HomeMy WebLinkAboutDS Information Technology Services Agreement Renewal____________________________________________________________________________________
FOR CITY CLERK ONLY
Council Meeting: October 2, 2023
Disposition: Authorized the City Manager to execute a general service agreement with addendum
with Xantrion, Inc., for information technology services from November 1, 2023 through October
31, 2024 in an amount not to exceed $1,131,000
Agenda Item No: 4.b
Meeting Date: October 2, 2023
SAN RAFAEL CITY COUNCIL AGENDA REPORT
Department: Digital Service & Open Government
Prepared by: Sean Mooney, Director City Manager Approval: ______________
TOPIC: INFORMATION TECHNOLOGY SERVICES AGREEMENT RENEWAL
SUBJECT: AUTHORIZE THE CITY MANAGER TO EXECUTE A GENERAL SERVICE
AGREEMENT WITH ADDENDUM WITH XANTRION, INC., FOR INFORMATION
TECHNOLOGY SERVICES FROM NOVEMBER 1, 2023 THROUGH OCTOBER 31,
2024 IN AN AMOUNT NOT TO EXCEED $1,131,000
RECOMMENDATION:
Authorize the City Manager to execute a general service agreement with addendum with Xantrion, Inc.,
for information technology services from November 1, 2023, through October 31, 2024, in an amount not
to exceed $1,131,000.
BACKGROUND:
In May 2019, the Department of Digital Service and Open Government published a Request for Proposals
for a managed-service provider to address the City’s information technology systems and assembled an
evaluation team with representatives from the Police, Fire, Library & Recreation, and Public Works
departments. The City received eight proposals. At the end of the evaluation process, Xantrion (from
Oakland, CA) was selected as the preferred vendor to partner with the City by providing the following
services:
•Technical support (“help desk”)
•Network, server, and database administration
•Equipment purchasing
•User account management
•Data backup and recovery
•Network monitoring and security
The City entered into an agreement with Xantrion in October 2019 for managed IT services across all
Departments. The City Council has approved renewing that one-year agreement for the past three years
in October 2020, October 2021, and October 2022, respectively.
In the past four years, Xantrion has helped the City improve cyber-security, supported network projects
and citywide network resilience, streamlined day-to-day tech support, improved customer service, and
SAN RAFAEL CITY COUNCIL AGENDA REPORT / Page: 2
standardized user management and purchasing. As of September 15, 2023, Xantrion has processed
2,749 support tickets since November 1, 2022, and completed the following IT projects:
• Proactive Computer Replacement – Replaced 60 end-of-life computers and worked with staff
to migrate their software, files, and settings to the new systems.
• Disaster Recovery Environment – Developed a Disaster Recovery environment to improve the
recovery time objective to hours from days or weeks in the event of a catastrophic failure at the
Public Safety Center, equipment failure, or ransomware scenario. Xantrion saved funds by
repurposing end-of-life equipment to City Hall and synced existing production systems from the
Public Safety Center.
• Azure Multi Factor Authentication (MFA) Enhancements – Worked to improve cybersecurity
by requiring number matching and providing the application requesting access and location
context to the MFA request.
• Fire Station 55 Retrofit – Deployed new IT infrastructure at Fire Station 55, including internet
service providers, networking equipment, WIFI, telephones, and relocated computers and
printers.
• Fire Station 54 Retrofit – The team deployed new IT infrastructure at Fire Station 54 including
internet service providers, networking equipment, WIFI, telephones, and relocated computers and
printers.
• LastPass Breach Mitigation – After a breach at LastPass, Xantrion worked with staff members
to re-encrypt password vaults hosted by LastPass to avoid security risks in San Rafael.
• Office 365 Teams/SharePoint Migrations – The Xantrion team is supporting the Office 365 data
migration and completed data migrations for the City Attorney, City Clerk, Digital Service,
Economic Development, Human Resources, Parking Services, Sanitation District, Community
Development, City Council Meeting Preparation, and Sustainability. The remaining Departments
are aiming to be completed before the calendar year.
• Mobile Device Management (MDM) Migration – Migrated public safety mobile devices from the
AirWatch MDM solution to Microsoft for more functionality and reduced costs. MDM allows the
City to manage and secure data and services on City-owned devices proactively.
• Security Information and Event Management (SIEM) System - Deployed Azure Sentinel to
improve cybersecurity detection and response by aggregating log data and applying detection of
suspicious activity capabilities to be triaged by Xantrion’s Security Operations Center (SOC). A
SEIM system will help the City recognize and address potential security threats and vulnerabilities
before they have a chance to disrupt Citywide operations.
• Radius Based WIFI – Deployed a WIFI system that securely and automatically connects City
owned laptops to the city network without staff interaction at City Hall and the PSC. This improves
the secure access of the City network by trusted machines.
• Replaced Police Department Mall Substation ISP & Firewall – Replaced the legacy T1
connection with a new internet service provider (ISP) that provides increased performance at a
lower cost for the Police Department’s satellite office in Terra Linda.
• Deployed Single Sign On (SSO) for Axon Evidence and NextRequest - Streamlined staff
access and improved security by leveraging the City’s identity and access management system
for these applications, including multi-factor authentication (MFA).
• LaserFiche Upgrade – Worked with the City Clerk to upgrade Laserfiche to the newest version.
SAN RAFAEL CITY COUNCIL AGENDA REPORT / Page: 3
• Windows 2012 Server upgrades – Improved the security of the network by upgrading 19 servers
that will reach end of life by year end.
ANALYSIS:
The cost of the November 1, 2022 – October 31, 2023 agreement with Xantrion was $1,068,350. Last
year, the City changed the pricing structure from a device-based model to an active-user-based model
to avoid potential impacts on long- term cost increases of new devices across the City. This approach
accommodated users who do not open tickets with Xantrion and mitigated fluctuations in the City’s hiring
where there is not a significant impact on Xantrion’s ticket workload (i.e., Spring and Summer months
when lifeguards and swim instructors are brought on board). Xantrion has proposed a 5% per user
increase in monthly costs to accommodate increases in operational costs due to inflation and cost of
living adjustments for their staff. Additional monthly costs include monthly backup of City data and hosting
our Security Event and Information Management system which assists in the detection, analysis, and
response to potential security threats.
Other changes to this agreement include reducing Xantrion’s Cybersecurity insurance coverage from
$10,000,000 to $5,000,000. This reduction is due to increased insurance rates and Xantrion’s goal to
better align with insurance practices in the industry. They have assured the City that the $5,000,000 rate
is enough to guarantee business continuity in the case of a disaster or if they were to be found negligent.
The City carries $5,000,000 in cybersecurity liability coverage as part of our insurance coverage with
California Joint Powers Risk Management Authority (CJPRMA) The change to Xantrion’s liability
coverage does not impact the City’s cybersecurity insurance coverage.
The proposed renewal is for one year, beginning November 1, 2023, and ending October 31, 2024. The
price for service with Xantrion remains competitive, and their service level and customer satisfaction with
City staff remains high.
2022-23 2023-24
(5% per user increase)
Annual Cost $1,068,350 $ 1,131,000
FISCAL IMPACT:
The total amount of the proposed new agreement is $1,131,000, and the estimated cost from November
1, 2023, to June 30, 2024, is $773,883, which funds were appropriated through the FY 2023-24 budget
in the Technology Fund (fund 601). The remaining $ 357,116, to cover the cost from July 1, 2024 to
October 31, 2024, is planned for inclusion in the FY 2024-25 budget.
OPTIONS:
The City Council has the following options to consider on this matter:
1. Authorize the City Manager to execute a general service agreement with addendum with Xantrion,
Inc., for information technology services from November 1, 2023, through October 31, 2024, in
an amount not to exceed $1,131,000.
2. Direct staff to return with more information.
3. Take no action.
RECOMMENDED ACTION:
SAN RAFAEL CITY COUNCIL AGENDA REPORT / Page: 4
Authorize the City Manager to execute a general service agreement with addendum with Xantrion, Inc.,
for information technology services from November 1, 2023, through October 31, 2023, in an amount not
to exceed $1,131,000.
ATTACHMENTS:
1. Xantrion General Service Agreement and Addendum
GENERAL SERVICE AGREEMENT
XANTRION INC.
AND
CITY OF SAN RAFAEL
866.926.8746
www.xantrion.com
15834843 4
ABLE OF CONTENTS
1 Services................................................................................................................................................. 4
1.1 Statement of Work.......................................................................................................................4
1.2 Personnel......................................................................................................................................4
2 Terms of Payment.................................................................................................................................4
2.1 Services Fees; Equipment and Software Costs.............................................................................4
2.2 Overdue Payments........................................................................................................................5
2.3 Taxes.............................................................................................................................................
5
3 Term, Termination................................................................................................................................5
3.1 Term..............................................................................................................................................5
3.2 Termination for Convenience.......................................................................................................5
3.3 Termination for Cause..................................................................................................................
5
3.4 Effect of Termination....................................................................................................................6
3.5 Survival..........................................................................................................................................6
4 Equipment, Software and Supplies.......................................................................................................
6
4.1 Equipment; Software; Supplies.....................................................................................................
6
4.2 Limited Warranty..........................................................................................................................7
5 Independent Contractor Status............................................................................................................7
6 Non-Solicitation....................................................................................................................................
7
7 Unauthorized Access to Data or Use of the Services............................................................................
7
8 No Warranties; Limitations of Liability; Indemnification......................................................................8
8.1 No Warranties...............................................................................................................................8
8.2 Limitation of Liability....................................................................................................................
8
8.3 Indemnification.............................................................................................................................
8
9 Confidentiality.......................................................................................................................................9
9.1 Definition......................................................................................................................................
