Master Service Agreement

The Customer requires the software, hardware and services described herein, and desires to engage the Vendor to deliver said software and services.
The Vendor has agreed to deliver the said software, hardware and services in accordance with the terms and conditions of this Agreement.

NOW THEREFORE, in consideration of the mutual covenants and promises made by the Parties and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

1.1 Definitions and Schedules

In this Agreement, including the Background section and all schedules, the following words and terms shall have the meaning set out in this section below. Other capitalized terms that are not set out below shall have the meaning given to them in the body of this Agreement.

“Agreement” means this Supply Agreement inclusive of all schedules, appendices, exhibits or other documents attached hereto or incorporated herein by reference, as amended from time to time;
“Applicable Laws” means all laws applicable to the Parties;
“City” means the City of Toronto;
“Commercial Proposal” means the description of items, quantity, and Annual Contract Price for such items, to be provided as part of the Services, as set out in Schedule A, which is attached to and forms part of this Agreement;
“Contract Price” means the fixed price set out in Schedule A to be paid by the Customer to the Vendor for the Services including the Software as outlined in the Additional items may be purchased under the “Contract Price”.
“Customer Data” means all data and information provided by Customer or its Authorized Users under this Agreement, including Personal Information, business information, and financial information;
“Documentation” means user documentation provided electronically or in paper form by the Vendor for use with the Software, as may be periodically updated and provided by the Vendor;
“FIPPA” means the Freedom of Information and Protection of Privacy Act (Ontario), as such Act may be amended or suspended;
“Personal Information” has the meaning given to it in FIPPA, as applicable;
“Services” means all of the obligations set out in this Agreement that are to be satisfied by Vendor;
“Software” means the software provided by the Vendor, including optional modules;
“Hardware” means the hardware provided by the Vendor, including optional modules.

1.2 Performance of Services, Grant of Software Licence and Authorized Uses

The Vendor will perform the Services and its other obligations in accordance with the terms of this Agreement and all Applicable Laws (including, without limitation, FIPPA, PHIPA and all other applicable privacy and personal information laws).
The Vendor hereby grants to the Customer and subject to the terms of this Agreement a non- exclusive, non-transferable, sub-licensable, licence (the “Licence”) for access to the Software to use the Software solely for the Customer’s business, in accordance with the terms set out in this Agreement.
The Vendor agrees that some Software may be hosted on the Customer’s servers and installed on the Customer’s computers, and that as part of the Service the Vendor will provide specifications for server hardware and database to support the Software, and assistance with the installation, configuration and implementation of the server-side applications that make up the Software according to the requirements of the Customer.
The Vendor will install the Hardware on the network to communicate with the Software and will be in accordance with the requirements of the Customer.
The Customer shall use the Software solely for its internal business purposes and shall not make the Software available to, or use the Software for the benefit of, any third party except as expressly set forth in this Agreement. The Customer shall not (i) sell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Software except as expressly set forth herein; (ii) modify or make derivative works based upon the Software; (iii) reverse engineer the Software; (iv) remove, obscure or alter any proprietary notices or labels on the Software; (v) use, post, transmit or introduce any device, software or routine (including viruses, worms or other harmful code) which is designed to interfere with or attempts to interfere with the operation of the Software; (vi) defeat or attempt to defeat any security mechanism of the Software.

1.3 Access to the Software and Hardware by the Customer

As part of the Services and the Licence, Vendor hereby agrees to give Customer authorized users access to, and the right to use, the Software and Hardware for the purpose contemplated by this Agreement.
As part of the Services, the Vendor will do everything necessary to make the Software and Hardware comply with the requirements of this Agreement and be ready for normal use and operation by the Customer by the date agreed in the SOW.
Vendor will regularly provide upgrades and updates to the Software and the Hardware at no additional cost to the Vendor will meet the service level commitments set out in this Agreement.
Vendor represents and warrants that it owns the necessary intellectual property and licence rights in the Software and the Hardware (except for third party components, for which Vendor has the right to grant the Licence and permit the Customer to utilize for its intended use, without restriction or further cost) and the Documentation.

1.4 Conditions of Use

The Customer’s right to use the Software and Hardware is conditional upon the following. The Customer may not:
except as permitted by this Agreement, transfer to any other person any of its rights to use the Software with the Hardware;
sell, rent or lease the Software;
make the Software available to anyone who is not an “Authorized User”. An Authorized User is a Customer employee, contractor or patron, or student who is authorized by the Customer to access and use the Software;
create any derivative works based upon the Software or Documentation;
copy any feature, design or graphic in, or reverse engineer, the Software; or
use the Software or Hardware in a way that violates any criminal or civil law.

1.5 Warranties and Other Covenants

Software Warranties: Vendor warrants that:
- - - Vendor shall provide customer support in accordance with its most recently published Software Support Rates Guide as outlined in the attached Schedules;
    - the Software, Hardware and Services will meet the specifications set forth in the applicable SOW(s) attached hereto; and
    - Vendor owns or otherwise has the right to provide the Software and Hardware to the Customer and to perform all of Vendor’s other obligations under this Agreement.
Corporate and Other Warranties: Vendor warrants that, as of the date of this Agreement, Vendor:
- - - has full right, power and authority to enter into this Agreement and to perform its obligations under it;
    - is not under any obligation, contractual or otherwise, to request or obtain the consent of any person in order to enter into this Agreement and to perform Vendor’s obligations under it;
    - is a corporation, duly organized, legally existing, in good standing;
    - has the necessary corporate power to own its properties and assets and to carry on its business as it is now being conducted and to enter into this Agreement;
    - is not a party to or bound by any indenture, agreement (written or oral), instrument, licence, permit or understanding or other obligation or restriction under the terms of which the execution, delivery or performance of this Agreement will constitute or result in a violation or breach or default; and
    - all other representations and warranties made by Vendor in this Agreement are true and accurate.

1.6 Training and Support

Training for the Customer: Vendor shall provide the training described in the applicable SOW(s) as part of the Contract Price.
Support: Vendor shall provide the support services described in (SECTION 6 – Software Support Services Process) attached hereto.

1.7 Term of Agreement

Subject to earlier termination or suspension in accordance with the terms of this Agreement, the term of this Agreement will commence on the Effective Date written above and remain in effect until terminated under section 9 below.

1.8 Contract Price

The Customer shall pay the Contract Price in accordance with the Commercial Proposal attached hereto.
Vendor shall invoice the Customer annually in advance for all Annual Licence and Software or Hardware Maintenance.

