Loading...
HomeMy WebLinkAboutDS Information Technology Services Agreement____________________________________________________________________________________ FOR CITY CLERK ONLY Council Meeting: October 7, 2024 Disposition: Authorized the City Manager to execute an agreement with addendum with Xantrion, Inc., for information technology services from November 1, 2024, through October 31, 2025, in an amount not to exceed $1,166,700 Agenda Item No: 2.d Meeting Date: October 7, 2024 SAN RAFAEL CITY COUNCIL AGENDA REPORT Department: Digital Service & Open Government Prepared by: Sean Mooney, Director City Manager Approval: ______________ TOPIC: INFORMATION TECHNOLOGY SERVICES AGREEMENT RENEWAL SUBJECT: AUTHORIZE THE CITY MANAGER TO EXECUTE AN AGREEMENT WITH ADDENDUM WITH XANTRION, INC., FOR INFORMATION TECHNOLOGY SERVICES FROM NOVEMBER 1, 2024, THROUGH OCTOBER 31, 2025, IN AN AMOUNT NOT TO EXCEED $1,166,700 RECOMMENDATION: Authorize the City Manager to execute an agreement with addendum with Xantrion, Inc., for information technology services from November 1, 2024, through October 31, 2025, in an amount not to exceed $1,166,700. BACKGROUND: In May 2019, the Department of Digital Service and Open Government published a Request for Proposals for a managed-service provider to address the City’s information technology systems and assembled an evaluation team with representatives from the Police, Fire, Library & Recreation, and Public Works departments. The City received eight proposals. At the end of the evaluation process, Xantrion (from Oakland, CA) was selected as the preferred vendor to partner with the City by providing the following services: •Technical support (“help desk”) •Network, server, and database administration •Equipment purchasing •User account management •Data backup and recovery •Network monitoring and security The City entered into an agreement with Xantrion in October 2019 for managed information technology services across all City departments. The City Council has approved renewing that one-year agreement for the past four years in October 2020, October 2021, October 2022, and October 2023, respectively. SAN RAFAEL CITY COUNCIL AGENDA REPORT / Page: 2 In the past five years, Xantrion has helped the City improve cybersecurity, supported network projects and citywide network resilience, streamlined day-to-day tech support, improved customer service, and standardized user management and purchasing. As of August 31, 2024, Xantrion has resolved 3,579 processed support tickets since November 1, 2023 (an increase of 13.33% from that same period last year). Xantrion continues to offer the City a high-quality level of service with an average acknowledgment time for incoming tickets of 4.11 minutes and a median acknowledgment time of two minutes. The average resolution time for a ticket is 5.91 hours, and the median resolution time for tickets this year is 1.20 hours. Over the last year, Xantrion has completed the following IT projects: •Proactive computer replacement – Replaced 70 end-of-life computers and worked with staff to migrate their software, files, and settings to the new systems. •Completed outstanding Office 365 Teams/SharePoint Migrations – Partnered with Digital Service to migrate all Departments from network drives to Teams/SharePoint environments. •Migrated the A&C Street garages to city-owned fiber network – This infrastructure project allows the A & C Street garages to leverage city-owned fiber optics that connect to the Public Safety Center for network connectivity, increasing bandwidth, adding redundancy, and providing enough network capacity to install new surveillance cameras. •Configured Single Sign On for cloud systems – Streamlined staff access and improved security by relying on the City’s identity and access management system, including multi-factor authentication (MFA), for the following applications: o Axios – Email marketing o PSD Citywide – Asset Management o Tyler Munis – Enterprise Resource Planning (ERP) o Velocity EHS - Environmental, Health and Safety Management program •Retired Police Department Mobile firewalls – Replaced two firewalls that were nearing the end of their life and moved functionality to more robust networking equipment owned by the City. The team also configured failover Virtual Private Network (VPN) tunnels to Verizon to ensure redundancy for Police Department mobile devices, which allow patrol cars to connect to the RIMS computer-aided dispatch system. SAN RAFAEL CITY COUNCIL AGENDA REPORT / Page: 3 •Migrated SRPD iPhones to iRIMS 6 – Assisted SRPD with migrating iRIMS4 to iRIMS6 which required deploying a new VPN solution for iPhones to have a direct connection to the RIMS (computer aided dispatch) database server. •Windows 2012 Server Upgrades – Worked with departments and vendors to migrate a line of business applications on 12 end-of-life servers to modern servers. •Public Safety Network Redesign – Redesigned the network connectivity between SRPD IT resources and MIDAS/neighboring agencies for the City to take control of the network boundary between the various networks. •Temporary Fourth Street Library – Deployed IT infrastructure that included internet service provider, networking equipment, WIFI, telephones, and relocated computers and printers. •Replaced switch stacks at City Hall and Morphew •Created replacement plan for end-of-life wireless system – evaluated various options and cost estimates, and provided a recommendation. •ERP cloud environment installation – Set up the cloud environment for the City’s Tyler MUNIS ERP project, including configuring of single sign-on for user accounts. •Teams Phone Migration (in progress) – Migrating the City’s end-of-life on-premises phone system to a VOIP cloud solution using Microsoft Teams Phone. Working with departments and vendors to verify numbers, users, call queues, auto attendants, etc., are successfully migrated over. ANALYSIS: The November 1, 2023 – October 31, 2024, agreement with Xantrion cost $1,131,000. Xantrion has proposed a 3.16% per-user increase in monthly costs to accommodate increases in operational costs to compensate for consumer price index inflation increases. Additional monthly costs included in our agreement include monthly backup of city data and hosting of our Security Event and Information Management (SEIM) system, which assists in detecting, analyzing, and responding to potential security threats. The only changes to this agreement include: •Updating the total monthly recurring costs to reflect the new total. •Updating rates of services outside of scope to reflect current hourly costs. •Updating the cost and service detail table to reflect the new contract cost. The agreement includes Xantrion’s cybersecurity insurance coverage, which was reduced last year from $10,000,000 to $5,000,000 due to increased insurance rates, and Xantrion’s goal is to better align with industry practices. The City carries $5,000,000 in cybersecurity liability coverage as part of its insurance coverage with the California Joint Powers Risk Management Authority (CJPRMA). Xantrion’s total liability coverage is consistent with the amount approved by the City Council last year and does not impact the City’s cybersecurity insurance coverage. The proposed renewal is for one year, beginning November 1, 2024, and ending October 31, 2025. Xantrion’s price for service remains competitive, and their service level and customer satisfaction with City staff remain high. 2023-24 2024-25 SAN RAFAEL CITY COUNCIL AGENDA REPORT / Page: 4 (3.16% per user increase) Annual Cost $1,131,000 $ 1,166,700 FISCAL IMPACT: The total amount of the proposed new agreement is $1,166,700. Funding to support this contract is provided within the approved FY 2024-25 budget through appropriations within the Technology Fund (fund 601). OPTIONS: The City Council has the following options to consider on this matter: 1.Authorize the City Manager to execute an agreement with an addendum with Xantrion, Inc., for information technology services from November 1, 2024, through October 31, 2025, in an amount not to exceed $1,166,700. 2.Direct staff to return with more information. 3.Take no action. RECOMMENDED ACTION: Authorize the City Manager to execute an agreement with addendum with Xantrion, Inc., for information technology services from November 1, 2024, through October 31, 2025, in an amount not to exceed $1,166,700. ATTACHMENT: 1. Xantrion General Service Agreement and Addendum GENERAL SERVICE AGREEMENT XANTRION INC. AND CITY OF SAN RAFAEL 866.926.8746 www.xantrion.com 15834843.4 IServices................................................................................................................................................. 4 1.1 Statement of Work........................................................................................................................ 4 1.2 Personnel......................................................................................................................................4 2 Terms of Payment................................................................................................................................. 4 2.1 Services Fees; Equipment and Software Costs.............................................................................. 4 2.2 Overdue Payments........................................................................................................................ 5 2.3 Taxes............................................................................................................................................. 5 3 Term, Termination................................................................................................................................. 5 3.1 Term.............................................................................................................................................. 5 3.2 Termination for Convenience........................................................................................................ 5 3.3 Termination for Cause................................................................................................................... 5 3.4 Effect of Termination.................................................................................................................... 6 3.5 Survival..........................................................................................................................................6 4 Equipment, Software and Supplies....................................................................................................... 6 4.1 Equipment; Software; Supplies..................................................................................................... 6 4.2 Limited Warranty.......................................................................................................................... 7 5 Independent Contractor Status............................................................................................................. 7 6 Non-Solicitation.....................................................................................................................................7 7 Unauthorized Access to Data or Use of the Services............................................................................ 7 8 No Warranties; Limitations of Liability; Indemnification....................................................................... 8 8.1 No Warranties...............................................................................................................................8 8.2 Limitation of Liability..................................................................................................................... 8 8.3 Indemnification............................................................................................................................. 8 9 Confidentiality.......................................................................................................................................9 9.1 Definition.......................................................................................................................................9 9.2 Confidentiality...............................................................................................................................9 9.3 Access to Systems......................................................................................................................... 