9
9.2 Confidentiality...............................................................................................................................9
9.3 Access to Systems.........................................................................................................................
9
10 Compliance.........................................................................................................................................10
10.1 Protection of Personally Identifiable Information......................................................................10
10.2 Compliance with Laws Applicable to Client................................................................................10
10.3 Compliance with Software Manufacturer's Licensing and Allowed Usage Requirements .........
11
11 Security Incident Response.................................................................................................................11
11.1 Obligations..................................................................................................................................11
11.2 Disclaimer...................................................................................................................................11
13 Other Insurance Provisions.................................................................................................................12
14 Harassment Free Workplace; Nondiscrimination...............................................................................
13
15 Miscellaneous.....................................................................................................................................13
15.1 Notices........................................................................................................................................13
15.2 Governing Law............................................................................................................................13
15.3 Remedies.................................................................................................................................... 13
15.4 Dispute Resolution; Attorney's Fees........................................................................................... 13
15.5 Force Majeure............................................................................................................................. 15
866.926.8746 2 www.xantrion com
15834843 4
15.6 Headings.....................................................................................................................................
15
15.7 Severability.................................................................................................................................
15
15.8 No Waiver...................................................................................................................................
15
15.9 No Assignment............................................................................................................................
15
15.10 City Business License / Other Taxes............................................................................................16
15.11 Entire Agreement; Modification.................................................................................................
16
16 Counterparts.......................................................................................................................................17
Exhibit A -Addendum To The General Service Agreement Information Technology Services
19
866.926.8746 3 www.xantrion.com
15834843 4
GENERAL SERVICE AGREEMENT
This General Service Agreement, including any attachments referenced herein and made a part hereof (this
"Agreement"), is entered into as of November 1, 2023 (the "Effective Date"), by and between Xantrion, Inc., a
California corporation ("Xantrion"), with offices at 651 20th Street, First Floor, Oakland, CA 94612, and City of
San Rafael with offices at 1400 Fifth Avenue, San Rafael, CA 94901 ("Client").
1 Services
1.1 Statement of Work
Xantrion shall provide the services (the "Services") as described in the Addendum To The General Service
Agreement Information Technology Services of even date herewith, attached as Exhibit A hereto and
incorporated herein by reference ("Addendum"). The Services shall be performed and delivered in a
workmanlike manner in accordance with generally recognized industry standards for computer consultants
performing similar services.
1.2 Personnel
Xantrion, acting as an independent contractor, shall engage employees, consultants, or subcontractors
("Xantrion Personnel") to provide the Services specifically outlined in the Addendum, and Xantrion shall be fully
and directly responsible for all Xantrion Personnel. Xantrion shall (i) provide competent and qualified personnel
to perform the Services; (ii) ensure that it complies with all laws, regulations, ordinances and licensing
requirements; (iii) ensure Xantrion Personnel performing any Services on Client's premises comply with any
applicable Client guidelines as provided to Xantrion from time to time, including, but not limited to, any data
security policies; and (iv) determine the method, detail, and means of performing the Services under this
Agreement.
2 Terms of Payment
2.1 Services Fees; Equipment and Software Costs
Unless otherwise agreed to in writing by the parties, payment for Services by Xantrion ("Service Fees") rendered
and any equipment, software, licenses, 3rd party services, hardware, parts and supplies ("Supplies") shall be due
within forty-five (45) days from the date of the applicable invoice provided by Xantrion to Client. If Xantrion
does not receive payment within such forty-five (45) day -period, Xantrion shall have the option to suspend the
Services without any liability until payment is received.
866 926 8746
4
www xantrion.corn
15834843 4
2.2 Overdue Payments
Interest shall accrue on any delinquent amounts owed by Client to Xantrion at the rate of [0.8333% per month.
In the event of a good faith dispute related to the invoices submitted by Xantrion, Client shall notify Xantrion in
writing setting forth the reasons of such dispute, and the parties shall cooperate to resolve such dispute.
2.3 Taxes
Client shall be responsible for any applicable sales or use taxes on any amounts payable by Client hereunder.
Term, Termination
3.1 Term
Unless sooner terminated, the term of this Agreement, and the applicable Services requested asset forth in the
accompanying Addendum shall be for one (1) year commencing on the Effective Date ("Term") and shall continue
during the Term unless this Agreement is otherwise terminated sooner in accordance with Section 3.2 or Section
3.3. During this Term, Xantrion shall not increase its fee rates over and above the rates charged on Services provided
as of the Effective Date. New Services added during the Term may be charged at Xantrion's then -current rates. The
termination of any Service shall not modify any Term of this Agreement. The termination of this Agreement shall
immediately terminate any and all Services executed hereunder.
3.2 Termination for Convenience
Either party may terminate this Agreement or any applicable Service at any time without cause upon at
least ninety (90) days' prior written notice to the other party. In the event that either party elects to
terminate this Agreement pursuant to this Section 3.2, Xantrion agrees to provide sufficient efforts and
cooperation to ensure an orderly and efficient transition of Services to Client or another service provider,
whichever Client elects, at Xantrion's then -current time and materials rates.
3.3 Termination for Cause
Either party may terminate this Agreement or any applicable Service for Cause (as defined below)
immediately upon written notice to the other party.
For purposes of this Agreement, "Cause" means: (i) Client's failure to pay any amount due within thirty (30)
days of the applicable due date; (ii) a party's conviction of, or plea of nolo contendere to, any felony, or any
other crime involving fraud, embezzlement, or act of moral turpitude; (iii) a party's unauthorized use or
disclosure of any Confidential Information or other proprietary information of the other party or any other
866.926.8746
www.xantrion.com
1583�1843 1
party to whom the offending party owes an obligation of nondisclosure as a result of the parties' relationship;
(iv) a material breach of this Agreement by a party which is incapable of cure, or with respect to a material
breach capable of cure, is not cured within thirty (30) days after receipt of written notice from the affected
party of such breach; (v) a dissolution or liquidation of any party, or any corporate action taken by any party
for such purpose; (vi) any party's insolvency or admission of its inability to pay its debts generally as they
become due; or (vii) any party's voluntary filing of a bankruptcy petition or general assignment for the benefit
of creditors.
3.4 Effect of Termination
Upon termination of this Agreement, Xantrion shall not be obligated to provide any further Services to Client
and Xantrion shall have the right to remove any equipment or other Supplies belonging to Xantrion which has
been installed or placed at Client's location for the performance of the Services hereunder. Client shall pay all
outstanding invoices, as well as any invoices which may be submitted to Client following the date of termination
for Services Fees or Supplies or costs incurred up to the date of termination, within ten (10) days of the date of
termination or within thirty (30) days of the date of the invoice, whichever is later. Upon termination of this
Agreement for any reason, each party shall (i) return to the other party or destroy all documents and tangible
materials (and any copies) containing, reflecting, incorporating or based on the other party's Confidential
Information, (ii) permanently erase all of the other party's Confidential Information from its computer systems,
and (iii) if requested by the other party, provide written confirmation within ten (10) days of receiving such
request that it has complied with the requirements of this section.
3.5 Survival.
The terms of Sections 2, 3, 4, 5, 7, 8, 9, and 15 shall survive the termination of this Agreement.
4 Equipment, Software and Supplies
4.1 Equipment; Software; Supplies
Xantrion is not responsible for compatibility issues, project delays, or other problems with Supplies (i) provided
by Client, (ii) purchased by Client through a third party, or (iii) manufactured by a third party and purchased by
Client from Xantrion (collectively, "Third Party Products") except if expressly recommended by Xantrion.
Notwithstanding anything contained herein to the contrary, in the event Xantrion installs a Third Party Product
and such Third Party Product fails within ninety (90) days of installation, Xantrion will provide the labor to re-
install the product free of charge.
866.926.8746
www.xantrion.com
15834843 4
4.2 Limited Warranty
Xantrion represents and warrants to Client that the Supplies, processes, and procedures employed, used, and
operated by Xantrion in providing the Services will be sufficient to provide the Services at the levels of reliability
represented in the description and definition of the Services.
Third Party Products purchased through Xantrion are warrantied by their respective manufacturers and any
applicable manufacturer's warranties will be passed through to the Client. Xantrion will only accept returns on
such Third Party Products if they are defective and returned within thirty (30) days of Client's receipt of such
Third Party Product.
5 Independent Contractor Status
Client and Xantrion acknowledge and agree that: (i) Xantrion is an independent Contractor, (ii) the parties are
not engaged in a joint venture, partnership, employment, or fiduciary relationship; and (iii) neither party is
authorized to act as agent or incur any obligation on behalf of the other.
6 Non -Solicitation
Client acknowledges that Xantrion will recruit and train personnel to provide Services for Client under this
Agreement, and that this is a costly and time-consuming endeavor. Client therefore agrees not to directly, or
indirectly through a third party, solicit, induce, recruit for employment, or attempt to solicit, induce, or recruit
for employment, any Xantrion personnel who has performed Services for Client under this Agreement to provide
the same or similar services. Client shall comply with this obligation during the term of this Agreement, and for
a period of twelve (12) consecutive months after termination. Client shall be relieved of its obligations under this
provision if Client first pays Xantrion the sum of the actual cost of retaining and training individual personnel.
The Parties further agree that this amount shall be no less than $60,000 per individual personnel, which Client
agrees accurately reflects the minimum reasonable value of Xantrion's time and costs with respect to recruiting
and training personnel to work for Client. Notwithstanding any other provisions in this Agreement, the parties
retain all legal remedies, at law or equity, upon violation of this provision.
