Box, Inc. 2019-05-14
DocuSign Envelope ID: 700CAC01-F2ED-4AA5-682B-F9A904EB9A44
box
COU No. a -L(
Box, Inc.
900 Jefferson Ave
Redwood City, CA 94063
Executed Order must be received by:
April 30, 2019
Service Order
This Box Service Order ("Order") is entered into by and between Box, Inc. ("Box") and City of Ukiah ("Customer") as of the Service Start
Date and is governed by the Box Service Agreement ("Agreement") as per the link below, or as attached to this Order.
Order Details
City of Ukiah
300 Seminary Ave
Ukiah
California
95482
United States
Billing Terms
Service Start Date¹: May 14, 2019
Service Renewal Date: May 14, 2020
Payment Frequency: Annual
Payment Method: Check
Payment Terms: Net 30
Quote Number: Q-00042887
Bill To²:
Name: Mary Horger
Email: mhorger@cityofukiah.com
Phone: (707) 463-6233
Sold To:
Name: Mary Horger
Email: mhorger@cityofukiah.com
Phone: (707) 463-6233
Products
Product Name: Business Plus Account Licenses
Price Type: Recurring
Unit Price: $300.00
Quantity: 36.00
Amount Per Payment Frequency: $10,800.00
Total Price: $10800.00
Total One Time Charges: $ 0.00 USD
Total Recurring Amount Per Payment Frequency: $ 10,800.00 USD
Total Order Amount: $ 10800.00 USD
Additional Terms
Signature
IN WITNESS WHEREOF, Customer has authorized this Order as of the Date of signature below.
Customer
City of Ukiah
Signature:
Name (Print):
Title:
Date:
Agreement can be found at the following link or attached:
https://legal.box.com/v/BSAv05242018US
¹ If this order is executed by Customer or received by Box after the Service Start Date above, Box may adjust the Service Start Date based on the date Box
provisions the products listed.
² Please note: All future invoices and billing inquiries will be emailed to this contact.
Unless otherwise set forth in this Order, during the Subscription Period Box will periodically assess Customer's usage of the products purchased herein. In the
event that Customer's use of the products is in excess of the amount purchased herein, Box reserves the right to issue an order for the number of additional
products utilized by the Customer to be purchased by Customer on a prospective basis. Customer will either agree to said purchase or cease use of the additional
products.
Unless Premier Support is purchased under this order, SLC credits are not provided. Prices shown above do not include any taxes that may apply. Any such taxes
are the responsibility of the Customer. This is an Order not an invoice. Notwithstanding anything to the contrary in the underlying agreement between the parties,
any terms and conditions in any purchase order or similar documents issued by Customer shall be null and void.
BOX SERVICE AGREEMENT
COU No. C6) A.11
(v05242018US)
This Box Service Agreement is entered into by and between Box, Inc. ("Box") and the customer identified in the
corresponding Order referencing this Agreement ("Customer"). Box and Customer are sometimes referred to herein
individually as a "Party" and together as the "Parties."
This Agreement is effective and Customer agrees to be bound by its terms upon execution by Customer of the initial
Order for the Box Service ("Agreement Effective Date").
For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree
as follows:
Section 1. Definitions
Capitalized terms not otherwise defined elsewhere in this Agreement shall have the following meaning:
"Account(s)" means the number of User account(s) specified in the applicable Order and created by a User for itself
or on behalf of Customer (including accounts created by or for its Administrators, Managed Users, or External Users)
within the Box Service.
"Administrator(s)" means a person designated by Customer to have an Account with the authority to utilize the
Administrative Console(s) to create and manage Accounts associated with Customer.
"Administrative Console" means the functionality within the Box Service that allows Customer to manage User
access, security and other administrative functionality for Accounts and where Customer shall receive updates or
notifications for their Accounts and the Box Service.
"Agreement" means this Box Service Agreement together with all Orders and Exhibits which are entered into
between Box and Customer.
"API" means the application-programming interface used by Customer to access certain functionality as provided by
Box.
"Box Reseller" means an entity that has entered into an agreement with Box that, among other things, authorizes
the entity to resell the Box Service and, if applicable, provide certain services.
"Box Service" means the cloud-based content collaboration software-as-a-service application provided by Box
(including any Box Software) and subscribed to under an Order.
"Box Software" means optional software provided by Box for installation on a User's device or accessed by Users
from the Customer's or User's software, hardware or other device(s) and that allows a User to use certain
functionality in connection with features of the Box Service.
"Content" means the electronic documents uploaded by Users into Customer's Box Service account.
"Customer Domain" means any and all Internet domains registered, owned or controlled by Customer and which is
associated with an email address used by one or more Users to register an Account.
"External User(s)" means a person who is permitted to access, store, retrieve or manage Content with a Managed
User, and whose account was registered using an email address that is not associated with a Customer Domain.
"Malware" means viruses, worms, time bombs, Trojan horses and other malicious code, files, scripts, agents or
programs.
"Managed User(s)" means a person who is permitted to access, store, retrieve or manage Content, and is associated
with a Customer Domain.
"Order" means the separate executed document(s) under which Customer subscribes to the Box Service, products or
services pursuant to this Agreement and has been agreed to in writing by the Parties or as agreed to between
Customer and Box Reseller.
Box Confidential
"Service Level Commitments" means the service level commitments set forth in Exhibit A.
"Subscription Period" means the duration of Customer's subscription to the Box Service commencing on the service
start date of the Order and continuing for the period up to the service renewal date or end date as specified in the
applicable Order.
"Support Services" has the meaning set forth in Exhibit A.
"Term" has the meaning set forth in Section 11.1.
"User(s)" means, collectively, any Administrator, Managed User or External User.
"User Guide" means Box's then current published documentation specifying the functionality of the Box Service that
is made generally available by Box to its customers or its users.
Section 2. Access and Use of the Box Service
2.1 Access Grants.
2.1(A) Box Service Subscriptions. Subject to the terms and conditions of this Agreement Box shall: (a) make the Box
Service available to Customer during the applicable Subscription Period; (b) allow Administrator(s) to access and use
the Administrative Console to create and administer Accounts registered to Customer; and (c) allow Users to store,
retrieve, collaborate and share Content through the Box Service in accordance with the subscription plan and quantity
of Users purchased under the applicable Order. Customer is required to purchase an Account for each User in
accordance with the applicable Box Service plan purchased.
