Data Processor and Customers, when personal data
are processed in countries not ensuring adequate level of protections, companies
established in such countries and processing personal data on behalf of the Data
Processor are obliged to respect the terms and conditions set forth under these
clauses as Sub-processors.

Now, therefore, the Parties hereto agree as follows:
Definitions
(a)
"personal data", "special categories of data/sensitive data",
"process/processing", "controller", "processor", "data subject" and "supervisory
authority/authority" shall have the same meaning as in Directive 95/46/EC of 24
October 1995 (whereby "the authority" shall mean the competent data protection
authority in the territory in which the data exporter is established), under
this Agreement data subjects are Customers’ end users;

(b) "the data exporter" shall mean the controller who transfers the personal
data, under this Agreement data exporters are the Customers;
(c)
"the data importer" shall mean the processor who agrees to receive from the data
exporter personal data for further processing in accordance with the terms of
these clauses and who is not subject to a third country's system ensuring
adequate protection, under this Agreement data importers are the Data
Processors;



(d)
“the sub-processor” means any processor engaged by the data importer or by any
other sub-processor of the data importer and who agrees to receive from the data
importer or from any other sub-processor of the data importer personal data
exclusively intended for the processing activities to be carried out on behalf
of the data exporter after the transfer in accordance with the data exporter's
instructions, the standard contractual clauses set out in the Annex C, and the
terms of the written contract for sub-processing, under this Agreement
sub-processors are all the entities listed in Annex B.



1.
Scope



1.1 This Agreement is entered into by and between Data Processor and
Sub-processor to provide adequate protection for Customers’ end users’ personal
data transferred by the Data Processor to Sub-processor in order to carry out
part of the services requested by Customers, which may include without
limitation (a) customer service activities, such as processing orders, providing
technical support and improving offerings, (b) sales and marketing activities as
permissible under applicable law, (c) consulting, professional, security,
storage, hosting and other services delivered to Customers, including services
offered by means of the products and solutions described at www.cisco.com, and
(d) internal business processes and management, fraud detection and prevention,
and compliance with governmental, legislative and regulatory bodies
(collectively, “Cisco Services”). In particular the parties to this Agreement
agree that Sub-processors in providing such services to Customers shall abide by
the terms and conditions provided for the data importer in the EUMC and their
Appendixes duly incorporated in this Agreement as Annex A into which Data
Processor will enter with their Customers every time:
(a)
Data Processor is providing a service which entails processing Customers’ End
Users’ personal data; and

(b)
In order to provide such service Customers’ End Users’ personal data shall be
transferred to one of the Sub-processors.



1.2 Where a Cisco entity located within the EEA has signed the processing
agreement with Customer, and such Cisco entity is acting as data exporter on
behalf of Customer (by power of attorney or agency agreement or otherwise), this
Agreement shall be considered as entered by and between such Cisco entity
(acting as data exporter) and the Sub-processors.


2.
Obligation on processing of personal data.



2.1 The Sub-processors shall process Customers’ end users’ personal data in
accordance with the instructions included herein and in Annex A, using its data
processing facilities for the purposes described in the Recitals of this
Agreement and in Clause 1.1.
 
2.2 In particular, Sub-processor warrants and undertakes that:


(a)
it will follow the instructions contained in Appendix 1 of the EUMC included in
Annex A concerning the types of processing allowed;



(b)
it will implement the appropriate technical and organizational measures provided
in Appendix 2 of the EUMC included in Annex A to protect the personal data
against accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access;

(c)
it will promptly notify the Data Processor:

i.
any legal binding request for disclosure of personal data by law enforcement
authority unless otherwise prohibited under relevant law in order to maintain
the necessary confidentiality of a law enforcement investigation;

ii.
any accidental or unauthorized access to personal data and any other breach
which caused loss or alteration of personal data; and

iii.
any request received directly from Customers’ end users without responding to
such request directly;

(d)
it will inform the Data Processor about all the inquiries received directly by
Customers;

(e)
upon reasonable request of the Customers, it will submit their data processing
facilities, data files and documentation needed for processing to reviewing,
auditing and/or certifying by Customers (or any independent or impartial
inspection agents or auditors, selected with the agreement of Customers and,
when applicable with the supervisory authority) to ascertain compliance with the
warranties and undertakings in these clauses and the Annex A, with reasonable
notice and during regular business hours.