7 Unauthorized Access to Data or Use of the Services
Xantrion is not responsible to Client for unauthorized access to the electronic data of Client stored on Xantrion's
servers ("Client Data") or the unauthorized use of the Services unless such unauthorized access or use results
from Xantrion's failure to meet its obligations described in the Agreement. Client is responsible for the use of
the Services by any employee or consultant of Client, other than Xantrion, any person to whom Client has given
access to the Client Data, and any person who gains access to the Client Data or Services as a result of Client's
failure to use reasonable security precautions, even if such use was not authorized by Client.
866.926.8746
\A/ww xantrion.com
1583118a3 4
8 No Warranties; Limitations of Liability; Indemnification
8.1 No Warranties
EXCEPT AS PROVIDED IN SECTION 1.1 (SERVICES) AND SECTION 4.2 (LIMITED WARRANTY), XANTRION
EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH REGARD TO
THE SERVICES PROVIDED HEREUNDER, AND WITH REGARD TO ANY THIRD PARTY PRODUCTS, INCLUDING IN
EACH CASE ANY WARRANTY OF NON -INFRINGEMENT, AND ANY AND ALL WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE OR ARISING FROM THE COURSE OF DEALING BETWEEN THE PARTIES
OR USAGE OF TRADE. THESE DISCLAIMERS OF WARRANTY AND LIMITATIONS OF LIABILITY CONSTITUTE AN
ESSENTIAL PART OF THIS AGREEMENT.
8.2 Limitation of Liability
IN NO EVENT WILL XANTRION, WHETHER IN CONTRACT, TORT, EQUITY OR OTHERWISE, BE LIABLE FOR: (1)
ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES (EVEN IF SUCH
DAMAGES ARE FORESEEABLE, AND WHETHER OR NOT EITHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED
WARRANTY.); OR (II) COSTS OF PROCUREMENT OF SUBSTITUTE PRODUCTS OR SERVICES, SUPPLIES, LOST
PROFITS, LOSS OF DATA; OR (III) ANY DIRECT DAMAGES ARISING FROM OR RELATING TO THIS AGREEMENT,
TO THE EXTENT THAT THE AGGREGATE AMOUNT OF SUCH DAMAGES EXCEEDS THE AGGREGATE SERVICES
FEES ACTUALLY PAID BY CLIENT HEREUNDER IN THE SIX (6) CALENDAR MONTHS BEFORE SUCH CLAIM AROSE;
PROVIDED THAT SUCH LIMITATION OF LIABILITY SHALL NOT EXTEND TO DIRECT DAMAGES INCURRED AS A
RESULT OF THE WILLFUL MISCONDUCT OF XANTRION OR ITS EMPLOYEES. THE PARTIES AGREE THAT THE
LIMITATIONS IN THIS SECTION ARE INTEGRAL TO THE AMOUNT OF FEES CHARGED IN CONNECTION WITH THIS
AGREEMENT AND THAT, WERE XANTRION TO ASSUME ANY FURTHER LIABILITY, SUCH FEES WOULD OF
NECESSITY HAVE BEEN SUBSTANTIALLY HIGHER.
8.3 Indemnification
To the fullest extent permitted by law subject to the limitations set forth in this Agreement„ Xantrion shall
indemnify and hold harmless, and defend the Client, its officers, agents, employees and volunteers (collectively,
the "Client Indemnitees") from and against any and all suits, actions, legal proceedings, claims, demands,
damages, losses and expenses which may be made by individuals or organizations, including, but not limited to
attorneys' fees, expert fees and all other costs and fees of litigation (each a "Claim" and collectively the "Claims"),
arising out of or resulting from the Xantrion's negligence or willful misconduct in the performance of the Services.
The acceptance or approval of Xantrion's Services by Client or any of its directors, officers or employees shall not
relieve or reduce Xantrion's indemnification obligations. However, to the extent that any Claim arises from,
relates to, or is in connection with, the negligence or willful misconduct of the Client Indemnitees, or any of them,
then Xantrion's indemnification obligation and liability hereunder for the Claim shall be reduced in proportion to
the Client Indemnitees' total share of liability for the Claim as a result of the Client Indemnitees' negligence or
willful misconduct.
866.926.8746 8 www xantrion.com
9 Confidentiality
9.1 Definition
The term "Confidential Information" as used in this Agreement shall mean any information disclosed, directly or
indirectly, by a party (the "Discloser") to the other party (the "Recipient") that may reasonably be considered
proprietary or confidential including, without limitation, the Discloser's operational and business methods and
practices, economic and financial information, know-how, recommendations, instructional methods, Client Data
(as defined below), software and information systems, technical processes, products, product designs,
machinery, research and development, intellectual property, and any material embodiments thereof.
Notwithstanding the foregoing, the term "Confidential Information" shall not include any information that (i) is
or becomes generally available to the public other than as a result of the Recipient's breach of this agreement;
(ii) is or becomes available to the Recipient on a non -confidential basis from a third -party source, provided that
such third party is not and was not prohibited from disclosing such Confidential Information; (iii) was in
Recipient's possession prior to the Discloser's disclosure hereunder; or (iv) was or is independently developed by
Recipient without using any Confidential Information.
9.2 Confidentiality
The Recipient agrees to (i) take reasonable measures to protect and safeguard the confidentiality of, and avoid
disclosure and unauthorized use of, the Discloser's Confidential Information with at least the same degree of
care as the Recipient would protect its own Confidential Information, but in no event with less than a
commercially reasonable degree of care; (ii) not use the Discloser's Confidential Information, or permit it to be
accessed or used, for any purpose other than to exercise its rights or perform its obligations under this
Agreement; and (iii) not disclose any such Confidential Information to any person or entity, except as required to
assist the Recipient to,exercise its rights or perform its obligations under this Agreement.
Disclosure of Confidential Information is not prohibited if such disclosure is compelled pursuant to a legal
proceeding or is otherwise prescribed by law. If the Recipient receives a request to disclose any Confidential
Information pursuant to the order or requirement of a court, administrative agency, or other governmental
body, the Recipient, prior to disclosing any Confidential Information, and, except as may be prohibited by law,
will notify the Discloser of such requirements to afford the Discloser the opportunity to seek a protective order
or other remedy.
9.3 Access to Systems
Xantrion representatives and contractors, shall only access Client systems and data as is necessary to perform
the Services agreed to. Client understands that Xantrion representatives may share access with other vendors
866.926.8746
www.xantrion com
1383d8J', -t
to the limited extent required to perform the Services. Notwithstanding the foregoing, when access to criminal
justice data or systems is necessary to perform the Services, Xantrion agrees that its designated representatives
will comply with Client's requirements for access to such systems and information, including but not limited to
fingerprinting and a satisfactory background check, as a precondition to being granted access to those systems
or data.
10 Compliance
None of the Services or underlying information or technology may be downloaded, exported, or re-exported
into any country to which the United States has embargoed goods, or to any individual or entity that has been
denied export privileges by the U.S. Treasury Department or the U.S. Department of Commerce. By using the
Services, Client is agreeing to the foregoing and Client is representing and warranting that Client is not a national
resident of, or located in or under the control of, any country subject to such export controls.
10.1 Protection of Personally Identifiable Information
The parties agree to use commercially reasonable security precautions to protect Personally Identifiable
Information, "PII", (as hereafter defined) transmitted to or from, or stored at, Xantrion's data centers. Client
must comply with the laws applicable to Client's use of the Services and with Xantrion's policies and procedures,
as may be amended. Client agrees to cooperate with Xantrion's reasonable investigation of Service outages,
security problems, and any suspected breach. For purposes of this Agreement, "PII" means (i) any information
that identifies an individual, such as name, social security number or other government issued number, date of
birth, address, telephone number, biometric data, mother's maiden name, or other personally identifiable
information; (ii) any "non-public personal information" as that term is defined in the Gramm -Leach -Bliley Act
found at 15 USC Subchapter 1, § 6809(4), and (iii) any "protected health information" as defined in the Health
Insurance Portability and Accountability Act of 1996 ("HIPAA").
The parties agree to comply with the applicable provisions of HIPAA, the requirements of any regulations
promulgated thereunder including, without limitation, the federal privacy regulations as contained in 45 CFR
Parts 160 and 164 (the "Federal Privacy Standards"), the Electronic Transaction Standards (45 CFR Parts 160 and
162) the Security Standards (45 CFR Parts 160, 162 and 164), and the Health Information Technology for
Economic and Clinical Health Act (the "HITECH Act"), Public Law 111-05 and regulations promulgated thereafter.
The parties further agree to comply with the applicable provisions of the PROTECT Our Children Act contained in
42 USC 13032 and 18 USC 2258A .
10.2 Compliance with Laws Applicable to Client
As it pertains to Client's Confidential Information and/or Data stored or managed by Xantrion, Xantrion will
comply with any and all confidentiality, security, privacy and or compliance requirements, rules and/or
regulations imposed on Client by local, state or federal authorities, agencies, regulatory agreements and or laws
866.926 8746
10
www.xantrion.com
1583418,13 u
to the extent Client has provided to Xantrion in writing the specific requirements to satisfy said confidentiality,
security, privacy and or compliance requirements, rules and/or regulations.
10.3 Compliance with Software Manufacturer's Licensing and Allowed Usage Requirements
Client acknowledges its obligation to comply with all provisions of software manufacturer's licensing and
allowed usage requirements. Client agrees to honor the provisions of the "Microsoft Cloud Agreement"
incorporated herein by reference.
11 Security Incident Response
11.1 Obligations
Xantrion acknowledges its obligation to support Clients in the event of a Security Incident. Services we will
perform and the basis on which they will be billed are described in the Addendum — Services.