2.1(B) API Access. Subject to the terms and conditions of this Agreement, Customer shall have a non-exclusive right
during the applicable Subscription Period to incorporate the API into any application used by or on behalf of Customer
for the sole purpose of accessing the Box Service or accessing certain functionality of the Box Service, provided that
such access is limited to the amount of API calls purchased by Customer in the applicable Order.
2.2 Acceptable Use of the Box Service. Customer's use of the Box Service shall conform with the allocations and
amounts and the features and functionality of the Box Service plan subscribed to in the applicable Order (and as set
forth in the product feature matrix). Customer agrees that it shall not transfer, rent, resell, charge or otherwise
commercialize any use of the Box Service. Customer agrees that it is solely responsible for Users and Content.
Customer agrees not to use or permit the use of the Box Service: (a) to communicate any message or material that is
defamatory, harassing, libelous, threatening, or obscene; (b) in a way that violates or infringes upon the intellectual
property rights or the privacy or publicity rights of any person or entity; (c) in any manner that may be unlawful or
give rise to civil or criminal liability; (d) in any manner that is likely to damage, disable, overburden (exceeding the fair
use policy), impair the Box Service or interfere in any way with the use or enjoyment of the Box Service by others; (e)
to introduce any Malware or other malicious activity in User Account(s); or (f) in violation of any applicable export
law or regulation.
2.3 Suspension of User Access to Service. Box may suspend a User's Account or remove or disable any Content
which Box reasonably and in good faith believes is in violation of this Agreement or any applicable laws or regulations.
For the avoidance of doubt, Box's right to suspend a User's Account or remove or disable Content is on a User-basis
and does not extend to Customer's entire User base. Box agrees to provide Customer with reasonable notice of any
such suspension or disablement before its implementation unless immediate suspension or disablement is necessary
to comply with legal process, regulation, order or prevent imminent harm to the Box Service or any third party, in
which case Box will notify Customer to the extent allowed by applicable law of such suspension or disablement, as
soon as reasonably practicable thereafter.
Section 3. Non-Box Applications and Services. Box may make available to Customer or Users optional third-party
applications, services or products, which are licensed by their provider to Customer or Users, for use in
connection with the Box Service ("Third-party Products"). Customer acknowledges that if Customer chooses to
utilize Third-party Products, Box will give effect to Customer's instruction as needed and as it relates to Customer use
of such Third-party Products. Customer's use of any Third-party Products and any exchange of any information
between Customer and third-party provider is solely between Customer and the applicable third-party provider. Box
makes no warranties of any kind and assumes no liability whatsoever for Customer's or User's use of such Third-party
Products.
Section 4. Content Security; Data Privacy
4.1 Security. During the Term of this Agreement, Box will implement and maintain commercially reasonable
administrative, physical and technical safeguards and measures to protect against unauthorized access to Content.
Such security program will conform to the Box Security Exhibit attached hereto as Exhibit B, and is further described
in Box's most recent Service Organization Control 1 (SOC1) and Service Organization Control 2 (SOC2) Type II audit
reports (or substantially similar industry-standard reports) (collectively referred to as "Audit Reports"). Box will
maintain the Audit Reports during the Term and will provide a copy to Customer once per year upon Customer's
written request. During the Term, Box will not materially diminish the protections provided by the controls set forth
in Exhibit B and the then-current Audit Reports.
4.2 Content Storage Location. The Box Service is provided from the United States and Content is stored in the
United States. Notwithstanding the foregoing, Customer understands that nothing herein prohibits: (a) Users from
accessing the Box Service, including Content, outside of the United States (subject to applicable law); and (b)
processing information outside of the United States by Box. Box has certain products and features that enable storage
or processing of Content outside of the United States and those products or features shall be subject to separate
terms and conditions as may be agreed to between the Parties.
4.3 Data Protection and Onward Transfer of Data. In the course of providing the Box Service, Box may Process
(as defined below) personal data that is in Content ("Customer Personal Data") on behalf of Customer and, in such
event, Customer instructs Box to Process Customer Personal Data: (a) to provide the Box Service (in accordance with
the features and functionality of the Box Service); (b) to enable User initiated actions on the Box Service; (c) as set
forth in the Agreement or applicable Order; and (d) as further documented by a mutually agreed upon written
instruction given by Customer and accepted by Box. The Parties agree to comply with the applicable Data Protection
Legislation (as defined below) for onward transfer of personal data. Box will maintain, during the Subscription Period,
a legally recognized method for onward transfer of Customer Personal Data such as Binding Corporate Rules for
Processors, or other substantially similar mechanism as may be required by applicable law. "Process" means any
operation or set of operations performed upon the Customer Personal Data, whether or not by automatic means,
including collection, recording, organization, use, transfer, disclosure, storage, manipulation, combination and
deletion of Customer Personal Data. "Personal Data" means any information relating to an identified or identifiable
individual. "Data Protection Legislation" means the laws and regulations of the European Union, the European
Economic Area and/or their member states, Switzerland and/or United Kingdom applicable to the Processing of
Customer Personal Data under this Agreement, including the General Data Protection Regulation 2016/679.
Section 5. Customer Responsibilities
5.1 Establishment of Accounts. Customer will promptly appoint an Administrator for the Administrative Console
and such Administrator shall be responsible for: (a) configuring the settings of the Box Service; (b) managing any
Customer devices and systems; (c) assigning and managing of User Accounts; and (d) enforcing and managing User
access controls and permissions in accordance with Customer's own policies and applicable law and regulations.
Customer will ensure that Managed Users do not share their password with any other person or permit any other
person to log on as such Managed User.
5.2 Content. Customer will: (a) be solely responsible for the nature, quality and accuracy of the Content;
(b) ensure that the Content complies with the terms of this Agreement and all applicable laws and regulations;
(c) promptly handle and resolve any notices and claims relating to the Content (e.g. take-down notices pursuant to
the Digital Millennium Copyright Act); and (d) ensure that it has the rights to the Content in order to grant Box the
rights contemplated by this Agreement. Notwithstanding anything to the contrary, Box has no liability to Customer
or any third party for any reason as a result of: (i) any unauthorized disclosure or access to a User's Account or Content
as a result of Customer's or a User's misuse of the Box Service or loss or theft of any User password or username,
except to the extent resulting from Box's negligence or willful misconduct; (ii) any deletion, destruction, damage or
loss of Content caused by or at the direction of Customer or a User; or (iii) any failure of Customer to maintain
adequate security or virus controls in any devices used to access the Box Service.