1.9 Right to Terminate

Termination by Either Party. Either Party may terminate this Agreement upon the other Party’s material breach of the Agreement, provided that (i) the non-breaching Party sends written notice to the breaching Party describing the breach in reasonable detail; (ii) the breaching Party does not cure the breach within thirty (30) days following its receipt of such notice (the “Notice Period”); and (iii) following the expiration of the Notice Period, the non-breaching Party sends a second written notice indicating its election to terminate this Agreement. If the Vendor is the breaching Party, the Customer may elect to receive a refund for the balance of any pre-paid Contract Price for the period from the date of termination to the end of the period for which the pre-paid amount was paid. Upon electing to receive such refund, the refund shall be the Customer’s exclusive remedy for termination.
Termination for Insolvency, Bankruptcy: The Customer may terminate this Agreement upon thirty (30) days’ written notice if Vendor becomes insolvent, bankrupt or is otherwise unable to carry on business.
Termination for The Customer may terminate this Agreement without cause by providing no less than sixty (60) days’ written notice to Vendor.

1.10 Exclusion of Liability

Neither party shall be liable under this Agreement for any indirect, special, incidental, punitive or consequential damages under any theory of liability (whether in contract, tort, strict liability or any other theory), even if the other party has been informed of this possibility. Except for its indemnification obligations under Section 1.11 and confidentiality obligations under section 12, in no event shall either party’s aggregate liability, regardless of whether any action or claim is based on warranty, contract, tort, indemnification or otherwise, exceed the amounts paid or due by the Customer to the Vendor hereunder during the 12-month period prior to the event giving rise to such liability. The foregoing limitations shall apply even if the non-breaching party’s remedies under this Agreement fail their essential purpose.

1.11 Release and Indemnification

The Vendor now releases the Customer, its officials, officers, employees and agents from all costs, losses, damages and expenses, including those caused by personal injury, death, property damage, loss and economic loss arising out of, suffered or experienced by the Vendor, its Sub- contractors, and their respective officers, employees and agents in connection with the Software and Services under this Agreement.
Despite any insurance coverage of the Customer, the Vendor hereby agrees to indemnify and save harmless the Customer and its successors, assigns, official, employees, agents and authorized representatives and each of them (in each case an “Indemnified Party”) from and against all costs, losses, claims, damages, actions, and causes of actions (collectively referred to as “Claims”) that an Indemnified Party may sustain, incur, suffer or be put to at any time either before or after the expiration or termination of this Agreement, that arise out of: (a) a claim by a third party that the Software, Hardware, or Services infringes a patent or other intellectual property right of a third party; or (b) errors, omissions or negligent acts of the Vendor, its sub- contractors, or their respective officers, employees or agents under this Agreement excepting always that this indemnity does not apply to the extent, if any, to which the Claims are caused by errors, omissions or negligent acts of an Indemnified Party.
This indemnity will not affect or prejudice the Customer from exercising any other rights that may be available to it at law or in equity.
The release and indemnity set out above will survive the expiry or sooner termination of this Agreement.

1.12 Confidentiality

Mutual Confidentiality Obligations: As used herein, “Confidential Information” means all information of a Party (“Disclosing Party”) disclosed to the other Party (“Receiving Party”), whether orally, electronically, in writing, or by inspection of tangible objects (including, without limitation, documents or prototypes), that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes without limitation, all Customer Data (including any Personal Information of Authorized Users or others), and either Party’s business and marketing plans, technology and technical information, product designs, reports and business processes. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (iii) was independently developed by the Receiving Party without breach of any obligation owed to the Disclosing Party; or (iv) is received from a third party without breach of any obligation owed to the Disclosing Party. The Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose other than performance or enforcement of this Agreement (in accordance with FIPPA) without the Disclosing Party’s prior written consent. If Receiving Party is compelled by law to disclose Confidential Information of Disclosing Party, including under FIPPA or other public information request it shall provide Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Disclosing Party’s cost, if Disclosing Party wishes to contest the disclosure. Receiving Party shall protect the confidentiality of Disclosing Party’s Confidential Information in the same manner that it protects the confidentiality of its own confidential information of like kind (but in no event using less than reasonable care) and in accordance with FIPPA. Receiving Party shall retain Confidential Information in accordance with its standard records and data retention policies and FIPPA. Receiving Party shall promptly notify Disclosing Party if it becomes aware of any breach of confidentiality of Disclosing Party’s Confidential Information.
The confidentiality obligations set out in this Section 1.12 are in addition to Vendor’s obligation to comply with FIPPA and all other applicable privacy and personal information laws and the other security and privacy obligations set out in this Agreement.
In the course of or for the purpose of performing the Services contemplated under this Agreement, the Vendor will obtain or may have access to information, including but not limited to Customer’s data, Personal Information (including Personal Information of Authorized Users and others), technical information, financial information and business information, which is confidential to the Customer.
The Vendor will not use or reproduce the Confidential Information other than as reasonably required for the performance of the Services under this Agreement and only in accordance with The Vendor will not, without the prior written consent of the Customer given on such terms and conditions as it prescribes in its sole discretion, disclose or allow access to the Confidential Information to any person, except to only those of its own employees who have a need to know the Confidential Information solely for the provision of the Services, and who have been advised of its confidential nature and have agreed to be bound by the confidentiality and use-restriction provisions in this Section 1.12. The Vendor will take all reasonable precautions against the Confidential Information being used by or disclosed to any unauthorized person.
If the Vendor is required by any law, legal proceeding, or court or government order, to disclose any Confidential Information, the Vendor shall limit its disclosure of such Confidential Information to the extent and purpose legally required, provided that prior to any disclosure the Vendor will promptly notify the Customer in writing of the existence and the terms, and conditions of the required disclosure and, at the Customer’s request and expense, co-operate in obtaining a protective order or other assurance that confidential treatment and restrictions on use will be accorded such Confidential Information.
The Vendor confirms and acknowledges its obligations to comply with all obligations imposed on it pursuant to FIPPA (Ontario) with respect to all personal information received from the Customer whether as part of the Confidential Information or otherwise.
The Vendor acknowledges that in the event of a breach by the Vendor or any of its employees of their respective confidentiality obligations pursuant to this Section 1.12, damages alone would not be an adequate remedy. The Vendor therefore agrees with the Customer that, in addition to and without limiting any other right or remedy it may have, the Customer will have the right to an immediate injunction or other available equitable relief in any court of competent jurisdiction enjoining any threatened or actual breach of such obligations.
The Vendor shall return all copies of the Confidential Information to the Customer, in all tangible forms and media, and delete all Confidential Information resident in any databases or systems, upon the earliest of the following dates:
1. - expiration or earlier termination of this Agreement; or
  - written request of the Customer for return of the Confidential Information.
Any Software manuals or other instructional material supplied by Vendor to the Customer will be deemed, subject to the exclusions in Section 12.2, to be Vendor’s Confidential Information and the Customer will ensure that the Customer employees who are involved in the implementation and operation of the Software will comply with the obligations of this Section 1.12 in respect of such Confidential Information.
This Section 12 shall survive the expiration or earlier termination of this Agreement.

