 
Exhibit 10.47

[*] = CERTAIN INFORMATION IN THIS EXHIBIT HAS BEEN OMITTED AND FILED SEPARATELY
WITH THE COMMISSION.  CONFIDENTIAL TREATMENT HAS BEEN REQUESTED WITH RESPECT TO
THE OMITTED PORTIONS.
 
Master Agreement for Subcontracted Services
Statement of Work
MASS Agreement #4902A20003
SOW #4906AT0073



This Statement of Work ("SOW")#4906AT0073 adopts and incorporates by reference
the terms and conditions of the Master Agreement for Subcontracted Services -
IBM as Prime # 4902A20003 (the “Agreement” or “MASS”), between International
Business Machines Corporation (“IBM” or “Buyer”), and Chordiant Software, Inc.
(“Supplier” or “Chordiant”). This SOW is effective beginning on the latest date
of signature by both parties and will remain in effect until [*] (the “Initial
Term”). Transactions performed under this SOW will be conducted in accordance
with and be subject to the terms and conditions of this SOW, the Agreement, and
any other applicable attachments or amendments. In the event of any conflict
between this SOW, or the Agreement, this SOW will govern and any applicable Work
Authorizations (“WAs”). This SOW is not a WA.


Not withstanding anything in the MASS to the contrary, the MASS shall remain in
effect with respect to this SOW through the term of this SOW.



1.0  
SCOPE OF WORK

Supplier resources will assist Buyer with the following services for the Call
Center Application (CCA) Tower Project for CIGNA Corporation (“CIGNA” or
“Customer”):



1.1  
Support of JSF SDK to Enable Portlet Development



Supplier will provide JSF SDK support in Chordiant Foundation which will provide
the platform on which to build portlets for the reference CIGNA Architecture.
Chordiant will demonstrate JSF/SDK test scenarios in lab environment.
 
Definition of Chordiant JSF SDK
The JSF SDK allows developers to build Java Server Faces user interfaces which
connect with Chordiant processes (via the Interaction Controller), and Chordiant
business services. JSF SDK pages can be hosted by the existing Chordiant Cafe
desktop, or alternative custom desktops. The contents of this JSF SDK are:
-  [*]


The JSF SDK will be used by Buyer, with Supplier’s support, to deliver a
Reference Build. The reference build will provide the following:
-  [*]





1.2  
Services Support for CIGNA Development & Build Effort



Supplier will assist Buyer in the following activities of the CIGNA Call Center
Application (CCA) Tower Project:

·  
Support the baseline Portlet development by providing [*] hours of architect
support to assist with initial JSF SDK implementation, the Reference
Architecture outlined above and the Portlet development. (These hours are
included in the total hours noted in Section 3.0.)

·  
Assist with the high and low level design of the Chordiant functional solution

·  
Provide guidance and mentoring on how to maximize the value from the Chordiant
product

·  
Assist with the high and low level design of Chordiant software integration in
the overall architecture

·  
Provide guidance and mentoring on techniques to extend the Chordiant Physical
Data Model and the Chordiant Business Object Model

·  
Assist with the extension of the Chordiant Physical Data Model and the Chordiant
Business Object Model

·  
Assist with the design and development of Chordiant Business Flows and Chordiant
Business Services

·  
Assist with design and development of Chordiant Queue management

·  
Assist with the installation and configuration of the Chordiant solution in the
customer environments

·  
Assist with performance testing and tuning the Chordiant solution

·  
Provide Subject Matter Expertise for Information Technology Governance related
to managing a Chordiant engagement leveraging Harmony Methodology, Chordiant
Product and Chordiant Integration Architecture




2.0  
SUPPLIER ROLES



Supplier will provide consultants for the following type(s) of roles:



o  
Technical Architect

o  
Functional Architect

o  
Consultancy Services Manager

o  
Data Architect

o  
Portal Architect

o  
Application Architect

o  
Business Analyst

o  
Class Modeler

o  
Interaction Flow Designer

o  
Business Services Designer

o  
Performance Tuning Specialist

o  
Infrastructure Architect




3.0  
COMPLETION CRITERIA

Supplier will have fulfilled its obligations under this SOW when anyone of the
following first occurs:

·  
IBM has agreed that Supplier has provided the hours as defined in Section 5.0
below in this Statement of Work or

·  
Either party terminates the SOW in accordance with the provisions of the Master
Agreement for Subcontractor Services, or IBM terminates the SOW upon thirty days
prior written notice.






4.0  
SUPPLIER’S RESPONSIBILITIES

In addition to delivering the Services on schedule, Supplier will:

·  
Participate in progress reviews, as requested by Buyer, to demonstrate
Supplier’s performance of its obligations;

·  
As part of Supplier’s importation requirements, provide to Buyer on the
commercial invoice:

·  
An invoice description that provides enough detail to verify the effort and time
period expended for the month.




5.0  
PAYMENTS

Supplier services will be payable and invoiced to Buyer on a time and materials
basis at rates provided in the table below per consultant, plus applicable sales
taxes and expenses; total estimated to be [*] for Supplier Services as follows:


Table 1


Positions
Roles
Estimated Hours
Hourly Rates
Technical Architect
Technical Architect
Functional Architect
Performance Tuning Specialist
Data Architect
Portal Architect
Application Architect
Infrastructure Architect
Interaction Flow Designer
Business Services Designer
[*]
$[*]
Consultancy Services Manager
Consultancy Services Manager
[*]
$[*]
Business Analyst
Business Analyst
Class Modeler
[*]
$[*]
Total Estimated Hours
 
[*]
 



  The service fee estimate related for the Supplier Services described under
this SOW is intended to be an estimate for Buyer's budgeting and Supplier's
resource scheduling purposes; the estimate does not include expenses or taxes.
Once fees for services reach this estimate, Supplier will cooperate with Buyer
to provide continuing services on a time and materials basis or at Buyer’s
direction, stop performing services. In the event that additional services are
required, Buyer and Supplier will handle such services through the Change
Control Process and such additional services will be mutually agreed to by both
parties. All amounts due to Supplier hereunder will be invoiced monthly. All
such invoices shall be payable net 45 days for this SOW only. Actual travel and
living expenses are in addition to the service fees. Chordiant will be
reimbursed for actual expenses incurred and adhere to the IBM expense policy.
Chordiant will work with IBM to manage expenses.
  
  All travel and living invoices are at actual cost with no mark-up. (Buyer will
reimburse Supplier for the following travel expenses only, provided they are
incurred in performance of this SOW and with Buyer’s prior written approval: (i)
tolls, parking fees, taxis, buses or auto rentals fees for autos rented from a
Buyer designated rental company; (ii) personal automobile use under the
applicable automobile allowance plan, excluding normal commutation; (iii) air
transportation at the economy, tourist or coach class rate for the most direct
route of a scheduled airline; (iv) reasonable lodging charges for the immediate
area; (v) reasonable and actual meal expenses; (vi) necessary business calls
made on Buyer’s behalf; (vii) reasonable tipping; (viii) reasonable valet and
laundry charges if a trip extends beyond four consecutive (4) days. Supplier
must submit an invoice listing all travel expenses, and all applicable receipts
for lodging, airline travel, rental cars or any other reimbursable expenditure
to the Technical Coordinator. Buyer will not reimburse Supplier for personal
expenses.)


The rates provided in the above table are only relevant to the SOW. Buyer may
request up to an additional 10,000 hours based on the rates in the table above.
Any additional hours beyond the table above and 10,000 hours will be billed at
the following rates:


Table 2




Positions
Hourly Rates
Technical Architect
$[*]
Consultancy Services Manager
$[*]
Business Analyst
$[*]
Developer
$[*]



For services billed under Table 2, actual travel and living expenses are in
addition to the service fees.





6.0  
SUPPLIER SOFTWARE



Buyer and Supplier will enter into an order form regarding the purchase and
resale of Supplier Software by Buyer to Customer in the form attached as Exhibit
4-D hereto (the “Order Form”), and Supplier and Customer will enter into a
software license agreement in the form attached as Exhibit 4-E hereto (the “End
User Agreement”), which End User Agreement contains the terms and conditions,
including warranty and indemnification, governing Customer’s use of the Supplier
Software.


6.1 Documentation.
 
Following execution of the Order Form and the End User Agreement, Supplier shall
deliver to Buyer on behalf of the Customer one copy of the Supplier Software
(via CD-Rom or electronic download) and all necessary and reasonable
documentation, including user, systems, operating and program manuals for the
Supplier Software which Supplier customarily provides to end user licensees of
the Supplier Software.



7.0  
ASSET PROTECTION

In the event that assets are loaned to Supplier and there is no separate loan
agreement in place between Buyer and Supplier for those assets, Supplier will be
responsible for risk of loss and for the return of those assets to Buyer.



8.0  
SUPPLIER SUPPORT SERVICES



The ongoing support and maintenance obligations for the Supplier Software are
set forth in Exhibit 1 hereto (the “Service Level Agreement”). So long as Buyer
has paid the annual support and maintenance fee under the Order Form, Supplier
is then offering support and maintenance services for the Supplier Software and
neither Buyer nor Customer has otherwise breached any provision of the End User
Agreement, Supplier shall provide the support and maintenance services specified
on the Service Level Agreement to Buyer on behalf of Customer. With regard to
the provision of support and maintenance services under the Service Level
Agreement, for so long as the Service Level Agreement is in effect, Supplier
shall comply with Sections 16 (Security), 27 (Audit), 25 (Compliance), 38
(Confidentiality) and 39 (IBM Data). The Service Level Agreement shall survive
the termination of this SOW, so long as Buyer has paid the annual support and
maintenance fee under the Order Form, Supplier is then offering support and
maintenance services for the Supplier Software and neither Buyer nor Customer
has otherwise breached any provision of the End User Agreement.


10.0 Buyer's Responsibilities
 
Responsibilities. Attachment A-1
 
Buyer and the IBM team when necessary has the right to interview and approve
staffing before supplier personnel are brought onto the project.
 
In addition to Buyer's responsibilities as expressly set forth elsewhere in this
SOW or the Base Agreement, Buyer shall be responsible for the following:
 
 
Buyer shall designate one individual to communicate directly with the Supplier
Account Executive, to whom all Supplier communications concerning this SOW shall
be addressed ( “the Relationship Manager").
 
 
Buyer shall cooperate with Supplier, including by making available timely
management decisions, information, approvals and acceptances, as reasonably
requested by Supplier so that Supplier may accomplish its obligations and
responsibilities hereunder. The Relationship Manager, or his or her designee,
will be the principal point of contact for obtaining such decisions,
information, approvals and acceptances. Only personnel as expressly so
designated by Buyer will be authorized to make commitments on the part of Buyer
that amend this SOW.
 


12.0 Communications
All communications between the parties will be carried out through the following
designated coordinators. All notices required in writing under this Agreement
will be made to the appropriate contact listed below at the following addresses
and will be effective upon actual receipt. Notices may be transmitted
electronically, by registered or certified mail, or courier. All notices, with
the exception of legal notices, may also be provided by facsimile.






Business Coordinators
FOR SUPPLIER
 
FOR BUYER
 
Name
  [*]
Name
  [*]
Title
  Sales Manager
Title
  Partner
Address
  8 Commerce Drive
  Bedford, NH 03110
Address
  55 Main St, 1 Financial Plaza, Hartford, Ct.
Phone
  [*]
Phone
  [*]
Fax
  [*]
Fax
  [*]
E-mail
  [*]
E-mail
  [*]



Legal Coordinators
FOR SUPPLIER
 
FOR BUYER
 
Name
  Derek Witte
Name
  [*]
Title
  General Counsel
Title
  Procurement Solution Advisor
Address
  20400 Stevens Creek Blvd.
  Cupertino, CA 95014
Address
 
Phone
  [*]
Phone
  [*]
Fax
  [*]
Fax
 
E-mail
  [*]
E-mail
  [*]



Technical Coordinators
FOR SUPPLIER
 
FOR BUYER
 
Name
  [*]
Name
  [*]
Title
  Sales Manager
Title
  same as above
Address
  8 Commerce Drive
  Bedford, NH 03110
Address
 
Phone
  [*]
Phone
 
Fax
  [*]
Fax
 
E-mail
  [*]
E-mail
 





13.0 Electronic Commerce


Unless previously submitted by Supplier, in order to initiate electronic
transfer of payments associated with this SOW, Supplier will complete the
attached form entitled “Authorization for Electronic Funds Transfer” and fax the
completed form to Accounts Payable at the number included on the form.


Unless previously submitted by Supplier, in order to initiate electronic
transfer of payments associated with this SOW, Supplier will provide the
required information in the attachment entitled “Electronic Funds Transfer.”


14.0 Training.
 
Supplier shall be responsible for the training of Supplier Personnel at no
additional cost to Buyer. This training includes all new-hire training of all
types (including with respect to technical and domain requirements and necessary
cultural and communication skills) prior to the point when the Supplier employee
is qualified to meet the skill set requirements for his or her respective
activities under the Subcontract, including so that such Supplier Personnel has
expertise with Supplier’s then-in-effect architecture and technology. Supplier
shall provide training necessary to meet all compliance requirements mandated on
a country, state, federal or local level for the duties performed in connection
with the Supplier’s Supplier Services.
 
Any training required on Supplier Software for Buyer or Customer personnel will
be charged at the following rates:
 
Course
# Days
Tuition
per person per course
Chordiant Foundation Server
   
CSF - Technical Developer
[*]
$ [*]
CSF - Technical Developer Sandpit
[*]
$ [*]
CSF - Design
[*]
$ [*]
Business Analyst
[*]
$ [*]
Business Analyst Sandpit
[*]
$ [*]
     
Chordiant Certifications
 
 
Technical Developer (CCTD)
[*]
$ [*]
Business Analyst (CCBA)
[*]
$ [*]



 
Subcontractor shall retain IBM specific training materials and other
documentation used in connection with the Subcontractor’s Subcontractor Services
in accordance with IBM provided record retention policies and CIGNA’s seven year
retention requirement.
 
16.0 Security. 
 
Throughout the Subcontract Term and the Termination Assistance Period, Supplier
shall, at no additional cost to Buyer, maintain the security requirements
specified in Exhibit 4-C. 
 
17.0 Supplier Personnel Equipment.
 
Except for the IBM Equipment Buyer shall provide pursuant to the Subcontract
(including CIGNA Equipment provided by Buyer), Supplier shall provide to
Supplier Personnel all standard desktop computer Equipment and Software required
to perform the Supplier Services (including standard Microsoft Office products
or compatible, functionally equivalent products that are compatible with IBM
identified systems, e-mail and LAN/WAN servers). Buyer and Supplier shall agree
on the necessary set of application-specific tools, and which items Supplier
shall provide and which items Buyer shall provide. Supplier shall provide all
office equipment (including PCs), consumables, services and the like required to
support Supplier Personnel at Supplier Service Locations.
 
20.0 IBM/CIGNA Facilities


  20.1 Use of IBM/CIGNA Service Locations. The IBM/CIGNA Service Locations shall
be made available to Supplier on an “as is, where is” basis. Supplier shall
follow any directions of Buyer with respect to the use of such space. Supplier
and Supplier Agents shall: (a) keep the IBM/CIGNA Service Locations in good
order; (b) not commit or permit waste or damage to such facilities; (c) not use
such facilities for any unlawful purpose; and (d) act and comply with all of
Buyer’s and CIGNA’s standard policies and procedures, which have been provided
to Supplier in writing (for the avoidance of doubt, electronic notification is
considered “in writing”), as in effect from time to time, including procedures
for the physical security of the IBM/CIGNA Service Locations, including those
set forth on Exhibit 3 hereto. Supplier shall be responsible for damage to the
IBM/CIGNA Service Locations caused by Supplier or Supplier Agents, subject to
reasonable wear and tear. Subcontractor shall not make any improvements or
changes involving structural, mechanical or electrical alterations to such space
without IBM’s or CIGNA’s prior written consent. Improvements to the IBM/CIGNA
Service Locations shall become the property of IBM or CIGNA (as applicable).
When the IBM/CIGNA Service Locations are no longer required for performance of
the Subcontractor Services, Subcontractor shall return the IBM/CIGNA Service
Locations to IBM or CIGNA in substantially the same condition as when
Subcontractor began use of the facilities, subject to reasonable wear and tear.
Supplier shall permit Buyer of CIGNA and Buyer’s or CIGNA’s designees to enter
into those portions of the IBM/CIGNA Service Locations occupied by Supplier’s
staff at any time. Except for the IBM/CIGNA Service Locations described in this
Subcontract which shall be made available to Supplier, Supplier shall be
responsible for providing all other space that is necessary to provide the
Supplier Services at Supplier’s own or other facilities. Supplier acknowledges
that the location of the IBM/CIGNA Service Locations may change and Supplier
shall provide the Supplier Services with respect to any such relocated IBM/CIGNA
Service Locations at the same cost, subject to Buyer being financially
responsible for Supplier’s incremental expenses for a Buyer-initiated relocation
of the Supplier Services to any such relocated IBM/CIGNA Service Location, but
Subcontractor shall use commercially reasonable efforts to avoid any significant
incremental expenses above the expense estimate set forth in Section 5.0 above
and shall notify IBM the of any incremental expense increase and additional
Subcontractor Services Charges, if any, for compliance with IBM’s direction to
relocate such Subcontractor Services.
 
  20.2 Use of IBM/CIGNA Facility Items. Buyer and CIGNA shall provide reasonable
use of IBM/CIGNA Facility Items substantially equivalent to those made available
by Buyer or CIGNA to its own personnel who perform similar functions. Supplier
may only use the IBM/CIGNA Facility Items for the sole and exclusive purpose of
providing the Supplier Services. Any other uses are subject to the prior written
approval of Buyer or CIGNA in their discretion. Supplier shall keep and use the
IBM/CIGNA Facility Items in a reasonable and efficient manner. Supplier shall
not commit waste or damage to the IBM/CIGNA Facility Items or use them for any
unlawful purpose or act. Supplier is responsible for any damage to IBM/CIGNA
Facility Items resulting from the abuse, misuse, neglect or gross negligence of
Supplier (or its subcontractors or other guests) or other failure to comply with
its obligations respecting such resources. Supplier shall (and shall cause
Supplier Personnel to) review, be knowledgeable of and comply with Buyer’s and
CIGNA’s policies and procedures regarding access to and use of the IBM/CIGNA
Facility Items which have been provided to Supplier in writing, including
procedures for physical and logical security, including those set forth on
Exhibit 2 hereto, and shall follow any of Buyer’s reasonable directions with
respect to the use of such items.
 
  20.3 No Violation of Laws. Supplier shall: (a) treat, use and maintain the
IBM/CIGNA Service Locations in a reasonable manner, but in no event to a lesser
standard than it maintains for its own locations; and (b) not commit, and use
all reasonable efforts to ensure that no Supplier employees nor Supplier Agents
commit, any act in violation of any Laws in such Supplier occupied IBM/CIGNA
Service Location or any act in violation of Buyer’s of CIGNA’s insurance
policies or in breach of Buyer’s or CIGNA’s obligations under the applicable
real estate leases for such Supplier occupied IBM/CIGNA Service Locations, in
each case of which Supplier is apprised in writing by Buyer.
 