 
2.3 Sub-processor has no reason to believe, at the time of entering into this
Agreement, in the existence of any local laws that would have a substantial
adverse effect on the guarantees provided for under these clauses and Annex A
and in the event of a change in this legislation which is likely to have a
substantial adverse effect on the warranties and obligations provided by this
Agreement, the interested Sub-processor will promptly notify the change of
legislation to the Data Processor as soon as the Sub-processor is aware, in
which case the Data Processor is entitled to suspend the access to the personal
data to the interested Sub-processor.


2.4 At the request of the Customers and/or Data Processor, Sub-processor will
provide the Customers with evidence of financial resources sufficient to fulfil
its responsibilities under clause 3;


2.5 Upon termination of the provision of services provided to Customers under
which Data Processor and Sub-processor process Customers’ End Users’ personal
data, Data Processor will inform Sub-processors with a reasonable notice to
destroy or return the personal data received and certify Data Processor that it
has been done, so that they will pass the information to Customers, unless
legislation imposed on any of Sub-processor prevents it from returning or
destroying all or part of the personal data transferred. In that case, the
Sub-processor warrants that it will guarantee the confidentiality of the
personal data transferred and will not actively process the personal data
transferred anymore.


2.6 In the event that Customer requires the fulfillment of additional
obligations to those set forth herein mandatory under applicable law, Data
Processor will communicate to the Sub-processor such obligations.


3.
Liability and third party rights





3.1 Sub-processor shall be liable to the Data Processor of any damages caused by
the breach of third party rights under these clauses. Data Processor shall be
liable to the Customers and Customers’ end users for damages any of the parties
causes by any breach of third party rights under these clauses. This does not
affect the liability of the Customers as data exporter under its data protection
law.


3.2 Sub-processor agrees that where Customers and the Data Processor have
factually disappeared or ceased to exist in law, then


a. Customers’ end users can enforce against the Sub-processors Clause 1 and 2 and
Annex A;


b. Customers’ end users who suffered damages as a result of any violation of the
provisions of Clause 1 and 2 and Annex A by the Sub-processor are entitled to
receive compensation from the Sub-processor.


3.3 Sub-processor agrees that if Customers’ end users invoke against them
third-party beneficiary rights and/or claims compensation for damages under the
Clauses, Sub-processor will accept the decision of Customers’ end users to:
a)
refer the dispute to mediation, by an independent person or, where applicable,
by the supervisory authority;

b)
refer the dispute to the courts in the Member State in which the Customer is
established.



3.4 Sub-processor agrees that the choice made by the Customers’ end users will
not prejudice its substantive or procedural rights to seek remedies in
accordance with other provisions of national or international law.


4.
Law applicable to the clauses



4.1 These clauses shall be governed by the law of the country in which Customer
is established.


5.
Resolution of disputes with Customers’ end users or the authority



5.2 In the event of a dispute or claim brought by Customers’ end users or the
authority concerning the processing of the personal data against either or both
of the parties, the parties will inform each other about any such disputes or
claims, and will cooperate with a view to settling them amicably in a timely
fashion.


5.3 The parties agree to respond to any generally available non-binding
mediation procedure initiated by Customers’ end user or by the authority. The
parties also agree to consider participating in any


other arbitration, mediation or other dispute resolution proceedings developed
for data protection disputes.


5.4 Each party shall abide by a decision of a competent court of the Customers’
country of establishment or of the authority which is final and against which no
further appeal is possible.




6.
Termination



6.1 In the event that Sub-processor is in breach of its obligations under these
clauses and Annex A, then the Customers may temporarily suspend the transfer of
personal data to Sub-processor until the breach is repaired or the contract is
terminated.


6.2 The parties agree that the termination of these clauses at any time, in any
circumstances and for whatever reason (except for termination under clause 5.2)
does not exempt them from the obligations and/or conditions under the clauses as
regards the processing of the personal data transferred.


7.
Variation of these clauses



7.1 The parties may not modify these clauses except with appropriate notice to
and consent of relevant Customers and competent authorities, where required.
This does not preclude the parties from adding additional commercial clauses
where required.


8.
General



8.1 Sub-processor agrees that Appendix 1 and 2 of Annex A may contain
confidential business information which they will not disclose to third parties,
except as required by law or in response to a competent regulatory or government
agency, or as required under clause 2.
 