1.13 Basis of Payment to the Vendor

In consideration of the Services performed by the Vendor to the satisfaction of the Customer and in strict conformity with the terms hereof, the Customer will pay the Vendor the fees and reimbursable expenses described in the applicable SOW(s), plus HST as applicable to the sale made to the Customer hereunder.
The fees for the Services are described in this Section 1.13 and in the Schedules. Subject to Section 1.13.3, payment to the Vendor will be based on hours worked by employees of the Vendor or by the sub-contractors multiplied by the applicable hourly charge-out rates stated in the Schedules.
If there are maximum, lump sum or other limiting amounts for fees or disbursements indicated herein for the Services or for portions thereof, then notwithstanding anything to the contrary in this Agreement the maximum fees or disbursements to be paid by the Customer to the Vendor for the Services or such portions of the Services will not exceed those stated amounts, except as mutually agreed in writing. Any limit on the fees or disbursements to be paid by the Customer to the Vendor will in no way diminish the duties and obligations of the Vendor to provide the Services covered by this Agreement.
Notwithstanding any other provisions of this Agreement, Vendor shall not be entitled to payment for any Services that have not been performed in compliance with the provisions of this Agreement.
The invoice must contain:
- - - the Vendor’s name, address and telephone number;
    - the Customer purchase order number;
    - the name of the Customer’s Project Manager;
    - the invoice number and date; and
    - Tax registration number(s).

1.14 Changes to Scope of Services

The scope of Services will be set out in a Statement of Work (SOW) that both parties must sign off on prior to the commencement of such Services. This will form the basis of the final cost for the implementation of the Hardware and Software solution. The SOW will be incorporated into and subject to this Agreement.
The Customer’s Project Manager may, from time to time and at any time on prior written notice to the Vendor, vary the scope of Services to be provided by the Vendor. In that case and where this Agreement contains delivery dates and/or limits as to fees or disbursements (or a defined “Maximum Fees and disbursements”) for all or any part of the Services, such delivery dates and/or limits will be adjusted as agreed to by both Parties in writing, and failing agreement, as reasonably determined by the Customer’s Project Manager.
Should the Vendor consider that any request or instruction from the Customer’s Project Manager constitutes a change in the scope of Services that results in a change in the fees or costs associated with the provision of the Services, the Vendor will provide the Customer’s Project Manager with notice in writing within five days of such request or instruction and no increase in such fees or costs shall be incurred until the Customer has agreed, in writing, to such increase or decrease.
If the Customer determines that the professional fees payable to the Vendor should be increased due to an increase in the scope of the Services then any such increases will be based on the hourly rates set out in the Vendors’ Commercial Proposal.

1.15 Unavoidable Delay

Time of the Time shall be of the essence of this Agreement.
Except for the performance of obligations to pay money, the time periods for the Customer and the Vendor to perform under this Agreement will be extended for periods of time during which their performance is delayed or prevented due to an Unavoidable For the purposes of this Section, an “Unavoidable Delay” means any circumstances beyond the reasonable control of the party trying to perform (such as, for example, acts of God, war or other strife or governmental action, ) but expressly excludes any and all delays caused by the Vendor’s lack of financial resources, the Vendor’s insolvency, strikes, lockouts or other withdrawals of services arising out of any labour dispute involving the Customer, the Vendor or a sub-contractor; or governmental action taken in the enforcement of any law specifically against the Vendor or its sub-contractors. If an Unavoidable Delay occurs, the non-performing party will, as soon as possible after the occurrence of the Unavoidable Delay, give written notice to the other party describing the circumstances preventing continued performance and the efforts being made to resume performance of its obligations under this Agreement.

1.16 Miscellaneous

No Waiver. No action or failure to act by the Customer shall constitute a waiver of any right or duty under this Agreement, or constitute an approval or acquiescence in any breach hereunder, except as may be specifically agreed in writing by the Customer.
The invalidity, illegality or unenforceability of any portion or provision of this Agreement or the occurrence of any event rendering any portion or provision of this Agreement void shall in no way affect the validity or enforceability of any other portion or provision of this Agreement. Any void portion or provision shall be deemed severed from this Agreement and the balance of this Agreement shall be construed and enforced as if this Agreement did not contain the particular portion or provision held to be void.
Remedies Cumulative. The remedies of the Parties provided for in this Agreement are cumulative and are in addition to any remedies available to the Parties at law or in equity. No remedy will be deemed to exclude or restrict the right of a Party to any other remedies against the other Party and a Party may from time to time have recourse to one or more of the remedies specified in this Agreement or at law notwithstanding the termination of this Agreement.
Further Assurances. Each Party shall execute such further and other documents and instruments and do such further and other acts as may be necessary to implement and carry out the provisions and intent of this Agreement.
Entire Agreement. This Agreement and all Schedules and SOWs attached hereto constitute the entire agreement between the Parties with respect to the subject matter hereof, and supersede all previous communications, representations and agreements, whether oral or written, with respect to the subject matter hereof.
This Agreement shall not be amended except as specifically agreed in writing by both the Customer and the Vendor.
Joint and Several Liability of Joint Venture Participants. If the Vendor is a joint venture of two or more entities, it is understood and agreed that the grants, covenants, provisos, claims, rights, powers, privileges and liabilities of the entities who comprise the Vendor shall be joint and several.
This Agreement shall enure to the benefit of and be binding upon the Customer and the Vendor and their respective successors and permitted assigns.
Independent This Agreement is a contract for software and services and Vendor, its officers, directors, shareholders, partners, personnel, affiliates and agents of Vendor are not, nor are they to be deemed to be, partners, appointees, employees or agents of the Customer. Vendor will not represent to anyone that Vendor has any authority to bind the Customer in any way or that Vendor is an agent of the Customer.
Governing Law and Resolution of Disputes. In the event of a dispute under this Agreement, the parties will use commercially reasonable efforts to resolve such dispute including referring such dispute to successively higher levels of management within each party. If a dispute is not resolved in accordance with the foregoing, the parties may agree to have the dispute resolved by way of mediation or arbitration. If, despite the foregoing, a dispute is still not resolved, either party may commence a legal action in the courts of Ontario, in which case such courts will have exclusive jurisdiction to determine all disputes arising under this Agreement and the parties now irrevocably agree to submit all disputes to the courts of Ontario.
This Agreement will be governed by the laws of the Province of Ontario.