  22.0 Safety and Security Procedures. 


 
22.1 While at the IBM/CIGNA Service Locations, Supplier’s employees and the
Supplier Agents shall comply with Buyer’s and CIGNA’s reasonable requests, rules
and regulations regarding personnel and professional conduct (including the
wearing of an identification badge and adhering to regulations and general
safety practices or procedures), which have been provided to Supplier in writing
(for the avoidance of doubt, electronic notification is considered “in
writing”), including the regulations set forth in Exhibit 4-C hereto and
otherwise conduct themselves in a businesslike and professional manner.
 
 


 
22.2   Except as otherwise designated, at IBM/CIGNA Service Locations, smoking
is prohibited inside all buildings operated or occupied by Buyer or CIGNA,
including leased offices and at off-site IBM/CIGNA sponsored conferences and
meetings.
 
22.3 If operating at a IBM/CIGNA Service Location, Supplier shall be responsible
for adhering to all individual IBM and CIGNA Safety, Occupational Health,
Environmental and Operational procedures provided to Supplier in writing in a
manner timely enough to enable compliance and updated regularly to allow Buyer
to ensure their currency and to all local, state, and federal laws and
regulations, including Occupational Safety and Health Act (OSHA) and
Environmental Protection Agency (EPA).
 
 
22.4 If located at an IBM/CIGNA Service Location, Supplier shall immediately
notify Buyer or CIGNA security department (as appropriate) in the event of a
fire or other emergency by calling the emergency telephone number. Supplier
shall train all employees located at IBM/CIGNA Service Locations to respond to
fire, civil defense, bomb threats, evacuations, and other emergencies alarms,
based on procedures established by Buyer or CIGNA which have been provided to
Supplier in writing (for the avoidance of doubt, electronic notification is
considered “in writing”).
 
 


 
22.5 If the Supplier notices any condition at an IBM/CIGNA Service Location that
is unsafe, unhealthy, or in any other way could cause an accident, Supplier
shall notify Buyer immediately, if correction of the condition shall take more
than routine attention, or remedy the condition, if correction of the condition
shall take only minimal attention.
 
23.0 Cooperation.
 
To the extent Buyer performs any of the Supplier Services, or retains IBM Third
Party Contractors to do so, Supplier shall fully cooperate with and work in good
faith with Buyer and IBM Third Party Contractors as reasonably directed by
Buyer. Such cooperation may include (subject to Supplier’s reasonable and
appropriate security and confidentiality requirements): (a) providing access to
any facilities being used to provide the Supplier Services, as necessary for IBM
Third Party Contractors to perform the work assigned to them; (b) providing
access (remotely or onsite as requested by Buyer) to the Equipment, Software
and/or systems used to provide the Supplier Services; (c) reasonable integration
activities to ensure compatibility of systems/products/services of the total
solution; and (d) providing written requirements, standards, policies or other
documentation for the Supplier Services and for the Equipment, Software or
systems procured, operated, supported or used by Supplier in connection
therewith. The Parties shall cooperate in good faith to ensure smooth
performance of the Supplier Services. To that end, there shall be a continuous
exchange of information between the Parties with respect to, but not limited to,
the Supplier Services, quality control and encountered difficulties. Supplier
will provide the cooperation called for in this Section 23.0 on a time and
materials basis for services performed at the rates provided in Section 5.0
above, and on the basis of actual cost for expenses incurred. Supplier will
inform and discuss any additional work or expenses with Buyer before incurring
such cost or expense.
 
24.0 Notification.
 
Supplier shall immediately notify Buyer when it becomes aware that an act or
omission of an IBM Third Party Contractor shall cause, or has caused, a problem
or delay in providing the Supplier Services, and shall use commercially
reasonable efforts to work with Buyer to prevent or circumvent such problem or
delay. Supplier and Buyer shall cooperate with each other to resolve differences
and conflicts arising between the Supplier Services and other activities
undertaken by Buyer or any of the IBM Third Party Contractors. 
 
25.0 COMPLIANCE 
 
25.1 Governmental Approvals. Supplier shall obtain, provide, file and maintain
all Governmental Approvals that are necessary for Supplier or Supplier Agents to
commence and complete the Supplier’s provision of the Supplier Services. Upon
Supplier’s reasonable request, Buyer shall cooperate with and assist Supplier in
obtaining any Governmental Approvals, to the extent reasonably possible.
Supplier shall have financial responsibility for all fees and taxes associated
with obtaining and maintaining all Governmental Approvals.
 
(a) Without limiting Supplier’s obligations under this Section, Supplier shall
be responsible for monitoring and properly notifying Buyer of any Governmental
Approvals required in connection with providing the Supplier Services from the
Offshore Locations.
 
(b) Buyer shall have the right to terminate upon notice to Supplier the relevant
portion of any SOW if the foregoing Governmental Approvals are not obtained or
provided within the required time frames, and the charges thereafter will be
equitably adjusted to reflect such removal.
 
25.2 Compliance with Laws. Supplier (and Supplier’s Affiliates) and Supplier
Personnel shall comply with all laws. If Supplier becomes aware of
non-compliance with any laws, Supplier shall promptly notify Buyer in writing.
Supplier shall provide Buyer with, upon request, data and reports necessary for
Buyer to comply with all laws. If Supplier maintains any records required in
electronic form, such records and their confidentiality shall comply with all
applicable laws. Supplier shall be responsible for any fines and penalties
imposed on Supplier resulting from the failure of Supplier, Supplier Personnel
to comply with laws.
 
25.3 Compliance with Laws in Offshore Locations. Supplier shall be responsible
for monitoring and complying with all laws relating to licensing, import-export,
data flows, technology transfers (but excluding tax laws), applicable to its
performance of the Supplier Services from the Offshore Locations. All costs
relating to the compliance with such laws shall be paid by Supplier, except that
conforming changes to IBM/CIGNA systems to receive the Supplier Services shall
be handled by Buyer or CIGNA at their own cost unless the change is a part of
the Supplier Services under a Statement of Work. Buyer shall provide reasonable
assistance to Supplier in connection with such compliance as requested by
Supplier.
 
25.4 Compliance with Privacy Regulations. Subcontractor shall comply with: (a)
the European Commission Data Protection Directive (95/46/EC) or Data Protection
Act 1998 or any implementing or related legislation of any member state in the
European Economic Area; (b) the Health Insurance Portability and Accountability
Act of 1996; (c) subject to 15.5, the Sarbanes-Oxley Act of 2002 (Pub. L.
107-204, 116 Stat. 745); and (d) any other applicable data protection laws or
regulations to the extent applicable to Subcontractor’s provision of the
Subcontractor Services. Specific provisions relating to HIPAA and data
protection laws are set forth in Exhibit 13 hereto.
 
25.6 Interpretation of CIGNA Laws. CIGNA shall have final approval over the
interpretation and application, and the appropriate method for complying with
any CIGNA Laws (i.e., laws that are specific to CIGNA’s business). Supplier (and
Supplier’s Affiliates), Supplier Agents, and Supplier Personnel shall comply
with all such CIGNA written directions in this regard.
 
27.0 AUDIT
 
27.1 Books and Records. Supplier shall keep and maintain, in accordance with
generally accepted accounting principals and practices, and make available for
the inspection, examination and audit by Buyer, its authorized employees, agents
or representatives and auditors (“IBM Auditors”), upon reasonable notice,
complete and accurate books and records in connection with the Service, as
necessary to: (a) demonstrate Supplier’s compliance with its obligations under
this Subcontract; (b) verify volumes, charges and resource utilization and
payment by Supplier of all license, maintenance and other service fees required
in connection with the performance of the Supplier Services in accordance with
this Subcontract; (c) comply with all applicable Laws; and (d) verify data
security measures, pre-placement checks physical security measures related to
this Subcontract. Supplier shall permit and cooperate with any audit conducted
by Buyer or IBM Auditors. Upon reasonable notice, but not more than once
annually, at the sole expense of Buyer, IBM Auditors shall have the right to
inspect and audit Supplier’s books, records, systems and operations related to
the Supplier Services.
 
27.2 Facilities and Personnel. Supplier shall provide to IBM’s Auditors access
upon request to any facility or part of a facility at which Supplier is
providing the Supplier Services, to Supplier Personnel, and to data and records
relating to the Supplier Services for the purposes of performing audits and
inspections of Buyer and its business to verify the integrity of IBM Data and to
examine the systems related to the Supplier Services that process, store,
support and transmit that data. The foregoing audit rights shall include audits:
(a) of practices and procedures; (b) of systems; (c) of security practices and
procedures; (d) of disaster recovery and backup procedures; (e) necessary to
enable Buyer to meet applicable Laws; and (f) of any Supplier quality assurance
processes. 
 
27.3 Fee Audit.
 
a. Upon Buyer’s request, Supplier shall provide IBM’s Auditors with access to
such financial records and supporting documentation to the extent necessary to
ascertain the correctness of fees due and payable to Supplier hereunder, as may
be requested by Buyer or IBM’s Auditors. Such IBM Auditors may audit any of the
charges charged to Buyer to determine if such fees are accurate and in
accordance with this Subcontract.
 
b. If it is determined that Supplier has overcharged Buyer, IBM shall notify
Supplier of the amount of such overcharge and Supplier shall promptly pay to
Buyer the amount of the overcharge, plus interest at the rate of 1.5% per month
calculated from the date of receipt by Supplier of the overcharged amount until
the date of payment to Buyer.
 
c. In addition to Buyer’s rights set forth in Section (b) above, if any such
audit reveals an overcharge to Buyer of 5% or more of the aggregate fees being
audited Supplier shall, at Buyer’s option, issue to Buyer a credit against the
Service Charges or reimburse Buyer, in either case, for the reasonable cost of
such audit, provided such audit is not performed on a contingency fee basis.
 
27.4 Cooperation
 
a. Supplier and Supplier Personnel shall assist and cooperate with Buyer or its
designees in connection with audit functions and with regard to examinations by
regulatory authorities. Supplier shall provide such assistance as reasonably
required to carry out the audits, including: (i) providing use of Supplier
locations, facilities and resources, including space, office furnishings
(including lockable cabinets), telephone and facsimile services, utilities,
office-related equipment and duplicating services; and (ii) installing and
operating audit software. For the avoidance of doubt, reasonable audit
cooperation is part of the Supplier Services (including participation from
accountants and other Supplier finance personnel) and shall not be counted
against resource utilization. Any actual and reasonable expenses incurred by
Supplier outside ordinary course of business expenses as a result of such audit
will be reimbursed to Supplier by Buyer.
 
b. Other than in connection with a sales or use tax audit, Supplier shall notify
Buyer promptly by telephone or by email if any governmental or regulatory
authority requests an inspection or makes written or oral inquiries of Supplier
regarding any aspect of Buyer’s activities pursuant to this Subcontract, so long
as such notification does not violate any applicable Laws or breach any
obligation of confidentiality to a third party. Unless otherwise required by
applicable Laws, Subcontractor shall not allow physical access to any
governmental or regulatory authority relating to such activities without giving
IBM the right to have a representative present. Supplier and Buyer shall
cooperate in resolving any concerns of any governmental or regulatory authority.
Supplier shall notify Buyer promptly by telephone or by email if Supplier
believes that the actions or inactions of any governmental or regulatory
authority, including the issuance or failure to issue any report, permit, or
license, may cause a negative impact on Supplier’s ability to perform the
Supplier Services.
 
c. At the conclusion of a Buyer audit or examination provided for in this
Subcontract or any applicable Statement of Work and prior to issuing the final
audit report, Buyer shall conduct, or request its external auditors or examiners
to conduct, an exit conference with Supplier to discuss issues identified in the
review. Supplier and Buyer shall meet to review each final audit report promptly
after the issuance thereof and to mutually agree upon an appropriate and
effective manner in which to respond to the deficiencies identified and changes
suggested by the audit report.
 
d. If any audit by an auditor designated by Buyer or a regulatory authority
results in Supplier being notified that Supplier is not in compliance with the
terms of this Subcontract or other required compliance requirements, Supplier
shall comply with such terms after having a reasonable opportunity to contest
such audit finding should such finding be upheld. Subcontractor shall bear the
expense of any such response, and any remedial actions, to the extent that
Subcontractor was not in compliance with the terms of this Subcontract or the
required compliance requirements.
 
27.5 General Procedures. Notwithstanding the intended breadth of Buyer’s audit
rights, Buyer and its internal and external auditors, inspectors, regulators and
other representatives shall not be given access to: (i) the proprietary
information of other Supplier customers; (ii) Supplier locations that are not
related to Buyer or the Supplier Services; or (iii) Supplier’s internal costs,
except as to the extent such costs are the basis upon which Buyer is charged. In
performing audits, Buyer shall endeavor to avoid unnecessary disruption of
Supplier’s operations and unnecessary interference with Supplier’s ability to
perform the Supplier Services. The external auditors and inspectors designated
by Buyer under this Article 27 to conduct operational and/or financial audits
shall not be Supplier Competitors. Buyer’s auditors shall comply with Supplier’s
applicable, reasonable security requirements, including, where appropriate,
execution of a non-disclosure agreement reasonably acceptable to Supplier.
 
27.6 Record Retention. Until: (a) seven years after expiration or termination of
this Subcontract; (b) pending matters relating to this Subcontract (e.g.,
disputes) are closed; or (c) no longer required to meet Buyer’s records
retention policy (as modified from time to time), whichever is later, as
notified to Supplier, Supplier shall maintain and provide access upon request to
the records, documents and other information required to meet Buyer’s audit
rights under this Subcontract.
 
27.7 Legal Discovery. Buyer is required to preserve and produce electronic data
in support of its legal discovery obligations, as they may arise, for
investigations and/or litigation. As part of the Supplier Services, Supplier
shall cooperate with any legal discovery requests made by any IBM Entity,
including the dissemination of preservation requests, collection of data,
imaging of systems, back-up of electronic information, maintenance, retention
and production of any such data. Supplier shall keep detailed records of its
efforts to preserve data required for legal discovery. 
 
28.0 Change Control Procedures.  
 
28.1 Buyer and Supplier shall comply with the following Change Control
Procedures:
 
a. Change Control Procedures shall provide, at a minimum, that: (A) no Change
shall be implemented without written agreement by both Parties, except as may be
necessary on a temporary basis to maintain the continuity of the Supplier
Services; (B) with respect to all Changes, Buyer and Supplier shall: (I) other
than those Changes made on a temporary basis to maintain the continuity of the
Supplier Services, schedule Changes so as not to unreasonably interrupt Buyer’s
business operations; and (II) monitor the status of Changes against the
applicable schedule; (C) with respect to any Change made on a temporary basis to
maintain the continuity of the Supplier Services, Supplier shall document and
provide to Buyer notification (which may be given orally provided that any oral
notice must be confirmed in writing to Buyer within five Business Days) of the
Change no later than the next Calendar Day after the Change is made; and (D)
Supplier shall update the Change Control Procedures as necessary and shall
provide such updated Change Control Procedures to Buyer for its approval.
 
30.0 Pre-Placement Checks
 
30.1 Supplier recognizes Buyer’s desire to maintain a safe and secure working
environment for Buyer employees. For purposes of this Subcontract, “Certain
Supplier Personnel” means any Supplier Personnel who: (i) are to have
behind-the-firewall access to Buyer or CIGNA or their Affiliates’ computer and
telecommunications network (e.g., Buyer or CIGNA Equipment, Software or Buyer or
CIGNA Data), whether such access is provided through an on-site or remote
connection; or (ii) perform certain Software development projects Buyer deems to
be highly sensitive to Buyer’s or CIGNA’s business operations.
 
30.2 Supplier shall have administrative responsibility for conducting the
background checks. Supplier does not conduct drug testing on its personnel.
Buyer may conduct drug testing and background checks itself, at Buyer’s expense,
on any Supplier personnel scheduled to work at IBM/CIGNA Service Locations.
Supplier will make such personnel available for the drug tests and background
checks. Buyer shall have financial responsibility therefore and shall reimburse
Supplier for the check and test costs on a Pass-Through Expense basis.
 
30.3 Supplier shall permit and cooperate with Buyer’s audits of Supplier
compliance with the background screening stated herein.
 
34.0 Replacement, Qualifications and Retention of Supplier Personnel. 
 
34.1 If Buyer determines in good faith that the continued assignment to Buyer of
any particular Supplier Personnel is not in the best interests of Buyer, then
Buyer shall give Supplier written notice to that effect requesting that such
Supplier Personnel be replaced; provided, however, upon Buyer’s request,
Supplier shall immediately reassign any individual from the Buyer account so
long as Buyer demonstrates to Supplier the need for such immediate reassignment.
Promptly after its receipt of such a request by Buyer, Supplier shall
investigate the matters stated in the request and discuss its findings with
Buyer. If requested to do so by Buyer, Supplier shall immediately remove the
individual in question from performance of the Supplier Services pending
completion of Supplier’s investigation and discussions with Buyer. If, following
discussions with Supplier, Buyer still in good faith requests replacement of
such Supplier Personnel, Supplier shall promptly replace such Supplier Personnel
with an individual of suitable ability and qualifications. Nothing in this
provision shall operate or be construed to limit Supplier’s responsibility for
the acts or omissions of Supplier Personnel.
 
34.2 Supplier shall maintain and conduct procedures for the replacement of
Supplier Personnel in such a manner so as to assure an orderly succession for
any Supplier Personnel who is replaced. Upon request, after a determination that
a Supplier Personnel shall be replaced, Supplier shall make such procedures
available to Buyer. The timing for transfer, reassignment or replacement of
Supplier Personnel shall be closely coordinated with the requirements for timing
and other elements of the Supplier Services so as to maintain continuity in the
performance of the Supplier Services.
 
34.3 Supplier shall use its diligent and reasonable efforts to keep the turnover
rate of Supplier Personnel to a reasonably low level. If Buyer believes that
Supplier Personnel’s turnover rate is excessive and so notifies Supplier,
Supplier shall: (i) determine the cause of the excess; (ii) develop a mutually
agreed upon plan to minimize turnover; and (iii) meet with Buyer to discuss the
implementation and timely impact of the plan. Supplier shall be responsible for
replacing personnel who are retiring, or who otherwise leave the Buyer account,
with professional personnel.
 
35.0 Subcontractors. 
 
Except for the subcontractors identified on Exhibit 4 hereto (the “Permitted
Subcontractors”), Supplier shall not subcontract its material obligations under
this Subcontract or any Supplier Services which involve the use of or access to
IBM Data without Buyer’s prior written consent. Supplier may use these Permitted
Subcontractors in connection with the provision of the Supplier Services subject
to the terms of this Subcontract (including the provisions of this Section).
Buyer hereby pre-approves those certain subcontracts between Supplier and third
party original hardware/equipment manufacturers and original software licensors
who perform routine maintenance and support and that do not materially impact a
Buyer or Supplier function that is part of the Supplier Services. 
 