8.2 These clauses together with the Annex A constitute the entire agreement and
understanding of the parties and supersede any prior agreement or understanding
between the parties in respect of the transfer of personal data for the purposes
specified in Annex A.












Annex A
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of
personal data to processors established in third countries which do not ensure
an adequate level of data protection
Name of the data exporting organisation: Cisco, Inc.    
Address: 170 West Tasman Drive, San Jose, CA 95134    
Tel.: 1-408-526-4000    ; fax:    ; e-mail:    
Other information needed to identify the organisation
……………………………………………………………
(the data exporter)
And
Name of the data importing organisation: Covisint Corporation    
Address: One Campus Martius, Suite 700, Detroit, MI 48226    
Tel.: 1-313-961-4100    ; fax:    ; e-mail:    
Other information needed to identify the organisation:
…………………………………………………………………
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to
adduce adequate safeguards with respect to the protection of privacy and
fundamental rights and freedoms of individuals for the transfer by the data
exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a)
'personal data', 'special categories of data', 'process/processing',
'controller', 'processor', 'data subject' and 'supervisory authority' shall have
the same meaning as in Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data;

(b)
'the data exporter' means the controller who transfers the personal data;



(c)
'the data importer' means the processor who agrees to receive from the data
exporter personal data intended for processing on his behalf after the transfer
in accordance with his instructions and the terms of the Clauses and who is not
subject to a third country's system ensuring adequate protection within the
meaning of Article 25(1) of Directive 95/46/EC;

(d)
'the subprocessor' means any processor engaged by the data importer or by any
other subprocessor of the data importer who agrees to receive from the data
importer or from any other subprocessor of the data importer personal data
exclusively intended for processing activities to be carried out on behalf of
the data exporter after the transfer in accordance with his instructions, the
terms of the Clauses and the terms of the written subcontract;

(e)
'the applicable data protection law' means the legislation protecting the
fundamental rights and freedoms of individuals and, in particular, their right
to privacy with respect to the processing of personal data applicable to a data
controller in the Member State in which the data exporter is established;

(f)
'technical and organisational security measures' means those measures aimed at
protecting personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, in particular
where the processing involves the transmission of data over a network, and
against all other unlawful forms of processing.

Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal
data where applicable are specified in Appendix 1 which forms an integral part
of the Clauses.
Clause 3
Third-party beneficiary clause
1.
The data subject can enforce against the data exporter this Clause, Clause 4(b)
to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7,
Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2.
The data subject can enforce against the data importer this Clause, Clause 5(a)
to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases
where the data exporter has factually disappeared or has ceased to exist in law
unless any successor entity has assumed the entire legal obligations of the data
exporter by contract or by operation of law, as a result of which it takes on
the rights and obligations of the data exporter, in which case the data subject
can enforce them against such entity.

3.
The data subject can enforce against the subprocessor this Clause, Clause 5(a)
to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases
where both the data exporter and the data importer have factually disappeared or
ceased to exist in law or have become insolvent, unless any successor entity has
assumed the entire legal obligations of the data exporter by contract or by
operation of law as a result of which it takes on the rights and obligations of
the data exporter, in



which case the data subject can enforce them against such entity. Such
third-party liability of the subprocessor shall be limited to its own processing
operations under the Clauses.
4.
The parties do not object to a data subject being represented by an association
or other body if the data subject so expressly wishes and if permitted by
national law.

Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a)
that the processing, including the transfer itself, of the personal data has
been and will continue to be carried out in accordance with the relevant
provisions of the applicable data protection law (and, where applicable, has
been notified to the relevant authorities of the Member State where the data
exporter is established) and does not violate the relevant provisions of that
State;

(b)
that it has instructed and throughout the duration of the personal data
processing services will instruct the data importer to process the personal data
transferred only on the data exporter's behalf and in accordance with the
applicable data protection law and the Clauses;

(c)
that the data importer will provide sufficient guarantees in respect of the
technical and organisational security measures specified in Appendix 2 to this
contract;

(d)
that after assessment of the requirements of the applicable data protection law,
the security measures are appropriate to protect personal data against
accidental or unlawful destruction or accidental loss, alteration, unauthorised
disclosure or access, in particular where the processing involves the
transmission of data over a network, and against all other unlawful forms of
processing, and that these measures ensure a level of security appropriate to
the risks presented by the processing and the nature of the data to be protected
having regard to the state of the art and the cost of their implementation;