As evidence of their Agreement to be bound by the above contract terms, Vendor and the Customer each have executed this Agreement as of the day and year first above written.

ITC Systems

________________________________ ________________________________________ ______________________________

Signature Print Name and Title Date

[Customer Name]

________________________________ ________________________________________ ______________________________

Signature Print Name and Title Date

SECTION 2 – [BLANK]

SECTION 3 – Software Support

Support Services are effective upon receipt or installation of the software, whichever was contracted for by and between ITC Systems (ITC), an Ontario Corporation (“Licensor”) and Customer.

3.1 Recitals

Customer has acquired a non-exclusive, non-transferable licence to use certain computer software in object code form and related user documentation (“Software”). Licensor desires to offer and Customer desires to obtain certain services with respect to the Software on the terms and conditions set forth herein.

3.2 Definitions

LICENCED PROGRAM (on-prem software only). The computer software described in the Licence Agreement, including subsequent releases to the extent offered to Customer under this Agreement or the Licence Agreement.
AGREEMENT TERM. One year, (included at no charge with the initial purchase and at prevailing prices thereafter), and automatically renewing itself, commencing on the first day following the expiration of the warranty period that applies to the Licenced Program pursuant to the Licence Agreement and according to ITC prices and terms in effect at that time. The Agreement Term shall automatically renew for successive periods of one year each unless and until terminated pursuant to Section 3.7 hereof.
ERROR. Any failure of the Licenced Program to execute its programming instructions or conform in functionality to the description of the Licenced Program. However, any nonconformity resulting from Customer’s misuse or improper use of the Licenced Program or combining or merging the Licenced Program with any hardware or software not supplied by Licensor, or not authorized to be so combined or merged by Licensor, shall not be considered an Error.
ERROR CORRECTION. Either a software modification or addition that, when made or added to the Licenced Program, establishes material conformity of the Licenced Program to the description of the Licenced Program, or a procedure or routine that, when observed in the regular operation of the Licenced Program, eliminates the practical adverse effect on Customer of such nonconformity.
ENHANCEMENTS. Any modification or addition that, when made or added to the Licenced Program, materially changes its utility, efficiency, functional capability, or application, but that does not constitute solely an Error Correction.
RELEASES. New versions of the Licenced Program, which may include Error Corrections and Enhancements.
NORMAL WORKING HOURS. The hours between 8:30 A.M. and 7:00 P.M. Eastern Time, Monday through Friday, excluding regularly scheduled holidays of Licensor.

3.3 Scope of Services

During the Agreement Term, Licensor shall render the following services in a responsive and timely manner in support of the Licenced Program, during Normal Working Hours. Covered services do not include on-site visits, which may be subject to additional charges. Licensor does frequently provide services outside of Normal Working Hours at no added charge, however, this is done at the sole discretion of Licensor and subject to staff availability and severity of the problem as determined by Licensor.

Licensor shall maintain a telephone and an e-mail address that allows Customer to report problems and seek assistance in use of the Licenced Program.
Licensor shall maintain a trained staff capable of rendering the services set forth in this This will include remote-in service for troubleshooting.
Licensor shall provide an electronic method of uploading or downloading software for analyzing reported Errors, testing Error Corrections and delivering Enhancements or New Releases.
Licensor shall be responsible for using all reasonable diligence in correcting verifiable and reproducible Errors when reported to Licensor in accordance with Licensor’s standard reporting Licensor shall, within 48 hours of verifying that such Error is present, initiate work in a diligent manner toward development of an Error Correction. Following completion of the Error Correction, Licensor shall provide the Error Correction through a “temporary fix” consisting of sufficient programming and operation instructions to implement the Error Correction and Licensor shall include the Error Correction in all subsequent Releases of the Licenced Program. Licensor shall not be responsible for correcting Errors in any version of the Licenced Program other than the most recent Release.
Licencor may issue new Releases of the Licenced Program from time to time that may contain Error Corrections and/or Enhancements. Licencor shall provide Customer with one copy of each new Release, without additional charge.

3.4 Additional Fees and Charges

If the Customer requests services, which are outside the scope of this Agreement, Customer shall be charged based on the rate schedule in effect at the time the service is provided.
If the Customer requires an on site visit to Customer’s facilities, such assistance, if required to be provided at Customer’s facility, shall be subject to standard ITC charges for travel and on-site assistance.

3.5 Proprietary Rights

To the extent that Licensor may provide Customer with any Error Corrections or Enhancements or any other software, including any new software programs or components, prepared by Licensor (collectively, Licenced Programs), Customer may (1) install one set of the Licenced Programs, in the most current form provided by Licensor, in Customer’s own facility; (2) use such Licenced Programs in a manner consistent with the requirements of the Licence Agreement, for purposes of serving Customer’s internal business needs; and (3) make one copy of the Licenced Programs in machine-readable form for non-productive backup purposes only. Customer may not use, copy, or modify the Licenced Programs, or any copy, adaptation, transcription, or merged portion thereof, except as expressly authorized by Licensor. Notwithstanding Section 5 hereof, Customer’s rights under this Section 5.1 shall remain in effect for so long as Customer is authorized to use the Licenced Programs under the Licence Agreement.
The Licenced Programs are and shall remain the sole property of Licensor.

3.6 Disclaimer of Warranty and Limitation of Liability

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, LICENSOR EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES CONCERNING THE LICENCED PROGRAM OR THE SERVICES TO BE RENDERED HEREUNDER WHETHER EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Licensor’s cumulative liability for any claim arising in connection with Support Services may not exceed the lesser of the total hosted services fees and charges paid to Licensor by Customer within the last 12 months or the sum of $1000.00. Licensor shall not be liable for any indirect, consequential, special, exemplary or incidental damages of any kind and however caused.