35.1 Supplier shall include in its subcontracts as flow-down provisions,
provisions substantially similar to those provisions of this Subcontract
relating to Buyer facilities, personnel requirements, Buyer’s intellectual
property rights, Buyer’s audit rights, confidentiality, representations and
warranties. Supplier shall require each of its Affiliates and all Permitted
Suppliers to carry insurance at levels customary and appropriate for the types
and volumes of Supplier Services being provided by such Affiliates and Permitted
Suppliers.
 
35.2 The Change of Control of a Permitted Subcontractor to an IBM Competitor
shall in all cases be deemed good cause for the purposes of this Section. Upon
any such revocation, Supplier shall, upon Buyer’s request, replace such
subcontractor with a new subcontractor, subject to Buyer’s approval of the new
subcontractor, the transition plan, and certain material terms of the
subcontract reasonably specified by Buyer. Any revocation of the approval of a
subcontractor pursuant to this Section shall not excuse Supplier from providing
the Supplier Services and meeting the Service Levels; provided that Buyer gives
Supplier 30 days’ notice unless a different notice period has been approved or
agreed by Buyer.
 
35.3 No subcontracting shall release Supplier from its responsibility for its
obligations under this Subcontract. Supplier shall remain responsible for
obligations, services and functions performed by subcontractors to the same
extent as if these obligations, services and functions were performed by
Supplier employees. Supplier shall be Buyer’s sole point of contact. Supplier
shall not disclose Buyer or CIGNA Confidential Information to a subcontractor
(including an Affiliate of Supplier) until such subcontractor has executed a
nondisclosure agreement in a mutually agreed form.
 
35.4 Supplier shall be responsible for all payments to Supplier Agents under
contracts between Supplier and Supplier Agents. Supplier shall promptly pay for
all services, materials, Equipment and labor used by Supplier or Supplier Agents
in providing the Supplier Services and Supplier shall keep Buyer’s premises free
of all liens by Supplier or Supplier Agents.
 
35.5 Nothing in this Subcontract shall prevent, and Subcontractor shall not
prevent or inhibit (through damages, penalties or otherwise), IBM or any IBM
Entity from contracting directly with any of the subcontractors or third party
providers used by Subcontractor in connection with the provision of the
Subcontractor Services upon the cessation of a Service or expiration or
termination of this Subcontract.
 
36.0 REPRESENTATIONS, WARRANTIES AND COVENANTS
 
36.1 By Supplier. Supplier represents, warrants and covenants to Buyer during
the Subcontract Term and the Termination Assistance Period that:
 
a It shall render the Supplier Services with promptness and diligence and shall
execute them in a workmanlike manner, in accordance with the practices and high
professional standards that are the accepted industry norms applicable to the
Supplier Services. Supplier represents and covenants that it shall use adequate
numbers of qualified individuals with suitable training, education, experience
and skill to perform the Supplier Services.
 
b It is now, and shall be during the Subcontract Term and the Termination
Assistance Period, an equal opportunity employer complying with all such
applicable Laws.
 
c It shall maintain the Equipment and Software for which it is responsible under
this Subcontract so that they operate substantially in accordance with their
applicable specifications, including: (i) maintaining Equipment in good
operating condition, subject to normal wear and tear; (ii) undertaking repairs
and preventive maintenance on such Equipment substantially in accordance with
the applicable manufacturer’s recommendations; and (iii) performing Software
maintenance substantially in accordance with the applicable Supplier’s
documentation, recommendations and specifications, in accordance with the
provisions of Section 8 above.
 
f It shall perform its responsibilities under this Subcontract in a manner that
does not infringe, or constitute an infringement or misappropriation of, the
copyright, trademark, trade secret or other proprietary rights of a third party;
provided, however, that Supplier shall not have any obligation or liability
under this clause (f) if and to the extent any such infringement or
misappropriation is caused by: (i) modifications made by Customer, Buyer or IBM
Third Party Contractors not specified or authorized (in each case, in writing)
by Supplier or Supplier Agents; (ii) IBM/CIGNA’s combination of otherwise
non-infringing Supplier’s work product or services with items not furnished or
specified by Supplier or Supplier Agents in writing that by sole virtue of such
combination, makes the work product, service or item infringing; (iii) a breach
of this Subcontract by Buyer; (iv) failure of IBM/CIGNA to use Supplier-provided
corrections or modifications that would remedy the non-infringement and that
offer equivalent features and functionality; (v) third party Software not
provided by Supplier, except to the extent that such infringement or
misappropriation arises from the failure of Supplier to obtain the necessary
third party Software licenses or Required Consents or to abide by the
limitations of the applicable third party Software licenses; (vi) Equipment or
Software or other resources provided to Supplier by IBM/CIGNA; or (vii) the
distribution, operation or use of Software of Materials for the benefit of a
third party outside of the other party’s enterprise.
 
g It has not violated applicable Laws or regulations or Buyer policies (of which
Supplier has been given notice) regarding the offering of inducements in
connection with this Subcontract. If Supplier does not comply with the
foregoing, Buyer shall have the right to terminate this Subcontract for cause
without affording Supplier an opportunity to cure.
 
h If any Equipment provided by Subcontractor, including those provided by any
Affiliate or third party subcontractor to Subcontractor, directly or indirectly
causes any damage or loss to any IBM system or results in the loss of any IBM
Data, Subcontractor shall, at no additional charge to IBM, repair or replace
affected IBM Equipment.
 
i It shall cooperate with Buyer and shall take commercially reasonable actions
and precautions to prevent the introduction and proliferation of Malicious Code
into the systems used to provide the Supplier Services or the IBM environment.
If Malicious Code is found to have been introduced into the systems used by
Supplier to provide the Supplier Services, Supplier shall at no additional
charge eliminate the Malicious Code from such systems used by Supplier to
provide the Supplier Services and, if the Malicious Code causes a loss of
operational efficiency or loss of data, to assist Buyer to the same extent to
mitigate and restore those losses with generally accepted data restoration
techniques. Without the prior written consent of Buyer, Supplier represents,
warrants and covenants that it shall not insert into any Software code that
would have the effect of disabling or otherwise shutting down all or a portion
of the Supplier Services, and with respect to disabling code that may be part of
any Software, that it shall not invoke the disabling code at any time.
 
k It is duly authorized to enter into this Subcontract and to make the
commitments set forth in this Subcontract.
 
l Its execution, delivery and performance of this Subcontract does not
constitute a violation of any judgment, order, or decree; a material default
under any material contract by which it or any of its material assets are bound;
or an event that would, with notice or lapse of time, or both, constitute such a
default.
 
m Supplier warrants that it will perform the Services using reasonable care and
skill, and according to the agreed upon specifications. Buyer agrees that it
must report any deficiencies of the Services to Supplier in writing within
ninety (90) days of performance of the Services in order to receive the warranty
remedy. In such case Supplier will re-perform the Services at no additional
charge.
 
n All current and future employees and agents of and consultants to Supplier
with access to or involved in the performance of Supplier Services have executed
and delivered or shall execute and deliver to Supplier a proprietary rights
agreement with Supplier substantially consistent with the form attached as
Exhibit 10 hereto pursuant to which such employee or consultant agrees to
confidentiality and intellectual property assignment terms sufficient to enable
Supplier to meet its obligations to Buyer and Customer under the Subcontract and
sufficient to enable Buyer to meet its obligations to Customer under the Prime
Contract.
 
37.0 INDEMNIFICATION 
 
37.1 By Supplier. Supplier shall indemnify, defend and hold harmless Buyer and
CIGNA and their respective officers, directors, employees, agents, successors
and assigns from any and all Losses and threatened Losses arising from or in
connection with any of the following:
 
a.  Claims by Governmental Authorities for fines, penalties, financial sanctions
or late charges arising from or in connection with Subcontractor’s (or
Subcontractor Personnel’s) failure to comply with any laws solely to the extent
Subcontractor’s failure to comply with laws constitutes a breach of
Subcontractor’s services obligations under the Subcontract or a Statement of
Work which services obligation was communicated to Subcontractor by IBM as a
written requirement in order to enable IBM to comply with such laws;
 
b.  Supplier’s use or disclosure of information in breach of its confidentiality
obligations set forth in this Subcontract;
 
c.  Supplier’s failure to obtain the Required Consents or comply with the terms
of any third party consent or underlying agreement;
 
d.  any claim or action initiated by an Affiliate of Supplier or potential or
actual agent of Supplier (including Supplier Personnel) asserting rights in
connection with this Subcontract;
 
e.  any actual or alleged infringement or misappropriation of the trade secret,
copyright or other proprietary rights, alleged to have occurred because of
systems or other resources provided by or on behalf of Supplier or Supplier
Personnel or based upon performance of the Service; provided, however, that
Supplier shall not have any obligation or liability under this clause (h) if and
to the extent any such infringement or misappropriation is caused by: (i)
modifications made by Buyer, CIGNA, IBM Third Party Contractors or CIGNA Third
Party Contractors not specified or authorized (in each case, in writing) by
Supplier or Supplier Agents; (ii) Buyer’s or CIGNA’s combination of otherwise
non-infringing Supplier’s work product or services with items not furnished or
specified by Supplier or Supplier Agents in writing that by sole virtue of such
combination, makes the work product, service or item infringing; (iii) a breach
of this Subcontract by Buyer; (iv) failure of Buyer or CIGNA to use
Supplier-provided corrections or modifications that would remedy the
non-infringement and that offer equivalent features and functionality; (v) third
party Software not provided by Supplier, except to the extent that such
infringement or misappropriation arises from the failure of Supplier to obtain
the necessary third party Software licenses or Required Consents or to abide by
the limitations of the applicable third party Software licenses; or (vi)
Equipment, or Software provided to Supplier by Buyer or CIGNA, neither of which
has been authorized or approved by Buyer.
 
f.  any amounts assessed against any IBM Entity, including taxes, penalties and
interest, assessed against any IBM Entity, that are the obligation of Supplier
under this Subcontract;
 
g.  any claim relating to any violation by Supplier or Supplier Agents or their
respective officers, directors, employees, representatives or agents, of any Law
or any common law protecting persons or members of protected classes or
categories, including laws or regulations prohibiting discrimination or
harassment on the basis of a protected characteristic;
 
h.  any claim or action by, on behalf of, or related to, any prospective,
then-current or former employees of Supplier or Supplier Agents arising out of
hiring practices of Supplier or employment or termination of employment with
Supplier, including any claim arising under occupational health and safety,
worker’s compensation, ERISA or other applicable Law, except for claims arising
out of misrepresentations made by Buyer to Hired Employees, if any, prior to
their respective Hire Dates;
 
i.  any claim or action by, on behalf of, or related to, any prospective,
then-current or former employees of Supplier or Supplier Agents based on a
theory that Buyer is an employer or joint employer of any Supplier or Supplier
Agent personnel;
 
j.  any claim or action by, on behalf of, or related to, any third party
providing services to Buyer prior to the SOW Effective Date relating to actions
of Supplier or Supplier Personnel, including the hiring by Supplier of the third
party’s employees;
 
k.  damages for the death or bodily injury of an agent, employee, customer,
business invitee or business visitor or other person caused by the tortious
conduct of Supplier or Supplier Agents;
 
l.  damages for the damage, loss or destruction of real or tangible personal
property caused by the tortious conduct of Supplier or Supplier Agents;
 
m.  any claim or action or other proceeding asserted against Buyer but resulting
from an act or omission of Supplier or any Supplier Agent in its capacity as an
employer of a person; and
 
n.  any claim in connection with the handling and processing of any and all
immigration and employment-related issues and requirements arising in connection
with the Supplier Personnel (whether located in the United States or elsewhere).
 
38.0 CONFIDENTIALITY 
 
38.1 IBM or CIGNA Confidential Information. Supplier shall: (a) use the same
care and discretion to avoid disclosure, publication or dissemination of IBM or
CIGNA Confidential Information as it uses with respect to its own similar
information that it does not wish to disclose, publish or disseminate; and (b)
use IBM or CIGNA Confidential Information solely to the extent required to
fulfill its obligations or exercise its rights under this Subcontract. Supplier
shall not disclose, publish, release, transfer or otherwise make available IBM
or CIGNA Confidential Information in any form to, or for the use or benefit of,
any person or entity without Buyer’s consent. Subject to Section 16.4, Supplier
shall, however, be permitted to disclose relevant aspects of the IBM or CIGNA
Confidential Information to its officers, directors, agents, professional
advisors, Supplier Agents and employees, to the extent that such disclosure is
not restricted under this Subcontract or any Governmental Approvals and only to
the extent that such disclosure is reasonably necessary for the performance of
its duties and obligations, or exercise of its rights, under this Subcontract;
provided, however, that all such persons or entities have entered into an
agreement containing terms consistent with the terms set forth in this Article
and Supplier shall take all reasonable measures to ensure that IBM or CIGNA
Confidential Information is not disclosed, published or disseminated in
contravention of the provisions of this Subcontract by such officers, directors,
agents, professional advisors, Supplier Agents and employees. The obligations in
this Section shall not restrict any disclosure pursuant to any law (provided
that Supplier shall give prompt notice to Buyer and the disclosing IBM Entity of
such order). 
 
38.2 Restricted Materials. Subcontractor hereby acknowledges and agrees that the
following items, whether in paper or electronic form, are IBM or CIGNA
Confidential Information: all IBM or CIGNA financial, pricing, and costs of or
relating to IBM or CIGNA or suppliers or customers of IBM, CIGNA and their
Affiliates, all marketing and business plans and forecasts of IBM or CIGNA, any
information related to consumer goods in development or discovery, IBM
protocols, case report forms, data management plans, data listings, statistical
analyses results, minutes, notes, or recollections of contents of meetings or
strategy discussions relating to IBM’s or CIGNA’s business operations,
personally identifiable information and policy and procedure manuals (excluding
any pre-existing Subcontractor Confidential Information) (collectively,
“Restricted Materials”). Subcontractor shall treat all Restricted Materials as
strictly confidential and: (a) shall use the Restricted Materials only to the
extent necessary to perform its obligations or exercise its rights under this
Subcontract; (b) shall provide access to such Restricted Materials only to those
Subcontractor Personnel who have a need to know in connection with
Subcontractor’s performance of its obligations or exercise of its rights under
this Subcontract; and (c) shall use the same care and discretion to avoid
disclosure, publication or dissemination of Restricted Materials as it uses with
respect to its own similar information that it does not wish to disclose,
publish or disseminate. Other IBM or CIGNA Confidential Information not
expressly listed in this Section may be considered Restricted Materials of IBM
or CIGNA and should be treated as such by Subcontractor upon written notice from
IBM.
 
38.3 Supplier Confidential Information. Buyer shall: (a) use the same care and
discretion to avoid disclosure, publication or dissemination of Supplier
Confidential Information as it uses with respect to its own similar information
that it does not wish to disclose, publish or disseminate; and (b) use Supplier
Confidential Information solely to the extent required to fulfill its
obligations or exercise its rights under this Subcontract. Buyer shall not
disclose, publish, release, transfer or otherwise make available Supplier
Confidential Information in any form to, or for the use or benefit of, any
person or entity without Supplier’s consent. Buyer shall, however, be permitted
to disclose relevant aspects of the Supplier Confidential Information to its
officers, directors, agents, professional advisors, contractors, subcontractors
and employees and to the officers, directors, agents, professional advisors,
contractors, subcontractors and employees of the IBM Entities, to the extent
that such disclosure is not restricted under this Subcontract or any
Governmental Approvals and only to the extent that such disclosure is reasonably
necessary for the performance of its duties and obligations, or exercise of its
rights, under this Subcontract; provided, however, that Buyer shall take all
reasonable measures to ensure that Supplier Confidential Information of Supplier
is not disclosed, published or disseminated in contravention of the provisions
of this Subcontract by such officers, directors, agents, professional advisors,
contractors, subcontractors and employees. The obligations in this Section shall
not restrict any disclosure pursuant to any Law (provided that the recipient
shall give prompt notice to Supplier of such order).
 
38.4 Exceptions. The obligations mentioned under Section 38.1, Section 38.2 and
Section 38.3 do not apply if, and to the extent that the receiving party is able
to prove that: (a) it previously had such knowledge and information without
obligation of confidentiality; (b) such knowledge and information was or becomes
part of the public domain, publicly available or public knowledge through no
fault of the receiving party; (c) it has received such knowledge and information
from a third party, the disclosure to such third party without constituting a
breach of the confidentiality undertaking hereunder; or (d) it independently
developed such knowledge or information without use of or access to the
disclosing party’s confidential information, as demonstrated by reasonable
supporting evidence.
 
38.5 No Copies. The receiving party (nor any person or entity to whom the
receiving party has a right to disclose the Confidential Information of the
disclosing Party under this Article 29) shall not make copies of Confidential
Information, in whole or in part, obtained from the disclosing party, except as
necessary to perform its obligations under this Subcontract.
 
38.6 Ownership of Confidential Information. For the avoidance of doubt, all IBM
or CIGNA Confidential Information (including Restricted Materials) is the
property of Buyer or CIGNA, respectively. For the avoidance of doubt, all
Supplier Confidential Information is the property of Supplier.
 
38.7 Confidential Agreement. This Subcontract is a confidential agreement
between Supplier and Buyer. In no event may this Subcontract be reproduced or
copies shown to any third parties by either Buyer or Supplier without the prior
written consent of the other Party, except as may be necessary by reason of
legal, accounting or regulatory requirements of Supplier or Buyer, as the case
may be, or to obtain legal, accounting or other advice in connection with this
Subcontract, in which event Supplier and Buyer agree to exercise reasonable
diligence in limiting such disclosure to the minimum necessary under the
particular circumstances and cause anyone to whom such Party provides this
Subcontract to keep it confidential in accordance with the provisions of this
Subcontract. Neither Party is permitted to issue any press release, distribute
any advertising, or make any public announcement concerning this Subcontract or
its business relationship with the other Party without the other Party’s prior
written consent. The obligations in this Section 38.7 shall not restrict any
disclosure of required pursuant to any Law; provided that: (a) each Party shall
give reasonable and prompt advance notice of such disclosure requirement to the
other and give the other reasonable opportunity to object to and contest such
disclosure; and (b) each Party shall use reasonable efforts to secure
confidential treatment of any such information that is required to be disclosed.
 
38.8 Disclosure. Notwithstanding the confidentiality, non-disclosure and
proprietary rights provisions of this Subcontract, Supplier acknowledges and
agrees that Buyer and Supplier has the right to file a copy of, and/or disclose,
all or part of this Subcontract and related documents and information, including
performance reports and fees and invoicing, as may be required or requested by
its regulators and auditors.
 