(e)
that it will ensure compliance with the security measures;

(f)
that, if the transfer involves special categories of data, the data subject has
been informed or will be informed before, or as soon as possible after, the
transfer that its data could be transmitted to a third country not providing
adequate protection within the meaning of Directive 95/46/EC;

(g)
to forward any notification received from the data importer or any subprocessor
pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory
authority if the data exporter decides to continue the transfer or to lift the
suspension;

(h)
to make available to the data subjects upon request a copy of the Clauses, with
the exception of Appendix 2, and a summary description of the security measures,
as well as a copy of any contract for subprocessing services which has to be
made in accordance with the Clauses, unless the Clauses or the contract contain
commercial information, in which case it may remove such commercial information;

(i)
that, in the event of subprocessing, the processing activity is carried out in
accordance with Clause 11 by a subprocessor providing at least the same level of
protection for the personal data and the rights of data subject as the data
importer under the Clauses; and

(j)
that it will ensure compliance with Clause 4(a) to (i).



Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a)
to process the personal data only on behalf of the data exporter and in
compliance with its instructions and the Clauses; if it cannot provide such
compliance for whatever reasons, it agrees to inform promptly the data exporter
of its inability to comply, in which case the data exporter is entitled to
suspend the transfer of data and/or terminate the contract;

(b)
that it has no reason to believe that the legislation applicable to it prevents
it from fulfilling the instructions received from the data exporter and its
obligations under the contract and that in the event of a change in this
legislation which is likely to have a substantial adverse effect on the
warranties and obligations provided by the Clauses, it will promptly notify the
change to the data exporter as soon as it is aware, in which case the data
exporter is entitled to suspend the transfer of data and/or terminate the
contract;

(c)
that it has implemented the technical and organisational security measures
specified in Appendix 2 before processing the personal data transferred;

(d)
that it will promptly notify the data exporter about:

(i)
any legally binding request for disclosure of the personal data by a law
enforcement authority unless otherwise prohibited, such as a prohibition under
criminal law to preserve the confidentiality of a law enforcement investigation,

(ii)
any accidental or unauthorised access, and

(iii)
any request received directly from the data subjects without responding to that
request, unless it has been otherwise authorised to do so;

(e)
to deal promptly and properly with all inquiries from the data exporter relating
to its processing of the personal data subject to the transfer and to abide by
the advice of the supervisory authority with regard to the processing of the
data transferred;

(f)
at the request of the data exporter to submit its data processing facilities for
audit of the processing activities covered by the Clauses which shall be carried
out by the data exporter or an inspection body composed of independent members
and in possession of the required professional qualifications bound by a duty of
confidentiality, selected by the data exporter, where applicable, in agreement
with the supervisory authority;

(g)
to make available to the data subject upon request a copy of the Clauses, or any
existing contract for subprocessing, unless the Clauses or contract contain
commercial information, in which case it may remove such commercial information,
with the exception of Appendix 2 which shall be replaced by a summary
description of the security measures in those cases where the data subject is
unable to obtain a copy from the data exporter;

(h)
that, in the event of subprocessing, it has previously informed the data
exporter and obtained its prior written consent;

(i)
that the processing services by the subprocessor will be carried out in
accordance with Clause 11;

(j)
to send promptly a copy of any subprocessor agreement it concludes under the
Clauses to the data exporter.



Clause 6
Liability
1.
The parties agree that any data subject, who has suffered damage as a result of
any breach of the obligations referred to in Clause 3 or in Clause 11 by any
party or subprocessor is entitled to receive compensation from the data exporter
for the damage suffered.

2.
If a data subject is not able to bring a claim for compensation in accordance
with paragraph 1 against the data exporter, arising out of a breach by the data
importer or his subprocessor of any of their obligations referred to in Clause 3
or in Clause 11, because the data exporter has factually disappeared or ceased
to exist in law or has become insolvent, the data importer agrees that the data
subject may issue a claim against the data importer as if it were the data
exporter, unless any successor entity has assumed the entire legal obligations
of the data exporter by contract or by operation of law, in which case the data
subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations
in order to avoid its own liabilities.
3.
If a data subject is not able to bring a claim against the data exporter or the
data importer referred to in paragraphs 1 and 2, arising out of a breach by the
subprocessor of any of their obligations referred to in Clause 3 or in Clause 11
because both the data exporter and the data importer have factually disappeared
or ceased to exist in law or have become insolvent, the subprocessor agrees that
the data subject may issue a claim against the data subprocessor with regard to
its own processing operations under the Clauses as if it were the data exporter
or the data importer, unless any successor entity has assumed the entire legal
obligations of the data exporter or data importer by contract or by operation of
law, in which case the data subject can enforce its rights against such entity.
The liability of the subprocessor shall be limited to its own processing
operations under the Clauses.