3.7 Termination

This Agreement shall immediately terminate upon the termination of the Licence Agreement or non-payment of an invoice, which remains unpaid 60 days past invoice date, or upon written notice, or upon written notice of a material breach which has not been corrected within 30 days.
Following termination, Licensor shall immediately invoice Customer for all accrued fees and charges and all reimbursable expenses up to the date of termination, and Customer shall pay the invoiced amount net 30 days upon receipt. Customer may continue to use any work supplied to Customer by Licensor for the remaining term of the Licence Agreement.

3.8 Applicable Laws

All disputes arising out of or related to the limited warranties set forth herein (customer disputes) shall be governed by the laws of the province of Ontario or federal courts located in Ontario, without regard to principles of conflict of provinces.

ITC Systems

27 Mobile Drive,

Toronto, ON M4A 1H7

swsupport@itcsystems.com

1-877-ITC-TEAM (1-877-482-8326)

SECTION 4 – Hardware Maintenance

Hardware Maintenance Services are effective upon receipt or installation of the Hardware, whichever was contracted for by and between ITC Systems (ITC), an Ontario Corporation (“Seller”) and (“Customer”).

4.1 One-Year Limited Warranty

ITC warrants that hardware products sold by ITC will be free from defects in materials and workmanship for one (1) year from the date of shipment by ITC (“Limited Warranty”). The Limited Warranty is granted to the initial customer end-user only and is non-transferable. Any claims under this Limited Warranty must be made before the end of the applicable warranty period. During such period ITC, at its option, will: repair or replace any covered part which ITC determines to be defective in materials or workmanship; or provide a credit or refund. ITC reserves the right to substitute functionally equivalent new or serviceable used parts. ITC’s responsibility is limited to repair, replacement, credit or refund, any of which may be selected by ITC at its sole discretion. In the case that a product or component requires a warranty repair, the Customer is responsible for the shipping charges to return the product or component back to ITC. ITC will cover the cost of standard shipping to return repaired item to the Customer.

The One-Year Limited Warranty covers only defects arising under normal use. It does not include malfunctions or failures resulting from: misuse, abuse, neglect, alteration, problems with electrical power, usage not in accordance with product instructions; acts of nature or improper installation; or repairs made by anyone other than ITC, ITC-qualified third-party service providers, or Customer under the supervision and/or assistance of ITC technical support.

4.2 Return to Depot (RTD) – Option

In addition to Warranty service, the Customer may choose to purchase the RTD option. During the warranty period, with the RTD option, ITC provides advanced replacement of non-functioning hardware covered under the agreement and covers shipping charges both ways.

After the warranty period, with the RTD option, ITC provides advanced replacement of non-functioning hardware covered under the agreement, covers shipping charges both ways, and extends the warranty for the duration of the RTD contract.

Such service will be provided for a period of one (1) year from the date of invoice or for such other period(s) as provided in your agreement or invoice. The Agreement will be automatically renewed on the one-year anniversary.

4.3 Premium Return to Depot – Option

In addition to RTD service, the Customer may choose to purchase the Premium option. With this option ITC will cover the cost of overnight shipping for the initial delivery of advanced replacement equipment.

4.4 Premium On-Site Support – Option

In addition to RTD service, the Customer may choose to purchase the On-Site option. With this option ITC will cover the cost of our technicians to travel to and from the site to perform the needed maintenance or hardware swap.

4.5 Third Party Products

If Customer purchased a new system or a Maintenance Agreement, ITC provides the same depot and swap service for these products if they were purchased through ITC. They may include card readers, printers, display terminals, etc. ITC will act as the intermediary and perform the service functions as the primary service provider. Depot returns and swap service may take longer since three parties are involved. ITC will make every effort to minimize Customer inconvenience.

4.6 Return Procedures

Prior to returning product(s) to ITC for warranty service, Customer must obtain a Return Merchandise Authorization (RMA) number from ITC by contacting them as follows.

CONTACT SUPPORT:

Email: service@itcsystems.com

Voice: 1-877-ITC-TEAM (1-877-482-8326)

Replacement parts will be shipped to Customer at ITC’s expense, subject to availability, via ground delivery service after Customer obtains an RMA number. ITC shall not be responsible for failure of the delivery service to make on-time delivery. In the case the Customer has purchased Premium RTD service, replacement parts will be shipped overnight.

Customer must return the non-functioning product(s) to ITC in the original packaging with the RMA number clearly identified on the packaging. Items must be returned within 30 days otherwise the Customer will be invoiced for the products. Customer must retain the shipping information, including tracking numbers, until the items have been received by ITC. Any product(s) replaced by ITC shall become the property of ITC. If ITC determines that failure of the product(s) was not a result of a defect in materials or workmanship, ITC reserves the right to charge Customer for parts and labor at ITC then current labor rate. ITC will advise Customer prior to assessing these charges.

4.7 Technical Support Policy

Support is available for ITC hardware products, and third-party products sold by ITC, including card readers, printers, display terminals, etc. This service will be provided by ITC or through an ITC-authorized third-party provider.

4.8 Limitations

ITC makes no warranty whatsoever with respect to third party software included in any products sold by ITC, that are not part of ITC’s software, and all third-party software is sold “as is” and “with all faults.”

Except as set forth herein, ITC makes no warranties, expressed or implied, and ITC disclaims and negates all other warranties, including without limitation, implied warranties of merchantability, and fitness for a particular purpose and conformity to models or samples. Some states do not allow limitations on implied warranties, so these limitations may not apply to you.

IN NO EVENT SHALL ITC BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES. SOME STATES AND PROVINCES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO CUSTOMER.

NO VARIATION OR EXCEPTIONS IN THE TERMS STATED HEREIN CAN BE MADE WITHOUT WRITTEN AUTHORIZATION BY AN OFFICER OF ITC.

4.9 Applicable Laws

These limited warranties are incorporated into and are essential and material provisions of the terms and conditions of sale of new ITC products to Customer (sale terms). All disputes arising out of or related to the limited warranties set forth herein (customer disputes) shall be governed by the laws of the province of Ontario or federal courts located in Ontario, without regard to principles of conflict of provinces.

