Documents

State of Michigan 2020 Kaseware contract

Sep. 21 2021 — 8:57p.m.

/86
1/86

STATE OF MICHIGAN PROCUREMENT Department of Technology, Management & Budget 525 W. Allegan Street, Lansing, Ml 48909 NOTICE OF CONTRACT NOTICE OF CONTRACT NO. 171-200000000425 between THE STATE OF MICHIGAN and Various Phone Number Email Address Jarrod Barron CONTRACT SUMMARY DESCRIPTION: MSP Enter rise Criminal lntelli ence S stem Agency Acron m DTMB INITIAL EFFECTIVE DATE INITIAL EXPIRATION DATE INITIAL AVAILABLE OPTIONS EXPIRATION DATE BEFORE CHANGE S NOTED BELOW 01/31/2020 01/31/2025 5-1 year PAYMENT TERMS Net45 ALTERNATE PAYMENT OPTIONS D P-card D Payment Request (PRC) MINIMUM DELIVERY REQUIREMENTS N/A MISCELLANEOUS INFORMATION New Contract established from RFP# 190000001010. Program Managers: 1. MSP: Troy Allen, 2. DTMB: Gordon ESTIMATED CONTRACT VALUE AT TIME OF EXECUTION D Other 01/31/2025 DELIVERY TIMEFRAME N/A EXTENDED PURCHASING ~ Yes D No $3,293,000.00

CONTRACT NO. 171-200000000425 FOR THE CONTRACTOR: Kaseware, Inc. Company Name Authorized Agent Signature Mark Dodge Authorized Agent (Print or Type) Date FOR THE STATE: Signature Jarrod Barron – IT Category Specialist Name & Title DTMB – Central Procurement Services Agency Date 01 / 28 / 2020 1/29/2020

STATE OF MICHIGAN CONTRACT TERMS Software Contract This Software Contract (this "Contract") is agreed to between the State of Michigan (the "State") and Kaseware, Inc. ("Contractor"), a Delaware corpo ration. This Contract is effective on January 31, 2020 ("Effective Date"), and unless earlier terminated , will expire on January 31, 2025 (the "Term"). This Contract may be renewed for up to five additional one-year periods . Renewal must be by written notice from the State and will automatically extend the Term of this Contract. 1. Definitions. For the purposes of this Contract, the following terms have the following meanings: "Acceptance" has the meaning set forth in Section 12.5. "Acceptance Tests" means such tests as may be conducted in accordance with Section 12 and the Statement of Work to determine whether the Software meets the requirements of this Contract and the Documentat ion. "Affiliate" of a Person means any other Person that directly or indirectly, through one or more intermedia ries, controls, is controlled by, or is under common control with, such Person. For purposes of this definition, the term "control" (including the terms "controlled by" and "under common control with") means the direct or indirect ownersh ip of more than fifty percent (50%) of the voting securities of a Person. "Allegedly Infringing Materials" has the mean ing set forth in Section 27.3(b)(ii). "API" means all App lication Programm ing Interfaces and assoc iated API Documentat ion provided by Contractor, and as updated from time to time , to allow the Software to integrate with various State and Third Party Software. "Approved Open-Source Components" means Open-Source Components that may be included in or used in connect ion with the Softwa re and are spec ifica lly identified in an exhibit to the Statement of Work , and approved by the State. "Authorized Users" means all Persons authorized by the State to access and use the Software under this Contract , subject to the maximum number of users spec ified in the applicable Statement of Work . "Business Day" means a day other than a Saturday, Sunday or other day on which the State is authorized or required by Law to be closed for business.

“Business Owner” is the individual appointed by the agency buyer to (a) act as the agency’s representative in all matters relating to the Contract, and (b) co-sign off on notice of Acceptance for the Software. The Business Owner will be identified in the Statement of Work. “Business Requirements Specification” means the initial specification setting forth the State’s business requirements regarding the features and functionality of the Software, as set forth in the Statement of Work. “Change” has the meaning set forth in Section 2.2. “Change Notice” has the meaning set forth in Section 2.2(b). “Change Proposal” has the meaning set forth in Section 2.2(a). “Change Request” has the meaning set forth in Section 2.2. “Confidential Information” has the meaning set forth in Section 20.1. “Configuration” means State-specific changes made to the Software without Source Code or structural data model changes occurring. “Contract” has the meaning set forth in the preamble. “Contract Administrator” is the individual appointed by each party to (a) administer the terms of this Contract, and (b) approve any Change Notices under this Contract. Each party’s Contract Administrator will be identified in the Statement of Work. “Contractor” has the meaning set forth in the preamble. “Contractor’s Bid Response” means the Contractor’s proposal submitted in response to the RFP. “Contractor Personnel” means all employees of Contractor or any Permitted Subcontractors involved in the performance of Services hereunder. “Contractor’s Test Package” has the meaning set forth in Section 11.2. “Criminal Justice Information Data” or “CJI Data” means data necessary for criminal justice agencies to perform their mission and enforce the laws. “Deliverables” means the Software, and all other documents and other materials that Contractor is required to or otherwise does provide to the State under this Contract and otherwise in connection with any Services, including all items specifically identified as Deliverables in the Statement of Work. “Dispute Resolution Procedure” has the meaning set forth in Section 32.1. “Documentation” means all user manuals, operating manuals, technical manuals and any other instructions, specifications, documents or materials, in any form or media, that describe the functionality, installation, testing, operation, use, maintenance, support, technical or other components, features or requirements of the Software.

“DTMB” means the Michigan Department of Technology, Management and Budget. “Effective Date” has the meaning set forth in the preamble. “Fees” means collectively, the License Fees, Implementation Fees, and Support Services Fees. “Financial Audit Period” has the meaning set forth in Section 30.1. “Force Majeure” has the meaning set forth in Section 33.1. “Harmful Code” means any: (a) virus, trojan horse, worm, backdoor or other software or hardware devices the effect of which is to permit unauthorized access to, or to disable, erase, or otherwise harm, any computer, systems or software; or (b) time bomb, drop dead device, or other software or hardware device designed to disable a computer program automatically with the passage of time or under the positive control of any Person, or otherwise prevent, restrict or impede the State's or any Authorized User's use of such software. “HIPAA” has the meaning set forth in Section 19.1. “Implementation Fees” has the meaning set forth in Section 16.2. “Implementation Plan” means the schedule included in the Statement of Work setting forth the sequence of events for the performance of Services under the Statement of Work, including the Milestones and Milestone Dates. “Integration Testing” has the meaning set forth in Section 12.1(c). “Intellectual Property Rights” means all or any of the following: (a) patents, patent disclosures, and inventions (whether patentable or not); (b) trademarks, service marks, trade dress, trade names, logos, corporate names, and domain names, together with all of the associated goodwill; (c) copyrights and copyrightable works (including computer programs), mask works and rights in data and databases; (d) trade secrets, know-how and other confidential information; and (e) all other intellectual property rights, in each case whether registered or unregistered and including all applications for, and renewals or extensions of, such rights, and all similar or equivalent rights or forms of protection provided by applicable Law in any jurisdiction throughout the world. “Key Personnel” means any Contractor Personnel identified as key personnel in the Statement of Work. “Law” means any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree or other requirement or rule of any federal, state, local or foreign government or political subdivision thereof, or any arbitrator, court or tribunal of competent jurisdiction. “License Fee” has the meaning set forth in Section 16.1. “Loss or Losses” means all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorneys' fees and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.

“Maintenance Release” means any update, upgrade, release or other adaptation or modification of the Software, including any updated Documentation, that Contractor may generally provide to its licensees from time to time during the Term, which may contain, among other things, error corrections, enhancements, improvements or other changes to the user interface, functionality, compatibility, capabilities, performance, efficiency or quality of the Software. “Milestone” means an event or task described in the Implementation Plan under the Statement of Work that must be completed by the corresponding Milestone Date. “Milestone Date” means the date by which a particular Milestone must be completed as set forth in the Implementation Plan under the Statement of Work. “New Version” means any new version of the Software that the Contractor may from time to time introduce and market generally as a distinct licensed product, as may be indicated by Contractor's designation of a new version number. “Nonconformity” or “Nonconformities” means any failure or failures of the Software to conform to the requirements of this Contract, including any applicable Documentation. “Open-Source Components” means any software component that is subject to any open-source copyright license agreement, including any GNU General Public License or GNU Library or Lesser Public License, or other obligation, restriction or license agreement that substantially conforms to the Open Source Definition as prescribed by the Open Source Initiative or otherwise may require disclosure or licensing to any third party of any source code with which such software component is used or compiled. “Open-Source License” has the meaning set forth in Section 4. “Operating Environment” means, collectively, the platform, environment and conditions on, in or under which the Software is intended to be installed and operate, as set forth in the Statement of Work, including such structural, functional and other features, conditions and components as hardware, operating software and system architecture and configuration. “Permitted Subcontractor” has the meaning set forth in Section 9.4. “Person” means an individual, corporation, partnership, joint venture, limited liability company, governmental authority, unincorporated organization, trust, association or other entity. “Pricing” means any and all fees, rates and prices payable under this Contract, including pursuant to any Schedule or Exhibit hereto. “Pricing Schedule” means the schedule attached as Schedule B, setting forth the License Fees, Implementation Fees, Support Services Fees, and any other fees, rates and prices payable under this Contract. “Project Manager” is the individual appointed by each party to (a) monitor and coordinate the day-to￾day activities of this Contract, and (b) for the State, to co-sign off on its notice of Acceptance for the Software. Each party’s Project Manager will be identified in the Statement of Work.

“Representatives” means a party's employees, officers, directors, partners, shareholders, agents, attorneys, successors and permitted assigns. “RFP” means the State’s request for proposal designed to solicit responses for Services under this Contract. “Services” means any of the services Contractor is required to or otherwise does provide under this Contract, the Statement of Work, the Service Level Agreement. “Service Level Agreement” means the service level agreement attached as Schedule C to this Contract, setting forth Contractor’s obligations with respect to the hosting, management and operation of the Software. “Site” means the physical location designated by the State in, or in accordance with, this Contract or the Statement of Work for delivery and installation of the Software. “Software” means Contractor’s software set forth in the Statement of Work, and any Maintenance Releases or New Versions provided to the State and any Configurations made by or for the State pursuant to this Contract, and all copies of the foregoing permitted under this Contract. “Source Code” means the human readable source code of the Software to which it relates, in the programming language in which the Software was written, together with all related flow charts and technical documentation, including a description of the procedure for generating object code, all of a level sufficient to enable a programmer reasonably fluent in such programming language to understand, build, operate, support, maintain and develop modifications, upgrades, updates, adaptations, enhancements, new versions and other derivative works and improvements of, and to develop computer programs compatible with, the Software. “Specifications” means, for the Software, the specifications collectively set forth in the Business Requirements Specification, Technical Specification, Documentation, RFP or Contractor’s Bid Response, if any, for such Software, or elsewhere in the Statement of Work. “State” means the State of Michigan. “State Data” has the meaning set forth in Section 19.1. “State Materials” means all materials and information, including documents, data, know-how, ideas, methodologies, specifications, software, content and technology, in any form or media, directly or indirectly provided or made available to Contractor by or on behalf of the State in connection with this Contract. “State Resources” has the meaning set forth in Section 10.1(a). “Statement of Work” means any statement of work entered into by the parties and attached as a schedule to this Contract. The initial Statement of Work is attached as Schedule A, and subsequent Statements of Work shall be sequentially identified and attached as Schedules A-1, A-2, A-3, etc. “Stop Work Order” has the meaning set forth in Section 25.

“Support Services” means the software maintenance and support services Contractor is required to or otherwise does provide to the State under the the Service Level Agreement. “Support Services Commencement Date” means, with respect to the Software, the date on which the Warranty Period for the Software expires or such other date as may be set forth in the Statement of Work. “Support Services Fees” has the meaning set forth in Section 16.3. “Technical Specification” means, with respect to any Software, the document setting forth the technical specifications for such Software and included in the Statement of Work. “Term” has the meaning set forth in the preamble. “Test Data” has the meaning set forth in Section 11.2. “Test Estimates” has the meaning set forth in Section 11.2. “Testing Period” has the meaning set forth in Section 12.1(b). “Third Party” means any Person other than the State or Contractor. “Transition Period” has the meaning set forth in Section 24.3 “Transition Responsibilities” has the meaning set forth in Section 24.3. “Unauthorized Removal” has the meaning set forth in Section 9.3(b). “Unauthorized Removal Credit” has the meaning set forth in Section 9.3(c). “User Data” means all data, information and other content of any type and in any format, medium or form, whether audio, visual, digital, screen, GUI or other, that is input, uploaded to, placed into or collected, stored, processed, generated or output by any device, system or network by or on behalf of the State, including any and all works, inventions, data, analyses and other information and materials resulting from any use of the Software by or on behalf of the State under this Contract, except that User Data does not include the Software or data, information or content, including any GUI, audio, visual or digital or other display or output, that is generated automatically upon executing the Software without additional user input. “Warranty Period” means the ninety (90) calendar-day period commencing on the date of the State's Acceptance of the Software. “Work Product” means all State-specific deliverables that Contractor is required to, or otherwise does, provide to the State under this Contract including but not limited to computer scripts, macros, user interfaces, reports, project management documents, forms, templates, and other State-specific documents and related materials together with all ideas, concepts, processes, and methodologies developed in connection with this Contract whether or not embodied in this Contract. 2. Statements of Work. Contractor shall provide Services and Deliverables pursuant to Statements of Work entered into under this Contract. No Statement of Work shall be effective unless signed by each

party’s Contract Administrator. The term of each Statement of Work shall commence on the parties' full execution of the Statement of Work and terminate when the parties have fully performed their obligations. The terms and conditions of this Contract will apply at all times to any Statements of Work entered into by the parties and attached as a schedule to this Contract. The State shall have the right to terminate such Statement of Work as set forth in Section 24. Contractor acknowledges that time is of the essence with respect to Contractor’s obligations under each Statement of Work and agrees that prompt and timely performance of all such obligations in accordance with this Contract and the Statements of Work (including the Implementation Plan and all Milestone Dates) is strictly required. 2.1 Statement of Work Requirements. Each Statement of Work will include the following: (a) names and contact information for Contractor’s Contract Administrator, Project Manager and Key Personnel; (b) names and contact information for the State’s Contract Administrator, Project Manager and Business Owner; (c) a detailed description of the Services to be provided under this Contract, including any training obligations of Contractor; (d) a detailed description of the Software to be provided under this Contract, including the: (i) version and release number of the Software; (ii) Business Requirements Specification; (iii) Technical Specification; and (iv) a description of the Documentation to be provided; (e) an Implementation Plan, including all Milestones, the corresponding Milestone Dates and the parties’ respective responsibilities under the Implementation Plan; (f) the due dates for payment of Fees and any invoicing requirements, including any Milestones on which any such Fees are conditioned, and such other information as the parties deem necessary; (g) disclosure of all Open-Source Components (each identified on a separate exhibit to the Statement of Work), in each case accompanied by such related documents as may be required by this Contract; (h) description of all liquidated damages associated with this Contract; and (i) a detailed description of all State Resources required to complete the Implementation Plan. 2.2 Change Control Process. The State may at any time request in writing (each, a “Change Request”) changes to the Statement of Work, including changes to the Services and Implementation Plan (each, a “Change”). Upon the State’s submission of a Change Request, the parties will evaluate and implement all Changes in accordance with this Section 2.2.

(a) As soon as reasonably practicable, and in any case within twenty (20) Business Days following receipt of a Change Request, Contractor will provide the State with a written proposal for implementing the requested Change (“Change Proposal”), setting forth: (i) a written description of the proposed Changes to any Services or Deliverables; (ii) an amended Implementation Plan reflecting: (A) the schedule for commencing and completing any additional or modified Services or Deliverables; and (B) the effect of such Changes, if any, on completing any other Services under the Statement of Work; (iii) any additional State Resources Contractor deems necessary to carry out such Changes; and (iv) any increase or decrease in Fees resulting from the proposed Changes, which increase or decrease will reflect only the increase or decrease in time and expenses Contractor requires to carry out the Change. (b) Within thirty (30) Business Days following the State’s receipt of a Change Proposal, the State will by written notice to Contractor, approve, reject, or propose modifications to such Change Proposal. If the State proposes modifications, Contractor must modify and re-deliver the Change Proposal reflecting such modifications, or notify the State of any disagreement, in which event the parties will negotiate in good faith to resolve their disagreement. Upon the State’s approval of the Change Proposal or the parties’ agreement on all proposed modifications, as the case may be, the parties will execute a written agreement to the Change Proposal (“Change Notice”), which Change Notice will be signed by the State’s Contract Administrator and will constitute an amendment to the Statement of Work to which it relates; and (c) If the parties fail to enter into a Change Notice within fifteen (15) Business Days following the State’s response to a Change Proposal, the State may, in its discretion: (i) require Contractor to perform the Services under the Statement of Work without the Change; (ii) require Contractor to continue to negotiate a Change Notice; (iii) initiate a Dispute Resolution Procedure; or (iv) notwithstanding any provision to the contrary in the Statement of Work, terminate this Contract under Section 24. (d) No Change will be effective until the parties have executed a Change Notice. Except as the State may request in its Change Request or otherwise in writing, Contractor must continue to perform its obligations in accordance with the Statement of Work pending negotiation and execution of a Change Notice. Contractor will use its best efforts to limit any delays or Fee increases from any Change to those necessary to perform the Change in accordance with the applicable Change Notice. Each party is responsible for its own costs and expenses of preparing, evaluating, negotiating, and otherwise processing any Change Request, Change Proposal, and Change Notice. (e) The performance of any functions, activities, tasks, obligations, roles and responsibilities comprising the Services as described in this Contract are considered part of the Services and, thus, will

not be considered a Change. This includes the delivery of all Deliverables in accordance with their respective Specifications, and the diagnosis and correction of Non-Conformities discovered in Deliverables prior to their Acceptance by the State or, subsequent to their Acceptance by the State, as necessary for Contractor to fulfill its associated warranty requirements and its Support Services under this Contract. (f) Contractor may, on its own initiative and at its own expense, prepare and submit its own Change Request to the State. However, the State will be under no obligation to approve or otherwise respond to a Change Request initiated by Contractor. 3. License Grant and Restrictions. 3.1 Contractor License Grant. Contractor hereby grants to the State, exercisable by and through its Authorized Users, a nonexclusive, royalty-free, irrevocable (except as provided herein) right and license during the Term and such additional periods, if any, as Contractor is required to perform Services under this Contract or any Statement of Work, to: (a) access and use the Hosted Services, including in operation with other software, hardware, systems, networks and services, for the State’s business purposes, including for Processing State Data; (b) generate, print, copy, upload, download, store and otherwise Process all GUI, audio, visual, digital and other output, displays and other content as may result from any access to or use of the Services; (c) prepare, reproduce, print, download and use a reasonable number of copies of the Specifications and Documentation for any use of the Services under this Contract; and (d) access and use the Services for all such non-production uses and applications as may be necessary or useful for the effective use of the Hosted Services hereunder, including for purposes of analysis, development, configuration, integration, testing, training, maintenance, support and repair, which access and use will be without charge and not included for any purpose in any calculation of the State’s or its Authorized Users’ use of the Services, including for purposes of assessing any Fees or other consideration payable to Contractor or determining any excess use of the Hosted Services as described in Section 3.3. 3.2 License Restrictions. The State will not: (a) rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer or otherwise make the Hosted Services available to any third party, except as expressly permitted by this Contract or in any Statement of Work; or (b) use or authorize the use of the Services or Documentation in any manner or for any purpose that is unlawful under applicable Law. 3.3 Use. The State will pay Contractor the corresponding Fees set forth in the Statement of Work for all Authorized Users access and use of the Service Software. Such Fees will be Contractor’s sole and exclusive remedy for use of the Service Software, including any excess use.