38.9 Unauthorized Acts. Without limiting the rights of the IBM Entities in
respect of a breach of this Section 38, Supplier shall: (a) promptly notify
Buyer of any unauthorized possession, use or knowledge, or attempt thereof, of
the Buyer or CIGNA Confidential Information by any person or entity that may
become known to Supplier; (b) promptly furnish to Buyer full details of the
unauthorized possession, use or knowledge, or attempt thereof, and assist Buyer
in investigating or preventing the recurrence of any unauthorized possession,
use or knowledge, or attempt thereof, of IBM or CIGNA Confidential Information;
(c) cooperate with Buyer in any litigation and investigation against third
parties deemed necessary by Buyer to protect the proprietary rights of Buyer;
and (d) promptly use its diligent and reasonable efforts to prevent a recurrence
of any such unauthorized possession, use or knowledge, or attempt thereof, of
IBM or CIGNA Confidential Information. Without limiting the rights of the
Supplier in respect of a breach of this Section 38, Buyer shall: (a) promptly
notify Supplier of any unauthorized possession, use or knowledge, or attempt
thereof, of the Supplier Confidential Information by any person or entity that
may become known to Buyer or CIGNA; (b) promptly furnish to Supplier full
details of the unauthorized possession, use or knowledge, or attempt thereof,
and assist Supplier in investigating or preventing the recurrence of any
unauthorized possession, use or knowledge, or attempt thereof, of Supplier
Confidential Information; (c) cooperate with Supplier in any litigation and
investigation against third parties deemed necessary by Supplier to protect the
proprietary rights of Supplier; and (d) promptly use its diligent and reasonable
efforts to prevent a recurrence of any such unauthorized possession, use or
knowledge, or attempt thereof, of Supplier Confidential Information.
 
38.10 Injunctive Relief. Supplier acknowledges that, in the event of any breach
of the provisions of this Section 38, Buyer may suffer damages that are not
easily determinable, and shall be entitled to seek equitable relief, including
an injunction or an order for specific performance, in addition to all other
remedies available to Buyer at law or in equity. Buyer acknowledges that, in the
event of any breach of the provisions of this Section 38, Supplier may suffer
damages that are not easily determinable, and shall be entitled to seek
equitable relief, including an injunction or an order for specific performance,
in addition to all other remedies available to Supplier at law or in equity. 
 
38.11 Shared Service Location. If: (a) Supplier provides the Supplier Services
to Buyer from a Shared Environment; and (b) any part of the business of Supplier
or any such third party is now or is in the future competitive with Buyer’s or
CIGNA’s business as specified through IBM’s or CIGNA’s Competitors, then
Supplier shall develop a process, subject to Buyer’s approval, to restrict
access in any such Shared Environment to IBM or CIGNA Confidential Information
so that Supplier’s employees or Supplier Agents providing services to such IBM
or CIGNA Competitors do not have access to IBM or CIGNA Confidential
Information.
 
38.12 Attorney Client Privileged Documents. Supplier recognizes that it may
obtain access to client documents, data and databases created by and for Buyer
or CIGNA and associated communications related thereto which are confidential
attorney work product or subject to the attorney-client privilege. Supplier
shall not reveal to any third parties any such data or information: (a) marked
with the words “attorney-client privilege” or “attorney work product” or words
of similar import; or (b) designated by Buyer to Supplier as being subject to
the attorney-client privilege or confidential attorney work product (such marked
and designated data or information, collectively, “Privileged Work Product”).
Supplier shall safeguard to prevent the unintentional disclosure of Privileged
Work Product to third parties. The only Supplier Personnel who may have access
to Privileged Work Product shall be those for whom such access is necessary for
the purpose of providing Supplier Services to Buyer as provided in this
Subcontract. Supplier recognizes that Privileged Work Product has been prepared
in anticipation of litigation and that Supplier is performing the Supplier
Services in respect of the Privileged Work Product as an agent of Buyer, and
that all matters related thereto and protected from disclosure by Rule 26 of the
United States Federal Rules of Civil Procedure (or any similar law in other
local jurisdictions). Should Supplier ever be notified of any judicial or other
proceeding seeking to obtain access to Privileged Work Product, Supplier shall:
(i) immediately notify Buyer; (ii) take such reasonable actions at Buyer’s
expense as may be specified by Buyer to resist providing such access; and (iii)
if such access cannot be resisted, then only permit access to the extent
required by law. 
 
38.13 Review. Buyer reserves the right to review Supplier’s policies and
procedures used to maintain the security and confidentiality of Personal
Information, including auditing Supplier concerning such policies and
procedures. The provisions of this Section, are in addition to, and shall not be
construed to limit any other confidentiality obligations under this Subcontract.
Any exclusion from the definition of IBM or CIGNA Confidential Information
contained in this Subcontract shall not apply to Personal Information.
 
38.14 Survival. The Parties’ obligations of non-disclosure and confidentiality
shall survive the expiration or termination of this Subcontract for a period of
seven years.
 
39.0 IBM DATA 
 
39.1 Ownership of IBM or CIGNA Data. All IBM or CIGNA Data is, or shall be, and
shall remain the property of IBM or CIGNA (as appropriate), as the case may be,
and shall be deemed IBM or CIGNA Confidential Information. Without IBM’s
approval (in its sole discretion), IBM or CIGNA Data shall not be: (a) used by
Supplier other than is necessary for Supplier’s performance under this
Subcontract and solely in connection with providing the Supplier Services and
the performance of Supplier’s obligations under this Subcontract; (b) disclosed,
sold, assigned, leased or otherwise disposed of or provided to third parties by
Supplier except as directed by Buyer; or (c) commercially exploited by or on
behalf of Supplier. Supplier shall not possess or assert liens or other rights
in or to IBM Data.
 
39.2 IBM Access to IBM Data. Buyer shall have unrestricted access (subject to
Supplier’s reasonable security precautions) to, and the right to review and
retain the entirety of, all computer or other files containing IBM or CIGNA Data
in the possession or under the control of Supplier or Supplier Agents. At no
time shall any of such files or other materials or information be stored or held
in a form or manner not reasonably accessible to Buyer. Except as specifically
set forth in this Subcontract, Supplier shall have no implied right to access
any data files, directories of files, or other IBM or CIGNA Confidential
Information and shall access and/or use such files and IBM or CIGNA Confidential
Information only as and to the extent necessary to perform the Supplier Services
that are the subject of this Subcontract or the Statements of Work. Upon the
request of IBM, Subcontractor shall confirm that, to the best of its knowledge,
all files and other information provided to IBM or its designee are complete and
that no material element, amount, or other fraction of such files containing IBM
or CIGNA Data or other information that constitutes IBM or CIGNA Data to which
IBM may request access or review has been deleted, withheld, disguised or
encoded in a manner inconsistent with the purpose and intent of providing full
and complete access to IBM or CIGNA Data to IBM or its designee as contemplated
by this Subcontract. 
 
39.5 Return of Data. Upon request by Buyer at any time during the Subcontract
Term and upon the cessation of a Service or expiration or termination of this
Subcontract (or at the end of the Termination Assistance Period if directed by
Buyer), Supplier shall: (a) promptly return to Buyer, in the format and on the
media requested by Buyer, all or any part of the IBM or CIGNA Data; and (b)
erase or destroy all or any part of the IBM or CIGNA Data in Supplier’s
possession, in each case to the extent so requested by Buyer. Any archival tapes
containing IBM or CIGNA Data shall be used by Supplier solely for back-up
purposes.
 
39.6 Data Safeguards.
 
a Supplier shall establish and maintain safeguards against the destruction,
loss, or alteration of IBM or CIGNA Data in the possession of Supplier in
accordance with Exhibit 4-C. 
 
b Supplier shall implement a data security plan designed to impose security on
all parts of Supplier’s organization that are exposed to, or have access to,
Buyer or to IBM or CIGNA Data. Such plan shall at a minimum be as protective as
required by this Subcontract, including Exhibit 4-C hereto. In addition,
Supplier shall at all times comply with all statutory and regulatory
requirements.
 
c Supplier shall maintain the security procedures that are required by this
Subcontract, including Exhibit 4-C hereto.
 
40.0 PROPRIETARY RIGHTS
 
Definitions.
 
The following definitions shall apply to the defined terms used in this Section
40.
 
“IBM Intellectual Property” means Intellectual Property of IBM existing as of
the commencement of this service engagement or subsequently developed by IBM or
its subcontractors other than Supplier outside the scope of this SOW.
 
“Intellectual Property” means all present and future right title and interest
whatsoever whether legal or beneficial anywhere in the world in any copyright
and in any registered designs, unregistered design rights, trade marks (whether
or not registered), goodwill, rights or protections equivalent or similar to
copyright (including all moral rights), topography rights, patents, petty
patents, utility models, database rights, data, know-how, trade secrets,
research and development information, preparatory designs, design standards
specifications, computer software (including all source code object code in
relation thereto) calculations, formulae, confidential information, designations
and rights under any international convention for protection of any of the
foregoing and any licenses applications or consents (respectively) granted
applied for or given in respect of any of the foregoing.
 
“Supplier Intellectual Property” means Intellectual Property of Supplier
existing as of the commencement of this service engagement or subsequently
developed by Supplier outside the scope of this SOW.
 
“Supplier Software” means all commercially licensed Supplier proprietary
Software programs licensed to Customer under the Order Form and End-User
Agreement.
 
40.1 Limited License Grant to IBM Technology. Buyer hereby grants to Supplier
(and, to the extent necessary for Supplier to provide the Supplier Services, to
Supplier Agents designated by Supplier that sign a written agreement with
Supplier with terms consistent with the applicable terms contained herein) a
world-wide, non-exclusive, non-transferable, limited, license during the
Subcontract Term to Use the IBM proprietary Software programs (including any
CIGNA proprietary Software programs that CIGNA has licensed to Buyer) and
related documentation that is identified as such in the applicable Subcontract
that may be delivered by Buyer to Supplier in connection with Supplier’s
performance of the Supplier Services (the “Licensed IBM Technology”), such Use
to be made solely in connection with Supplier’s performance of the Supplier
Services in accordance with the provisions of this Subcontract. 
 
40.2 Conditions on Supplier License Rights to IBM Technology.
 
q Except for the license rights in and to the Licensed IBM Technology granted
under Section 40.1, no license or other right in or to any of the Licensed IBM
Technology is granted by implication, estoppel or otherwise by Buyer to
Supplier. Buyer shall own, and Supplier hereby perpetually assigns to Buyer all
right, title and interest in and to the Licensed IBM Technology, including all
right, title and interest in and to any modifications, enhancements or
derivative works of or based on the Licensed IBM Technology (except as set forth
in Section 40.5).
 
r Except as expressly provided in Section 40.1 with respect to Supplier Agents,
Supplier may not sublicense, assign, lease or otherwise transfer, distribute or
exploit any of the Licensed IBM Technology or any of the license rights granted
to it under Section 40.1, to any Affiliate of Supplier or to any third party,
whether directly, indirectly or by operation of law, including by merger, stock
transfer, or otherwise.
 
s Supplier shall not reverse engineer, decompile, disassemble, modify or enhance
any of the Licensed IBM Technology or any part thereof or otherwise attempt to
create any derivative works of any of the Licensed IBM Technology or any part
thereof except as required in connection with Supplier’ s performance of the
Supplier Services.
 
t Supplier shall adhere to all of the operational and security rules, procedures
and guidelines that are instituted from time to time by Buyer and communicated
to Supplier on a timely basis in connection with the exercise by Supplier of its
right to access remotely certain of the Licensed IBM Technology.
 
u All Licensed IBM Technology constitutes IBM or CIGNA Confidential Information
and valuable trade secrets of Buyer. As such, Supplier shall keep all Licensed
IBM Technology confidential in accordance with the provisions of Section 38.
 
v Supplier’s license rights in and to the Licensed IBM Technology shall
terminate automatically upon the cessation of a Service or expiration or earlier
termination of the Subcontract Term. Promptly after the cessation of a Service
or expiration or earlier termination of the Subcontract Term (or partial
termination to the extent the Licensed IBM Technology, or parts thereof, are no
longer required to perform the Supplier Services), or as otherwise requested by
Buyer, Supplier shall deliver to Buyer or destroy any and all devices, records,
data, computer disks and tapes, notes, reports, proposals, lists,
correspondence, specifications, drawings, blueprints, sketches, materials,
Equipment, other documents or tangible property of any type comprising or
containing any Licensed IBM Technology and any and all copies and reproductions
of any of the aforementioned items in the possession or control of Supplier. An
Executive of Supplier shall provide Buyer with written certification that all
devices, records, data, computer disks and tapes, notes, reports, proposals,
lists, correspondence, specifications, drawings, blueprints, sketches,
materials, Equipment, other documents or tangible property of any type
comprising or containing any Licensed IBM Technology and any and all copies and
reproductions thereof have been destroyed or deleted from Supplier’s, Supplier’s
employees’, subcontractors, and Supplier’s Agents’ electronic storage devices.
 
40.3 IBM Intellectual Property. All worldwide right, title and interest in and
to all IBM Intellectual Property, together with any and all intellectual
property rights inherent in any of the IBM Intellectual Property and appurtenant
thereto including all patent rights, copyrights, trademarks, know-how and trade
secrets, shall belong exclusively to Buyer perpetually.
 
40.4 Supplier Intellectual Property.
 
a All worldwide right, title and interest in and to all Supplier Intellectual
Property, together with any and all intellectual property rights inherent in any
of the Supplier Intellectual Property and appurtenant thereto including all
patent rights, copyrights, trademarks, know-how and trade secrets, shall belong
exclusively to Supplier perpetually.
 
b. Supplier hereby grants to Customer a worldwide, perpetual, irrevocable, fully
paid-up, nonexclusive, unlimited license to Use and sublicense, and to permit
third parties to Use, the Supplier Intellectual Property (exclusive of Supplier
Software) that is incorporated or embedded in any Customer New Intellectual
Property for so long as such Supplier Intellectual Property remains embedded or
incorporated in such Customer New Intellectual Property and is not separately
commercially exploited by Customer. If any software (exclusive of Supplier
Software) is included in the Supplier Intellectual Property, then such software
shall be licensed to Customer as set forth in this Section 40.4(c) in both
object code and source code format. The rights and licenses granted in this
Section 40.4(c) are to all Customer Entities, both current and future, and to
the extent part of such operations are sold or divested, such rights and
licenses shall extend to such sold or divested part or entity. Upon Customer’s
request, Subcontractor shall deliver to Customer a copy of the Subcontractor
Intellectual Property (exclusive of Supplier Software) in object code and source
code format. Source code to Supplier Intellectual Property constitutes
Subcontractor Confidential Information and valuable trade secrets of Supplier.
As such, Customer shall keep all such source code confidential in accordance
with the provisions of Article 38.
 
c. Notwithstanding the provisions of paragraph b of this Section 40.4 above, any
Subcontractor Intellectual Property that is sold or licensed on a commercial
basis by Subcontractor (including without limitation the Supplier Software)
shall not be licensed to Buyer or Customer except under the terms of a separate
license agreement (which may or may not include a license to source code). For
the sake of clarification, Supplier has licensed Supplier Software to the
Customer under the terms and conditions of the Order Form and End-User
Agreement. No Supplier Software has been licensed to Buyer.
 
40.5 New Intellectual Property. 
 
a. IBM New Intellectual Property. Buyer owns, and Supplier hereby perpetually
assigns to Buyer, all rights, title and interests in all modifications and
enhancements to, and derivatives of, IBM Intellectual Property (collectively,
“IBM New Intellectual Property”). 
 
b. Supplier New Intellectual Property. Supplier shall own all modifications and
enhancements to, and derivatives of, Supplier Intellectual Property (exclusive
of Supplier Software) that are developed by Supplier during the provision of any
Supplier Services (collectively, “Supplier New Intellectual Property”). Supplier
hereby grants to Customer an unlimited, worldwide, fully paid-up license to Use
(and allow Customer’s agents and third parties to Use) any Supplier New
Intellectual Property, subject to Buyer’s ownership of IBM Data and IBM or CIGNA
Confidential Information contained therein. Supplier shall own all modifications
and enhancements to, and derivatives of, Supplier Software that are developed by
Supplier during the provision of any Supplier Services. Supplier hereby grants
to Customer a license to Use the New Supplier Software to the same extent as the
Customer is permitted to Use the Supplier Software under the terms and
conditions of the End-User Agreement.
 
c. Customer New Intellectual Property. Unless expressly stated otherwise in
Subcontract and except for modifications and enhancements to, and derivatives
of, IBM Intellectual Property, Supplier Intellectual Property or Supplier
Software, Customer owns, and Supplier hereby perpetually assigns to Customer,
all rights, title and interests in work product that are developed or provided
by Supplier in connection with the provision of any Supplier Services, including
any Deliverables (including related documentation necessary to use and support
the Deliverables and work product embedded in the Deliverables) whether
developed or provided in connection with Subcontract (collectively, “Customer
New Intellectual Property”).
 
40.6 Deliverables.
 
Supplier shall not introduce any third party-owned or licensed components in
Deliverables without obtaining Customer’s prior written approval in each
instance. To the extent Customer approves of such introduction, prior to such
introduction Supplier shall obtain the right to grant Customer, without
additional charge, a perpetual, irrevocable, fully-paid up, non-exclusive
license to Use such third party components as part of the Deliverables, and to
sublicense such rights to other entities for the purpose of providing services
similar to the Supplier Services to Customer. To the extent Supplier is unable
to obtain the rights described in this Section 40.6, Supplier shall notify
Customer in writing of its inability to grant Customer such a license and of the
cost and viability of other components that can perform the requisite functions
and with respect to which Supplier has the ability to grant such a license. This
notice shall contain the third party Supplier’s proposed terms and conditions,
if any, for making the components available to Customer after expiration, upon
any partial or whole termination of this Subcontract, or upon cessation of
Supplier Services. Supplier may introduce such components in Deliverables only
with Customer’s prior written approval. 
 
All reports, processes, methodologies, deliverables, plans, information,
materials, data, drawings, inventions, suggestions, computer Software,
renditions, mock-ups, prototypes or other works provided by Subcontractor as a
deliverable or otherwise under this Subcontract that do not constitute
Deliverables shall be licensed by Subcontractor to Customer in accordance with
Section 40.4.
 
40.8 Pre-Existing IP. Subcontractor must identify and obtain Buyer’s prior
written approval for the use of any pre-existing Subcontractor Intellectual
Property that shall be embedded in IBM New Intellectual Property or Customer New
Intellectual Property prior to the development of any such IBM New Intellectual
Property or Customer Intellectual Property.
 