11.2 Disclaimer
Xantrion does not represent that any service will prevent a security incident. Nor do we represent that we have
legal expertise or expertise in forensic investigations. Clients are advised to consider purchasing cyber-liability
policies to protect against the risk of a security incident. In the event of an incident, Client is advised to contact
their own legal counsel to determine their obligations to report an incident, and to notify their insurance carrier
of a potential claim and to permit the insurance company or its designated agents to conduct any investigation.
12 INSURANCE
During the term of this Agreement, Xantrion shall, at its own expense, maintain and carry insurance with
financially sound and reputable insurers, in full force and effect that includes, but is not limited to:
Insurance Type
Description of Liability covered
Aggregate
Limit
Cyber Liability, Privacy/Network
Data breach of our systems or a Client system for which we
$5 mm
Security, Cyber Crime & Cyber
are liable Including forensic costs, notification costs, credit
Deception Endorsement
or identity protection, extortion, regulatory action, fines and
penalties. and business interruption.
Third Party Crime
Third Party Crime
$250 K
866.926 8746
11
www Xantrion com
1583�'843 rl
Commercial General Liability
Bodily injury, personal injury and property damage caused
$2 mm
by the business' operations, products, or injury that occurs
on the business' premises.
Errors and Omissions Liability
Claims made by Clients for failure to provide products or
$10 mm
services, inadequate work or negligent actions.
Workers Compensation
On the job injury
$1 mm
Employment Practices Liability
Claims made by employees alleging discrimination (based on
$1 mm
sex, race, age or disability, for example), wrongful
termination, harassment and other employment -related
issues, this also extends to Third Party —Clients, Vendors,
etc.
13 Other Insurance Provisions
13.1 Except for professional liability insurance or worker's compensation insurance, the insurance policies shall be
specifically endorsed to include Client, its officers, agents, employees, and volunteers, as additional insureds under
the policies.
13.2 The additional insured coverage under Xantrion's insurance policies shall be "primary and noncontributory'
with respect to any insurance or coverage maintained by Client and shall not call upon Client's insurance or self-
insurance coverage for any contribution. The "primary and noncontributory" coverage in Xantrion's policies shall be
at least as broad as ISO form CG20 010413.
13.3 Except for professional liability insurance or worker's compensation insurance, the insurance policies shall
include, in their text or by endorsement, coverage for contractual liability and personal injury.
13.4 By execution of this Agreement, Xantrion hereby grants to Client a waiver of any right to subrogation
which any insurer of Xantrion may acquire against Client by virtue of the payment of any loss under such
insurance. Xantrion agrees to obtain any endorsement that may be necessary to effect this waiver of
subrogation, but this provision applies regardless of whether or not Client has received a waiver of subrogation
endorsement from the insurer.
13.5 Xantrion's worker's compensation insurance shall be specifically endorsed to waive any right of
subrogation against Client.
13.6 Xantrion shall cooperate with Client in providing Client with copies of all insurance provisions or
endorsements required by this Agreement.
866.926.8746 12 www.xantrion.com
15834843 4
14 Harassment Free Workplace; Nondiscrimination
Xantrion and Client mutually commit too bservingthe highest standards of conduct in maintaining an environment
that is free of discrimination, including harassment of any kind and on the basis of a legally protected status.
Accordingly, Xantrion and Client will not tolerate any form of harassment against anyone, including employees,
vendors, independent contractors, or guests. Xantrion and Client understand and acknowledge their legal
obligation both, not to engage in, and to report any unwelcome conduct, whether verbal, physical, sexual, or
visual, and that is based upon a person's protected status. Xantrion and Client shall not discriminate, in anyway,
against any person on the basis of age, sex, race, color, religion, ancestry, national origin or disability in connection
with or related to the performance of their duties and obligations under this Agreement.
1s Miscellaneous
15.1 Notices
All notices under this Agreement shall be sent to a party at the respective address indicated in the introductory
paragraph hereof, or to such other address as such party shall have notified the other in writing. All such notices
so addressed shall be deemed duly given (a) upon delivery, if delivered by courier or by hand (against receipt);
or (b) three days after posting, if sent by certified or registered mail, return receipt requested.
15.2 Governing Law
This Agreement shall be construed and controlled by the laws of the State of California, without reference to
conflicts of law principles. To the extent that any lawsuit is permitted under this Agreement, the parties hereby
expressly consent to the personal and exclusive jurisdiction and venue of the state and federal courts located in
Marin County, California.
15.3 Remedies
The parties agrees that remedies at law for a breach or threatened breach of any of the provisions of this
Agreement, including any disclosure or use of the Confidential Information, may be inadequate and, in
recognition of this fact, in addition to all other remedies available at law, the parties will be entitled to seek
specific performance or injunctive relief to enforce the terms of this Agreement.
15.4 Dispute Resolution; Attorney's Fees
Xantrion and Client agree to each use its best efforts to mutually resolve any claim, controversy, liability or
dispute arises between the parties relating to or in connection in any way with this Agreement or its
interpretation, validity or enforcement (collectively, "Disputes" or, in the singular, "Dispute").
866.926,8746 13 www xantricn.com
1583,18113 4
Failing that, and unless otherwise agreed by the parties in writing, such dispute shall be adjudicated by final,
binding arbitration under the auspices, and in accordance with then -applicable commercial arbitration rules and
procedures, of JAMS, Inc. ("JAMS") at JAMS' San Francisco offices. The arbitrator shall be mutually -agreed upon
by the parties to the arbitration. If the parties cannot agree upon an arbitrator within ten (10) business days
after the filing of any demand for arbitration or statement of claims with JAMS (or, if a party is asked to
participate in the joint selection of an arbitrator, but is unresponsive or otherwise does not do so within the
foregoing time period), then JAMS shall select as arbitrator a retired judge having at least ten (10) years'
experience in industry -related disputes pursuant to its normal procedure for selecting an arbitrator when parties
cannot agree upon an arbitrator.
The parties to the Dispute shall share equally in the costs of arbitration. If any party to the Dispute fails or
refuses to pay its portion of JAMS arbitration -related administration fees or arbitrator's fees in a timely manner,
the other party to the Dispute may, at its election, pay such fees and proceed with the arbitration without the
participation of the party who fails or refuses to pay its share of such fees, and any final arbitration award shall
require the non-paying party to reimburse the paying party for such fees and costs.
The arbitrator shall have the power to award only such damages, remedies, or relief that would be available in a
court otherwise having jurisdiction of the matter, but no other damages, remedies or relief. The arbitrator shall
render all rulings and make all adjudications based solely upon the law governing the claims, counterclaims and
defenses pleaded and shall not invoke any basis (including, without limitation, notions of "just cause") other
than such controlling law. The arbitrator shall have the authority to issue an award that provides for both legal
and equitable relief, as applicable, including, without limitation, an order for issuance of a temporary or
preliminary injunction. Notwithstanding the foregoing, the parties may avail themselves in the court of the
rights and remedies provided by Section 1281.8 of the California Code of Civil Procedure. In any arbitration
proceeding commenced under this section, the merits hearing (i.e., trial) shall begin by no later than ninety (90)
calendar days after the filing of any demand for arbitration or statement of claim with JAMS. The arbitrator shall
prepare a written statement of decision and award within five (5) business days following the conclusion of the
arbitration merits hearing. Judgment on the decision, award or other order of the arbitrator may be confirmed
and entered by the court.
The decision of the arbitrator shall be final and conclusive, and the parties hereby waive the right to trial de
novo or appeal, excepting only for the purpose of confirming the arbitrator's decision, award or other order and
entering judgment thereupon, for which purpose the court shall have sole and exclusive jurisdiction. Such
confirmation and entry of judgment may be obtained by ex parte application. Additionally, any petition to
compel arbitration and any other legal proceeding seeking to enforce or avoid arbitration under this Agreement
shall be filed and litigated exclusively in the court.
The prevailing party in any arbitration of a Dispute shall be entitled to recover from the other party or parties
the reasonable attorneys' fees and costs (including all costs of collection and recovery of any monies adjudicated
to be due), experts' fees and costs, arbitration administrative fees, court filing and other fees, and arbitrator's
fees that the prevailing party actually incurs in connection with that proceeding and any related -action or
proceeding in the court; however, the parties agree that, in the event a party to the Dispute is adjudicated to be
866.926.8746 14 www.xantrion.corn
1583a843 4
a prevailing party, that party shall seek to recover attorneys' fees under this section for the services performed
only by two (2) attorneys from the same law firm retained by that party. In the event this provision is
adjudicated to be unenforceable or the parties to the Dispute jointly elect to seek an adjudication of their
dispute in a judicial forum, the foregoing fees and costs recovery provision shall apply with equal force to that
judicial adjudication of the Dispute.
15.5 Force Majeure
Neither party shall be deemed to have defaulted or breached hereunder, nor shall it hold the other party
responsible for any cessation, interruption or delay in the performance of its obligations hereunder due to
earthquake, flood, fire, storm, natural disaster, act of God, war, terrorism, hostile or warlike action including
cyber or armed attacks in times of peace or war by a government or sovereign power, labor strike, lockout,
boycott, or other similar events beyond the reasonable control of such party (collectively, "Force Majeure"),
provided that the party relying upon this provision: (i) gives prompt written notice thereof, and (b) takes all
steps reasonably necessary to mitigate the effects of the Force Majeure event.
15.6 Headings
Headings used in this Agreement are for reference purposes only and shall not be deemed a part of this
Agreement.
15.7 5everability
If any provision in this Agreement is found or held to be invalid or unenforceable by a court of competent
jurisdiction, then (i) the validity of other provisions of this Agreement shall not be affected or impaired thereby,
and (ii) such provision shall be enforced to the maximum extent possible so as to effect the intent of the parties
and shall be reformed without further action by the parties to the extent necessary to make such provision valid
and enforceable.