3.4 State License Grant. The State hereby grants to Contractor a limited, non-exclusive, non￾transferable license (i) to use the State's (or individual agency’s, department’s or division’s) name, trademarks, service marks or logos, solely in accordance with the State’s specifications, and (ii) to display, reproduce, distribute and transmit in digital form the State’s (or individual agency’s, department’s or division’s) name, trademarks, service marks or logos in connection with promotion of the Services as communicated to Contractor by the State. Use of the State’s (or individual agency’s, department’s or division’s) name, trademarks, service marks or logos will be specified in the applicable Statement of Work. 4. Open-Source Licenses. Any use hereunder of Open-Source Components shall be governed by, and subject to, the terms and conditions of the applicable open-source license (“Open-Source License”). Contractor shall maintain an exhibit available to the State upon request that lists all open-source licenses being utilized and identifies the URL where these licenses are publicly available. 5. Software Implementation. 5.1 Implementation. Contractor will deliver, install, configure, integrate, and otherwise provide and make fully operational the Software on or prior to the applicable Milestone Date in accordance with the criteria set forth in the Statement of Work. 5.2 Site Preparation. Unless otherwise set forth in the Statement of Work, Contractor is responsible for ensuring the relevant Operating Environment is set up and in working order to allow Contractor to deliver and install the Software on or prior to the applicable Milestone Date. Contractor will provide the State with such notice as is specified in the Statement of Work, prior to delivery of the Software to give the State sufficient time to prepare for Contractor’s delivery and installation of the Software. If the State is responsible for Site preparation, Contractor will provide such assistance as the State requests to complete such preparation on a timely basis. 6. Hosting. Contractor will maintain the Availability Requirement and the Support Service Level Requirement set forth in the Service Level Agreement attached as Schedule C to this Contract. 7. Support Services 7.1 Support Services. Contractor shall provide the State with the Support Services described in the Service Level Agreement attached as Schedule C to this Contract. Such Support Services shall be provided: (a) Free of charge during the Warranty Period, it being acknowledged and agreed that the License Fee includes full consideration for such Services during such period. (b) Thereafter, for so long as the State elects to receive Support Services for the Software, in consideration of the State's payment of Support Services Fees in accordance with Section 16 and the rates set forth in the Pricing Schedule. 8. Data Privacy and Information Security. 8.1 Undertaking by Contractor. Without limiting Contractor’s obligation of confidentiality as further described, Contractor is responsible for establishing and maintaining a data privacy and information

security program, including physical, technical, administrative, and organizational safeguards, that is designed to: (a) ensure the security and confidentiality of the State Data; (b) protect against any anticipated threats or hazards to the security or integrity of the State Data; (c) protect against unauthorized disclosure, access to, or use of the State Data; (d) ensure the proper disposal of State Data; and (e) ensure that all Contractor Representatives comply with all of the foregoing. In no case will the safeguards of Contractor’s data privacy and information security program be less stringent than the safeguards used by the State, and Contractor must at all times comply with all applicable State IT policies and standards, which are available at http://www.michigan.gov/dtmb/0,4568,7-150-56355 56579 56755-- -,00.html. 8.2 To the extent that Contractor has access to the State’s computer system, Contractor must comply with the State’s Acceptable Use Policy, see http://michigan.gov/cybersecurity/0,1607,7-217- 34395 34476---,00.html. All Contractor Personnel will be required, in writing, to agree to the State’s Acceptable Use Policy before accessing the State’s system. The State reserves the right to terminate Contractor’s access to the State’s system if a violation occurs. 8.3 Right of Audit by the State. Without limiting any other audit rights of the State, the State has the right to review Contractor’s data privacy and information security program prior to the commencement of Services and from time to time during the term of this Contract. During the providing of Services, on an ongoing basis from time to time and without notice, the State, at its own expense, is entitled to perform, or to have performed, an on-site audit of Contractor’s data privacy and information security program. In lieu of an on-site audit, upon request by the State, Contractor agrees to complete, within forty-five (45) calendar days of receipt, an audit questionnaire provided by the State regarding Contractor’s data privacy and information security program. 8.4 Audit Findings. With respect to State Data, Contractor must implement any required safeguards as identified by the State or by any audit of Contractor’s data privacy and information security program. 8.5 State’s Right to Termination for Deficiencies. The State reserves the right, at its sole election, to immediately terminate this Contract or the Statement of Work without limitation and without liability if the State determines that Contractor fails or has failed to meet its obligations under this Section 8. 8.6 Security Requirements. Contractor shall comply with the security requirements set forth in Schedule D to this Contract. 9. Performance of Services. Contractor will provide all Services and Deliverables in a timely, professional and workmanlike manner and in accordance with the terms, conditions, and Specifications set forth in this Contract and the Statement of Work. 9.1 Contractor Personnel. (a) Contractor is solely responsible for all Contractor Personnel and for the payment of their compensation, including, if applicable, withholding of income taxes, and the payment and withholding of social security and other payroll taxes, unemployment insurance, workers’ compensation insurance payments and disability benefits. (b) Prior to any Contractor Personnel performing any Services, Contractor will: (i) ensure that such Contractor Personnel have the legal right to work in the United States;

(ii) upon request, require such Contractor Personnel to execute written agreements, in form and substance acceptable to the State, that bind such Contractor Personnel to confidentiality provisions that are at least as protective of the State’s information (including all Confidential Information) as those contained in this Contract; and (iii) upon request, perform background checks on all Contractor Personnel prior to their assignment. The scope is at the discretion of the State and documentation must be provided as requested. Contractor is responsible for all costs associated with the requested background checks. The State, in its sole discretion, may also perform background checks on Contractor Personnel. (c) Contractor and all Contractor Personnel will comply with all rules, regulations, and policies of the State that are communicated to Contractor in writing, including security procedures concerning systems and data and remote access, building security procedures, including the restriction of access by the State to certain areas of its premises or systems, and general health and safety practices and procedures. (d) The State reserves the right to require the removal of any Contractor Personnel found, in the judgment of the State, to be unacceptable. The State’s request must be written with reasonable detail outlining the reasons for the removal request. Replacement personnel for the removed person must be fully qualified for the position. If the State exercises this right, and Contractor cannot immediately replace the removed personnel, the State agrees to negotiate an equitable adjustment in schedule or other terms that may be affected by the State’s required removal. 9.2 Contractor’s Project Manager. Throughout the Term of this Contract, Contractor must maintain a Contractor employee acceptable to the State to serve as Contractor’s Project Manager, who will be considered Key Personnel of Contractor. Contractor’s Project Manager will be identified in the Statement of Work. (a) Contractor’s Project Manager must: (i) have the requisite authority, and necessary skill, experience, and qualifications, to perform in such capacity; (ii) be responsible for overall management and supervision of Contractor’s performance under this Contract; and (iii) be the State’s primary point of contact for communications with respect to this Contract, including with respect to giving and receiving all day-to-day approvals and consents. (b) Contractor’s Project Manager must attend all regularly scheduled meetings as set forth in the Implementation Plan, and will otherwise be available as set forth in the Statement of Work. (c) Contractor will maintain the same Project Manager throughout the Term of this Contract, unless: (i) the State requests in writing the removal of Contractor’s Project Manager; (ii) the State consents in writing to any removal requested by Contractor in writing;

(iii) Contractor’s Project Manager ceases to be employed by Contractor, whether by resignation, involuntary termination or otherwise. (d) Contractor will promptly replace its Project Manager on the occurrence of any event set forth in Section 9.2(c). Such replacement will be subject to the State's prior written approval. 9.3 Contractor’s Key Personnel. (a) The State has the right to recommend and approve in writing the initial assignment, as well as any proposed reassignment or replacement, of any Key Personnel. Before assigning an individual to any Key Personnel position, Contractor will notify the State of the proposed assignment, introduce the individual to the State’s Project Manager, and provide the State with a resume and any other information about the individual reasonably requested by the State. The State reserves the right to interview the individual before granting written approval. In the event the State finds a proposed individual unacceptable, the State will provide a written explanation including reasonable detail outlining the reasons for the rejection. (b) Contractor will not remove any Key Personnel from their assigned roles on this Contract without the prior written consent of the State. The Contractor’s removal of Key Personnel without the prior written consent of the State is an unauthorized removal (“Unauthorized Removal”). An Unauthorized Removal does not include replacing Key Personnel for reasons beyond the reasonable control of Contractor, including illness, disability, leave of absence, personal emergency circumstances, resignation, or for cause termination of the Key Personnel’s employment. Any Unauthorized Removal may be considered by the State to be a material breach of this Contract, in respect of which the State may elect to terminate this Contract for cause under Section 24.1. (c) It is further acknowledged that an Unauthorized Removal will interfere with the timely and proper completion of this Contract, to the loss and damage of the State, and that it would be impracticable and extremely difficult to fix the actual damage sustained by the State as a result of any Unauthorized Removal. Therefore, Contractor and the State agree that in the case of any Unauthorized Removal in respect of which the State does not elect to exercise its rights under Section 24.1, Contractor will issue to the State an amount equal to $25,000 per individual (each, an “Unauthorized Removal Credit”). (d) Contractor acknowledges and agrees that each of the Unauthorized Removal Credits assessed under Subsection (c) above: (i) is a reasonable estimate of and compensation for the anticipated or actual harm to the State that may arise from the Unauthorized Removal, which would be impossible or very difficult to accurately estimate; and (ii) may, at the State’s option, be credited or set off against any Fees or other charges payable to Contractor under this Contract. 9.4 Subcontractors. Contractor will not, without the prior written approval of the State, which consent may be given or withheld in the State’s sole discretion, engage any Third Party to perform Services. The State’s approval of any such Third Party (each approved Third Party, a “Permitted Subcontractor”) does not relieve Contractor of its representations, warranties or obligations under this Contract. Without limiting the foregoing, Contractor will: (a) be responsible and liable for the acts and omissions of each such Permitted Subcontractor (including such Permitted Subcontractor's employees who, to the extent providing Services or Deliverables, shall be deemed Contractor Personnel) to the same extent as if such acts or omissions were by Contractor or its employees;

(b) name the State a third party beneficiary under Contractor’s Contract with each Permitted Subcontractor with respect to the Services; (c) be responsible for all fees and expenses payable to, by or on behalf of each Permitted Subcontractor in connection with this Contract, including, if applicable, withholding of income taxes, and the payment and withholding of social security and other payroll taxes, unemployment insurance, workers' compensation insurance payments and disability benefits; and (d) notify the State of the location of the Permitted Subcontractor and indicate if it is located within the continental United States. 10. State Obligations. 10.1 State Resources and Access. The State is responsible for: (a) providing the State Materials and such other resources as may be specified in the Statement of Work (collectively, “State Resources”); and (b) if the Software is internally hosted on State systems, providing Contractor Personnel with such access to the Site(s) and Operating Environment as is necessary for Contractor to perform its obligations on a timely basis as set forth in the Statement of Work. 10.2 State Project Manager. Throughout the Term of this Contract, the State will maintain a State employee to serve as the State’s Project Manager under this Contract. The State’s Project Manager will be identified in the Statement of Work. The State’s Project Manager will be available as set forth in the Statement of Work. 11. Pre-Delivery Testing. 11.1 Testing By Contractor. Before delivering and installing the Software, Contractor must: (a) test the Software to confirm that it is fully operable, meets all applicable Specifications and will function in accordance with the Specifications and Documentation when properly installed in the Operating Environment; (b) scan the Software using industry standard scanning software and definitions to confirm it is free of Harmful Code; and (c) remedy any Non-Conformity or Harmful Code identified and retest and rescan the Software. 11.2 Test Data and Estimates. Unless otherwise specified in the Statement of Work, Contractor shall provide to the State all test data and testing scripts used by Contractor for its pre-delivery testing (“Test Data”), together with the results Contractor expects to be achieved by processing the Test Data using the Software (“Test Estimates,” and together with Test Data, “Contractor’s Test Package”). 12. Acceptance Testing. 12.1 Acceptance Testing.

(a) Unless otherwise specified in the Statement of Work, upon installation of the Software, Acceptance Tests will be conducted as set forth in this Section 12 to ensure the Software conforms to the requirements of this Contract, including the applicable Specifications and Documentation. The State may, but is not obligated, to perform its own pretest on the Software utilizing Contractor’s Test Package. If the State does perform a pretest, and Contractor’s Test Package does not successfully pass the Test Data or Test Estimate scripts as described by Contractor, the State, at its discretion, is not obligated to move into the formal Acceptance Tests set forth in this Section. The State may elect to send Contractor’s Test Package back to Contractor to correct any problems encountered with the Test Data or Test Estimates. (b) All Acceptance Tests will take place at the designated Site(s) in the Operating Environment described in the Statement of Work, commence on the Business Day following installation of the Software and be conducted diligently for up to thirty (30) Business Days, or such other period as may be set forth in the Statement of Work (the “Testing Period”). Acceptance Tests will be conducted by the party responsible as set forth in the Statement of Work or, if the Statement of Work does not specify, the State, provided that: (i) for Acceptance Tests conducted by the State, if requested by the State, Contractor will make suitable Contractor Personnel available to observe or participate in such Acceptance Tests; and (ii) for Acceptance Tests conducted by Contractor, the State has the right to observe or participate in all or any part of such Acceptance Tests. Contractor is solely responsible for all costs and expenses related to Contractor’s performance of, participation in, and observation of Acceptance Testing. (c) Upon delivery and installation of any API, Configuration or Customization to the Software under the Statement of Work, additional Acceptance Tests will be performed on the modified Software as a whole to ensure full operability, integration, and compatibility among all elements of the Software (“Integration Testing”). Integration Testing is subject to all procedural and other terms and conditions set forth in Section 12.1, Section 12.3, and Section 12.4. (d) The State may suspend Acceptance Tests and the corresponding Testing Period by written notice to Contractor if the State discovers a material Non-Conformity in the tested Software or part or feature of the Software. In such event, Contractor will immediately, and in any case within ten (10) Business Days, correct such Non-Conformity, whereupon the Acceptance Tests and Testing Period will resume for the balance of the Testing Period. 12.2 Notices of Completion, Non-Conformities, and Acceptance. Within fifteen (15) Business Days following the completion of any Acceptance Tests, including any Integration Testing, the party responsible for conducting the tests will prepare and provide to the other party written notice of the completion of the tests. Such notice must include a report describing in reasonable detail the tests conducted and the results of such tests, including any uncorrected Non-Conformity in the tested Software. (a) If such notice is provided by either party and identifies any Non-Conformities, the parties’ rights, remedies, and obligations will be as set forth in Section 12.3 and Section 12.4.

(b) If such notice is provided by the State, is signed by the State’s Business Owner and Project Manager, and identifies no Non-Conformities, such notice constitutes the State's Acceptance of such Software. (c) If such notice is provided by Contractor and identifies no Non-Conformities, the State will have thirty (30) Business Days to use the Software in the Operating Environment and determine, in the exercise of its sole discretion, whether it is satisfied that the Software contains no Non-Conformities, on the completion of which the State will, as appropriate: (i) notify Contractor in writing of Non-Conformities the State has observed in the Software and of the State’s non-acceptance thereof, whereupon the parties’ rights, remedies and obligations will be as set forth in Section 12.3 and Section 12.4; or (ii) provide Contractor with a written notice of its Acceptance of such Software, which must be signed by the State’s Business Owner and Project Manager. 12.3 Failure of Acceptance Tests. If Acceptance Tests identify any Non-Conformities, Contractor, at Contractor’s sole cost and expense, will remedy all such Non-Conformities and re-deliver the Software, in accordance with the requirements set forth in the Statement of Work. Redelivery will occur as promptly as commercially possible and, in any case, within thirty (30) Business Days following, as applicable, Contractor’s: (a) completion of such Acceptance Tests, in the case of Acceptance Tests conducted by Contractor; or (b) receipt of the State’s notice under Section 12.1(a) or Section 12.2(c)(i), identifying any Non-Conformities. 12.4 Repeated Failure of Acceptance Tests. If Acceptance Tests identify any Non-Conformity in the Software after a second or subsequent delivery of the Software, or Contractor fails to re-deliver the Software on a timely basis, the State may, in its sole discretion, by written notice to Contractor: (a) continue the process set forth in this Section 12; (b) accept the Software as a nonconforming deliverable, in which case the Fees for such Software will be reduced equitably to reflect the value of the Software as received relative to the value of the Software had it conformed; or (c) deem the failure to be a non-curable material breach of this Contract and the Statement of Work and terminate this Contract for cause in accordance with Section 24.1. 12.5 Acceptance. Acceptance (“Acceptance”) of the Software (subject, where applicable, to the State’s right to Integration Testing) will occur on the date that is the earliest of the State’s delivery of a notice accepting the Software under Section 12.2(b), or Section 12.2(c)(ii). 13. Training. Contractor shall provide training on all uses of the Software permitted hereunder in accordance with the times, locations and other terms set forth in the Statement of Work and the Pricing Schedule. Upon the State's request, Contractor shall timely provide training for additional Authorized Users or other additional training on all uses of the Software for which the State requests such training, at such reasonable times and locations and pursuant to such rates and other terms as are set forth in the Pricing Schedule.

14. Maintenance Releases; New Versions 14.1 Maintenance Releases. Provided that the State is current on its Support Services Fees, during the Term, Contractor shall provide the State, at no additional charge, with all Maintenance Releases, each of which will constitute Software and be subject to the terms and conditions of this Contract. 14.2 New Versions. Provided that the State is current on its Support Services Fees, during the Term, Contractor shall provide the State, at no additional charge, with all New Versions, each of which will constitute Software and be subject to the terms and conditions of this Contract. 14.3 Installation. The State has no obligation to install or use any Maintenance Release or New Versions. If the State wishes to install any Maintenance Release or New Version, the State shall have the right to have such Maintenance Release or New Version installed, in the State's discretion, by Contractor or other authorized party as set forth in the Statement of Work. Contractor shall provide the State, at no additional charge, adequate Documentation for installation of the Maintenance Release or New Version, which has been developed and tested by Contractor and Acceptance Tested by the State. The State’s decision not to install or implement a Maintenance Release or New Version of the Software will not affect its right to receive Support Services throughout the Term of this Contract. 15. Source Code Escrow 15.1 Escrow Contract. The parties may enter into a separate intellectual property escrow agreement. Such escrow agreement will govern all aspects of Source Code escrow and release. 16. Fees 16.1 License Fee. In consideration of, and as payment in full for, the rights and license to use the Software and Documentation as provided in this Contract, the State shall pay to Contractor the license fees (the “License Fee”) set forth on the Pricing Schedule, subject to and in accordance with the terms and conditions of this Contract, including the applicable timetable and other provisions of the Statement of Work and this Section 16. 16.2 Implementation Fees. In consideration of, and as payment in full for, Contractor’s provision of implementation services as provided in this Contract and the Statement of Work, the State shall pay to Contractor the implementation fees (the “Implementation Fees”) set forth on the Pricing Schedule, subject to and in accordance with the terms and conditions of this Contract, including the applicable timetable and other provisions of the Statement of Work and this Section 16. 16.3 Support Service Fees. In consideration of Contractor providing the Support Services as required under the Service Level Agreement , the State shall pay to Contractor the Support Services fees (the “Support Service Fees”) set forth in the Pricing Schedule, subject to and in accordance with the terms and conditions of this Contract, including the applicable provisions of the Service Level Agreement and this Section 16. 16.4 Firm Pricing/Fee Changes. All Pricing set forth in this Contract is firm and will not be increased, except as otherwise expressly provided in this Section 16.4. (a) The License Fee will not be increased at any time except for the addition of additional licenses, the fees for which licenses will also remain firm in accordance with the Pricing set forth in the Pricing Schedule.

17. Invoices and Payment. 17.1 Invoices. Contractor will invoice the State for Fees in accordance with the requirements set forth in the Statement of Work, including any requirements that condition the rendering of invoices and the payment of Fees upon the successful completion of Milestones. Contractor must submit each invoice in both hard copy and electronic format, via such delivery means and to such address as are specified by the State in the Statement of Work. Each separate invoice must: (a) clearly identify the Contract and purchase order number to which it relates, in such manner as is required by the State; (b) list each Fee item separately; (c) include sufficient detail for each line item to enable the State to satisfy its accounting and charge-back requirements; (d) for Fees determined on a time and materials basis, report details regarding the number of hours performed during the billing period, the skill or labor category for such Contractor Personnel and the applicable hourly billing rates; (e) include such other information as may be required by the State as set forth in the Statement of Work; and (f) Itemized invoices must be submitted to . 17.2 Payment. Invoices are due and payable by the State, in accordance with the State’s standard payment procedures as specified in 1984 Public Act no. 279, MCL 17.51, et seq., within forty-five (45) calendar days after receipt, provided the State determines that the invoice was properly rendered. The State will only disburse payments under this Contract through Electronic Funds Transfer (EFT). Contractor must register with the State at http://www.michigan.gov/SIGMAVSS to receive electronic fund transfer payments. If Contractor does not register, the State is not liable for failure to provide payment 17.3 Taxes. The State is exempt from State sales tax for direct purchases and may be exempt from federal excise tax, if Services or Deliverables purchased under this Contract are for the State’s exclusive use. Notwithstanding the foregoing, all Fees are inclusive of taxes, and Contractor is responsible for all sales, use and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any federal, state, or local governmental entity on any amounts payable by the State under this Contract. 17.4 Payment Disputes. The State may withhold from payment any and all payments and amounts the State disputes in good faith, pending resolution of such dispute, provided that the State: (a) timely renders all payments and amounts that are not in dispute; (b) notifies Contractor of the dispute prior to the due date for payment, specifying in such notice: (i) the amount in dispute; and (ii) the reason for the dispute set out in sufficient detail to facilitate investigation by Contractor and resolution by the parties;

(c) works with Contractor in good faith to resolve the dispute promptly; and (d) promptly pays any amount determined to be payable by resolution of the dispute. Contractor shall not withhold any Services or fail to perform any obligation hereunder by reason of the State's good faith withholding of any payment or amount in accordance with this Section 17.4 or any dispute arising therefrom. 17.5 Right of Setoff. Without prejudice to any other right or remedy it may have, the State reserves the right to set off at any time any amount owing to it by Contractor against any amount payable by the State to Contractor under this Contract. 18. Intellectual Property Rights 18.1 Ownership Rights in Software (a) Subject to the rights and licenses granted by Contractor in this Contract, and the provisions of Section 18.1(b): (i) Contractor reserves and retains its entire right, title and interest in and to all Intellectual Property Rights arising out of or relating to the Software; and (ii) none of the State or Authorized Users acquire any ownership of Intellectual Property Rights in or to the Software or Documentation as a result of this Contract. (b) As between the State, on the one hand, and Contractor, on the other hand, the State has, reserves and retains, sole and exclusive ownership of all right, title and interest in and to User Data, including all Intellectual Property Rights arising therefrom or relating thereto. 18.2 Rights in Open-Source Components. Ownership of all Intellectual Property Rights in Open￾Source Components shall remain with the respective owners thereof, subject to the State's rights under the applicable Open-Source Licenses. 18.3 The State is and will be the sole and exclusive owner of all right, title, and interest in and to all API and Work Product developed exclusively for the State under this Contract, including all Intellectual Property Rights. In furtherance of the foregoing: (a) Contractor will create all API and Work Product as work made for hire as defined in Section 101 of the Copyright Act of 1976; and (b) to the extent any API, Work Product, or Intellectual Property Rights do not qualify as, or otherwise fails to be, work made for hire, Contractor hereby: (i) assigns, transfers, and otherwise conveys to the State, irrevocably and in perpetuity, throughout the universe, all right, title, and interest in and to such API or Work Product, including all Intellectual Property Rights; and (ii) irrevocably waives any and all claims Contractor may now or hereafter have in any jurisdiction to so-called “moral rights” or rights of droit moral with respect to the API or Work Product.