9 10 Compliance..........................................................................................................................................10 10.1 Protection of Personally Identifiable Information....................................................................... 10 10.2 Compliance with Laws Applicable to Client................................................................................ 10 10.3 Compliance with Software Manufacturer's Licensing and Allowed Usage Requirements.......... 11 11 Security Incident Response................................................................................................................. 11 11.1 Obligations.................................................................................................................................. 11 11.2 Disclaimer....................................................................................................................................11 13 Other Insurance Provisions................................................................................................................. 12 14 Harassment Free Workplace; Nondiscrimination............................................................................... 13 15 Miscellaneous......................................................................................................................................13 15.1 Notices........................................................................................................................................ 13 15.2 Governing Law............................................................................................................................. 13 15.3 Remedies.....................................................................................................................................13 15.4 Dispute Resolution; Attorney's Fees........................................................................................... 13 15.5 Force Majeure............................................................................................................................. 15 2 15.6 Headings......................................................................................................................................15 15.7 Severability..................................................................................................................................15 15.8 No Waiver................................................................................................................................... 15 15.9 No Assignment............................................................................................................................15 15.10 City Business License / Other Taxes............................................................................................ 16 15.11 Entire Agreement; Modification.................................................................................................. 16 16 Counterparts....................................................................................................................................... 17 Exhibit A -Addendum To The General Service Agreement Information Technology Services 19 866.926.8746 www.xantrion.com 15834843 4 GENERAL SERVICE AGREEMENT This General Service Agreement, including any attachments referenced herein and made a part hereof (this "Agreement"), is entered into as of November 1, 2024(the "Effective Date"), by and between Xantrion, Inc., a California corporation ("Xantrion"), with offices at 65120th Street, First Floor, Oakland, CA 94612, and City of San Rafael with offices at 1400 Fifth Avenue, San Rafael, CA 94901 ("Client"). 1 Services 1.1 Statement of Work Xantrion shall provide the services (the "Services") as described in the Addendum To The General Service Agreement Information Technology Services of even date herewith, attached as Exhibit A hereto and incorporated herein by reference ("Addendum"). The Services shall be performed and delivered in a workmanlike manner in accordance with generally recognized industry standards for computer consultants performing similar services. 1.2 Personnel Xantrion, acting as an independent contractor, shall engage employees, consultants, or subcontractors ("Xantrion Personnel") to provide the Services specifically outlined in the Addendum, and Xantrion shall be fully and directly responsible for all Xantrion Personnel. Xantrion shall (i) provide competent and qualified personnel to perform the Services; (ii) ensure that it complies with all laws, regulations, ordinances and licensing requirements; (iii) ensure Xantrion Personnel performing any Services on Client's premises comply with any applicable Client guidelines as provided to Xantrion from time to time, including, but not limited to, any data security policies; and (iv) determine the method, detail, and means of performing the Services under this Agreement. 2 Terms of Payment 2.1 Services Fees; Equipment and Software Costs Unless otherwise agreed to in writing by the parties, payment for Services by Xantrion ("Service Fees") rendered and any equipment, software, licenses, 3rd party services, hardware, parts and supplies ("Supplies") shall be due within forty-five (45) days from the date of the applicable invoice provided by Xantrion to Client. If Xantrion does not receive payment within such forty-five (45) day -period, Xantrion shall have the option to suspend the Services without any liability until payment is received. 4 www.xantrion.com 15834843 4 2.2 Overdue Payments Interest shall accrue on any delinquent amounts owed by Client to Xantrion at the rate of[0.8333% per month. In the event of a good faith dispute related to the invoices submitted by Xantrion, Client shall notify Xantrion in writing setting forth the reasons of such dispute, and the parties shall cooperate to resolve such dispute. 2.3 Taxes Client shall be responsible for any applicable sales or use taxes on any amounts payable by Client hereunder. 3 Term, Termination 3.1 Term Unless sooner terminated, the term of this Agreement, and the applicable Services requested asset forth in the accompanying Addendum shall be for one (1) year commencing on the Effective Date ("Term") and shall continue during the Term unless this Agreement is otherwise terminated sooner in accordance with Section 3.2 or Section 3.3. During this Term, Xantrion shall not increase its fee rates over and above the rates charged on Services provided as of the Effective Date. New Services added during the Term may be charged at Xantrion's then -current rates. The termination of any Service shall not modify any Term of this Agreement. The termination of this Agreement shall immediately terminate any and all Services executed hereunder. 3.2 Termination for Convenience Either party may terminate this Agreement or any applicable Service at any time without cause upon at least ninety (90) days' prior written notice to the other party. In the event that either party elects to terminate this Agreement pursuant to this Section 3.2, Xantrion agrees to provide sufficient efforts and cooperation to ensure an orderly and efficient transition of Services to Client or another service provider, whichever Client elects, at Xantrion's then -current time and materials rates. 3.3 Termination for Cause Either party may terminate this Agreement or any applicable Service for Cause (as defined below) immediately upon written notice to the other party. For purposes of this Agreement, "Cause" means: (i) Client's failure to pay any amount due within thirty (30) days of the applicable due date; (ii) a party's conviction of, or plea of nolo contendere to, any felony, or any other crime involving fraud, embezzlement, or act of moral turpitude; (iii) a party's unauthorized use or disclosure of any Confidential Information or other proprietary information of the other party or any other 866.926 8746 www xantrion com 15834843 4 party to whom the offending party owes an obligation of nondisclosure as a result of the parties' relationship; (iv) a material breach of this Agreement by a party which is incapable of cure, or with respect to a material breach capable of cure, is not cured within thirty (30) days after receipt of written notice from the affected party of such breach; (v) a dissolution or liquidation of any party, or any corporate action taken by any party for such purpose; (vi) any party's insolvency or admission of its inability to pay its debts generally as they become due; or (vii) any party's voluntary filing of a bankruptcy petition or general assignment for the benefit of creditors. 3.4 Effect of Termination Upon termination of this Agreement, Xantrion shall not be obligated to provide any further Services to Client and Xantrion shall have the right to remove any equipment or other Supplies belonging to Xantrion which has been installed or placed at Client's location for the performance of the Services hereunder. Client shall pay all outstanding invoices, as well as any invoices which may be submitted to Client following the date of termination for Services Fees or Supplies or costs incurred up to the date of termination, within ten (10) days of the date of termination or within thirty (30) days of the date of the invoice, whichever is later. Upon termination of this Agreement for any reason, each party shall (i) return to the other party or destroy all documents and tangible materials (and any copies) containing, reflecting, incorporating or based on the other party's Confidential Information, (ii) permanently erase all of the other party's Confidential Information from its computer systems, and (iii) if requested by the other party, provide written confirmation within ten (10) days of receiving such request that it has complied with the requirements of this section. 3.5 Survival. The terms of Sections 2, 3, 4, 5, 7, 8, 9, and 15 shall survive the termination of this Agreement. 4 Equipment, Software and Supplies 4.1 Equipment; Software; Supplies Xantrion is not responsible for compatibility issues, project delays, or other problems with Supplies (i) provided by Client, (ii) purchased by Client through a third party, or (iii) manufactured by a third party and purchased by Client from Xantrion (collectively, "Third Party Products") except if expressly recommended by Xantrion. Notwithstanding anything contained herein to the contrary, in the event Xantrion installs a Third Party Product and such Third Party Product fails within ninety (90) days of installation, Xantrion will provide the labor to re- install the product free of charge. 866.926.8746 6 www.xantrion.com 15834843.4 4.2 Limited Warranty Xantrion represents and warrants to Client that the Supplies, processes, and procedures employed, used, and operated by Xantrion in providing the Services will be sufficient to provide the Services at the levels of reliability represented in the description and definition of the Services. Third Party Products purchased through Xantrion are warrantied by their respective manufacturers and any applicable manufacturer's warranties will be passed through to the Client. Xantrion will only accept returns on such Third Party Products if they are defective and returned within thirty (30) days of Client's receipt of such Third Party Product. s Independent Contractor Status Client and Xantrion acknowledge and agree that: (i) Xantrion is an independent Contractor, (ii) the parties are not engaged in a joint venture, partnership, employment, or fiduciary relationship; and (iii) neither party is authorized to act as agent or incur any obligation on behalf of the other. 