ITC Systems

27 Mobile Drive,

Toronto, ON M4A 1H7

sales@itcsystems.com

SECTION 5 – Software Support Service Detail

When a customer has a Support Services the following services are covered:

Details of Support	SOFTWARE SUPPORT
Details of Support	Database/ Back Office Applications	Equipment Terminal Applications	WEB Applications
Unlimited Phone Support	✓	✓	✓
Installation of Patches and Bug Fixes	✓	✓	✓
Minor Software Updates (Labour not included)	✓	✓	✓
Software Upgrade Planning and Scheduling	✓	✓	✓
Web Based Remote Support	✓	✓	✓
E-mail Support	✓	✓	✓
Access to Customer Portal	✓	✓	✓
Ready Reference Guides	✓	✓	✓
Installation Manuals	✓	✓	✓

Tasks and services not covered under Support Services:

Database Management due to an error caused by the end user or as requested.
(Documentation available)
- - - Back-up
    - Scheduling a system back-up
    - Restore
    - Import
    - Export
    - Changes
Installing or Re-installing a Database
- - - Moving/transferring
    - Re-installing to a new PC / Server / Terminal due to hardware failure or limitations
Re-installation of ITC Systems software due to customer error/misuse or hardware failure.
Creating SQL scripts to automate a task due to the fact that the software does not provide such a feature.
Installation and support of type of operating systems software – Windows updates, SQL Express, etc,.
Support of any hardware products that are used to run or access the ITC Systems applications by end users or of any peripheral hardware products not purchased from ITC Systems.
Support for any client network installations including software and hardware products.
Support for any client applications that interface to the ITC Systems products.
Support for any Internet services provided by the Client’s Internet Service Provider.
Support for any client dependant manual processes to manage document distribution.

ITC Systems may at its own discretion, and in concurrence with the Client, assist in troubleshooting and resolving any of the excluded services. The Client agrees to pay to ITC Systems all incurred costs for these services in accordance with the rates set forth in ITC Systems published rates and set out in an applicable SOW.

SECTION 6 – Software Support Services Process

Support Services provided by ITC Systems shall include support through its Support Department for the Software identified in the support contract. The support staff will provide diagnosis of problems or performance deficiencies of the Software including:

Timely resolution of the problem or performance deficiencies of the Software and/or escalations in accordance to set procedures;
Use commercially reasonable efforts to cure, as described in the support Services and Service Levels, and report any reproducible errors in the Software. Commercially reasonable is not intended to compromise the service levels agreed to in this

6.1 Recognized Statutory and Civic Holidays

Date	Month	CANADA	USA
New Years Day	January	✓	✓
Presidents Day	February		✓
Family Day	February	✓
Good Friday	April	✓	✓
Victoria Day	May	✓
Memorial Day	May		✓
Canada Day	July	✓
Independence Day	July		✓
Civic Holiday	August	✓
Labour Day	September	✓	✓
Canadian Thanksgiving	October	✓
American Thanksgiving	November (2 days)		✓
Christmas	December	✓	✓
Boxing Day	December	✓

6.2 Requesting Support

ITC Systems offers 24/7 support throughout North America. In addition to Standard Support, Premium Software Support may be purchased which automatically escalates your support request, 7 days per week, including holidays, to cover issues with a severity of Critical.

Software support services can be accessed in the following ways:

Toll Free: 1-844-606-6341

E-Mail: swsupport@itcsystems.com

Web Chat forum online via ITC Systems web site at: www.itcsystems.com

Support Tickets can also be created by visiting the ITC Systems Ticketing portal (https://osticket.itcsystems.com/). Once the ticket has been created, it will follow the standard troubleshooting process.

6.3 Services and Service Levels

ITC Systems provides a guaranteed uptime of 99.99% for its cloud-hosted software. In the event that uptime is less than 99.99% in any given month, the parties agree to work together to set out a service credit addendum to this Agreement. The Support Technician will make every effort to resolve issues at the time of the service call. This will be the initial method of resolving before assigning a severity level. Support staff will log and assign severity of all requests not resolved at the time of call, based on specific definitions. Requests will be handled based on severity assigned to them.

The following table describes the severity levels assigned to requests for problem resolution with associated response and completion time commitments and targets.

Severity	Definition	Target Response Time	Estimated Completion Time
Critical	The impact of the reported deficiency is such that the customer is unable to either use the Software or reasonably continue to work using the Software.	Within 1 business hour	Within 4 business hours
High	Important features of the Software are not working properly and there are no acceptable, alternative solutions. While other areas of the system are not impacted, the reported deficiency has created a significant, negative impact on the Client’s productivity or service level.	Within 2 business hours	Within 1 business day
Medium	Important features of the Software are unavailable, but an alternative solution is available or non- essential features of the Software are unavailable with no alternative solution. The Client impact, regardless of product usage, is minimal loss of operational functionality or implementation resources.	Within 1 business day	Within 5 business days
Low	Customer submits a Software information request, Software enhancement or documentation clarification which has no operational impact. The implementation or use of the Software by the Client is continuing and there is no negative impact on productivity.	Within 3 business days	Within next scheduled product upgrade release

If any reported problem cannot be reproduced within the ITC Systems test environment, ITC Systems may request to gain remote access to the Client’s system in order to troubleshoot the problem. The Client shall cooperate with ITC System’s support staff in providing such access in order to accelerate problem resolution.

If it is determined that the problem was not related to the Software, the Client agrees to pay to ITC Systems all incurred costs in accordance with ITC Systems published support rates.

Problem Escalation Management

ITC Systems uses a set of core procedures for the escalation of all support tickets. It is our mandate to escalate issues as circumstances dictate. The rate at which Support will escalate through the below schedule will depend on the Severity level of the reported issue.

Escalation may also begin if it perceived, by support, that the End-User’s expectations were not satisfactorily met.

6.4 Escalation Management Schedule

Escalation Level	Escalated by:	Escalated to:
1	End-User	Level 1 Technician
2	Level 1 Technician	Level 2 Technician
3	Level 2 Technician	Senior Analyst
4	Senior Analyst	Support Manager
5	Support Manager	Senior Manager

6.5 Maintenance

During the term of the Contract and providing Customer is a current subscriber to support and maintenance and has paid the support and maintenance fees due as per this Agreement, the ITC Systems will provide Customer access to copyrighted patches, updates, releases and new versions of its Software generally available to all customers with other generally available technical material. All patches, updates, releases and new versions shall be subject to the terms and conditions of the contract.