Clause 7
Mediation and jurisdiction
1.
The data importer agrees that if the data subject invokes against it third-party
beneficiary rights and/or claims compensation for damages under the Clauses, the
data importer will accept the decision of the data subject:

(a)
to refer the dispute to mediation, by an independent person or, where
applicable, by the supervisory authority;

(b)
to refer the dispute to the courts in the Member State in which the data
exporter is established.

2.
The parties agree that the choice made by the data subject will not prejudice
its substantive or procedural rights to seek remedies in accordance with other
provisions of national or international law.



Clause 8
Cooperation with supervisory authorities
1.
The data exporter agrees to deposit a copy of this contract with the supervisory
authority if it so requests or if such deposit is required under the applicable
data protection law.

2.
The parties agree that the supervisory authority has the right to conduct an
audit of the data importer, and of any subprocessor, which has the same scope
and is subject to the same conditions as would apply to an audit of the data
exporter under the applicable data protection law.

3.
The data importer shall promptly inform the data exporter about the existence of
legislation applicable to it or any subprocessor preventing the conduct of an
audit of the data importer, or any subprocessor, pursuant to paragraph 2. In
such a case the data exporter shall be entitled to take the measures foreseen in
Clause 5 (b).

Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data
exporter is established, namely England.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude
the parties from adding clauses on business related issues where required as
long as they do not contradict the Clause.
Clause 11
Subprocessing
1.
The data importer shall not subcontract any of its processing operations
performed on behalf of the data exporter under the Clauses without the prior
written consent of the data exporter. Where the data importer subcontracts its
obligations under the Clauses, with the consent of the data exporter, it shall
do so only by way of a written agreement with the subprocessor which imposes the
same obligations on the subprocessor as are imposed on the data importer under
the Clauses. Where the subprocessor fails to fulfil its data protection
obligations under such written agreement the data importer shall remain fully
liable to the data exporter for the performance of the subprocessor's
obligations under such agreement.

2.
The prior written contract between the data importer and the subprocessor shall
also provide for a third-party beneficiary clause as laid down in Clause 3 for
cases where the data subject is not able to bring the claim for compensation
referred to in paragraph 1 of Clause 6 against the data exporter or the data
importer because they have factually disappeared or have ceased to exist in law
or have become insolvent and no successor entity has assumed the entire legal
obligations of the data exporter
or data importer by contract or by operation of law. Such third-party liability
of the subprocessor shall be limited to its own processing operations under the
Clauses.
3.
The provisions relating to data protection aspects for subprocessing of the
contract referred to in paragraph 1 shall be governed by the law of the Member
State in which the data exporter is established, namely England.

4.
The data exporter shall keep a list of subprocessing agreements concluded under
the Clauses and notified by the data importer pursuant to Clause 5 (j), which
shall be updated at least once a year. The list shall be available to the data
exporter's data protection supervisory authority.



Clause 12
Obligation after the termination of personal data processing services
1.
The parties agree that on the termination of the provision of data processing
services, the data importer and the subprocessor shall, at the choice of the
data exporter, return all the personal data transferred and the copies thereof
to the data exporter or shall destroy all the personal data and certify to the
data exporter that it has done so, unless legislation imposed upon the data
importer prevents it from returning or destroying all or part of the personal
data transferred. In that case, the data importer warrants that it will
guarantee the confidentiality of the personal data transferred and will not
actively process the personal data transferred anymore.