6 Non -Solicitation Client acknowledges that Xantrion will recruit and train personnel to provide Services for Client under this Agreement, and that this is a costly and time-consuming endeavor. Client therefore agrees not to directly, or indirectly through a third party, solicit, induce, recruit for employment, or attempt to solicit, induce, or recruit for employment, any Xantrion personnel who has performed Services for Client under this Agreement to provide the same or similar services. Client shall comply with this obligation during the term of this Agreement, and for a period of twelve (12) consecutive months after termination. Client shall be relieved of its obligations under this provision if Client first pays Xantrion the sum of the actual cost of retaining and training individual personnel. The Parties further agree that this amount shall be no less than $60,000 per individual personnel, which Client agrees accurately reflects the minimum reasonable value of Xantrion's time and costs with respect to recruiting and training personnel to work for Client. Notwithstanding any other provisions in this Agreement, the parties retain all legal remedies, at law or equity, upon violation of this provision. 7 Unauthorized Access to Data or Use of the Services Xantrion is not responsible to Client for unauthorized access to the electronic data of Client stored on Xantrion's servers ("Client Data") or the unauthorized use of the Services unless such unauthorized access or use results from Xantrion's failure to meet its obligations described in the Agreement. Client is responsible for the use of the Services by any employee or consultant of Client, other than Xantrion, any person to whom Client has given access to the Client Data, and any person who gains access to the Client Data or Services as a result of Client's failure to use reasonable security precautions, even if such use was not authorized by Client. 866.926.8746 �Aml w.xantrion. com i58,asa', a 8 No Warranties; Limitations of Liability; Indemnification 8.1 No Warranties EXCEPT AS PROVIDED IN SECTION 1.1 (SERVICES) AND SECTION 4.2 (LIMITED WARRANTY), XANTRION EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH REGARD TO THE SERVICES PROVIDED HEREUNDER, AND WITH REGARD TO ANY THIRD PARTY PRODUCTS, INCLUDING IN EACH CASE ANY WARRANTY OF NON -INFRINGEMENT, AND ANY AND ALL WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ARISING FROM THE COURSE OF DEALING BETWEEN THE PARTIES OR USAGE OF TRADE. THESE DISCLAIMERS OF WARRANTY AND LIMITATIONS OF LIABILITY CONSTITUTE AN ESSENTIAL PART OF THIS AGREEMENT. 8.2 Limitation of Liability IN NO EVENT WILL XANTRION, WHETHER IN CONTRACT, TORT, EQUITY OR OTHERWISE, BE LIABLE FOR: (1) ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES (EVEN IF SUCH DAMAGES ARE FORESEEABLE, AND WHETHER OR NOT EITHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED WARRANTY.); OR (11) COSTS OF PROCUREMENT OF SUBSTITUTE PRODUCTS OR SERVICES, SUPPLIES, LOST PROFITS, LOSS OF DATA; OR (III) ANY DIRECT DAMAGES ARISING FROM OR RELATING TO THIS AGREEMENT, TO THE EXTENT THAT THE AGGREGATE AMOUNT OF SUCH DAMAGES EXCEEDS THE AGGREGATE SERVICES FEES ACTUALLY PAID BY CLIENT HEREUNDER IN THE SIX (6) CALENDAR MONTHS BEFORE SUCH CLAIM AROSE; PROVIDED THAT SUCH LIMITATION OF LIABILITY SHALL NOT EXTEND TO DIRECT DAMAGES INCURRED AS A RESULT OF THE WILLFUL MISCONDUCT OF XANTRION OR ITS EMPLOYEES. THE PARTIES AGREE THAT THE LIMITATIONS IN THIS SECTION ARE INTEGRAL TO THE AMOUNT OF FEES CHARGED IN CONNECTION WITH THIS AGREEMENT AND THAT, WERE XANTRION TO ASSUME ANY FURTHER LIABILITY, SUCH FEES WOULD OF NECESSITY HAVE BEEN SUBSTANTIALLY HIGHER. 8.3 Indemnification To the fullest extent permitted by law subject to the limitations set forth in this Agreement„ Xantrion shall indemnify and hold harmless, and defend the Client, its officers, agents, employees and volunteers (collectively, the "Client Indemnitees") from and against any and all suits, actions, legal proceedings, claims, demands, damages, losses and expenses which may be made by individuals or organizations, including, but not limited to attorneys' fees, expert fees and all other costs and fees of litigation (each a "Claim" and collectively the "Claims"), arising out of or resulting from the Xantrion's negligence or willful misconduct in the performance of the Services. The acceptance or approval of Xantrion's Services by Client or any of its directors, officers or employees shall not relieve or reduce Xantrion's indemnification obligations. However, to the extent that any Claim arises from, relates to, or is in connection with, the negligence or willful misconduct of the Client Indemnitees, or any of them, then Xantrion's indemnification obligation and liability hereunder for the Claim shall be reduced in proportion to the Client Indemnitees' total share of liability for the Claim as a result of the Client Indemnitees' negligence or willful misconduct. 366.926.8746 8 www.xantrion.com 1581484;.1 9 Confidentiality 9.1 Definition The term "Confidential Information" as used in this Agreement shall mean any information disclosed, directly or indirectly, by a party (the "Discloser") to the other party (the "Recipient") that may reasonably be considered proprietary or confidential including, without limitation, the Discloser's operational and business methods and practices, economic and financial information, know-how, recommendations, instructional methods, Client Data (as defined below), software and information systems, technical processes, products, product designs, machinery, research and development, intellectual property, and any material embodiments thereof. Notwithstanding the foregoing, the term "Confidential Information" shall not include any information that (i) is or becomes generally available to the public other than as a result of the Recipient's breach of this agreement; (ii) is or becomes available to the Recipient on a non -confidential basis from a third -party source, provided that such third party is not and was not prohibited from disclosing such Confidential Information; (iii) was in Recipient's possession prior to the Discloser's disclosure hereunder; or (iv) was or is independently developed by Recipient without using any Confidential Information. 9.2 Confidentiality The Recipient agrees to (i) take reasonable measures to protect and safeguard the confidentiality of, and avoid disclosure and unauthorized use of, the Discloser's Confidential Information with at least the same degree of care as the Recipient would protect its own Confidential Information, but in no event with less than a commercially reasonable degree of care; (ii) not use the Discloser's Confidential Information, or permit it to be accessed or used, for any purpose other than to exercise its rights or perform its obligations under this Agreement; and (iii) not disclose any such Confidential Information to any person or entity, except as required to assist the Recipient to exercise its rights or perform its obligations under this Agreement. Disclosure of Confidential Information is not prohibited if such disclosure is compelled pursuant to a legal proceeding or is otherwise prescribed by law. If the Recipient receives a request to disclose any Confidential Information pursuant to the order or requirement of a court, administrative agency, or other governmental body, the Recipient, prior to disclosing any Confidential Information, and, except as may be prohibited by law, will notify the Discloser of such requirements to afford the Discloser the opportunity to seek a protective order or other remedy. Xantrion representatives and contractors, shall only access Client systems and data as is necessary to perform the Services agreed to. Client understands that Xantrion representatives may share access with other vendors 866.925.8745 ,,wv,v.xantrion.Co, m 158118421 I to the limited extent required to perform the Services. Notwithstanding the foregoing, when access to criminal justice data or systems is necessary to perform the Services, Xantrion agrees that its designated representatives will comply with Client's requirements for access to such systems and information, including but not limited to fingerprinting and a satisfactory background check, as a precondition to being granted access to those systems or data. 10 Compliance None of the Services or underlying information or technology may be downloaded, exported, or re-exported into any country to which the United States has embargoed goods, or to any individual or entity that has been denied export privileges by the U.S. Treasury Department or the U.S. Department of Commerce. By using the Services, Client is agreeing to the foregoing and Client is representing and warranting that Client is not a national resident of, or located in or under the control of, any country subject to such export controls. 10.1 Protection of Personally Identifiable Information The parties agree to use commercially reasonable security precautions to protect Personally Identifiable Information, "PII", (as hereafter defined) transmitted to or from, or stored at, Xantrion's data centers. Client must comply with the laws applicable to Client's use of the Services and with Xantrion's policies and procedures, as may be amended. Client agrees to cooperate with Xantrion's reasonable investigation of Service outages, security problems, and any suspected breach. For purposes of this Agreement, "PII" means (i) any information that identifies an individual, such as name, social security number or other government issued number, date of birth, address, telephone number, biometric data, mother's maiden name, or other personally identifiable information; (ii) any "non-public personal information" as that term is defined in the Gramm -Leach -Bliley Act found at 15 USC Subchapter 1, § 6809(4), and (iii) any "protected health information" as defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The parties agree to comply with the applicable provisions of HIPAA, the requirements of any regulations promulgated thereunder including, without limitation, the federal privacy regulations as contained in 45 CFR Parts 160 and 164 (the "Federal Privacy Standards"), the Electronic Transaction Standards (45 CFR Parts 160 and 162) the Security Standards (45 CFR Parts 160, 162 and 164), and the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), Public Law 111-05 and regulations promulgated thereafter. The parties further agree to comply with the applicable provisions of the PROTECT Our Children Act contained in 42 USC 13032 and 18 USC 2258A . 10.2 Compliance with Laws Applicable to Client As it pertains to Client's Confidential Information and/or Data stored or managed by Xantrion, Xantrion will comply with any and all confidentiality, security, privacy and or compliance requirements, rules and/or regulations imposed on Client by local, state or federal authorities, agencies, regulatory agreements and or laws 866.926.8746 10 www.xantrion.com 15834843 d to the extent Client has provided to Xantrion in writing the specific requirements to satisfy said confidentiality, security, privacy and or compliance requirements, rules and/or regulations. 10.3 Compliance with Software Manufacturer's Licensing and Allowed Usage Requirements Client acknowledges its obligation to comply with all provisions of software manufacturer's licensing and allowed usage requirements. Client agrees to honor the provisions of the "Microsoft Cloud Agreement" incorporated herein by reference. 11 Security Incident Response 11.1 Obligations Xantrion acknowledges its obligation to support Clients in the event of a Security Incident. Services we will perform and the basis on which they will be billed are described in the Addendum — Services. 11.2 Disclaimer Xantrion does not represent that any service will prevent a security incident. Nor do we represent that we have legal expertise or expertise in forensic investigations. Clients are advised to consider purchasing cyber-liability policies to protect against the risk of a security incident. In the event of an incident, Client is advised to contact their own legal counsel to determine their obligations to report an incident, and to notify their insurance carrier of a potential claim and to permit the insurance company or its designated agents to conduct any investigation. 