SECTION 7 – Data Breach Policy

7.1 Purpose

ITC Systems Inc. the Data Processor or (‘ITC’), collects, holds, and processes Customer Data, a valuable asset that needs to be suitably protected.

Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.

Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non- compliance, and/or financial costs.

The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

ITC’s intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how ITC’s established culture of openness, trust and integrity should respond to such activity. ITC Information Security is committed to protecting customers, employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

7.1.1 Background

This policy mandates that any individual who suspects that a theft, breach or exposure of Protected data or Sensitive data has occurred must immediately provide a description of what occurred via e-mail to databreach@itcsystems.com, or by calling +1 877 482-8326 x435. This e-mail address, and phone number are monitored by the ITC’s Information Security Response. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

7.2 Scope

ITC is obliged under Data Protection legislation to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility for the duration of the contract between the ITC and Institution.

This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across our customers.

This policy relates to all personal and special categories of data held by ITC regardless of format.

This policy applies to all employees of ITC. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of the Institution.

The objective of this policy is to contain any breach, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.

7.3 Policy Confirmed theft, data breach or exposure of ITC Protected data or ITC Sensitive data

As soon as a theft, data breach or exposure containing Protected data or Sensitive data is identified, the process of removing all access to that resource will begin.

The Information Security Administrator will chair an incident response team to handle the breach or exposure.

The team will include members from:

- - IT Infrastructure
  - IT Applications
  - Communications
  - Help Desk
  - Human Resources

The Information Security Administrator will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

Work with Forensic Investigators

As provided by ITC’s cyber insurance, the insurer will need to provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.

Develop a communication plan.

Work with ITC’s communications department to decide how to communicate the breach to a) Institutional customers, b) the public, and c) those directly affected.

Ownership and Responsibilities

Roles & Responsibilities:

- - Information Security Administrator is that member of the ITC community, designated by the President or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors;
  - Users include virtually all members of the ITC community to the extent they have authorized access to information resources;
  - The Incident Response Team shall be chaired by Executive Management and shall include, but will not be limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security; Communications;

7.4 Enforcement

Any ITC personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.

7.5 Definitions

Protected Health Information (PHI) – Any information about health status, provision of health care, or payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual.

Personally Identifiable Information (PII) – Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de- anonymizing anonymous data can be considered

Protected data – See PII and PHI

Sensitive data – Data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.

SECTION 8 – Cookie Statement

This Cookie Statement describes how we use cookies and how you can control them. Please read our Privacy Statement for more information on how we use your personal information.

What are cookies & how do they work?

Cookies are small text files placed on your device to make sure our websites work efficiently and seamlessly and to perform certain functions. They are unique to your account or your browser. The website sends information to the browser, which then creates a text file. Every time you go back to the same website, the browser retrieves and sends this file to the website’s server. Cookies cannot access, read, or modify any other data on your computer.

Learn more about cookies at http://www.allaboutcookies.org/.

How We Use Cookies

We use cookies and similar technologies on our websites, as almost all websites do. We also use cookies when you access some of our products and services. Cookies allow us, among other things, to store your preferences and settings, authenticate and log you in, provide you with a personalized experience, keep our websites secure, and analyze how our websites and online services are performing.

The following table provides information on the types of cookies we use for our websites and products and services.

Type of Cookies	Description
Sign-in and authentication	These cookies help us authenticate you, keep you signed in, and personalize the service.
Preferences and settings	These cookies help us remember your settings and preferences and deliver a personalized experience even if you are not logged in. For example, we can store which language you prefer.
Security	Security cookies support our security features and help us detect malicious activities.
Analytics	We do not perform analytics on your usage or information. We do provide an analytics module for your institution to glean data on system usage.
Social Sharing	None.
Marketing and advertising	None Note: We do not engage in behavioral or interest-based advertising to students through the products or services we provide.

How to Control Cookies & Opt-Out

You have a variety of tools to control and opt out of cookies and similar technologies. For example, you can use browser controls to block and delete cookies. You can also use controls made available by some third-party analytics service providers to opt out of data collection through web beacons and similar technologies. In some browsers you can set your cookie preferences for each site, which means you can disable cookies in general but allow them for websites that you trust. Please remember that many of our services may not function properly if you disable cookies for our websites or services.

Learn more about the cookie settings for the most popular browsers:

- - Google Chrome
  - Internet Explorer
  - Mozilla Firefox
  - Safari

For other browsers, visit the provider’s website. You should find this information by searching for “[browser name] cookie settings.”

Blocking or deleting cookies does not delete Local Storage Objects (LSOs) such as Flash objects or HTML5. To manage Flash cookie settings and preferences, you must use the settings manager on Adobe’s website. If you choose to delete Flash objects from our Service, then you may not be able to access and use all or part of the Service or benefit from the information and services offered.

SECTION 9 – Secure Handling of Customer Data

The Customer requires the Vendor to review, accept, and integrate the following requirements as part of this Agreement that involves the storage, transmission, processing, or collection of Customer Data, or access to Customer Data, by the Vendor. This section is intended to ensure that Customer’s security and compliance requirements are outlined and followed by the Vendor.

9.1 Security Controls

Network Security: The Vendor agrees at all times to maintain network security that – at a minimum – includes: network firewall provisioning, intrusion detection, and third-party penetration Furthermore, the Vendor agrees to maintain network security that conforms to the current standards set forth and maintained by the National Institute of Standards and Technology or other generally recognized comparable standard (e.g., ISO/IEC 27001, ISA 62443, COBIT 5, CCS CSC, SANS, PCI- DSS, etc.)
Risk Assessments: Both the Vendor and the Customer agree to conduct a formal penetration test at least once a year of ITC Systems’ netZcore Avro solution (Azure side and Customer side). Such test will be coordinated with the Vendor and the Customer, to be done as solution test. A penetration test is here defined as “the process of using approved, qualified personnel to conduct real-world attacks against a system so as to identify and correct security weaknesses before they are discovered and exploited by others.”
Security Auditing: The Vendor agrees to have an independent, industry-recognized third party security audit that conforms to the current standards set forth and maintained by the National Institute of Standards and Technology or other generally recognized comparable standard (e.g., ISO/IEC 27001, ISA 62443, COBIT 5, CCS CSC, SANS, PCI-DSS, etc.) performed at least once a year. The audit results and ITC’s plan for addressing or resolving of the audit results shall be shared with the Institution within 90 days of ITC’s receipt of the audit results.
Business Continuity Plan: The Vendor agrees to work with the Customer to develop detailed recovery procedures and manual workarounds in the event of a disaster. The plans should include emergency and contingency plans for the facilities in which Vendor information systems that process Customer Data are located. The Vendor’s redundant storage and its procedures for recovering data shall serve to reconstruct Customer Data in its original or last-replicated state from before the time it was lost or destroyed.
Cybersecurity Insurance: The Vendor agrees to maintain, at all times during the term of this Agreement, a comprehensive program of risk mitigation and cyber liability insurance. The Customer shall have the right to request copies of such certificates of insurance and/or other evidence of the adequacy of the above insurance coverage from the Vendor. The Vendor will provide 30 days notice in the case that the Cybersecurity Insurance is to be cancelled.
Testing and Remediation: The Vendor agrees to conduct a third-party assessment and penetration testing of the Customer’s environment on an annual basis. The Vendor agrees to remediate any critical findings within 90 days of becoming aware of such findings, and to share with the Customer what remediations were implemented.