15.8 No Waiver
A waiver of a breach or default under this Agreement shall not be a waiver of any other breach or default.
Failure of either party to enforce compliance with any term or condition of this Agreement shall not constitute a
waiver of such term or condition unless accompanied by a dear written statement that such term or condition is
waived.
15.9 No Assignment
Client shall not assign this Agreement without the prior written consent of the other party, which consent shall
not be unreasonably withheld, except in the event of a merger, acquisition, or sale of substantially all of Client's
assets. Subject to the foregoing, this Agreement shall inure to the benefit of the parties' permitted successors
and assigns.
866.926.8746
15
www xantrion.com
1li33si43 a
15.10 City Business License / Other Taxes
Xantrion shall obtain and maintain during the duration of this Agreement, a City of San Rafael business license as
required by the San Rafael Municipal Code. Xantrion shall pay any and all state and federal taxes and any other
applicable taxes. Client shall not be required to pay for any Services or work performed under this Agreement, until
Xantrion has provided Client with a completed Internal Revenue Service Form W-9 (Request for Taxpayer
Identification Number and Certification).
15.11 Entire Agreement; Modification
This Agreement, and any attachments hereto, contains the entire understanding of the parties with respect to
the matters contained herein. This Agreement shall supersede any prior understanding or agreement, written or
oral between the parties. In the event of any conflict between the terms hereunder and any attachment, these
terms shall govern unless such attachment expressly states that the terms and conditions of the attachment
shall control. There are no promises, covenants or undertaking other than those expressly set forth herein, and
any other terms and conditions are rejected regardless of content, timing or method of communication. Any
deviations from or additions to the terms of this Agreement must be in writing and will not be valid unless
confirmed in writing by duly authorized officers of Xantrion and Client.
866.926 8746 16 www.xantrion.com
15834843 4
16 Counterparts
This Agreement may be executed in counterparts, and each counterpart shall have the same force and effect as
an original and shall constitute an effective, binding agreement on the part of each of the undersigned. This
Agreement may be executed and delivered by facsimile transmission, by electronic mail in ".pdf," or any
electronic signature complying with the U.S. federal ESIGN Act of 2000 (e.g., www.docusign.com).
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first written above.
Signed:
Printed:
Title:
Company
Date:
CITY OF SAN RAFAEL
Anne Bisagno
President
Xantrion, Inc.
August 31, 2023
By: Cristine Alilovich (Oct 9, 202317:59 PDT)
CRISTINE ALILOVICH, City Manager
ATTEST:
130nna AIW-Mi (for)
Brenna Nurmi (for) (Oct 10, 2023 07:54 PDT)
LINDSAY LARA, City Clerk
APPROVED AS TO FORM:
ROBERT F. EPSTEIN, City Attorney
866 926 8746 17 www.xantrion corn
1583a8a3.4
866.926.8746
EXHIBIT A
Addendum To The General Service Agreement Information Technology Services
18
www.xantrion.com
15834843 4
866.926.8746
ADDENDUM TO THE GENERAL SERVICE AGREEMENT
INFORMATION TECHNOLOGY SERVICES
www.xantrion.com
15900501.4
TABLE OF CONTENTS
1 Summary Service Scope and Costs......................................................................................................................4
2 CORE IT.................................................................................................................................................................5
2.1
Description of Services................................................................................................................................5
2.2
Systems Administration...............................................................................................................................5
2.3
Endpoint Support.........................................................................................................................................6
2.4
"Virtual Chief Information Officer" (vCIO) and Strategic Planning Services................................................6
2.5
Limitations and Client Obligations...............................................................................................................6
3 Systems Monitoring.............................................................................................................................................8
3.1
Description of Services................................................................................................................................8
3.2
Monitoring systems.....................................................................................................................................8
3.3
Monitoring hours.........................................................................................................................................9
3.4
Monitoring scope.........................................................................................................................................9
3.5
Patch Management...................................................................................................................................10
3.6
Thresholds & Monitoring Criteria..............................................................................................................10
3.7
Endpoint anti -virus and anti-malware management................................................................................10
3.8
Client notification of monitoring alerts.....................................................................................................10
3.9
Alert remediation......................................................................................................................................10
3.10
Limitations and client obligations..............................................................................................................11
4 Managed Backups..............................................................................................................................................12
4.1
Description of Services..............................................................................................................................12
4.2
Recovery Point Objective...........................................................................................................................12
4.3
Recovery Time Objective...........................................................................................................................12
4.4
Standby Server Hosting.............................................................................................................................12
4.5
System requirements.................................................................................................................................13
4.6
Effect of Termination.................................................................................................................................13
4.7
Estimating data backup costs....................................................................................................................13
4.8
Limitations and client obligations..............................................................................................................14
5 Managed Security Essentials.............................................................................................................................15
5.1
Description of Services..............................................................................................................................15
5.2
List of Services...........................................................................................................................................15
5.3
Security Incident Response........................................................................................................................15
5.4
Limitations and Client Obligations.............................................................................................................18
6 Managed Security..............................................................................................................................................19
6.1
Description of Services..............................................................................................................................19
6.2
List of Services..........................................................................................................................................19
6.3
Limitations and client obligations..............................................................................................................21
7 Hosting...............................................................................................................................................................21
7.1
Description of Services..............................................................................................................................21
7.2
Data location..............................................................................................................................................21
7.3
Service Level Agreement..........................................................................................................................21
7.4
Effect of Termination.................................................................................................................................21
866.926.8746
2 www.xantrion.com
15900501.4
8
Limitations applicable to all services.................................................................................................................22
8.1 Support for End Users not covered by a CORE IT agreement..................................................................22
8.2 Policy Authoring, Audit, and Questionnaire Support ................................................................................22
9
Authorized Contacts..........................................................................................................................................22
10
Phone and Email Support hours of operation...................................................................................................22
10.1 Phone Answer............................................................................................................................................22
10.2 E-mail processing..................................................................................................... .........................
22
11
Rates for Services Outside of Scope ...................................................... ....................23
........................................
12
Travel Expenses..................................................................................................................................................23
13
Service Level Agreement...................................................................................................................................24
13.1 Response Time...........................................................................................................................................24
13.2 Service Level Credits..................................................................................................................................24
15
Costs and Service Detail.....................................................................................................................................25
16
Counterparts......................................................................................................................................................26
866.926.8746 3 www xantrion.com
15900501.4
1 Summary Service Scope and Costs
Service Name
Description
Included Services
Core IT
Comprehensive IT support for your staff, Systems
✓
Administration, Remediation, Management and
Maintenance.
Systems
IT infrastructure monitoring designed to detect non-
✓
Monitoring
functioning systems or services, in addition to conditions
which may lead to instability or down time.
Managed Backups
Backup of systems and data to protect against loss.
✓
Includes "Best Effort" disaster recovery for data stored in
our repository.
Fundamental security provisions and practices
Managed Security
✓
Essentials
recommended for every organization
Managed Security
A comprehensive security offering designed to meet the
Consider for
needs of organizations subject to regulatory oversight and
Future
compliance requirements, or with a strong need to protect
Implementation
sensitive data.
Hosting
"Private Cloud" services designed to host critical business
Consider for
systems in highly -available redundant secure Datacenters,
Future
with locations in Denver and Salt Lake City.
Implementation
TOTAL
Monthly Recurring Costs (Section 15)
$94,250
866.926.8746
www-xantrion.com
15900501.4
2 CORE IT
2.1 Description of Services
CORE IT is a comprehensive offering that includes technology support, administration, design,
remediation, and maintenance, designed to provide the Client with:
• A secure and stable Information Technology environment with exceptional up time.
• A high level of employee technology support satisfaction.
• A competitive advantage.
• The lowest sustainable total cost of ownership.
CORE IT is provided at a fixed monthly cost and includes unlimited desktop and systems support.
2.2 Systems Administration
• User & Resource Management
• Employee Onboarding and Termination
■ Hardware and Business Resource provisioning
• Identity management and access control
• Server, Network Infrastructure, and Endpoint Management
• Deployment, Administration, Troubleshooting, and Remediation
• Purchasing & Warranty Management
• Replacement of systems "In Kind," at end of life
• Data Backup System management
• Application Management —Cloud or Server -Based
• Deployment, Upgrades, Troubleshooting, & Remediation
• License & Subscription Management
■ Vendor Coordination
• Cloud -Based Voice over IP Systems
■ Administration, including Moves, Adds, and Changes.
• Internet Connectivity
■ Vendor Management
• Troubleshooting & Remediation
• Mobile Devices & Tablets
• Business Email connectivity
• Office 365 apps
• Other business apps (e.g., iTraklT, TRIMS, iAnnotate)
866.926.8746
5 www xantrion.com
15900501.4
2.3 Endpoint Support
• Unlimited remote support services are provided to your staff, 24 x 7 x 365.
• On -site support, as required.
2.4 "Virtual Chief Information Officer" i;vClO) and Strategic Planning Services
The client will be assigned a Xantrion "vCIO," whose core objective is to develop and maintain a business
technology strategy that meets the business requirements and fosters growth.
Detailed Services include:
• Technology and Security Strategy and Advisement
• Quarterly Business Review meetings
• Business Continuity and Disaster Recovery Strategy
• Cyber Security Risk Assessment and Mitigation Strategy
• Budget Projections and Cost Management
• Service Delivery Oversight
• Client Satisfaction Oversight & Reporting
• Identification and Resolution of trends or systemic issues
• Support Escalation
• Account Management, including agreement maintenance & resolution of billing matters
• Project Coordination and Management
• Incident Response Coordination
2.5 Limitations and Client Obligations
2.5.1 Services provided on a Time and Materials basis
• Physical relocation of Staff systems.