2.
The data importer and the subprocessor warrant that upon request of the data
exporter and/or of the supervisory authority, it will submit its data processing
facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:
Name (written out in full):    John Morrell
Position:    Senior Director
Address:    10 West Tasman Drive
Other information necessary in order for the contract to be binding (if
any):    
Signature: /s/ John Morrell
(stamp of organisation)
On behalf of the data importer:
Name (written out in full):    Joel Kremke
Position:    SVP
Address:    1 Campus Martius, Detroit, MI 48226


Other information necessary in order for the contract to be binding (if any):
Signature: /s/ Joel Kremke
(stamp of organisation)






Appendix 1 to the Standard Contractual Clauses


This Appendix forms part of the Clauses and must be completed and signed by the
parties
The Member States may complete or specify, according to their national
procedures, any additional necessary information to be contained in this
Appendix
Data exporter
The data exporter is (please specify briefly your activities relevant to the
transfer):
Cisco Systems, Inc. in representation of all the Cisco affiliates
Activities relevant to the transfer include the performance of Cisco Services
for Customers.


Data importer
The data importer is (please specify briefly activities relevant to the
transfer):
Covisint Corporation Hosting of Software for Cisco’s use, which may include
direct or indirect access or use by Cisco End Users. Activities relevant to the
transfer include the performance of Services for Cisco.


Data subjects
The personal data transferred concern the following categories of data subjects
(please specify):
Employees, contractors, business partners, representatives and end customers of
Customers, and other individuals whose personal data is collected by or on
behalf of Customers and delivered to a Data Processor as part of the Cisco
Services.
Categories of data
The personal data transferred concern the following categories of data (please
specify):
Data related directly or indirectly to the delivery of Cisco Services, including
online and offline Customer, prospect, partner and supplier data, and data
provided by Customers in connection with the resolution of support requests.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data
(please specify):
Data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs or trade union memberships, and data concerning health or
sex life, and data relating to offenses, criminal convictions or security
measures.
Processing operations
The personal data transferred will be subject to the following basic processing
activities (please specify):
The personal data transferred will be subject to the following basic processing
activities, as may be further set forth in contractual agreements entered into
from time to time between the Data Processors and Customers: (a) customer
service activities, such as processing orders, providing technical support and
improving offerings, (b) sales and marketing activities as permissible under
applicable law, (c) consulting, professional, security, storage, hosting and
other services delivered to Customers, including services offered by means of
the products and solutions described at www.cisco.com, and (d) internal business
processes and management, fraud detection and prevention, and compliance with
governmental, legislative and regulatory bodies.
DATA EXPORTER
Name:     John Morrell                                
Authorised Signature:     /s/ John Morrell                
DATA IMPORTER
Name:     Joel Kremke                                
Authorised Signature:     /s/ Joel Kremke                

Appendix 2 to the Standard Contractual Clauses


This Appendix forms part of the Clauses and must be completed and signed by the
parties
Description of the technical and organisational security measures implemented by
the data importer in accordance with Clauses 4(d) and 5(c) (or
document/legislation attached):


1.
Data Protection Executives; Notices. The following executives are responsible
for the obligations set forth on this Appendix 2:

Cisco Data Protection Executive:
Sub-processor Data Protection Executive: Jenny Heinze
Any notices under this Appendix or the underlying agreement regarding
obligations related to the Customer personal data (“Agreement”) should be
communicated as follows:
a.
communications regarding the day-to-day obligations should be communicated in
writing via email or other written notice to each of the Data Protection
Executives, and

b.
communications regarding any proposed changes to the terms of this Appendix or
the terms of a party’s Customer personal data obligations under the Agreement
should be directed as required under the notice provisions of the Agreement with
copies provided to the Data Protection Executives. No such changes will modify
this Appendix or the Agreement unless agreed by the parties pursuant to the
appropriate change management procedure under the Agreement.

2.
General Security Practices

2.1    ***
3.
Technical and Organizational Security Measures

3.1    Organization of Information Security
***
3.2    Human Resources Security
***
3.3    Asset Management
***
3.4    Personnel Access Controls
***
3.5    Cryptography
***
3.6    Physical and Environmental Security
***
3.7    Operations Security
***
3.8    Communications Security and Data Transfer
***
3.9    System Acquisition, Development and Maintenance
***
3.10    Supplier Relationships
***


3.11    Information Security Incident Management
***


3.12    Information Security Aspects of Business Continuity Management
***
4.     The security measures described in this Appendix 2 are in addition to any
confidentiality obligations contained in any other agreement related to the
Services between Data Processor and Customer with respect to Customer personal
data. In the event of a conflict between the terms of such other agreement and this
Appendix 2, the terms of this Appendix 2 shall control.


DATA EXPORTER
Name:                            
Authorised Signature:                    


DATA IMPORTER
Name:                            
Authorised Signature:                    