5.3 Notification of Unauthorized Use. Customer will promptly notify Box in writing of any unauthorized use of
any Account, Content or the Box Service that comes to Customer's attention. In the event of any such unauthorized
use by a third party that obtains access to the Box Service directly or indirectly through Customer or any User,
Customer will take all steps within Customer's control as reasonably necessary to terminate such unauthorized use
and will provide Box with such cooperation and assistance related to any such unauthorized use as Box may
reasonably request.
Section 6. Support and Service Level Commitments. Exhibit A to this Agreement sets forth the Support
Services and the Service Level Commitments for the Box Service during the Subscription Period.
Section 7. Warranty and Disclaimer
7.1 Box Service Warranty. Box warrants that during the Subscription Period, the Box Service will perform
substantially in accordance with the functions specified in the User Guide when used in a manner that conforms to
the terms and conditions of this Agreement and the User Guide. Subject to the notice and cure provisions of Section
11.3 (Termination for Cause), Customer's sole and exclusive remedy and Box's entire liability for a breach of this
warranty shall be for Box to use commercially reasonable efforts to modify the Box Service to substantially achieve in
all respects the functionality described in the User Guide. If Box is unable to restore such functionality, Customer shall
be entitled to terminate the applicable Order and receive a pro-rated refund of the fees pre-paid by Customer for the
corresponding unused portion of the Subscription Period. The warranties set forth herein are made to and for the
benefit of Customer only.
7.2 Mutual Warranties. Each Party represents and warrants to the other that: (a) this Agreement has been duly
authorized, executed and delivered and constitutes a valid and binding agreement enforceable against such Party in
accordance with its terms; (b) no authorization or approval from any third party is required in connection with such
Party's execution, delivery or performance of this Agreement; and (c) the execution, delivery and performance of this
Agreement does not violate the terms or conditions of any other agreement to which it is a party or by which it is
otherwise bound.
7.3 Disclaimer of Warranties. EXCEPT AS PROVIDED IN THIS SECTION 7 AND SECTION 9.3 (CONSULTING SERVICES
WARRANTY), AND TO THE EXTENT NOT PROHIBITED BY APPLICABLE LAW, NEITHER PARTY MAKES ANY (AND EACH
PARTY SPECIFICALLY DISCLAIMS ALL) REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER
EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION: (A) THAT THE BOX SERVICE WILL
BE UNINTERRUPTED, ERROR-FREE OR FREE OF HARMFUL COMPONENTS; (B) THAT THE CONTENT WILL BE SECURE OR
NOT OTHERWISE LOST OR DAMAGED; (C) OF: (I) SATISFACTORY QUALITY; (II) FITNESS FOR A PARTICULAR PURPOSE;
OR (III) NON-INFRINGEMENT; AND (D) ARISING OUT OF ANY COURSE OF PERFORMANCE, COURSE OF DEALING OR
USAGE OF TRADE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES. IN SUCH AN
EVENT, THE ABOVE EXCLUSION WILL NOT APPLY SOLELY TO THE EXTENT PROHIBITED BY LAW.
Section 8. Proprietary Rights
8.1 Content Ownership by Customer. As between Customer and Box, Customer or its licensors own all right, title
and interest in and to the Content. Customer hereby grants Box the right to transmit, process, use and disclose the
Content solely to provide the Box Service to Customer or any User or to comply with applicable law.
8.2 Ownership of Box Service by Box. As between Box and Customer, Box or its licensors own and reserve all
right, title and interest in and to, including any improvements or derivatives, the Box Service, the Box marks and other
items used to provide the Box Service, other than the access rights expressly granted to Customer in Section 2.1
(Access Grant). No title to or ownership of any proprietary rights related to the Box Service is transferred to Customer
or any User pursuant to this Agreement. All rights not expressly granted to Customer are reserved by Box. Box
reserves the right, in its reasonable discretion and with notice to Customer, to change or require Customer to change
its Box Service user ID and any custom or vanity URLs, custom links, or vanity domains Customer may obtain through
the Box Service. In the event that Customer makes suggestions regarding any features, functionality or performance
that Box adopts for any of its products including the Box Service (expressly excluding Customer Confidential
Information), such features, functionality and performance shall be deemed to be automatically assigned under this
Agreement to Box, and shall become the sole and exclusive property of Box.
Section 9. Training or Consulting Services
9.1 General Terms. Customer may wish to receive certain services of a professional, educational, operational or
technical nature (collectively, "Consulting Services"), as further described in a mutually agreed upon Statement of
Work ("SOW") or as otherwise outlined in the applicable Order. Each SOW will include, at a minimum: (a) a
description of the Consulting Services and any Box Materials (as defined below) to be provided to Customer; and (b)
the scope of the Consulting Services.
9.2 Box Materials. Box shall own all rights, title and interest in and to the documentation, templates, training
materials, recordings and other items (collectively the "Box Materials") Box may provide to Customer as part of the
Consulting Services (including any intellectual property rights therein, but excluding any Customer Confidential
Information and Customer logos and trademarks that may be included in the Box Materials, collectively, "Customer
Property"). Box shall have the right to use any such Customer Property solely for the purpose of providing the
Consulting Services to Customer as set forth in this SOW. During the Term of the Agreement, Box hereby provides
Customer with a royalty free, limited, non-exclusive, non-sublicensable, non-transferable and terminable license to
use such Box Materials solely for Customer's internal operations in connection with its authorized use of the Box
Service. For the avoidance of doubt, Box shall own all intellectual property rights in the proprietary tools, libraries,
know-how, techniques and expertise used by Box to develop the Box Materials. Nothing herein shall be construed to
assign or transfer any intellectual property rights in the proprietary tools, libraries, know-how, techniques and
expertise ("Box Tools") used by Box to develop the Box Materials, and to the extent such Box Tools are delivered with
or as part of the Box Materials, they are licensed, not assigned, to Customer, on the same terms as the Box Materials.
9.3 Consulting Services Warranty. In regard to Consulting Services only, Box warrants that: (a) it and each of its
employees, consultants and subcontractors, if any, that it uses to provide and perform Consulting Services hereunder
has the necessary knowledge, skills, experience, qualifications, and resources to provide and perform the Consulting
Services; and (b) the Consulting Services will be performed for and delivered to Customer in a professional and
workmanlike manner. If through no fault or delay of Customer the Consulting Services do not conform to the
foregoing warranty, and Customer notifies Box within seven (7) days of Box's delivery of the Consulting Services, Box
will re-perform the non-conforming portions of the Consulting Services at no cost to Customer.