Ex: An employee wishes to move from one office location to another
• Support for custom software solutions, developed specifically for your firm, and not supported by a
major vendor
Ex: Custom scripts, FileMaker Pro, and Access Databases are considered custom
software solutions
• Office Moves and Rebuilds
• Business system or Infrastructure Projects that are being driven by new functionality or features
866 926.8746
6 www_xantrion.com
15900501.4
Ex: Cloud migrations, ERP, CRM, Accounting, or other Line of Business Application
Implementation, Cloud VoiP phone migrations
• Audio/Visual Systems Setup
Ex: Deployment of a new videoconferencing solution, or assisting client guests with
connectivity to projectors or displays
2.5.2 Warranties & Valid Support Agreements are Required
Except as otherwise agreed, supported equipment, including, but not limited to: servers, shared
storage, firewalls, switches, wireless access points, desktop and laptops, must carry a valid warranty
and support agreement for these devices to remain with Xantrion's support scope. All line of business
applications must include a valid support agreement, and the appropriate licensing to ensure
compliance.
2.5.3 Spare Equipment
We suggest maintaining spare staff systems to expedite setup and deployment in the event of an
unexpected new hire or hardware failure. There is no additional monthly cost associated with the
maintenance of spare endpoint systems.
2.5.4 Disaster Recovery
Recovery from outages caused by theft of systems or environmental events such as earthquakes,
floods, fire or sprinkler system activation will be performed on a time and materials basis.
Clients wishing to reduce the risk of a disaster are encouraged to use cloud services or consider re-
locating their systems to our secure data centers, as described in Section 7. For clients who maintain
servers on -premise, we also offer Standby Server Hosting, described in Section 4.4, to reduce the
time and cost associated with recovering from a disaster.
2.5.5 E-Discovery, Forensic and Breach Investigations
Clients are advised that services provided as part of a CORE IT agreement are not designed to capture
information required to support a forensic investigation. See also the limitations described in Section
5.3.5.
2.5.6 Abuse / Sabotage
Notwithstanding other provisions, recovery from deliberate damage / sabotage to systems or data,
either on -premise or in cloud, will be performed in accordance with the Time and Materials
provisions of this agreement.
866.926 8746
www.xantrion.com
15900501.4
2.5.7 Support for Endpoints not Covered by this Agreement
Support for systems not covered by this agreement is limited to the configuration and
troubleshooting of secure remote access to business systems.
Ex: Business email connectivity or Secure Remote Desktop.
Xantrion will not provide hardware support for these systems out of scope; any operating system -
level or networking support required to establish secure remote connectivity to business resources
will be provided on a Time & Materials basis.
2.5.8 Web Content Development
Xantrion does not manage web site content development or administration. We are happy to provide
vendor recommendations for this purpose.
3 Systems Monitoring
3.1 Description of Services
Xantrion's Monitoring services are designed to improve the overall availability, stability, and
performance of the Client's critical business systems.
Xantrion monitors key operating characteristics of the Client's designated systems and cloud solutions,
in order to detect and address early signs of potential system instability or failure, and to quickly identify
and remediate the points of failure, in the event that a system or service outage occurs. Xantrion
maintains a history of operating data which can be used as a benchmark for "normal" operations and to
aid in the troubleshooting process.
Note that while network breaches may be detected as a result of consequential anomalies in network
operations, this service is not designed to provide intrusion detection or prevention and should not be
relied upon for these purposes.
3.2 Monitoring systems
Xantrion's central monitoring systems are located in secure datacenters. Data is gathered from client
operating environments, using a combination of probes and agents installed directly on servers and
endpoints. Data is also gathered from additional sources external to the client environment to provide a
comprehensive overview of system status. Examples of external monitoring include: round-trip email
flow, RDS host availability, and Office 365 status.
866.926.8746
www.xantrion.com
15900501.4
3.3 Monitoring hours
Automated monitoring occurs 24 x 7 x 365. Engineers observe and remediate issues "live," from 6 AM
to 7 PM PST, Monday through Friday. On request, Xantrion can establish a limited number of alerts
which will trigger a notification to our live After -Hours answering service. The answering service will
then contact an available engineer off -hours, alerting them to the issue raised by the system.
3.4 Monitoring scope
The scope of Monitored Systems is dependent upon several factors, including client -specific
requirements, capabilities of the monitoring services, and limitations of the systems being monitored.
We recognize that client monitoring requirements are constantly changing as new systems are released
and cloud services evolve. Our centralized monitoring systems are similarly evolving in terms of capacity
and capabilities. Please discuss any specific monitoring needs with your vCIO, so that they may
determine whether or not they can be met.
The list below provides a sample of services & systems we will attempt to monitor:
On Premises Systems
Server hardware health
Remote Server Management systems (DRAC /
iLO)
System resource utilization
Disk utilization and 1/0
Warranty status
Service availability
Application level monitoring
Active Directory
SQL
Exchange
Internet Information Services
UPS systems availability and battery health
Networking devices
System Resource Utilization
Traffic Throughput
866 926.8746
Shared Storage
RAID and Disk health
LUN utilization
SaaS, Websites & External Services
Availability of Services
Response times
TLS/SSL certificate validity
DNS resolution
Expected page verification
Synthetic email route trip testing
Security Monitoring
Antivirus health
Windows patching health
Privileged access groups changes
Common account names monitoring
Outboard firewall port blocking
SFP monitoring
9 www.xantrion.com
15900501.4
3.5 Patch Management
Xantrion will manage patch deployment to systems, including servers, infrastructure devices,
and endpoints, using our patch management solution.
Xantrion conducts a literature review of all critical and security operating system updates as they are
released by Microsoft. Prior to general release, deployment is tested on Xantrion's systems and on
systems that clients have asked to be included within our patching test group. Xantrion will identify
and withhold any patches that are deemed problematic.
Approved patches are deployed monthly to workstations and laptop endpoints, and quarterly to
servers.
3,1-party Application patching is provided for a select list of supported applications.
3.6 Thresholds & Monitoring Criteria
Xantrion leverages a set of alerting conditions and thresholds within the central monitoring solution that
have been developed and tuned, through a combination of manufacturer's Best Practice
recommendations, in addition to real -world conditions. These thresholds are designed with the stability,
uptime and health of your systems in mind, and should not be customized.
3.7 Endpoint anti -virus and anti-malware management
Xantrion will manage the licenses, automated deployment, troubleshooting, and administration
associated with the anti -virus and anti-malware solution, for all clients with a Core IT agreement, and for
clients who have elected to bundle this offering with systems monitoring.
3.8 Client notification of monitoring alerts
If requested, Xantrion will copy any recipients that you designate on automated alert notifications. For
urgent and impactful issues, an Engineer will attempt to reach you by phone. For all other issues, we will
reach out via e-mail.
3.9 Alert remediation
Xantrion Engineers will attempt to contact Client for authorization before performing any remediation
work outside of the standard Core IT agreement. If we are unable to contact you, we will use our best
judgement in determining whether or to proceed without authorization. Examples of situations where
we may act if we are unable to reach you could include:
866.926.8746
10 www.xantrion.com
15900501.4
• The affected system is covered under a CORE IT contract and therefore remediation work is
included.
• E-mail system is completely down.
• Internet connectivity outage.
• Remediation of issues that are determined to be the direct result of managed patching.
3.10 Limitations and client obligations
The provisions listed in this section apply only to clients whose systems are not covered under a CORE IT
agreement, or those with a "Monitoring -Only" Agreement.
3.10.1 Identification of Systems to be monitored
You will provide us with a list of systems and/or cloud services that you want us to monitor. For
hardware systems on -premise, we require the following information:
• Device name
• IP address
• Hardware information (type, model, serial number)
• Administrative Login Credentials
• Physical location
3.10.2 Changes to monitoring
Requests to add or remove systems or devices from the monitored scope should be sent in writing to
support@xantrion.com.
3.10.3 Advance notification of systems maintenance
We ask that you notify us in advance of planned maintenance that will impact services and system
uptime, so that we can suspend monitoring and avoid "false alarms."
3.10.4 Remediation of issues resulting from patching
Client acknowledges that Xantrion's strategy for repairing an unstable system after patching may be,
at our discretion, restoring from backup. Systems not covered by a CORE IT or Managed Backup
agreement will be repaired on a time and materials basis.
866.926 8746 11 www.xantrion com
15900501.4
4 Managed Backups
4.1 Description of Services
Xantrion will work with the Client to design a managed backup strategy that meets the business'
Disaster Recovery and Data Retention requirements.
Services will include:
• Automated monitoring to ensure backups are completing successfully.
• Engineer review of backup -related alerts during the business day.
• Data retention as required by the Client (e.g. 30 days, 1 year, 7 years)
• Quarterly auditing of the backup selection lists and file restore testing.
• Annual test restores of a database or server critical to business operations.
• Remediation of any issues related to the managed backup solution.
• Restoration of files and servers as requested, subject to the limitations described in Sections 4.3
and 4.4
• Encryption of backup data "in transit" and "at rest" when replicating to Xantrion datacenters.
• Optional "cloud -to -cloud" backups for supported cloud services: e.g. Office 365
• An optional on -premises "backup appliance."
4.2 Recovery Point Objective
Servers are backed up nightly, by default.
4.3 Recovery Time Objective
Data recovery requests will be handled in a timely manner, with restore times being subject to a number
of factors (ex: internet bandwidth, etc.) File recovery, dependent upon data size, can generally be
performed immediately upon notification. Recovery of an entire server may take 24 hours or longer.