12 INSURANCE During the term of this Agreement, Xantrion shall, at its own expense, maintain and carry insurance with financially sound and reputable insurers, in full force and effect that includes, but is not limited to: Insurance Type Description of Liability covered Aggregate Limit Cyber Liability, Privacy/Network Data breach of our systems or a Client system for which we $5 mm Security, Cyber Crime & Cyber are liable Including forensic costs, notification costs, credit Deception Endorsement or identity protection, extortion, regulatory action, fines and penalties. and business interruption. Third Party Crime Third Party Crime $250 K 11 Commercial General Liability Bodily injury, personal injury and property damage caused $2 mm by the business' operations, products, or injury that occurs on the business' premises. Errors and Omissions Liability Claims made by Clients for failure to provide products or $5 mm services, inadequate work or negligent actions. Workers Compensation On the job injury $1 mm Employment Practices Liability Claims made by employees alleging discrimination (based on $1 mm sex, race, age or disability, for example), wrongful termination, harassment and other employment -related issues, this also extends to Third Party — Clients, Vendors, etc. 13 Other Insurance Provisions 13.1 Except for professional liability insurance or worker's compensation insurance, the insurance policies shall be specifically endorsed to include Client, its officers, agents, employees, and volunteers, as additional insureds under the policies. 13.2 The additional insured coverage under Xantrion's insurance policies shall be "primary and noncontributory" with respect to any insurance or coverage maintained by Client and shall not call upon Client's insurance or self- insurance coverage for any contribution. The "primary and noncontributory" coverage in Xantrion's policies shall be at least as broad as ISO form CG20 0104 13. 13.3 Except for professional liability insurance or worker's compensation insurance, the insurance policies shall include, in their text or by endorsement, coverage for contractual liability and personal injury. 13.4 By execution of this Agreement, Xantrion hereby grants to Client a waiver of any right to subrogation which any insurer of Xantrion may acquire against Client by virtue of the payment of any loss under such insurance. Xantrion agrees to obtain any endorsement that may be necessary to effect this waiver of subrogation, but this provision applies regardless of whether or not Client has received a waiver of subrogation endorsement from the insurer. 13.5 Xantrion's worker's compensation insurance shall be specifically endorsed to waive any right of subrogation against Client. 13.6 Xantrion shall cooperate with Client in providing Client with copies of all insurance provisions or endorsements required by this Agreement. 12 14 Harassment Free Workplace; Nondiscrimination Xantrion and Client mutually commit to observing the highest standards of conduct in maintaining an environment that is free of discrimination, including harassment of any kind and on the basis of a legally protected status. Accordingly, Xantrion and Client will not tolerate any form of harassment against anyone, including employees, vendors, independent contractors, or guests. Xantrion and Client understand and acknowledge their legal obligation both, not to engage in, and to report any unwelcome conduct, whether verbal, physical, sexual, or visual, and that is based upon a person's protected status. Xantrion and Client shall not discriminate, in anyway, against any person on the basis of age, sex, race, color, religion, ancestry, national origin or disability in connection with or related to the performance of their duties and obligations under this Agreement. 15 Miscellaneous 15.1 Notices All notices under this Agreement shall be sent to a party at the respective address indicated in the introductory paragraph hereof, or to such other address as such party shall have notified the other in writing. All such notices so addressed shall be deemed duly given (a) upon delivery, if delivered by courier or by hand (against receipt); or (b) three days after posting, if sent by certified or registered mail, return receipt requested. 15.2 Governing Law This Agreement shall be construed and controlled by the laws of the State of California, without reference to conflicts of law principles. To the extent that any lawsuit is permitted under this Agreement, the parties hereby expressly consent to the personal and exclusive jurisdiction and venue of the state and federal courts located in Marin County, California. 15.3 Remedies The parties agrees that remedies at law for a breach or threatened breach of any of the provisions of this Agreement, including any disclosure or use of the Confidential Information, may be inadequate and, in recognition of this fact, in addition to all other remedies available at law, the parties will be entitled to seek specific performance or injunctive relief to enforce the terms of this Agreement. -).za uispute Kesomiion; Attorney's Fees Xantrion and Client agree to each use its best efforts to mutually resolve any claim, controversy, liability or dispute arises between the parties relating to or in connection in any way with this Agreement or its interpretation, validity or enforcement (collectively, "Disputes" or, in the singular, "Dispute"). 866.926.8746 13 �,vw�ni.xantrion.com 153143113 1 Failing that, and unless otherwise agreed by the parties in writing, such dispute shall be adjudicated by final, binding arbitration under the auspices, and in accordance with then -applicable commercial arbitration rules and procedures, of JAMS, Inc. ("JAMS") at JAMS' San Francisco offices. The arbitrator shall be mutually -agreed upon by the parties to the arbitration. If the parties cannot agree upon an arbitrator within ten (10) business days after the filing of any demand for arbitration or statement of claims with JAMS (or, if a party is asked to participate in the joint selection of an arbitrator, but is unresponsive or otherwise does not do so within the foregoing time period), then JAMS shall select as arbitrator a retired judge having at least ten (10) years' experience in industry -related disputes pursuant to its normal procedure for selecting an arbitrator when parties cannot agree upon an arbitrator. The parties to the Dispute shall share equally in the costs of arbitration. If any party to the Dispute fails or refuses to pay its portion of JAMS arbitration -related administration fees or arbitrator's fees in a timely manner, the other party to the Dispute may, at its election, pay such fees and proceed with the arbitration without the participation of the party who fails or refuses to pay its share of such fees, and any final arbitration award shall require the non-paying party to reimburse the paying party for such fees and costs. The arbitrator shall have the power to award only such damages, remedies, or relief that would be available in a court otherwise having jurisdiction of the matter, but no other damages, remedies or relief. The arbitrator shall render all rulings and make all adjudications based solely upon the law governing the claims, counterclaims and defenses pleaded and shall not invoke any basis (including, without limitation, notions of "just cause") other than such controlling law. The arbitrator shall have the authority to issue an award that provides for both legal and equitable relief, as applicable, including, without limitation, an order for issuance of a temporary or preliminary injunction. Notwithstanding the foregoing, the parties may avail themselves in the court of the rights and remedies provided by Section 1281.8 of the California Code of Civil Procedure. In any arbitration proceeding commenced under this section, the merits hearing (i.e., trial) shall begin by no later than ninety (90) calendar days after the filing of any demand for arbitration or statement of claim with JAMS. The arbitrator shall prepare a written statement of decision and award within five (5) business days following the conclusion of the arbitration merits hearing. Judgment on the decision, award or other order of the arbitrator may be confirmed and entered by the court. The decision of the arbitrator shall be final and conclusive, and the parties hereby waive the right to trial de novo or appeal, excepting only for the purpose of confirming the arbitrator's decision, award or other order and entering judgment thereupon, for which purpose the court shall have sole and exclusive jurisdiction. Such confirmation and entry of judgment may be obtained by ex parte application. Additionally, any petition to compel arbitration and any other legal proceeding seeking to enforce or avoid arbitration under this Agreement shall be filed and litigated exclusively in the court. The prevailing party in any arbitration of a Dispute shall be entitled to recover from the other party or parties the reasonable attorneys' fees and costs (including all costs of collection and recovery of any monies adjudicated to be due), experts' fees and costs, arbitration administrative fees, court filing and other fees, and arbitrator's fees that the prevailing party actually incurs in connection with that proceeding and any related -action or proceeding in the court; however, the parties agree that, in the event a party to the Dispute is adjudicated to be 866.926.8746 14 www xantrion.com 15834843 4 a prevailing party, that party shall seek to recover attorneys' fees under this section for the services performed only by two (2) attorneys from the same law firm retained by that party. In the event this provision is adjudicated to be unenforceable or the parties to the Dispute jointly elect to seek an adjudication of their dispute in a judicial forum, the foregoing fees and costs recovery provision shall apply with equal force to that judicial adjudication of the Dispute. 15.5 Force Majeure Neither party shall be deemed to have defaulted or breached hereunder, nor shall it hold the other party responsible for any cessation, interruption or delay in the performance of its obligations hereunder due to earthquake, flood, fire, storm, natural disaster, act of God, war, terrorism, hostile or warlike action including cyber or armed attacks in times of peace or war by a government or sovereign power, labor strike, lockout, boycott, or other similar events beyond the reasonable control of such party (collectively, "Force Majeure"), provided that the party relying upon this provision: (i) gives prompt written notice thereof, and (b) takes all steps reasonably necessary to mitigate the effects of the Force Majeure event. 15.6 Headings Headings used in this Agreement are for reference purposes only and shall not be deemed a part of this Agreement. 15.7 Severability If any provision in this Agreement is found or held to be invalid or unenforceable by a court of competent jurisdiction, then (i) the validity of other provisions of this Agreement shall not be affected or impaired thereby, and (ii) such provision shall be enforced to the maximum extent possible so as to effect the intent of the parties and shall be reformed without further action by the parties to the extent necessary to make such provision valid and enforceable. 15.8 No Waiver A waiver of a breach or default under this Agreement shall not be a waiver of any other breach or default. Failure of either party to enforce compliance with any term or condition of this Agreement shall not constitute a waiver of such term or condition unless accompanied by a dear written statement that such term or condition is waived. 15.9 No Assianrmen' Client shall not assign this Agreement without the prior written consent of the other party, which consent shall not be unreasonably withheld, except in the event of a merger, acquisition, or sale of substantially all of Client's assets. Subject to the foregoing, this Agreement shall inure to the benefit of the parties' permitted successors and assigns. 866 926.87/16 15 ,�v�wv xantricr corn 1583,1843 4 15.10 City Business License / Other Taxes. Xantrion shall obtain and maintain during the duration of this Agreement, a City of San Rafael business license as required by the San Rafael Municipal Code. Xantrion shall pay any and all state and federal taxes and any other applicable taxes. Client shall not be required to pay for any Services or work performed under this Agreement, until Xantrion has provided Client with a completed Internal Revenue Service Form W-9 (Request for Taxpayer Identification Number and Certification). 