Section 10. Fees and Payment
10.1 Fees. Customer agrees to pay all fees set forth on all Orders. Any additional Order(s) for User subscriptions
or products will be co-terminous with the existing Subscription Period. Unless otherwise specified in an Order, all
fees and other amounts are payable in United States Dollars.
10.2 Non-refundable and No Cancellation. Except as specifically set forth in this Agreement, all payment
obligations under all Orders are non-cancelable and all payments made are non-refundable.
10.3 Invoicing and Payment Terms. Unless otherwise specified in the applicable Order, Customer will pay all fees
within thirty (30) days of the date the applicable invoice is issued by Box. In the event Customer disputes any invoiced
fees, Customer will provide written notice of the disputed amount within fifteen (15) days after the date of such
invoice and timely pay any undisputed portion of such invoice. The Parties will cooperate in good faith to resolve any
disputed invoice or portion thereof within fifteen (15) days of notice of dispute. All amounts payable by Customer
under this Agreement will be made without set-off and without any deduction or withholding. Customer will
promptly reimburse Box for any cost or expense incurred in connection with any collection efforts undertaken by Box
in connection with any past due amount owed under this Agreement. At Box's discretion, past due amounts may
accrue a late fee equal to the lesser of 1.5% per month or the maximum amount allowed by applicable law.
10.4 Taxes. All Orders pursuant to this Agreement do not include any transaction taxes, which may include local,
state, provincial, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including,
but not limited to, value-added taxes ("VAT"), excise, use, goods and services taxes, consumption taxes or similar
taxes (collectively defined as "General Taxes"). All fees invoiced pursuant to this Agreement are payable in full and
without reduction for General Taxes or foreign withholding taxes (collectively defined as "Taxes"). Customer is
responsible for paying all Taxes associated with fees due pursuant to this Agreement and Orders, excluding income
taxes imposed on Box. If Box has a legal obligation to pay or collect Taxes (expressly excluding Box income tax) for
which Customer is responsible under this Agreement, the appropriate amount shall be computed based on
Customer's address listed in the applicable Order and Customer confirms that Box can rely on the sold-to name and
address set forth in the Order(s) as being the place of supply for sales tax purposes. Such Taxes will be invoiced to
and paid by Customer. If Customer is legally entitled to an exemption from the payment of any Taxes, Customer will
promptly provide Box with legally sufficient tax exemption certificates for each taxing jurisdiction for which it claims
exemption. Unless otherwise prohibited by law, Box will apply the benefits of any requested tax exemption to charges
occurring under Customer's Box Service account after the date Box receives and reasonably processes such tax
exemption certificates.
10.5 Non-Payment Suspension. If any invoices are more than sixty (60) days past due (except with respect to
charges subject to a reasonable and good faith dispute as set forth in Section 10.3 (Invoicing and Payment Terms)), in
addition to any other rights or remedies it may have under this Agreement or by applicable law, Box reserves the right
to suspend Customer's access to the Box Service upon written notice, without liability to Customer, until such past
due amounts are paid in full.
10.6 Purchases Through Box Resellers. If Customer places an Order for the Box Service from a Box Reseller, any
terms herein related to ordering, invoicing, refunds or credits do not apply. Customer must establish such terms with
Box Reseller. For the avoidance of doubt, nothing herein affects suspension rights or deactivation rights for Box or a
Box Reseller provided for in this Agreement.
Section 11. Term and Termination
11.1 Term of Agreement. This Agreement will commence on the Agreement Effective Date and will remain in
effect for as long as there is an Order in effect ("Term"), unless otherwise terminated as provided for in Section 11.3
(Termination for Cause) below.
11.2 Term of Order and Renewal. Each Order placed under this Agreement will be in effect for a period of one (1)
year from the service start date of the Order unless otherwise agreed in the Order. Thereafter, unless the Agreement
is terminated as provided herein, the Order(s) will automatically renew for the same period of time as the Subscription
Period of the prior Order, unless either Party notifies the other Party in writing of its intent not to renew the applicable
Order(s) at least thirty (30) days' prior to the end of the then-current Subscription Period of such Order(s).
11.3 Termination for Cause. Either Party may terminate this Agreement for cause: (a) upon thirty (30) days'
written notice to the other Party of a material breach of this Agreement if such breach remains uncured after the
expiration of such period; or (b) if the other Party becomes insolvent, admits in writing its inability to pay its debts as
they mature, makes an assignment for the benefit of creditors, becomes subject to control of a trustee, receiver or
similar authority, or becomes subject to any bankruptcy or insolvency proceeding.
11.4 Post-Termination Obligations. Upon the termination or expiration of this Agreement for any reason,
Customer will have no further rights to access the Box Service hereunder except as set forth in this Section 11.4. For
thirty (30) days following the expiration or the termination of the Agreement or applicable Order, and subject to
Customer's prior written request, Box will allow Customer limited access to retrieve any Content remaining on the
Box Service. After such thirty (30) day period, Customer will have no further rights to access the Box Service.
11.5 Surviving Provisions. Upon any expiration or termination of this Agreement, the following sections will
survive: Sections 1 (Definitions), 5.2 (Content), 7.3 (Disclaimer of Warranties), 8 (Proprietary Rights), 10 (Fees and
Payments), 11.4 (Post Termination Obligations), 12 (Indemnification), 13 (Limitation of Liability), 14 (Confidentiality)
and 15 (Miscellaneous).
Section 12. Indemnification
12.1 Indemnification by Box. Box will defend Customer against any third-party claim that the Box Service infringes
a registered patent, registered trademark, or copyright of a third party, or misappropriates a trade secret ("Claim
Against Customer"), and will indemnify Customer for the resulting costs and damages finally awarded against
Customer to such third party by a court of competent jurisdiction or agreed to in settlement. Box will have no liability
to Customer under this Section 12.1 for any Claim Against Customer that arises out of: (a) any unauthorized use,
reproduction, or distribution of the Box Service by Customer; (b) use of the Box Service in combination with any other
software or equipment not supported in the User Guide if such Claim Against Customer would have been avoided
without such combination; or (c) any modification or alteration of the Box Service by anyone other than Box or Box's
agents without the written approval of Box. In the event of a Claim Against Customer pursuant to this Section 12.1,
Box will (at Box's option and expense): (i) obtain for Customer the right to continue using the Box Service; (ii) modify
the Box Service to make it non-infringing; or (iii) if subsections (i) and (ii) are not commercially viable (as determined
by Box in its sole discretion), terminate this Agreement, in which case Customer will be entitled to a pro-rated refund
of any fees pre-paid by Customer for the corresponding unused period of the applicable Subscription Period.