4.4 Standby Server Hosting
For clients storing backups in our datacenter, Xantrion maintains spare hosting capacity to allow for
recovery in the event of a local disaster impacting client systems (ie: theft, earthquake, fire, flood)
• This operation can take 24 to 72 hours and is subject to the availability of resources.
• This agreement includes the cost of 1 month of hosting in our datacenters, should long-term failover
be required.
• Xantrion has a client concentration in the San Francisco Bay Area. Resource availability is *not*
sufficient to permit the immediate recovery of all clients in the event of a regional disaster.
866.926.8746
12 www.xantrion.com
15900501.4
• Xantrion offers secure server hosting (described in Section 7) for clients who wish to ensure business
continuity in the event of local disaster.
4.5 System requirements
• Client systems must be compatible with Veeam, the backup software on which our platform is built.
• Client internet services must be sufficient to permit the nightly replication of critical business
systems.
• As a conservative rule of thumb, assume at a minimum that data will change 5% per day and
that 5 GB of data can be moved off -site per day for every 1 Mb/s of available internet
upload bandwidth capacity.
4.6 Effect of Termination
• Upon termination of the service agreement, unless otherwise requested, Xantrion will delete all
copies of your data from our datacenter infrastructure.
• In the event of termination, requests to export backup archives (ie: removable storage media) will
be fulfilled on a time and materials basis.
4.7 Estimating data backup costs
The client's estimated monthly recurring costs associated with managed backups, calculated on a per -
GB basis, are listed in Section 15.
The amount of data being held in aggregate by our hosted infrastructure is dependent upon several
factors, including:
• The amount of data being protected
• Daily data change rate
• The degree to which original data can be compressed and deduplicated in the backups
• Retention periods
The table below provides a guideline to estimate the total amount of data you will store in our hosted
backup infrastructure, based on the amount of data on your servers that we protect and your retention
period.
Your actual costs may vary from these.
GB of compressed data in the
Retention backups per GB of original data being Off -site Storage Schema
period protected
Typical case
866.926.8746
13 www xantrion.com
15900501.4
30 days
1 : 1
:
2 1
Daily incremental backups for the
first 30 days + 1 Full backup
Daily incremental backups for the
90 days
2 : 1
3 : 1
first 30 days + 3 x Monthly full
backups
Daily incremental backups for the
first 30 days +
1 year
5: 1
8: 1
3 x Monthly full backups
3 x Quarterly full backups
1 x Annual full Backup
Daily incremental backups for the
first 30 days +
7 Years
8: 1
10 : 1
3 x Monthly full backups
3 x Quarterly full backups
7 x Annual full backups
Example:
• Data stored on your systems:
• Retention Period:
• Estimated Data stored on our systems:
• Cost per Stored GB
• Total Monthly Cost
4.8 Limitations and client obligations
1,000 GB
1 Year
5,000 to 8,000 GB
Given in Section 14
Actual Data stored * Cost per stored GB
Clients must define data retention requirements and notify us of any changes to these requirements.
Clients with systems not covered by a CORE IT agreement must identify which systems should be
included in the scope of the backups.
Searches of electronic data, restoration of historical data for the purpose of legal investigations will be
performed under the time and materials provisions of this agreement.
It is not feasible to ensure the backup of laptop and desktop systems with a high degree of confidence.
Backups of laptop and desktop endpoints, if requested, are performed on a "Best Effort" basis. As a Best
Practice, all sensitive data should be stored on server hardware or in a secure cloud environment.
866.926 8746
14 www.xantrion.com
15900501.4
5 Managed Security Essentials
5.1 Description of Services
Xantrion's Managed Security Essentials service helps clients achieve an enhanced cybersecurity posture
and implement appropriate defensive safeguards to address common cybersecurity threats.
5.2 List of Services
The following services are included in Managed Security Essentials:
5.2.1 Security Awareness Training
End users may subscribe to Xantrion's standard security awareness training program. This program
will consist of periodic email security testing and optional online video -based training.
5.2.2 Multi -Factor Authentication
Xantrion will supply and manage an approved multi -factor authentication system.
5.2.3 Mobile Application Management
Xantrion will supply and manage an approved mobile application management system.
5.2.4 Advanced Internet Filtering
Xantrion will deploy advanced internet filtering technology to laptops, extending internet filtering to
these devices when they are outside the corporate network. Internet filtering includes the detection
of malware and blocking of malicious domains.
5.3 Security Incident Response
5.3.1 Overview
Xantrion will assist our clients in responding to Security Incidents affecting their information systems
within the limitations of existing agreements. Client Security Incidents are handled according to
Xantrion's pre -defined Security Incident Response Policy.
Please see Section 5.4 regarding limitations on services provided pursuant to this provision.
5.3.2 Definitions
Security Event: Any observable change or occurrence in a system. Certain correlated events may
become Security Alerts through automated analysis.
866.925 8746 15 www.xantrion.com
15900501.4
Security Alert: Notifications that a certain event or series of events have occurred. Alerts can be
generated from automated systems or received in the form of user request to our service desk.
Security Alerts may be escalated to become Security Incidents.
Security Incident: A single or series of security events that, as assessed by Xantrion, have a significant
likelihood of threatening information security and impacting business operations.
Containment: Containment of a Security Incident are tasks performed by incident responders to limit
the scope and impact of an ongoing Security Incident.
Recovery: Recovery from a Security Incident is the process of returning impacted systems to normal
operation and removing artifacts of the incident from the system. (For example; removing malware
and recovering data from backup). Recovery steps may include remediation of security vulnerabilities
to prevent future incidents.
53.3 Classification and Prioritization
Xantrion classifies Security Alerts into 4 categories:
Category
Description
Insufficient
Xantrion does not have the required information to properly classify
Information
this alert. Additional information is required from the client to
continue processing this alert.
Harmful
The alert is identified as an attack or attempted attack that may
result in damage or unauthorized access to information systems.
The cause of the alert has rendered the Client's infrastructure
vulnerable or compromised. Harmful alerts are escalated as Security
Incidents.
Harmless
The alert is identified as a known attack, attempted known attack or
reconnaissance effort. The client's systems are not considered
vulnerable or compromised.
The alert may be falsely triggered, is informational, or has been
False I
Positive
determined to be benign.
866.926.8746
16 www.xantrion.com
15900501.4
Xantrion prioritizes Security Incidents, based on their functional, informational, and recoverability
impact:
Priority
Description
High
The incident impacts critical business functions. Represents a high
likelihood of impacting information availability or confidentiality or
requires a significant recovery effort.
Medium
The incident impacts multiple users. Represents a medium likelihood
of impacting information availability or confidentiality. Recoverability
effort is expected to be less than 24 hours.
Low
The incident is limited in scope and does not significantly impact
business operations. There is a low likelihood of impacting
information availability or confidentiality the recovery effort is
minimal.
5.3.4 Detection
Security Incidents are declared solely by Xantrion based a variety of sources including automated
analysis and reports from end users. Xantrion will assess incoming Security Alerts to determine if a
Security Incident is occurring or has occurred.
5.3.5 Notification
Xantrion will notify our clients within 24 hours after a High or Medium priority Security Incident has
been declared within the environment.
5.3.6 Containment and recovery
For systems covered by CORE IT, Xantrion will perform all reasonable tasks to contain a Security
Incident and once contained, recover systems to normal operation.
5.3.7 Post -Incident activity
An Incident Report will be produced by Xantrion for all High and Medium priority Security Incidents.
The report will be limited to Xantrion's involvement in the incident including: a summary of the
incident, timeline of events, impact analysis, containment and recovery steps, root -cause analysis,
and any additional recommended actions.
866.926.8746
17 www.xantrion.com
15900501.4
5.4 Limitations and Client Obligations
5.4.1 Disclaimer of Warranty
Information security and compliance is a wide-ranging discipline which requires the involvement
from all parts of a business. Xantrion's expertise and this service are limited specifically to the
technical cybersecurity aspects of a comprehensive information security program. It is important to
understand that subscribing to this service alone does not guarantee compliance with any law or
regulation nor guarantee the absolute security of your systems.
5.4.2 Data Security Responsibility
Client acknowledges and agrees that Xantrion does not provide legal services or warrant that the
services or products provided or obtained on client's behalf will ensure client's compliance with any
law, including but not limited to any law relating to safety, security or privacy.
5.4.3 Missing information
Client is responsible for providing missing information for alerts classified as "Insufficient
Information". If client fails to supply such information Xantrion may send a reminder or close the
alert.
5.4.4 Incident Response
It is the responsibility of the client to direct Xantrion's response to an incident according to their own
policies and procedures, especially if evidence must be preserved, or a forensic investigation is
expected. Clients are advised to maintain their own incident response plan including their own
reporting requirements.
The primary goal of Xantrion's incident response service is to contain and recover from Security
Incidents. Client is aware that Xantrion may take immediate action without notification to contain
and recover from a detected incident. Certain containment and recovery actions may hinder future
forensic investigations.
Xantrion's capabilities to assist with containment and recovery are limited for systems not covered by
a CORE IT agreement. Containment of, and recovery from Security Incidents for these systems will be
performed in coordination with the client on a best effort, time and materials basis.
5.4.5 Investigations
Clients are advised that services provided under Managed Security Essentials are not designed to
capture information required to support a forensic investigation.
866 926.8746 18 www.xantrion.com
15900501.4
Investigation including root cause analysis, preservation of evidence, attempts to determine if
information was accessed or exfiltrated by unauthorized actors, or to identify unauthorized actors
will be performed on a best efforts, time and materials basis.