40.9 Enforceability.
 
a. During the Subcontract Term and any time thereafter, Supplier shall assist
Buyer or its designee, at Buyer’s expense, in every reasonable way to secure all
of Buyer’s worldwide perpetual ownership rights, title and interest in IBM
Intellectual Property and IBM New Intellectual Property (and all licenses to
Supplier Intellectual Property granted to pursuant to this Article 40) in any
and all countries, including the disclosure to Buyer of all pertinent
information and data with respect thereto, the execution of all applications,
registrations, filings, specifications, oaths, assignments and all other
instruments which Buyer shall deem necessary or appropriate to: (a) apply for
and obtain such rights, title and interest and to assign and convey to Buyer,
its successors, assigns and nominees the sole and exclusive rights, title and
interests worldwide perpetually in and to the IBM Intellectual Property and IBM
New Intellectual Property; and (b) obtain such license rights as set forth in
this Article 40 in and to Supplier Intellectual Property. Supplier further
agrees that its obligation to execute or cause to be executed any such
instrument or papers shall continue after the cessation of a Service or
expiration or termination of the Subcontract Term. If testimony or information
relative to any of said matters or related to any interference or litigation is
requested by Buyer either during the Subcontract Term or following its
expiration or termination or the cessation of a Service, Supplier agrees to give
all information and testimony and do all things reasonably requested that
Supplier may lawfully do, at Buyer’s sole expense. Without limiting the
foregoing, Supplier, at Buyer’s request, agrees to execute such assignments and
confirmations of: (i) assignment of all rights, title and interests in and to
the IBM Intellectual Property and the IBM New Intellectual Property; and (ii)
license rights as set forth in this Article 40 in and to Supplier Intellectual
Property, each of (i) and (ii) in form acceptable to Buyer. If Buyer is unable
because of Supplier’ s unavailability, refusal, dissolution or for any other
reason to secure a signature by or on behalf of Supplier to apply for or to
pursue any application, registration, filing or other instrument for any United
States, Indian or foreign intellectual property rights covering the IBM
Intellectual Property and the IBM New Intellectual Property, then Supplier
hereby irrevocably designates and appoints Buyer and its duly authorized
officers and agents as Supplier’s agent and attorney in fact, to act for and on
Supplier’ s behalf and stead to execute and file any such application,
registration, filing or other instrument, and to do all other lawfully permitted
acts to further the prosecution and issuance of such intellectual property
rights, with the same legal force and effect as if executed by Supplier. 
 
b. During the Subcontract Term and any time thereafter, Supplier shall assist
Customer or its designee, at Customer’s expense, in every reasonable way to
secure all of Buyer’s worldwide perpetual ownership rights, title and interest
in Customer New Intellectual Property (and all licenses to Supplier New
Intellectual Property granted to pursuant to this Article 40) in any and all
countries, including the disclosure to Customer of all pertinent information and
data with respect thereto, the execution of all applications, registrations,
filings, specifications, oaths, assignments and all other instruments which
Customer shall deem necessary or appropriate to: (a) apply for and obtain such
rights, title and interest and to assign and convey to Buyer, its successors,
assigns and nominees the sole and exclusive rights, title and interests
worldwide perpetually in and to the Customer New Intellectual Property; and (b)
obtain such license rights as set forth in this Article 40 in and to Supplier
New Intellectual Property. Supplier further agrees that its obligation to
execute or cause to be executed any such instrument or papers shall continue
after the cessation of a Service or expiration or termination of the Subcontract
Term. If testimony or information relative to any of said matters or related to
any interference or litigation is requested by Customer either during the
Subcontract Term or following its expiration or termination or the cessation of
a Service, Supplier agrees to give all information and testimony and do all
things reasonably requested that Supplier may lawfully do, at Customer’s sole
expense. Without limiting the foregoing, Supplier, at Buyer’s request, agrees to
execute such assignments and confirmations of: (i) assignment of all rights,
title and interests in and to the Customer New Intellectual Property; and (ii)
license rights as set forth in this Article 40 in and to Supplier New
Intellectual Property, each of (i) and (ii) in form acceptable to Buyer. If
Buyer is unable because of Supplier’ s unavailability, refusal, dissolution or
for any other reason to secure a signature by or on behalf of Supplier to apply
for or to pursue any application, registration, filing or other instrument for
any United States, Indian or foreign intellectual property rights covering the
Customer New Intellectual Property, then Supplier hereby irrevocably designates
and appoints Customer and its duly authorized officers and agents as Supplier’s
agent and attorney in fact, to act for and on Supplier’ s behalf and stead to
execute and file any such application, registration, filing or other instrument,
and to do all other lawfully permitted acts to further the prosecution and
issuance of such intellectual property rights, with the same legal force and
effect as if executed by Supplier.
 
40.10 General Intellectual Property Provisions.
 
aa Copyright Legends. The Parties agree to reproduce copyright legends which
appear on any portion of the Intellectual Property which may be owned by third
parties.
 
bb No Implied Licenses. Except as expressly specified in this Subcontract,
nothing in this Subcontract shall be deemed to grant to one Party, by
implication, estoppel or otherwise, license rights, ownership rights or any
other intellectual property rights in any Intellectual Property owned by the
other Party or any Affiliate of the other Party.
 
cc Residuals. Nothing in this Subcontract shall: (i) restrict either Party from
using ideas, concepts or know-how relating to the Supplier Services that are
retained in the memories of such Party’s employees or representatives after
performing the obligations of such Party under this Subcontract; or (ii)
preclude or limit Supplier from providing services and/or developing Software or
materials for itself or other clients, irrespective of the possible similarity
of such materials that might be delivered to Buyer under this Subcontract,
except to the extent that the exercise of any of the foregoing infringes upon a
patent or trademark of a Party or its Affiliates. Except as described above,
this Section 40.10 shall not be deemed to limit either Party’s obligations under
this Subcontract with respect to the disclosure or use of Confidential
Information.
 
43.0 Insurance.
 
43.1 Supplier shall, and shall cause Supplier Agents to, throughout the Term and
the Termination Assistance Period, maintain in full force and effect from a
third party that is rated “A” or “A-” in Best’s Insurance Guide, or otherwise
acceptable to Buyer, the following insurance coverage for its worldwide
operations:  
 
tt Supplier agrees to maintain a policy of workers’ compensation insurance (as
required by the applicable state statute) on its employees. Such policy shall
provide statutory limits and contain Employer’s Liability coverage in an amount
not less than $5,000,000 per occurrence. To the extent reasonably obtainable,
Supplier agrees to have its workers’ compensation insurance policy amended to
waive the insurors rights of subrogation against Buyer for recovery of claims
paid under Supplier’s policy.
 
uu Automobile liability covering all vehicles owned, non-owned, hired and leased
in an amount not less than $1,000,000.00 per claim (combined single limit for
bodily injury and property damage).
 
vv Commercial general liability insuring against bodily injury, property damage,
contractors’ completed operations and contractual liability (covering Supplier’s
indemnification obligations contained herein) with a combined single limit of
not less than $5,000,000.00 per claim.
 
ww Professional liability and errors and omissions insurance in an amount not
less than $5,000,000.00 per claim and in the aggregate.
 
xx Umbrella coverage (including commercial general liability coverage) of not
less than $20,000,000.00 over the coverages shown above.
 
yy Fidelity coverage in the amount of $5,000,000.00 to cover fraudulent or
dishonest acts by an employee of Supplier. Buyer shall be named as a loss payee
in respect to the Services performed for Buyer.
 
43.2 Inspection. Supplier shall allow Buyer or CIGNA or their representatives or
property insurance company representatives, at any time with reasonable advance
notice, to inspect, test or examine fire protection and security Equipment,
systems and procedures at the IBM or CIGNA Service Location.
 
43.3 Certificates. Supplier shall furnish Buyer with certificates of insurance
evidencing the above coverages and endeavoring to notify Buyer 30 days in
advance in writing of cancellation. Such certificates or policies shall be in a
form and underwritten by a carrier and/or placed through a broker satisfactory
to Buyer. Except for the Workers’ Compensation, Professional Liability and
Employer’s Liability policies, all policies of insurance shall name Buyer as an
additional insured where allowed by local country law. Each policy shall contain
a provision that no act or omission of Supplier shall affect or limit the
obligation of the insurer to pay Buyer the amount of any loss sustained.
Insurance carried on a claims made basis shall be carried for a 60 day after the
Term and the Termination Assistance Period to cover all claims.
 
43.4 Use of Proceeds. Proceeds received by Supplier from any claims under the
insurance policy referenced in this Article shall be used to rapidly affect
necessary repairs or replacement or to reimburse the affected CIGNA Entities.
 
43.5 Waiver of Subrogation. The insurance coverages under this Section 43 with
respect to premises liability and only for liability arising out of Supplier’s
negligence on such premises, shall be primary, and non-contributing with respect
to any other insurance or self insurance which may be maintained by Buyer.
 
43.6 Risk of Loss. Supplier shall be responsible for risk of loss of, and damage
to, Equipment, Software or other materials in its possession or under its
control , except to the extent such loss or damage is caused by Buyer or CIGNA.
 
Section 44.0 Further Assurances.
 
44.1 Each party agrees to execute documents and provide such information and
cooperation as reasonably requested by a party to effectuate the grant of rights
hereunder including any documents, information or cooperation reasonably
necessary to effectuate the intent of the parties herein.
 

 
 

--------------------------------------------------------------------------------

 





ACCEPTED AND AGREED TO:
 
ACCEPTED AND AGREED TO:
IBM
 
Chordiant Software, Inc.
By: /s/ Dan Reinhard
 
By: /s/ Kelly Hicks
Buyer Signature Date
September 28, 2006
 
Supplier Signature Date September 28, 2006
Dan Reinhard
 
Kelly Hicks
Printed Name
 
Printed Name
Procurement Solutions Advisor/ Client Services Procurement
 
VP, Worldwide Sales Operations
Title & Organization
 
Title & Organization
     
Buyer Address:
2455 South Road
Poughkeepsie, NY 12601
 
Supplier Address:
20400 Stevens Creek Blvd.
Cupertino, CA 95014
USA
 












 
 

--------------------------------------------------------------------------------

 

EXHIBIT 1 - Service Level Agreement
 


1.  INTRODUCTION
 
The Service Level Agreements defined in this schedule are associated with the
steady-state management of the Call Center Application.
 
1.1  The Service Levels set forth herein shall be effective upon production
implementation of the application.
 
1.2  The primary objective of Chordiant Product Support is to assist IBM in
maintaining and/or regaining an operational state by commercially reasonable
efforts. The secondary objective of Product Support is to provide in due course
the correction of any underlying Errors.
 
Chordiant shall make available to Customer Support in the form of access via
e-mail, web and telephone (telephone access during the Support Hours only) in
English to the Designated Contacts and/or via the support website for technical
information, technical advice and technical consultation regarding Customer’s
use of the Supported Software.


Product Support will include the following:


(a) Problem Prevention

1.  
Notification of availability of generally available patches and releases.



(b) Problem Identification

1.  
Clarification of Chordiant error messages,

2.  
Assistance in identifying and verifying the causes of suspected Errors, and;

3.  
Advice on bypassing identified Errors (providing workarounds) in the Supported
Software.



(c) Problem Resolution

1.  
Reporting and tracking product defects and enhancement requests,

2.  
Resolution of defects via workaround, maintenance release or in exceptional
circumstances emergency patches, and

3.  
Notification of status on issues, including escalation when required.



Resolution of Errors. Chordiant will endeavor to provide an initial response
acknowledging Errors reported by Customer in accordance with the priority levels
and response times set out in Schedule A. Chordiant will acknowledge each
Customer report of a case by written acknowledgment setting forth a Case Problem
Number for use by Customer and Chordiant in all correspondence relating to such
case. Thereafter, Chordiant shall use commercially reasonable efforts to provide
a Resolution.


Exceptions. Chordiant shall have no responsibility to fix any Errors arising out
of or related to the following causes:

a.  
any modifications or enhancements made by the Customer to the Software, unless
such modifications or enhancements are specifically approved in writing by
Chordiant Product Support; this includes but is not limited to;

- location of binaries
- scripts provided by Chordiant
- any application specific object (e.g., table, view, index, trigger)
- any application specific operating system permissions or role privileges

b.  
Any modification or combination of the Software (in whole or in part), including
without limitation any portions of the Software code or Source Code customized
by the customer that is not part of the unmodified Software delivered by
Chordiant or for which Chordiant has not received and acknowledged receipt of
the source code and agreed to Support.

c.  
Use of the Software in an environment other than a Supported Environment.

d.  
Accident; electrical or electromagnetic stress; neglect; misuse; failure or
fluctuation of electric power, failure of media not furnished by Chordiant;
operation of the Software with other media and hardware, software or
telecommunication equipment or software; or causes other than ordinary use.



2. IBM Responsibilities 


IBM agrees to:
(i) Provide Chordiant with remote access to the Supported Software during the
term of this Agreement via an electronic link; and
(ii) Provide any reasonable assistance that Chordiant may require from the
Designated Contacts and other appropriate Customer representatives (e.g. network
administrator, as the case may be) to enable Chordiant to provide IBM with
Support; and
(iii) Establish and maintain the conditions of the Supported Environment in
compliance with Chordiant Certified Matrix and Technical Stack developed for the
installed release or any environmental operating ranges specified by the
manufacturers of the components of the Designated Center. Any deviation from
this Supported Environment voids all Resolutions within the timeframe set forth
below unless agreed to by Chordiant in writing.


IBM agrees to designate two (2) appropriately qualified and trained personnel to
be the Designated Contacts, and only those individuals shall request Support
services. IBM agrees endeavor to adequately train and obtain “Chordiant
certification” for, and forward to Chordiant the names and contact details of
the Designated Support Contacts. IBM shall provide Chordiant with access to
IBM’s personnel and its equipment during Support Hours. This access must include
the ability to dial-in from Chordiant facilities to the equipment on which the
Supported Programs are operating and to obtain the same access to the equipment
as those of IBM’s employees having the highest privilege or clearance level.


IBM agrees to maintain procedures to facilitate reconstruction of any lost or
altered files, data or programs and IBM agrees that Chordiant will not be
responsible under any circumstances for any consequences arising from lost or
corrupted data, files or programs. IBM is solely responsible for carrying out
all necessary backup procedures for its own benefit, to ensure that data
integrity can be maintained in the event of loss of data for any reason and that
Customer programs can be restored.


IBM agrees to notify Chordiant Product Support promptly of any malfunction of
the Supported Software.


IBM agrees to provide Chordiant with access to and use of such of the Customer’s
information and facilities reasonably necessary to service the Supported
Software including, but not limited to, an accurate description of the
Designated Center and the current Supported Environment, the problem being
reported, the transactions and any error messages, along with screenshots and
log files.


IBM agrees to install the Current Release as soon as reasonably practicable, or
as stated in the CIGNA SLSA which requires IBM to stay current to N-2. If CIGNA
requires IBM to not maintain N-2 IBM will work with Chordiant to purchase
extended maintenance support and assess the impact to the SLA below in
accordance with the change control process.


 
Problem Management Requirements
 
Severity Level
Response
Escalation & Communication
Resolution
Severity 1
[*] mins
[*] hr during Business Hours
[*] hrs off-hours
[*] hours [*] % of the time
 
IBM must provide 24x7 contact information.
Severity 2
[*] Business Hour
[*] hrs during Business Hours
[*] hrs off-hours
[*] hours [*] % of the time
Severity 3
[*] business hrs
[*] business day
[*] days [*] % of the time
Measurement Process
See Text Below
Measurement Calculation
See Text Below
Measurement Frequency
-  Daily
-  Weekly
Monthly (current + 12 month rolling)
Service Level Weighting
TBD% for each severity category and response/escalation/resolution criteria
Measurement Period Start Date
Two weeks after the Implementation Date
Service Level Effective Date
The first day of the month following 30 days of measurement.
Continuous Improvement Applies
No
Scope of Requirements
These Program Management Requirements apply only to Chordiant Foundation as
originally delivered (including subsequently delivered Updates). These
Requirements shall not apply to any customizations, modifications or derivative
works of Chordiant Foundation.




4.  
Supplier will name an SLA Manager as initial contact person responsible for
assisting IBM with meeting Problem Management SLA’s during 8:30 AM to 5:30 PM
Eastern Time on Business Days. SLA Manager will provide 7 x 24 coverage model
and contact/name and numbers.

 

5.  
Once IBM identifies Chordiant Foundation as the cause of an outage, IBM will
notify SLA Manager who will provide Supplier staff to resolve product issues
based on the following:

 

a.  
Severity 1: Supplier provides staff to resolve problem on 7X24 basis until
resolution or IBM agrees problem is not caused by Supplier product.

 

b.  
Severity 2 and 3: Supplier provides staff to resolve problem on 5 X 8 basis
until resolution or IBM agrees problem is not caused by Supplier product.

 

6.  
If Supplier causes IBM to miss a CIGNA Service Level which causes IBM to pay a
Service Level Credit, Supplier will refund IBM the percentage of the Annual
Maintenance Charge set forth below during the following fiscal quarter:

 

a.  
Supplier’s monthly amount at risk is [*] % of the Annual Maintenance Charges
paid by IBM

 

b.  
Supplier’s penalty exposure will be limited to no more than one occurrence per
month.

 

c.  
IBM will have no more then one month from the end of the fiscal quarter of a
missed CIGNA Service Level to request that Supplier refund a percentage of the
Annual Maintenance Charge.

 



7.  
Root Cause Analysis. The Root Cause Analysis shall be completed for all Severity
1 issues and for other severity levels upon IBM’s request. If Supplier product
is identified as a contributor to a Severity 1 issue, Supplier SLA Manager will
participate in the Root Cause Analysis and assist IBM with documenting the
following:

 

§  
What happened?

§  
Why did it happen?

§  
What was done to correct the problem?

§  
What was the business impact?

§  
What's being done to prevent recurrence?



Supplier shall make commercially reasonable efforts to determine the exact root
cause for all Severity 1 issues. The root cause analysis shall be completed and
available to CIGNA within 5 business days after completion of a workaround or
fix.


Supplier shall perform a post evaluation for all Severity 1 issues. The post
evaluation shall determine if preventative measures can be enacted to avoid the
outage in the future. The post evaluation shall contain a detailed description
of the scope and scale of work, the estimated costs and estimated timeframe for
implementing the preventive measures.



8.  
DEFINITIONS

 

a.  
“Availability”: The aggregate number of hours in any month during which each
defined and supported system to be measured for the Service Level is actually
available, excluding Scheduled Hours of Operational Downtime.

 

b.  
“Business Days”: means Monday through Friday, excluding CIGNA designated
holidays during which time the Call Centers are not in operation.

 

c.  
“Business Hours”: shall mean (whether capitalized or not) the hours of operation
as defined on Eastern Time.

 

d.  
“CCA Application”: is defined as the desktop plus the call center interaction
history plus Chordiant Foundation.

 

e.  
Normal System Hours of Operation” shall mean 24 x 7 (excluding Scheduled
Maintenance and other mutually agreed periods).

 

f.  
“Prime Shift”: shall mean 06:00 to 22:00 Eastern Time on Business Days.

 

g.  
“Reporting Prime Shift” shall mean 07:00 to 22:00 Eastern Time on Business Days.

 

h.  
“Problem Resolution Hours of operation”: Unless specifically stated, Vendor
shall work to resolve reported or identified problems on the following work
schedule:

 

i.  
Severity 1: 7x24

 

ii.  
Severity 2, 3, 4: Monday through Friday, 7:00 AM to 6:00 PM local time excluding
CIGNA holidays, except in cases of Network Data where the operations is to be
staffed 24x7

 

iii.  
Service Requests: Monday through Friday, 8:00 AM to 5:00 PM local time excluding
CIGNA holidays

 

i.  
“Resolve or Resolution”: To correct an Incident or Problem for which Supplier is
responsible with either a permanent solution or an interim work around solution.
Supplier may, with IBM’s approval, defer the implementation of a Resolution to a
mutually agreed time (e.g. implementation of a new software fix or release)
beyond the Service Level Agreement.