19. State Data. 19.1 Ownership. The State’s data (“State Data”), which will be treated by Contractor as Confidential Information, includes: (a) User Data; and (b) any other data collected, used, processed, stored, or generated by the State in connection with the Services, including but not limited to (i) personally identifiable information (“PII”) collected, used, processed, stored, or generated as the result of the Services, including, without limitation, any information that identifies an individual, such as an individual’s social security number or other government-issued identification number, date of birth, address, telephone number, biometric data, mother’s maiden name, email address, credit card information, or an individual’s name in combination with any other of the elements here listed; and (ii) personal health information (“PHI”) collected, used, processed, stored, or generated as the result of the Services, which is defined under the Health Insurance Portability and Accountability Act (“HIPAA”) and its related rules and regulations; and (iii) CJI Data. State Data is and will remain the sole and exclusive property of the State and all right, title, and interest in the same is reserved by the State. This Section 19.1 survives termination or expiration of this Contract. 19.2 Contractor Use of State Data. Contractor is provided a limited license to State Data for the sole and exclusive purpose of providing the Services, including a license to collect, process, store, generate, and display State Data only to the extent necessary in the provision of the Services. Contractor must: (a) keep and maintain State Data in strict confidence, using such degree of care as is appropriate and consistent with its obligations as further described in this Contract and applicable law to avoid unauthorized access, use, disclosure, or loss; (b) use and disclose State Data solely and exclusively for the purpose of providing the Services, such use and disclosure being in accordance with this Contract, any applicable Statement of Work, and applicable law; and (c) not use, sell, rent, transfer, distribute, or otherwise disclose or make available State Data for Contractor’s own purposes or for the benefit of anyone other than the State without the State’s prior written consent. This Section 19.2 survives termination or expiration of this Contract. 19.3 Loss or Compromise of Data. In the event of any act, error or omission, negligence, misconduct, or breach on the part of Contractor that compromises or is suspected to compromise the security, confidentiality, or integrity of State Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of State Data, Contractor must, as applicable: (a) notify the State as soon as practicable but no later than twenty-four (24) hours of becoming aware of such occurrence; (b) cooperate with the State in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by the State; (c) in the case of PII or PHI, at the State’s sole election, (i) with approval and assistance from the State, notify the affected individuals who comprise the PII or PHI as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or (ii) reimburse the State for any costs in notifying the affected individuals; (d) in the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twenty-four (24) months following the date of notification to such individuals; (e) perform or take any other actions required to comply with applicable law as a result of the occurrence; (f) pay for any costs associated with the occurrence, including but not limited to any costs incurred by the State in investigating and resolving the occurrence, including reasonable attorney’s fees associated with such investigation and resolution; (g) without limiting Contractor’s obligations of indemnification as further described in this Contract, indemnify,

defend, and hold harmless the State for any and all claims, including reasonable attorneys’ fees, costs, and incidental expenses, which may be suffered by, accrued against, charged to, or recoverable from the State in connection with the occurrence; (h) be responsible for recreating lost State Data in the manner and on the schedule set by the State without charge to the State; and (i) provide to the State a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. Notification to affected individuals, as described above, must comply with applicable law, be written in plain language, not be tangentially used for any solicitation purposes, and contain, at a minimum: name and contact information of Contractor’s representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. The State will have the option to review and approve any notification sent to affected individuals prior to its delivery. Notification to any other party, including but not limited to public media outlets, must be reviewed and approved by the State in writing prior to its dissemination. This Section 19.3 survives termination or expiration of this Contract. 19.4 Discovery. Contractor shall immediately notify the State upon receipt of any requests which in any way might reasonably require access to State Data or the State's use of the Hosted Services. Contractor shall notify the State Project Manager by the fastest means available and also in writing. In no event shall Contractor provide such notification more than twenty-four (24) hours after Contractor receives the request. Contractor shall not respond to subpoenas, service of process, FOIA requests, and other legal requests related to the State without first notifying the State and obtaining the State’s prior approval of Contractor’s proposed responses. Contractor agrees to provide its completed responses to the State with adequate time for State review, revision and approval. 20. Confidential Information. Each party acknowledges that it may be exposed to or acquire communication or data of the other party that is confidential in nature and is not intended to be disclosed to third parties. This Section 20 survives termination or expiration of this Contract. 20.1 Meaning of Confidential Information. The term “Confidential Information” means all information and documentation of a party that: (a) has been marked “confidential” or with words of similar meaning, at the time of disclosure by such party; (b) if disclosed orally or not marked “confidential” or with words of similar meaning, was subsequently summarized in writing by the disclosing party and marked “confidential” or with words of similar meaning; and, (c) should reasonably be recognized as confidential information of the disclosing party. The term “Confidential Information” does not include any information or documentation that was or is: (a) in the possession of the State and subject to disclosure under the Michigan Freedom of Information Act (FOIA); (b) already in the possession of the receiving party without an obligation of confidentiality; (c) developed independently by the receiving party, as demonstrated by the receiving party, without violating the disclosing party’s proprietary rights; (d) obtained from a source other than the disclosing party without an obligation of confidentiality; or, (e) publicly available when received, or thereafter became publicly available (other than through any unauthorized disclosure by, through, or on behalf of, the receiving party). Notwithstanding the above, in all cases and for all matters, State Data is deemed to be Confidential Information. 20.2 Obligation of Confidentiality. The parties agree to hold all Confidential Information in strict confidence and not to copy, reproduce, sell, transfer, or otherwise dispose of, give or disclose such Confidential Information to third parties other than employees, agents, or subcontractors of a party who have a need to know in connection with this Contract or to use such Confidential Information for any

purposes whatsoever other than the performance of this Contract. The parties agree to advise and require their respective employees, agents, and subcontractors of their obligations to keep all Confidential Information confidential. Disclosure to the Contractor’s subcontractor is permissible where: (a) the subcontractor is a Permitted Subcontractor; (b) the disclosure is necessary or otherwise naturally occurs in connection with work that is within the Permitted Subcontractor's responsibilities; and (c) Contractor obligates the Permitted Subcontractor in a written contract to maintain the State’s Confidential Information in confidence. At the State’s request, any of the Contractor’s Representatives may be required to execute a separate agreement to be bound by the provisions of this Section 20.2. 20.3 Cooperation to Prevent Disclosure of Confidential Information. Each party must use its best efforts to assist the other party in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limiting the foregoing, each party must advise the other party immediately in the event either party learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms of this Contract. Each party will cooperate with the other party in seeking injunctive or other equitable relief against any such person. 20.4 Remedies for Breach of Obligation of Confidentiality. Each party acknowledges that breach of its obligation of confidentiality may give rise to irreparable injury to the other party, which damage may be inadequately compensable in the form of monetary damages. Accordingly, a party may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies which may be available, to include, in the case of the State, at the sole election of the State, the immediate termination, without liability to the State, of this Contract or any Statement of Work corresponding to the breach or threatened breach. 20.5 Surrender of Confidential Information upon Termination. Upon termination or expiration of this Contract or a Statement of Work, in whole or in part, each party must, within five (5) Business Days from the date of termination, return to the other party any and all Confidential Information received from the other party, or created or received by a party on behalf of the other party, which are in such party’s possession, custody, or control. If Contractor or the State determine that the return of any Confidential Information is not feasible, such party must destroy the Confidential Information and certify the same in writing within five (5) Business Days from the date of termination to the other party. 21. HIPAA Compliance. The State and Contractor must comply with all obligations under HIPAA and its accompanying regulations, including but not limited to entering into a business associate agreement, if reasonably necessary to keep the State and Contractor in compliance with HIPAA. 22. ADA Compliance. The State is required to comply with the Americans with Disabilities Act of 1990 (ADA), and has adopted a formal policy regarding accessibility requirements for websites and software applications. Contractor’s Service Software must comply, where relevant, with level AA of the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG) 2.0. 23. CJIS Compliance. Contractor shall comply with all Criminal Justice Information Services (CJIS) Security Policy requirements that are communicated to the Contractor in writing, including the FBI CJIS Security Addendum attached as Schedule F. Changes required to Contractor’s performance due to a change in CJIS requirements shall be subject to Section 2.2 Change Control Process. Contractor personnel who will be subject to a Michigan State Police (MSP) performed background check pursuant to Schedule F, as determined by the State, shall complete security awareness training within six

(6) months of initial assignment and biennially thereafter. MSP shall provide Contractor with the required training materials. Documentation of completion of the training will be provided to MSP upon request. The State reserves the right to perform additional background checks on Contractor personnel as may be required to comply with the CJIS Security Policy. During the term, Contractor will maintain complete and accurate records relating to its data protection practices and the security of any of the State’s Confidential Information, including any backup, disaster recovery or other policies, practices or procedures relating to the State’s Confidential Information and any other information relevant to its compliance with this Section 23. Contractor shall make all such records, appropriate personnel, and relevant materials available in the event of an audit initiated by the State or the FBI. Contractor shall comply with all CJIS requirements for the Infrastructure Services Provider’s data center including, if necessary, entering into an FBI CJIS Security Addendum or other required agreements with its Infrastructure Services Provider on behalf of the State. Contractor will assist the State with entering into any other necessary agreements with the Infrastructure Services provider 24. Termination, Expiration, Transition. The State may terminate this Contract, the Support Services, or any Statement of Work, in accordance with the following: 24.1 Termination for Cause. In addition to any right of termination set forth elsewhere in this Contract: (a) The State may terminate this Contract for cause, in whole or in part, if Contractor, as determined by the State: (i) endangers the value, integrity, or security of State Systems, State Data, or the State’s facilities or personnel; (ii) becomes insolvent, petitions for bankruptcy court proceedings, or has an involuntary bankruptcy proceeding filed against it by any creditor; or (iii) breaches any of its material duties or obligations under this Contract. Any reference to specific breaches being material breaches within this Contract will not be construed to mean that other breaches are not material. (b) If the State terminates this Contract under this Section 24.1, the State will issue a termination notice specifying whether Contractor must: (a) cease performance immediately, or (b) continue to perform for a specified period. If it is later determined that Contractor was not in breach of this Contract, the termination will be deemed to have been a termination for convenience, effective as of the same date, and the rights and obligations of the parties will be limited to those provided in Section 24.2. (c) The State will only pay for amounts due to Contractor for Services accepted by the State on or before the date of termination, subject to the State’s right to set off any amounts owed by the Contractor for the State’s reasonable costs in terminating this Contract. Contractor must promptly reimburse to the State any Fees prepaid by the State prorated to the date of such termination, including any prepaid Support Services Fees. Further, Contractor must pay all reasonable costs incurred by the State in terminating this Contract for cause, including administrative costs, attorneys’ fees, court costs, transition costs, and any procurement costs the State incurs during procurement of the Services from other sources. 24.2 Termination for Convenience. The State may immediately terminate this Contract in whole or in part, without penalty and for any reason, including but not limited to, appropriation or budget shortfalls. The termination notice will specify whether Contractor must: (a) cease performance immediately, or (b)

continue to perform in accordance with Section 24.3. If the State terminates this Contract for convenience, the State will pay all reasonable costs, as determined by the State, for State approved Transition Responsibilities to the extent the funds are available. 24.3 Transition Responsibilities. Upon termination or expiration of this Contract for any reason, Contractor must, for a period of time specified by the State (not to exceed 90 calendar days; the “Transition Period”), provide transition assistance requested by the State, to allow for the expired or terminated portion of the Contract to continue without interruption or adverse effect, and to facilitate the orderly transfer of the Services to the State or its designees. Such transition assistance may include but is not limited to: (a) continuing to perform the Services at the established Contract rates; (b) taking all reasonable and necessary measures to transition performance of the work, including all applicable Services to the State or the State’s designee; (c) taking all necessary and appropriate steps, or such other action as the State may direct, to preserve, maintain, protect, or return to the State all State Data; and (d) preparing an accurate accounting from which the State and Contractor may reconcile all outstanding accounts (collectively, the “Transition Responsibilities”). The Term of this Contract is automatically extended through the end of the Transition Period. 24.4 Survival. This Section 24 survives termination or expiration of this Contract. 25. Stop Work Order. The State may, at any time, order the Services of Contractor fully or partially stopped for its own convenience for up to ninety (90) calendar days at no additional cost to the State. The State will provide Contractor a written notice detailing such suspension (a “Stop Work Order”). Contractor must comply with the Stop Work Order upon receipt. Within 90 days, or any longer period agreed to by Contractor, the State will either: (a) issue a notice authorizing Contractor to resume work, or (b) terminate this Contract. The State will not pay for any Services, Contractor’s lost profits, or any additional compensation during a stop work period. 26. Contractor Representations and Warranties. 26.1 Authority. Contractor represents and warrants to the State that: (a) It is duly organized, validly existing, and in good standing as a corporation or other entity as represented under this Contract under the laws and regulations of its jurisdiction of incorporation, organization, or chartering; (b) It has the full right, power, and authority to enter into this Contract, to grant the rights and licenses granted under this Contract, and to perform its contractual obligations; (c) The execution of this Contract by its Representative has been duly authorized by all necessary organizational action; and (d) When executed and delivered by Contractor, this Contract will constitute the legal, valid, and binding obligation of Contractor, enforceable against Contractor in accordance with its terms. (e) Contractor is neither currently engaged in nor will engage in the boycott of a person based in or doing business with a strategic partner as described in 22 USC 8601 to 8606. 26.2 Bid Response. Contractor represents and warrants to the State that: (a) The prices proposed by Contractor were arrived at independently, without consultation, communication, or agreement with any other Bidder for the purpose of restricting competition; the prices

quoted were not knowingly disclosed by Contractor to any other Bidder to the RFP; and no attempt was made by Contractor to induce any other Person to submit or not submit a proposal for the purpose of restricting competition; (b) All written information furnished to the State by or for Contractor in connection with this Contract, including Contractor’s Bid Response, is true, accurate, and complete, and contains no untrue statement of material fact or omits any material fact necessary to make the information not misleading; (c) Contractor is not in material default or breach of any other contract or agreement that it may have with the State or any of its departments, commissions, boards, or agencies. Contractor further represents and warrants that it has not been a party to any contract with the State or any of its departments that was terminated by the State within the previous five (5) years for the reason that Contractor failed to perform or otherwise breached an obligation of the contract; and (d) If any of the certifications, representations, or disclosures made in Contractor’s Bid Response change after contract award, the Contractor is required to report those changes immediately to the Contract Administrator. 26.3 Software Representations and Warranties. Contractor further represents and warrants to the State that: (a) it is the legal and beneficial owner of the entire right, title and interest in and to the Software, including all Intellectual Property Rights relating thereto; (b) it has, and throughout the license term, will retain the unconditional and irrevocable right, power and authority to grant and perform the license hereunder; (c) the Software, and the State's use thereof, is and throughout the license term will be free and clear of all encumbrances, liens and security interests of any kind; (d) neither its grant of the license, nor its performance under this Contract does or to its knowledge will at any time: (i) conflict with or violate any applicable Law; (ii) require the consent, approval or authorization of any governmental or regulatory authority or other third party; or (iii) require the provision of any payment or other consideration to any third party; (e) when used by the State or any Authorized User in accordance with this Contract and the Documentation, the Software or Documentation as delivered or installed by Contractor does not or will not: (i) infringe, misappropriate or otherwise violate any Intellectual Property Right or other right of any third party; or (ii) fail to comply with any applicable Law; (f) as provided by Contractor, the Software does not or will not at any time during the license term contain any:

(i) Harmful Code; or (ii) Open-Source Components or operate in such a way that it is developed or compiled with or linked to any Open-Source Components, other than Approved Open-Source Components maintained in the exhibit described in the statement of work. (g) all Documentation is and will be complete and accurate in all material respects when provided to the State such that at no time during the license term will the Software have any material undocumented feature; and (h) it will perform all Services in a timely, skillful, professional and workmanlike manner in accordance with commercially reasonable industry standards and practices for similar services, using personnel with the requisite skill, experience and qualifications, and will devote adequate resources to meet its obligations under this Contract. (i) when used in the Operating Environment (or any successor thereto) in accordance with the Documentation, all Software as provided by Contractor, will be fully operable, meet all applicable specifications, and function in all respects, in conformity with this Contract and the Documentation; and (j) no Maintenance Release or New Version, when properly installed in accordance with this Contract, will have a material adverse effect on the functionality or operability of the Software. 26.4 Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN THIS AGREEMENT, CONTRACTOR HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, WITH RESPECT TO THIS CONTRACT. 27. Indemnification 27.1 General Indemnification. Contractor must defend, indemnify and hold the State, its departments, divisions, agencies, offices, commissions, officers, and employees harmless, without limitation, from and against any and all actions, claims, losses, liabilities, damages, costs, attorney fees, and expenses (including those required to establish the right to indemnification), arising out of or relating to: (a) any breach by Contractor (or any of Contractor’s employees, agents, subcontractors, or by anyone else for whose acts any of them may be liable) of any of the promises, agreements, representations, warranties, or insurance requirements contained in this Contract; (b) any infringement, misappropriation, or other violation of any Intellectual Property Right or other right of any Third Party; and (c) any bodily injury, death, or damage to real or tangible personal property occurring wholly or in part due to action or inaction by Contractor (or any of Contractor’s employees, agents, subcontractors, or by anyone else for whose acts any of them may be liable). 27.2 Indemnification Procedure. The State will notify Contractor in writing if indemnification is sought; however, failure to do so will not relieve Contractor, except to the extent that Contractor is materially prejudiced. Contractor must, to the satisfaction of the State, demonstrate its financial ability to carry out these obligations. The State is entitled to: (i) regular updates on proceeding status; (ii) participate in the defense of the proceeding; (iii) employ its own counsel; and to (iv) retain control of the defense, at its own cost and expense, if the State deems necessary. Contractor will not, without the State’s prior written consent (not to be unreasonably withheld), settle, compromise, or consent to the entry of any judgment in or otherwise seek to terminate any claim, action, or proceeding. Any litigation activity on behalf of the State or any of its subdivisions, under this Section 27, must be coordinated with

the Department of Attorney General. An attorney designated to represent the State may not do so until approved by the Michigan Attorney General and appointed as a Special Assistant Attorney General. 27.3 Infringement Remedies. (a) The remedies set forth in this Section 27.3 are in addition to, and not in lieu of, all other remedies that may be available to the State under this Contract or otherwise, including the State’s right to be indemnified for such actions. (b) If any Software or any component thereof, other than State Materials, is found to be infringing or if any use of any Software or any component thereof is enjoined, threatened to be enjoined or otherwise the subject of an infringement claim, Contractor must, at Contractor’s sole cost and expense: (i) procure for the State the right to continue to use such Software or component thereof to the full extent contemplated by this Contract; or (ii) modify or replace the materials that infringe or are alleged to infringe (“Allegedly Infringing Materials”) to make the Software and all of its components non-infringing while providing fully equivalent features and functionality. (c) If neither of the foregoing is possible notwithstanding Contractor’s best efforts, then Contractor may direct the State to cease any use of any materials that have been enjoined or finally adjudicated as infringing, provided that Contractor will: (i) refund to the State all amounts paid by the State in respect of such Allegedly Infringing Materials and any other aspects of the Software provided under the Statement of Work for the Allegedly Infringing Materials that the State cannot reasonably use as intended under this Contract; and (ii) in any case, at its sole cost and expense, secure the right for the State to continue using the Allegedly Infringing Materials for a transition period of up to six (6) months to allow the State to replace the affected features of the Software without disruption. (d) If Contractor directs the State to cease using any Software under subsection (c), the State may terminate this Contract for cause under Section 24.1. (e) Contractor will have no liability for any claim of infringement arising solely from: (i) Contractor’s compliance with any designs, specifications, or instructions of the State; or (ii) modification of the Software by the State without the prior knowledge and approval of Contractor; unless the claim arose against the Software independently of any of the above specified actions. 28. Liquidated Damages. 28.1 The parties agree that any delay or failure by Contractor to timely perform its obligations in accordance with the Implementation Plan and Milestone Dates agreed to by the parties will interfere with