6 Managed Security
6.1 Description of Services
Xantrion's Managed Security service delivers a multi -layered cybersecurity solution tailored for small
and medium businesses. The service is designed to aid clients in meeting regulatory compliance
requirements and operating a secure computing environment.
Managed Security requires a Systems Monitoring agreement for all covered systems.
6.2 List of Services
The following services are included as part of the full Managed Security offering.
6 2.1 Cybersecurity Roadmap
Xantrion will provide access to our internally developed cybersecurity standards based on industry
leading control frameworks. A gap analysis will be performed, at least annually, between our
developed standards and current state including recommendations for improving the client's security
posture.
6.2.2 Automated Security Analysis and Alert Management
Automated analysis will be performed on logs, system configurations, and other data points using
metrics developed by Xantrion and its partners. Alerts will be triggered on specific pre -defined
conditions and will generate a support ticket to be handled by Xantrion's Network Operations Center
(NOC) or Service Desk.
6.2 3 Customized Security Awareness Training
Xantrion will customize a security awareness training program using the included training platform
including phishing email exercises and video -based training.
6.2.4 Log Aggregation and Management
Xantrion will install a system to collect specific security logs from capable servers and network
security devices. These logs will be stored for 30 days in a resilient and secure hosted location.
Xantrion will provide and install necessary log collectors and configure supported systems to send
logs. At the end of the retention period, log data will be permanently deleted on a first -in -first -out
866.926.8746 19 www.xantrion.com
15900501.4
(FIFO) basis. If this agreement is terminated for any reason, Xantrion will be relieved of its obligation
to store client's log data. Retention beyond 30 days is available at additional cost.
6.2.5 Vulnerability Scanning and Management
Xantrion will scan Client's internal and internet facing hosts on a quarterly basis for devices covered
by this agreement. The scan data will be used to identify known vulnerabilities and results
summarized and delivered to client for review.
For systems covered by a CORE IT agreement, critical vulnerabilities will be scheduled for
remediation. For systems not covered by a CORE IT agreement remediation can be performed on a
time and materials basis.
6.2.6 Sensitive Data Discovery
Xantrion will scan client's network annually, or more often as mutually agreed, to discover locations
where sensitive data, such as Personally Identifiable Information (PII), is stored. Results will be
summarized and delivered to client for review.
6.2.7 Account Authentication Analytics
Xantrion will manage an approved authentication analytics system. The system is designed to detect
abnormal account behavior which may indicate compromise.
6.2.8 Identity Access Management
Xantrion will manage an approved identity management system used to provide single -sign on
capabilities between the client's identity provider and other systems.
6.2.9 Self -Assessment Support
Xantrion will provide support If client initiates or is requested to perform a self -assessment or
complete a security questionnaire by a regulating agency, or partner. Included support is limited to
responding to pre -formed questionnaires.
6.2.10 Quarterly Reporting
On a quarterly basis Xantrion will deliver a report describing the performance of services included in
this agreement.
6.2.11 Annual Security Review
Xantrion will meet with the client on an annual basis to review their cybersecurity program. Topics
for review during this meeting can include:
866.926.8746
20 www.xantrion.com
15900501.4
• Security Incidents
• Existing cybersecurity policies
• Latest security reports
• Exceptions to standards or recommendations
6.3 Limitations and client obligations
The following services can be performed according to the time and materials provisions of the General
Service Agreement.
• New functionality added to existing systems, including new single -sign -on integrations.
• Vendor Assessments
7 Hosting
7.1 Description of Services
Xantrion will host your systems on Xantrion-owned assets, configured to provide a fault -tolerant
operating environment for your critical systems.
7.2 Data location
Data is stored in secure DataCenter locations in the continental United States.
7.3 Service Level Agreement
See Section 17 of this document.
7.4 Effect of Termination
Unless otherwise agreed upon, all client data will be deleted from our hosting environment upon
termination of this service.
Prior to termination, in order to ensure continuity of service, at no cost, we will make server images and
/ or data available to Client or Client's new service provider for migration to their systems.
We can perform a migration from our service to an alternate provider or provide copies of images on
portable media on a time and materials basis.
866.926 8746
21 www.xantrion.com
15900501.4
8 Limitations applicable to all services
8.1 Support for End Users not covered by a CORE IT agreement
Support requests for end users not covered by a CORE IT agreement must be escalated to us by the
client's internal IT team. Xantrion cannot take support requests directly from end users, themselves.
8.2 Policy Authoring, Audit, and Questionnaire Support
Assistance with the creation of Client's internal compliance and security policies, responses to third
party audit requests for a detailed description of client's cybersecurity, business continuity and / or
disaster recovery practices will be provided on a time and materials basis. E.G. regulatory examinations,
ISO certification, SSAE audits, investor, insurance, or other due diligence requests.
9 Authorized Contacts
The Client will provide Xantrion with a list of individuals, including e-mail addresses and mobile phone
numbers, who are authorized to approve access control requests, as defined in the "Support FAQs for
Liaisons" document.
10 Phone and Email Support hours of operation
Our phones are answered live 24 x 7 x 365. Details of coverage as follows:
10.1 Phone Answer
• Phones are answered live by our Client Service Representatives from 6:00 AM to 7:00 PM PST,
Monday through Friday, excluding normal holidays. Our CSRs will make every effort to connect you
to an Engineer who can assist you immediately.
• If all Engineers are busy when you call, we can arrange for a scheduled call-back
• Calls received outside of the defined business hours will be taken by a third -party answering service
who will then patch the call to an On -Call Engineer, for resolution.
10.2 E-mail processing
• For non -urgent issues and change requests, email support@xantrion.com
• Expect a response within 1 business day
• Do not e-mail if you need help immediately; please call
866 9268746
22 www.xantrion.com
15900501.4
• E-mail requests are monitored during business hours, 9AM to 5PM PST weekdays, excluding
holidays. Messages received after hours are converted into a ticket that is assigned to an Engineer
at the start of the next business day
11 Rates for Services Outside of Scope
Base Hourly rate
C Level $245/hr.
Engineer IV $220/hr.
Engineer III $195/hr.
Engineer II $170/hr.
Engineer I $145/hr.
• Business hours are 6:00 AM to 7:00 PM PST (M-F,) excluding traditional holidays.
• Work outside of business hours, or scheduled less than 1 day in advance, is charged at 1.5 times the
applicable base hourly rate.
• Work is charged in fifteen (15) minute increments.
• The minimum site visit charge is four (4) hours of service.
12 Travel Expenses
• There is no charge for travel within our normal service area, defined as the 9 counties that make up
the "Bay Area."
• Client will be notified in advance of any travel or work outside of the Bay Area that will incur added
costs.
• Travel Expenses associated with work outside of the Bay Area (including transportation, hotel stays,
per diem food expenses) will be billed to the client at cost.
• Time associated with travel outside of the Bay Area will be billed at''/z of the applicable Base Hourly
Rate.
866.926.8746
23 www.xantrion.com
15900501.4
13 Service Level Agreement
13.1 Response Time
13.1.1 Business -Critical issues
For "business -critical" issues, or those that prevent a group of individuals from doing their work,
Xantrion will make every effort to respond immediately. Your vCIC, if available, or a Xantrion
manager, will coordinate the appropriate resources on the Xantrion side and provide you with a
summary of impacted systems, a remediation plan and regular updates on progress.
Xantrion will work the issue continuously until resolved, engaging Sr -level Engineering resources,
subject matter experts, and vendors, as required.
13.1.2 Non -Urgent Issues and Change Requests
For non -urgent issues and change requests, email support@xantrion.com
Expect a response within 1 business day
E-mail requests are monitored during business hours, 6AM to 6PM PST weekdays, excluding
holidays. Messages received after hours are converted into a ticket that is assigned to an
Engineer at the start of the next business day
13.2 Service Level Credits
For each thirty (30) minutes of downtime from the time we are notified (excluding scheduled maintenance,)
Xantrion will issue a credit of five percent (5%) of the total Hosted Services, Systems Monitoring or Managed
Backup Fees due to Xantrion for the month in which such Critical event occurred, not to exceed the total
Hosted Services, Systems Monitoring or Data Backup Fees for such month.
Client is not entitled to a credit for downtime or outages resulting from circumstances beyond our control
including, but not limited to, ransomware, denial of service attacks, virus attacks, or hacking attempts.
14 Client -Specific Provisions
None.
866.926.8746
24 www.xantrion.com
15900501.4
15 Costs and Service Detail
Type
Qty
Each
Total
Active Users
425
$206
$87,550
Managed SEIM
1
$1,000
$1,000
Backups TBs
57
$100
$5,700
Monthly Total
$94,250
Annual Total
$1,131,000
The price and employee counts will stay constant through the first year unless there are significant changes
to the environment; significant defined as 10% or more of the monthly cost.
866 926.8746
25 www xantrion.com
1S900501.4
16 Counterparts
This Agreement may be executed in any number of counterparts, each of which shall be deemed an original,
but all of which, when taken together, shall constitute one and the same instrument.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first written below.
Signed:
Printed: Anne Bisagno
Title: President
Company Xantrion, Inc.
Date: August 31, 2023
CITY OF SAN RAFAEL
By: O istine Ali lovich (Oct 9, 2623 17:59 PDT)
CRISTINE ALILOVICH, City Manager
ATTEST:
Brenner Nurni (for)
Brenno Nurmi (For) (Oct 10, 2023 07:54 PDT)
LINDSAY LARA, City Clerk
APPROVED AS TO FORM:
ROBERT F. EPSTEIN, City Attorney
866.926.8746
26 www.xantrion.com
15900501.4