 

j.  
Severity Definitions

 
Severity Level
Definition
Severity 1 (Highest Impact)
 
Service impacts to an ENTIRE facility, business unit, or system
• A critical system service or critical path process, or an entire network or
application is disrupted and is impacting the business.
• Timely resolution is essential to minimize financial loss or missed sales.
• An entire business unit is down or a network or major system is down and is
impacting the business.
• When a problem occurs that has the potential for impacting a process or
business function at a later time, and requires immediate resolution and/or
assistance from another support group.
Severity 2 (High Impact)
 
Service impact to a PORTION of a business unit, or facility;
 
Or Entire team/business unit is missing a PORTION of a critical component or
application
• A system service, network, or application is available, but with severe
restrictions that impact the ability of a portion of a business unit to complete
their work.
• Bypass or work-around is available, and work is continuing with significant
inconvenience.
• Timely resolution is essential to avoid financial loss or missed sales.
• When a problem occurs that has the potential for impacting a process or
business function at a later time, and requires immediate resolution and/or
assistance from another group.
Severity 3
 
(Moderate Impact) An INDIVIDUAL or small group of individuals is unable to
perform job functions.
• Unable to perform non-critical business functions.
• No significant impact to revenue or sales.
Severity 4 (Low Impact)
 
An INDIVIDUAL is able to perform job functions with a work around or some minor
inconvenience.
• Problem has a low business impact, if any.
• A minor impact to an individual.





 



 
 

--------------------------------------------------------------------------------

 

EXHIBIT 2


On Premises Guidelines
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or
Buyer’s Customer’s premises will comply with this Section.


2.1 Access to Premises
For Supplier Personnel assigned to work on Buyer’s or Buyer’s Customer’s
premises, Supplier will:

1.  
to the extent permitted by local law, conduct a preemployment criminal
background check, which must be completed prior to placement at Buyer’s or
Buyer’s Customer’s premises, covering the counties in which the person was
employed or resided for the past seven years (or longer as required by State
legislation), and inform Buyer of any negative findings;

2.  
maintain a current and complete list of the persons' names and social security
numbers;

3.  
obtain for each person a valid identification badge from Buyer and ensure that
it is displayed in order to gain access to and at all times while on Buyer’s
premises (it is Buyer's policy to deactivate any such badge if not used for one
month);

4.  
maintain a signed acknowledgment that each person will comply with Buyer’s On
Premises Guidelines;

5.  
ensure that each person with regular access to Buyer's and Buyer’s Customer’s
premises complies with all parking restrictions and with vehicle registration
requirements if any;

6.  
inform Buyer if a former employee of Buyer will be assigned work under this
Agreement, such assignment subject to Buyer approval;

7.  
at Buyer's request, remove a person from Buyer’s or Buyer’s Customer’s premises
and not reassign such person to work on Buyer's or Buyer’s Customer’s premises
(Buyer is not required to provide a reason for such request); and

8.  
notify Buyer immediately upon completion or termination of any assignment and
return Buyer’s identification badge. Upon Buyer’s request, Supplier will provide
documentation to verify compliance with this Subsection.



2.2 General Business Activity Restrictions
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or
Buyer’s Customer’s premises:

1.  
will not conduct any non-Buyer related business activities (such as interviews,
hirings, dismissals or personal solicitations) on Buyer's or Buyer’s Customer’s
premises;

2.  
will not conduct Supplier's Personnel training on Buyer’s or Buyer’s Customer’s
premises, except for on-the-job training;

3.  
will not attempt to participate in Buyer or Customer benefit plans or
activities;

4.  
will not send or receive mail unrelated to Buyer or Customer through Buyer's or
Customer’s mail systems; and

5.  
will not sell, advertise or market any products or distribute printed, written
or graphic materials on Buyer's or Buyer’s Customer’s premises without Buyer's
written permission.



2.3 Buyer’s Safety and Security Guidelines
Supplier will ensure that Supplier Personnel assigned to work on Buyer’s or
Buyer’s Customer’s premises:

1.  
do not bring weapons of any kind onto Buyer's or Buyer’s Customer’s premises;

2.  
do not manufacture, sell, distribute, possess, use or be under the influence of
controlled substances (for nonmedical reasons) or alcoholic beverages while on
Buyer's or Buyer’s Customer’s premises;

3.  
do not have in their possession hazardous materials of any kind on Buyer's or
Buyer’s Customer’s premises without Buyer's authorization;

4.  
acknowledge that all persons, property, and vehicles entering or leaving Buyer's
or Buyer’s Customer’s premises are subject to search; and

5.  
remain in authorized areas only (limited to the work locations, cafeterias, rest
rooms and, in the event of a medical emergency, Buyer's or Buyer’s Customer’s
medical facilities). Supplier will promptly notify Buyer of any accident or
security incidents involving loss of or misuse or damage to Buyer's or Buyer’s
Customer’s intellectual or physical assets, physical altercations, assaults, or
harassment and will provide Buyer with a copy of any accident or incident report
involving the

6.  
above. Supplier must coordinate with Buyer or Buyer’s Customer access to Buyer’s
or Buyer’s Customer’s premises during non-regular working hours.



2.4 Asset Control
In the event Supplier Personnel have access to information, information assets,
supplies or other property, including property owned by third parties but
provided to Supplier Personnel by Buyer ("Buyer Assets"), Supplier Personnel:

1.  
will not remove Buyer Assets from Buyer's or Buyer’s Customer’s premises without
Buyer's authorization;

2.  
will use Buyer Assets only for purposes of this Agreement and reimburse Buyer
for any unauthorized use;

3.  
will only connect with, interact with or use programs, tools or routines that
Buyer agrees are needed to provide Services;

4.  
will not share or disclose user identifiers, passwords, cipher keys or computer
dial port telephone numbers; and

5.  
in the event the Buyer Assets are confidential, will not copy, disclose or leave
such assets unsecured or unattended. Buyer may periodically audit Supplier's
data residing on Buyer's information assets.

2.5 Supervision of Supplier's Personnel
Supplier will provide continual supervision of its Personnel provided under this
Agreement, at no additional cost to Buyer. Supplier's supervisor shall have full
supervisory authority over all day-to-day employment relationship decisions
relating to Supplier’s Personnel, including those decisions relating to: wages,
hours, terms and conditions of employment, hiring, discipline, performance
evaluations, termination, counseling and scheduling. Supplier's supervisors
responsible for each work location will be responsible to know that work
location’s planned holiday (and other closing) schedules and the impacts that
all such schedules have on Supplier's Personnel. Supplier will conduct
orientation sessions with its Personnel before placement on an assignment with
Buyer, during which orientation such Personnel will be told the identity and
contact information of their supervisor. Supplier will, from time to time,
ensure that all of its Personnel working under this Agreement continue to be
aware of this information.Electronic Funds Transfer
Certificate of Originality



 
 

--------------------------------------------------------------------------------

 

EXHIBIT 3 Service Locations


IBM/CIGNA Service Locations: The following locations are identified as
authorized IBM/CIGNA service locations.




CIGNA Service Locations for CCA
 
Site Address
[*]
[*]
[*]






 
 

--------------------------------------------------------------------------------

 

EXHIBIT 4 - Permitted Subcontractors


Ness


[*]


[*]


 
  
 
 
  
 
 

--------------------------------------------------------------------------------

 
 
 
  
 
 
  
 
 
  
 
 
  EXHIBIT 4-C
 
 


 
 
  Security and Data Safeguards
 
 
  
 


               





 
 

--------------------------------------------------------------------------------

 



 
  Exhibit 4-C
 
 
  Security and Data Safeguards
 

 
 
Introduction
 
 
Vendor shall provide security controls and safeguards, and shall follow security
procedures, at all Vendor Service Locations and in connection with all Systems
and Services (whether dedicated or shared) that at a minimum comply with the
requirements set forth in this Exhibit 4-C and the General CIGNA Policies set
forth in Exhibit 4-C-1, as such requirements are more specifically defined in
the Detailed CIGNA Policies set forth in Exhibit 4-C-2, unless, with respect to
a specific SOW, different or additional requirements are set forth in such SOW.
In the event that the specific security requirements are not set forth in the
Detailed CIGNA Policies, then the Parties shall use this Exhibit 4-C and the
General CIGNA Policies to establish Vendor’s obligations.
 
 


 
 
CIGNA may update the ISCD from time to time upon notice to Vendor and, subject
to the Change Control Procedure, Vendor shall implement and comply with the
updated ISCD, subject to the following:
 
 


 
 
1. In a dedicated or shared environment, Vendor shall bear the cost of any
changes that are any one or more of the following:
 
 
 
 
 
(a) evolutionary changes related to security specific issues, such as upgrades,
new releases and versions of existing technology or safeguards (e.g., updating
anti-virus software, security patches);
 
 


 
 
(b) changes that are a direct result of changes mandated by Vendor regulation or
Vendor Law; and
 
 


 
 
(c) changes consistent with generally accepted changes made by other companies
in the healthcare industry: (i) if implemented by Vendor and given to its
customers at no additional charge or; (ii) which changes shall be chargeable to
CIGNA; provided, however, such charge shall be: (A) equitably reduced to reflect
any leverage that Vendor may gain by providing such changes to multiple Vendor
customers in the healthcare industry; and (B) paid from monies extracted from a
fund that CIGNA shall, as of the MSA Effective Date, establish, fund and govern
and which Vendor shall manage (the “Security Mitigation Fund”). Any such changes
will be discussed by the Parties and made pursuant to the Change Control
Procedure.
 
 


 
 
2.  In the event that CIGNA makes a change to the ISCD that would require Vendor
to make a change to a shared environment and such change is unique to CIGNA (and
not generally implemented by other companies), then Vendor shall: (a) provide a
proposal to CIGNA identifying the costs and implications of the change, and upon
CIGNA approval, make the change, or (b) upon notice to CIGNA, not make the
change but advise CIGNA of the costs of moving to a dedicated environment, or
(c) if CIGNA does not wish to move to a dedicated environment, Vendor shall
provide a proposal to identify the costs to implement safeguards and practices
that mitigate CIGNA’s security concerns, and upon approval by CIGNA, implement
such safeguards and practices. 
 
 


 
 
3. Vendor shall obtain CIGNA’s review and comment prior to the implementation of
any changes in a shared environment that would materially degrade the level of
security safeguards and practices provided to CIGNA. If Vendor were to implement
any change that materially degrades the level of security safeguards and
practices provided to CIGNA, Vendor will reverse such change and continue to
provide Services in accordance with applicable Service Levels. Vendor may
propose, however, for CIGNA’s review and approval, alternatives which would not
require the reversal of such change, but shall allow Vendor to continue to
provide Services in accordance with applicable Service Levels. If CIGNA does not
approve any alternative, Vendor shall reverse the change and continue to provide
Services in accordance with the Service Levels. Except as provided in paragraph
2 above, the costs of all changes in a shared environment shall be borne by
Vendor.
 
 


 
 
Definitions
 
 
“External User” shall mean any user that is a CIGNA customer that accesses
CIGNA’s systems .
 
 
“Information Security Controls Document or “ISCD” shall mean this Exhibit and
the General CIGNA Policies Exhibit 4-C-1) and Detailed CIGNA Policies (Exhibit
4-C-2), unless, with respect to a specific SOW, different or additional
requirements that are set forth in such SOW. The Information Security Controls
Document shall be deemed CIGNA’s Confidential Information under the Agreement.
 
 
“Vendor Network” shall mean the system under Vendor’s or Vendor agents’ control
that transmits any data, voice and/or video alone or in combination or is
otherwise used to provide the Services, either within Vendor or between Vendor
and CIGNA, including the network operating system in the Vendor client and
server machines, the cables connecting them and all supporting hardware
including without limitation bridges, routers and switches.
 
 
“CIGNA Network” shall mean the system under CIGNA’s or its contractor’s control
that transmits any data, voice and/or video alone or in combination that are
within the scope of the Services, either within CIGNA or between CIGNA and the
Vendor Controlled Router as defined in Schedule K (Business Continuity) of the
applicable Statement of Work, including the network operating system in the
CIGNA client and server machines, the cables connecting them and all supporting
hardware including without limitation bridges, routers and switches.
 
 
“Remediate” shall mean to alleviate the security issues so that they are no
longer a threat (and if not feasible to completely remove the threat, to
minimize the threat to a level acceptable to CIGNA, with CIGNA using reasonable
discretion), however, it shall not mean alleviating the effects resulting from
the security issue.
 
 


 
 
Capitalized terms used herein without specific definition shall have the
respective meanings given to them in the Agreement.
 


3. CIGNA Data


3.1 Data Safeguards.


3.1.1 Vendor shall establish and maintain safeguards against the destruction,
loss, or alteration of CIGNA Data in the possession of, used or viewed by Vendor
that are no less rigorous than those set forth in the ISCD. If the ISCD does not
cover certain security control, safeguards or procedures, then Vendor shall
implement, comply with and follow controls, safeguards and procedures that are
consistent with current generally accepted controls, safeguards and procedures
in the healthcare industry. Vendor personnel shall not attempt to access, and
shall not allow access to, CIGNA Data to which it is not entitled or that is not
required for the performance of the Services by Vendor personnel. Vendor shall
institute systems security measures to guard against the unauthorized access,
alteration, destruction or loss of CIGNA Data.


3.1.2 Vendor shall Remediate and resolve security issues, at Vendor’s expense
(provided it shall be at CIGNA’s expense if and to the extent the issue was
caused by CIGNA (i.e., CIGNA is at fault)), identified at Vendor Service
Locations or in connection with the Systems or Services located at Vendor
Service Locations or managed or controlled by Vendor. This extends to any CIGNA
approved Service Locations contracted by Vendor. As part of the Services and at
a minimum on an annual basis, Vendor shall (at CIGNA’s request and at Vendor’s
cost, except as provided in clause (y) immediately below), provide a report
regarding security controls across all of the Services, such report to be
carried out by an independent third party appointed by Vendor and approved by
CIGNA. The scope of work performed by such third party: (a) shall be valued at
the lesser of: (i) Vendor’s actual, out-of-pocket costs to contract for the
performance of such work; and (ii) $75,000; provided, however, that: (x) if
Vendor’s actual, out-of-pocket cost on an annual basis is less than $75,000,
CIGNA shall receive a credit for the difference between such cost and $75,000;
and (y) if the Parties mutually agree to scope(s) of work valued in the
aggregate at an amount greater than $75,000, CIGNA shall be financially
responsible for the difference between such greater amount and $75,000; and (b)
shall measure (through identification and testing of controls) against the
Information Security Control Document and the terms of the report shall be
determined by Vendor.. If CIGNA is dissatisfied by such reports, CIGNA may, at
any time, but no more than twice in any consecutive 12 calendar months, carry
out or have carried out a security audit of the Services at CIGNA’s cost, the
scope and terms of the report to be agreed between the Parties and upon Vendor
receiving appropriate assurances that any of the Vendor Confidential Information
shall not be compromised. CIGNA's ability to perform security audits shall not
be limited by CIGNA business processing that occurs on non-dedicated (i.e.
shared) vendor devices, or by work areas that are not dedicated and isolated to
CIGNA business.
 
3.1.3 Vendor shall deploy a network and host-based, real-time intrusion
detection system and vulnerability assessment process that is consistent with
the ISCD. Vendor shall actively monitor these systems and processes for
activities that indicate attempts at breaking the security of the services
provided and follow notification procedures identified in the Security Incident
Service Level set forth in the applicable Statement of Work or Exhibit 2,if any,
of the MSA. Along with the deployment of these controls, Vendor shall adopt and
follow Vendor’s operational procedures ( or as otherwise agreed to and described
in the procedures manual) to disable the source of any perceived attack,
Remediate vulnerabilities and escalate to Vendor and CIGNA security groups for
follow-up action. For purposes of clarity, “vulnerability assessment process”
means a process that tests for known vulnerabilities and produces an evaluation
of findings against such vulnerabilities.


3.1.4 CIGNA reserves the right to review Vendor’s policies and procedures used
to maintain the security and confidentiality of personal information, including
auditing Vendor concerning such policies and procedures.


3.1.5 Vendor must maintain security controls that have been attested to CIGNA in
CIGNA’s Service Provider questionnaires and/or during CIGNA standard Service
Provider audits to the level as attested. Vendor must report any changes to the
control environment immediately to CIGNA.


3.1.6  Design, implementation and integration of all Services shall be
consistent with the Information Security Control Document, unless otherwise set
forth in the applicable SOW. Connectivity and infrastructure used to provide
access to CIGNA systems and/or CIGNA data must meet applicable security controls
(encryption, access controls, etc) as defined in the Information Security
Controls Document.


3.1.6.1. Design, (All) User Access. Password composition and management policies
must comply with or exceed those in the Information Securities Control Document.



·  
Role Based Access Controls (RBAC) authorization models must be utilized for
access to information resources as documented in the Information Securities
Control Document.




·  
Ongoing administration and lifecycle management must be in accordance with the
Information Security Control Document.



3.1.6.2. Design, Internal User Access.

·  
Reasonable effort shall be made to integrate with CIGNA internal authentication
and authorization mechanisms. Integration with CIGNA's Enterprise Security
Framework is required (TIM/TAM/FIM), where those services can be reasonably
expected to fill architecture requirements



3.1.6.3 Design, External User Access.
 

·  
All external users must be provided with a one time ID and ‘PIN’ for initial
access authentication and authorization; for which the PIN is randomly generated
and sent via out-of-band mechanisms such as U.S./International mail
(communication via E-mail is NOT an accepted method).

 

·  
Support requirements for browsers that support 128 bit encryption in
communications to CIGNA end-users.

 
3.1.6.4 Virtualization, Co-location.



·  
Data repositories used to store user information must not be hosted on shared
systems that do not meet the requirements of the Information Security Controls
Document.



3.1.6.5 Off - Shore Information Protection.


The following agreements augment but do not exclude other provisions in the MSA
or a SOW:



·  
Vendor shall not store any CIGNA data classified by CIGNA as Restricted or
Highly Sensitive outside of the continental United States except as outlined in
the Information Security Controls Document. In support of the Vendor Service
Locations outside the United States, Vendor shall ensure the following controls
implemented:



(a) If offshore facility is NOT controlled by Vendor, and employees in the
facility are NOT employed by Vendor, then the Vendor shall provide a physically
isolated, network isolated area for customer service representatives (CSR)
handling CIGNA calls;


(b) CIGNA provided and CIGNA managed desktop lockdown software (currently
Verdasys Digital Guardian) shall be installed on all Vendor PC’s accessing CIGNA
data classified by CIGNA as Restricted or Highly Sensitive. The software policy
shall be managed by CIGNA or it’s vendor, and shall be configured to monitor
and/or restrict a workstation user’s ability to move, print or upload CIGNA
information.