12.2 Indemnification by Customer. Customer will defend Box against any third-party claim: (a) that any Content,
or Customer's use of the Box Service in breach of this Agreement, infringes a registered patent, registered trademark,
or copyright, or misappropriates a trade secret (to the extent that such infringement or misappropriation is not the
result of Box's actions); or (b) relating to any Content or to Customer's use of the Box Service in violation of Section
2.2 (Acceptable Use of the Box Service). Customer will, with respect to any claim against Box that is subject to this
Section 12.2, indemnify Box for the resulting costs and damages finally awarded against Box to such third party by a
court of competent jurisdiction or agreed to in settlement.
12.3 Indemnification Process. As a condition of receiving an indemnification under this Agreement, the Party
seeking indemnification hereunder (the "Indemnified Party") will provide the other Party (the "Indemnifying Party")
with: (a) prompt written notice of the claim, provided, however, that the failure to give such notice shall not relieve
the Indemnifying Party's obligations hereunder except to the extent that the Indemnifying Party is prejudiced by such
failure; (b) complete control over the defense and settlement of the claim (provided, that the Indemnifying Party will
not settle any claim without the Indemnified Party's prior written permission if the settlement fails to unconditionally
release the Indemnified Party from all liability pertaining to such claim, such permission not to be unreasonably
withheld, delayed or conditioned); and (c) such assistance in connection with the defense and settlement of the claim,
at the Indemnifying Party's expense, as the Indemnifying Party may reasonably request.
12.4 Exclusive Remedy. This Section 12 states the Indemnified Party's sole and exclusive remedy against, and the
Indemnifying Party's sole liability to, the other Party for any type of claim under this Section 12. Notwithstanding the
foregoing, each Party will have the right to terminate this Agreement pursuant to Section 11.3 (Termination for
Cause), to the extent the event giving rise to indemnification constitutes a material breach of this Agreement.
Section 13. Limitation of Liability
13.1 Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL BOX'S AND ITS
AFFILIATES' TOTAL AND CUMULATIVE LIABILITY, FOR ALL CLAIMS OF ANY NATURE ARISING OUT OF OR RELATED TO
THIS AGREEMENT EXCEED THE TOTAL FEES PAID BY CUSTOMER TO BOX (OR TO A BOX DISTRIBUTOR OR RESELLER, IF
APPLICABLE) FOR THE BOX SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE DATE OF THE FIRST EVENT WHICH
GIVES RISE TO LIABILITY UNDER THIS AGREEMENT. THE FOREGOING LIMITATION DOES NOT LIMIT OR EXCLUDE ANY
LIABILITY FOR DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE.
13.2 Disclaimer of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY
INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS OR REVENUE, OR CONSEQUENTIAL DAMAGES
(INCLUDING, WITHOUT LIMITATION, LOSS OF GOODWILL OR LOSS OR USE OF DATA) HOWEVER CAUSED, WHETHER
BASED IN CONTRACT, TORT, WARRANTY, NEGLIGENCE OR ANY OTHER THEORY OF LIABILITY, EVEN IF SUCH PARTY
HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OF INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES. IN SUCH AN EVENT THIS EXCLUSION WILL NOT
APPLY TO THE EXTENT THE EXCLUSION IS PROHIBITED BY LAW.
Section 14. Confidentiality
14.1 Definition. Either Party may disclose Confidential Information to the other Party during the Term of this
Agreement. "Confidential Information" means all information disclosed by one Party ("Disclosing Party") to the other
Party ("Receiving Party") which is in tangible form and labeled "confidential" or the like, or that reasonably should
be understood to be confidential given the nature of the information and the circumstances of the disclosure. The
following information will be considered Confidential Information whether or not marked or identified as such: (a)
Content; (b) the terms of this Agreement including all Orders and pricing thereto; (c) personal data of Users; and (d)
the Disclosing Party's strategic roadmaps, product plans, product designs and architecture, technology and technical
information, security processes, security audit reviews, business and marketing plans, and business processes.
Confidential Information will not include information that as shown by the Receiving Party's records was: (i) already
known to Receiving Party at the time of disclosure by the Disclosing Party; (ii) was disclosed to the Receiving Party by
a third party who had the right to make such disclosure without any confidentiality restrictions; (iii) is, or through no
fault of the Receiving Party has become, generally available to the public; or (iv) was independently developed by
Receiving Party without use of the Disclosing Party's Confidential Information.
14.2 Protection. The Receiving Party will use no less than a reasonable standard of care to safeguard the
Confidential Information received from the Disclosing Party. The Receiving Party will only use the Confidential
Information of the Disclosing Party: (a) to exercise its rights and perform its obligations under this Agreement; or (b)
as otherwise required by law.
14.3 Permitted Disclosure. Neither Party will disclose Confidential Information in violation of the terms and
conditions of this Agreement to any third party without the prior written consent of the other Party. Notwithstanding
the foregoing, each Party may disclose Confidential Information, including the terms and conditions of this
Agreement, without the prior written consent of the other Party: (a) as compelled by law provided that, to the extent
legally permissible, the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure and
reasonable assistance, at the Disclosing Party's expense, if the Disclosing Party seeks to contest such disclosure; (b) in
confidence to its legal counsel, accountants, banks and financing sources, partners, providers and their advisors; (c) in
connection with the enforcement of rights or performance of obligations under this Agreement; (d) the terms and
conditions of this Agreement in confidence, in connection with an actual or proposed merger, acquisition, or similar
transaction; or (e) or to respond to an emergency which Box believes in the good faith requires Box to disclose
information to assist in preventing the death or serious bodily injury of any person.
Section 15. Miscellaneous
15.1 Contractual Relationship. The Parties are entering into this Agreement as independent contracting parties.
Neither Party will have, or hold itself out as having, any right or authority to incur any obligation on behalf of the
other Party. This Agreement will not be construed to create an association, joint venture or partnership between the
Parties or to impose any partnership liability upon any Party.