the proper and timely implementation of the Software, to the loss and damage of the State. Further, the State will incur major costs to perform the obligations that would have otherwise been performed by Contractor. The parties understand and agree that any liquidated damages Contractor must pay to the State as a result of such nonperformance are described in the Statement of Work, and that these amounts are reasonable estimates of the State’s damages in accordance with applicable Law. 28.2 The parties acknowledge and agree that Contractor could incur liquidated damages for more than one event if Contractor fails to timely perform its obligations by each Milestone Date. 28.3 The assessment of liquidated damages will not constitute a waiver or release of any other remedy the State may have under this Contract for Contractor’s breach of this Contract, including without limitation, the State’s right to terminate this Contract for cause under Section 24.1, and the State will be entitled in its discretion to recover actual damages caused by Contractor’s failure to perform its obligations under this Contract. However, the State will reduce such actual damages by the amounts of liquidated damages received for the same events causing the actual damages. 28.4 Amounts due the State as liquidated damages may be set off against any Fees payable to Contractor under this Contract, or the State may bill Contractor as a separate item and Contractor will promptly make payments on such bills. 29. Damages Disclaimers and Limitations. 29.1 The State’s Disclaimer of Damages. THE STATE WILL NOT BE LIABLE, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR BY STATUTE OR OTHERWISE, FOR ANY CLAIM RELATED TO OR ARISING UNDER THIS CONTRACT FOR CONSEQUENTIAL, INCIDENTAL, INDIRECT, OR SPECIAL DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS AND LOST BUSINESS OPPORTUNITIES. 29.2 The State’s Limitation of Liability. IN NO EVENT WILL THE STATE’S AGGREGATE LIABILITY TO CONTRACTOR UNDER THIS CONTRACT, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR BY STATUTE OR OTHERWISE, FOR ANY CLAIM RELATED TO OR ARISING UNDER THIS CONTRACT, EXCEED THE MAXIMUM AMOUNT OF FEES PAYABLE UNDER THIS CONTRACT. 30. Records Maintenance, Inspection, Examination, and Audit. 30.1 Right of Audit. The State or its designee may audit Contractor to verify compliance with this Contract. Contractor must retain, and provide to the State or its designee and the auditor general upon request, all financial and accounting records related to this Contract through the Term of this Contract and for four (4) years after the latter of termination, expiration, or final payment under this Contract or any extension (“Financial Audit Period”). If an audit, litigation, or other action involving the records is initiated before the end of the Financial Audit Period, Contractor must retain the records until all issues are resolved. 30.2 Right of Inspection. Within ten (10) calendar days of providing notice, the State and its authorized representatives or designees have the right to enter and inspect Contractor’s premises or any other places where Services are being performed, and examine, copy, and audit all records related to this Contract. Contractor must cooperate and provide reasonable assistance. If financial errors are revealed, the amount in error must be reflected as a credit or debit on subsequent invoices until the amount is paid

or refunded. Any remaining balance at the end of this Contract must be paid or refunded within forty-five (45) calendar days. 30.3 Application. This Section 30 applies to Contractor, any Affiliate, and any Permitted Subcontractor that performs Services in connection with this Contract. 31. Insurance 31.1 Required Coverage. (a) Insurance Requirements. Contractor must maintain the insurances identified below and is responsible for all deductibles. All required insurance must: (a) protect the State from claims that may arise out of, are alleged to arise out of, or result from Contractor's or a subcontractor's performance; (b) be primary and non-contributing to any comparable liability insurance (including self-insurance) carried by the State; and (c) be provided by an company with an A.M. Best rating of “A” or better and a financial size of VII or better. Insurance Type Additional Requirements Commercial General Liability Insurance Minimal Limits: $1,000,000 Each Occurrence Limit $1,000,000 Personal & Advertising Injury Limit $2,000,000 General Aggregate Limit $2,000,000 Products/Completed Operations Deductible Maximum: $50,000 Each Occurrence Contractor must have their policy endorsed to add “the State of Michigan, its departments, divisions, agencies, offices, commissions, officers, employees, and agents” as additional insureds using endorsement CG 20 10 11 85, or both CG 2010 07 04 and CG 2037 07 0. Umbrella or Excess Liability Insurance Minimal Limits: $5,000,000 General Aggregate Contractor must have their policy endorsed to add “the State of Michigan, its departments, divisions, agencies, offices, commissions, officers, employees, and agents” as additional insureds. Automobile Liability Insurance

Minimal Limits: $1,000,000 Per Occurrence Workers' Compensation Insurance Minimal Limits: Coverage according to applicable laws governing work activities. Waiver of subrogation, except where waiver is prohibited by law. Employers Liability Insurance Minimal Limits: $500,000 Each Accident $500,000 Each Employee by Disease $500,000 Aggregate Disease. Privacy and Security Liability (Cyber Liability) Insurance Minimal Limits: $1,000,000 Each Occurrence $1,000,000 Annual Aggregate Contractor must have their policy: (1) endorsed to add “the State of Michigan, its departments, divisions, agencies, offices, commissions, officers, employees, and agents” as additional insureds; and (2) cover information security and privacy liability, privacy notification costs, regulatory defense and penalties, and website media content liability. (b) If Contractor's policy contains limits higher than the minimum limits, the State is entitled to coverage to the extent of the higher limits. The minimum limits are not intended, and may not be construed to limit any liability or indemnity of Contractor to any indemnified party or other persons. (c) If any of the required policies provide claim-made coverage, the Contractor must: (a) provide coverage with a retroactive date before the effective date of the contract or the beginning of contract work; (b) maintain coverage and provide evidence of coverage for at least three (3) years after completion of the contract of work; and (c) if coverage is canceled or not renewed, and not replaced with another claims-made policy form with a retroactive date prior to the contract effective date, Contractor must purchase extended reporting coverage for a minimum of three (3) years after completion of work.

(d) Contractor must: (a) provide insurance certificates to the Contract Administrator, containing the agreement or purchase order number, at Contract formation and within 20 calendar days of the expiration date of the applicable policies; (b) require that subcontractors maintain the required insurances contained in this Section; (c) notify the Contract Administrator within 5 business days if any insurance is cancelled; and (d) waive all rights against the State for damages covered by insurance. Failure to maintain the required insurance does not limit this waiver. 31.2 Non-waiver. This Section 31 is not intended to and is not be construed in any manner as waiving, restricting or limiting the liability of either party for any obligations under this Contract (including any provisions hereof requiring Contractor to indemnify, defend and hold harmless the State). 32. Dispute Resolution. 32.1 Unless otherwise specified in the Statement of Work, the parties will endeavor to resolve any Contract dispute in accordance with Section 32 (the “Dispute Resolution Procedure”). The initiating party will reduce its description of the dispute to writing (including all supporting documentation) and deliver it to the responding party’s Project Manager. The responding party’s Project Manager must respond in writing within five (5) Business Days. The initiating party has five (5) Business Days to review the response. If after such review resolution cannot be reached, both parties will have an additional five (5) Business Days to negotiate in good faith to resolve the dispute. If the dispute cannot be resolved within a total of fifteen (15) Business Days, the parties must submit the dispute to the parties’ Contract Administrators. The parties will continue performing while a dispute is being resolved, unless the dispute precludes performance. A dispute involving payment does not preclude performance. 32.2 Litigation to resolve the dispute will not be instituted until after the dispute has been elevated to the parties’ Contract Administrators, and either Contract Administrator concludes that resolution is unlikely, or fails to respond within fifteen (15) Business Days. The parties are not prohibited from instituting formal proceedings: (a) to avoid the expiration of statute of limitations period; (b) to preserve a superior position with respect to creditors; or (c) where a party makes a determination that a temporary restraining order or other injunctive relief is the only adequate remedy. This Section 32 does not limit the State’s right to terminate this Contract. 33. General Provisions 33.1 Force Majeure. (a) Force Majeure Events. Subject to Subsection (b) below, neither party will be liable or responsible to the other party, or be deemed to have defaulted under or breached this Contract, for any failure or delay in fulfilling or performing any term hereof, when and to the extent such failure or delay is caused by: acts of God, flood, fire or explosion, war, terrorism, invasion, riot or other civil unrest, embargoes or blockades in effect on or after the date of this Contract, national or regional emergency, or any passage of law or governmental order, rule, regulation or direction, or any action taken by a governmental or public authority, including imposing an embargo, export or import restriction, quota or other restriction or prohibition (each of the foregoing, a “Force Majeure”), in each case provided that: (a) such event is outside the reasonable control of the affected party; (b) the affected party gives prompt written notice to the other party, stating the period of time the occurrence is expected to continue; (c) the affected party uses diligent efforts to end the failure or delay and minimize the effects of such Force Majeure Event.

(b) State Performance : Termination. In the event of a Force Majeure Event affecting Contractor's performance under this Contract, the State may suspe nd its performance hereunder until such time as Contrac tor resumes performance. The State may terminate this Contract by written notice to Contractor if a Force Majeure Event affecting Contracto r's performance hereunder continues substan tially uninterrupted for a period of five (5) Business Days or more. Unless the State terminates this Contract pursuant to the preced ing sentence, any date specifically designated for Contractor's performance under this Contract will automat ically be extended for a period up to the duration of the Force Majeure Event. 33.2 Further Assurances . Each party will, upon the reasonable request of the other party , execute such documen ts and perform such acts as may be necessary to give full effect to the terms of this Contract. 33.3 Relationship of the Parties. The relationship between the parties is that of independe nt contracto rs. Nothing conta ined in this Contract is to be constr ued as creating any agency, partnership, joint ventu re or other form of joint enterprise, employment or fiduciary relationship between the parties, and neither party has authority to contract for or bind the other party in any manner whatsoever. 33.4 Media Releases. News releases (including promot ional literature and commercia l advertisemen ts) pertaining to this Contract or project to which it relates must not be made without the prior written approval of the State, and then only in accorda nce with the explicit written instructions of the State. 33.5 Notices. All notices, requests, consents, claims, demands , waivers and other comm unications under this Contract must be in writing and addressed to the parties as follows (or as otherwise spec ified by a party in a notice given in accorda nce with this Section 33.5): If to Contracto r: Kaseware, Inc. If to State: Notices sent in accordance with this Section 33.5 will be deemed effectively given: (a) when received , if delivered by hand (with written confirmation of receipt); (b) when received, if sent by a nationally recogn ized overn ight courier (receipt requested ); (c) on the date sent by e-mail (with confirmation of transm ission), if sent during normal business hours of the recipient, and on the next Business Day, if sent after normal business hours of the recipient; or (d) on the fifth (5 h) day after the date mailed, by certified or registered mail, return receipt requested, postage prepaid. 33.6 Headings. The headings in this Contract are for reference only and do not affect the interpretat ion of this Contract. 33.7 Assignment. Contracto r may not assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligat ions or performance, under this Contract, in each case whether voluntarily, invo luntarily, by operation of law or otherwise, without the State's prior written conse nt. The

State has the right to terminate this Contract in its entirety or any Services or Statements of Work hereunder, pursuant to Section 24.1, if Contractor delegates or otherwise transfers any of its obligations or performance hereunder, whether voluntarily, involuntarily, by operation of law or otherwise, and no such delegation or other transfer will relieve Contractor of any of such obligations or performance. For purposes of the preceding sentence, and without limiting its generality, any merger, consolidation or reorganization involving Contractor (regardless of whether Contractor is a surviving or disappearing entity) will be deemed to be a transfer of rights, obligations, or performance under this Contract for which the State’s prior written consent is required. Any purported assignment, delegation, or transfer in violation of this Section 33.7 is void. 33.8 No Third-party Beneficiaries. This Contract is for the sole benefit of the parties and their respective successors and permitted assigns. Nothing herein, express or implied, is intended to or will confer on any other person or entity any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Contract. 33.9 Amendment and Modification; Waiver. No amendment to or modification of this Contract is effective unless it is in writing, identified as an amendment to this Contract and signed by both parties Contract Administrator. Further, certain amendments to this Contract may require State Administrative Board Approval. No waiver by any party of any of the provisions of this Contract will be effective unless explicitly set forth in writing and signed by the party so waiving. Except as otherwise set forth in this Contract, no failure to exercise, or delay in exercising, any right, remedy, power, or privilege arising from this Contract will operate or be construed as a waiver. Nor will any single or partial exercise of any right, remedy, power or privilege under this Contract preclude the exercise of any other right, remedy, power or privilege. 33.10 Severability. If any term or provision of this Contract is invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability will not affect any other term or provision of this Contract or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal or unenforceable, the parties hereto will negotiate in good faith to modify this Contract so as to effect the original intent of the parties as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible. 33.11 Governing Law. This Contract is governed, construed, and enforced in accordance with Michigan law, excluding choice-of-law principles, and all claims relating to or arising out of this Contract are governed by Michigan law, excluding choice-of-law principles. Any dispute arising from this Contract must be resolved in the Michigan Court of Claims. Complaints against the State must be initiated in Ingham County, Michigan. Contractor waives any objections, such as lack of personal jurisdiction or forum non conveniens. Contractor must appoint agents in Michigan to receive service of process. 33.12 Equitable Relief. Each party to this Contract acknowledges and agrees that (a) a breach or threatened breach by such party of any of its obligations under this Contract may give rise to irreparable harm to the other party for which monetary damages would not be an adequate remedy and (b) in the event of a breach or a threatened breach by such party of any such obligations, the other party hereto is, in addition to any and all other rights and remedies that may be available to such party at law, at equity or otherwise in respect of such breach, entitled to equitable relief, including a temporary restraining order, an injunction, specific performance and any other relief that may be available from a court of competent jurisdiction, without any requirement to post a bond or other security, and without any requirement to prove actual damages or that monetary damages will not afford an adequate remedy.

Each party to this Contract agrees that such party will not oppose or otherwise challenge the appropriateness of equitable relief or the entry by a court of competent jurisdiction of an order granting equitable relief, in either case, consistent with the terms of this Section 33.12. 33.13 Nondiscrimination. Under the Elliott-Larsen Civil Rights Act, 1976 PA 453, MCL 37.2101, et seq., and the Persons with Disabilities Civil Rights Act, 1976 PA 220, MCL 37.1101, et seq., Contractor and its Permitted Subcontractors agree not to discriminate against an employee or applicant for employment with respect to hire, tenure, terms, conditions, or privileges of employment, or a matter directly or indirectly related to employment, because of race, color, religion, national origin, age, sex, height, weight, marital status, or mental or physical disability. Breach of this covenant is a material breach of this Contract. 33.14 Unfair Labor Practice. Under MCL 423.324, the State may void any Contract with a Contractor or Permitted Subcontractor who appears on the Unfair Labor Practice register compiled under MCL 423.322. 33.15 Administrative Fee and Reporting. Contractor must pay an administrative fee of 1% on all payments made to Contractor on any future uses of this Contract including transactions with the State (including its departments, divisions, agencies, offices, and commissions), MiDEAL members, and other states (including governmental subdivisions and authorized entities). Administrative fees are not due for transactions covered by the initial Statement of Work. Administrative fee payments must be made online by check or credit card: State of MI Admin Fees: https://www.thepayplace.com/mi/dtmb/adminfee State of Mi MiDEAL Fees: https://www.thepayplace.com/mi/dtmb/midealfee Contractor must submit an itemized purchasing activity report, which includes at a minimum, the name of the purchasing entity and the total dollar volume in sales. Reports should be mailed to The administrative fee and purchasing activity report are due within 30 calendar days from the last day of each calendar quarter. 33.16 Extended Purchasing Program. This contract is extended to MiDEAL members. MiDEAL members include local units of government, school districts, universities, community colleges, and nonprofit hospitals. A current list of MiDEAL members is available at www.michigan.gov/mideal. Upon written agreement between the State and Contractor, this contract may also be extended to: (a) other states (including governmental subdivisions and authorized entities) and (b) State of Michigan employees. If extended, Contractor must supply all Contract Activities at the established Contract prices and terms. The State reserves the right to impose an administrative fee and negotiate additional discounts based on any increased volume generated by such extensions. Contractor must submit invoices to, and receive payment from, extended purchasing program members on a direct and individual basis.

33.17 Schedules All Schedules that are referenced herein and attached hereto are hereby incorporated by reference. Schedule A Statement of Work Schedule B Pricing Schedule C Service Level Agreement Schedule D Data Security Requirements Schedule E Disaster Recovery Plan Schedule F Federal Bureau of Investigation Criminal Justice Information Services Security Addendum Schedule G Kaseware SaaS Security Controls Schedule H Data Retention Policy Schedule I Federal Provisions Addendum 33.18 Counterparts. This Contract may be executed in counterparts, each of which will be deemed an original, but all of which together are deemed to be one and the same agreement and will become effective and binding upon the parties as of the Effective Date at such time as all the signatories hereto have signed a counterpart of this Contract. A signed copy of this Contract delivered by facsimile, e-mail or other means of electronic transmission (to which a signed copy is attached) is deemed to have the same legal effect as delivery of an original signed copy of this Contract. 33.19 Effect of Contractor Bankruptcy. All rights and licenses granted by Contractor under this Contract are and will be deemed to be rights and licenses to “intellectual property,” and all Software and Deliverables are and will be deemed to be “embodiments” of “intellectual property,” for purposes of, and as such terms are used in and interpreted under, Section 365(n) of the United States Bankruptcy Code (the “Code”). If Contractor or its estate becomes subject to any bankruptcy or similar proceeding, the State retains and has the right to fully exercise all rights, licenses, elections, and protections under this Contract, the Code and all other applicable bankruptcy, insolvency, and similar Laws with respect to all Software and other Deliverables. Without limiting the generality of the foregoing, Contractor acknowledges and agrees that, if Contractor or its estate shall become subject to any bankruptcy or similar proceeding: (a) all rights and licenses granted to the State under this Contract will continue subject to the terms and conditions of this Contract, and will not be affected, even by Contractor’s rejection of this Contract; and (b) the State will be entitled to a complete duplicate of (or complete access to, as appropriate) all such intellectual property and embodiments of intellectual property comprising or relating to any Software or other Deliverables, and the same, if not already in the State’s possession, will be promptly delivered to the State, unless Contractor elects to and does in fact continue to perform all of its obligations under this Contract. 33.20 Compliance with Laws. Contractor and its Representatives must comply with all Laws in connection with this Contract. 33.21 Non-Exclusivity. Nothing contained in this Contract is intended nor is to be construed as creating any requirements contract with Contractor. This Contract does not restrict the State or its agencies from acquiring similar, equal, or like Services from other sources.