9.2 Data Protection

Data Security: The Vendor shall develop, implement, maintain and use appropriate administrative, technical and physical security measures based on the latest industry security standards and best practices and in accordance with all applicable law, to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted Customer Data received from, or on behalf of Institution or its students.
Data Encryption: The Vendor agrees to encrypt all Customer Data, either in transit or at rest. This includes any backup data as part of its backup and recovery processes. The Vendor agrees that any and all transmission or exchange of data with Customer and/or any other parties expressly designated by Customer – solely in accordance with Section 9.3.4 below – and/or any other transaction the Vendor engages in that involves Customer Data – shall take place via secure means, e.g. TLS protocol via HTTPS or SFTPS.
Data Storage: The Vendor has a policy that includes the following:
- - - Any and all Customer Data will be stored, processed, and maintained solely on designated target servers within Canada unless agreed to in writing by the Customer.
    - No Customer Data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, except as stated explicitly with a valid business reason in the agreement between the Customer and the Vendor, or as an exception made on a case- by-case basis as specifically agreed to in writing, in advance, by an authorized agent of the Customer.
    - ITC agrees that any portable or laptop computing devices as part of such agreed-upon exception will employ full-disk encryption as agreed in 2.2 above.
Data Separation: The Vendor agrees that Customer Data will be separated, either through physical or logical means, from other tenants in the Vendor’s infrastructure.
Audit Trail: The Vendor must log access and use of systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.

In addition to any other rights of inspection and audit that Customer may have, Customer or a person appointed by Customer, may, at any reasonable time during regular business hours and on reasonable prior notice to Vendor, conduct an inspection and/or audit for the purpose of verifying Vendor’s compliance with this Agreement and which may include an inspection Vendor’s security systems, a review of its policies and practices that impact Personal Information and interviews with Vendor personnel, and Vendor shall permit and provide reasonable assistance with any such inspection or audit.

Vendor shall log and within twenty-four (24) hours of a request by Customer, or such longer period as agreed to by the parties, provide Customer with a record of Vendor’s access to Personal Information, including access by Vendor employees and agents and through equipment controlled by Vendor, including the date and duration of the access and the identity of the person who accessed the Personal Information.

9.3 Data Stewardship

Data Ownership: The Vendor acknowledges that all Customer Data shared with the Vendor, or made accessible to the Vendor’s systems or personnel, remains the sole property of the Customer as defined by existing Customer regulation and/or Customer policy. Sole property ownership by Customer shall mean that Customer retains at all times all physical as well as the sole intellectual property ownership of the Customer Data.
Data Use: ITC agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the agreement between the Customer and the Vendor. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of ITC.
Data Location: The Vendor agrees that no Customer Data will be outsourced or housed outside Canada without prior Customer authorization.
Data Redistribution: The Vendor agrees that no Customer Data of any kind shall be transmitted, exchanged or otherwise passed to other companies, subcontractors, or other interested third parties except on a case- by-case basis as specifically agreed to in writing in advance by an authorized agent of The Vendor agrees that all such Customer pre-approved companies, subcontractors, or other interested third parties used by the Vendor will be contractually held to standards no less rigorous than those outlined in this Agreement.
Legal Requests: If required by law or a court of competent jurisdiction or an administrative body to disclose Customer Data, the Vendor will notify the Customer in writing within two (2) business days of the legal request in order to give the Customer an opportunity to oppose any such disclosure.
End of Agreement Data Handling: The Vendor agrees that within 60 days of the termination of the agreement between the Customer and the Vendor, or the termination of the pertinent records retention period, whichever is later (hereafter referred to as “data retention period”), the Customer can reclaim any needed Customer Data in a mutually agreed upon format. At the end of the data retention period, the Vendor will erase, destroy, and render unreadable all Customer Data (including both production and backup data) according to the standards enumerated in DOD 5220.22 or NIST 800-88 and certify in writing that these actions have been completed.
Data Breach: In the event of a breach of any of the Vendor’s security obligations, unauthorized access to, disclosure, or loss of Customer Data or other event requiring notification under applicable law (“Notification Event”), ITC agrees to:
- - - Notify the Customer within twenty-four (24) hours of the discovery of the breach by providing notice via email to Customer’s Security Incident Response Team (email address to be supplied by CUSTOMER)
    - Cooperate and provide Customer with sufficient Notification Event details to allow Customer to comply with notification requirements under applicable privacy laws.
    - Assume responsibility for investigating and remedying Notification Events.
    - Indemnify, hold harmless and defend the Customer, the Customer’s officers, agents and employees from and against any claims, damages, or other harm related to such Notification Event, up to the limit of Cyber Liability Insurance held by the Vendor.

9.4 Compliance

Data Classification Addendum: The Vendor agrees to abide by all legal and regulatory compliance requirements that apply due to the nature of the Customer Data being shared (FIPPA, PHIPA, PIPEDA, CASL, PCI, GDPR, etc,.)
PCI Compliance: In cases where the Vendor is identified as a PCI third party service provider (TPSP), the Customer requires that the Vendor at all times shall maintain compliance with the most current Payment Card Industry Data Security Standard (PCI DSS). The Vendor may also agree to the Customer’s PCI Addendum.
GDPR Compliance: If the transfer of personal data to the Vendor is required and is subject to the GDPR, the Vendor is required to abide by the Customer’s Data Protection Addendum, as well as the GDPR requirements applicable to the Vendor.