15.2 Anti-Corruption. Customer agrees that it has not received or been offered any illegal or improper bribe,
kickback, payment, gift, or thing of value from any of Box's employees, agents or subcontractors in connection with
this Agreement. Customer will use reasonable efforts to promptly notify Box at legalops@box.com should Customer
learn of any violation of this restriction.
15.3 References. During the Term of the Agreement, Box may reference Customer as a Box customer in sales and
marketing materials and public statements, subject to Customer's trademark and logo usage guidelines as provided
to Box. Customer may send Box an email to stories@box.com if it does not wish to be used as a reference.
15.4 Ambiguities. Each Party has participated in the review of this Agreement. Any rule of construction to the
effect that ambiguities are to be resolved against the drafting party shall not apply in interpreting this Agreement.
The language in this Agreement shall be interpreted as to its fair meaning and not strictly for or against any party.
15.5 Notices. Any notice or other communication under this Agreement given by any Party to any other Party will
be in writing and will be effective upon delivery as follows: (a) if to Customer, when sent via email to the email address
specified in an Order or otherwise on record for Customer; and (b) if to Box, when sent via email to
legalops@box.com. Any such notice, in either case, must specifically reference that it is a notice given under this
Agreement.
15.6 Nonwaiver. The failure of either Party to insist upon or enforce strict performance of any of the provisions
of this Agreement or to exercise any rights or remedies under this Agreement will not be construed as a waiver or
relinquishment to any extent of such Party's right to assert or rely upon any such provision, right or remedy in that or
any other instance; rather, the same will remain in full force and effect.
15.7 Assignment. Customer will not, directly, indirectly, by operation of law or otherwise, assign all or any part of
this Agreement or its rights hereunder or delegate performance of any of its duties hereunder without the prior
written consent of Box. Box may assign this Agreement (or Order) without obtaining Customer's consent: (a) to an
affiliate of Box; or (b) in connection with a successor in interest in a merger, reorganization or a sale of all or
substantially all of the assets of Box. Subject to the foregoing restrictions, this Agreement will be fully binding upon,
inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
15.8 Integration; Order of Precedence. This Agreement, together with any Orders and the Exhibits which are
incorporated and included into this Agreement, constitutes the entire agreement between the Parties and supersedes
any and all prior agreements or communications between the Parties with regard to the subject matter hereof. This
Agreement may not be amended or modified except by a writing signed by both Parties hereto. The terms of this
Agreement shall supersede and control over any conflicting or additional terms and conditions of any purchase order,
acknowledgement, confirmation or other document issued by Customer. Notwithstanding the foregoing, in the event
of a conflict between terms of this Agreement and an Order, the terms of the Order shall prevail.
15.9 Severability. In the event that any provision of this Agreement, or the application thereof, becomes or is
declared by a court of competent jurisdiction to be illegal, void or unenforceable, the remainder of this Agreement
will continue in full force and effect and the application of such provision will be interpreted so as reasonably to effect
the intent of the Parties. The Parties will promptly replace such void or unenforceable provision with a valid and
enforceable provision that will achieve, to the extent possible, the economic, business and other purposes of such
void or unenforceable provision.
15.10 Applicable Law; Dispute Resolution. This Agreement will be construed and enforced in all respects in
accordance with the laws of the State of California, U.S.A., without reference to its choice of law rules. Any dispute,
controversy or claim arising under, out of or relating to this Agreement, will be finally determined by arbitration
conducted by JAMS (or, if unavailable, then such other similar group that can provide former judges as arbiters) in
accordance with the Rules of Arbitration of the International Chamber of Commerce applicable to commercial
disputes by a single arbiter who is (a) fluent in written and spoken English, the language governing this Agreement,
and (b) skilled and experienced with cloud or internet services. The place of such arbitration will be in Santa Clara
County, California, U.S.A. The judgment of the arbitrator will be final, non-appealable (to the extent not inconsistent
with applicable law) and binding upon the Parties, and may be entered in any court of competent jurisdiction. The
foregoing does not limit or restrict either Party from seeking injunctive or other equitable relief from a court of
competent jurisdiction.
15.11 Third-Party Beneficiaries. Nothing in this Agreement shall confer, or is intended to confer, on any third party
any benefit or the right to enforce any term of this Agreement.
15.12 Force Majeure. In the event that either Party is prevented from performing, or is unable to perform, any of
its obligations under this Agreement due to any cause beyond the reasonable control of the Party invoking this
provision (including, without limitation, for causes due to war, fire, earthquake, flood, hurricane, riots, acts of God,
Internet service provider failures or delays, denial of service attacks, or other similar causes) ("Force Majeure") the
affected Party's performance will be excused and the time for performance will be extended for the period of delay
or inability to perform due to such occurrence; provided that the affected Party: (a) provides the other Party with
prompt notice (to the extent possible) of the nature and expected duration of the event; (b) uses commercially
reasonable efforts to address and mitigate the cause and effect of such event; (c) provides periodic notice of relevant
developments; and (d) provides prompt notice of the end of such event. For the avoidance of doubt, Customer
understands that the Box Service may not be provided in countries listed in the Office of Foreign Assets Control
sanction list and that Customer's access to the Box Service may be restricted in such countries and such prohibitions
shall not constitute a Force Majeure.
15.13 Government Users. If Customer is a U.S. government entity or if this Agreement otherwise becomes subject
to the Federal Acquisition Regulations (FAR), Customer acknowledges that elements of the Box Service constitute
software and documentation and are provided as "Commercial Items" as defined at 48 C.F.R. 2.101, and are being
licensed to U.S. government User as commercial computer software subject to the restricted rights described in 48
C.F.R. 2.101 and 12.212.
EXHIBIT A
Support Services and Service Level Commitments
Definitions
"Business Response Credit" means the credit that may be available to a Customer who has subscribed to
the Business Services under the applicable Order and as specified under Response Times, below.
"Downtime" means any period during which the Customer is unable to access the Box Service, as measured
at the Box network by industry standard tools, due to an Issue which prevents the majority of Customer
Users from accessing Content, expressly excluding Scheduled Downtime.
"Issue" means a single, reproducible issue or problem affecting the functionality of the Box Service for
Customer.
"Enhanced Response Credit" means the credit that may be available to a Customer who has subscribed to
one of the Enhanced Support Services under the applicable Order and as specified under Response Times,
below.