33.22 Entire Agreement. This Contract, together with all Schedules, Exhibits, and the Statement of Work constitutes the sole and entire agreement of the parties to this Contract with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings and agreements, representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Contract, the Schedules, Exhibits, and the Statement of Work, the following order of precedence governs: (a) first, this Contract, excluding its Exhibits and Schedules, and the Statement of Work; and (b) second, the Statement of Work as of the Effective Date; and (c) third, the Exhibits and Schedules to this Contract as of the Effective Date. NO TERMS ON CONTRACTORS INVOICES, WEBSITE, BROWSE-WRAP, SHRINK-WRAP, CLICK-WRAP, CLICK-THROUGH OR OTHER NON-NEGOTIATED TERMS AND CONDITIONS PROVIDED WITH ANY OF THE SERVICES, OR DOCUMENTATION HEREUNDER WILL CONSTITUTE A PART OR AMENDMENT OF THIS CONTRACT OR IS BINDING ON THE STATE OR ANY AUTHORIZED USER FOR ANY PURPOSE. ALL SUCH OTHER TERMS AND CONDITIONS HAVE NO FORCE AND EFFECT AND ARE DEEMED REJECTED BY THE STATE AND THE AUTHORIZED USER, EVEN IF ACCESS TO OR USE OF SUCH SERVICE OR DOCUMENTATION REQUIRES AFFIRMATIVE ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

SCHEDULE A STATEMENT OF WORK 1. BACKGROUND Michigan State Police employs Law Enforcement Professionals and Intelligence Analysts at various locations around the state. It is imperative that a system be available to collaborate regarding potential overlaps in investigations, suspects, and crime trends. Failure to do so could result in a catastrophic intelligence failure resulting in the loss of life. The system that is currently in place meets some of those needs, however, it falls short in many requirements as well. Additionally, the contract with the current vendor is nearing expiration. A system of this nature is necessary for Michigan State Police (MSP) Intelligence Analysts to successfully complete their work on a daily basis. 2. PURPOSE Contractor shall provide an enterprise software system to the State that will be available to MSP law enforcement professionals and intelligence analysts employed at various locations around the state to collaborate regarding potential overlaps in investigations, suspects, and crime trends. The Solution shall be hosted externally. Contractor shall provide implementation services, including configuration, data migration, testing and training, needed to meet the Solution requirements. The State reserves the right to purchase any additional services or products from the Contractor during the duration of the Contract that are reasonably related to the criminal intelligence system and services described herein. 3. SPECIFIC STANDARDS IT Policies, Standards and Procedures (PSP) All services and products provided as a result of this RFP must comply with all applicable Public and Controlled State IT policies and standards. Public PSP’s are found at: https://www.michigan.gov/dtmb/0,5552,7-358-82547 56579 56755---,00.html. The State will provide applicable Controlled PSP's to Contractor after signing and returning to the State the required Nondisclosure Agreement (NDA) agreement. Secure Web Application Standard Contractor’s solution must meet the State’s Secure Application Development Standards as mandated by the State. Secure Application Development Life Cycle (SADLC) Contractor is required to meet the States Secure Application Development Life Cycle requirements that include: Security Accreditation Contractor is required to complete the State Security Accreditation process for the solution. Application Scanning – Externally Hosted Solution Contractor is required to grant the right to the State to scan either the application code or a deployed version of the solution; or in lieu of the State performing a scan, Contractor will provide the State a vulnerabilities assessment after Contractor has used a State approved application scanning tool. These scans must be completed and provided to the State on a regular basis or at least for each major release. Contractor, at its sole expense, must provide resources to complete the scanning and to complete the analysis, remediation and validation of vulnerabilities identified by the scan as required by the State Secure Web Application Standards. Types of scanning and remediation may include the following types of scans and activities: • Dynamic Scanning for vulnerabilities, analysis, remediation and validation

• Static Scanning for vulnerabilities, analysis, remediation and validation • Third Party and/or Open Source Scanning for vulnerabilities, analysis, remediation and validation Infrastructure Scanning – Externally Hosted Solution A Contractor providing Hosted Services must scan the infrastructure at least once every 30 days and provide the scan’s assessment to the State in a format that can be uploaded by the State and used to track the remediation. Acceptable Use Policy To the extent that Contractor has access to the State’s computer system, Contractor must comply with the State’s Acceptable Use Policy, see https://www.michigan.gov/documents/dtmb/1340.00.01 Acceptable Use of Information Technology St andard 458958 7.pdf. All Contractor Personnel will be required, in writing, to agree to the State’s Acceptable Use Policy before accessing the State’s system. The State reserves the right to terminate Contractor’s access to the State’s system if a violation occurs. Look and Feel Standard All software items provided by the Contractor must adhere to the State of Michigan Application/Site standards which can be found at www.michigan.gov/standards. Mobile Responsiveness The Bidder’s Solution must utilize responsive design practices to ensure the application is accessible via a mobile device. Bidders must provide a list of all mobile devices that are compatible with the Solution. Additionally, Bidder must provide list of features that can be performed via a mobile device. ADA Compliance The State is required to comply with the Americans with Disabilities Act of 1990 (ADA), and has adopted a formal policy regarding accessibility requirements for websites and software applications. The State is requiring that Bidder’s proposed Solution, where relevant, to level AA of the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG) 2.0. Bidder may consider, where relevant, the W3C’s Guidance on Applying WCAG 2.0 to Non-Web Information and Communications Technologies (WCAG2ICT) for non-web software and content. The State may require that Bidder complete a Voluntary Product Accessibility Template for WCAG 2.0 (WCAG 2.0 VPAT) or other comparable document for the proposed Solution. http://www.michigan.gov/documents/dmb/1650.00 209567 7.pdf?20151026134621 4. USER TYPE AND CAPACITY The Solution must be able to meet the expected number of concurrent Users shown below. The Solution must be able to scale up or down without affecting performance. Type of User Access Type Number of Users Number of Concurrent Users State Employees & Other Approved Users Role Based 300 initial users. Potentially up to 3000 over time. 300 initial concurrent users. Potentially up to 1000 over time. 5. ACCESS CONTROL AND AUDIT The Solution must support State standard federated single sign on for end user access. The Solution must support multi-factor authentication for privileged/administrative access. The Solution must support Identity Federation/Single Sign-on (SSO) capabilities using SAML or comparable mechanisms. The Solution must already have this configured and running. The solution must provide web-based management capability to manage users and data. Audit Log Data must be captured and accessed within specified User Groups. The Audit logs must be in a human readable format. The Solution must meet the above requirements as detailed in Schedule G Kaseware SaaS Security Controls.

6. DATA RETENTION The Solution must meet the data retention requirements detailed in the attached Schedule H Data Retention Policy. 7. SECURITY Externally Hosted The Solution will be storing sensitive data. Contractor must comply with the Data Security Requirements attached as Schedule D to the Terms and Conditions. Contractor must comply with the following: • Must sign the FBI Criminal Justice Information Services (CJIS) Security Addendum and maintain compliance with such document. • Must provide a GovCloud Solution that is hosted in a FedRAMP certified facility. • Must be encrypted in transit and at rest using AES 256 bit or higher encryption modules. • Must be encrypted in transit and at rest using currently certified encryption modules in accordance with FIPS PUB 140-2 (as amended), Security Requirements for Cryptographic Modules. • Must have multi-factor authentication, requiring a hard token. • Must remain compliant with FISMA and the NIST Special Publication 800.53 (most recent version) HIGH controls using minimum control values as established in the applicable PSP. 8. END USER OPERATING ENVIRONMENT The SOM environment is X86 VMware, IBM Power VM and Oracle VM, with supporting enterprise storage monitoring and management. Development teams must accommodate the latest browser versions approved by the State of Michigan (including mobile browsers). Contractor must support the current and future State standard environment at no additional cost to the State. 9. SOFTWARE Contractor shall implement, support and maintain the Solution, consisting of the following software: Software Comments Kaseware Software as a Service Kaseware Platform with Enterprise Support Licenses (most current version, at this time that is version 3.8) and all following versions during the length of the contract. Enterprise licenses include up to 48 hours of onsite support a month during the length of the contract, as well as administrative and security compliance reporting requirements as defined by the contract. Each Kaseware license includes 10 GB of pooled storage for the cloud environment. Pooled storage means that the storage can be utilized by any users in the environment, but that the total storage will not exceed 10GB multiplied by the number of users. SocialNet A product bought through Kaseware but it is developed and owned by Shadowdragon.

Software Comments OI Monitor A product bought through Kaseware but it is developed and owned by Shadowdragon. 10. SOLUTION REQUIREMENTS The Solution shall meet the specifications detailed in Exhibit A-1 – Business Specifications in the manner described therein. 11. INTEGRATION At the State’s option and at no additional cost beyond that detailed in the Pricing Schedule, Contractor must interface the Solution with MSP’s Records Management System (RMS) so that data from the RMS is accessible to users in Kaseware. 12. MIGRATION Contractor must migrate all data from the State’s existing intelligence system and confidential informant database into the Solution. 13. TESTING SERVICES AND ACCEPTANCE Contractor shall perform testing services in compliance with Section 11. Pre-Delivery Testing and Section 12. Acceptance Testing, of the Contract Terms. 14. TRAINING SERVICES Contractor shall train MSP analysts how to use the system. Contractor must provide initial onsite training to the core Solution users (approximately 300 people) and will provide continued onsite training from the onsite resource as part of the Enterprise Tier of licenses. The amount of continued training is at the discretion of MSP. 15. HOSTING The Solution shall be hosted externally in a multi-tenant cloud environment hosted on the Azure Government Cloud. 16. DOCUMENTATION Contractor must provide all user manuals, operating manuals, technical manuals and any other instructions, specifications, documents or materials, in any form or media, that describe the functionality, installation, testing, operation, use, maintenance, support, technical or other components, features or requirements of the Software. Contractor must develop and submit for State approval complete, accurate, and timely Solution documentation to support all users and must update any discrepancies or errors throughout the life of the contract. Contractor’s user documentation must provide detailed information about all software features and functionality, enabling the State to resolve common questions and issues prior to initiating formal support requests. 17. TRANSITION SERVICES

Upon termination or expiration of the agreement, Contracto r must, for a period of time specified by the State (not to exceed 90 calendar days ), provide all reasona ble transition assistance requested by the State, to allow for the expired or term inated portion of the agreement to continue without interrupt ion or adverse effect, and to faci litate the orderly transfer of the services to the State or its designees . Such transition assistance may include but is not limited to: (a) continuing to perform the services at the established rates; (b) taking all reasonab le and necessary measures to trans ition performance of the work, including all applicable services to the State or the State's designee; (c) taking all necessary and appropriate steps , or such other action as the State may direc t, to preserve, maintain, protect, or return (in a format specified by the State) to the State all data stored in the solution; and (d) preparing an accurate accounting from which the State and Contractor may reconcile all outstanding accounts . Contractor must provide a detailed transition-in and transition-out plan, including any roles or responsibilities expected of the State. The plan must adequate ly demonstrate the steps to migrate between Contractor's Solution and third-party Solutions. 18. CONTRACTOR KEY PERSONNEL Contractor designates the following persons as Key Personnel: Contractor Contract Adminis trator. Role defined in Contract Terms . Contractor Name: Mark Dodqe Addres s: Phone: Email: Contractor Project Manager. Role defined in Contract Terms. Contractor Name: Korinne Condie Address: Phone: Email: Contractor Service Manager. Primary contact with respect to the Services, who will have the authority to act on behalf of Contractor in matters pertaining to the receipt and process ing of Support Requests and the Support Serv ices. Contractor Name: Korinne Condie Address: 4 Phone: Email Contractor Security Officer. Primary contact to respond to State inquiries regarding the security of the Contractor's systems . This person must have sufficient knowledge of the security of the Contracto r Systems and the authority to act on behalf of Contractor in matters pertaining thereto. Contractor Name: Nathan Burrows Address: Phone: Email:

19. CONTRACTOR PERSONNEL REQUIREMENTS Contractor must present certifications evidencing satisfactory Michigan State Police Background checks ICHAT and drug tests for all staff identified for assignment to this project. Proposed Contractor personnel will be required to complete and submit an RI-8 Fingerprint Card for the National Crime Information Center (NCIC) Finger Prints, if required by project. Contractor will pay for all costs associated with ensuring their staff meets all requirements. 20. STATE RESOURCES/RESPONSIBILITIES The State will provide the following resources as part of the implementation and ongoing support of the Solution. State Contract Administrator. The State Contract Administrator is the individual appointed by the State to (a) administer the terms of this Contract, and (b) approve and execute any Change Notices under this Contract. State Project Manager. The State Project Manager will serve as the primary contact with regard to implementation Services who will have the authority to act on behalf of the State in approving Deliverables, and day to day activities. Agency Business Owner. The Agency Business Owner will serve as the primary contact for the business area with regard to business advisement who will have the authority to act on behalf of the State in matters pertaining to the business Specifications. State Technical Lead. The State Technical Lead will serve as the primary contact with regard to implementation technical advisement. 21. MEETINGS Contractor must attend the following meetings at no additional cost to the State. At start of the engagement, the Contractor Project Manager must facilitate a project kick off meeting with the support from the State’s Project Manager and the identified State resources to review the approach to accomplishing the project, schedule tasks and identify related timing, and identify any risks or issues related to the planned approach. From project kick-off until final acceptance and go-live, Contractor Project Manager must facilitate weekly meetings (or more if determined necessary by the parties) to provide updates on implementation progress. Following go-live, Contractor must facilitate monthly meetings (or more or less if determined necessary by the parties) to ensure ongoing support success. 22. PROJECT REPORTS Once the Project Kick-Off meeting has occurred, the Contractor Project Manager will monitor project implementation progress and report on a weekly basis to the State’s Project Manager the following: • Progress to complete milestones, comparing forecasted completion dates to planned and actual completion dates • Accomplishments during the reporting period • Tasks planned for the next reporting period • Identify any existing issues which are impacting the project and the steps being taken to address those issues • Identify any new risks and describe progress in mitigating high impact/high probability risks previously identified 23. MILESTONES AND DELIVERABLES

Contractor shall deliver implementation services as detailed below: Milestone Event Associated Milestone Deliverable(s) Schedule Project Planning Project Kickoff Contract Execution Requirements and Design Validation Validation sessions, Final Requirement Validation Document, Final Design Document, Final Implementation Document, Execution + 90 days Test Plan Development Through coordination with MSP and DTMB, begin developing a Testing Plan for the new system to be finalized after acceptance of final solution by MSP. Execution + 90 days Provision Environments Validate Test and Production environments (Kaseware will be installed in a generic state on the Azure government cloud) Execution + 90 days Installation and Configuration of Software System is configured per the Final Design and Implementation Document, Configuration has been signed off and the Final Solution and Testing Plan Document has been provided. Execution + 120 days Data Migration Plan Final Data Migration Plan and Data Mapping & Analysis Complete Execution + 120 days System Integration System Integration, per the Final Design and Implementation Document, has been completed Execution + 240 days Testing and Acceptance Final Test Results Report, Final Acceptance Execution + 270 days Training Final Training Documentation, training completed. Execution + 120 – 260 days ShadowDragon Training Two days of training provided by the ShadowDragon team on SocialNet and OI Monitor Execution + 120 – 260 days Go-Live Production Data Migration Data Migration completed per the Data Migration Plan Production + 30 days Post Production Warranty Maintenance and Support (free of charge) Production + 90 days Production Support Services Ongoing after Final Acceptance. Ongoing The Contractor Project Manager will be responsible for maintaining an MS Project schedule (or approved alternative) identifying tasks, durations, forecasted dates and resources – both Contractor and State - required to meet the timeframes as agreed to by both parties. Changes to scope, schedule or cost must be addressed through a formal change request process with the State and the Contractor to ensure understanding, agreement and approval of authorized parties to the change and clearly identify the impact to the overall project. SUITE Documentation

In managing its obligation to meet the above milestones and deliverables, Contractor must utilize the applicable State Unified Information Technology Environment (SUITE) methodologies.

EXHIBIT A-1 – Business Specifications The Business Specifications columns are defined as follows: Column A: Business Specification number. Column B: Business Specification description. Column C: Indicates how contractor will comply with the Business Specification: 1) Current Capability – This capability is available in the system with no additional configuration or cost. 2) Requires Configuration – This capability will be met through Contractor-supported changes to existing settings and application options as part of the initial implementation at no additional cost (e.g., setting naming conventions, creating user-defined fields). 3) Modification to Software Required – The requirement will be met through Contractor modifying the underlying source code, which can be completed as part of the initial implementation. 4) Future Enhancement – This capability is a planned enhancement to the base software and will be available within the next 12 months at no additional cost. 5) Not Available – This capability is not currently available, and a future enhancement is not planned. NOTE: Configuration is referred to as a modification to the system that must be completed by the Contractor prior to Go-Live but allows an IT or non-IT end user to maintain or modify thereafter (i.e. no source code or structural data model changes occurring). Further, any configuration changes must be forward-compatible with future releases and be fully supported by the Contractor without additional costs. Column D: Contractor’s disclosure of how it will meet the requirements.

A B C D Business Specification Number Business Specification Current Capability Requires Configura tion Required Customizatio n Future Enhancemen t Not Available Bidder to explain how they will deliver the business Specification. Explain the details of any configuration and the impacted risk that may be caused if configured to meet the business specification. MANDATORY MINIMUM 1 The system must be in compliance with 28 CFR Part 23 X Kaseware’s cloud environment can be configured to meet agency access controls, audit, and security requirements. Supporting security report is attached as Schedule G Kaseware SaaS Security Controls. 2 All actions in the system must be date and time stamped, and every action tied to a user for auditing purposes. X Audit logs are created for actions performed by authenticated users and an audit log view allows filtering to determine actions, including timelines. 3 The system must be able to compartmentalize/segregate information and/or data based on laws and policies governing each application. X Information housed in Kaseware databases may be segregated to comply with necessary laws and policies governing criminal intelligence data 4 Solution must be web-based and be browser agnostic X Kaseware is a web-based, cloud software as a service. Kaseware is compatible with modern and currently vendor-supported web browsers. 5 System must function in concert with Michigan State Police’s single sign-on application portal X Kaseware supports SAML 2.0 and can be integrated for federated single-sign on. REQUIRED GENERAL REQUIREMENTS SPECS 1.0 The system must enable managers to track work progress and analyze work. X Managers/supervisors can track and manage his/her organizational unit and the units below in the organizational hierarchy. Managers can view and visualize the work performed by team members in customizable dashboards. 2.0 The system must have query and reporting capabilities X Advanced query/search and reporting are available for criminal intelligence data via both a quick keyword-ranked search and robust advanced search. Reporting can be accomplished via advanced graphing within Kaseware and via export to csv. Queries and reporting are also available for user and workflow data via access to a wide variety of configurable dashboard parts that can display graphs, maps, data tables, and other visualizations that descr be system data

associated with org units and their associated user members. 3.0 The system must be able to connect to MSP’s Record Management system with little or no customization Section 10) X Kaseware has integration capabilities for databases, APIs, and data migrations. Details on required customization and connections will be determined when details of the record management system are revealed for requirements gathering purposes. 4.0 The system must have export templates that are user-configurable and should allow easy export of data for sharing outside of the agency. X Graphs, analyses, searches, reports, attachments, cases, and investigations can be exported in multiple formats as appropriate (pdf, csv, or original attachment format). This includes selection of specific data fields and details. 5.0 Attachments must be maintained in their original file format, with original file name, and be extracted from the system as originally attached. X Kaseware keeps all attachments in the original format and makes it available to users as such. Kaseware also converts attachments to pdf in order to facilitate viewing within the browser (without download) and to provide better search options for some attachments. 6.0 Attachments must be fully searchable across the system. Users should have the option to make attachments searchable by name only or also by content. X Attachments, including name, content and metadata, are searchable throughout the system. This applies to text-based attachments, pdf attachments, and images. Kaseware uses OCR (optical character recognition) to convert pdf to text and make even pdf files searchable. 7.0 The system must be capable of generating immediate customizable messages and system notifications to be sent out via text, email and other communication media. X Kaseware provides an alert capability for situations in which groups of users need to be alerted to urgent circumstances immediately. Kaseware provides these alerts as well as other immediate notifications to users via email, in-app pop-up windows, and mobile application notifications. Kaseware also includes a built-in secure communication system that supports both instant messaging and video calling. 8.0 The System must be mobile-device compatible X Kaseware has a mobile application for both Android and iOS. Kaseware is also browser￾based and designed for use on mobile devices via mobile browsers including Chrome and Safari. 9.0 Approved users (by name or role) should be able to customize system data fields X System values in Kaseware including lookup values, labels, languages, and more are managed by those with the organization manager role and can be updated/modified in the Organization Management view. Data field values can be maintained and updated by users with the appropriate assigned role. 10.0 The System must allow users to print directly from the screen X Reports, graphs, tables, and attachments can all be printed in a variety of ways, directly from

the Kaseware web browser. The ideal way to print, however, is to use Kaseware’s built-in ability to create and print a pdf that represents the item as it will be formatting the best and for printing. Additionally, the records management screen offer a quick-link print button for common reports. The browser print button also provides the ability to print the screen directly from the web browser. 11.0 The System must allow for operational configuration changes to be made by agency staff without affecting system performance X Operational configuration changes can be made via the organization management view by users with appropriate roles/permissions without affecting system performance. This includes configuration changes like pick lists, languages, options, workflow assignees, and the like. 12.0 The System must allow for role-based task management/assignments to be made within the system. X Kaseware allows for role-based task management and assignment of requests based on roles. 13.0 The system must allow for automated query, deconfliction, and case matching. X Kaseware automatically matches details upon creation of new entities or other records in order to identify potential matching existing records. Existing records that would result in duplicates are highlighted and prevented. 14.0 The System must allow for manual entry, query, deconfliction and case matching. X Kaseware provides the means to manually match and deduplicate records as new records are entered and after the fact via a Potential Duplicates report and mitigation workflow. 15.0 The System must allow real time queries and reports and other concurrent operational functionality without affecting system performance. X Kaseware allows multiple queries and reports, along with all other capabilities, to run concurrently across multiple users without adversely affecting system performance. 16.0 The System must be capable of generating report data in a variety of formats, including but not limited to table, graph, database and spreadsheet formats. X Report data can be generated and exported in multiple formats including tables, graphs, and pdfs. All formats capable of being utilized in various external programs including databases, spreadsheets, and documents. 17.0 The System must contain functionality to download reports into a variety of formats including but not limited to Microsoft Office (i.e. Excel, Access, PDF, DBF, Text files, xml, videos etc.) X Kaseware reports and graphs can be downloaded in multiple formats, including csv files that can be opened in Excel, imported into Access, or opened as text. Kaseware reports can also be downloaded as pdf files. Additional file formats could be configured if necessary. 18.0 Users must be able to send and receive emails within the system X Email notifications are sent to users for relevant updates. Users can send emails directly from the system with select information from the system. Instant messaging is available (both to send and receive) via the chat function and the history of these chats is maintained within Kaseware.

19.0 The System must be able to auto populate previously entered data within the system as defined by the user X Organization managers (user’s with the appropriate role) can create and update common locations, predefined lists, and default values for data fields within Kaseware, enabling auto-population of these fields. Further, when existing entities are suggested and used, all relevant details for those entities are auto￾populated within the record. 20.0 The System must provide functionality to handle duplicate records. X Records managers in Kaseware have the ability to edit entities after they have been finalized, and to merge entities that need to be manually deduplicated. 21.0 The system must be able to interface with multiple external source systems, to include public-facing webforms, mobile applications, etc. X Kaseware has a built-in public portal where non-authenticated users can submit data. Further, Kaseware supports API configuration to accept data from other external sources, including external web forms and mobile applications. 22.0 The system must be able to receive multimedia attachments from external sources. X Kaseware provides the ability to upload a document, picture, and media attachments via the ‘upload a file’ functionality. 23.0 The System must be able to interface with FBI eGuardian system at a minimum to transfer of data X Kaseware can integrate with FBI eGuardian system via file exchange. This would be custom development that would be completed during implementation activities. 24.0 MSP administrators must be able to set system time out period X Time out periods may be configured within Kaseware by an authentication manager allowing administrators to set system time out periods. 25.0 The system must provide for an electronic workflow management process, that includes but is not limited to task management, assignments, and case supervision. X Kaseware provides a highly customizable workflow engine for processing items in the system, including a variety of options for collaborating, editing, approving, distributing, reassigning, and canceling items via workflow tasks. Most workflow processes are specific to a particular type of item in the system, e.g. documents, cases, or investigations. 26.0 The system must be able to accept multiple attachments in one upload without affecting the performance of the system. X Multiple attachments can be added to a case, report, or entity in a single upload and does not negatively impact system performance. 27.0 The system must effectively interface with SOM email servers to pull user information (names, contact info, roles, etc.) and manage email distribution lists. X Integration with email servers to import user information will require a custom integration that can be completed during implementation. 28.0 The system must have ability to color code the inbound and outbound email messages X Color coding email messages will require requirements analysis and customization that will be completed during implementation.