(c) Vendor CSR’s servicing CIGNA shall perform their duties only from within the
approved vendor facility,
 
(d) Workstation IDs , antivirus, and personal firewalls must be deployed,
managed, and actively audited as outlined in the Information Security Controls
Document;


(e) User level audit logging of CIGNA/CSR activity must be enabled, and
available to CIGNA upon request. Retention periods must meet CIP policy (90 day
raw logs, 6 year incident/activity reporting). Audit logging shall be performed
for those activities specified in the Information Security Controls Document.


3.2 Backup Security. CIGNA shall have the right to establish additional Data
backups (as a supplement to any of Vendor’s obligations under a SOW) for any
Data and to keep backup copies of this Data in CIGNA’s possession. Should CIGNA
choose to exercise its rights under this Section 3.2, related expenses shall be
borne by CIGNA.


3.3 Media. No media on which CIGNA Data is stored may be used or re-used to
store data of any other customer of Vendor or to deliver data to a third party,
including another Vendor customer, unless Vendor first implements procedures
described in the Detailed CIGNA Policies.


3.4 Breach of Security. In the event Vendor or Vendor Agents discovers or is
notified of a breach or potential breach of security controls relating to the
CIGNA Data, Systems or Infrastructure under Vendor’s or Vendor Agent’s control,
Vendor shall immediately (a) notify the CIGNA Engagement Manager and CIGNA
Security Incident Response Team (CSIRT) of such breach or potential breach and
(b) if the applicable CIGNA Data was in the possession of Vendor or Vendor
Agents at the time of such breach or potential breach, Vendor shall (i)
investigate and Remediate the breach or potential breach and (ii) provide CIGNA
with assurance satisfactory to CIGNA that such breach or potential breach shall
not recur.


 
 
4.0 Security Management
 
 
Vendor shall:
 
 
provide an Vendor Information Security Advisor (or ISA) as focal point with
responsibility for day-to-day security management who is a security subject
matter expert;
 
 
in conjunction with CIGNA, review security policies and procedures that impact
the Vendor software and vendor equipment for effectiveness, and recommend
improvements, including control improvements;
 
 
review changes requested by CIGNA to its security policies and standards and
advise CIGNA whether or not such changes can be implemented, if Vendor does not
implement the changes requested by CIGNA, Vendor shall implement mitigating
controls approved by CIGNA, and such change shall be handled in accordance with
the Change Control Procedures;
 
 
communicate the security procedures to Vendor Personnel accessing CIGNA
applications and/or network (for example, login procedures, password
requirements, use of anti virus programs, and data and equipment security
procedures); and
 
 
notify CIGNA of any condition discovered or known by Vendor that is likely to
affect negatively the confidentiality, integrity, or availability of CIGNA’s
information, CIGNA’s ability to use an Vendor provided application or Vendor’s
ability to access CIGNA data.
 
 
CIGNA shall:
 
 
provide a CIGNA security subject matter expert focal point individual with
responsibility for day-to-day security management;
 
 
communicate the security procedures to CIGNA end users (for example, login
procedures, password requirements, use of anti virus programs, data and
equipment security procedures);
 
 
in conjunction with Vendor, review security policies and procedures for
effectiveness and recommend improvements; and
 
 
notify Vendor of changes CIGNA plans to make to its security policies and
standards and the changes to be implemented by Vendor.
 


 
 
5.0 Physical Security
 
 
Vendor shall, to the level or standard specified in the Information Security
Controls Document:
 
 
provide physical security controls at Vendor Service Locations;
 
 
restrict access to data processing areas for which Vendor has security
responsibility to authorized personnel only as defined in the Information
Security Controls Document;
 
 
conduct periodic reviews of the data processing areas for which Vendor has
security responsibility including reviews of access logs for unusual occurrences
and perform follow-up activities in accordance with the procedures specified in
the Information Security Controls Document;
 
 
protect Vendor Network devices on Vendor's premises from any unauthorized
access;
 
 
protect printed output from unauthorized access or removal while under Vendor's
control;
 
 
provide secure storage for removable storage media under Vendor's control;
 
 
resolve discrepancies discovered during the annual removable storage media audit
and inform and obtain acceptance from CIGNA on the resolution;
 
 
implement controls as set forth in the ISCD (and if not set forth therein
consistent with current generally accepted practices in the healthcare industry)
that are designed to eliminate residual information on removable storage media
before disposal or reuse outside of CIGNA;
 
 
during the Transition Period, with CIGNA's assistance, perform a baseline
inventory of removable storage media (for example, tapes, disks) for which
Vendor has security responsibility.
 
 
CIGNA shall protect LAN servers and infrastructure devices on CIGNA premises
from unauthorized physical access.
 
 


 
 
6.0 Network Infrastructure Security
 
 
Vendor shall for equipment under its control:
 
 
control the network operating system security and administrative user IDs;
 
 
provide and maintain current virus avoidance, detection, and elimination
software for supported servers in conjunction with the ISCD standards utilizing
Vendor approved packages. Virus protection software shall have an automated
mechanism for updating the virus definitions, implementing current definitions
within 8 hours of issuance by vendor (unless security risk mandates faster
deployment);
 
 
perform audits of media (for example, diskettes) and Vendor End User equipment
potentially affected by a virus;
 
 
monitor virus protection software alerts, follow notification procedures
identified in the Security Incident Service Level set forth in the applicable
Statement of Work or Exhibit 2, if any, of the MSA, respond to virus attacks and
initiate corrective action to eradicate viruses as detected; and
 
 
remove and/or render inoperable unneeded services.
 
 


 
 
7.0 Data Network
 
 
Vendor shall:
 
 
use Change Control Procedures to control changes to Vendor managed devices used
to connect the Vendor network to the CIGNA network. Changes to hardware and/or
software must be planned in advance, communicated to CIGNA in advance, and
thoroughly tested before being placed into production. Back-out and restoration
must be part of the plan and sufficient time must be allocated for restoration
to be accomplished;
 
 
validate that access to CIGNA systems is limited to authorized Vendor Personnel,
including Vendor agents CIGNA approved Subcontractors, utilizing security
controls as described in the Information Security Controls Document;
 
 
encrypt traffic traveling across the Vendor network to CIGNA (and visa versa)
network as specified in the Information Security Controls Document
 
 
CIGNA shall provide security to only allow authorized users to access services
hosted at Vendor Service Locations.
 

 
 

--------------------------------------------------------------------------------

 

EXHIBIT 4-C-1
 
GENERAL CIGNA POLICIES
 
Vendor shall perform an annual risk assessment across all Services under the MSA
intended to identify information resources that require protection. Assessment
shall be based upon a mutually agreeable assessment plan, to understand and
document risks from security failures that may cause loss of confidentiality,
integrity, or availability. Risk assessments shall document the potential
adverse impact to CIGNA's operations, and assets. This risk assessment shall be
conducted by a team composed of appropriate representatives from Vendor and
CIGNA and other personnel associated with the activities subject to assessment.
Vendor shall identify resolutions to address issues or risks identified from
this assessment within a reasonable timeframe and Vendor shall prepare a
proposal in accordance with the Change Control Procedure to Remediate such
issues or risks; provided, however, that if the assessment reveals required
Remediation due to Vendor nonperformance of its obligations under Exhibit 4-C or
the MSA, then such Remediation shall be at Vendor’s expense. The Parties will
work together in good faith to approve and implement the proposal prior to any
regulatory or legally mandated deadlines.  
 
The sensitivity of a resource, and therefore the level of security controls
required, depends upon the sensitivity of the data retained by or accessible
through the information resource, as defined in the Detailed CIGNA Policies.
CIGNA, as the data owner is the authority on any data classification assignments
and the approver for access.


Vendor shall utilize the procedures described in the ISCD (whether or not
included in the Procedures Manual) to ensure that the release of data is to only
authorized users and is accompanied with proper instructions regarding
appropriate use, protection, disposal and removal from premise.


Any CIGNA information classified as proprietary, restricted, or highly sensitive
is to be isolated at rest from any other customer’s data. This information is
required to be encrypted if the information can be accessed by Parties not
working on the CIGNA account as set forth in the Detailed CIGNA Policies. All
tape backups must contain only CIGNA information. Tapes and tape backups
transported from Vendor Service Locations or located at sites other than Vendor
Service Locations must be encrypted. All other storage media must maintain an
isolation of CIGNA's information from other customer’s information and/or
access, including portable media


CIGNA retains all rights to audit facilities, applications, systems and
transports where CIGNA information resides or is transported. Audit times and
frequency are at the discretion of CIGNA. Entry and exit logs to facilities that
have CIGNA information classified as proprietary, restricted, or highly
sensitive must be made available on request.


All privileged access to CIGNA information must be logged and reviewed on a
quarterly basis. This would include, but not limited to, all DBA, System
Administrator and support personnel access to information. All logs so generated
are to be protected to ensure integrity and non-repudiation.


All external facing systems containing CIGNA information are required to pass
quarterly penetration testing by third party. All internal systems are required
to pass a vulnerability scan quarterly. Vendor will perform necessary measures
to address non-compliance or vulerability issues (e.g., resulting from scans)
and follow notification procedures identified in the Security
Compliance/Vulnerabilty Issue Service Level set forth in the applicable
Statement of Work or Exhibit 2, if any, of the MSA.


All security software used by vendor must stay within the software vendor’s
definition of currently supported software with all relevant security patches
applied.


With the exception of virus protection software, Vendor will implement current
signatures/rules for security components within 2 weeks of issuance by security
component vendor (unless security risk mandates faster deployment).


Vendor will consider failure of any security hardware or software component
(e.g., network intrusion detection failure, virus protection software stoppage,
etc.) as a high (Severity 1) alert and follow notification procedures identified
in the Security Incident Service Level set forth in the applicable Statement of
Work or Exhibit 2, if any, of the MSA.


Vendor will support mechanism for CIGNA to access alert data (e.g., from virus
protection, intrusion detection, etc.) at near real time.


Any remote access via either a shared or public network to a device processing
CIGNA information requires a dual factor authentication method.


Vendor shall notify and CIGNA must approve all infrastructure and facility
changes that impact CIGNA's risk profile including: moving to new facility or
changing network configuration.


All systems and designs must implement a Role Based Access Control (RBAC)
authorization model that leverages CIGNA definitions and roles where possible.
This would include fine grain authorization within the application. This
information must be kept current and available in documented form for review
and/or audit.


All Design must include, test and validate safeguards addressing the following
data protections:

·  
Controls to support necessary access requirement

·  
Protection of data in transit and at rest

·  
Mechanisms and methods to audit systems and configurations

·  
Leverage CIGNA current security framework such as TAM, TIM, and FIM.

·  
Mutual authentication with authorization between application components



Vendor must ensure data protection follows a “Defense in Depth” philosophy.
Security services which provide optimal Availability, Confidentiality, Integrity
and Non-Repudiation should be implemented based upon agreed upon risk evaluation


Only production equipment shall run in the production environment. Test,
development, staging, and training must be physically or virtually separated
(segmented) from the production environment. The production environment must be
monitored to insure only Production systems are in the Production environment.


Vendor shall not use production data (real data) outside of the production
environment.


Vendor sites/locations must pass a CIGNA External Service Provider review before
hosting or processing CIGNA information.


All system designs must be documented with security controls identified. These
designs must pass CIP approval before construction.

 
 

--------------------------------------------------------------------------------

 



 


 


 


 
EXHIBIT 10
 












Form Non-Disclosure and Assignment Agreement


 
 

--------------------------------------------------------------------------------

 

EXHIBIT 10


Form Non-Disclosure and Assignment Agreement


 
THIS NON-DISCLOSURE AND ASSIGNMENT AGREEMENT (this “Agreement”), dated as of
this ____ day of ____________, 200__, is entered into by and between Chordiant
Software, Inc. (“Chordiant”) and [insert Chordiant employee or contractor full
name]
 


 
 
W I T N E S S E T H:
 
 
WHEREAS, my full name is [insert Chordiant employee or contractor full name] and
I am employed by or acting as a consultant to Chordiant;
 
 
WHEREAS, IBM provides certain services (the “Services”) to Connecticut General
Life Insurance Company, its affiliates and certain other entities designated by
Connecticut General Life Insurance Company (collectively, “CIGNA”) under that
certain Master Services Agreement by and between CIGNA and IBM, dated as of
September 28, 2006 (the “MSA”);
 
 
WHEREAS, Chordiant provides certain services to IBM under that certain Statement
of Work by and between Chordiant and IBM dated as of September 28, 2006 (the
“SOW”) on behalf of CIGNA;
 
 
WHEREAS, Chordiant provides licenses and rights to CIGNA pursuant to a certain
agreement between Chordiant and CIGNA dated as of September 28, 2006 (the “CIGNA
Agreement”);
 
 
WHEREAS, CIGNA possesses certain Confidential Information (as defined below)
relating to its business processes, products and technology;
 
 
WHEREAS, I understand and agree that I will have access to such Confidential
Information during my [employment] [consultancy] with Chordiant; and
 
 
NOW THEREFORE, in consideration for and as a condition to my assignment to the
CIGNA account, I agree to be bound by the terms set forth herein.
 


 

1.  
Definition of Confidential Information. As used herein, “Confidential
Information” shall mean any and all materials, information, processes,
methodologies, tools, software programs, code, intellectual property and other
data, technical or non-technical, whether written, electronic, graphic or oral,
furnished or disclosed by CIGNA or on CIGNA’s behalf to you (by IBM or
otherwise), either directly or indirectly, with the exception only of the
following: (a) information that is now in the public domain or subsequently
enters the public domain through no fault or act of the receiving party; (b)
information that is presently known or becomes known to the receiving party from
its own independent source as evidenced by the receiving party; (c) information
that the receiving party receives from any third party not under any obligation
to CIGNA to keep such information confidential; (d) information that is
independently developed by the receiving party as proven by the receiving
party’s written records; and (e) as otherwise allowed in the SOW and the MSA.

 

2.  
Non-Disclosure Obligations. I hereby understand and agree:

 

(a)  
To use the same care and discretion to avoid disclosure, publication or
dissemination of Confidential Information as I use with respect to Chordiant’s
own similar information that it does not wish to disclose, publish or
disseminate and use Confidential Information solely to the extent required to
fulfill Chordiant’s obligations under the SOW and IBM’s obligations or exercise
IBM’s rights under the MSA.

 

(b)  
Not to deliver to or disclose or otherwise make available to anyone any
Confidential Information except as authorized in the SOW and the MSA.

 

(c)  
Except as otherwise expressly stated in this Agreement, not to disclose the
existence of this Agreement, any of the activities which may take place pursuant
to this Agreement, the relationship formed, if any, under this Agreement or the
other party’s interest in the subject matter to which this Agreement relates, to
anyone except those employees of Chordiant, CIGNA and IBM with a need to know
unless authorized in the SOW and the MSA.

 

(d)  
That Confidential Information delivered by CIGNA (or by IBM, on CIGNA’s behalf),
and all copyright, patent, and other proprietary rights therein, shall remain
property of CIGNA or its direct and indirect subsidiaries and affiliates, as the
case may be, at all times.

 

(e)  
Nothing contained herein shall be construed as: (i) granting to me any right,
title or interest in or to, or any license under, any patent or patent
application, now or subsequently owned by CIGNA or IBM or their respective
designees; and (ii) granting to me any right, title or interest in or to, or any
license under Confidential Information provided by CIGNA (or by IBM, on CIGNA’s
behalf).

 

(f)  
Upon Chordiant’s completion of Services to IBM and CIGNA, or IBM’s completion of
Services to CIGNA, or upon CIGNA or IBM’s earlier request: (i) I shall
immediately cease using the Confidential Information; and (ii) return
Confidential Information (including all copies and summaries thereof) to CIGNA
(or IBM, on CIGNA’s behalf), or, at the CIGNA’s option, destroy the same
promptly after a written or oral demand. Upon CIGNA or IBM’s request, I shall
certify to the requesting party in writing that I have complied with my
obligations under this paragraph.

 

3.  
Assignment Obligations. I hereby understand and agree:

 

(a)  
That during the course of my employment, I may work on and be a part of the
development of technology, processes, methodologies, and other work product for
CIGNA (or IBM, on CIGNA’s behalf). In accordance with the provisions of the SOW
and the CIGNA Agreement, I hereby assign to Chordiant any technology, processes,
methodologies, and other work product developed by me and such technology,
processes, methodologies, and other work product which shall become the sole and
absolute property of Chordiant to enable Chordiant to meet its obligations under
the SOW and the CIGNA Agreement and for IBM to meet its obligations to CIGNA
under the MSA.

 

(b)  
That any and all inventions, improvements, discoveries, technologies, processes,
methodologies, and other work product developed or discovered by me as a result
[of my employment at] [or consultancy with] Chordiant shall be fully disclosed
to Chordiant (or IBM, on CIGNA’s behalf, as required by the MSA), and in
accordance with the provisions of the SOW I hereby assign the same to Chordiant,
CIGNA and IBM, respectively, and the same shall become the sole and absolute
property of Chordiant to enable Chordiant to meet its obligations under the SOW
and the CIGNA Agreement and for IBM to meet its obligations to CIGNA under the
MSA. Upon the request of IBM or CIGNA, I shall execute, acknowledge, and deliver
such assignments and other documents as Chordiant, IBM or CIGNA may consider
necessary or appropriate to vest all rights, titles, and interests therein to
enable Chordiant to meet its obligations under the SOW and the CIGNA Agreement
and to enable IBM to meet its obligations to CIGNA under the MSA.

 

4.  
Remedies. I hereby understand and agree:

 

(a)  
That unauthorized use or disclosure of Confidential Information may likely
result in substantial monetary and other damages to CIGNA (or IBM, on CIGNA’s
behalf) and their respective direct and indirect subsidiaries and affiliates and
will subject me to disciplinary action, including termination of employment, and
civil and criminal legal proceedings.

 

(b)  
That the unauthorized use or disclosure of Confidential Information may give
rise to irreparable injury to CIGNA (or IBM, on CIGNA’s behalf) and acknowledge
that remedies other than injunctive relief may not be adequate. Accordingly, IBM
and CIGNA and their respective direct and indirect subsidiaries and affiliates
have the right to seek equitable and injunctive relief to prevent the
unauthorized disclosure of Confidential Information.

 

5.  
Miscellaneous. I hereby understand and agree:

 

(a)  
This Agreement embodies the entire understanding between the parties as to the
subject matter of this Agreement and supersedes and replaces any and all prior
understandings, arrangements and agreements whether oral or written relating to
the Confidential Information. The terms of this Agreement shall not be amended
or modified except in writing signed by each of Chordiant and me.

 

(b)  
The provisions of this Agreement shall survive the expiration or termination of
the MSA and the SOW for a period of seven (7) years.

 

(c)  
This Agreement is a personal, indivisible, nontransferable agreement and may not
be assigned or transferred, in whole or in part, by either party.

 

(d)  
CIGNA shall be an intended third party beneficiary of this Agreement but only as
to individuals who are no longer employed by Chordiant or retained as a
consultant by Chordiant.