15.11 Entire Agreement; Modification This Agreement, and any attachments hereto, contains the entire understanding of the parties with respect to the matters contained herein. This Agreement shall supersede any prior understanding or agreement, written or oral between the parties. In the event of any conflict between the terms hereunder and any attachment, these terms shall govern unless such attachment expressly states that the terms and conditions of the attachment shall control. There are no promises, covenants or undertaking other than those expressly set forth herein, and any other terms and conditions are rejected regardless of content, timing or method of communication. Any deviations from or additions to the terms of this Agreement must be in writing and will not be valid unless confirmed in writing by duly authorized officers of Xantrion and Client. 866.926.8746 16 www.xantrion.com 15834843.4 15 Counterparts This Agreement may be executed in counterparts, and each counterpart shall have the same force and effect as an original and shall constitute an effective, binding agreement on the part of each of the undersigned. This Agreement may be executed and delivered by facsimile transmission, by electronic mail in ".pdf," or any electronic signature complying with the U.S. federal ESIGN Act of 2000 (e.g., www.docusign.com). IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first written above. Signed: a-.17A i 7k&* Printed: Anne Bisagno Title: President Company Xantrion, Inc. Date: September 4, 2024 CITY OF SAN RAFAEL By: Cristine Alil�loct 12, 2024 410:44 PDT) CRISTINE ALILOVICH, City Manager G111111:141111 Brenna Narmi (for) Bi enna Nurmi (for) (Oct 14, 2024 07:35 PDT) LINDSAY LARA, City Clerk APPROVED AS TO FORM: 20be`t T EV&/h ROBERT F. EPSTEIN, City Attorney 17 ww\jv.xanr non.com 158348143 4 EXHIBIT A Addendum To The General Service Agreement Information Technology Services 866.926.8746 18 www.xantrion.com 15834843 4 866.926.8746 ADDENDUM TO THE GENERAL SERVICE AGREEMENT INFORMATION TECHNOLOGY SERVICES www.xantrion.com 15900501.4 TABLE OF CONTENTS 1 Summary Service Scope and Costs.......................................................................................................................4 2 CORE IT.................................................................................................................................................................5 2.1 Description of Services.................................................................................................................................5 2.2 Systems Administration................................................................................................................................5 2.3 Endpoint Support .........................................................................................................................................6 2.4 "Virtual Chief Information Officer" (vCIO) and Strategic Planning Services.................................................6 2.5 Limitations and Client Obligations................................................................................................................6 3 Systems Monitoring..............................................................................................................................................8 3.1 Description of Services.................................................................................................................................8 3.2 Monitoring systems......................................................................................................................................8 3.3 Monitoring hours..........................................................................................................................................9 3.4 Monitoring scope..........................................................................................................................................9 3.5 Patch Management....................................................................................................................................10 3.6 Thresholds & Monitoring Criteria...............................................................................................................10 3.7 Endpoint anti -virus and anti-malware management..................................................................................10 3.8 Client notification of monitoring alerts......................................................................................................10 3.9 Alert remediation.......................................................................................................................................10 3.10 Limitations and client obligations...............................................................................................................11 4 Managed Backups...............................................................................................................................................12 4.1 Description of Services...............................................................................................................................12 4.2 Recovery Point Objective...........................................................................................................................12 4.3 Recovery Time Objective............................................................................................................................12 4.4 Standby Server Hosting..............................................................................................................................12 4.5 System requirements.................................................................................................................................13 4.6 Effect of Termination..................................................................................................................................13 4.7 Estimating data backup costs.....................................................................................................................13 4.8 Limitations and client obligations...............................................................................................................14 5 Managed Security Essentials..............................................................................................................................15 5.1 Description of Services...............................................................................................................................15 5.2 List of Services............................................................................................................................................15 5.3 Security Incident Response........................................................................................................................15 5.4 Limitations and Client Obligations..............................................................................................................18 6 Managed Security...............................................................................................................................................19 6.1 Description of Services...............................................................................................................................19 6.2 List of Services............................................................................................................................................19 6.3 Limitations and client obligations...............................................................................................................21 7 Hosting................................................................................................................................................................21 7.1 Description of Services...............................................................................................................................21 7.2 Data location..............................................................................................................................................21 7.3 Service Level Agreement............................................................................................................................21 7.4 Effect of Termination..................................................................................................................................21 2 www.xantrion.com 15900501.4 8 Limitations applicable to all services..................................................................................................................22 8.1 Support for End Users not covered by a CORE IT agreement.....................................................................22 8.2 Policy Authoring, Audit, and Questionnaire Support.................................................................................22 9 Authorized Contacts...........................................................................................................................................22 10 Phone and Email Support hours of operation....................................................................................................22 10.1 Phone Answer.............................................................................................................................................22 10.2 E-mail processing........................................................................................................................................22 11 Rates for Services Outside of Scope...................................................................................................................23 12 Travel Expenses..................................................................................................................................................23 13 Service Level Agreement....................................................................................................................................24 13.1 Response Time............................................................................................................................................24 13.2 Service Level Credits...................................................................................................................................24 15 Costs and Service Detail......................................................................................................................................25 16 Counterparts.......................................................................................................................................................26 866.926.8746 3 www.xantrion.com 15900501.4 1 Summary Service Scope and Costs Service Name I Description I Included Services Core IT Comprehensive ITsupport for your staff, Systems ✓ Administration, Remediation, Management and Maintenance. Systems IT infrastructure monitoring designed to detect non- ✓ Monitoring functioning systems or services, in addition to conditions which may lead to instability or down time. Managed Backups Backup of systems and data to protect against loss. ✓ Includes `Best Effort" disaster recovery for data stored in our repository. Managed Security Fundamental security provisions and practices ✓ Essentials recommended for every organization Managed Security A comprehensive security offering designed to meet the Consider for needs of organizations subject to regulatory oversight and Future compliance requirements, or with a strong need to protect Implementation sensitive data. Hosting "Private Cloud" services designed to host critical business Consider for systems in highly -available redundant secure Datacenters, Future with locations in Denver and Salt Lake City. Implementation TOTAL Monthly Recurring Costs (Section 15) $97,225 15900501.4 2 CORE IT 2.1 Description of Services CORE IT is a comprehensive offering that includes technology support, administration, design, remediation, and maintenance, designed to provide the Client with: • A secure and stable Information Technology environment with exceptional up time. • A high level of employee technology support satisfaction. • A competitive advantage. • The lowest sustainable total cost of ownership. CORE IT is provided at a fixed monthly cost and includes unlimited desktop and systems support. 