29.0 The system must be able to send Tip information real time to other user(s) for review and/or other action X Kaseware allows for creation of calls for service, cases, tasks, or other documents that may be assigned to users for completion or follow up. Assignment of these items results in both email notifications and in-app notifications to the assignee and anyone that chooses to monitor the item. For situations in which groups of users need to be alerted to urgent circumstances or tip, Kaseware provides a special type of document known as an "alert." Alerts will both send notifications to specified recipients as well as add visual indicators to the various views of the associated entities for the period that the alert is active. 30.0 The system must automatically notify role￾based user(s) when there are unassigned tips or tips awaiting additional work. X Unassigned cases, tasks, etc. can be viewed and picked up by assignees within the user’s workbox/dashboard based on their viewing permissions (role). 31.0 The system must have ability to receive DD-79 webform data from external (non￾system) users and be mapped into the appropriate database X Given an appropriate communication means (API, etc.) from the external source for DD-79 webform data and appropriate definition of mapping requirements, Kaseware can ingest the information and maintain the data on appropriate records. 32.0 The system must provide for automated similar-case matching based on defined criteria and/or field type to identify potential related crimes. X Kaseware matches cases by finding the patterns in offenses, tags, or searching for keywords. All like cases are related to each other in the graph database, which can be searched for patterns and similarities 33.0 The system must have a simple, user friendly and customizable/configurable dashboard. The dashboard must be flex ble enough to accommodate use cases for multiple user roles, to include : task management, snapshot of user/system activity, etc. X Kaseware’s home tab is a fully customizable dashboard with configurable components that give users a quick snapshot of relevant system information. Each individual dashboard part shows a different view into the system. Supervisor, records manager, and dispatch dashboards are also available and customizable. 34.0 The system must be able to display current stats on homepage by district, post, or other user defined area. X Kaseware allows searching and reporting based on geospatial searching. Geospatial searches allow users to visual where the data is on a map, as well as define areas on the map from which to limit search results or reporting 35.0 The system home screen must have all￾tool access. Users can submit & receive responses to requests from home page, along w/email alerting X All functionality within Kaseware is accessible via the Kaseware landing page. The navigation menu is the starting point for creating, viewing, and analyzing content in the system. The menu is always available on the left side of the

application, and provides drill-down access to capabilities. 36.0 The system must allow for records pushed between SAR, OKAY2SAY, and RFS or other functional areas. X Kaseware can integrate with various systems via API or database integrations. Customization may be required but will depend on requirements analysis and connector capabilities with any data repository or external source. 37.0 The System must generate a unique number that is linked to that confidential informant (CI) that will be used to track all CI activity. X An informant may be treated like a case in Kaseware. User creates a new case type of Informant which would give them a unique number and allow access controls and the l ke. This would provide a unique ID as well. 38.0 The System must enable law enforcement officers to input reports, receipts for payments, and records of any other related actions for that CI X Kaseware provides the capability to create contact reports that would be attached to a CI entity and include details for actions related to the CI. Officers can also upload attachments to this contact report including images and pdfs for payments or other records. 39.0 CI data must securely deconflict and case match across the system and the tips and leads system. X Kaseware provides for deconfliction within the system via specific configurations; however, deconfliction with external systems will require customization to be completed during implementation. 40.0 The system must have e-signature functionality on mobile devices (for example: for a CI to sign receipts). X Providing esignature within Kaseware would require customization that would be completed during implementation. 41.0 The system must allow for the creation of templates from existing CI related forms, or to otherwise allow users to effectively capture/update all required data from these forms. X Custom forms can be created by end users with appropriate permissions to allow for the capture/update of required data. These custom forms can serve the purpose of gathering CI related details, and can be managed within the system without requiring customization. 42.0 The system must be able to migrate and integrate CI data from an existing access database. X Kaseware implementations traditionally include data migration from legacy systems and these migrations are completed after evaluation of the data and necessary format. 43.0 The system must be able to Encrypt communication so it’s CJIS compliant X Kaseware is CJIS compliant. 44.0 System must be able to create separate modules for non-MSP agencies - access specific X Kaseware controls authorization within the system to various modules via user roles and this can be used to segregate user access to information. In addition, separate organizations or tenants can also be created to provide for even more segregation and controlled data sharing. 45.0 The system must enable Special Ops to update their availability themselves in the system. X Kaseware provides features to enable organizations to perform dispatch and assign calls to in-service officers. This can be leveraged to provide Special Ops the ability to

update their availability and to be assigned to calls. This will also provide a map to show availability of Special Ops and assignment of available resources if desired. 46.0 The system must be able to open multiple screens/windows at one time X The Kaseware application is organized with the capability to open multiple tabs/items within the same window in order to view and edit multiple things at once. Further, Kaseware supports opening multiple instances/windows of the application on the same device or multiple devices by the same authenticated user. 47.0 The system must enable user to identify priority level of request X Tasks, cases, investigations, calls, and other events within Kaseware have priorities assigned and priority levels are customizable by the organization administrator. 48.0 Connection from the RMS system to other system must be able to do that with a click of a button X Kaseware supports communication with other systems via multiple integration methods, including APIs. Configuration will be required to enable this communication, dependent on the RMS system, and potentially customization that would be completed during implementation. 49.0 The system must be able to automate actions for compliance with 28 CFR pt. 23, to include review/purge notifications X Reviewing and purging records in Kaseware to be compliant can be accomplished however would require customization that would be completed during implementation. It would include the ability to configure review and purge timelines per organization and in line with compliance requirements. 50.0 The system must enable manual/automatic classification and marking of data within the system and apply/enforce appropriate handling rules. X Data classification can be handled with current capabilities via a tag; however, enforcement will require some custom development. Kaseware allows you to set organization-wide default access controls to determine who can see reports and entities contained in the system. You can further restrict access to information based on the type of case, or the specific case to which the report is filed. Access controls can include or exclude different users, groups, or organizational units. 51.0 The system must be able to maintain and track both complete and redacted versions of reports. X Current capability would involve uploading separate versions of a document, redacted and non-redacted, in order to track both versions and naming and tagging them appropriately. Additional functionality to complete the redaction or track them outside of an attachment would involve additional custom development. 52.0 The system must be able to link source data in the criminal intelligence reports X Kaseware provides a means to link any existing record, case, call, task, entity or other item with any new or existing item, with the goal of only

with subsequent data reports to avoid duplicate records in the system entering data about an entity or other record once. Kaseware also provides suggestions if duplicate records are detected during creation of a new record. Kaseware provides several means to prevent creation of duplicate records; however, if duplicates do end up in the system, Kaseware also provides a means to rapidly deduplicate via a report that suggests potential duplicate records and provides a simple workflow to merge them. 53.0 The system must enable users to assign custom tags or metadata to reports manually, in batch, or automatically. X Kaseware provides the ability to tag records, entities, documents, cases, and other items in order to support easily searchable and reportable terms, topics or other indicators. Kaseware also supports the ability to associate custom metadata with lookup list values, including tags. Batch assignment of tags may require customization; however, further requirements analysis will be necessary. 54.0 The system must enable users to sort, search, filter and view reports based on tags or metadata X Kaseware supports the use of custom tags throughout the records, documents, attachments, and other items and provides the ability to search, filter, or create reports based on these tags or other metadata affiliated with a record, entity or report. 55.0 The system must be able to Automate report dissemination to defined lists X Kaseware provides a records monitor capability to records managers that allows the user to email reports to other system users or external addresses. Additionally, reports that require approvals or additional detail can also be automatically routed via pre-defined workflow for those approvals. 56.0 The system must be able to track report disseminations (auditing and case management) X Audit logging and reporting is available within Kaseware to track and outline report disseminations. 57.0 The system must be able to maintain different user levels to manage access to reports based on classifications/markings, defined tags/metadata, etc X Classifications will be a customization within Kaseware that would be completed during implementation. Current access controls, case type controls, or individual case controls, control whether a user will either be granted full access, restricted access or no access. 58.0 The system must be able to generate custom reports based on this information for statistical purposes. X These custom reports would be dependent on the customization outlined above, but could be completed during implementation 59.0 The system must allow users to collect and manage report evaluations. X With the assumption that evaluations are documented through a set of forms, this is a configurable function in Kaseware. Kaseware also enables workflows to be defined that require review and approval of submitted

reports and documents, requiring such actions before a report is deemed final. 60.0 The system must allow users to rate and evaluate sources. X Kaseware would be customized to provide an additional type of person entity (source) that would have the capability to include rating for the reliability of a source. This would be a customization that could be accomplished during implementation. 61.0 The system must be able to update, recall, delete, and purge reports. X The system provides the ability for users to draft reports, update existing reports, finalize reports for dissemination, and delete reports. Purging reports via a specific timeline will require configuration to set timelines and handling of purged reports. 62.0 The system must be able to label Information to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials. X Tags may be used to indicated sensitivity or confidence. Also, potentially separate tenants may be used, as then the identity of the submitting agency would be automatically tracked. 63.0 The system should allow for receipt of a SAR from an external source system directly. X Kaseware currently supports this through the public portal, allowing for public or external submission of a suspicious activity report. Further, if another source is necessary, integration via API with that system could also be accomplished. 64.0 The system must be able to notify analyst in case of any CI arrest or warrant in the system X Alerts and monitored items within Kaseware would provide the ability to notify users of updates to CI entities as defined with the Kaseware system. 65.0 The system must be able to perform link analysis, geospatial analysis, and entity generation or have the ability to link to an external system with those capabilities X Kaseware includes integrated graphing and link analysis tools (including geospatial analysis) that allow quick and easy vis bility into the connections between an organization’s data, and any data shared with that organization by other Kaseware users or integrated systems. Kaseware automatically creates links among documents, records and entities (people, places, and things) referenced in those documents. In addition, Kaseware automatically de-duplicates entities where possible. Relationships can also be created manually between entities manually, allowing for ultimate flexibility.

SCHEDULE B PRICING Cost Table 1. Contract Summary Description Cost Comments, Assumptions, Additional Details Implementation Services $1,203,000 This includes configuration, migration, integration, testing and initial training, which covers all milestones and deliverables as set forth in Exhibit A - Project Scope. This is a fixed-fee cost based on details contained within this Contract. See Cost Table 2 for invoice timing. Licensing & Support Services $2,090,000 This includes: • 300 Kaseware Annual Subscriptions, • 60 SocialNet annual licenses, • 1 OI Monitor annual license • Kaseware Government Annual Enterprise Support Subscription Add-On, which includes: o Onsite resource available 48 hours a month to train new users, train on new functionality, create custom documentation, and assist in the further configuration of the system to meet future MSP needs. The State may opt annually whether to discontinue this resource support. o Hosting in Azure Government Cloud See Cost Table 3 for invoice timing. TOTAL $3,293,000

Cost Table 2. Implementation Services, Milestones & Payments Contractor may invoice for each Milestone Event after all of its required deliverables have been formally accepted by the State. Milestone Event Milestone Payment Project Planning $300,000 Requirements and Design Validation $25,000 Test Plan Development $25,000 Provision Environments $50,000 Installation and Configuration of Software $50,000 Data Migration Plan $25,000 System Integration $50,000 Testing and Acceptance $200,000 Training $225,000 ShadowDragon Training $3,000 Go-Live $225,000 Data Migration $25,000 Post Production Warranty N/A Production Support Services N/A TOTAL $1,203,000 Cost Table 3. Licensing & Support Services Contractor may invoice the Annual Fee after all required Go-Live deliverables have been formally accepted by the State and annually thereafter for the term of the contract. Product Comment Annual Fee Contract Total Kaseware Software as a Service* • 300 Kaseware Annual Subscriptions (10GB of pooled storage included per user, 3TB of storage for 300 users) • Kaseware Government Annual Enterprise Support Subscription Add-On $340,000* $1,700,000 SocialNet 60 SocialNet annual licenses $39,000 195,000 IOMonitor 1 OI Monitor annual license $39,000 195,000 TOTAL $418,000 $2,090,000 *Pricing for this product shall be firm for the contract’s five base years and five option years.

Cost Table 4. Hourly Rates for Optional Additional Services The hourly rates below shall be firm for the contract’s five base years and five option years. Service Remote Onsite Development $200 $225 Project Management $175 $200 Training $150 $175 Cost Table 5. Tiered Pricing for Optional Additional Licensed Products Pricing for the products below shall be firm for the contract’s five base years. Pricing for all users is at the same rate and is based on the total user count. Government/Non-Profit SKUs Product Annual Fee* Monthly Fee** KW-NPG-COMPLETE Kaseware Annual Subscription $1,200 $100 KW-NPG-COMPLETE-50 Kaseware Annual Subscription - 50-99 users $1,080 $90 KW-NPG-COMPLETE-100 Kaseware Annual Subscription - 100-249 users $960 $80 KW-NPG-COMPLETE-250 Kaseware Annual Subscription - 250-1499 users $900 $75 KW-NPG-COMPLETE-1500 Kaseware Annual Subscription - 1500-2249 users $720 $60 KW-NPG-COMPLETE-2250 Kaseware Annual Subscription - 2250-2999 users $540 $45 KW-NPG-COMPLETE-3000 Kaseware Annual Subscription - 3000-4999 users $360 $30 KW-NPG-COMPLETE-5000 Kaseware Annual Subscription - More than or 5000 users $300 $25 KW-NPG-Enterprise-Support Kaseware Government Annual Enterprise Support Subscription Add-On $70,000 N/A KW-NPG-Private Cloud Kaseware Government Private Cloud Services - Small (Non Enterprise) $12,000 $1,000 KW-NPG-Private Cloud Kaseware Government Private Cloud Services - Medium (Non Enterprise) $20,000 $1,66 KW-NPG-Private Cloud Kaseware Government Private Cloud Services - Large (Non Enterprise) $40,000 $3,333 KW-NPG-STORAGE Kaseware Additional Storage – 1GB per month $3.00 $0.25 N/A (Third-Party Item) SocialNet Annual Subscription – 125 Queries Per Day $650 N/A N/A (Third-Party Item) SocialNet Annual Subscription – 250 Queries Per Day $1,400 N/A N/A (Third-Party Item) SocialNet Annual Subscription – 500 Queries Per Day $2,800 N/A N/A (Third-Party Item) SocialNet Annual Subscription – 1000 Queries Per Day $4,500 N/A N/A (Third-Party Item) OIMonitor Annual Subscription – initial user $39,000 N/A N/A (Third-Party Item) OIMonitor Annual Subscription – each additional user $4,000 N/A *When adding optional additional products, Contractor will prorate the initial Annual Fee so that new licenses will co-terminate/renew at the same time as the annual licenses initially purchased. **Surge Licenses are also available. Upon the State’s request, the State may add short-term products for specific circumstances, which would be invoiced at the Monthly Fee rates shown above.

SCHEDULE C Service Level Agreement 1. Definitions. For purposes of this Schedule, the following terms have the meanings set forth below. All initial capitalized terms in this Schedule that are not defined in this Section 1 shall have the respective meanings given to them in the Contract. “Actual Uptime” means the total minutes in the Service Period that the Hosted Services are Available. “Availability” has the meaning set forth in Section 4.1. “Availability Requirement” has the meaning set forth in Section 4.1. “Available” has the meaning set forth in Section 4.1. “Contractor Service Manager” has the meaning set forth in Section 3.1. “Corrective Action Plan” has the meaning set forth in Section 5.6. “Critical Service Error” has the meaning set forth in Section 5.4(a). “Exceptions” has the meaning set forth in Section 4.2. “Force Majeure Event” has the meaning set forth in Section 6.1. “High Service Error” has the meaning set forth in Section 5.4(a). “Hosted Services” has the meaning set forth in Section 2.1(a). “Low Service Error” has the meaning set forth in Section 5.4(a). “Medium Service Error” has the meaning set forth in Section 5.4(a). “Resolve” has the meaning set forth in Section 5.4(b). “Scheduled Downtime” has the meaning set forth in Section 4.3. “Scheduled Uptime” means the total minutes in the Service Period. “Service Availability Credits” has the meaning set forth in Section 4.6(a). “Service Error” means any failure of any Hosted Service to be Available or otherwise perform in accordance with this Schedule. “Service Level Credits” has the meaning set forth in Section 5.5. “Service Level Failure” means a failure to perform the Software Support Services fully in compliance with the Support Service Level Requirements. “Service Period” has the meaning set forth in Section 4.1.

“Software” has the meaning set forth in the Contract. “Software Support Services” has the meaning set forth in Section 5. “State Service Manager” has the meaning set forth in Section 3.2. “State Systems” means the information technology infrastructure, including the computers, software, databases, electronic systems (including database management systems) and networks, of the State or any of its designees. “Support Request” has the meaning set forth in Section 5.4(a). “Support Service Level Requirements” has the meaning set forth in Section 5.4. “Term” has the meaning set forth in the Contract. 2. Services. 2.1. Services. Throughout the Term, Contractor will, in accordance with all terms and conditions set forth in the Contract and this Schedule, provide to the State and its Authorized Users the following services : (a) the hosting, management and operation of the Software and other services for remote electronic access and use by the State and its Authorized Users (“Hosted Services”); (b) the Software Support Services set forth in Section 5 of this Schedule; 3. Personnel 3.1. Contractor Personnel for the Hosted Services. Contractor will appoint a Contractor employee to serve as a primary contact with respect to the Services who will have the authority to act on behalf of Contractor in matters pertaining to the receipt and processing of Support Requests and the Software Support Services (the “Contractor Service Manager”). The Contractor Service Manager will be considered Key Personnel under the Contract. 3.2. State Service Manager for the Hosted Services. The State will appoint and, in its reasonable discretion, replace, a State employee to serve as the primary contact with respect to the Services who will have the authority to act on behalf of the State in matters pertaining to the Software Support Services, including the submission and processing of Support Requests (the “State Service Manager”). 4. Service Availability and Service Availability Credits. 4.1. Availability Requirement. Contractor will make the Hosted Services Available, as measured over the course of each calendar month during the Term and any additional periods during which Contractor does or is required to perform any Hosted Services (each such calendar month, a “Service Period”), at least 99.98% of the time, excluding only the time the Hosted Services are not Available solely as a result of one or more Exceptions (the “Availability Requirement”). “Available” means the Hosted Services are available and operable for access and use by the State and its Authorized Users over the Internet in material conformity with the Contract. “Availability” has a correlative meaning. The Hosted Services are not considered Available in the event of a material performance degradation or inoperability of the Hosted Services, in whole or in part. The Availability

Requirement will be calculated for the Service Period as follows: (Actual Uptime – Total Minutes in Service Period Hosted Services are not Available Due to an Exception) ÷ (Scheduled Uptime – Total Minutes in Service Period Hosted Services are not Available Due to an Exception) x 100 = Availability. 4.2. Exceptions. No period of Hosted Service degradation or inoperability will be included in calculating Availability to the extent that such downtime or degradation is due to any of the following (“Exceptions”): (a) failures of the State’s or its Authorized Users’ internet connectivity; (b) Scheduled Downtime as set forth in Section 4.3. 4.3. Scheduled Downtime. Contractor must notify the State at least twenty-four (24) hours in advance of all scheduled outages of the Hosted Services in whole or in part (“Scheduled Downtime”). All such scheduled outages will: (a) last no longer than five (5) hours; (b) be scheduled between the hours of 12:00 a.m. and 5:00 a.m., Eastern Time; and (c) occur no more frequently than once per week; provided that Contractor may request the State to approve extensions of Scheduled Downtime above five (5) hours or during hours outside of the above defined timeline, and such approval by the State may not be unreasonably withheld or delayed. 4.4. Software Response Time. Software response time, defined as the interval from the time the end user sends a transaction to the time a visual confirmation of transaction completion is received, must be less than two (2) seconds for 98% of all transactions. Unacceptable response times shall be considered to make the Software unavailable and will count against the Availability Requirement. 4.5. Service Availability Reports. Within thirty (30) days after the end of each Service Period and upon request of the State, Contractor will provide to the State a report describing the Availability and other performance of the Hosted Services during that calendar month as compared to the Availability Requirement. The report must be in electronic or such other form as the State may approve in writing and shall include, at a minimum: (a) the actual performance of the Hosted Services relative to the Availability Requirement; and (b) if Hosted Service performance has failed in any respect to meet or exceed the Availability Requirement during the reporting period, a description in sufficient detail to inform the State of the cause of such failure and the corrective actions the Contractor has taken and will take to ensure that the Availability Requirement are fully met. 4.6. Remedies for Service Availability Failures. (a) If the actual Availability of the Hosted Services is less than the Availability Requirement for any Service Period, such failure will constitute a Service Error for which Contractor will issue to the State the following credits on the fees payable for Hosted Services provided during the Service Period (“Service Availability Credits”): Availability Credit of Fees ≥99.98% None <99.98% but ≥99.0% 15%