"Enhanced SLC Credit" means the credit that may be available to a Customer who has subscribed to one
of the Enhanced Support Services under the applicable Order and as specified under Service Level
Commitments, below.
"Support Services" means telephone, email or web-based assistance in the resolution of Issues reported
by Customer to Box. Available Support Services are:
"Standard Support Services" which is included in the Customer's purchase of the Box Service;
"Business Services" which is purchased by the Customer and identified under the applicable Order; or
"Premier Services" or "Platinum Services" (together, "Enhanced Support Services") which are purchased
by the Customer and identified under the applicable Order.
"Scheduled Downtime" means a scheduled time period in which the Box Service is unavailable for use, and
upon notice to Customer where practical.
"Uptime Percentage" means the total number of minutes in a calendar month minus the number of
minutes of Downtime experienced in such calendar month, divided by the total number of minutes in such
calendar month.
Support Services
During the term of the Order, Box will provide to Customer the applicable Support Services. If Customer has not
purchased Business Services or one of the Enhanced Support Services, then Standard Support Services will be
provided. Support Services do not include: (a) physical installation or removal of the Box Software and any User
Guides; (b) visits to Customer's site; (c) any professional services associated with the Box Service, including, without
limitation, any custom development, data modeling, code review and application architecture/infrastructure design;
(d) training; or (e) the set-up, configuration and use of the Box Service.
Box's obligations do not extend to any ongoing test or training instances of the Box Service provided to Customer or
Downtime, Issues or errors that are caused by:
a) Third party hardware or software;
b) Use of the Box Service in violation of the terms of the Agreement; or
c) Use of the Box Service other than in accordance with any User Guide or the express instructions of Box.
Response Times
Standard Services Response Times
For Customers with Standard Support Services, Box will use commercially reasonable efforts to meet the
following target response times during the hours/days, as outlined below.
Support Response Time: 6 AM - 6 PM Customer Local Time, Monday - Friday
Support Language: English
Support Access Method: Web/Email
Support Response Method: Web/Email
Number of Support Requests: Unlimited
Level 1 - Urgent: Within 4 business hours
Level 2 - High: Within 8 business hours
Level 3 - Normal: Within 1 business day
Business Services Response Times
For Customers who have purchased Business Services, Box will respond in accordance with the response
times below. If Box fails to meet the response times, Customer may be entitled to a response time credit
as outlined below ("Business Response Time Credit").
Support Response: 24 Hours/Day, 365 days/year
Support Language: English
Support Access Method: Web/Phone/Email
Support Response Method: Web/Phone/Email
Number of Support Requests: Unlimited
Level 1 - Urgent: Within 2 hours
Level 2 - High: Within 4 hours
Level 3 - Normal: Within 4 hours
Level 4 - Low: Greater than 4 hours
Enhanced Support Services Response Times
For Customers who have purchased one of the Enhanced Support Services, Box will respond in accordance
with the response times below. If Box fails to meet the response times, Customer may be entitled to a
response time credit as outlined below ("Enhanced Response Time Credit").
Support Response: 24 Hours/Day, 365 days/year
Support Language: English or Local language (based on availability)
Support Access Method: Web/Phone/Email
Support Response Method: Web/Phone/Email
Number of Support Requests: Unlimited
Level 1 - Urgent: Within 1 hour
Level 2 - High: Within 2 hours
Level 3 - Normal: Within 2 hours
Level 4 - Low: Greater than 2 hours
(the above response times apply to cases submitted in English)
Business Services and Enhanced Support Services Response Times Credits
For Customers who have purchased Business Services or one of the Enhanced Support Services, if Box fails
to meet the response times associated with Business Services or Enhanced Support Services, Customer may
be entitled to a response time credit as outlined below ("Response Time Credit").
Response Time Credits: Customer will be eligible to receive a Response Time Credit, provided that:
(1) Customer has purchased Business Services or one of the Enhanced Support Services;
(2) Customer has opened a support ticket for an Issue; and
(3) Box fails to meet the response times for Level 1 and Level 2 support tickets three (3) times
during the given calendar month.
Collectively, a "Response Credit Event".
In the event that Customer incurs a Response Credit Event, Customer will receive a Response Time Credit
of fifteen (15%) percent of the fees paid by Customer for the applicable Business Support Service or
Enhanced Support Service for the month the Response Credit Event occurred. The Response Time Credit
will be calculated on a straight-line, pro-rated basis with respect to any fees paid in advance.
Notwithstanding anything to the contrary, in no event will the total amount of Response Time Credits
exceed the applicable Business Services or Enhanced Support Services fees paid by Customer for the
corresponding month. For clarity, for the purpose of calculating Response Time Credits, calendar months
are calculated based on US Pacific Time Zone.
The Response Time Credit is Customer's sole and exclusive remedy for any failure by Box to meet any
response time performance obligations pertaining to the Box Service as set out in this Exhibit A.
Customer is not eligible to receive Response Time Credits during any period of time when payments owed
are past due.
For Customer Orders placed through Box, Response Time Credits will be issued by Box, as determined in
its sole discretion, either by applying to future billing cycle(s) or as a refund against annual fees earlier paid.
For Customer orders placed through a Box Reseller, Response Time Credits, if any, will be issued as provided
in the applicable agreement between Customer and Reseller.
Service Level Commitments
Standard Support Services
For Customers with Standard Support Services, Box will use commercially reasonable efforts to meet an
Uptime Percentage of at least 99.9%.
Business Services
For Customers with Business Services, Box will use commercially reasonable efforts to meet an Uptime
Percentage of at least 99.9%.
Enhanced Support Services
For Customers with Enhanced Support Services, Box will use commercially reasonable efforts to meet an
Uptime Percentage of at least 99.9%. If Box fails to meet the Uptime Percentage Customer will receive
Enhanced SLC Credits as follows:
Uptime Percentage: Enhanced SLC Credit Percentage
Less than 99.9% but equal to or more than 99.8%: 5%
Less than 99.8% but equal to or more than 99.7%: 10%
Less than 99.7% but equal to or more than 99.6%: 15%
Less than 99.6% but equal to or more than 99.5%: 20%
Less than 99.5% but equal to or more than 99.4%: 25%
Less than 99.4% but equal to or more than 99.3%: 30%
Less than 99.3% but equal to or more than 99.2%: 35%
Less than 99.2% but equal to or more than 99.1%: 40%
Less than 99.1% but equal to or more than 99.0%: 45%
Less than 99.0%: 50%
Customers who have purchased one of the Enhanced Support Services will be eligible to receive SLC
Credits provided that:
(1) Customer has reported an Issue related to a Downtime event by filing a ticket with Box support within
fifteen (15) days of the Downtime event; and
(2) once Customer receives the Uptime Percentage report provided by Box and confirms Uptime
Percentage as below 99.9% in the month the issue was experienced, Customer has provided Box a written
claim request for Enhanced SLC Credits within fifteen (15) days of the date of uptime percentage report.