2.2 Systems Administration • User & Resource Management • Employee Onboarding and Termination • Hardware and Business Resource provisioning • Identity management and access control • Server, Network Infrastructure, and Endpoint Management ■ Deployment, Administration, Troubleshooting, and Remediation • Purchasing & Warranty Management ■ Replacement of systems "In Kind," at end of life • Data Backup System management • Application Management —Cloud or Server -Based • Deployment, Upgrades, Troubleshooting, & Remediation • License & Subscription Management • Vendor Coordination • Cloud -Based Voice over IP Systems • Administration, including Moves, Adds, and Changes. • Internet Connectivity ■ Vendor Management ■ Troubleshooting & Remediation • Mobile Devices & Tablets • Business Email connectivity • Office 365 apps • Other business apps (e.g., iTraklT, iRIMS, iAnnotate) 866.926.8746 5 www.xantrion.com 15900501.4 2.3 Endpoint Support • Unlimited remote support services are provided to your staff, 24 x 7 x 365. • On -site support, as required. 2.4 "Virtual Chief Information Officer" (vCIO) and Strategic Planning Services The client will be assigned a Xantrion "vCIO," whose core objective is to develop and maintain a business technology strategy that meets the business requirements and fosters growth. Detailed Services include: • Technology and Security Strategy and Advisement • Quarterly Business Review meetings • Business Continuity and Disaster Recovery Strategy • Cyber Security Risk Assessment and Mitigation Strategy • Budget Projections and Cost Management • Service Delivery Oversight ■ Client Satisfaction Oversight & Reporting • Identification and Resolution of trends or systemic issues • Support Escalation • Account Management, including agreement maintenance & resolution of billing matters • Project Coordination and Management • Incident Response Coordination 2.5 Limitations and Client Obligations 2.5.1 Services provided on a Time and Materials basis • Physical relocation of Staff systems. Ex: An employee wishes to move from one office location to another • Support for custom software solutions, developed specifically for your firm, and not supported by a major vendor Ex: Custom scripts, FileMaker Pro, and Access Databases are considered custom software solutions • Office Moves and Rebuilds • Business system or Infrastructure Projects that are being driven by new functionality or features 866.926.8746 www.xantrion.com 15900501.4 Ex: Cloud migrations, ERP, CRM, Accounting, or other Line of Business Application Implementation, Cloud VoIP phone migrations • Audio/Visual Systems Setup Ex: Deployment of a new videoconferencing solution, or assisting client guests with connectivity to projectors or displays 2.5.2 Warranties & Valid Support Agreements are Required Except as otherwise agreed, supported equipment, including, but not limited to: servers, shared storage, firewalls, switches, wireless access points, desktop and laptops, must carry a valid warranty and support agreement for these devices to remain with Xantrion's support scope. All line of business applications must include a valid support agreement, and the appropriate licensing to ensure compliance. 2.5.3 Spare Equipment We suggest maintaining spare staff systems to expedite setup and deployment in the event of an unexpected new hire or hardware failure. There is no additional monthly cost associated with the maintenance of spare endpoint systems. 2.5.4 Disaster Recovery Recovery from outages caused by theft of systems or environmental events such as earthquakes, floods, fire or sprinkler system activation will be performed on a time and materials basis. Clients wishing to reduce the risk of a disaster are encouraged to use cloud services or consider re- locating their systems to our secure data centers, as described in Section 7. For clients who maintain servers on -premise, we also offer Standby Server Hosting, described in Section 4.4, to reduce the time and cost associated with recovering from a disaster. 2.5.5 E-Discovery, Forensic and Breach Investigations Clients are advised that services provided as part of a CORE IT agreement are not designed to capture information required to support a forensic investigation. See also the limitations described in Section 5.3.5. 2.5.6 Abuse / Sabotage Notwithstanding other provisions, recovery from deliberate damage / sabotage to systems or data, either on -premise or in cloud, will be performed in accordance with the Time and Materials provisions of this agreement. 866. 9 26 8746 7 \NWW,xant;ion.corn 15900501.4 2.5.7 Support for Endpoints not Covered by this Agreement Support for systems not covered by this agreement is limited to the configuration and troubleshooting of secure remote access to business systems. Ex: Business email connectivity or Secure Remote Desktop. Xantrion will not provide hardware support for these systems out of scope; any operating system - level or networking support required to establish secure remote connectivity to business resources will be provided on a Time & Materials basis. 2.5.8 Web Content Development Xantrion does not manage web site content development or administration. We are happy to provide vendor recommendations for this purpose. 3 Systems Monitoring 3.1 Description of Services Xantrion's Monitoring services are designed to improve the overall availability, stability, and performance of the Client's critical business systems. Xantrion monitors key operating characteristics of the Client's designated systems and cloud solutions, in orderto detect and address early signs of potential system instability or failure, and to quickly identify and remediate the points of failure, in the event that a system or service outage occurs. Xantrion maintains a history of operating data which can be used as a benchmark for "normal" operations and to aid in the troubleshooting process. Note that while network breaches may be detected as a result of consequential anomalies in network operations, this service is not designed to provide intrusion detection or prevention and should not be relied upon for these purposes. 3.2 Monitoring systems Xantrion's central monitoring systems are located in secure datacenters. Data is gathered from client operating environments, using a combination of probes and agents installed directly on servers and endpoints. Data is also gathered from additional sources external to the client environment to provide a comprehensive overview of system status. Examples of external monitoring include: round-trip email flow, RDS host availability, and Office 365 status. 866.926.8746 www.xantrion.com 15900501.4 3.3 Monitoring hours Automated monitoring occurs 24 x 7 x 365. Engineers observe and remediate issues "live," from 6 AM to 7 PM PST, Monday through Friday. On request, Xantrion can establish a limited number of alerts which will trigger a notification to our live After -Hours answering service. The answering service will then contact an available engineer off -hours, alerting them to the issue raised by the system. 3.4 Monitoring scope The scope of Monitored Systems is dependent upon several factors, including client -specific requirements, capabilities of the monitoring services, and limitations of the systems being monitored. We recognize that client monitoring requirements are constantly changing as new systems are released and cloud services evolve. Our centralized monitoring systems are similarly evolving in terms of capacity and capabilities. Please discuss any specific monitoring needs with your vCIO, so that they may determine whether or not they can be met. The list below provides a sample of services & systems we will attempt to monitor: On Premises Systems Server hardware health Remote Server Management systems (DRAC / iLO) System resource utilization Disk utilization and 1/0 Warranty status Service availability Application level monitoring Active Directory SQL Exchange Internet Information Services UPS systems availability and battery health Networking devices System Resource Utilization Traffic Throughput 866,926.8746 Shared Storage RAID and Disk health LUN utilization SaaS, Websites & External Services Availability of Services Response times TLS/SSL certificate validity DNS resolution Expected page verification Synthetic email route trip testing Security Monitoring Antivirus health Windows patching health Privileged access groups changes Common account names monitoring Outboard firewall port blocking SFP monitoring 9 www.xanzilon.com 15900501.4 3.5 Patch Management Xantrion will manage patch deployment to systems, including servers, infrastructure devices, and endpoints, using our patch management solution. Xantrion conducts a literature review of all critical and security operating system updates as they are released by Microsoft. Prior to general release, deployment is tested on Xantrion's systems and on systems that clients have asked to be included within our patching test group. Xantrion will identify and withhold any patches that are deemed problematic. Approved patches are deployed monthly to workstations and laptop endpoints, and quarterly to servers. 3rd-party Application patching is provided for a select list of supported applications. 3.6 Thresholds & Monitoring Criteria Xantrion leverages a set of alerting conditions and thresholds within the central monitoring solution that have been developed and tuned, through a combination of manufacturer's Best Practice recommendations, in addition to real -world conditions. These thresholds are designed with the stability, uptime and health of your systems in mind, and should not be customized. 3.7 Endpoint anti -virus and anti-malware management Xantrion will manage the licenses, automated deployment, troubleshooting, and administration associated with the anti -virus and anti-malware solution, for all clients with a Core IT agreement, and for clients who have elected to bundle this offering with systems monitoring. 3.8 Client notification of monitoring alerts If requested, Xantrion will copy any recipients that you designate on automated alert notifications. For urgent and impactful issues, an Engineer will attempt to reach you by phone. For all other issues, we will reach out via e-mail. 3.9 Alert remediation Xantrion Engineers will attempt to contact Client for authorization before performing any remediation work outside of the standard Core IT agreement. If we are unable to contact you, we will use our best judgement in determining whether or to proceed without authorization. Examples of situations where we may act if we are unable to reach you could include: 866.926.8746 www.xantrion.com 15900501.4 • The affected system is covered under a CORE IT contract and therefore remediation work is included. • E-mail system is completely down. • Internet connectivity outage. • Remediation of issues that are determined to be the direct result of managed patching. 3.10 Limitations and client obligations The provisions listed in this section apply only to clients whose systems are not covered under a CORE IT agreement, or those with a "Monitoring -Only" Agreement. 3.10.1 Identification of Systems to be monitored You will provide us with a list of systems and/or cloud services that you want us to monitor. For hardware systems on -premise, we require the following information: ■ Device name ■ IP address • Hardware information (type, model, serial number) ■ Administrative Login Credentials ■ Physical location 3.10.2 Changes to monitoring Requests to add or remove systems or devices from the monitored scope should be sent in writing to support@xantrion.com. 3.10.3 Advance notification of systems maintenance We ask that you notify us in advance of planned maintenance that will impact services and system uptime, so that we can suspend monitoring and avoid "false alarms." 