<99.0% but ≥95.0% 50% <95.0% 100% (b) Any Service Availability Credits due under this Section 4.6 will be applied in accordance with payment terms of the Contract. (c) If the actual Availability of the Hosted Services is less than the Availability Requirement in any two (2) of four (4) consecutive Service Periods, then, in addition to all other remedies available to the State, the State may terminate the Contract on written notice to Contractor with no liability, obligation or penalty to the State by reason of such termination. 5. Support and Maintenance Services. Contractor will provide Hosted Service maintenance and support services (collectively, “Software Support Services”) in accordance with the provisions of this Section 5. The Software Support Services are included in the Services, and Contractor may not assess any additional fees, costs or charges for such Software Support Services. 5.1. Support Service Responsibilities. Contractor will: (a) correct all Service Errors in accordance with the Support Service Level Requirements, including by providing defect repair, programming corrections and remedial programming; (b) provide unlimited telephone support 8 a.m. to 5 p.m. Eastern, Monday thru Friday, (c) provide unlimited online support 24 hours a day, seven days a week; (d) provide online access to technical support bulletins and other user support information and forums, to the full extent Contractor makes such resources available to its other customers; and (e) respond to and Resolve Support Requests as specified in this Section 5. 5.2. Service Monitoring and Management. Contractor will continuously monitor and manage the Hosted Services to optimize Availability that meets or exceeds the Availability Requirement. Such monitoring and management includes: (a) proactively monitoring on a twenty-four (24) hour by seven (7) day basis all Hosted Service functions, servers, firewall and other components of Hosted Service security; (b) if such monitoring identifies, or Contractor otherwise becomes aware of, any circumstance that is reasonably likely to threaten the Availability of the Hosted Service, taking all necessary and reasonable remedial measures to promptly eliminate such threat and ensure full Availability; and (c) if Contractor receives knowledge that the Hosted Service or any Hosted Service function or component is not Available (including by written notice from the State pursuant to the procedures set forth herein): (i) confirming (or disconfirming) the outage by a direct check of the associated facility or facilities;

(ii) if Contractor’s facility check in accordance with clause (i) above confirms a Hosted Service outage in whole or in part: (A) notifying the State in writing pursuant to the procedures set forth herein that an outage has occurred, providing such details as may be available, including a Contractor trouble ticket number, if appropriate, and time of outage; and (B) working all problems causing and caused by the outage until they are Resolved as Critical Service Errors in accordance with the Support Request Classification set forth in Section 5.4, or, if determined to be an internet provider problem, open a trouble ticket with the internet provider; and (iii) notifying the State that Contractor has fully corrected the outage and any related problems, along with any pertinent findings or action taken to close the trouble ticket. 5.3. Service Maintenance. Contractor will continuously maintain the Hosted Services to optimize Availability that meets or exceeds the Availability Requirement. Such maintenance services include providing to the State and its Authorized Users: (a) all updates, bug fixes, enhancements, Maintenance Releases, New Versions and other improvements to the Hosted Services, including the Software, that Contractor provides at no additional charge to its other similarly situated customers; provided that Contractor shall consult with the State and is required to receive State approval prior to modifying or upgrading Hosted Services, including Maintenance Releases and New Versions of Software; and (b) all such services and repairs as are required to maintain the Hosted Services or are ancillary, necessary or otherwise related to the State’s or its Authorized Users’ access to or use of the Hosted Services, so that the Hosted Services operate properly in accordance with the Contract and this Schedule. 5.4. Support Service Level Requirements. Contractor will correct all Service Errors and respond to and Resolve all Support Requests in accordance with the required times and other terms and conditions set forth in this Section 5.4 (“Support Service Level Requirements”), and the Contract. (a) Support Requests. The State will classify its requests for Service Error corrections in accordance with the descriptions set forth in the chart below (each a “Support Request”). The State Service Manager will notify Contractor of Support Requests by email, telephone or such other means as the parties may hereafter agree to in writing. Support Request Classification Description: Any Service Error Comprising or Causing any of the Following Events or Effects Critical Service Error · Issue affecting entire system or single critical production function;

· System down or operating in materially degraded state; · Data integrity at risk; · Declared a Critical Support Request by the State; or · Widespread access interruptions. High Service Error · Primary component failure that materially impairs its performance; or · Data entry or access is materially impaired on a limited basis. Medium Service Error · Hosted Service is operating with minor issues that can be addressed with an acceptable (as determined by the State) temporary work around. Low Service Error · Request for assistance, information, or services that are routine in nature. (b) Response and Resolution Time Service Levels. Response and Resolution times will be measured from the time Contractor receives a Support Request until the respective times Contractor has (i) responded to, in the case of response time and (ii) Resolved such Support Request, in the case of Resolution time. “Resolve” (including “Resolved”, “Resolution” and correlative capitalized terms) means that, as to any Service Error, Contractor has provided the State the corresponding Service Error correction and the State has confirmed such correction and its acceptance thereof. Contractor will respond to and Resolve all Service Errors within the following times based on the severity of the Service Error: Support Request Classification Service Level Metric (Required Response Time) Service Level Metric (Required Resolution Time) Service Level Credits (For Failure to Respond to any Support Request Within Service Level Credits (For Failure to Resolve any Support Request Within

the Corresponding Response Time) the Corresponding Required Resolution Time) Critical Service Error One (1) hour Three (3) hours Five percent (5%) of the Fees for the month in which the initial Service Level Failure begins and five percent (5%) of such monthly Fees for each additional hour or portion thereof that the corresponding Service Error is not responded to within the required response time. Five percent (5%) of the Fees for the month in which the initial Service Level Failure begins and five percent (5%) of such monthly Fees for the first additional hour or portion thereof that the corresponding Service Error remains un￾Resolved, which amount will thereafter double for each additional one￾hour increment. High Service Error One (1) hour Four (4) hours Three percent (3%) of the Fees for the month in which the initial Service Level Failure begins and three percent (3%) of such monthly Fees for each additional hour or portion thereof that the Three percent (3%) of the Fees for the month in which the initial Service Level Failure begins and three percent (3%) of such monthly Fees for the first additional hour or portion thereof that the

corresponding Service Error is not responded to within the required response time. corresponding Service Error remains un￾Resolved, which amount will thereafter double for each additional one￾hour increment. Medium Service Error Three (3) hours Two (2) Business Days N/A N/A Low Service Error Three (3) hours Five (5) Business Days N/A N/A (c) Escalation. With respect to any Critical Service Error Support Request, until such Support Request is Resolved, Contractor will escalate that Support Request within sixty (60) minutes of the receipt of such Support Request by the appropriate Contractor support personnel, including, as applicable, the Contractor Service Manager and Contractor’s management or engineering personnel, as appropriate. 5.5. Support Service Level Credits. Failure to achieve any of the Support Service Level Requirements for Critical and High Service Errors will constitute a Service Level Failure for which Contractor will issue to the State the corresponding service credits set forth in Section 5.4(b) (“Service Level Credits”) in accordance with payment terms set forth in the Contract. 5.6. Corrective Action Plan. If two or more Critical Service Errors occur in any thirty (30) day period during (a) the Term or (b) any additional periods during which Contractor does or is required to perform any Hosted Services, Contractor will promptly investigate the root causes of these Service Errors and provide to the State within five (5) Business Days of its receipt of notice of the second such Support Request an analysis of such root causes and a proposed written corrective action plan for the State’s review, comment and approval, which, subject to and upon the State’s written approval, shall be a part of, and by this reference is incorporated in, the Contract as the parties’ corrective action plan (the “Corrective Action Plan”). The Corrective Action Plan must include, at a minimum: (a) Contractor’s commitment to the State to devote the appropriate time, skilled personnel, systems support and equipment and other resources necessary to Resolve and prevent any further occurrences of the Service Errors giving rise to such Support Requests; (b) a strategy for developing any programming, software updates, fixes, patches, etc. necessary to remedy, and prevent any further occurrences of, such Service Errors; and (c) time frames for implementing the Corrective Action Plan. There will be no additional charge for Contractor’s preparation or implementation of the Corrective Action Plan in the time frames and manner set forth therein. 6. Force Majeure. 6.1. Force Majeure Events. Subject to Section 6.3, neither party will be liable or responsible to the other party, or be deemed to have defaulted under or breached the Contract, for any failure or delay

in fulfilling or performing any term hereof, when and to the extent such failure or delay is caused by: acts of God, flood, fire or explosion, war, terrorism, invasion, riot or other civil unrest, embargoes or blockades in effect on or after the date of the Contract, national or regional emergency, or any passage of law or governmental order, rule, regulation or direction, or any action taken by a governmental or public authority, including imposing an embargo, export or import restriction, quota or other restriction or prohibition (each of the foregoing, a “Force Majeure Event”), in each case provided that: (a) such event is outside the reasonable control of the affected party; (b) the affected party gives prompt written notice to the other party, stating the period of time the occurrence is expected to continue; (c) the affected party uses diligent efforts to end the failure or delay and minimize the effects of such Force Majeure Event. 6.2. State Performance; Termination. In the event of a Force Majeure Event affecting Contractor’s performance under the Contract, the State may suspend its performance hereunder until such time as Contractor resumes performance. The State may terminate the Contract by written notice to Contractor if a Force Majeure Event affecting Contractor’s performance hereunder continues substantially uninterrupted for a period of five (5) Business Days or more. Unless the State terminates the Contract pursuant to the preceding sentence, any date specifically designated for Contractor’s performance under the Contract will automatically be extended for a period up to the duration of the Force Majeure Event. 6.3. Exclusions; Non-suspended Obligations. Notwithstanding the foregoing or any other provisions of the Contract or this Schedule: (a) in no event will any of the following be considered a Force Majeure Event: (i) shutdowns, disruptions or malfunctions of Contractor Systems or any of Contractor’s telecommunication or internet services other than as a result of general and widespread internet or telecommunications failures that are not limited to the Contractor Systems; or (ii) the delay or failure of any Contractor Personnel to perform any obligation of Contractor hereunder unless such delay or failure to perform is itself by reason of a Force Majeure Event. (b) no Force Majeure Event modifies or excuses Contractor’s obligations under Sections 19 (State Data), 20 (Confidentiality), or 27 (Indemnification) of the Contract, Section 7 (Disaster Recovery and Backup) of this Schedule, the Availability Requirement defined in this Schedule, or any security requirements under the Contract, the Statement of Work, or applicable Schedule. 7. Disaster Recovery and Backup. Throughout the Term and at all times in connection with its actual or required performance of the Services, Contractor will: (a) maintain and operate a backup and disaster recovery plan to achieve a Recovery Point Objective (RPO) of 4 hours, and a Recovery Time Objective (RTO) of 4 hours (the “DR Plan”), and implement such DR Plan in the event of any unplanned interruption of the Hosted Services. Contractor’s current DR Plan, revision history, and any reports or summaries relating to past testing of or pursuant to the DR Plan are attached as Schedule E. Contractor will actively test, review and update the DR Plan on at least an annual basis using industry best practices as guidance. Contractor will provide the State with copies of

all such updates to the Plan within fifteen (15) days of its adoption by Contractor. All updates to the DR Plan are subject to the requirements of this Section 7; and (b) provide the State with copies of all reports resulting from any testing of or pursuant to the DR Plan promptly after Contractor’s receipt or preparation. If Contractor fails to reinstate all material Hosted Services within the periods of time set forth in the DR Plan, the State may, in addition to any other remedies available under this Contract, in its sole discretion, immediately terminate this Contract as a non-curable default.

SCHEDULE D Data Security Requirements 1. Definitions. For purposes of this Schedule, the following terms have the meanings set forth below. All initial capitalized terms in this Schedule that are not defined in this Section 1 shall have the respective meanings given to them in the Contract. “Contractor Security Officer” has the meaning set forth in Section 2 of this Schedule. “Contractor Systems” has the meaning set forth in Section 5 of this Schedule. “FedRAMP” means the Federal Risk and Authorization Management Program, which is a federally approved risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services. “FISMA” means The Federal Information Security Management Act of 2002 (44 U.S.C. ch. 35, subch. III § 3541 et seq.). “Hosted Services” means the hosting, management and operation of the computing hardware, ancillary equipment, Software, firmware, data, other services (including support services), and related resources for remote electronic access and use by the State and its Authorized Users, including any services and facilities related to disaster recovery obligations. “NIST” means the National Institute of Standards and Technology. “PSP” means the State’s IT Policies, Standards and Procedures located at: http://michigan.gov/dtmb/0,4568,7-150-56355 56579 56755---,00.html 2. Contractor will appoint a Contractor employee to respond to the State’s inquiries regarding the security of the Contractor Systems who has sufficient knowledge of the security of the Contractor Systems and the authority to act on behalf of Contractor in matters pertaining thereto (“Contractor Security Officer”). The Contractor Security Officer will be considered Key Personnel under the Contract. 3. Protection of the State’s Confidential Information. Throughout the Term and at all times in connection with its actual or required performance of the Services, Contractor will: 3.1. maintain infrastructure’s FedRAMP certification for the Hosted Services throughout the Term, and in the event the contractor is unable to maintain infrastructure’s FedRAMP certification, the State may move the Software to an alternative provider, at contractor’s sole cost and expense; 3.2. ensure that the Software is securely hosted, supported, administered, and accessed in a data center that resides in the continental United States, and minimally meets Uptime Institute Tier 3 standards (www.uptimeinstitute.com), or its equivalent; 3.3. maintain and enforce an information security program including safety and physical and technical security policies and procedures with respect to its Processing of the State’s Confidential Information that comply with the requirements of the State’s data security policies as set forth in the Contract, and must, at a minimum, remain compliant with FISMA and the NIST Special Publication

800.53 (most recent version) HIGH Controls using minimum control values as established in the applicable PSP; 3.4. provide technical and organizational safeguards against accidental, unlawful or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, commingling or processing of such information that ensure a level of security appropriate to the risks presented by the processing of the State’s Confidential Information and the nature of such Confidential Information, consistent with best industry practice and standards; 3.5. take all reasonable measures to: (a) secure and defend all locations, equipment, systems and other materials and facilities employed in connection with the Services against “hackers” and others who may seek, without authorization, to disrupt, damage, modify, access or otherwise use Contractor Systems or the information found therein; and (b) prevent (i) the State and its Authorized Users from having access to the data of other customers or such other customer’s users of the Services; (ii) the State’s Confidential Information from being commingled with or contaminated by the data of other customers or their users of the Services; and (iii) unauthorized access to any of the State’s Confidential Information; 3.6. ensure that State Data is encrypted in transit and at rest using AES 256bit or higher encryption; 3.7. ensure that State Data is encrypted in transit and at rest using currently certified encryption modules in accordance with FIPS PUB 140-2 (as amended). Security Requirements for Cryptographic Modules; 3.8. ensure the Hosted Services support Identity Federation/Single Sign-on (SSO) capabilities using Security Assertion Markup Language (SAML) or comparable mechanisms; 3.9. ensure the Hosted Services have multi-factor authentication for privileged/administrative access; and 3.10. Security Accreditation Process. Contractor must assist the State, at no additional cost, with development, completion and on-going maintenance of a system security plan (SSP) using the State’s automated governance, risk and compliance platform, which requires Contractor to submit evidence, upon request from the State, in order to validate Contractor’s security controls. On an annual basis, or as otherwise required by the State, re-assessment of the system’s controls will be required to receive and maintain authority to operate (ATO). All identified risks from the SSP will be remediated through a Plan of Action and Milestones (POAM) process with remediation time frames based on the risk level of the identified risk. For all findings associated with the Contractor’s solution, at no additional cost, Contractor will be required to create or assist with the creation of State approved POAMs and perform related remediation activities. The State will make any decisions on acceptable risk, Contractor may request risk acceptance, supported by compensating controls, however only the State may formally accept risk. 4. Unauthorized Access. Contractor may not access, and shall not permit any access to, State systems, in whole or in part, whether through Contractor’s Systems or otherwise, without the State’s express prior written authorization. Such authorization may be revoked by the State in writing at any time

in its sole discretion. Any access to State systems must be solely in accordance with the Contract and this Schedule, and in no case exceed the scope of the State’s authorization pursuant to this Section 4. All State-authorized connectivity or attempted connectivity to State systems shall be only through the State’s security gateways and firewalls and in compliance with the State’s security policies set forth in the Contract as the same may be supplemented or amended by the State and provided to Contractor from time to time. 5. Contractor Systems. Contractor will be solely responsible for the information technology infrastructure, including all computers, software, databases, electronic systems (including database management systems) and networks used by or for Contractor in connection with the Services (“Contractor Systems”) and shall prevent unauthorized access to State systems through the Contractor Systems. 6. Security Audits. During the Term, Contractor will: 6.1. maintain complete and accurate records relating to its data protection practices, IT security controls, and the security logs of any of the State’s Confidential Information, including any backup, disaster recovery or other policies, practices or procedures relating to the State’s Confidential Information and any other information relevant to its compliance with this Schedule; 6.2. upon the State’s request, make all such records, appropriate personnel and relevant materials available during normal business hours for inspection and audit by the State or an independent data security expert that is reasonably acceptable to Contractor, provided that the State: (i) gives Contractor at least five (5) Business Days prior notice of any such audit; (ii) undertakes such audit no more than once per calendar year, except for good cause shown; and (iii) conducts or causes to be conducted such audit in a manner designed to minimize disruption of Contractor’s normal business operations and that complies with the terms and conditions of all data confidentiality, ownership, privacy, security and restricted use provisions of the Contract. The State may, but is not obligated to, perform such security audits, which shall, at the State’s option and request, include penetration and security tests, of any and all Contractor Systems and their housing facilities and operating environments; and 6.3. if requested by the State, provide a copy of Contractor’s FedRAMP System Security Plan. The System Security Plan will be recognized as Contractor’s Confidential Information. 7. Nonexclusive Remedy for Security Breach. Any failure of the Services to meet the requirements of this Schedule with respect to the security of any State Data or other Confidential Information of the State, including any related backup, disaster recovery or other policies, practices or procedures, is a material breach of the Contract for which the State, at its option, may terminate the Contract immediately upon written notice to Contractor without any notice or cure period, and Contractor must promptly reimburse to the State any Fees prepaid by the State prorated to the date of such termination.

SCHEDULE E Disaster Recovery Plan MSP Disaster Recovery All organizations have unique situations when it comes to their use of information technology. As such, disaster recovery (DR) plans must be tailored to the individual organization after thorough discovery and analysis of the environment and outlined use of the system. There are important considerations and a structure to guide the creation of a DR plan, including objectives, scope, RPO and RTO targets (based on the organization’s needs), backup strategy, roles and responsibilities, incident response, DR procedures for specific scenarios, alternate work locations, and notifications. To provide a comprehensive DR plan and strategy for Kaseware at MSP, these topics would be included in the requirements discovery and the documentation for designing MSP’s implementation. Discovery would include the discussion of strategies in place for existing MSP systems as well as systems to be integrated with Kaseware. MSP’s unique objectives regarding the system would also be considered. A DR strategy for Kaseware would then be identified, planned, and agreed to as part of the implementation. Azure Disaster Recovery Kaseware is proposing cloud hosting of MSP’s Kaseware tenant on the Azure GovCloud, which offers business continuity and disaster recovery (BCDR) services for hosted solutions and data. Kaseware recommends assessing these services for MSP DR and it will be considered as a strategy during design and discovery efforts. Azure DR services are outlined and maintained by Azure. Additional details regarding Azure BCDR can be referenced at the following locations: 1. https://devblogs.microsoft.com/azuregov/azure-site-recovery-available-in-dod-and-new-azure￾government-regions/ 2. https://azure.microsoft.com/en-us/services/site-recovery/

SCHEDULE F FEDERAL BUREAU OF INVESTIGATION CRIMINAL JUSTICE INFORMATION SERVICES SECURITY ADDENDUM The goal of this document is to augment the CJIS Security Policy to ensure adequate security is provided for criminal justice systems while (1) under the control or management of a private entity or (2) connectivity to FBI CJIS Systems has been provided to a private entity (contractor). Adequate security is defined in Office of Management and Budget Circular A￾130 as “security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.” The intent of this Security Addendum is to require that the Contractor maintain a security program consistent with federal and state laws, regulations, and standards (including the CJIS Security Policy in effect when the contract is executed), as well as with policies and standards established by the Criminal Justice Information Services (CJIS) Advisory Policy Board (APB). This Security Addendum identifies the duties and responsibilities with respect to the installation and maintenance of adequate internal controls within the contractual relationship so that the security and integrity of the FBI's information resources are not compromised. The security program shall include consideration of personnel security, site security, system security, and data security, and technical security. The provisions of this Security Addendum apply to all personnel, systems, networks and support facilities supporting and/or acting on behalf of the government agency. 1.1 Definitions 1.2 Contracting Government Agency (CGA) - the government agency, whether a Criminal Justice Agency or a Noncriminal Justice Agency, which enters into an agreement with a private contractor subject to this Security Addendum. 1.3 Contractor - a private business, organization or individual which has entered into an agreement for the administration of criminal justice with a Criminal Justice Agency or a Noncriminal Justice Agency. 2.1 Responsibilities of the Contracting Government Agency. 2.2 The CGA will ensure that each Contractor employee receives a copy of the Security Addendum and the CJIS Security Policy and executes an acknowledgment of such receipt and the contents of the Security Addendum. The signed acknowledgments shall remain in the possession of the CGA and available for audit purposes. The acknowledgement may be signed by hand or via digital signature (see glossary for definition of digital signature). 3.1 Responsibilities of the Contractor. 3.2 The Contractor will maintain a security program consistent with federal and state laws, regulations, and standards (including the CJIS Security Policy in effect when the contract is executed and all subsequent versions), as well as with policies and standards established by the Criminal Justice Information Services (CJIS) Advisory Policy Board (APB).