The Enhanced SLC Credits will be equal to the SLC Credit percentage multiplied by the fees paid by
Customer for the Box Service that are attributable to the corresponding calendar month (calculated on a
straight line, pro-rated basis with respect to any fees paid in advance) and then pro-rated for based on
affected Users. Notwithstanding anything to the contrary, in no event will the total amount of Enhanced
SLC Credits if any, exceed the fees paid by Customer for the Box Service in the corresponding month. For
clarity, for the purpose of calculating Enhanced SLC Credits, calendar months are calculated based on US
Pacific Time Zone.
The Enhanced SLC Credit is Customer's sole and exclusive remedy for any failure by Box to meet any service
level obligations pertaining to the Box Service as set out in this Exhibit A.
Customer is not eligible to receive Enhanced SLC Credits during any period of time when payments owed
are past due.
For Customer Orders placed through Box, Enhanced SLC Credits will be issued by Box, as determined in
Box's sole discretion, either by applying to future billing cycle(s) or as a refund against annual fees earlier
paid. For Customer orders placed through a Box Reseller, Enhanced SLC Credits, if any, will be issued as
provided in the applicable agreement between Customer and Reseller.
Exhibit B
Box Security Exhibit
1. Purpose. This Security Exhibit sets forth the information security program and infrastructure policies that Box will
meet and maintain in order to protect Customer's Content from unauthorized use, access or disclosure, during the
Term of the Agreement.
2. Information Security Management Program. Box will maintain throughout the Term of the Agreement an
information security management program (the "ISMP") designed to protect and secure Content from unauthorized
access or use. The ISMP will be documented and updated based on changes in applicable legal and regulatory
requirements related to privacy and data security practices and industry standards.
3. Standards. Box incorporates commercially reasonable and appropriate methods and safeguards to protect the
security, confidentiality, and availability of Content. Box will, at a minimum, adhere to applicable information security
practices as identified in International Organization for Standardization 27001 (ISO/IEC 27001) (or a substantially
equivalent or replacement standard) or other authoritative sources (e.g. SSAE 18, SOC1, SOC2).
4. Independent Assessments. On an annual basis, Box has an independent third-party organization conduct an
independent assessment consisting of a Report on Controls at a Service Organization Relevant to Security, Availability,
Processing, Integrity, Confidentiality and/or Privacy (SOC2 Type II) or such other assessment at its sole discretion (e.g.
ISO 27001 Certificate or SOC1 Type II Report). Additionally, Box undergoes regular penetration testing from
independent third parties at least on an annual basis.
5. Information Security Policies. Box will implement, maintain, and adhere to its internal information security and
privacy policies that address the roles and responsibilities of Box's personnel, including both technical and non-
technical personnel, who have direct or indirect access to Content in connection with providing the Box Service. All
Box personnel with access to Content will receive annual training on Box's ISMP.
6. Information Security Infrastructure.
a. Access Controls. Box will ensure appropriate access controls are in place to protect Content. Box agrees that it
shall maintain, throughout the Term of the Agreement and at all times while Box has access to or possession of
Content, appropriate access controls (physical, technical, and administrative) and shall maintain such access
controls in accordance with Box's policies and procedures.
b. Encryption. Box will encrypt Content at rest within the Box Service. Box will use at a minimum AES algorithm for
encryption of Content at rest with a default value of 256-bit strength. For Content in transit to and from the Box
Service, Box agrees to use encryption unless Customer uses a method of transmission or feature which does not
support encryption (such as unencrypted FTP, email, etc.).
c. Network and Host Security. Box has network intrusion detection and firewalls in place. Box uses reasonable
efforts to ensure that Box Service operating systems and applications that are associated with Content are
patched or secured to mitigate the impact of security vulnerabilities in accordance with Box's patch management
processes.
d. Data Management. Box has adequate information security infrastructure controls in place for Content obtained,
transported, and retained by Box for the provision of the Box Service. Box will destroy, delete, or otherwise make
irrecoverable Content upon the disposal or repurposing of storage media containing Content. Content is logically
separated from the content of other Box customers.
Notwithstanding the foregoing, Customer understands and acknowledges that Customer will be solely responsible
for implementing and maintaining access and security controls on its own systems.
7. Security Breach Management.
a. Notice. Box will promptly notify Customer of any confirmed Security Breach. Box will cooperate with Customer's
reasonable requests for information regarding any such Security Breach, and Box will provide regular updates on
the Security Breach and the investigative action and corrective action taken. "Security Breach" means
unauthorized access to Customer's Content.
b. Remediation. In the event Box knows or has reason to know of a Security Breach, Box will, at its own expense:
(i) investigate the actual or suspected Security Breach; (ii) provide Customer with a remediation plan to address
the Security Breach and to mitigate the incident and reasonably prevent any further incidents; (iii) remediate the
effects of the Security Breach in accordance with such remediation plan; and (iv) reasonably cooperate with
Customer and any law enforcement or regulatory official investigating such Security Breach.
8. Business Continuity and Disaster Recovery. Box implements and maintains business continuity and disaster
recovery capabilities designed to minimize disruption of providing the Box Service to Customer. Box shall review its
business continuity and disaster recovery plans on at least an annual basis and update such plans, as needed. Further,
Box will, at its discretion, perform annual testing of its business continuity and disaster recovery capabilities and
provide to Customer, upon written request, a summary of Box's business continuity and disaster recovery capabilities,
including related testing performed during the last year.
9. Subcontractors. Box will make reasonable efforts to ensure that subcontractors meet Box's security and privacy
standards, to the extent applicable to their scope of performance, including ensuring that all persons authorized to
perform services on behalf of Box have agreed to an appropriate obligation of confidentiality. Box, at its sole
discretion and in accordance with its vendor management program, will perform periodic vendor assessments for
security and privacy.