3.10.4 Remediation of issues resulting from patching Client acknowledges that Xantrion's strategy for repairing an unstable system after patching may be, at our discretion, restoring from backup. Systems not covered by a CORE IT or Managed Backup agreement will be repaired on a time and materials basis. 850.926 8 71C 11 w\/vvv.xantrion.com 15900501.4 4 Managed Backups 4.1 Description of Services Xantrion will work with the Client to design a managed backup strategy that meets the business' Disaster Recovery and Data Retention requirements. Services will include: • Automated monitoring to ensure backups are completing successfully. • Engineer review of backup -related alerts during the business day. • Data retention as required by the Client (e.g. 30 days, 1 year, 7 years) • Quarterly auditing of the backup selection lists and file restore testing. • Annual test restores of a database or server critical to business operations. • Remediation of any issues related to the managed backup solution. • Restoration of files and servers as requested, subject to the limitations described in Sections 4.3 and 4.4 • Encryption of backup data "in transit" and "at rest" when replicating to Xantrion datacenters. • Optional "cloud -to -cloud" backups for supported cloud services: e.g. Office 365 • An optional on -premises "backup appliance." 4.2 Recovery Point Objective Servers are backed up nightly, by default. 4.3 Recovery Time Objective Data recovery requests will be handled in a timely manner, with restore times being subject to a number of factors (ex: internet bandwidth, etc.) File recovery, dependent upon data size, can generally be performed immediately upon notification. Recovery of an entire server may take 24 hours or longer. 4.4 Standby Server Hosting For clients storing backups in our datacenter, Xantrion maintains spare hosting capacity to allow for recovery in the event of a local disaster impacting client systems (ie: theft, earthquake, fire, flood) • This operation can take 24 to 72 hours and is subject to the availability of resources. • This agreement includes the cost of 1 month of hosting in our datacenters, should long-term failover be required. • Xantrion has a client concentration in the San Francisco Bay Area. Resource availability is *not* sufficient to permit the immediate recovery of all clients in the event of a regional disaster. 866.926.8746 www.xantrion.com 15900501.4 • Xantrion offers secure server hosting (described in Section 7) for clients who wish to ensure business continuity in the event of local disaster. 4.5 System requirements • Client systems must be compatible with Veeam, the backup software on which our platform is built. • Client internet services must be sufficient to permit the nightly replication of critical business systems. • As a conservative rule of thumb, assume at a minimum that data will change 5% per day and that 5 GB of data can be moved off -site per day for every 1 Mb/s of available internet upload bandwidth capacity. 4.6 Effect of Termination • Upon termination of the service agreement, unless otherwise requested, Xantrion will delete all copies of your data from our datacenter infrastructure. • In the event of termination, requests to export backup archives (ie: removable storage media) will be fulfilled on a time and materials basis. 4.7 Estimating data backup costs The client's estimated monthly recurring costs associated with managed backups, calculated on a per - GB basis, are listed in Section 15. The amount of data being held in aggregate by our hosted infrastructure is dependent upon several factors, including: • The amount of data being protected • Daily data change rate • The degree to which original data can be compressed and deduplicated in the backups • Retention periods The table below provides a guideline to estimate the total amount of data you will store in our hosted backup infrastructure, based on the amount of data on your servers that we protect and your retention period. Your actual costs may vary from these. GB of compressed data in the Retention backups per GB of original data being Off -site Storage Schema period protected Typical case High case 13 vnrn,vv.xant. ion.com 15900501.4 30 days 1 : 1 : 2 1 Daily incremental backups for the first 30 days + 1 Full backup Daily incremental backups for the 90 days 2 : 1 3 : 1 first 30 days + 3 x Monthly full backups Daily incremental backups for the first 30 days + 1 year 5: 1 8: 1 3 x Monthly full backups 3 x Quarterly full backups 1 x Annual full Backup Daily incremental backups for the first 30 days + 7 Years 8: 1 10 : 1 3 x Monthly full backups 3 x Quarterly full backups 7 x Annual full backups Example: • Data stored on your systems: • Retention Period: • Estimated Data stored on our systems: • Cost per Stored GB • Total Monthly Cost 4.8 Limitations and client obligations 1,000 GB 1 Year 5,000 to 8,000 GB Given in Section 15 Actual Data stored * Cost per stored GB Clients must define data retention requirements and notify us of any changes to these requirements. Clients with systems not covered by a CORE IT agreement must identify which systems should be included in the scope of the backups. Searches of electronic data, restoration of historical data for the purpose of legal investigations will be performed under the time and materials provisions of this agreement. It is not feasible to ensure the backup of laptop and desktop systems with a high degree of confidence. Backups of laptop and desktop endpoints, if requested, are performed on a `Best Effort" basis. As a Best Practice, all sensitive data should be stored on server hardware or in a secure cloud environment. 866.926.8746 14 www.xantrion.com 15900501.4 5 Managed Security Essentials 5.1 Description of Services Xantrion's Managed Security Essentials service helps clients achieve an enhanced cybersecurity posture and implement appropriate defensive safeguards to address common cybersecurity threats. 5.2 List of Services The following services are included in Managed Security Essentials: 5.2.1 Security Awareness Training End users may subscribe to Xantrion's standard security awareness training program. This program will consist of periodic email security testing and optional online video -based training. 5.2.2 Multi -Factor Authentication Xantrion will supply and manage an approved multi -factor authentication system. 5.2.3 Mobile Application Management Xantrion will supply and manage an approved mobile application management system. 5.2.4 Advanced Internet Filtering Xantrion will deploy advanced internet filtering technology to laptops, extending internet filtering to these devices when they are outside the corporate network. Internet filtering includes the detection of malware and blocking of malicious domains. 5.3 Security Incident Response 5.3.1 Overview Xantrion will assist our clients in responding to Security Incidents affecting their information systems within the limitations of existing agreements. Client Security Incidents are handled according to Xantrion's pre -defined Security Incident Response Policy. Please see Section 5.4 regarding limitations on services provided pursuant to this provision. 5.3.2 Definitions Security Event: Any observable change or occurrence in a system. Certain correlated events may become Security Alerts through automated analysis. 866.92)6.8; lc, www.xantnon.com 159005014 Security Alert: Notifications that a certain event or series of events have occurred. Alerts can be generated from automated systems or received in the form of user request to our service desk. Security Alerts may be escalated to become Security Incidents. Security Incident: A single or series of security events that, as assessed by Xantrion, have a significant likelihood of threatening information security and impacting business operations. Containment: Containment of a Security Incident are tasks performed by incident responders to limit the scope and impact of an ongoing Security Incident. Recovery: Recovery from a Security Incident is the process of returning impacted systems to normal operation and removing artifacts of the incident from the system. (For example; removing malware and recovering data from backup). Recovery steps may include remediation of security vulnerabilities to prevent future incidents. 5.3.3 Classification and Prioritization Xantrion classifies Security Alerts into 4 categories: Category I Description Insufficient Xantrion does not have the required information to properly classify Information this alert. Additional information is required from the client to continue processing this alert. Harmful The alert is identified as an attack or attempted attack that may result in damage or unauthorized access to information systems. The cause of the alert has rendered the Client's infrastructure vulnerable or compromised. Harmful alerts are escalated as Security Incidents. Harmless The alert is identified as a known attack, attempted known attack or reconnaissance effort. The client's systems are not considered vulnerable or compromised. The alert may be falsely triggered, is informational, or has been False Positive determined to be benign. 15900501.4 Xantrion prioritizes Security Incidents, based on their functional, informational, and recoverability impact: Priority Description High The incident impacts critical business functions. Represents a high likelihood of impacting information availability or confidentiality or requires a significant recovery effort. Medium The incident impacts multiple users. Represents a medium likelihood of impacting information availability or confidentiality. Recoverability effort is expected to be less than 24 hours. Low The incident is limited in scope and does not significantly impact business operations. There is a low likelihood of impacting information availability or confidentiality the recovery effort is minimal. 5.3.4 Detection Security Incidents are declared solely by Xantrion based a variety of sources including automated analysis and reports from end users. Xantrion will assess incoming Security Alerts to determine if a Security Incident is occurring or has occurred. 5.3.5 Notification Xantrion will notify our clients within 24 hours after a High or Medium priority Security Incident has been declared within the environment. 5.3.6 Containment and recovery For systems covered by CORE IT, Xantrion will perform all reasonable tasks to contain a Security Incident and once contained, recover systems to normal operation. 5.3.7 Post -Incident activity An Incident Report will be produced by Xantrion for all High and Medium priority Security Incidents. The report will be limited to Xantrion's involvement in the incident including: a summary of the incident, timeline of events, impact analysis, containment and recovery steps, root -cause analysis, and any additional recommended actions. 866.92-5.8745 17 www.xanUion.com 15900501.4 5.4 Limitations and Client Obligations 5.4.1 Disclaimer of Warranty Information security and compliance is a wide-ranging discipline which requires the involvement from all parts of a business. Xantrion's expertise and this service are limited specifically to the technical cybersecurity aspects of a comprehensive information security program. It is important to understand that subscribing to this service alone does not guarantee compliance with any law or regulation nor guarantee the absolute security of your systems. 5.4.2 Data Security Responsibility Client acknowledges and agrees that Xantrion does not provide legal services or warrant that the services or products provided or obtained on client's behalf will ensure client's compliance with any law, including but not limited to any law relating to safety, security or privacy. 5.4.3 Missing information Client is responsible for providing missing information for alerts classified as "Insufficient Information". If client fails to supply such information Xantrion may send a reminder or close the alert. 