 

(e)  
This Agreement shall be governed by, and construed and interpreted in accordance
with, the laws of the State of New York, without respect to its rules on the
conflict of laws.

 
[REMAINDER OF PAGE LEFT INTENTIONALLY BLANK]
 


 
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed
by their duly authorized officers as set forth below.


CHORDIANT SOFTWARE, INC.
[insert Chordiant employee or contractor full name]
       
By:      
By:      
   
Name:      
Name:      
   
Title:      
Title:      
   
Date:      
Date:      
   




 
 

--------------------------------------------------------------------------------

 

















EXHIBIT 13












Data Privacy Provisions








This Exhibit 13 - Data Privacy Provisions, consists of the following, attached
two parts: (a) Exhibit 13A regarding CIGNA’s Business Associate Addendum; and
(b) Exhibit 13B regarding European Union Data Privacy.


 
 

--------------------------------------------------------------------------------

 

EXHIBIT 13A




BUSINESS ASSOCIATE ADDENDUM





I.  
INTRODUCTION.



The Parties acknowledge that the Services may involve the use or disclosure of
Protected Health Information, as this term is defined in this Addendum.
Accordingly, the Parties agree to the terms in this Addendum to comply with the
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy
Rule and Security Standards as those terms are defined in this Addendum.
 

II.  
DEFINITIONS



For purposes of this Addendum, terms defined herein shall supersede similarly
defined terms in the MSA . Terms used in this Addendum shall have the same
meaning as those terms in the HIPAA Privacy Rule and Security Standards,
currently defined, in relevant part, as follows:


“Protected Health Information” shall mean Individually Identifiable Health
Information transmitted or maintained in any form or medium that Vendor creates
or receives from or on behalf of CIGNA in the course of fulfilling its
obligations under the MSA (which, for clarification, includes this Addendum).
"Protected Health Information" shall not include: (i) education records covered
by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g;
(ii) records described in 20 U.S.C. §1232g(a)(4)(B)(iv); and (iii) employment
records held by CIGNA in its role as employer.
 
“Designated Record Set” shall mean a group of records maintained by or for CIGNA
that is: (i) the medical records and billing records about individuals
maintained by or for CIGNA; (ii) the enrollment, payment, claims adjudication,
and case or medical management record systems maintained by or for a health
plan; or (iii) used, in whole or in part, by or for CIGNA to make decisions
about individuals. As used herein, the term “Record” means any item, collection,
or grouping of information that includes Protected Health Information and is
maintained, collected, used, or disseminated by or for CIGNA.


“Electronic Media” shall mean: (1) electronic storage media including memory
devices in computers (hard drives) and any removable/transportable digital
memory medium, such as magnetic tape or disk, optical disk, or digital memory
card; or (2) transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the internet
(wide-open), extranet (using internet technology to link a business with
information accessible only to collaborating parties), leased lines, dial-up
lines, private networks, and the physical movement of removable/transportable
electronic storage media. Certain transmissions, including paper, via facsimile,
and of voice, via telephone, are not considered to be transmissions via
electronic media, because the information being exchanged did not exist in
electronic form before transmission.


“Electronic Protected Health Information” shall mean Protected Health
Information that is transmitted by or maintained in Electronic Media.


“Individually Identifiable Health Information” shall mean information that is a
subset of health information, including demographic information collected from
an individual, and



(i)  
is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and




(ii)  
relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past,
present or future payment for the provision of health care to an individual; and
(a) identifies the individual, or (b) with respect to which there is a
reasonable basis to believe the information can be used to identify the
individual; and




(iii)  
relates to identifiable non-health information including but not limited to an
individual’s address, phone number and/or Social Security number.



“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable
Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.


“Secretary” shall mean the Secretary of the Department of Health and Human
Services.


“Security Incident” means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with
system operations in an information system.


“Security Standards” shall mean the HIPAA Security Standards, 45 C.F.R.. Parts
160 and 164



III.  
OBLIGATIONS OF VENDOR



Section 1. Use and Disclosure of Protected Health Information.
 
Vendor may use and disclose Protected Health Information only to carry out the
obligations of Vendor set forth in the MSA (which, for clarification, includes
this Addendum) or as required by law, subject to the provisions set forth in
this Addendum. Vendor shall neither use nor disclose Protected Health
Information for the purpose of creating de-identified information that will be
used for any purpose other than as directed by CIGNA to carry out the
obligations of Vendor set forth in the MSA (which, for clarification, includes
this Addendum) or as required by law.


Section 2. Safeguards Against Misuse of Information.
 
Vendor agrees that it will implement safeguards to prevent the use or disclosure
of Protected Health Information in any manner other than pursuant to the terms
and conditions of the MSA (which, for clarification, includes this Addendum).
Vendor shall implement administrative, physical and technical safeguards that
protect the confidentiality, integrity, and availability of the Electronic
Protected Health Information that it creates, receives, maintains, or transmits
on behalf of CIGNA, as required by the Security Standards.
 
Section 3. Reporting of Uses and Disclosures of Protected Health Information and
Security Incidents.
 
Upon becoming aware of a use or disclosure of Protected Health Information in
violation of this Addendum, Vendor shall promptly report such use or disclosure
to CIGNA. Vendor shall promptly report to CIGNA any Security Incident of which
it becomes aware.


Section 4. Agreements with Third Parties.
 
Vendor shall contractually require that any agent or subcontractor of Vendor to
whom Vendor provides Protected Health Information that is received from CIGNA,
or created or received by Vendor on behalf of CIGNA, agrees to be bound by terms
and conditions that will allow Vendor (including any agent or subcontractor) to
comply with the terms of this Addendum with respect to such Protected Health
Information. Vendor warrants and represents that in the event of a disclosure of
Protected Health Information to any third party, the information disclosed shall
be no more than the minimum necessary for the intended purpose. Vendor shall
contractually require that any agent or subcontractor of Vendor to whom Vendor
provides Electronic Protected Health Information agrees to implement reasonable
and appropriate safeguards to protect such information.
 


Section 5. Access to Information.
 
In the event Vendor maintains Protected Health Information in a Designated
Record Set, Vendor shall, within five (5) business days of receipt of a request
from CIGNA, provide to CIGNA Protected Health Information in Vendor’s possession
that is required for CIGNA to respond to an individual’s request for access to
Protected Health Information made pursuant to 45 C.F.R. § 164.524 or other
applicable law. In the event any individual requests access to Protected Health
Information directly from Vendor, whether or not Vendor is in possession of
Protected Health Information, Vendor may not approve or deny access to the
Protected Health Information requested. Rather, Vendor shall, within two (2)
business days, forward such request to CIGNA.


Section 6. Availability of Protected Health Information for Amendment.
 
In the event Vendor maintains Protected Health Information in a Designated
Record Set, Vendor shall, within five (5) business days of receipt of a request
from CIGNA, provide to CIGNA Protected Health Information in Vendor’s possession
that is required for CIGNA to respond to an individual’s request to amend
Protected Health Information made pursuant to 45 C.F.R. § 164.526 or other
applicable law. If the request is approved, Vendor shall incorporate any such
amendments to the Protected Health Information as required by 45 C.F.R. §164.526
or other applicable law. In the event that the request for the amendment of
Protected Health Information is made directly to the Vendor, whether or not
Vendor is in possession of Protected Health Information, Vendor may not approve
or deny the requested amendment. Rather, Vendor shall, within two (2) business
days forward such request to CIGNA.


Section 7. Accounting of Disclosures.
 
Vendor agrees to document such disclosures of Protected Health Information and
information related to such disclosures as would be required for CIGNA to
respond to a request by an individual for an accounting of disclosures of
Protected Health Information in accordance with 45 CFR § 164.528 or other
applicable law. Vendor shall, within ten (10) business days of receipt of a
request from CIGNA, provide to CIGNA such information as is in Vendor’s
possession and is required for CIGNA to respond to a request for an accounting
made in accordance with 45 C.F.R. 164.528 or other applicable law. In the event
the request for an accounting is delivered directly to Vendor, Vendor shall,
within two (2) business days, forward such request to CIGNA. It shall be CIGNA’s
responsibility to prepare and deliver any such accounting requested.


Section 8. Availability of Books and Records.
 
Vendor hereby agrees to make its applicable internal practices, books and
records, including policies and procedure, available to the Secretary for
purposes of determining CIGNA’s and Vendor’s compliance with the Privacy Rule
and Security Standards. The practices, books and records subject to this Section
are those practices, books and records that relate to the use and disclosure of
Protected Health Information that is created by Vendor on behalf of CIGNA,
received by Vendor from CIGNA, or received by Vendor from a third party on
behalf of CIGNA.



IV.  
TERMINATION



a. Upon termination of the MSA, Vendor’s obligations hereunder shall terminate
when all of the Protected Health Information provided by CIGNA to Vendor, or
created or received by Vendor on behalf of CIGNA, is destroyed or returned to
CIGNA, or, if it is infeasible to return or destroy Protected Health
Information, protections are extended to such information, in accordance with
the termination provisions in this Section.
 
b. If Vendor has committed a material breach of the MSA (which, for
clarification, includes this Addendum) pertaining to the use or disclosure of
PHI, CIGNA shall either:
 
1. Provide an opportunity for Vendor to cure the breach or end the violation and
terminate the MSA if Vendor does not cure the breach or end the violation within
a time period reasonably specified by CIGNA; or
 
2. Immediately terminate the MSA if CIGNA determines cure is not possible.
 
c. Effect of Termination.
 
1. Except as provided in paragraph (2) of this section, upon termination of the
MSA or SOW, for any reason, Vendor shall return or destroy all Protected Health
Information received from CIGNA, or created or received by Vendor on behalf of
CIGNA that relate to the terminated portion of Services. This provision shall
apply to Protected Health Information that is in the possession of
subcontractors or agents of Vendor. Vendor shall retain no copies of the
Protected Health Information.
 
2. In the event that Vendor objectively demonstrates to CIGNA’s reasonable
satisfaction that returning or destroying the Protected Health Information is
infeasible, Vendor shall extend the protections of this Addendum to such
Protected Health Information and limit further uses and disclosures of such
Protected Health Information to those purposes that make the return or
destruction infeasible, for so long as Vendor maintains such Protected Health
Information.
 


 

V.  
MISCELLANEOUS



Section 1. Regulatory References. A reference in this Addendum to a section in
the HIPAA Privacy Rule or Security Standards means the section as in effect or
as amended.


Section 2. Amendment. In the event that state or federal law or regulation, or
an arbitration or judicial interpretation of same, or any regulatory or
enforcement action should explicitly or otherwise require that this Addendum be
changed, altered or modified, then the CIGNA shall notify Vendor and provide
such required amendment, and the CIGNA and Vendor shall continue to perform
Services under the MSA as modified, subject to Change Control Procedures.


Section 3. Survival. The respective rights and obligations of Vendor under
Section III(c)(2) (Effect of Termination), , Section IV(3) (Regulatory
References) and Section IV(5) (Survival) of this Addendum shall survive the
termination of the MSA or SOW.



VI.  
EFFECT OF ADDENDUM



Notwithstanding anything to the contrary in the MSA, to the extent that this
Addendum conflicts with the terms of the MSA relating to Protected Health
Information, the terms of this Addendum shall take precedence.

 
 

--------------------------------------------------------------------------------

 

 


EXHIBIT 13B


EUROPEAN UNION DATA PRIVACY





1.  
DATA PROTECTION FOR PERSONAL DATA PROCESSED IN THE EUROPEAN ECONOMIC AREA

 

1.1  
With respect to any CIGNA Data that is “personal data” (as defined in the EU
Data Privacy Directive, which is in turn defined below) and is processed within,
or transferred out of, the European Union or the European Economic Area (“CIGNA
Personal Data”), the Parties shall each comply with their respective obligations
under the European Union Data Protection Directive (Directive 95/46/EC) (the “EU
Data Protection Directive”), the laws of each member state of the European Union
that implement the EU Data Protection Directive or any related or similar Laws
of any member state of the European Union or the European Economic Area
(collectively, and as any of the same may be amended or replaced from time to
time, the “European Data Protection Laws”). Both Parties shall take the
necessary precautions to avoid acts that place the other Party in breach of its
obligations under the European Data Protection Laws and nothing in the MSA shall
be deemed to prevent any Party from taking the steps it reasonably deems
necessary to comply with the European Data Protection Laws.

 

1.2  
The Parties acknowledge that, as between CIGNA and Vendor and Permitted
Subcontractors:

 

(a)  
CIGNA alone shall determine the purposes for which and the manner in which CIGNA
Personal Data is, or is to be, processed by Vendor or Permitted Subcontractors
in the performance of the Services;

 

(b)  
CIGNA shall be the data “controller” (as defined in the EU Data Protection
Directive) in respect of all CIGNA Personal Data processed by Vendor or
Permitted Subcontractors for purposes of the European Data Protection Laws; and

 

(c)  
Vendor shall be the “data processor” (as defined in the EU Data Protection
Directive) in respect of CIGNA Personal Data processed by Vendor or Permitted
Subcontractors for purposes of the European Data Protection Laws.

 

1.3  
Without limiting the generality of Section 1.1 above, Vendor shall, and shall
cause any Permitted Subcontractors to, promptly comply with any written request
by CIGNA to (at Vendor's cost and expense except as set forth in subsection (a)
as CIGNA's cost): 

 

(a)  
correct or delete inaccurate CIGNA Personal Data processed by Vendor or Vendor
Agents to the extent the inaccuracy was caused by Vendor or Permitted
Subcontractors (otherwise CIGNA shall be responsible for the correction or
deletion);

 

(b)  
provide to CIGNA a copy of CIGNA Personal Data processed by Vendor relating to a
“Data Subject” (as defined in the EU Data Protection Directive) that is stored
in any form of retrieval or storage facilities in the possession or control of
Vendor or Permitted Subcontractors;

 

(c)  
provide reasonable information to CIGNA about Vendor’s or Permitted
Subcontractors' processing of CIGNA Personal Data;

 

(d)  
assist in respect of any request or notice, or any anticipated request or
notice, by or on behalf of any “Data Subject” (as defined in the EU Data
Protection Directive) in respect of CIGNA Personal Data processed by Vendor or
Permitted Subcontractors; and

 

(e)  
otherwise provide reasonable assistance to CIGNA as necessary to allow CIGNA to
comply with the EU Data Protection Directive.

 

1.4  
Without limiting the generality of Section 1.1 above, Vendor shall not, and
shall cause Permitted Subcontractors not to (without CIGNA's prior written
authorization):

 

(a)  
use CIGNA Personal Data for Vendor’s or any Permitted Subcontractor’s own
purposes, including marketing purposes and for any other purpose other than
performing the Services;

 

(b)  
transfer any of CIGNA Personal Data to third parties or across any country’s
border which is not reasonably required for the performance of the Services; or

 

(c)  
carry out the processing by automatic means of any CIGNA Personal Data for the
purpose of evaluating matters about a “Data Subject” (as defined in the EU Data
Protection Directive) that constitutes the sole basis for any decision that
significantly affects such Data Subjects.

 

1.5  
Without limiting the generality of Section 1.1 above, Vendor shall, and shall
cause Permitted Subcontractors to:

 

(a)  
(i) promptly notify CIGNA if any complaints are received about the processing of
CIGNA Personal Data processed by Vendor or Permitted Subcontractors from third
parties; (ii) not make any admissions or take any action which may be
prejudicial to the defense or settlement of any such complaint; and (iii)
provide to CIGNA such reasonable assistance as it may require in connection with
such complaint;

 

(b)  
in the event that Vendor, or a Permitted Subcontractor, acquires, on behalf of
CIGNA, any CIGNA Personal Data from “Data Subjects” (as defined in the EU Data
Protection Directive) as part of the Services, give such individuals a data
protection notice describing the intended use of such CIGNA Personal Data, in a
form provided by CIGNA.

 

1.6  
Without limiting the generality of Section 1.1 above, with respect to CIGNA
Personal Data that is processed by Vendor or Permitted Subcontractors within the
European Union or European Economic Area, Vendor shall, and shall cause
Permitted Subcontractors to:

 

(a)  
take technical and organizational security measures, in accordance with the
requirements of the MSA and this Exhibit, to safeguard against unauthorized and
unlawful processing of CIGNA Personal Data processed by Vendor or Permitted
Subcontractors and against accidental loss or destruction of, or damage to,
CIGNA Personal Data processed by Vendor or Permitted Subcontractors;

 

(b)  
only process CIGNA Personal Data in accordance with written instructions given
by to Vendor by CIGNA and as set out in the MSA;

 

(c)  
taking reasonable steps to ensure the reliability of those Vendor Personnel that
have access to CIGNA Personal Data; and

 

(d)  
provide all of Vendor Personnel involved in processing CIGNA Personal Data with
reasonably adequate training in the care and handling of Personal Data.

 

1.7  
CIGNA hereby instructs Vendor to take such steps as are necessary to the
performance of Vendor’s obligations under this Exhibit.

 

2.  
DATA PROTECTION FOR PERSONAL DATA PROCESSED 

 

2.1  
CIGNA and Vendor each covenant that each of them shall provide the other prompt
notice of any inquiry, notice of violation, notice of enforcement action, or
other similar notice received from the European Union or European government
agency with respect to the compliance of CIGNA and/or Vendor with the EU Data
Protection Directive with respect to the performance of CIGNA and/or Vendor
under the MSA.

 

2.2  
Vendor covenants that at all times during the MSA Term and during any
Termination Assistance Period that:

 

(a)  
Vendor shall, and shall cause Permitted Subcontractors to: (i) provide
processing of CIGNA Personal Data (including operations that are necessary to
support or accomplish the processing) in accordance with the MSA; and (ii) not
transfer any of CIGNA Personal Data to third parties or across any country’s
border which is not specified in the MSA for the processing of CIGNA Personal
Data unless CIGNA has given consent to relocate the processing elsewhere (which
consent shall be in CIGNA's sole discretion);

 

(b)  
Vendor shall not, and shall cause Permitted Subcontractors not to, otherwise
through any act or omission cause CIGNA Personal Data to be transferred to third
parties or across any country’s border which is not specified in the MSA for the
processing of CIGNA Personal Data unless CIGNA has given consent for Vendor to
relocate the processing elsewhere (which consent shall be in CIGNA’s sole
discretion);

 

(c)  
the covenants in subsections (a) and (b) are not intended to restrict Vendor
from accomplishing the following from a location that is outside the United
States, European Union and/or European Economic Area and otherwise authorized
under this Agreement: (i) its own internal processing (e.g., the preparation and
transmission of invoices); or (ii) providing Services which do not involve the
processing of CIGNA Personal Data (such as engineering services, consulting
services, software development services that do not involve tests involving the
processing of CIGNA Personal Data); and

 

(d)  
if Vendor or a Permitted Subcontractor breaches the covenants set out in
subsections (a) and (b), then in addition to any other remedies to which CIGNA
might be entitled under the MSA or at law or in equity, Vendor shall, after
notice from CIGNA, at its own expense promptly accomplish all actions necessary
to have the data returned so as to be in compliance with subsections (a) and
(b).

 