4.1 Security Violations. 4.2 The CGA must report security violations to the CJIS Systems Officer (CSO) and the Director, FBI, along with indications of actions taken by the CGA and Contractor. 4.3 Security violations can justify termination of the appended agreement. 4.4 Upon notification, the FBI reserves the right to: a. Investigate or decline to investigate any report of unauthorized use; b. Suspend or terminate access and services, including telecommunications links. The FBI will provide the CSO with timely written notice of the suspension. Access and services will be reinstated only after satisfactory assurances have been provided to the FBI by the CGA and Contractor. Upon termination, the Contractor's records containing CHRI must be deleted or returned to the CGA. 5.1 Audit 5.2 The FBI is authorized to perform a final audit of the Contractor's systems after termination of the Security Addendum. 6.1 Scope and Authority 6.2 This Security Addendum does not confer, grant, or authorize any rights, privileges, or obligations on any persons other than the Contractor, CGA, CJA (where applicable), CSA, and FBI. 6.3 The following documents are incorporated by reference and made part of this agreement: (1) the Security Addendum; (2) the NCIC 2000 Operating Manual; (3) the CJIS Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20. The parties are also subject to applicable federal and state laws and regulations. 6.4 The terms set forth in this document do not constitute the sole understanding by and between the parties hereto; rather they augment the provisions of the CJIS Security Policy to provide a minimum basis for the security of the system and contained information and it is understood that there may be terms and conditions of the appended Agreement which impose more stringent requirements upon the Contractor. 6.5 This Security Addendum may only be modified by the FBI and may not be modified by the parties to the appended Agreement without the consent of the FBI. 6.6 All notices and correspondence shall be forwarded by First Class mail to: Information Security Officer Criminal Justice Information Services Division, FBI

FEDERAL BUREAU OF INVESTIGATION CRIMINAL JUSTICE INFORMATION SERVICES SECURITY ADDENDUM CERTIFICATION I hereby certify that I am familiar with the contents of (1) the Security Addendum, including its legal authority and purpose; (2) the NCIC Operating Manual; (3) the CJIS Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20, and agree to be bound by their provisions. I recognize that criminal history record information and related data, by its very nature, is sensitive and has potential for great harm if misused. I acknowledge that access to criminal history record information and related data is therefore limited to the purpose(s) for which a government agency has entered into the contract incorporating this Security Addendum. I understand that misuse of the system by, among other things: accessing it without authorization; accessing it by exceeding authorization; accessing it for an improper purpose; using, disseminating or re-disseminating information received as a result of this contract for a purpose other than that envisioned by the contract, may subject me to administrative and criminal penalties. I understand that accessing the system for an appropriate purpose and then using, disseminating or re-disseminating the information received for another purpose other than execution of the contract also constitutes misuse. I further understand that the occurrence of misuse does not depend upon whether or not I receive additional compensation for such authorized activity. Such exposure for misuse includes, but is not limited to, suspension or loss of employment and prosecution for state and federal crimes. Printed Name/Signature of Contractor Employee Date Printed Name/Signature of Contractor Representative Date Organization and Title of Contractor Representative

SCHEDULE G Kaseware SaaS Security Controls In addition to other requirements in the contract, Contractor shall meet the Security Controls detailed in the attached Kaseware Security Policy Manual dated April 2018 as updated on 3/22/2019. [Kaseware Security Policy Manual intentionally redacted for security purposes]

SCHEDULE H Data Retention Policy The table below details the MSP Intelligence Operations Division specific retention policies. Additionally, criminal intelligence files are regulated by 28 CFR part 23. Agency Code Agency Name Item # Series Title Series Description Retention Period Approval Date Versatile Security Level 55/IOD Intelligence Operations Division 00000 - Introduction The Intelligence Operations Division includes the Michigan Intelligence Operations Center, Operations Section (including the Regional Communication Centers), and the Cyber Section which consists of the Michigan Cyber Command Center (MC3) and the Computer Crimes Unit. M.C.L. 18.1284 - 18.1292 requires that all state records, regardless of media or location, be listed on an approved Retention and Disposal Schedule. Records, regardless of format, cannot legally be destroyed without the authorization of a schedule. This schedule is supplemented by the State of Michigan's general schedules that are available online at www.michigan.gov/recordsmanagement. 55/IOD Intelligence Operations Division - Cyber Section 40190 - Computer Forensic Evidence and Analysis Records These records document the investigation of cyber crimes conducted by MSP for non￾MSP law enforcement agencies. The records for MSP investigations are created by this office, but are maintained in the case files held by other MSP offices. They may include the data files that were analyzed, images, reports, etc. RETAIN UNTIL: Case is closed an all litigation appeals are completed THEN: Destroy 3/15/2016 N C 55/IOD Intelligence Operations Division - Operations Desk 40191A - Informational Notices - Routine Incidents These records document notices that are disseminated to relevant MSP personnel about current routine incidents that are taking place to ensure awareness across the entire department. They may include communications (including e-mail), raw intelligence that is not vetted for accuracy, supporting documentation, etc. RETAIN UNTIL: Incident concludes PLUS: 30 days THEN: Destroy 3/15/2016 N C 55/IOD Intelligence Operations 40191B - Informational Notices - These records document notices that are disseminated to relevant MSP personnel RETAIN UNTIL: No 3/15/2016 N C

Agency Code Agency Item# Series Title Series Description Retention Approval Versatile Security Level Name Period Date Division - Major about current major incidents that are longer needed Operations Incidents taking place to ensure awareness across to help Desk the entire department. They may include address communications (including e-mail}, raw similar intelligence that is not vetted for accuracy, incidents in supporting documentation, etc. the future THEN: Destrov 55/IOD Intelligence 40192 - Service These records document the handling of RETAIN 3/15/2016 N C Operations Request requests for special MSP services (such as UNTIL: Division - Management canine, aerial, dive team, etc.). They may Request is Operations Records include requests, distribution of completed Desk assignments, supporting documentation, PLUS 30 etc. days THEN: Destrov 55/IOD Intelligence 40193A - Operations These records document when resources RETAIN 3/15/2016 N C Operations Log Data - are deployed or assigned, and when a UNTIL: Division - Routine routine incident is resolved. They may Request is Operations Incidents include date, status, resource assigned, completed Desk etc. PLUS 30 days THEN: Destrov 55/IOD Intelligence 40193B - Operations These records document when resources RETAIN 3/15/2016 N C Operations Log Data - are deployed or assigned, and when a UNTIL: No Division - Major major incident is resolved. They may longer needed Operations Incidents include date, status, resource assigned, to help Desk etc. address similar incidents in the future THEN: Destrov 55/IOD Intelligence 40194 - Call Tracking These records document statistics about RETAIN 3/15/2016 N I Operations Sheet the types of incidents that are handled on a UNTIL: Division - daily basis by the Operations Desk. One Calendar year Operations sheet is created for each year and is ends Desk updated daily. They may include date, PLUS 5 incident type, resources assigned, daily years counts, etc. THEN: Destroy 55/IOD Intelligence 40195 - Call These records document all calls that are RETAIN 3/15/2016 N I Operations Recordings recorded by the Operations Desk, the UNTIL: Call is Division - Regional Communications Center and the received Operations Watch Desk. They may be used for quality PLUS 90 Desk assurance, evidence and training days ournoses. Thev mav include the audio of

Agency Code Agency Item# Series Title Series Description Retention Approval Versatile Security Level Name Period Date the call, supporting documentation, THEN: etc. Note. recordings of major incidents Destroy mav be ouf/ed and retained in the case file. 55/IOD Intelligence 40196 - Computer These records document data collected by RETAIN 3/15/2016 N I Operations Aided dispatchers about incidents. They include UNTIL: Division - Dispatch 9-1-1 dispatchers from Negaunee, Gaylord, Incident is Operations (CAD) Data respons ble patrol areas, Regional resolved Desk Communications Center, etc. Troopers PLUS 1 year may add more data during and after THEN: incidents. Data may include date, time, Destroy location, incident type, response information, etc. Note. data about major incidents may be pulled and retained in the case file. 55/IOD Intelligence 40197 - Case Files- These records document criminal cases RETAIN 3/15/2016 N I Operations Criminal investigated by MSP. Note: these cases UNTIL: Case Division - are maintained by the MIOC because they is solved and Michigan are not solved, and they are so old that closed (see Intelligence they pre-date current recordkeeping 55/CJIC, item Operations systems. #30369) Center PLUS 50 years THEN: Transfer to the Archives of Michiaan 55/IOD Intelligence 40198 - Case Support These records document cases RETAIN 3/15/2016 N C Operations Materials investigated by MIOC for MSP and other UNTIL: Case Division - law enforcement agencies. They may is closed Michigan include phone records, charts, maps, PLUS 50 Intelligence photos, video, etc. years Operations THEN: Center Destrov 55/IOD Intelligence 40199 - Bulletins These records document notifications about Permanent 3/15/2016 N C Operations intelligence and informational issues. They Division - may be distributed to MSP posts, other law Michigan enforcement agencies, select private sector Intelligence entities, etc. They may address safety Operations concerns, suspicious activity, etc. They Center may include bulletins, supporting documentation etc. 55/IOD Intelligence 40200A - Michigan These records document criminal RETAIN 3/15/2016 N C Operations Criminal intelligence that is collected for analysis UNTIL: Division - Intelligence purposes. However, it was determined that Investigation Michigan System no criminal activity was involved. Data is determines Intelligence (MCIS) Data - maintained in compliance with federal that no crime Operations No Criminal regulations, 28 CFR 23. was involved Center Activitv PLUS 30

Agency Code Agency Item# Series Title Series Description Retention Approval Versatile Security Level Name Period Date days THEN: Destrov 55/IOD Intelligence 40200B - Michigan These records document criminal RETAIN 3/15/2016 N C Operations Criminal intelligence that is collected for analysis UNTIL: Data Division - Intelligence purposes. Data is maintained in is reviewed Michigan System compliance with federal regulations, 28 every 5 years Intelligence (MCIS) Data - CFR23. to determine if Operations Criminal it is still Center Activity relevant to on￾going activity THEN: Destrov 55/IOD Intelligence 40201 - OK2SAY These records document tips submitted via RETAIN 3/15/2016 N C Operations Program a hotline by students about suspicious UNTIL: Tip is Division - Records activity related to public safety. They may submitted Michigan include date, subject, information reported, PLUS 5 Intelligence etc. years Operations THEN: Center Destrov 55/IOD Intelligence 40202 - Phone These records document phone numbers RETAIN 3/15/2016 N C Operations Number Data that are involved in criminal activity. They UNTIL: Data Division - may include a case number and the phone is reviewed Michigan number. every 5 years Intelligence to determine if Operations it is still Center relevant to on￾going activity THEN: Destrov

SCHEDULE I Federal Provisions Addendum The provisions in this addendum may apply if the purchase will be paid for in whole or in part with funds obtained from the federal government. If any provision below is not required by federal law for this Contract, then it does not apply and must be disregarded. If any provision below is required to be included in this Contract by federal law, then the applicable provision applies and the language is not negotiable. If any provision below conflicts with the State’s terms and conditions, including any attachments, schedules, or exhibits to the State’s Contract, the provisions below take priority to the extent a provision is required by federal law; otherwise, the order of precedence set forth in the Contract applies. Hyperlinks are provided for convenience only; broken hyperlinks will not relieve Contractor from compliance with the law. 1. Federally Assisted Construction Contracts. If this contract is a “federally assisted construction contract” as defined in 41 CRF Part 60-1.3, and except as otherwise may be provided under 41 CRF Part 60, then during performance of this Contract, the Contractor agrees as follows: (1) The Contractor will not discriminate against any employee or applicant for employment because of race, color, religion, sex, sexual orientation, gender identity, or national origin. The Contractor will take affirmative action to ensure that applicants are employed, and that employees are treated during employment without regard to their race, color, religion, sex, sexual orientation, gender identity, or national origin. Such action shall include, but not be limited to the following: Employment, upgrading, demotion, or transfer; recruitment or recruitment advertising; layoff or termination; rates of pay or other forms of compensation; and selection for training, including apprenticeship. The Contractor agrees to post in conspicuous places, available to employees and applicants for employment, notices to be provided setting forth the provisions of this nondiscrimination clause. (2) The Contractor will, in all solicitations or advertisements for employees placed by or on behalf of the Contractor, state that all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, or national origin. (3) The Contractor will not discharge or in any other manner discriminate against any employee or applicant for employment because such employee or applicant has inquired about, discussed, or disclosed the compensation of the employee or applicant or another employee or applicant. This provision shall not apply to instances in which an employee who has access to the compensation information of other employees or applicants as a part of such employee's essential job functions discloses the compensation of such other employees or applicants to individuals who do not otherwise have access to such information, unless such disclosure is in response to a formal complaint or charge, in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or is consistent with the Contractor's legal duty to furnish information. (4) The Contractor will send to each labor union or representative of workers with which he has a collective bargaining agreement or other contract or understanding, a notice to be provided advising the said labor union or workers' representatives of the Contractor's commitments under this section, and shall post copies of the notice in conspicuous places available to employees and applicants for employment. (5) The Contractor will comply with all provisions of Executive Order 11246 of September 24, 1965, and of the rules, regulations, and relevant orders of the Secretary of Labor. (6) The Contractor will furnish all information and reports required by Executive Order 11246 of September 24, 1965, and by rules, regulations, and orders of the Secretary of Labor, or pursuant thereto, and will permit access to his books, records, and accounts by the administering agency and the Secretary of Labor for purposes of investigation to ascertain compliance with such rules, regulations, and orders. (7) In the event of the Contractor's noncompliance with the nondiscrimination clauses of this contract or with any of the said rules, regulations, or orders, this Contract may be canceled, terminated, or suspended in whole or in part and the Contractor may be declared ineligible for further Government contracts or federally assisted construction contracts in accordance with procedures authorized in Executive Order 11246 of September 24, 1965, and such other sanctions may be imposed and remedies invoked as provided in Executive Order 11246 of September 24, 1965, or by rule, regulation, or order of the Secretary of Labor, or as otherwise provided by law.

(8) The Contractor will include the portion of the sentence immediately preceding paragraph (1) and the provisions of paragraphs (1) through (8) in every subcontract or purchase order unless exempted by rules, regulations, or orders of the Secretary of Labor issued pursuant to section 204 of Executive Order 11246 of September 24, 1965, so that such provisions will be binding upon each subcontractor or vendor. The Contractor will take such action with respect to any subcontract or purchase order as the administering agency may direct as a means of enforcing such provisions, including sanctions for noncompliance: Provided, however, that in the event a Contractor becomes involved in, or is threatened with, litigation with a subcontractor or vendor as a result of such direction by the administering agency, the Contractor may request the United States to enter into such litigation to protect the interests of the United States. 2. Davis-Bacon Act (Prevailing Wage) a. If applicable, the Contractor (and its Subcontractors) for prime construction contracts in excess of $2,000 must comply with the Davis-Bacon Act (40 USC 3141-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, “Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction”). b. The Contractor (and its Subcontractors) shall pay all mechanics and laborers employed directly on the site of the work, unconditionally and at least once a week, and without subsequent deduction or rebate on any account, the full amounts accrued at time of payment, computed at wage rates not less than those stated in the advertised specifications, regardless of any contractual relationship which may be alleged to exist between the Contractor or subcontractor and the laborers and mechanics; c. The Contractor will post the scale of wages to be paid in a prominent and easily accessible place at the site of the work; d. There may be withheld from the Contractor so much of accrued payments as the contracting officer considers necessary to pay to laborers and mechanics employed by the Contractor or any Subcontractor on the work the difference between the rates of wages required by the Contract to be paid laborers and mechanics on the work and the rates of wages received by the laborers and mechanics and not refunded to the Contractor or Subcontractors or their agents. 3. Copeland “Anti-Kickback” Act. If applicable, the Contractor must comply with the Copeland “Anti-Kickback” Act (40 USC 3145), as supplemented by Department of Labor regulations (29 CFR Part 3, “Contractors and Subcontractors on Public Building or Public Work Financed in Whole or in Part by Loans or Grants from the United States”), which prohibits the Contractor and subrecipients from inducing, by any means, any person employed in the construction, completion, or repair of public work, to give up any part of the compensation to which he or she is otherwise entitled. 4. Contract Work Hours and Safety Standards Act. If the Contract is in excess of $100,000 and involves the employment of mechanics or laborers, the Contractor must comply with 40 USC 3702 and 3704, as supplemented by Department of Labor regulations (29 CFR Part 5), as applicable. 5. Rights to Inventions Made Under a Contract or Agreement. If the Contract is funded by a federal “funding agreement” as defined under 37 CFR §401.2 (a) and the recipient or subrecipient wishes to enter into a contract with a small business firm or nonprofit organization regarding the substitution of parties, assignment or performance of experimental, developmental, or research work under that “funding agreement,” the recipient or subrecipient must comply with 37 CFR Part 401, “Rights to Inventions Made by Nonprofit Organizations and Small Business Firms Under Government Grants, Contracts and Cooperative Agreements,” and any implementing regulations issued by the awarding agency. 6. Clean Air Act. If this Contract is in excess of $150,000, the Contractor must comply with all applicable standards, orders, and regulations issued under the Clean Air Act (42 USC 7401-7671q) and the Federal Water Pollution Control Act (33 USC 1251-1387). Violations must be reported to the federal awarding agency and the regional office of the Environmental Protection Agency. 7. Debarment and Suspension. A “contract award” (see 2 CFR 180.220) must not be made to parties listed on the government-wide exclusions in the System for Award Management (SAM), in accordance with the OMB guidelines at 2 CFR 180 that implement Executive Orders 12549 (3 CFR part 1986 Comp., p. 189) and 12689 (3 CFR part 1989 Comp., p. 235), “Debarment and Suspension.” SAM Exclusions contains the names of parties debarred,

suspended, or otherwise excluded by agencies, as well as parties declared ineligible under statutory or regulatory authority other than Executive Order 12549. 8. Byrd Anti-Lobbying Amendment. If this Contract exceeds $100,000, bidders and the Contractor must file the certification required under 31 USC 1352 which certification is attached to this addendum. 9. Procurement of Recovered Materials. Under 2 CFR 200.322, a non-Federal entity that is a state agency or agency of a political subdivision of a state and its contractors must comply with section 6002 of the Solid Waste Disposal Act, as amended by the Resource Conservation and Recovery Act. The requirements of Section 6002 include procuring only items designated in guidelines of the Environmental Protection Agency (EPA) at 40 CFR part 247 that contain the highest percentage of recovered materials practicable, consistent with maintaining a satisfactory level of competition, where the purchase price of the item exceeds $10,000 or the value of the quantity acquired during the preceding fiscal year exceeded $10,000; procuring solid waste management services in a manner that maximizes energy and resource recovery; and establishing an affirmative procurement program for procurement of recovered materials identified in the EPA guidelines.

Byrd Anti-Lobbying Certification The following certification and disclosure regarding payments to influence certain federal transactions are made under FAR 52.203‐11 and 52.203‐12 and 31 USC 1352, the “Byrd Anti‐Lobbying Amendment.” Hyperlinks are provided for convenience only; broken hyperlinks will not relieve Contractor from compliance with the law. 1. FAR 52.203‐12, “Limitation on Payments to Influence Certain Federal Transactions” is hereby incorporated by reference into this certification. 2. The bidder, by submitting its proposal, hereby certifies to the best of his or her knowledge and belief that: a. No federal appropriated funds have been paid or will be paid to any person for influencing or attempting to influence an officer or employee of any agency, a member of Congress, an officer or employee of Congress, or an employee of a member of Congress on his or her behalf in connection with the awarding of any federal contract, the making of any federal grant, the making of any federal loan, the entering into of any cooperative agreement, and the extension, continuation, renewal, amendment or modification of any federal contract, grant, loan, or cooperative agreement; b. If any funds other than federal appropriated funds (including profit or fee received under a covered federal transaction) have been paid, or will be paid, to any person for influencing or attempting to influence an officer or employee of any agency, a member of Congress, an officer or employee of Congress, or an employee of a member of Congress on his or her behalf in connection with this solicitation, the bidder must complete and submit, with its proposal, OMB standard form LLL, Disclosure of Lobbying Activities, to the Solicitation Manager; and c. He or she will include the language of this certification in all subcontract awards at any tier and require that all recipients of subcontract awards in excess of $150,000 must certify and disclose accordingly. 3. This certification is a material representation of fact upon which reliance is placed at the time of Contract award. Submission of this certification and disclosure is a prerequisite for making or entering into this Contract under 31 USC 1352. Any person making an expenditure prohibited under this provision or who fails to file or amend the disclosure form to be filed or amended by this provision is subject to a civil penalty of not less than $10,000, and not more than $100,000, for each such failure. Signed by: _____________________ [Type name and title] [Type company name] Date: ________________

Filters SVG