5.4.4 Incident Response It is the responsibility of the client to direct Xantrion's response to an incident according to their own policies and procedures, especially if evidence must be preserved, or a forensic investigation is expected. Clients are advised to maintain their own incident response plan including their own reporting requirements. The primary goal of Xantrion's incident response service is to contain and recover from Security Incidents. Client is aware that Xantrion may take immediate action without notification to contain and recover from a detected incident. Certain containment and recovery actions may hinder future forensic investigations. Xantrion's capabilities to assist with containment and recovery are limited for systems not covered by a CORE IT agreement. Containment of, and recovery from Security Incidents for these systems will be performed in coordination with the client on a best effort, time and materials basis. 5.4.5 Investigations Clients are advised that services provided under Managed Security Essentials are not designed to capture information required to support a forensic investigation. 866.926.8746 www.xantrion.com 15900501.4 Investigation including root cause analysis, preservation of evidence, attempts to determine if information was accessed or exfiltrated by unauthorized actors, or to identify unauthorized actors will be performed on a best efforts, time and materials basis. 6 Managed Security 6.1 Description of Services Xantrion's Managed Security service delivers a multi -layered cybersecurity solution tailored for small and medium businesses. The service is designed to aid clients in meeting regulatory compliance requirements and operating a secure computing environment. Managed Security requires a Systems Monitoring agreement for all covered systems. 6.2 List of Services The following services are included as part of the full Managed Security offering. 6.2.1 Cybersecurity Roadmap Xantrion will provide access to our internally developed cybersecurity standards based on industry leading control frameworks. A gap analysis will be performed, at least annually, between our developed standards and current state including recommendations for improving the client's security posture. 6.2.2 Automated Security Analysis and Alert Management Automated analysis will be performed on logs, system configurations, and other data points using metrics developed by Xantrion and its partners. Alerts will be triggered on specific pre -defined conditions and will generate a support ticket to be handled by Xantrion's Network Operations Center (NOC) or Service Desk. 6.2.3 Customized Security Awareness Training Xantrion will customize a security awareness training program using the included training platform including phishing email exercises and video -based training. 6.2.4 Log Aggregation and Management Xantrion will install a system to collect specific security logs from capable servers and network security devices. These logs will be stored for 30 days in a resilient and secure hosted location. Xantrion will provide and install necessary log collectors and configure supported systems to send logs. At the end of the retention period, log data will be permanently deleted on a first -in -first -out 866.926.87,46 19 www.xantrion.com 15900501.4 (FIFO) basis. If this agreement is terminated for any reason, Xantrion will be relieved of its obligation to store client's log data. Retention beyond 30 days is available at additional cost. 6.2.5 Vulnerability Scanning and Management Xantrion will scan Client's internal and internet facing hosts on a quarterly basis for devices covered by this agreement. The scan data will be used to identify known vulnerabilities and results summarized and delivered to client for review. For systems covered by a CORE IT agreement, critical vulnerabilities will be scheduled for remediation. For systems not covered by a CORE IT agreement remediation can be performed on a time and materials basis. 6.2.6 Sensitive Data Discovery Xantrion will scan client's network annually, or more often as mutually agreed, to discover locations where sensitive data, such as Personally Identifiable Information (PII), is stored. Results will be summarized and delivered to client for review. 6.2.7 Account Authentication Analytics Xantrion will manage an approved authentication analytics system. The system is designed to detect abnormal account behavior which may indicate compromise. 6.2.8 Identity Access Management Xantrion will manage an approved identity management system used to provide single -sign on capabilities between the client's identity provider and other systems. 6.2.9 Self -Assessment Support Xantrion will provide support If client initiates or is requested to perform a self -assessment or complete a security questionnaire by a regulating agency, or partner. Included support is limited to responding to pre -formed questionnaires. 6.2.10 Quarterly Reporting On a quarterly basis Xantrion will deliver a report describing the performance of services included in this agreement. 6.2.11 Annual Security Review Xantrion will meet with the client on an annual basis to review their cybersecurity program. Topics for review during this meeting can include: 20 www.xantrion.com 15900501.4 • Security Incidents • Existing cybersecurity policies • Latest security reports • Exceptions to standards or recommendations 6.3 Limitations and client obligations The following services can be performed according to the time and materials provisions of the General Service Agreement. • New functionality added to existing systems, including new single -sign -on integrations. • Vendor Assessments 7 Hosting 7.1 Description of Services Xantrion will host your systems on Xantrion-owned assets, configured to provide a fault -tolerant operating environment for your critical systems. 7.2 Data location Data is stored in secure DataCenter locations in the continental United States. 7.3 Service Level Agreement See Section 17 of this document. 7.4 Effect of Termination Unless otherwise agreed upon, all client data will be deleted from our hosting environment upon termination of this service. Priorto termination, in order to ensure continuity of service, at no cost, we will make server images and / or data available to Client or Client's new service provider for migration to their systems. We can perform a migration from our service to an alternate provider or provide copies of images on portable media on a time and materials basis. 866.926.8746 21 www.xantrion.com 15900501.4 8 Limitations applicable to all services 8.1 Support for End Users not covered by a CORE IT agreement Support requests for end users not covered by a CORE IT agreement must be escalated to us by the client's internal IT team. Xantrion cannot take support requests directly from end users, themselves. 8.2 Policy Authoring, Audit, and Questionnaire Support Assistance with the creation of Client's internal compliance and security policies, responses to third party audit requests for a detailed description of client's cybersecurity, business continuity and / or disaster recovery practices will be provided on a time and materials basis. E.G. regulatory examinations, ISO certification, SSAE audits, investor, insurance, or other due diligence requests. 9 Authorized Contacts The Client will provide Xantrion with a list of individuals, including e-mail addresses and mobile phone numbers, who are authorized to approve access control requests, as defined in the "Support FAQs for Liaisons" document. 10 Phone and Email Support hours of operation Our phones are answered live 24 x 7 x 365. Details of coverage as follows: 10.1 Phone Answer • Phones are answered live by our Client Service Representatives from 6:00 AM to 7:00 PM PST, Monday through Friday, excluding normal holidays. Our CSRs will make every effort to connect you to an Engineer who can assist you immediately. • If all Engineers are busy when you call, we can arrange for a scheduled call-back • Calls received outside of the defined business hours will be taken by a third -party answering service who will then patch the call to an On -Call Engineer, for resolution. 10.2 E-mail processing • For non -urgent issues and change requests, email support@xantrion.com • Expect a response within 1 business day • Do not e-mail if you need help immediately; please call 866.926 8-' www.xantrion.com 15900501.4 • E-mail requests are monitored during business hours, 9AM to 5PM PST weekdays, excluding holidays. Messages received after hours are converted into a ticket that is assigned to an Engineer at the start of the next business day 11 Rates for Services Outside of Scope Base Hourly rate C Level $260/hr. Engineer IV $230/hr. Engineer III $205/hr. Engineer II $180/hr. Engineer I $150/hr. • Business hours are 6:00 AM to 7:00 PM PST (M-F,) excluding traditional holidays. • Work outside of business hours, or scheduled less than 1 day in advance, is charged at 1.5 times the applicable base hourly rate. • Work is charged in fifteen (15) minute increments. • The minimum site visit charge is four (4) hours of service. 12 Travel Expenses • There is no charge for travel within our normal service area, defined as the 9 counties that make up the "Bay Area." • Client will be notified in advance of any travel or work outside of the Bay Area that will incur added costs. • Travel Expenses associated with work outside of the Bay Area (including transportation, hotel stays, per diem food expenses) will be billed to the client at cost. • Time associated with travel outside of the Bay Area will be billed at %: of the applicable Base Hourly Rate. 866.97_5.8716 23 win/w.xantr;on.com 15900501.4 13 Service Level Agreement 13.1 Response Time 13.1.1 Business -Critical issues For "business -critical' issues, or those that prevent a group of individuals from doing their work, Xantrion will make every effort to respond immediately. Your vCIO, if available, or a Xantrion manager, will coordinate the appropriate resources on the Xantrion side and provide you with a summary of impacted systems, a remediation plan and regular updates on progress. Xantrion will work the issue continuously until resolved, engaging Sr -level Engineering resources, subject matter experts, and vendors, as required. 13.1.2 Non -Urgent Issues and Change Requests For non -urgent issues and change requests, email support@xantrion.com Expect a response within 1 business day E-mail requests are monitored during business hours, 6AM to 6PM PST weekdays, excluding holidays. Messages received after hours are converted into a ticket that is assigned to an Engineer at the start of the next business day 13.2 Service Level Credits For each thirty (30) minutes of downtime from the time we are notified (excluding scheduled maintenance,) Xantrion will issue a credit of five percent (5%) of the total Hosted Services, Systems Monitoring or Managed Backup Fees due to Xantrion for the month in which such Critical event occurred, not to exceed the total Hosted Services, Systems Monitoring or Data Backup Fees for such month. Client is not entitled to a credit for downtime or outages resulting from circumstances beyond our control including, but not limited to, ransomware, denial of service attacks, virus attacks, or hacking attempts. 14 Client -Specific Provisions None. 866.926.8746 24 www.xantrion.com 15900501.4 15 Costs and Service Detail Type Qty Each Total Active Users 425 $213 $90,525 Managed SIEM 1 $1,000 $1,000 Backups TBs 57 $100 $5,700 Monthly Total $97,225 Annual Total $1,166,7 00 The price and employee counts will stay constant through the first year unless there are significant changes to the environment; significant defined as 10% or more of the monthly cost. 25 w\.A/w.xan rion, corn. 15900501.4 16 Counterparts This Agreement may be executed in any number of counterparts, each of which shall be deemed an original, but all of which, when taken together, shall constitute one and the same instrument. IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first written below. Signed: Printed: Anne Bisagno Title: President Company Xantrion, Inc. Date: September 4, 2024 CITY OF SAN RAFAEL By: si�41o:4aPDn CRISTINE ALILOVICH, City Manager ATTEST: Q0,MW Nu✓Yni (fo✓) Brenna Nurmi (for) (Oct 14. 2024 07:35 PDT) LINDSAY LARA, City Clerk APPROVED AS TO FORM: bbvt T FVkeih PDT, ROBERT F. EPSTEIN, City Attorney 866.926.8746 26 www.xantrion.com 15900501.4